The scope of this Notice covers all processes in which personal data is processed by all departments of the Company.
The temporal validity of the Prospectus is until it is withdrawn. The Company reserves the right to amend this Prospectus and will notify you accordingly by publishing the amended Prospectus on its website.
The data controller is Szepesi Vendéglátóipari Kft.
The registered office of the company is 3412 Bogács, Dózsa György u. 16.
Company registration number: 05-09-011883
Tax number: 13422125-2-05
Phone number: +36304289361
Email address: email@example.com
This privacy statement governs the processing of data on the following websites: www.strandhotel.hu
The privacy notice is available at: www.strandhotel.hu
Amendments to the Prospectus will enter into force upon publication at the above address.
DEFINITIONS OF TERMS
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) “processing” means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(3) ‘controller’ means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
(4) “processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
(5) “recipient” means a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
(6) ‘data subject’s consent’ means the freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;
(7) “data breach” means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA
(a) be processed lawfully and fairly and in a transparent manner for the data subject (“lawfulness, fairness and transparency”);
(b) be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purpose in accordance with Article 89(1) (‘purpose limitation’);
(c) be adequate, relevant and limited to what is necessary for the purposes for which the data are processed (“data minimisation”);
(d) be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without undue delay (“accuracy”);
(e) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the personal data will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures as provided for in this Regulation to safeguard the rights and freedoms of data subjects (‘limited storage’);
(f) be carried out in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (“integrity and confidentiality”), by implementing appropriate technical or organisational measures.
The controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).
DATA PROCESSING BOOKING OF ACCOMMODATION, REQUESTING AN OFFER
1.The fact of data collection, the scope of the data processed and the purpose of the processing:
Purpose of processing Surname and first name
It is required for contacting, booking and issuing a proper invoice.
E-mail address Contact. Phone number Contact us to discuss your booking and billing queries more efficiently. Invoicing name and address To issue a correct invoice and to create, define the content, modify, monitor the performance of the contract, invoice the fees and claim the related charges.
Reservation data (date and time, arrival time, departure time, number of adults, number of children, age of children, type of board, room type) To enable the reservation. Date of reservation/request for reservation Execution of a technical operation. IP address of the reservation/request IP address at the time of the reservation/request Execute technical operation. The e-mail address does not need to contain personal data.
2. Data subjects: all data subjects who book and enquire on the website.
3. Duration of data processing, deadline for data deletion: the data will be deleted immediately after the User has replied to the request for a quote (in this case, the Data Controller is no longer entitled to send a newsletter), if no room has been booked. If the User has booked a room in the Service Provider’s system, a contract has been concluded, and the deadline for deletion of personal data is different for accounting records, as these data must be kept for 8 years pursuant to Article 169 (2) of Act C of 2000 on Accounting.
4. Identity of the potential controllers of the data, recipients of the personal data: personal data may be processed by the sales and marketing staff of the controller, in compliance with the above principles.
5.Description of the data subjects’ rights in relation to data processing:- The data subject may request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her, and – object to the processing of such personal data, and – the data subject has the right to data portability and to withdraw consent at any time.
6. The data subject may request access to, erasure, modification or restriction of processing of personal data, data portability and objection to processing in the following ways: – by post to 3412 Bogács, Dózsa György utca 16., – by e-mail to firstname.lastname@example.org, – by telephone to +36 30 428 9361.
7. Legal basis for data processing: the data subject’s consent, Article 6 (1) (a), the Infotv. The service provider may process personal data that are technically indispensable for the provision of the service for the purpose of providing the service. The service provider must, other things being equal, choose and in any case operate the means used in the provision of the information society service in such a way that personal data are processed only if absolutely necessary for the provision of the service and for the fulfilment of the other purposes specified in this Act, but in this case only to the extent and for the duration necessary.
8. You are informed that -processing is based on your consent- you are obliged to provide the personal data in order for us to be able to fulfil the reservation. – failure to provide the data will result in our inability to process your reservation or request.
WHO IS ENTITLED TO ACCESS THE DATA
Personal data may be disclosed to the Company’s employees who have access rights related to the relevant data management purpose, or to persons or organisations performing data processing or outsourcing activities for the Company on the basis of service contracts, to the extent and to the extent necessary for the performance of their activities, as determined by the Company.
In the course of data processing, the Company uses the services of the following data processors under service contracts:
MT-HOSTWARE Számítástechnikai Korlátolt Felelősségű Társaság (registered office: 1149 Budapest, Róna utca 120-122.; tax number: 10426917-2-42)
The above company provides the Company with the hotel management software Hostware, within the framework of which it performs electronic data processing activities for the Company.
Storage provider Name / company name: Privnet Korlátolt Felelősségű Társaság Registered office: 1139 Budapest, Frangepán utca 16. E-mail: info[at]privnet.biz
1. Activity provided by the data processor: Hosting
2. Name and contact details of the data processor: server location:
3. Fact of processing, scope of data processed: all personal data provided by the data subject.
4. Data subjects: all data subjects using the website.
5. Purpose of data processing: to make the website available and to ensure its proper operation.
6. Duration of data processing, deadline for deletion of data: immediately upon cancellation of registration. 7. 5 (1), Article 6 (1) a), and Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
THE GOOGLE ANALYTICS APPLICATION
1. This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site you have visited.
2. The information generated by the cookies on the website used by the User is usually transmitted to and stored on a Google server in the USA. By activating the IP anonymisation on the website, Google will previously shorten the User’s IP address within the Member States of the European Union or in other states party to the Agreement on the European Economic Area.
3. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to evaluate your use of the website, to compile reports on website activity for the website operator and to provide other services relating to website activity and internet usage.
NEWSLETTER, DM ACTIVITIES
1.Pursuant to Article 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activity, the User may expressly consent in advance to the Service Provider contacting him/her with advertising offers and other mailings at the contact details provided at the time of registration.
2. Furthermore, the Customer may, subject to the provisions of this information, consent to the processing of personal data by the Service Provider necessary for the sending of advertising offers.
3. The Service Provider shall not send unsolicited advertising messages, and the User may unsubscribe from receiving such offers without any restriction and without giving any reason, free of charge. In this case, the Service Provider shall delete all personal data necessary for sending advertising messages from its records and shall not contact the User with further advertising offers. The User may unsubscribe from advertising by clicking on the link in the message.
4. Fact of data collection, scope of data processed and purpose of data processing Personal data Purpose of data processing Name, e-mail address. Identification, to enable subscription to the newsletter. A feliratkozás időpontja Technikai művelet végrehajtása. IP address at the time of subscription Technical operation.
5. Data subjects: all data subjects who subscribe to the newsletter.
Purpose of processing: sending electronic messages (e-mail, SMS, push messages) containing advertising to the data subject, providing information about current information, products, promotions, new features, etc.
7. Duration of data processing, deadline for deletion of data: data processing lasts until the consent is withdrawn, i.e. until unsubscription.
8. Potential data controllers entitled to access the data, recipients of personal data: personal data may be processed by the sales and marketing staff of the controller, in compliance with the above principles.
9.Description of data subjects’ rights in relation to data processing:- The data subject may request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her, and – object to the processing of such personal data, and – the data subject has the right to data portability and to withdraw consent at any time.
10. The data subject may request access to, erasure, modification or restriction of processing of personal data, data portability and objection to processing in the following ways: – by post to 3412 Bogács, Dózsa György utca 16., – by e-mail to email@example.com, – by telephone to +36 30 428 9361.
11. The data subject may unsubscribe from the newsletter at any time, free of charge.
12. Legal basis for data processing: the data subject’s consent, Article 6 (1) (a), the provisions of the Infotv. Article 5(1)(a), and Article 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities. The data recorded in this register – relating to the recipient of the advertising – may be processed only in accordance with the consent given in the consent form, until the consent is withdrawn, and may be disclosed to third parties only with the prior consent of the person concerned.
13. Please note that – the processing is based on your consent – you are required to provide personal data if you wish to receive newsletters from us. – failure to provide this information will result in our inability to send you a newsletter.
PROCESSING JOB APPLICANTS’ DATA
The Company processes the personal data contained in the “incoming” and targeted CVs and other attached documents received directly or through a recruitment intermediary. The purpose of the processing is to inform the data subject of job vacancies that best match his/her qualifications and interests, to arrange an appointment with the data subject and to carry out the selection procedure. The legal basis for the processing is the data subject’s voluntary consent [Article 6(1)(a) GDPR], which is given by sending his/her CV and related documents. The duration of the processing is the duration of the employment relationship in case of a successful application, in case of an unsuccessful application, the application file of the unsuccessful candidates will be deleted after the selection.
DATA PROCESSING IN RELATION TO CAMERA SURVEILLANCE
The Company operates an electronic monitoring and recording system in areas marked with a camera pictogram or attention information (monitored areas) at the headquarters. The camera system monitors the common areas of the hotel. The camera surveillance system records the images and actions of persons entering the monitored area. The camera surveillance system does not record sound. Only authorised employees of the data controllers are entitled to view the actual images and recordings from the cameras. The camera system is operated by the Company and does not use any service provider, so the Company is the only data controller. The purpose of data processing is to protect property and persons in the building, to protect business secrets and to prove possible abuses and infringements. The legal basis for data processing is based on the voluntary consent of the data subject (access to the building) [Article 6(1)(a) GDPR] on the one hand, and on the legal possibility provided by Section 25 of the Act on the Protection of Personal Data. The data processing period is 15 (fifteen) days from the date of the recording, after which the recordings are automatically deleted in accordance with § 25 of the Act.
INTERNAL DATA PROTECTION
1. Legal basis for the processing: the data subject’s consent, expressed by signing the notification form.
2. Purpose of data processing: to comply with the legal requirements relating to tourist tax.
3. Duration of data processing, deadline for erasure of data: until the competent authority can verify the fulfilment of the obligations laid down in the relevant legislation and, in the case of a contract, until 31 December of the 7th year following the year in question, in accordance with Article 169 (2) of Act C of 2000 on Accounting.
4. Scope of data processed: name, e-mail, address, ID number, nationality, place of birth, date, other personal data.
5. Potential data controllers: personal data may be processed by the controller’s staff, in compliance with the principles set out above.
PROCESSING OF BUSINESS CARDS
1. Legal basis for data processing: the User’s voluntary consent, which is obtained by the User’s act of providing the Service Provider with his/her business card containing his/her personal data.
2. Scope of the data processed: name, telephone number, address, e-mail address, workplace, work address, and other personal data on the business card.
3. Purpose of the processing: to establish contact and facilitate contact between persons.
5. Time limit for deletion of data: until the withdrawal of the consent, i.e. until the instruction to destroy the business card.
6. Potential data controllers: personal data may be processed by the controller’s staff, in compliance with the principles set out above.
SOCIAL NETWORKING SITES
1. Fact of data collection, scope of data processed: name registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. social networking sites, and public profile picture of the user.
2. Data subjects: all data subjects who have registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. and have “liked” the website.
3. Purpose of data collection: to share or “like” certain content, products, promotions or the website itself on social networking sites.
4. Duration of data processing, time limit for deletion of data, the identity of the possible controllers entitled to access the data and the rights of the data subjects in relation to data processing: the data subject can find out about the source of the data, the processing of the data and the method and legal basis of the transfer on the relevant Community site. The data are processed on the social networking sites, so the duration of the processing, the way in which the data are processed and the possibilities for deleting and modifying the data are governed by the rules of the social networking site concerned.
5. Legal basis for processing: the data subject’s voluntary consent to the processing of his or her personal data on social networking sites.
CUSTOMER RELATIONS AND OTHER DATA MANAGEMENT
1. Should the data controller have any questions or problems when using our services, the data subject may contact the data controller using the methods provided on the website (telephone, e-mail, social networking sites, etc.).
2. The Data Controller shall delete the data provided in e-mails, messages, telephone, Facebook, etc., together with the name and e-mail address of the interested party and other personal data voluntarily provided by the interested party, after a maximum of 2 years from the date of the communication.
3. Information about data processing not listed in this notice is provided at the time of collection.
4. In the event of an exceptional request from a public authority or other bodies authorised by law, the Service Provider shall provide information, disclose data, hand over data or make documents available.
5. In these cases, the Service Provider shall disclose personal data to the requesting party only to the extent and to the extent strictly necessary for the purpose of the request, provided that the requesting party has indicated the exact purpose and scope of the data.
THE RIGHTS OF DATA SUBJECTS
1.Right of access: you have the right to receive feedback from the controller as to whether your personal data are being processed and, if such processing is taking place, you have the right to access your personal data and the information listed in the Regulation.
2. Right to rectification You have the right to obtain, at your request and without undue delay, the rectification of inaccurate personal data relating to you. Having regard to the purposes of the processing, you have the right to request the rectification of incomplete personal data, including by means of a supplementary declaration.
3.Right to erasure: You have the right to obtain from the controller the erasure of personal data relating to you without undue delay and the controller is obliged to erase personal data relating to you without undue delay under certain conditions.
4. The right to be forgotten: If the controller has disclosed the personal data and is required to delete it, it will take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that have processed the data that you have requested the deletion of the links to or copies of the personal data in question.
5. Right to restriction of processing: you have the right to obtain, at your request, the restriction of processing by the controller if one of the following conditions is met: – you contest the accuracy of the personal data, in which case the restriction shall be for a period of time which allows the controller to verify the accuracy of the personal data; – the processing is unlawful and you oppose the erasure of the data and instead request the restriction of their use; – the controller no longer needs the personal data for the purposes of the processing but you request them for the establishment, exercise or defence of legal claims; – you have objected to the processing, in which case the restriction applies for a period of time until it is established whether the controller’s legitimate grounds override your legitimate grounds.
6. Right to data portability: you have the right to receive personal data concerning you which you have provided to a controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to whom you have provided the personal data (…)
7. Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data, including profiling based on the aforementioned provisions.
8. Objection in case of direct marketing: If personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, if it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data may no longer be processed for these purposes.
9. Automated decision-making on individual matters, including profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The preceding paragraph shall not apply where the decision: – is necessary for entering into, or the performance of, a contract between you and the controller; – is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to safeguard your rights and freedoms and legitimate interests; or is based on your explicit consent.
10. Right to apply to the courts (right of action)
Irrespective of their right to lodge a complaint, the data subject may go to court if their rights under the GDPR or the Infotv. have been violated in the processing of their personal data.
The Company, as a data controller established in Hungary, may be sued before a Hungarian court.
You can also bring the case before the court in your country of residence. In Hungary, the courts can be found at the following link: http://birosag.hu/torvenyszekek. VI. Other information
11. Enforcement of rights relating to personal data after the death of the data subject
Within five years of the death of the data subject, the rights of the deceased during his or her lifetime may be exercised by a person authorised by the data subject by means of an administrative arrangement or a declaration made to the controller (in a public or private document with full probative value). If the data subject has not made such a declaration, the rights of the deceased during his or her lifetime may be exercised by his or her close relative within the meaning of the Civil Code within five years of the death of the data subject (in the case of more than one close relative, the first to exercise the rights shall be the first to exercise them).
12. Right to request information
Within 15 (fifteen) days from the date of the recording, the data subject may request information about what is shown in the recording in relation to the data subject. The request must specify where and when the recording was made and how the data subject can be identified. The Company shall comply with the request within 15 (fifteen) days.
13. Right to blocking
Within 15 (fifteen) days from the date of the recording, the data subject may request that the data not be destroyed or erased by the data controllers (blocking), by justifying his or her right or legitimate interest. The request must specify where the recording was made, when it was made, how the data subject can be identified and the reason for the blocking. At the same time as the blocking, it is advisable for the data subject to initiate the necessary official or judicial proceedings, as the Company only releases the recordings in response to a request from an authority or court.
14. Right of access
The data subject may request access to the recordings made of him or her within 15 (fifteen) days of the date on which the recording was made. The request must specify where and at what time the recording was made, how the data subject can be identified and on which day the data subject wishes to have access to the recording. The Company will be able to provide access on working days from Monday to Friday, between 10 a.m. and 10 p.m.
DEADLINE FOR ACTION
The controller shall inform you of the action taken on such requests without undue delay and in any event within 1 month of receipt of the request. If necessary, this may be extended by 2 months. The controller shall inform you of the extension, stating the reasons for the delay, within 1 month of receipt of the request. If the controller does not take action on your request, it shall inform you without delay and at the latest within one month of receipt of the request of the reasons for the non-action and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.
THE SECURITY OF DATA PROCESSING
The controller and the processor shall implement appropriate technical and organisational measures, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of data security appropriate to the level of risk, including, where appropriate: (b) the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data; (c) the ability to restore access to and availability of personal data in the event of a physical or technical incident in a timely manner; (d) a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of processing.
INFORMING THE DATA SUBJECT OF THE PERSONAL DATA BREACH
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. The information given to the data subject shall clearly and prominently describe the nature of the personal data breach and provide the name and contact details of the data protection officer or other contact person who can provide further information; describe the likely consequences of the personal data breach; describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach. The data subject need not be informed if any of the following conditions are met: – the controller has implemented appropriate technical and organisational protection measures and those measures have been applied in relation to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data; – the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise; – the provision of information would require a disproportionate effort. In such cases, the data subject should be informed by means of publicly disclosed information or by means of a similar measure ensuring that the data subject is informed in an equally effective manner. Where the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed.
REPORTING A PERSONAL DATA BREACH TO THE AUTHORITY
The data protection incident shall be notified by the controller to the supervisory authority competent under Article 55 without undue delay and, if possible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.
POSSIBILITY TO COMPLAIN
Complaints against possible infringements by the data controller can be lodged with the National Authority for Data Protection and Freedom of Information: National Authority for Data Protection and Freedom of Information 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Postal address: 1530 Budapest, P.O. Box 5 Phone: +36 -1-391-1400 Fax: +36-1-391-1410 E-mail: firstname.lastname@example.org
SZEPESI KFT. 3412 Bogács, Dózsa György utca 16., by e-mail at email@example.com, – by telephone at +36 30 428 9361.
The following legislation has been taken into account in the preparation of this information:
– REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation)
– Act CXII of 2011 – on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.)
– Act CVIII of 2001 – on certain aspects of electronic commerce services and information society services (in particular § 13/A)
– Act XLVII of 2008 – on the prohibition of unfair commercial practices against consumers; – Act XLVIII of 2008 – on the basic conditions and certain restrictions of economic advertising (in particular § 6)
– Act XC of 2005 on Electronic Freedom of Information
– Act C of 2003 on Electronic Communications (specifically § 155)
– Opinion No 16/2011 on the EASA/IAB Recommendation on best practice on behavioural online advertising
– Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements for prior information.