Page Title
Privacy and Data Management Policy of Viva Velence Termálpart Kft
INFORMATION FOR GUESTS AND WEBSITE USERS ON THE HANDLING OF THEIR PERSONAL DATA
(effective from 14.09.2021)
The operator of Viva Velence Termálpart Kft. (hereinafter: Accommodation), as Data Controller, for its customers, guests and website visitors - On the protection of natural persons with regard to the management of personal data and the free flow of such data, as well as Regulation 95/46/EC on the basis of the repealing Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter: GDPR) - provides the following information regarding the management of your personal data.
Details of the data controller and the internal data protection officer:
Viva Velence Termálpart Kft.
Contact details:
Email: vivavelence@gmail.com
Website: http://www.vivavelence.hu
Postal address: 1212 Budapest, Határ u. 92.
Phone: +36 20 965 8994
Internal data protection officer: Managing Director Szilvia Józsáné Román
(hereinafter: "Data controller")
The operator of Viva Velence Termálpart Kft. (hereinafter: Accommodation) respects the personal rights of its Guests, and therefore acts in accordance with the following data management information during data processing. The Data Controller reserves the right to change the information - due to its alignment with the legal background and other internal regulations, which will be amended in the meantime. The valid version of the data protection information is available at www.vivavelence.huat website.
This information is available at Béke u. in Venice. It regulates the data management activities related to the services provided by the accommodation named Viva Velence Apartman at No. 56 and accessible through the website.
-
PURPOSE OF DATA MANAGEMENT
The primary purpose of this information sheet is to define and comply with the basic principles and provisions regarding the handling of the data of natural persons and guests who come into contact with the Accommodation, in order to ensure that the private sphere of natural persons is protected in accordance with the relevant legal regulations, and that the data controller informs the guests about the use of the services necessary about the scope of their personal data managed by them, the purpose and method of data management, as well as all other facts related to the management of data, including, in particular, but not exclusively, their rights related to data management and the legal remedies available to them.
1.2. With reference to the provisions set out in point 1.1, the purpose of this information is to ensure that the Hotel complies with the data protection provisions of the current legislation, in particular, but not exclusively
-
General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR),
-
CXII of 2011 on the right to information self-determination and freedom of information. law
-
CVIII of 2001 on certain issues of electronic commercial services and services related to the information society. law,
-
XLVII of 2008 on the prohibition of unfair commercial practices towards consumers. law,
-
XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity. provisions of the law.
1.3. The Data Controller therefore considers it of utmost importance and is also committed to protecting the personal data managed by the data subject provided by the data subject on the website or other forum or in another way, and to respect the data subject's right to self-determination of information. In this context, it contributes to the creation of safe internet access opportunities for those concerned by fully complying with the applicable laws in force.
2. DEFINITION
-
Affected person or User or Guest: any natural person identified or - directly or indirectly - identified on the basis of personal data;
-
Personal data: data that can be associated with the data subject - in particular the data subject's name, identification mark, and one or more physical, physiological, mental, economic, cultural or social characteristics of the data subject - as well as the conclusion about the data subject that can be drawn from the data;
-
Accommodation: Viva Velence Apartman Superior accommodation located at Béke utca 56, Velence, operated by the Data Controller;
-
Consent: the voluntary and decisive declaration of the data subject's will, which is based on adequate information, and with which he gives his unequivocal consent to the processing of his personal data - in full or covering certain operations;
-
Data controller: a natural or legal person or an organization without legal personality who, independently or jointly with others, determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or implements them with the data processor it has commissioned , the data controller for this information and the Accommodation: Viva Velence Termálpart Kft. Társaság, registered office: 1212 Budapest, Határ u. 92.;
-
Data processors used:
-
Venice Resort Spa Hotel
-
V Apartment Service Kft.
-
Taxcontrolling Magyarország Kft.
-
-
Data management: regardless of the procedure used, any operation performed on the data or the set of operations, including, in particular, collection, recording, recording, organization, storage, change, use, query, transmission, disclosure, coordination or connection, locking, deletion and destruction, and preventing further use of the data, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying the person;
-
Data transfer: making the data available to a specific third party;
-
Data processing: performing technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data;
-
Data deletion: making data unrecognizable in such a way that their recovery is no longer possible;
-
Data blocking: providing the data with an identification mark for the purpose of limiting its further processing permanently or for a specified period of time;
-
Data destruction: complete physical destruction of the data carrier containing the data
-
Data file: the totality of the data managed in a register;
-
Third party: a natural or legal person, or an organization without legal personality, who is not the same as the data subject, the data controller or the data processor;
-
Data protection incident: unlawful handling or processing of personal data, including in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage;
-
Website: a www.vivavelence.hu portal and all its subpages operated by the Data Controller;
-
Facebook page: a https://www.facebook.com/Viva_Venice/Page located at portal.
3. PRINCIPLES OF DATA MANAGEMENT
3.1. Principle of proportionality and necessity: Only such personal data can be processed that is essential for the realization of the purpose of data management and suitable for achieving the purpose. Personal data can only be processed to the extent and for the time necessary to achieve the purpose.
3.2. Purpose-bound principle: Personal data can only be processed for a specific purpose, in order to exercise a right and fulfill an obligation. In all stages of data management, the purpose of data management must be met, the collection and management of data must be fair and legal.
3.3. During data management, personal data will retain its quality as long as the relationship with the data subject can be restored. The relationship with the data subject can be restored if the data controller has the technical conditions necessary for restoration.
3.4. During data management, the accuracy, completeness and - if necessary in view of the purpose of the data management - up-to-dateness of the data must be ensured, as well as that the data subject can only be identified for the time necessary for the purpose of the data management.
3.5. Principle of voluntariness: Data provision by the data subject is voluntary. The Data Controller processes personal data with the consent of the data subject. Voluntary consent, as consent, should be understood as the user behavior by which the user, by using the website, accepts that all regulations related to the use of the website automatically apply to him.
4. STATEMENTS OF THE DATA CONTROLLER
4.1. The Data Controller declares that
-
CXII of 2011 on the right to information self-determination and freedom of information during data management. act in accordance with the provisions of the GDPR.
-
personal data obtained by the Data Controller in the course of data processing can only be seen by persons in employment with the Data Controller and its contractual partners, who are responsible for the given data processing.
-
ensures that the information sheet in force at all times is continuously accessible to the person concerned, thereby enforcing the principle of transparency.
-
the website treats the visitors' personal data confidentially in accordance with the applicable legal regulations, ensures their security, takes technical and organizational measures, and has developed procedural rules in order to fully comply with the principles of data protection.
-
handles the personal data of the Guests staying at the Hotel confidentially in accordance with the applicable legal regulations, ensures their security, takes technical and organizational measures, and has developed procedural rules in order to fully comply with the principles of data protection.
-
in order to preserve the data managed by it, it takes and ensures all IT and other measures related to data storage, processing and data transmission that promote secure data management.
-
in the manner expected of him, he will do everything in order to protect the personal data he manages against unauthorized access, change, disclosure, deletion, damage, destruction, and to guarantee the necessary technical conditions.
-
does not check the personal data provided to him, and disclaims responsibility for their correctness.
-
transfer personal data to third parties only exceptionally and in such cases, and connect the database it manages with another data controller only if the data subject expressly consents to it or is permitted by law, and if the conditions of data management for each individual personal data are fulfilled.
-
operates exclusively in Hungary, does not belong to a multinational hotel chain, therefore it is not necessary to introduce and operate mandatory organizational regulations.
-
personal data is forwarded to a data controller or data processor in a third country in accordance with the information provided.
-
keeps a register for the purpose of monitoring the measures related to the data protection incident and for informing the data subject, which includes the scope of personal data concerned, the scope and number of those affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as in the legislation prescribing data management specified other data.
4.2. The Data Controller excludes responsibility for the legality of the data management of a contractual partner with a legal relationship with the Data Controller.
4.3. By applying appropriate security measures, in order to protect the personal data stored in the data files, the Data Controller ensures the prevention of accidental or unlawful destruction or accidental loss, as well as unlawful access, alteration or distribution.
5. SCOPE OF ACTIVITIES AND DATA AFFECTED BY DATA MANAGEMENT
5.1. Request for
The processed data are as follows:
Name*, E-mail*, Phone number*, City*
Postal code*, Address*, Arrival date*, Departure date*, Number of adults*, Number of children, Room type*, Service*, Payment method*, Comment
Purpose of data management:
Providing the exact offer, preparing the reservation
Legal basis for data management:
Consent (Article 6(1)(a) GDPR)
Duration of data management:
- in the case of a successful request for a quote, according to the rules for booking,
- in case of rejection of the offer, until the day of rejection,
- if no response to the offer is received, until the day after the end of the binding offer
Will data be transferred?:
no
In the course of a request for an offer related to a room reservation via the website, the data subject will voluntarily provide his/her data to the Data Controller with the aim of providing the Data Controller with a price offer.
The activity and process involved in data management are as follows:
-
On the "Contact" page in the "Contact" menu item of the website, the data subject will be taken to the interface of the website where he can enter the data specified in point 5.1. After entering the data, accepting the conditions and information, the data subject can send the named data to the Data Controller by pressing the "Send" button.
-
Data sent to the Data Controller, the Data Controller records the received data, an offer is drawn up for the data subject, which is sent to him by e-mail.
5.2. Room Bookings
The processed data are as follows:
Name*, E-mail*, Telephone number*, Arrival date*, Departure date*, Number of adults*, Number of children, Room type*, Postal code*, City*, Street, house number*, Payment method*, Message to the hotel
Purpose of data management:
Providing the service, fulfilling the room reservation
Legal basis for data management:
Contract performance (GDPR Article 6 (1) point b)
Consent (Article 6(1)(a) GDPR)
Duration of data management:
The personal data received during the reservation will be processed for the duration of the contractual relationship with the data subject, with the exception of: data to be kept for 8 years based on Act C of 2000 on accounting, and CL of 2017 on taxation. data to be kept by law until the last day of the 5th year following the relevant year
or according to the current regulations of the regular guest program
Will data be transferred?:
-
Venice Resort Spa hotel
-
V-Apartment Service Kft.
Online booking sites and travel agencies are considered independent data controllers, in this process no data processor is used.
The activity and process involved in data management are as follows:
-
If the data subject accepts the offer and informs the Data Controller about this orally or in writing, the Data Controller will take steps related to the room reservation.
-
The Data Controller notifies the data subject in writing about the reservation of the room.
5.3. Login and the reporting form
The processed data are as follows:
Surname*, First name*, Company name, Vehicle registration number, Residential address*, Citizenship*, Place of birth, time*, Date of arrival*, Date of departure*, Passport number*, E-mail address, Gender, "How did you find out about the hotel?", document number
Purpose of data management:
Maintaining contact and fulfilling legal obligations
Legal basis for data management:
Legal obligation (GDPR Article 6 (1) point c)
Consent (Article 6(1)(a) GDPR)
Duration of data management:
The personal data provided will be processed for the duration of the contractual relationship with the data subject, with the exception of: data to be kept for 8 years based on Act C of 2000 on accounting, and CL. 2017 on taxation. data to be kept by law until the last day of the 5th year following the relevant year, or according to the regulations of the regular guest program in force
Will data be transferred?:
-
NTAK
-
Visa info
Upon arrival at the Hotel, before occupying the reserved room, the Data Subject fills in the accommodation registration form, in which he consents to the Data Controller handling the data provided below for the purpose of fulfilling his obligations defined in the relevant legislation, and for the purpose of proving fulfillment, as well as for the identification of the Guest, as long as the competent authority you can check the fulfillment of the obligations defined in specific legislation:
The activity and process involved in data management are as follows:
-
The provision of mandatory data by the Guest is a condition for the use of accommodation services.
-
By signing the notification form, the guest consents to the fact that the data provided by filling out the notification form will be processed and archived by the Data Controller within the above-mentioned deadline for the purpose of proving the creation of the contract, the completion and fulfillment of the contract, and the possible assertion of claims.
-
On the registration page, the guest has the opportunity to join the hotel's regular guest program.
5.4. Magnetic card access control system
The processed data are as follows:
Surname*, First name*, Room number*, Magnetic card number*, Date of writing magnetic card*, Date of arrival*, Date of departure*
Purpose of data management:
Facilitating the guests' access to the room, checking their authorization, property security.
Legal basis for data management:
Legitimate interest (GDPR Article 6 (1) point f)
Duration of data management:
Duration of stay at the hotel
Will data be transferred?:
No
The activity and process involved in data management are as follows:
The employee of the Data Controller writes the magnetic card, i.e. writes the room number and the date of arrival and expected departure on the magnetic card. The magnetic card does not contain the Guest's personal data.
5.5. Wellness medicine
The processed data are as follows:
Surname*, First name*, Room number*
Purpose of data management:
General administration, serving the users of the service
Legal basis for data management:
Legitimate interest (GDPR Article 6 (1) point f)
Duration of data management:
Duration of stay at the hotel
Will data be transferred?:
No
The activity and process involved in data management are as follows:
When using the hotel's wellness services, the data is recorded at the reception for the purpose of booking the service and for later invoicing.
5.6. Invoicing
The processed data are as follows:
Surname*, First name*, Address, length of stay at the hotel, Bank account details*,
Purpose of data management:
Invoicing the use of accommodation services, fulfilling invoicing obligations, processing payment transactions
Legal basis for data management:
Legitimate interest (GDPR Article 6(1)(f));
Fulfillment of a legal obligation (GDPR Article 6 (1) point c)
Duration of data management:
data to be kept for 8 years based on Act C of 2000 on accounting, as well as CL of 2017 on taxation. data to be kept by law until the last day of the 5th year following the relevant year
Will data be transferred?:
-
Taxcontrolling Kft.
-
szamlazz.hu
-
Financial institutions involved (joint data management)
-
The data controller uses and may use the bank, credit card/bank account data provided by the data subject to the Data Controller only to the extent and for as long as it is necessary to exercise its rights and fulfill its obligations. The data are managed by the contractual banking partners of the Data Controller. You can find information about this data management on the websites of the relevant Bank.
-
Guests can get more information about the bank card data managed by some subsystems of the data controller by sending a request to vivavelence@gmail.com.
5.7. Guest book
The processed data are as follows:
Data subject name*, e-mail address*, City*, Data subject opinion*
Purpose of data management:
Guest book management on the wellnesshotelgyula.hu website.
Legal basis for data management:
Consent (Article 6(1)(a) GDPR)
Duration of data management:
Until withdrawal of consent.
Will data be transferred?:
no
-
In order to improve the quality of the service, the data subjects can submit their opinions online.
-
Providing the data is not mandatory, they only serve to accurately investigate any complaints and to ensure that the Data Controller responds to the guest.
-
The Data Controller may also use the opinions received in this way and any related data that cannot be traced back to the given Guest and cannot be linked to the Guest's name for statistical purposes.
-
The Data Controller stores the provided personal data in a separate data file, separately from other data provided. This data file can only be accessed by authorized employees of the Data Controller.
5.8. Bicycle rental13
The processed data are as follows:
Surname*, First name*, Room number*
Purpose of data management:
Scheduling of bicycle rentals
Legal basis for data management:
Contract performance (GDPR Article 6 (1) point b)
Duration of data management:
Guests using the service during their stay at the hotel until check-out.
Will data be transferred?:
No
A rental contract is drawn up for the use of bicycles, which is destroyed after the guest checks out.
5.9. Playhouse child supervision14
The processed data are as follows:
Caregiver's last name*, Caregiver's first name*, Room number*, Telephone number*, Child's name*
Purpose of data management:
General administration
Legal basis for data management:
Legitimate interest (GDPR Article 6 (1) point f)
Duration of data management:
1 day (The form used on the day of supervision will be destroyed at the end of the day.)
Will data be transferred?:
No
The parent or guardian must provide their contact information when the child is handed over to the animators for supervision.
5.10. Electronic monitoring system
The processed data are as follows:
Image*
Purpose of data management:
Personal and property security
Legal basis for data management:
Consent (Article 6(1)(a) GDPR)
Duration of data management:
3 days
Will data be transferred?: no
The recorded images are forwarded if, based on the recordings, it seems probable that a crime (violation) has been committed, in which case the recordings may be forwarded to the investigative authority, or if other legal proceedings need to be initiated based on the recordings, in which case the recordings will be sent to the competent authority are forwarded to a court or authority.
-
In the area of the Accommodation operated by the Data Controller, cameras are in operation for the safety of the guests' lives, physical health and property, and information boards call the attention of those concerned to their operation. Regarding the legal operation of the surveillance system, the Data Controller acts in accordance with the provisions made in this information sheet and the camera regulations and makes them available to those concerned.
-
Special rules for the operation of the camera surveillance system:
-
In accordance with the provisions of this information, the camera surveillance system is governed by a separate regulation, the current version of which is available at the reception of the Accommodation.
-
The camera system records images.
-
The purpose of data management: personal and property security.
-
The place where the recording is stored: the accommodation operated by the Data Controller at Béke utca 56, Velence.
-
The legal basis for data management: the voluntary consent of the data subject based on the Operator's information posted in the form of signs. Consent can also be given in the form of suggestive behavior. Suggestive behavior, especially if the person concerned enters or stays in the units affected by the camera surveillance system.
-
The Operator must ensure that the personal data of the person concerned, especially his private secrets and the circumstances of his private life, are protected from the knowledge of unauthorized persons.
-
Electronic monitoring systems cannot be used in places where monitoring may violate human dignity, such as in changing rooms, showers and washrooms, toilets, and rest areas. Camera surveillance is proportionate to its purpose, the Data Controller does not conduct unlimited and direct surveillance.
-
Storage duration of the recording: If the recorded image is not used, it must be destroyed or deleted no later than 3 days after the recording. Use is considered if the recorded image and other personal data are used as evidence in court or other official proceedings.
-
The person whose right or legitimate interest is affected by the recording of the image or other personal data may, within 3 days from the date of recording, request that the data manager not destroy or delete the data by proving his right or legitimate interest.
-
Upon request of a court or other authority, the recorded recording and other personal data must be sent to the court or authority immediately. If an inquiry is not made within thirty days of the request not to be destroyed, the recorded image and other personal data must be destroyed or deleted, unless the camera surveillance system has not yet expired.
-
6. Website visit data (References and links)
6.1. The Data Controller's website may also contain links that are not operated by the Data Controller and are only for the information of visitors. The Data Controller has no influence on the content and security of the websites operated by the partner companies, so it is not responsible for them.
6.2. Please review the data management regulations and data protection declarations of the pages you visit before entering your data in any form on that page.
6.3. Analytics, cookies
-
The Data Controller uses an analytical tool to monitor its websites, which creates a series of data and monitors how visitors use the Internet pages. The system creates a cookie when you view the page, with the aim of recording information related to the visit (visited pages, time spent on our pages, browsing data, exits, etc.), which, however, cannot be linked to the person of the visitor. This tool helps to improve the ergonomics of the website, to create a user-friendly website, in order to enhance the online experience of the visitors. The Data Controller does not use analytical systems to collect personal information. Most Internet browsers automatically accept cookies, but visitors have the option to delete them or refuse them automatically. Since every browser is different, the visitor can set their cookie preferences individually using the browser toolbar. You may not be able to use certain features on our website if you choose not to accept cookies.
-
On the website, we use a session cookie (small data package), which is valid until the end of the given session, i.e. it is created for the duration of the visit, after which it is automatically deleted from the user's computer. The so-called cookie is necessary for the security of the website, for user-friendly solutions, for a better user experience.
7. STORAGE OF PERSONAL DATA, INFORMATION SECURITY
7.1. Personal data can only be handled in accordance with the activities according to Chapter 5, according to the purpose of data management.
7.2. It is possible to modify and delete personal data, withdraw voluntary consent, and request information about the handling of personal data by sending a notification to vivavelence@gmail.com.
7.3. The Data Controller ensures the security of the data. To this end, it takes the necessary technical and organizational measures, develops procedural rules and enforces them.
7.4. The Data Manager protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction and damage, as well as against becoming inaccessible due to changes in the technology used. The data manager takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, access to unauthorized persons). In the event of an incident that does occur, the data controller keeps a record for the purpose of checking the necessary measures and informing the data subject, which includes the range of personal data concerned, the range and number of persons affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, and other data specified in the law that prescribes data management.
7.5. In order to enforce the conditions of data security, the Data Controller ensures the appropriate preparation of the Employees concerned.
7.6. When determining and applying measures for data security, the Data Controller takes into account the state of the art at all times and chooses from several possible data management solutions the one that ensures a higher level of protection of personal data, unless it would represent a disproportionate difficulty.
7.7. As part of its duties related to IT protection, the Data Controller ensures in particular:
-
About the measures ensuring protection against unauthorized access, including the protection of software and hardware devices, as well as physical protection (access protection, network protection);
-
About the measures that ensure the possibility of restoring data files, including regular backups and the separate, safe handling of copies (mirroring, backups);
-
Protection of data files against viruses (virus protection);
-
About the physical protection of data files and the devices that carry them, including protection against fire damage, water damage, lightning strikes, and other elemental damage, as well as the reparability of damage caused by such events (archiving, fire protection).
7.8. The Data Controller provides the required level of protection during the processing of the data - especially their storage, correction, deletion - when requesting information or protesting.
7.9. Data transmission takes place with the consent of the data subject, without prejudice to his interests, confidentially, with the provision of a fully adequate IT system, and in compliance with the purpose, legal basis and principles of data management. The Data Controller will not forward the data subject's personal data or make them available to third parties without their consent, unless this is required by law.
7.10. The other data concerned, which cannot be linked directly or indirectly, and cannot be identified - hereafter anonymous - are not considered personal data.
8. EXERCISE OF THE RIGHTS OF THE SUBJECT
8.1. Your rights are affected
The data subject may request information from the Data Controller about the management of his personal data, as well as request the correction, deletion, or withdrawal of his personal data, limitation of data processing, and may exercise his right to data portability and objection.
a.) Right to information:
At the request of the data subject, the Data Controller shall take appropriate measures in order to provide data subjects with all the information and information specified in the General Protection Regulation regarding the handling of personal data in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly worded.
b.) The data subject's right to access:
The data subject is entitled to receive feedback from the Data Controller as to whether his personal data is being processed, and if so, he is entitled to access the personal data and the following information:
• the purposes of data management;
• categories of personal data concerned;
• the recipients or categories of recipients to whom or to whom the personal data has been or will be communicated, including in particular recipients in third countries and international organizations;
• the planned period of storage of personal data; the right to rectification, deletion or limitation of data processing and the right to protest; the right to submit a complaint to the supervisory authority;
• information about data sources;
• the fact of automated decision-making, including profiling, as well as comprehensible information about the applied logic and the significance of such data management and the expected consequences for the data subject.
The Data Controller makes a copy of the personal data subject to data management available to the data subject. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. At the request of the data subject, the Data Controller provides the information in electronic form.
The right to information can be exercised in writing via the contact details indicated in point 1. At the request of the person concerned, information can also be given orally after valid proof of identity and identification.
c.) Right to rectification:
The data subject may request the correction of inaccurate personal data concerning him or her managed by the Data Controller and the addition of incomplete data.
d.) Right to erasure:
If one of the following reasons exists, the data subject has the right to request that the Data Controller delete his/her personal data without undue delay:
• personal data are no longer needed for the purpose for which they were collected or otherwise processed;
• the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management;
• the data subject objects to data processing and there is no overriding legal reason for data processing;
• personal data were handled illegally;
• the personal data must be deleted in order to fulfill the legal obligation prescribed by the European Union or member state law applicable to the Data Controller.
• the collection of personal data took place in connection with the offering of services related to the information society.
Data deletion cannot be initiated if data management is necessary:
• for the purpose of exercising the right to freedom of expression and information;
• for the purpose of fulfilling the obligation according to the European Union or national law applicable to the data controller, which prescribes the processing of personal data, or for the execution of a task carried out in the public interest or in the context of the exercise of public authority conferred on the data controller;
• in the field of public health, or for archival, scientific and historical research purposes or for statistical purposes, on the basis of public interest;
• or to present, assert or defend legal claims.
e.) The right to restrict data processing:
At the request of the data subject, the Data Controller restricts data processing if one of the following conditions is met:
• the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period that allows checking the accuracy of the personal data;
• the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of their use;
• the Data Controller no longer needs the personal data for the purpose of data management, but the data subject requires them to submit, enforce or defend legal claims; obsession
• the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the Data Controller's legitimate reasons take precedence over the data subject's legitimate reasons.
If data management is subject to restrictions, personal data may only be processed with the consent of the data subject, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the European Union or a member state. The Data Controller informs the data subject in advance of the lifting of restrictions on data management.
f.) Right to data portability:
The data subject has the right to receive the personal data concerning him/her provided to the Data Controller in a segmented, widely used, machine-readable format, and to forward this data to another data controller.
g.) Right to protest:
The data subject has the right to object at any time, for reasons related to his own situation, to the processing of his personal data necessary for the execution of a task carried out in the public interest or in the context of the exercise of public authority granted to the data controller, or to the processing necessary to assert the legitimate interests of the Data Controller or a third party.
In the event of a protest, the Data Controller may no longer process the personal data, unless it is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are related to the submission, enforcement or defense of legal claims.
In order to obtain direct business, the Data Controller does not process personal data.
8.2. Procedural rules
The Data Controller shall inform the data subject without undue delay, but in any case within one month of the receipt of the request, of the measures taken following the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The Data Controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request. If the data subject submitted the request electronically, the information will be provided electronically, unless the data subject requests otherwise.
If the Data Controller does not take measures following the data subject's request, it shall inform the data subject without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, and of the fact that the data subject may file a complaint with a supervisory authority and exercise his right to judicial redress.
The Data Controller provides the requested information and information free of charge. If the data subject's request is clearly unfounded or - especially due to its repeated nature - excessive, the Data Controller may charge a reasonable fee, taking into account the administrative costs associated with providing the requested information or information or taking the requested action, or may refuse to take action based on the request.
The Data Controller informs all recipients of all corrections, deletions or data management restrictions carried out by it, to whom or to whom the personal data was communicated, unless this proves to be impossible or requires a disproportionately large effort. At the request of the data subject, the Data Controller informs about these recipients.
The Data Controller makes a copy of the personal data subject to data management available to the data subject. For additional copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject submitted the request electronically, the information will be provided in electronic format, unless the data subject requests otherwise.
8.3. Compensation and damages
Any person who has suffered material or non-material damage as a result of a violation of the General Protection Regulation is entitled to compensation from the Data Controller or data processor for the damage suffered. The Data Processor is only liable for damages caused by data processing if it has not complied with the obligations specified in the law, which are specifically imposed on data processors, or if it has ignored or acted contrary to the lawful instructions of the Data Controller.
If both the Data Controller and the data processor are involved in the same data processing and are liable for the damages caused by the data processing, the Data Controller and the data processor are jointly and severally liable for the entire damage.
The Data Controller or the data processor is exempted from liability if it proves that it is not in any way responsible for the event causing the damage.
8.4. Data protection official procedure
The data subject may submit a complaint regarding the handling of his personal data by the Data Controller to the National Data Protection and Freedom of Information Authority, as a supervisory authority. Contact details of the supervisory authority
National Data Protection and Freedom of Information Authority (NAIH)
address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
postal address: 1530 Budapest, Pf.: 5.
e-mail: ugyfelszolgalat@naih.hu
telephone: +36 (1) 391-1400
fax: +36 (1) 391-1410
In the case of violation of the rights of a deceased person with offensive, hateful, or exclusionary content, rectification, or violation of the rights of a deceased person, you can file a report or complaint:
National Media and Communications Authority
address 1015 Budapest, Ostrom u. 23-25.
e-mail: info@nmhh.hu
mail address: 1525. Pf. 75
phone: (06 1) 457 7100
fax: (06 1) 356 5520
9. DATA PROTECTION INCIDENT REPORTING SYSTEM
9.1. Data protection incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.
9.2. Notification of the data protection incident to the supervisory authority
-
The Data Controller shall report the data protection incident to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after the data protection incident became known to the competent supervisory authority, unless the data protection incident is likely to pose no risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons justifying the delay must also be attached.
-
After becoming aware of the data protection incident, the Data Processor shall notify the data controller without undue delay. (24 hours maximum)
-
If and to the extent that it is not possible to provide the information at the same time, it can be provided later in parts without further undue delay.
-
The Data Controller keeps records of data protection incidents, indicating the facts related to the data protection incident, its effects and the measures taken to remedy it.
9.3. Informing the data subject about the data protection incident
-
If the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons, the data controller shall inform the data subject of the data protection incident without undue delay (maximum 24 hours).
-
The nature of the data protection incident must be clearly and comprehensibly described in the information given to the data subject, and the above-mentioned information and measures must be communicated.
-
The data subject does not need to be informed if any of the following conditions are met:
-
the Data Controller has implemented appropriate technical and organizational protection measures and these measures have been applied to the data affected by the data protection incident, in particular those measures - such as the use of encryption - that make the personal data unintelligible to persons not authorized to access the personal data data;
-
after the data protection incident, the Data Controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject mentioned in the previous paragraph is unlikely to materialize in the future;
-
providing information would require a disproportionate effort. In such cases, the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.
Date: September 14, 2021
Józsáné Szilvia Román
Manager