Privacy Policy

Introduction

Imre Balázs Puskovitz (Address: 8600 Siófok, Beszédes József sétány 73/19. email: office@siofokszallas.info) (hereinafter referred to as the Service Provider, Data Controller) submits itself to the following information notice.
In accordance with the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), we provide the following information.
This privacy policy governs the data processing of all accommodations found on the https://siofokszallas.info/ website. The privacy policy is available from the following page: http://siofokszallas.info/adatkezelesi-tajekoztato

Amendments to this notice become effective upon their publication at the above address.

Data Controller and Contact Information

Name: Imre Balázs Puskovitz
Address: 8600 Siófok, Beszédes József sétány 73/19.
Email: office@siofokszallas.info
Phone: +36 20 225 8400

Definition of Terms


1. "personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. "processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. "controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
4. "processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
5. "recipient": a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
6. "the data subject's consent": a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
7. "data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Principles Relating to Processing of Personal Data

Personal data must be:

a) Processed lawfully, fairly, and in a transparent manner in relation to the data subject ("lawfulness, fairness, and transparency");
b) Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes in accordance with Article 89(1) ("purpose limitation");
c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay ("accuracy");
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality").

The controller shall be responsible for, and be able to demonstrate compliance with, the principles set out above ("accountability").

Data Processing

ROOM RESERVATION, INQUIRY

1. The fact of data collection, the scope of managed data, and the purpose of data processing:
Personal Data: Purpose of Data Processing
Name (first and last name): Necessary for making an inquiry and room reservation.
Email Address: Communication.
Phone Number: To facilitate more efficient coordination regarding room reservations and inquiries.
Data related to room reservation/inquiry (arrival time, departure time, number of adults, number of children, age of children, type of room): To enable room reservation and inquiry.
Date of the room reservation/inquiry: Execution of a technical operation.
IP address at the time of the room reservation/inquiry: Execution of a technical operation.
2. Scope of data subjects: All individuals making a room reservation/inquiry on the website.
3. Duration of data processing, deadline for data deletion: Data are immediately deleted after responding to the user's inquiry (in this case, the data controller is no longer entitled to send newsletters), unless a room has been booked. If the User has booked a room in the Service Provider's system, this constitutes a contract, thus the deadline for deleting personal data differs for accounting documents, as according to Section 169 (2) of the Act C of 2000 on Accounting, these data must be retained for 8 years.
Accounting records directly and indirectly supporting the accounting settlement must be preserved in a legible form for at least 8 years, in a manner retrievable based on the accounting records' references.
4. The persons entitled to know the data, the recipients of personal data: The personal data can be managed by the data controller's sales-marketing and reception staff, respecting the principles mentioned above.
5. Description of data subjects' rights related to data processing:
The data subject may request from the data controller access to, rectification, erasure of personal data or restriction of processing concerning the data subject, and
object to the processing of such personal data, as well as
the data subject has the right to data portability and to withdraw consent at any time.
6. The data subject can initiate access to personal data, their deletion, modification, or the restriction of their processing, data portability, and object to data processing in the following ways:

by mail at 8600 Siófok, Beszédes József sétány 73/19.
via email at office@siofokszallas.info,
by phone at +36 20 225 8400.

7. The data subject's consent, Article 6(1) points (a) and (b), Section 5(1) of the Info Act, Section 169(2) of Act C of 2000 on Accounting, and Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (hereinafter: Ecom Act):
The service provider may process those personal data that are technically indispensable for the provision of the service. Given the equality of other conditions, the service provider must select and operate the tools used in the provision of services related to the information society in such a way that personal data are processed only if it is absolutely necessary for the provision of the service and the fulfillment of other objectives defined in this Act, but even in this case, only to the necessary extent and duration.
8. Please be informed that
data processing is based on your consent.
you are obliged to provide personal data so that we can fulfill the room reservation and inquiry.
failure to provide data will result in us being unable to process your room reservation or inquiry.

Data Processors Utilized

WEB HOSTING SERVICE PROVIDER

1. Activity performed by the data processor: Web hosting services
2. Name and contact details of the data processor:
3 in 1 Hosting Bt. (Limited Partnership).
Address: 2310 Szigetszentmiklós, Brassó u. 4/A.
Email: admin@megacp.com
Phone: +36 21 200 00 40

3. The fact of data processing, the scope of managed data: All personal data provided by the data subject.
4. Scope of data subjects: All individuals using the website.
5. Purpose of data processing: Making the website accessible and ensuring its proper operation.
6. Duration of data processing, deadline for data deletion: Data processing continues until the termination of the agreement between the data controller and the web hosting service provider, or until the data subject's request for deletion to the web hosting service provider.
7. Legal basis for data processing: Article 6(1) points (c) and (f), and Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society.

Management of Cookies


1. The fact of data processing, the scope of managed data: Unique identifier numbers, dates, times
2. Scope of data subjects: All visitors to the website.
3. Purpose of data processing: Identifying users and tracking visitors.
4. Duration of data processing, deadline for data deletion:
Type of Cookie: Session cookies; Persistent or saved cookies
Legal basis for data processing: Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (Ecom Act)
Duration of data processing: For the duration of the related visitor session (session cookies); until deletion by the data subject, up to a maximum of 30 days (persistent or saved cookies)
Managed data: connect.sid

5. The persons entitled to know the data: The data controller does not process personal data through the use of cookies.
6. Description of data subjects' rights related to data processing: Data subjects have the option to delete cookies in the Tools/Settings menu of browsers, typically under the Privacy settings.
7. Legal basis for data processing: Consent from the data subject is not required if the sole purpose of using cookies is to transmit communications over an electronic communications network or if it is strictly necessary for the provider to provide an information society service explicitly requested by the subscriber or user.

Use of Google Ads (AdWords) Conversion Tracking


1. The Data Controller uses the online advertising program "Google Ads (AdWords)" and utilizes Google's conversion tracking service within its framework. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google").
2. When a User accesses a webpage via a Google ad, a cookie necessary for conversion tracking is placed on their computer. These cookies have a limited validity, contain no personal data, and thus, the User cannot be identified through them.
3. When the User browses certain pages of the website and the cookie has not yet expired, both Google and the Data Controller can see that the User clicked on the ad.
4. Each Google Ads (AdWords) client receives a different cookie, so cookies cannot be tracked across the websites of Ads (AdWords) clients.
5. The information obtained with the help of conversion tracking cookies is used to create conversion statistics for Ads (AdWords) clients who have opted for conversion tracking. This way, clients are informed about the number of users who have clicked on their advertisement and were redirected to a page tagged with a conversion tracking tag. However, they do not gain access to information that could personally identify any user.
6. If you do not wish to participate in conversion tracking, you can reject this by disabling the installation of cookies in your browser settings. You will then not be included in the conversion tracking statistics.
7. More information and Google's privacy policy can be found at: www.google.de/policies/privacy/

Use of Google Analytics


1. This website uses Google Analytics, a web analytics service provided by Google Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help analyze how users use the site.
2. The information generated by the cookies about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. If IP anonymization is activated on this website, Google will truncate/anonymize the last octet of the IP address for Member States of the European Union as well as for other parties to the Agreement on the European Economic Area.
3. Only in exceptional cases, the full IP address is sent to and shortened by Google servers in the USA. On behalf of the website provider, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators, and providing other services relating to website activity and internet usage to the website provider.
4. Google will not associate your IP address with any other data held by Google within the framework of Google Analytics. You may refuse the use of cookies by selecting the appropriate settings on your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore, you can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available under https://tools.google.com/dlpage/gaoptout?hl=en

Customer Relations


1. The fact of data collection, the scope of managed data, and the purpose of data processing:
Personal Data: Purpose of Data Processing
Name, email address, phone number: Communication, identification, contract fulfillment, business purposes.
2. Scope of data subjects: All individuals who are in contact with the data controller via phone/email/in person or are in a contractual relationship.
3. Duration of data processing, deadline for data deletion: Data processing lasts until the termination of the relationship between the data controller and the data subject or, in the case of claims, for 5 years following the contract.
4. The persons entitled to know the data, the recipients of personal data: Personal data can be managed by the data controller's authorized employees, respecting the principles mentioned above.
5. Description of data subjects' rights related to data processing:
The data subject may request from the data controller access to, rectification, erasure of personal data or restriction of processing concerning the data subject, and
the data subject has the right to data portability and to withdraw consent at any time.

6. Ways the data subject can initiate access to personal data, their deletion, modification, or the restriction of their processing, data portability:
by mail at 8600 Siófok, Beszédes József sétány 73/19.
via email at office@siofokszallas.info,
by phone at +36 20 225 8400.

7. Legal basis for data processing:
7.1. Article 6(1) points (b) and (c) of the GDPR.
7.2. In the case of enforcing claims arising from a contract, according to Section 6:21 of Act V of 2013 on the Civil Code, 5 years.
Section 6:22 [Limitation]
(1) Unless otherwise provided by this Act, claims shall be time-barred after five years.
(2) Limitation commences when the claim becomes due.
(3) Agreement to alter the limitation period must be made in writing.
(4) Agreement to exclude limitation is null and void.
8. Please be informed that:
data processing is necessary for the fulfillment of the contract and to provide an offer.
you are obliged to provide personal data to fulfill your order/other request.
failure to provide data will result in us being unable to process your order/request.

Contact


1. The fact of data collection, the scope of managed data, and the purpose of data processing:
Personal Data: Purpose of Data Processing
Name: Identification
Email Address: Communication, sending response messages
Phone Number: Communication
Content of the Message: Necessary for responding
Time of Contact: Execution of a technical operation
IP Address at the Time of Contact: Execution of a technical operation
The email address does not need to contain personal data.
2. Scope of data subjects: All individuals sending messages through the contact form.
3. Duration of data processing, deadline for data deletion: Until the data subject's request for deletion.
4. The persons entitled to know the data, the recipients of personal data: The personal data can be managed by the data controller's authorized employees.
5. Description of data subjects' rights related to data processing:
The data subject may request from the data controller access to, rectification, erasure of personal data or restriction of processing concerning the data subject, and
the data subject has the right to data portability and to withdraw consent at any time.

6. Ways the data subject can initiate access to personal data, their deletion, modification, or the restriction of their processing, data portability:
by mail at 8600 Siófok, Beszédes József sétány 73/19,
via email at office@siofokszallas.info,
by phone at +36 20 225 8400.

7. Legal basis for data processing: The data subject's consent, Article 6(1) points (a) and (b).
8. Please be informed that
this data processing is based on your consent and is necessary for making contact or providing an offer.
you are obliged to provide personal data to establish contact with us.
failure to provide data will result in the inability to contact the Service Provider.

Guestbook

1. The fact of data collection, the scope of managed data, and the purpose of data processing:
Personal Data: Purpose of Data Processing
Name: Identification
Email Address: Communication, identification
Date, IP Address: Execution of a technical operation
The email address does not need to contain personal data.
2. Scope of data subjects: All individuals writing in the guestbook.
3. Duration of data processing, deadline for data deletion: Until the data subject's request for deletion.
4. The persons entitled to know the data, the recipients of personal data: Personal data can be managed by the data controller's authorized employees.
5. Description of data subjects' rights related to data processing:
The data subject may request from the data controller access to, rectification, erasure of personal data or restriction of processing concerning the data subject, and
the data subject has the right to data portability and to withdraw consent at any time.
6. Ways the data subject can initiate access to personal data, their deletion, modification, or the restriction of their processing, data portability:
by mail at 8600 Siófok, Beszédes József sétány 73/19,
via email at office@siofokszallas.info,
by phone at +36 20 225 8400.

7. Legal basis for data processing: The data subject's consent, Article 6(1) points (a) and (b).
8. Please be informed that
this data processing is based on your consent and
you are obliged to provide personal data in order to write in the guestbook.
failure to provide data will result in the inability to write in the guestbook.

Newsletter, Direct Marketing Activity

1. In accordance with Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, the User may give prior explicit consent to the Service Provider to be contacted at the contact details provided at registration with promotional offers and other mailings.
2. Furthermore, the Customer, keeping in mind the provisions of this notice, may consent to the Service Provider processing their personal data necessary for sending promotional offers.
3. The Service Provider does not send unsolicited advertising messages and the User can unsubscribe from the offers at any time without restriction or justification, free of charge. In this case, the Service Provider deletes all personal data necessary for sending advertising messages from its records and will not contact the User with further promotional offers. The User can unsubscribe from the advertisements by clicking on the link in the message.
4. The fact of data collection, the scope of managed data, and the purpose of data processing:
Personal Data: Purpose of Data Processing
Name, email address: Identification, enabling subscription to the newsletter.
Date of subscription: Execution of a technical operation.
IP address at the time of subscription: Execution of a technical operation.
5. Scope of data subjects: All individuals subscribing to the newsletter.
6. Purpose of data processing: Sending electronic messages containing advertisements (email, SMS, push message) to the data subject, providing information about current news, products, promotions, new features, etc.
7. Duration of data processing, deadline for data deletion: Until the withdrawal of the consent statement, i.e., until unsubscribing from the data processing.
8. The persons entitled to know the data, the recipients of personal data: Personal data can be managed by the data controller's sales and marketing employees, respecting the principles mentioned above.
9. Description of data subjects' rights related to data processing:
The data subject may request from the data controller access to, rectification, erasure of personal data or restriction of processing concerning the data subject, and
the data subject has the right to object to the processing of their personal data and
the data subject has the right to data portability and to withdraw consent at any time.

10. Ways the data subject can initiate access to personal data, their deletion, modification, or the restriction of their processing, data portability, or their objection:
by mail at 8600 Siófok, Beszédes József sétány 73/19,
via email at office@siofokszallas.info,
by phone at +36 20 225 8400.

11. The data subject can unsubscribe from the newsletter at any time, free of charge.
12. Data processor used during data processing:
Company Name: E.N.S Information Technology and System Integration Plc.
Address: 1106 Budapest, Fehér út 10.
CEO: Balázs Nádasdy-Nagy, and COO: Dr. Julianna Koppány
Email: adatkezeles@ens.hu, info@ens.hu
Phone: +36 (20) 222 0011

13. Legal basis for data processing: The data subject's consent, Article 6(1) points (a) and (f), and Section 6(5) of Act XLVIII of 2008:
The advertiser, the advertising service provider, and the publisher of the advertisement shall keep a record of the personal data of individuals who have made a consent statement with them. The data recorded in this register - relating to the addressee of the advertisement - can only be processed in accordance with the consent statement until its withdrawal, and can only be transferred to a third party with the prior consent of the person concerned.
14. Please be informed that
data processing is based on your consent.
you are obliged to provide personal data if you wish to receive our newsletter.
failure to provide data will result in us being unable to send you a newsletter.

Complaint Handling


1. The fact of data collection, the scope of managed data, and the purpose of data processing:
Personal Data: Purpose of Data Processing
First and Last Name: Identification, communication.
Email Address: Communication.
Phone Number: Communication.
Billing Name and Address: Identification, handling quality objections, questions, and issues related to services.
2. Scope of data subjects: All individuals who have quality objections or complaints regarding the hotel's services.
3. Duration of data processing, deadline for data deletion: According to Section 17/A (7) of Act CLV of 1997 on Consumer Protection, records, transcripts, and copies of responses to the recorded objections must be retained for 5 years.
4. The persons entitled to know the data, the recipients of personal data: Personal data can be managed by the data controller's sales and marketing employees, respecting the principles mentioned above.
5. Description of data subjects' rights related to data processing:
The data subject may request from the data controller access to, rectification, erasure of personal data or restriction of processing concerning the data subject, and
the data subject has the right to object to the processing of such personal data, and
the data subject has the right to data portability and to withdraw consent at any time.

6. Ways the data subject can initiate access to personal data, their deletion, modification, or the restriction of their processing, data portability, or object to data processing:
by mail at 8600 Siófok, Beszédes József sétány 73/19,
via email at office@siofokszallas.info,
by phone at +36 20 225 8400.

7. Legal basis for data processing: Article 6(1) point (c) and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.
8. Please be informed that
providing personal data is based on a contractual obligation.
handling personal data is a prerequisite for entering into a contract.
you are obliged to provide personal data so we can handle your complaint.
failure to provide data will result in our inability to handle the complaint submitted to us.

Internal Data Protection (Form)


1. Legal basis for data processing: Article 6(1) point (c) of the GDPR.
2. Purpose of data processing: Compliance with legal requirements related to the tourist tax.
3. Duration of data processing, deadline for data deletion: Until the competent authority can verify the fulfillment of obligations defined in the respective laws, and in the case of a contract, until December 31 of the 7th year following the given year, in accordance with Section 169 (2) of Act C of 2000 on Accounting.
4. Scope of managed data: Name, email, address, identification number, nationality, date of birth, license plate number, other personal data.
5. The persons entitled to know the data, the recipients of personal data: Personal data can be managed by the data controller's employees, respecting the principles mentioned above.
6. Description of data subjects' rights related to data processing:
The data subject may request from the data controller access to, rectification, erasure of personal data or restriction of processing concerning the data subject, and
the data subject has the right to data portability and to withdraw consent at any time.

9. Ways the data subject can initiate access to personal data, their deletion, modification, or the restriction of their processing, data portability:
by mail at 8600 Siófok, Beszédes József sétány 73/19,
via email at office@siofokszallas.info,
by phone at +36 20 225 8400.

Social Media


1. The fact of data collection, the scope of managed data: Names registered on social media platforms such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., and the user's public profile picture.
2. Scope of data subjects: All individuals who have registered on social media platforms like Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., and have "liked" the website.
3. Purpose of data collection: Sharing, "liking", or promoting certain content elements, products, promotions of the website, or the website itself on social media platforms.
4. Duration of data processing, deadline for data deletion, the persons entitled to know the data, and description of data subjects' rights related to data processing: The data subject can find information about the source of the data, its management, the method and legal basis of its transfer on the respective social media platform. Data processing is conducted on social media platforms, thus the duration, method of data processing, and the options for data deletion and modification are governed by the regulations of the respective social media platform.
5. Legal basis for data processing: The voluntary consent of the data subject to the processing of their personal data on social media platforms.

Customer Relations and Other Data Processing


1. If any questions or problems arise during the use of the data controller's services, the data subject can contact the data controller through the means provided on the website (phone, email, social media platforms, etc.).
2. The data controller deletes the emails, messages, and data provided via phone, Facebook, etc., along with the inquirer's name and email address, as well as any other voluntarily provided personal data, within a maximum of 2 years from the date of data communication.
3. For data processing not listed in this notice, information will be provided at the time of data collection.
4. In exceptional cases of official inquiries or inquiries from other organizations under legal authorization, the Service Provider is obliged to provide information, communicate data, transfer data, or make documents available.
5. In these cases, the Service Provider will only disclose personal data to the inquirer to the extent and degree necessary to achieve the purpose of the inquiry, provided that the exact purpose and scope of the data have been specified.

Rights of the Data Subjects

1. Right of Access: You have the right to obtain confirmation from the data controller whether or not personal data concerning you is being processed, and, if that is the case, access to the personal data and the information listed in the regulation.
2. Right to Rectification: You have the right to have the data controller rectify inaccurate personal data concerning you without undue delay. Considering the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to Erasure: You have the right to have the data controller erase personal data concerning you without undue delay, and the data controller has the obligation to erase personal data without undue delay under certain conditions.
4. Right to be Forgotten: If the data controller has made the personal data public and is obliged to erase it, the data controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that you have requested the erasure by such data controllers of any links to, or copy or replication of, those personal data.
5. Right to Restriction of Processing: You have the right to obtain from the data controller restriction of processing where one of the following applies:

- You contest the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of the personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- The data controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;
- You have objected to processing, pending verification of whether the legitimate grounds of the data controller override yours.
6. Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided.
7. Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions.
8. Right to Object in Direct Marketing: Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
9. Right in relation to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The above does not apply if the decision:

- Is necessary for entering into, or performance of, a contract between you and a data controller;
- Is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- Is based on your explicit consent.

Time Frame for Action


The data controller shall inform you about the actions taken on your requests without undue delay and in any event within 1 month of receipt of the request.
This period may be extended by 2 months where necessary, taking into account the complexity and number of the requests. The data controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.
If the data controller does not take action on your request, they will inform you without delay and at the latest within one month of receipt of the request, of the reasons for not taking action and on your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

Data Security Measures


The data controller and the data processor, taking into account the state of technology and the costs of implementation, as well as the nature, scope, context, and purposes of data processing along with the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among others, as appropriate:

a) the pseudonymization and encryption of personal data;
b) ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Specific data security measures implemented by the data controller:
The accommodations use the VENDÉGEM guest registration application operated by the HUNGARIAN TOURISM AGENCY LTD. (1027 Budapest, Kacsa utca 15-23., Tel.: +36 1 488 8700, Email: info@mtu.gov.hu) for managing guest traffic, statistical services, and use the Számlázz.hu website operated by KBOSS.HU Ltd. (1031 Budapest, Záhony utca 7., Email: info@szamlazz.hu) for invoicing-related tasks.
The protection of personal data is ensured by the following measures:

1. Access to the databases of VENDÉGEM and Számlázz.hu is restricted to the operators of the accommodations and those authorized by them within the applications.
2. Only verified and authentic data can be entered into the system, the integrity of which is verifiable.
3. Protection against unauthorized access to data and unauthorized data entry is ensured.
4. It is possible to check and establish who entered the personal data into the system and when, and whether they modified the data subsequently.
5. Recovery of installed computer systems in case of failure and securing of databases are ensured.

Notification of the Data Subject in the Event of a Data Protection Breach


If a data protection breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the breach without undue delay.

The information provided to the data subject shall clearly and plainly describe the nature of the data protection breach and include the contact details of the data protection officer or another contact point where more information can be obtained; describe the likely consequences of the data protection breach; describe the measures taken or proposed by the data controller to address the data protection breach, including, where appropriate, measures to mitigate its possible adverse effects.

The data subject does not need to be informed if any of the following conditions are met:

- The data controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the data affected by the data protection breach, particularly those that render the data unintelligible to any person who is not authorized to access it, such as encryption.
- The data controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
- Notification would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

If the data controller has not already communicated the data protection breach to the data subject, the supervisory authority, after considering the likelihood of the data protection breach resulting in a high risk, may require the data controller to do so.

Filing a Complaint

In case of any legal infringement by the data controller, a complaint can be filed with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary
Mailing address: 1530 Budapest, PO Box: 5, Hungary
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

Conclusion


In preparing this information, we have taken into account the following legislation:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act).
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (particularly Section 13/A).
Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers.
Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activity (especially Section 6).
Act XC of 2005 on the Freedom of Electronic Information.
Act C of 2003 on Electronic Communications (specifically Section 155).
Opinion 16/2011 on the EASA/IAB Best Practice Recommendation on Online Behavioural Advertising.
The recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of preliminary information.