Wellness Hotel Gyula **** Superior

Privacy and Data Management Policy

 

General provisions

I. Details of the provider as Data Controller

 

Hotel Gyula Limited Company

headquarters: 5700 Gyula, Part street 5.

Company Registration Number: Cg. 04-09-009911

led by the Court of Registration of the Gyula Tribunal

Tax ID: 22664747-2-04

phone number: (66) 463-522

email:   info@wellnesshotelgyula.hu

Representative: István Havasi Managing Director  

(hereinafter referred to as "Data Controller")

 

The Data such as the Wellness Hotel Gyula **** Superior (hereinafter referred to as Hotel) operator informs clients, guests and website visitors (hereinafter referred to collectively as relevant (s), user (s) or guest (s)) to it respects the personal rights of its guests, and therefore, in the course of its data management, proceeds in accordance with the following data management regulations (hereinafter: the Rules). The Data Controller reserves the right to change the Policy due to the alignment of the Policy with the current legal background and other internal regulations. The current version of the Privacy Policy is available at www.wellnesshotelgyula.hu and is also available on paper at the hotel reception.

 

This policy regulates the data management activities related to the services provided by the Wellness Hotel Gyula **** Superior hotel, located at 5700 Gyula, Part street 5.

 I. OBJECTIVE OF THE REGULATION

 

1. The primary purpose of this policy is to define and adhere to the basic principles and provisions for the management of the data of the natural persons contacting the Hotel in order to protect the privacy of natural persons in accordance with the relevant statutory regulations.

 

2. Referring to Section I.1, the purpose of this Policy is to ensure that the Hotel complies with all applicable privacy laws and regulations, and in particular but not exclusively.
• CXII of 2011 on Information Self-Determination and Freedom of Information and GDPR,
• CVIII of 2001 on certain aspects of electronic commerce services and information society services; law,
• on the Prohibition of Unfair Commercial Practices against Consumers law,
• of Act XLVIII of 2008 on the Essential Conditions and Certain Limitations of Economic Advertising Activities law.

 

3. The Data Controller, therefore, attaches the utmost importance to being committed to the provision of information self-determination and freedom of information by CXII. protect your privacy and respect your right to information self-determination. In this respect, it will contribute to the creation of safe Internet opportunities for those concerned by fully complying with the relevant legislation in force.

 II. SCOPE OF RULES

 

1. Temporal Scope: This Policy is effective from October 28, 2015, until further notice until revocation. Last modified May 25, 2018

 

2. Personal Scope: The scope of this Policy extends to the Hotel, the persons whose details are contained in the data processing covered by this Policy and those whose rights or legitimate interests are affected by the data management.

 

3. Subject matter: The scope of this Policy extends to the processing of all personal data in all organizational units of the Hotel.

 III. DEFINITIONS

 

• Affected or User or Guest: any natural person identified or identified directly or indirectly by personal data;
• Personal data: data relating to the data subject, in particular, the name of the data subject, his identification mark and knowledge of one or more physical, physiological, mental, economic, cultural or social identities, and the conclusion drawn from the data relating to the data subject;
• Hotel: Wellness Hotel Gyula **** Superior, located at 5700 Gyula, Part street 5, operated by Data Controller;
• Contribution: a voluntary and decisive declaration of the will of the data subject based on appropriate information and with unambiguous consent to the processing of personal data relating to him or her, wholly or in part;
• Data Controller: a natural or legal person, or an entity without legal personality, who, either individually or together with others, determines the purpose of data management, makes and implements decisions on data management (including the equipment used), or implements it with a data processor entrusted to it. , from this point of view and from the point of view of the Hotel, data manager: Hotel Gyula Limited Company, seat: 5700 Gyula, Part street 5, registration number: Cg. 04-09-009911, tax number: 22664747-2-04;
• Data management : any operation or operation performed on data, irrespective of the procedure used, including, in particular, collection, recording, recording, systematization, storage, alteration, use, querying, transmission, disclosure, coordination or interconnection, blocking, deletion and destruction; preventing further use of the data, taking photographs, sound or images, and recording physical characteristics suitable for identifying the person;
• Transmission of data: making data available to a specific third party;
• Data processing: performing technical tasks related to data management operations, irrespective of the method and means used to perform the operations and the location of the application, provided that the technical task is performed on the data;
• Data deletion: making data unrecognizable in such a way that their recovery is no longer possible;
• Data blocking: for the purpose of limiting the further processing of the data with an identifier for a definitive or definite period of time;
• Data Destruction: Complete physical destruction of media containing data
• Data set: a set of data processed in a register;
• The third person means any natural or legal person or organization without legal personality who or which is not the subject, the data controller or data processor;
• Data Protection Incident: unlawful handling or processing of personal data, including in particularly unauthorized access, alteration, transmission, disclosure, deletion or destruction, and accidental destruction and damage;
• Website: www.wellneshotelgyula.hu portal and all sub-pages operated by Data Controller;
• Facebook page: https://www.facebook.com/Wellness-Hotel-Gyula-superior-175641702478608/, which is managed by the Data Controller.

 IV. PRINCIPLES OF DATA MANAGEMENT

 

1. Proportionality, necessity principle: Only personal data that is indispensable for the purpose of data management can be handled to achieve the goal. Personal data can only be managed to the extent and for the time necessary to achieve the goal.

 

2. The principle of purpose limitation: Personal data may only be processed for a specific purpose, for the purpose of exercising rights and fulfilling an obligation. At every stage of data management, the purpose of data management must be met, the recording and processing of data must be fair and lawful.

 

3. Personal data in the course of data management retains this quality as long as your relationship with the affected person can be restored. The contact can be restored if the data controller has the technical conditions needed for recovery.
4. During data management, the accuracy, completeness of the data and, if necessary, for the purpose of data management, its up-to-date information, and that the data subject can only be identified for the time necessary for the purpose of data management, shall be ensured.

 

5. The principle of volunteering: Data provision by the data subject is voluntary. The Data Controller handles the personal data with the consent of the data subject. Voluntary consent, as an agreement, should be understood as the user behaviour by which the user accepts the use of the website for all the rules relating to the use of the website.

 V. DECLARATIONS BY THE DATA MANAGER

 

1. The Data Controller declares that
1. in the course of data management, the CXII of 2011 on the right to self-determination and the freedom of information; Act and GDPR.
2. personal data received by the Data Controller in the course of data management shall be known only to those persons working with the Data Controller who has the task of dealing with the given data management.
3. ensure that the rules in force at all times are accessible to the data subject, thereby enforcing the principle of transparency.
4. the website manages the personal data of the visitors in a confidential manner, in accordance with the legal regulations in force, ensures their safety, takes technical and organizational measures, and establishes procedural rules to fully comply with the principles of data protection.
5. the personal data of the Hotel occupants will be treated confidentially, in accordance with the legal regulations in force, they will ensure their safety, take technical and organizational measures, and establish procedural rules to fully comply with the principles of data protection.
6. it shall take all appropriate measures to support the management of data and other secure data relating to data storage, processing and data transmission in order to preserve the data it manages.
7. as he expects, he will do his best to protect the personal data he/she manages from unauthorized access, alteration, disclosure, deletion, injury, or destruction, in order to guarantee the necessary technical conditions.
8. does not verify the personal information provided to him or her;
9. communicates personal data to a third party only exceptionally and in the event that the data subject expressly consents to it or is permitted by law, and if the terms of data management are subject to each personal data They met.
10. it only carries out activities in Hungary, does not belong to a multinational hotel chain, therefore it is not necessary to introduce and operate mandatory organizational regulations.
11. forward personal data to a data controller or data processor in a third country in accordance with the information contained in the Data Register.
12. keeps records for the purposes of monitoring the data protection incident and informing the data subject, including the scope of the personal data concerned, the number and number of data subject affected by the data protection incident, the date, circumstances, effects of the data protection incident and measures taken to prevent it, as well as the law governing data management other specified data.

 

2. The Data Controller shall exclude the Data Controller's liability for the lawfulness of the data processing of the contractual partner who has a legal relationship with the Data Controller.

 

3. By using appropriate security measures to protect personal data stored in automated data files, the Data Controller shall ensure that accidental or unlawful destruction or accidental loss as well as unauthorized access, alteration, or distribution is prevented.

 VI. RELATIONSHIP WITH DATA MANAGEMENT AND DATA

 

The data management activities and the scope of personal data are included in the Data Register along with the data management objectives.

 

1. VI. 1 Hotel services

 

1. In the field of hotel service provision - such as requesting quotation, ordering and booking, logging, managing the database of the magnetic card access system, booking, frequent flyer program, quality assurance, operation of the camera system, bicycle rental, babysitting, use of Visit Gyula Card, and marketing activities to promote the hotel service. The management of all data relating to the person concerned is based on voluntary consent, and the macro-objective is to ensure the provision of the service and to maintain contact. Each well-defined data management goals are defined by Data Register, together with an indication of the retention time of the relevant personal data.  

 

VI. 2 Request for ¹

 

1. In the case of a request for quotation via the website, the Data Controller requests the following information from the Guest:

• Name*
• E-mail*
• Phone *
• City*
• Postal code *
• Title*
• Date of Arrival *
• Date of departure *
• The number of adults*
• Number of children
• Room Type *
• Supply*
• Payment*
• Comment

 

The inquiry is voluntary.

 

1. The activity and process involved in data management are:
1. By clicking on the "Pricing Periods" or "Featured Period Offers" or " Daily Portal Rates" or other periodic offers (e.g. Summer Offers) on the website "PRICES, ACTIVITIES" or "Periodic Offers" (e.g. Summer Offers) By clicking on the button, you will be able to reach the surface of the website where you have the opportunity to provide the information specified in point VI.2.1, as well as the reservation and cancellation conditions and this data management policy. After entering the data, accepting the terms and conditions, and pressing the "Next" button, you can send the named data to the Data Controller.
2. Data sent to the Data Controller at the Data Controller front office manager, reservation Agent and employees working in sales jobs are treated using the ZADIR Host ware programs and who recorded the information received, the relevant work out an offer for that e-mail was sent out to it.

 

VI.3 Room Bookings ²

 

1. When booking a room, Data Manager requests the following information from the Guest:

• Name*
• E-mail*
• Phone *
• Date of Arrival *
• Date of departure *
• The number of adults*
• Number of children
• Room Type *
• Postal code *
• City *
• Street Address*
• Payment*
• Message to the hotel

 

1. The activity and process involved in data management are:
1. If the data subject accepts the offer and informs the Data Controller about it orally or in writing, the Data Controller will take the steps related to the reservation.
2. The front office employed by the Data Controller in his employment manager, reservation Agent and Sales Worker enters the data provided by the affected person into Host ware Front Office and connects them to a specific room in the hotel to create a room reservation.
3. Occupation of the room shall be notified in writing to the person concerned by the employee specified above.

 

VI.4 Login and notification page ³

 

1. Upon arrival at the Hotel, he / she completes a hotel notification form prior to occupying his / her reserved room, in which he/she agrees that the Data Controller will comply with his / her obligations specified in relevant legislation (in particular foreign law and tourist tax legislation) and proof of fulfilment, furthermore, for the purposes of identifying the Guest, you must treat it as long as the competent authority can verify the fulfilment of the obligations laid down in the relevant legislation:

• Last name*
• First Name *
• Company name
• Vehicle registration number
• Home address*
• Nationality*
• Date of birth*
• Date of Arrival *
• Day of departure *
• ID number*
• E-mail address
• "Where did you know about the hotel?"

 

1. The provision of mandatory information by the Guest is a condition for the use of hotel services.

 

2. By signing the notification form, the guest agrees that the Data Controller will manage and archive the data submitted by completing the notification form for the purpose of the conclusion or fulfilment of the contract, as well as for the possible claim enforcement within the time period specified above.

 

3. By entering the email address on the notification page, the guest has the opportunity to subscribe to the Data Manager newsletter. For the newsletter, please refer to section VI.6. shall apply.

 

VI. 5 Magnetic Access Control System

 

1. After logging in to the Hotel, the Data Manager of the Data Controller specified in point VI.3.2.b will enter the following Guest information into Sea Guest:

• Last name
• first name

and connects to the following data:

• room number
• Number of magnetic cards
• Date of writing a magnetic card
• Arrival day
• Date of departure

 

1. After this step, the Data Controller of the Data Controller defined in point VI.3.2. (B) will write the magnetic card, i.e. will add the room number and the date of arrival and expected departure to the magnetic card. The magnetic card is not the personal data of the Guest.

 

VI.6 Send newsletter

 

1. Affiliated through the website by email with the information specified below to subscribe to the newsletter.

 

2. The range of data processed ⁴ :

• Last name*
• First Name *
• E-mail address*

 

1. Subscribing to and unsubscribing to the newsletter is voluntary.

 

1. The purpose of data management for newsletter sending is to manage the database for the purpose of sending the newsletter and to provide the recipient with full or customized information about the latest actions of the Data Controller.

 

1. The Data Controller will only send the newsletter with the consent of the data subject.

 

1. The personal data provided shall be stored in a separate list by the Data Controller separately from the data provided to the Data Controller for other purposes; Data Controller Data Processor: Morgens Design Kft. (8800 Nagykanizsa, Csányi László street 2)

 

1. The controller does not transmit the list or the data to a third party, it is unauthorized, and takes all security measures to prevent them from being recognized by an unauthorized person.

 

1. The Data Controller will only handle personal data recorded for e-purposes as long as the data subject does not subscribe to the newsletter list or requests that his / her data be deleted. The Data Manager reviews the newsletter list once a year. An objective deadline for data retention is 4 years.

 

1. The affected person can unsubscribe from the newsletter at any time by sending an e-mail to info@wellneshotelgyula.hu.

 

1. Data Controller provides statistics on the readability of posted newsletters, clicks on the links in newsletters.

 

1. You can sign up for the news feed posted on the Facebook page by clicking on the " like " / "like" link on the page, and you can sign up by clicking on the " dislike " / "dislike" link on the page or delete the message wall settings. unwanted news feeds appearing on the message wall.

 

VI. 7 Use of fitness room ⁵

 

1. Use of the fitness room is voluntary and subject to prior notification.

 

2. The following data is required to use the gym in the operation of a data manager:

• Name and Room Number *

 

1. Data is handled by an employee of the Data Controller in a specific job (reception), who does not transmit the individual data or the entire dataset to a third party and takes all security measures to prevent them from being recognized by an unauthorized person.

 

VI.8 Health-Medicine  

 

1. Only the wellness reception can access the health information required for the health service. Health data can only be handled if the data subject has given his / her explicit consent to the handling of the personal data for one or more specific purposes.

 

2. The Data Controller in the Data Protection Act and the Act XLVII of 1997 on the Handling and Protection of Health and Personal Data Related to them govern the management of health data. in accordance with the law.

 

3. For more information on the management of data collected during healthcare services, the Data Controller provides information to info@wellnesshotelgyula.hu. The data can be deleted by the person concerned.

 

VI.9 Bank card details

 

1. The Data Controller shall use and use the bank/credit card/bank account details provided by the Data Controller to the extent and for the time necessary for the exercise of his / her rights and fulfilment of his / her obligations. The data is managed by the Data Bank's contractual bank partners. You can find out about this data management on the websites of the competent Bank.

 

2. For more information on bank card data managed by certain subsystems of the Data Controller, see Guest at info@wellneshotelgyula.hu.

 

VI.10 Regular Program ⁶

 

1. The Data Controller Regular Program is an exclusive service provided to hotel guests - natural persons - with the aim of providing discounts to returning guests.

 

2. Participation in the regular program is voluntary.

 

3. Participants in the given program will express their explicit consent to the Data Manager handling their personal data provided for this purpose for the purpose of operating the Regular System, or specifically for the purpose of sending newsletters to regulars. Based on this consent, the processing of the transferred personal data will continue until the person concerned participates in the program.

 

4. Membership status of the Frequent Customer Program becomes inactive after 5 (five) years of the last hotel service. The Data Manager stores the personal data of the member for a period specified in the relevant tax and accounting regulations and deletes them after the deadline.

 

5. Personal data handled by programs is used to keep in touch. In your programs, you can manage the following personal information in Data Manager:

• name*
• title*
• b. date*
• eye. identity card number*
• passport*
• license plate number
• stay time

1. The Data Controller stores the data provided in a separate data file separately from other specified data. This dataset can only be accessed by employees authorized by the Data Controller.

 

1. The Data Controller forwards the individual data or the entire dataset to its Data Processor, who is Morgens Design Kft. (8800 Nagykanizsa, Csányi László street 2.)

 

8. Regular (natural persons) data may be used for market research purposes, but this particular Regular must be informed in advance and subject to prior consent.

 

1. The Data Manager deletes the data managed by the regular program at the request of the e-mail address info@wellneshotelgyula.hu.

 

VI.11 Gift Vouchers ⁷

 

1. The hotel allows the guest to buy various gift vouchers that can be used for the value of the hotel at the given value.

 

2. Ordering and using the gift voucher is voluntary.

 

3. Ordering a gift voucher and a range of data affected by data management:

• customer name
• Buyer's email address
• customer phone number
• buyer mailing address (country, zip code, city, street, house number)
• customer billing address (country, zip code, city, street, house number)
• buyer's IP address (online ID)
• the name of the gift (s )

 

1. The Data Controller issues an invoice for the amount of the matched and ordered voucher, and after receipt of the amount, it issues a numbered voucher and then delivers it to the specified address.

 

1. The personal data entered is stored in a separate file by the Data Controller separately from other specified data. This dataset can only be accessed by employees authorized by the Data Controller.

 

1. The Data Controller forwards the individual data or the entire dataset to its Data Processor, who is Morgens Design Kft. (8800 Nagykanizsa, Csányi László street 2.)

 

7. The Data Controller stores the data for a period of time in accordance with the applicable tax and accounting regulations and deletes them after such deadline.

 

1. For more information on data management related to the Gift voucher, please contact the Data Manager for further information sent to the e-mail address info@wellnesshotelgyula.hu. The deletion from the file is also available here.

 

VI:11 Guestbook

 

1. Stakeholders can give their views online in order to improve the quality of the service.

 

2. The range of data processed is:

• Name of the person concerned
• His e-mail addresses
• concerned.

 

1. It is not mandatory to provide the data, but only to investigate the possible complaints and to provide the Data Manager with the response to the guest.

 

1. The data obtained in this manner and any related data not related to the given Guest, which may not be associated with the Guest, may be used by the Data Controller for statistical purposes.

 

1. The personal data entered is stored in a separate file by the Data Controller separately from other specified data. This dataset can only be accessed by employees authorized by the Data Controller.

 

1. The Data Controller forwards the individual data or the entire dataset to its Data Processor, who is Morgens Design Kft. (8800 Nagykanizsa, Csányi László street 2.)

 

VI.12 camera System

 

1. Cameras operated by the Data Controller are operated by cameras for the personal and property security of the guests; With respect to the lawful operation of the Surveillance System, the Data Controller shall act in accordance with the provisions of these Regulations and the Camera Rules and make them available to those affected.
2. The range of data processed: The touch screen captured by the camera system being operated.

 

3. Special rules for operating the Camera Surveillance System:
1. In accordance with the provisions of these Rules, a separate policy is applicable to the camera surveillance system, the version of which is always in force at the reception of the Hotel.
2. The camera system records an image.
3. The purpose of data management: personal and property security.
4. The place of storage of the recording is the hotel located at the address of 5700 Gyula, Part street operated by the Data Manager.
5. The legal basis for data management is the voluntary consent of the data subject on the basis of information provided by the Operator in the form of tables. The contribution may also be provided in the form of implicit conduct. In particular, the person concerned enters or is present in the units affected by the camera surveillance system.
6. The Operator shall ensure that the personal data of the person concerned, and in particular his privacy and privacy, are protected from unauthorized access.
7. It is not possible to use an electronic surveillance system in a place where the observation may violate human dignity, especially in changing rooms, showers and washbasins, toilets and rest areas. Camera surveillance is proportionate to its purpose, unlimited and direct monitoring is not performed by the Data Controller.
8. Duration of recording: The recorded image should be destroyed or deleted no more than 3 working days after recording, if not used. It is considered to be used if the recorded image and other personal data are used as evidence in judicial or other official proceedings.
9. Those whose rights or legitimate interests are affected by the recording of their personal data or other personal data may, within 15 working days of their recording, justify their right or legitimate interest not to destroy or delete their data.
10. At the request of a court or other authority, the recorded record and other personal data shall be sent to the court or authority without delay. If within thirty days of the request, non-destruction has been requested, the recorded image and other personal data shall be destroyed or deleted, unless the time limit specified in the Code has expired.

 

VI.13 Facebook page

 

1. The purpose of data management is to exploit the potential of the community site to promote the Hotel.

 

2. By clicking on the " like " link on the Facebook page of the Data Controller, the data subject agrees to publish the data manager's news and offers on his / her own message board.

 

3. You also publish photos / movies on various events / hotels / fitness clubs / restaurants on Facebook's data manager page, etc. If it is not a mass record, the Data Controller will always ask for the written consent of the data subject before publishing the images.

 

4. The Facebook page of data management information to the Facebook privacy policy and regulations provide in the website www.facebook.com get at.   

 

VI.14 Website Visiting Data

 

Links and links

1. The Data Controller's website may contain links that are not operated by the Data Controller but serve only to inform visitors. The Data Controller has no influence on the content and security of the websites operated by the partner companies, so it is not responsible for them.

 

2. Please review the Privacy Policy and Privacy Statement of the pages you visit before you submit your data on any particular page.

 

Analytics, cookies

1. The Data Controller uses an analytical tool to track your web pages, creating a series of data and tracking how visitors use the web pages. When viewing a page, the system creates a cookie with the purpose of capturing information about the visit (our visited pages, time spent on our pages, browsing data, exits, etc.), which, however, are not related to the visitor's person. This tool helps to improve the website's ergonomics, create a user-friendly website, and enhance the visitor's online experience. Data Manager does not use analytical systems to collect personal information. Most web browsers automatically accept cookies however, visitors have the option to delete them or reject them automatically. Because all browsers are different, the visitor can individually set the preferences for the cookie using the browser toolbar. You may not be able to use certain features on our website if you choose not to accept cookies.  
2. The website session, that session cookies (small data packet) is used, which is the particular session pending created valid, so the visit duration, then automatically deleted from the user's computer. The so-called. cookie for website security, for user-friendly solutions for higher user experience.
3. The technological background of the site required for the operation of the website is provided by MORGENS Design Kft. (Headquarters: 8800 Nagykanizsa, Csányi László u. 2, Tax number: 23964710-2-20) as a Data Processor.

 

VI.14 STORING PERSONAL DATA, SECURITY OF INFORMATION

 

Personal data only in VI. in accordance with the activities of Chapter II may be managed in accordance with the purpose of the data management.

 

1. The goals, legal basis and duration of data management are included in the Data Register.

 

2. Modify and delete personal data, withdrawal of voluntary contributions, as well as treatment of personal data information at the request of the info@wellnesshotelgyula.hu is possible by giving notice to availability.

 

3. Data Manager ensures data security. To this end, it shall take the necessary technical and organizational measures, establish procedural rules and comply with them.

 

4. The Data Controller protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against unavailability due to accidental destruction and damage to the technique used.

 

5. The Data Controller shall ensure the enforcement of the data security rules by means of rules, instructions and procedural rules separate from the present Rules.

 

6. In order to enforce data security conditions, the Data Controller shall ensure the proper preparation of the Employees concerned.

 

7. The Data Controller takes into account the state of the art in the definition and application of data security measures and chooses more than one possible data management solution that provides a higher level of protection of personal data unless it would be a disproportionate difficulty.

 

8. In particular, the Data Controller shall, in the context of its IT security tasks:

• Measures to protect against unauthorized access, including protection of software and hardware devices, and physical protection (access protection, network protection);
• Measures to enable the recovery of data files, including regular backups and separate, secure handling of copies (mirroring, backup);
• Protection of data files against viruses (virus protection);
• Physical protection of data files and devices carrying them, including protection against fire damage, water damage, lightning strikes, other elementary damage, and recoverability of damage caused by such events (archiving, fire protection).

 

1. The Data Controller provides the required level of protection during the request or protest of the data concerned, especially in the storage, correction, deletion of the data.

 

1. Transmission of data is carried out with the consent of the data subject, without prejudice to the interests of the data subject, in full compliance with an adequate IT system, while respecting the purpose, legal basis and principles of data management. The Data Controller shall not forward the personal data of the data subject without his consent and shall not make it available to a third party unless required by law.

11. Any other unidentifiable, non-anonymous, data that is directly or indirectly unrelated to it will not be considered personal data.

 

VI.15 EXERCISE OF RELATED RIGHTS

In the case of exercising the rights of the data subject, the Data Controller shall ensure the investigation of the request encompassing the e-mail address info@wellnesshotelgyula.hu and the reply to it at the latest 30 days in the following cases:

1) The right of Access = The data subject is entitled to receive feedback from the controller on whether personal data are being processed and, if such data is being processed, to have access to personal data and the following information:

 

• according to the data management goals/data management table /;
• the categories of personal data concerned / personal data - sensitive data, as specified in the data management table /;
• the categories of recipients or recipients with whom or with whom personal data were or will be communicated / as set out in the data management table /;
• where applicable, the planned duration of the storage of personal data or, if this is not possible, the criteria for determining that period / as set out in the archiving policy and data management table /;
• the right of the data subject to a request from the controller the rectification, erasure or restriction of personal data relating to him or her and to object to the processing of such personal data;
• the right to lodge a complaint with a supervisory authority;
• if the data were not collected from the data subject, any available information/data transmission of their source as indirect data collection /;
• automated decision-making, including profiling, and at least in these cases the logic used and understandable information on the importance of such data management and the expected consequences for the data subject.

 

2) Correction and deletion

 

a) Correction:

The data subject shall have the right, at his request, to correct the inaccurate personal data relating to him without undue delay. Taking into account the purpose of data management, the data subject is entitled to request the addition of incomplete personal data, including by means of a supplementary declaration.

 

b) Delete

In the following cases, the Data Controller must delete the data without consideration:

Upon request, the data subject shall have the right to delete the personal data relating to him without undue delay, and the controller shall delete the personal data relating to the data subject without undue delay if one of the following grounds exists:

 

• Personal data are no longer needed for the purpose for which they were collected or otherwise handled. At the end of the data management period, personal data must be deleted.
• The data subject's consent is revoked by the data subject and there is no other legal basis for data management. The Data Controller must confirm the existence of his / her consent to the data management concerned. The data subject has the right to withdraw his consent at any moment. This provision applies only to cases where the data subject's consent is the legal basis for data processing.
• The data subject protests against data management and there are no legal reason for data management (e.g. statutory reasons) or if personal data is processed for direct marketing (e.g. newsletter, direct marketing) and the person concerned protests against its data for this purpose, the data must be deleted.
• Personal data have been unlawfully treated (e.g. lack of legal basis for data management (e.g. consent of the data subject), data processed over time, data transmitted without informing the data subject, etc.).
• Personal data must be deleted in order to fulfil a legal obligation under EU or Member State law applicable to the controller;
• Personal information was collected for information society services for children.

 

Exceptions to deletion:

 

The controller is not required to perform the deletion if the data management is necessary:

a) To exercise the right to freedom of expression and information;

(b) fulfilment of an obligation under Union or Member State law which governs the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of the official authority conferred on the controller; (e.g. data management under employment contracts)

(c) on grounds of public interest in the field of public health;

(d) for purposes of archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where such deletion is likely to render such processing impossible or seriously jeopardized;

e) Submitting, enforcing or protecting legal claims.

 

3) The right to restrict data management

 

The data subject shall have the right to limit the data controller's request if one of the following is fulfilled:

• the person concerned disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the controller to verify the accuracy of the personal data;
• data processing is illegal, but the data subject is against the deletion of the data and instead asks for a restriction on their use;
• the data controller no longer needs personal data for data management purposes, but the data subject requests them for the submission, validation or protection of legal claims; or
• the data subject objected to; in this case, the limitation shall apply for the period until it is established whether the legitimate reasons of the controller prevail over the legitimate reasons of the data subject.

 

The controller shall inform the data subject at whose request the data management has been limited, of the lifting of the restriction on data management.

 

4) The right to data storage - NEW JOG

 

The data subject shall be entitled to receive personal data concerning him / her which is made available to him / her by a data controller in a distributed, widely used, machine-readable format and shall be entitled to forward such data to another data controller without being hindered by the controller whose provided personal information to your if

• data processing is based solely on the consent or contract of the data subject and
• data management is automated. (non-paper based) e.g. e-mail address, username, age specified during registration

 

5) Right to protest

 

The data subject may, at any time, object to the processing of his or her personal data for reasons related to his / her situation if

• data processing is necessary for the performance of a task carried out in the public interest or in the exercise of a public authority delegated to the controller;
• data processing is necessary for the legitimate interests of the data controller or a third party unless such interests have priority over the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, especially if the child concerned and
• including profiling.

 

In this case, the data controller may not further process (delete) the personal data unless the controller proves that the data management is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject or which bring legal claims related to their validation or protection.

 

If the processing of personal data is done for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data relating to him or her, including profiling, if related to direct marketing. If the data subject objects to the handling of personal data for the purpose of direct marketing, personal data will no longer be processed for this purpose. (Data must be deleted).

 

 

1. VII.              DATA PROTECTION INCIDENTS NOTICE SYSTEM

 

1. Privacy Incident: A breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data transmitted, stored or otherwise processed.

 

2. Notification of the privacy incident to the supervisory authority

 

• The Data Protection Incident will be notified by the Data Controller without undue delay and, if possible, no later than 72 hours after the data protection incident has come to its knowledge, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.
• The Data Processor shall notify the Data Controller without undue delay after becoming aware of the data protection incident. (24 hours maximum)
• Notification Form:

 

Privacy Incident Notification Tab National Authority for Data Protection and Freedom of Information

criterion

1. Nature of the data protection incident, including, if possible, the categories and approximate number of data subjects and the categories and the approximate amount of data affected by the incident; Explanation: According to Data Register

2. Name and contact details of the DPO or other contact person providing further information;

3. The likely consequences of a data protection incident; Explanation: data loss, probable damage, etc.

4. Measures were taken or planned by the controller to remedy a data protection incident, including, where appropriate, measures to mitigate any adverse consequences of a data protection incident Explanation: IT measures, contact with the person concerned, criminal record etc.

 

• If and if it is not possible to communicate the information at the same time, they may be communicated in instalments without further undue delay.
• The Data Controller registers data protection incidents, indicating facts, effects, and actions taken to remedy the data protection incident.

Form:

 

Privacy incident time	Description of a privacy incident	Effects of a privacy incident	Measures against a privacy incident

 

Created / validated

Date, signature

 

1. Informing the data subject of the privacy incident

 

• If a data protection incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay (up to 24 hours)
• The information provided to the data subject shall clearly and clearly describe the nature of the data protection incident and the information and measures referred to above shall be communicated.
• The data subject need not be informed if any of the following conditions are met:
• the Data Controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular, the measures such as the use of encryption, which make the access to personal data inexplicable data;
• the Data Controller, following a data protection incident, has taken additional measures to ensure that the high risk referred to in the previous paragraph is reported to be unlikely to materialize to the rights and freedoms of the data subject;
• the information would require a disproportionate effort. In such cases, the persons concerned shall be informed by means of publicly available information or a similar measure shall be taken to ensure that the persons concerned are equally informed.

 

1. VIII.            LEGAL OPTIONS

1. Judicial Enforcement:

• In the case of violation of the rights of the data subject and the protest against the processing of personal data ( Article 21 of the Information Act), the data receiver may apply to the court against the data controller. The court acts out of the case.
• The data controller is obliged to prove that the data management complies with the law. The data bearer must prove the legality of the data transfer.
• If the court approves the application, the data controller obliges the data controller to provide information, correct, block, delete, cancel the decision made by automated data processing, take into account the right of protest of the data subject and issue the data requested by the data receiver.
• The court may order the disclosure of its judgment by publishing the identity of the controller if it is required by the data protection interests and the rights of a greater number of data subjects protected by this Act.

1. In the event of violation of your right to self-determination, you may complain about a complaint or complaint:

National Authority for Data Protection and Freedom of Information

Address: 1125 Budapest, Szilágyi Erzsébet street 22 / c

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Site: http://www.naih.hu

E-mail: ugyfelszolgalat@naih.hu

2. In case of violation of the rights of minors, hatred, exclusionary content, correction, deceased person's rights, violation of reputation, complain, complaint:

National Media and Communications Authority

1015 Budapest, Ostrom u. 23-25.

Mailing address: 1525.

Tel: (061) 457 7100

Fax: (061) 356 5520

E-mail: info@nmhh.hu

 

1. IX.                OTHER PROVISIONS

This policy is effective from May 1, 20185, October 1st.

Appendix: List of Data Processors

enter into force. Budapest, October 2015 Day 1 _______________________

István Havasi

Executive Director

Wellness Hotel Gyula **** Superior

NAME OF THE DATA MANAGEMENT ACTIVITY	ONLINE BOOKING
NAME OF THE DATA PROCESSOR
The name of the data processor	MORGENS Design Kft.
Address of the data processor	8800 Nagykanizsa, Csányi László street 2.
Purpose of data processing on behalf of data controller	the Hosting.eu to allow operation of the online booking module, storage of incoming online bookings in a closed system, booking confirmation Kft. (1144 Budapest, Ormánság street floor 4 X 241) server
The name of the data processor	Rocket Science Group
Address of the data processor	675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308
Purpose of data processing on behalf of the data controller	provide Mandrill electronic mailing feature for recording online booking, making confirmation, using guest ratings
The name of the data processor	OTP Bank Plc.
Address of the data processor	1051 Budapest, Nádor street 16
Purpose of data processing on behalf of the data controller	The company/company operating the accommodation and the OTP Bank Plc. (payment service provider), confirm the status of the transaction
The name of the data processor	OTP Mobil Kft.
Address of the data processor	1093 Budapest, Közraktár u. 30-32.
Purpose of data processing on behalf of the data controller	Providing data communication for the online payment transaction between the host company/company and the SimplePay by OTP Mobil (payment service provider) electronic system, confirmation of transaction status
The name of the data processor	CIB Bank Zrt.
Address of the data processor	1027 Budapest, Medve u. 4-14.
Purpose of data processing on behalf of the data controller	The company/company operating the accommodation and the CIB Bank Zrt. (payment service provider), confirm the status of the transaction
The name of the data processor	BIG FISH Internet Technology Ltd.
Address of the data processor	1066 Budapest, Nyugati square 1-2.
Purpose of data processing on behalf of the data controller	Providing data communication for the online payment transaction between the hosting company/company and the payment system of the Payment Gateway online payment system provider, confirming the status of the transaction

 

 

NAME OF THE DATA MANAGEMENT ACTIVITY	ONLINE OFFER
NAME OF THE DATA PROCESSOR
The name of the data processor	MORGENS Design Kft.
Address of the data processor	8800 Nagykanizsa, Csányi László street 2.
Purpose of data processing on behalf of the data controller	the Hosting.EU operation of the online quotation module, the storage of incoming online inquiries within a closed system, answering inquiries Kft. (1144 Budapest, Ormánság street floor 4 X 241) server to enable
The name of the data processor	Rocket Science Group
Address of the data processor	675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308
Purpose of data processing on behalf of the data controller	provide Mandrill's electronic mailing feature to record online bids, prepare bids, and validity

 

 

NAME OF THE DATA MANAGEMENT ACTIVITY	ONLINE GIFT CONTRACT ORDER
NAME OF THE DATA PROCESSOR
The name of the data processor	MORGENS Design Kft.
Address of the data processor	8800 Nagykanizsa, Csányi László street 2.
Purpose of data processing on behalf of the data controller	the Hosting.EU Kft. (1144 Budapest, Ormánság street floor 4 X 241) server running the online gift certificate ordering module, storage of incoming orders for gift vouchers in a closed system, making it possible to send gift certificates online form
The name of the data processor	Rocket Science Group
Address of the data processor	675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308
Purpose of data processing on behalf of the data controller	provide Mandrill's electronic mailing feature to record online gift vouchers
The name of the data processor	OTP Bank Plc.
Address of the data processor	1051 Budapest, Nádor street 16
Purpose of data processing on behalf of the data controller	The company/company operating the accommodation and the OTP Bank Plc. (payment service provider), confirm the status of the transaction
The name of the data processor	OTP Mobil Kft.
Address of the data processor	1093 Budapest, Közraktár u. 30-32.
Purpose of data processing on behalf of the data controller	Providing data communication for the online payment transaction between the host company/company and the SimplePay by OTP Mobil (payment service provider) electronic system, confirmation of transaction status
The name of the data processor	CIB Bank Zrt.
Address of the data processor	1027 Budapest, Medve u. 4-14.
Purpose of data processing on behalf of the data controller	The company/company operating the accommodation and the CIB Bank Zrt. (payment service provider), confirm the status of the transaction
The name of the data processor	BIG FISH Internet Technology Ltd.
Address of the data processor	1066 Budapest, Nyugati square 1-2.
Purpose of data processing on behalf of the data controller	Providing data communication for the online payment transaction between the hosting company/company and the payment system of the Payment Gateway online payment system provider, confirming the status of the transaction

 

 

NAME OF THE DATA MANAGEMENT ACTIVITY	SIGN UP FOR NEWSLETTER
Name of the managed personal data	Personal information handled for newsletter signing as follows: subscribing name Subscription email address the subscriber IP address (online ID) subscription date source of subscription subscription status subscription status
NAME OF THE DATA PROCESSOR
The name of the data processor	MORGENS Design Kft.
Address of the data processor	8800 Nagykanizsa, Csányi László street 2.
Purpose of data processing on behalf of the data controller	the DotRoll Computer Kft. (1148 Budapest, Fogarasi road 3-5.) closed server, online, password-protected account and Zadír MailR ensure the system storage of the data controller for its entry account specified newsletters in order to
The name of the data processor	E .N . Zrt.
Address of the data processor	1106 Budapest, Fehér road 10. 2nd building. 2. floor
Purpose of data processing on behalf of the data controller	E. N. Zrt. providing servers for sending e-mail function to send email newsletters in order to

 

 

The data marked with 1* are mandatory to be filled in.

Data marked with 2 * are mandatory.

Data marked with 3 * are mandatory.

Data marked with 4 * are mandatory.

Data marked with 5 * are mandatory.

Data marked with 6 * are mandatory.

Data marked with 7 * are mandatory.