DATA PROTECTION STATEMENT

1. GENERAL PROVISIONS

The Hercules Investment Kft., HU-1026 Budapest, Pasaréti u. 25, the operator of Hotel Civitas shall ensure that data processing is lawful and expedient in all cases where it processes personal data. The purpose of this data protection statement is to ensure that guests who make a reservation and give access to their personal data receive appropriate information already at the point of reservation or prior to giving access to their personal data with regards to the duration and under which conditions and guarantees our firm processes their data. Our company shall regard the contents of this data protection statement as mandatory and shall abide by its contents in each instance where it handles personal data.

We reserve the right, however, to change the terms of this unilateral declaration, in which case we will inform the persons concerned in advance. Should you have any questions with regards to the contents of this brochure please write us. Data processing related to our firm’s activities is based on voluntary contribution, or in some cases the data processing is necessary in order to take steps at the request of the data subject prior to entering into a contract;

Our data processing activities comply with applicable laws, in particular to the following:

  • The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”)
  • The Act CXII of 2011 on Informational Self-determination and Freedom of Information (Hungarian abbreviation: “Info.tv”).

The firm’s data and contact data are as follows:
Name: Hercules Investment Kft.
PPB: HU-1026 Budapest, Pasaréti u. 25
Company registry number: 01-09-932586
TIN: 13718680-2-41
Phone: +36 99 788 228
E-mail: info@civitashotel.com

We provide the following information regarding individual instances of data processing:

2. DATA PROCESSING IN RELATION TO ONLINE HOTEL BOOKING

Our company provides an opportunity for online lodging reservation in order that our customers may book a room free of charge in a quick, convenient way in Hotel Civitas.

Personal data processor: Hercules Investment Kft. , HU-1026 Budapest, Pasaréti u. 25

The purpose of data processing: to render the reservation of lodgings easier, more efficient and free of charge, contacting the guest with hotel reservation.
Legal basis of data processing: the prior consent of the person who reserves lodging. By accepting this data protection statement, the data subject expressly consents to the processing of his/her personal data according to this section.
The scope of processed personal data: title; surname and given name; address (country, postcode, city, street, street number; phone number; e-mail address; in case of a company name of company and PBB; bank card number; SZÉP card number (identifier, name displayed on card). If filling in an online check-in form, the following information will also be managed by the accommodation: identity document number (identity card, passport or driving license), nationality, place and date of birth, vehicle registration number.
Duration of data processing: two years after the last day of stay as stated in the reservation.
Engagement of data controller: our company uses the services of an information service provider for the online lodging system as follows:

Name of data controller PPB Description of data processing task
NetHotelBooking Kft. 8200 Veszprém, Boksa tér 1/A Providing an opportunity for online lodging reservation and operating a pre-arrival email module through RESnWEB system.

By accepting this data protection statement, the data subject gives his express consent that the data controller shall engage further data controllers in order to render its services more convenient and customized as follows:

Name of additional data controller PPB Description of data processing task
Hostware Kft. 1149 Budapest, Róna utca 120-122 Hungary In the event that Hostware Front Office hotel system is used, performance of tasks related to customer management.
BIG FISH Payment Services Kft. 1066 Budapest, Nyugati tér 1-2 Hungary Providing data communications for payment transactions between the vendor’s and the payment provider’s systems, ensuring traceability for the transaction partners.
OTP Mobil Kft. 1093 Budapest, Közraktár u. 30-32. Hungary Providing data communications for payment transactions between the vendor’s and the payment provider’s systems, providing customer service for users, confirming transactions and providing fraud-monitoring to protect the interests of the users.
Barion Payment Zrt. 1117 Budapest, Infopark sétány 1. I. épület Hungary Providing data communications for payment transactions between the vendor’s and the payment provider’s systems, providing customer service for users, confirming transactions and providing fraud-monitoring to protect the interests of the users.
Creative Management Kft. 8200 Veszprém, Boksa tér 1. A. ép. Hungary Performance of tasks related to server hosting.
Wildbit, LLC* 225 Chestnut St, Philadelphia, PA 19106, USA The owner of the software which is integrated into the booking system. This software is responsible for sending e-mail confirmations and notifications in the event of booking, requesting and providing proposals, customer satisfaction surveys, pre-arrival information and gift voucher selling.
D-Edge SAS 14/16 Boulevard Poissonnière, 75009 Paris, France D-Edge Channel Manager to manage the rates and availabilities on multiple distribution websites.
thePass Kft. 1061 Budapest, Király utca 30-32. A. ép. 105. SabeeApp to perform tasks related to customer management and to manage the rates and availabilities on multiple distribution websites.

The possible negative consequences of not providing personal data: Providing data is voluntary. It is important to note that filling in the fields marked with * is mandatory, and in case of non-completion, no reservation can be made. Leaving the remaining fields blank does not have such a consequence.

The rights of the data subject: the data subject (the person whose data our company processes)

  1. shall have the right to request access to the personal data related to him/her,
  2. shall have the right to request their rectification,
  3. shall have the right to request their erasure,
  4. shall have the right to revoke their consent for data processing at any time with effect for the future. Such revocation has no effect for the past, i.e. it does not affect the legitimacy of the data processing carried out up to the revocation.
  5. in the event that the conditions listed in Article 18 of the GDPR are met, shall have the right to request that the processing of his/her personal data be restricted (that is, that our firm does not erase or destroy the data until a court or other authority is applied to for a maximum of thirty days, and in addition that our company does not the process the data with another purpose),
  6. has the right to contest the processing of personal data,
  7. has the right to exercise his/her right to data portability. In accordance with this latter right the data subject has the right to receive the personal data related to him/her in Word or Excel format, further has the right to request that our company forward these data to another data controller.

Other information related to data processing:

  • By booking, the data subject also states that the information provided is true and he/she has reached the age of 16.
  • We try to help our guests prepare their journey and shorten the time they spend on arrival with practical and relevant information, weather forecasts, programme offers, option of online check-in, so we send them pre-arrival email information about accommodation, travel and programme info. Based on the pre-arrival letter, the guests can fill in an online check-in form to speed up their check-in on arrival.
  • Our company takes every technological and organisational measure to avoid an eventual personal data breach (for instance, if the files containing personal data are damaged, disappear, or become accessible to unauthorised persons). Should a personal data breach nevertheless take place, we shall keep records in order to supervise the necessary measures as well as to inform the affected data subjects. This record shall contain the scope of affected personal data, the circle and number of data subjects affected by the privacy incident, the date, circumstances, effects of the personal data breach as well as the measures taken to deal with it, as well as other data as defined by the laws regulating data processing.
  • Our company concluded a data processing agreement for the scope of data processing tasks, in which the NetHotelBooking Kft. undertakes that in the event of the engagement of another data controller it shall apply on a mandatory basis the same data protection and data processing guarantees included in data processing contract with us, thus we ensure the lawful management of personal data in case of data controllers.

3. DATA PROCESSING IN RELATION TO REQUESTING QUOTES

Our company provides an opportunity for our guests to request a proposal in an electronic way. The proposal is provided by our company while taking account of actual room availability through an automated system.

Personal data processor: Hercules Investment Kft. , HU-1026 Budapest, Pasaréti u. 25

Purpose of data processing: to receive information prior to booking about hotel prices
Legal basis of data processing: the prior consent of person who reserves lodging, Article 6 Section 1 Point a) of the GDPR, or necessary in order to take the steps requested by the data subject prior to the conclusion of a data processing contract – Article 6 Section 1 Point b of the GDPR
Scope of processed personal data: title; surname and given name; phone number; e-mail address; number of guests.
Duration of data processing: two years after the last day of stay as stated in the reservation.
Engagement of data controller: our company uses the services of an information service provider for the online proposal system in accordance with the following:

Name of data controller PPB Description of data processing task
NetHotelBooking Kft. 8200 Veszprém, Boksa tér 1/A Hungary Operating the proposal requesting and sending module

By accepting this data protection statement, the data subject gives his express consent that the data controller shall engage further data controllers in order to render its services more convenient and customized as follows:

Name of additional data controller PPB Description of data processing task
Creative Management Kft. 8200 Veszprém, Boksa tér 1. A. ép. Hungary Performance of tasks related to server hosting.
Wildbit, LLC* 225 Chestnut St, Philadelphia, PA 19106, USA The owner of the software which is integrated into the booking system. This software is responsible for sending e-mail confirmations and notifications in the event of booking, providing a requesting and providing proposals, customer satisfaction surveys, pre-arrival information and gift voucher selling.

* Parties are aware that the registered seat of the other data processor specified in point a) is in a third country. For this reason, Data Processor expressly informs Data Controller that Wildbit, LLC has included the standard data protection clauses recommended and adopted by the European Commission in the Data Protection Supplement of its General Terms and Conditions. Therefore, even without the authorisation from a supervisory authority, transfer of data to Wildbit, LLC constitutes a transfer of data provided with appropriate safeguards, and has no legal impediments.

Possible negative consequences of not providing personal data: Providing data is voluntary. It is important to note that filling in the fields marked with * is mandatory, and in case of non-completion, no request for proposal can be made and the hotel cannot provide a proposal. Leaving the remaining fields blank does not have such a consequence.

The rights of the data subject: the data subject (the person whose data our company processes)

  1. shall have the right to request access to the personal data related to him/her,
  2. shall have the right to request their rectification,
  3. shall have the right to request their erasure,
  4. shall have the right to revoke their consent for data processing at any time with effect for the future. Such revocation has no effect for the past, i.e. it does not affect the legitimacy of the data processing carried out up to the revocation.
  5. in the event that the conditions listed in Article 18 of the GDPR are met, shall have the right to request that the processing of his/her personal data be restricted (that is, that our firm does not erase or destroy the data until a court or other authority is applied to for a maximum of thirty days, and in addition that our company does not the process the data with another purpose),
  6. has the right to contest the processing of personal data,
  7. has the right to exercise his/her right to data portability. In accordance with this latter right the data subject has the right to receive the personal data related to him/her in Word or Excel format, further has the right to request that our company forward these data to another data controller.

Other information related to data processing: our company takes every technological and organisational measure to avoid an eventual personal data breach (for instance, if the files containing personal data are damaged, disappear, or become accessible to unauthorised persons). Should a personal data breach nevertheless take place, we shall keep records in order to supervise the necessary measures as well as to inform the affected data subjects. This record shall contain the scope of affected personal data, the circle and number of data subjects affected by the privacy incident, the date, circumstances, effects of the personal data breach as well as the measures taken to deal with it, as well as other data as defined by the laws regulating data processing.

Our company concluded a data processing agreement for the scope of data processing tasks, in which the NetHotelBooking Kft. undertakes that in the event of the engagement of another data controller it shall apply on a mandatory basis the same data protection and data processing guarantees included in data processing contract with us, thus we ensure the lawful management of personal data in case of data controllers.

4. DATA PROCESSING RELATED TO NEWSLETTERS SUBSCRIPTION

Our company maintains contact with its guests via a newsletter, in which it informs its guests about its services, news relating to its operation as well as available discounts.

Personal data processor: Hercules Investment Kft. , HU-1026 Budapest, Pasaréti u. 25

Purpose of data processing: maintaining contact with potential guests
Legal basis of data processing: consent of the data subject – Article 6 Section 1 Point a of GDPR.
Description of legitimate interest: maintenance and development of business relationships with partners and guests
Scope of processed personal data: name; e-mail address
Duration of data processing: our company processes e-mail addresses until such date that unsubscription occurs.
Engagement of data controller: our company uses the services of an information service provider for the online lodging system as follows:

Name of data controller PPB Description of data processing task
NetHotelBooking Kft. 8200 Veszprém, Boksa tér 1/A Hungary Storage of e-mail marketing database.

By accepting this data protection statement, the data subject gives his express consent that the data controller shall engage further data controllers in order to render its services more convenient and customized as follows:

Name of additional data controller PPB Description of data processing task
Creative Management Kft. 8200 Veszprém, Boksa tér 1/A Hungary Operation of newsletter sending system.
MailerLite 11341 Lithuania, Vilnius, Paupio g. 46 Operation of newsletter sending system.

Possible negative consequences of not providing personal data: The data subject will not be able to receive the company’s newsletter.

The rights of the data subject: the data subject (the person whose data our company processes)

  1. shall have the right to request access to the personal data related to him/her,
  2. shall have the right to request their rectification,
  3. shall have the right to request their erasure,
  4. shall have the right to revoke their consent for data processing at any time with effect for the future. Such revocation has no effect for the past, i.e. it does not affect the legitimacy of the data processing carried out up to the revocation.
  5. in the event that the conditions listed in Article 18 of the GDPR are met, shall have the right to request that the processing of his/her personal data be restricted (that is, that our firm does not erase or destroy the data until a court or other authority is applied to for a maximum of thirty days, and in addition that our company does not the process the data with another purpose),
  6. has the right to contest the processing of personal data,
  7. has the right to exercise his/her right to data portability. In accordance with this latter right the data subject has the right to receive the personal data related to him/her in Word or Excel format, further has the right to request that our company forward these data to another data controller.

You are able to unsubscribe from our company’s newsletter by sending an e-mail to this e-mail address info@civitashotel.com, or by clicking the icon “Unsubscribe” found in this newsletter. In this case we will immediately delete your e-mail address from our database.

Other information related to data processing: our company takes every technological and organisational measure to avoid an eventual personal data breach (for instance, if the files containing personal data are damaged, disappear, or become accessible to unauthorised persons). Should a personal data breach nevertheless take place, we shall keep records in order to supervise the necessary measures as well as to inform the affected data subjects. This record shall contain the scope of affected personal data, the circle and number of data subjects affected by the privacy incident, the date, circumstances, effects of the personal data breach as well as the measures taken to deal with it, as well as other data as defined by the laws regulating data processing.

Our company concluded a data processing agreement for the scope of data processing tasks, in which the NetHotelBooking Kft. undertakes that in the event of the engagement of another data controller it shall apply on a mandatory basis the same data protection and data processing guarantees included in data processing contract with us, thus we ensure the lawful management of personal data in case of data controllers.

5. PROCESSING OF PERSONAL DATA RELATED TO CUSTOMER SATISFACTION SURVEYS

As a hotel it is our goal to provide high-quality services to our guests, therefore we continually request feedback from our guests about their experiences while staying at our hotel.

Personal data processor: Hercules Investment Kft. , HU-1026 Budapest, Pasaréti u. 25

Purpose of data processing: requesting feedback from our guests in order to further develop and improve our services.
Legal basis of data processing: the legitimate interest of the hotel operator – Article 6 Section 1 Point f) of GDPR.
Description of legitimate interest: our company has a legitimate interest to receive information related to improvement of its services on the basis of guest feedback.
Scope of processed personal data: name, gender, e-mail address
Duration of data processing: two years after the last day of stay as stated in the reservation.

Engagement of data controller: our company uses the services of an information service provider for the online lodging system as follows:

Name of data controller PPB Description of data processing task
NetHotelBooking Kft. 8200 Veszprém, Boksa tér 1/A Hungary Operating the customer satisfaction module

By accepting this data protection statement, the data subject gives his express consent that the data controller shall engage further data controllers in order to render its services more convenient and customized as follows:

Name of additional data controller PPB Description of data processing task
Creative Management Kft. 8200 Veszprém, Boksa tér 1. A. ép. Hungary Performance of tasks related to server hosting.
Wildbit, LLC* 225 Chestnut St, Philadelphia, PA 19106, USA The owner of the software which is integrated into the booking system. This software is responsible for sending e-mail confirmations and notifications in the event of booking, requesting and providing proposals, customer satisfaction surveys, pre-arrival information and gift voucher selling.

* Parties are aware that the registered seat of the other data processor specified in point a) is in a third country. For this reason, Data Processor expressly informs Data Controller that Wildbit, LLC has included the standard data protection clauses recommended and adopted by the European Commission in the Data Protection Supplement of its General Terms and Conditions. Therefore, even without the authorisation from a supervisory authority, transfer of data to Wildbit, LLC constitutes a transfer of data provided with appropriate safeguards, and has no legal impediments.

Possible negative consequences of not providing personal data: The affected data subject will not receive our company’s customer satisfaction survey.

The rights of the data subject: the data subject (the person whose data our company processes)

  1. shall have the right to request access to the personal data related to him/her,
  2. shall have the right to request their rectification,
  3. shall have the right to request their erasure,
  4. shall have the right to revoke their consent for data processing at any time with effect for the future. Such revocation has no effect for the past, i.e. it does not affect the legitimacy of the data processing carried out up to the revocation.
  5. in the event that the conditions listed in Article 18 of the GDPR are met, shall have the right to request that the processing of his/her personal data be restricted (that is, that our firm does not erase or destroy the data until a court or other authority is applied to for a maximum of thirty days, and in addition that our company does not the process the data with another purpose),
  6. has the right to contest the processing of personal data,
  7. has the right to exercise his/her right to data portability. In accordance with this latter right the data subject has the right to receive the personal data related to him/her in Word or Excel format, further has the right to request that our company forward these data to another data controller.

Other information related to data processing: our company takes every technological and organisational measure to avoid an eventual personal data breach (for instance, if the files containing personal data are damaged, disappear, or become accessible to unauthorised persons). Should a personal data breach nevertheless take place, we shall keep records in order to supervise the necessary measures as well as to inform the affected data subjects. This record shall contain the scope of affected personal data, the circle and number of data subjects affected by the privacy incident, the date, circumstances, effects of the personal data breach as well as the measures taken to deal with it, as well as other data as defined by the laws regulating data processing.

Our company concluded a data processing agreement for the scope of data processing tasks, in which the NetHotelBooking Kft. undertakes that in the event of the engagement of another data controller it shall apply on a mandatory basis the same data protection and data processing guarantees included in data processing contract with us, thus we ensure the lawful management of personal data in case of data controllers.

6. PROCESSING OF PERSONAL DATA RELATED TO GIFT VOUCHER PURCHASE

Our company provides the opportunity to purchase gift vouchers electronically. The gift voucher is provided by our company via an automated system on our website.

Personal data processor: Hercules Investment Kft. , HU-1026 Budapest, Pasaréti u. 25

Purpose of data processing: gift voucher purchase and delivery
Legal basis of data processing: the prior consent of the person who purchases the gift voucher: by accepting this data protection statement, the data subject consents to the data processing under this clause.
Scope of personal data handled: title; surname and first name; address (country, zip code, city, street, house number); telephone number; email address (both purchaser and beneficiary), ; in case of a company name of company and PBB; bank card number; SZÉP card number (identifier, name displayed on card).
Duration of data processing: two years after the expiration date of the gift voucher.

Engagement of data controller: our company uses the services of an information service provider for the online gift voucher system as follows:

Name of data controller PPB Description of data processing task
NetHotelBooking Kft. 8200 Veszprém, Boksa tér 1/A Hungary Operating the gift voucher selling module

By accepting this data protection statement, the data subject gives his express consent that the data controller shall engage further data controllers in order to render its services more convenient and customized as follows:

Name of additional data controller PPB Description of data processing task
Creative Management Kft. 8200 Veszprém, Boksa tér 1. A. ép. Hungary Performance of tasks related to server hosting.
BIG FISH Payment Services Kft. 1066 Budapest, Nyugati tér 1-2 Hungary Providing data communications for payment transactions between the vendor’s and the payment provider’s systems, ensuring traceability for the transaction partners.
OTP Mobil Kft. 1093 Budapest, Közraktár u. 30-32. Hungary Providing data communications for payment transactions between the vendor’s and the payment provider’s systems, providing customer service for users, confirming transactions and providing fraud-monitoring to protect the interests of the users.
Barion Payment Zrt. 1117 Budapest, Infopark sétány 1. I. épület Hungary Providing data communications for payment transactions between the vendor’s and the payment provider’s systems, providing customer service for users, confirming transactions and providing fraud-monitoring to protect the interests of the users.
Wildbit, LLC* 225 Chestnut St, Philadelphia, PA 19106, USA The owner of the software which is integrated into the booking system. This software is responsible for sending e-mail confirmations and notifications in the event of booking, requesting and providing proposals, customer satisfaction surveys, pre-arrival information and gift voucher selling.

* Parties are aware that the registered seat of the other data processor specified in point a) is in a third country. For this reason, Data Processor expressly informs Data Controller that Wildbit, LLC has included the standard data protection clauses recommended and adopted by the European Commission in the Data Protection Supplement of its General Terms and Conditions. Therefore, even without the authorisation from a supervisory authority, transfer of data to Wildbit, LLC constitutes a transfer of data provided with appropriate safeguards, and has no legal impediments.

Possible negative consequences of not providing personal data: Providing data is voluntary. It is important to note that filling in the fields marked with * is mandatory, and in case of non-completion, the affected data subject will not be able to purchase gift vouchers. Leaving the remaining fields blank does not have such a consequence.

The rights of the data subject: the data subject (the person whose data our company processes)

  1. shall have the right to request access to the personal data related to him/her,
  2. shall have the right to request their rectification,
  3. shall have the right to request their erasure,
  4. shall have the right to revoke their consent for data processing at any time with effect for the future. Such revocation has no effect for the past, i.e. it does not affect the legitimacy of the data processing carried out up to the revocation.
  5. in the event that the conditions listed in Article 18 of the GDPR are met, shall have the right to request that the processing of his/her personal data be restricted (that is, that our firm does not erase or destroy the data until a court or other authority is applied to for a maximum of thirty days, and in addition that our company does not the process the data with another purpose),
  6. has the right to contest the processing of personal data,
  7. has the right to exercise his/her right to data portability. In accordance with this latter right the data subject has the right to receive the personal data related to him/her in Word or Excel format, further has the right to request that our company forward these data to another data controller.

Other information related to data processing: our company takes every technological and organisational measure to avoid an eventual personal data breach (for instance, if the files containing personal data are damaged, disappear, or become accessible to unauthorised persons). Should a personal data breach nevertheless take place, we shall keep records in order to supervise the necessary measures as well as to inform the affected data subjects. This record shall contain the scope of affected personal data, the circle and number of data subjects affected by the privacy incident, the date, circumstances, effects of the personal data breach as well as the measures taken to deal with it, as well as other data as defined by the laws regulating data processing.

Our company concluded a data processing agreement for the scope of data processing tasks, in which the NetHotelBooking Kft. undertakes that in the event of the engagement of another data controller it shall apply on a mandatory basis the same data protection and data processing guarantees included in data processing contract with us, thus we ensure the lawful management of personal data in case of data controllers.

7. COOKIE PROCESSING

In the interest of providing customized service, the data processor places a small data packet or cookie on the customer’s computer and, in case of a subsequent visit, reads it back. If the browser sends back a previously saved cookie, the data processor managing the cookie has the opportunity to connect the user’s previous visits with the current one, however, exclusively in relation to its own content.

The purpose of data processing: identification of users, tracing users, distinguishing users from one another, to identify the workflow of users, to store data provided in the course of workflow, to avoid data loss, web analytics, provision of customized service.
Legal basis of data processing: consent of the data subject.
The scope of processed data: identification number, date, time, and the previously visited webpage.
The duration of data processing: maximum 90 days

Name of data controller PPB Description of data processing task
NetHotelBooking Kft. 8200 Veszprém, Boksa tér 1/A Hungary Identifying users and their workflow and sessions, storing data provided in the course of workflow and sessions, avoiding data loss, web analytics, provision of customized service

Other information related to data processing: Users are able to delete cookies from their own computers and may disable the use of cookies in their browsers. Users can usually manage cookies in the browser’s Tools/Settings menu under Data Protection/History/Individual Settings menu, under either Cookies or Track options.

Possible negative consequences of not providing personal data: it may become impossible to take advantage of the services provided with regards to services described in points 2-5 above.

8. SERVER LOG FILES

When visiting the webpage nethotelbooking.net, the server automatically stores information on the user’s activities in log files.

The purpose of data processing: when a webpage is visited, the service provider supervises the operation of its services, and in order to prevent abuse it records the visitors’ data.

Legal basis of data processing: Article 6 Section 1 Point f) of GDPR. Our company has a legitimate interest in the webpage’s safe operation.

Type of processed personal data: identification number, date, time, the address of the visited page.

Duration of data processing: maximum 90 days

Name of data controller PPB Description of data processing task
NetHotelBooking Kft. 8200 Veszprém, Boksa tér 1/A Hungary Recording of visitors’ data and information necessary for server operation

Further information: our company does not connect the data that emerges in the course of the protocol analysis with other data, it makes no effort to identify the user. The address of the visited pages, as well as the data relating to date and time are insufficient to identify the affected data subject, however, they may be sufficient in conjunction with other data (for instance, data provided in the course of registration) to reach conclusions about to the user.

Data processing of external service providers in relation to protocols:
The portal’s html code contains links independent from our company that are received from external servers and refer to external servers. The server of the external service provider is connected directly to the user’s computer. We would like to call our visitors’ attention to the fact that the service providers of these links are able to collect user data (for instance, IP address, browser, operating system data, movement of the mouse pointer, address of the website visited and date of visit) during direct connection to their servers on account of the direct communication with the user’s browser. An IP address is a series of numbers with which the computers and mobile devices of users can be identified unambiguously.

Through IP addresses it is even possible to identify the geographical location of the visitor using a given computer. The address of the visited pages, as well as the data relating to date and time are insufficient to identify the affected data subject, however, they may be sufficient in conjunction with other data (for instance, data provided in the course of registration) to reach conclusions about to the user.

9. OTHER DATA PROCESSING

We provide information in relation to data processing activities not included in this data protection statement when we request such data. We inform our customers that certain authorities, bodies with a public service missions and courts may contact our company for the purpose of disclosing private data. If the body affected designated the precise purpose and scope of data to be turned over, our company provides personal data only to the extent and to the degree which is indispensable for the purpose of the request and if the fulfilment of the request is prescribed by law.

10. MODE OF PERSONAL DATA STORAGE, SECURITY OF DATA PROCESSING

Our company’s computer systems and other data storage devices can be found in the seat of the company and on the servers rented by the data processor. Our company selects and operates the information technology devices used to process personal data in the course of providing its services that

  1. the data processed are available to the authorised persons (availability);
  2. its authenticity and authentication are guaranteed (the authenticity of data processing);
  3. its integrity can be verified (data integrity);
  4. the data are protected against unauthorised access (data confidentiality).

We take special care of data security, furthermore we also take the technical and organisational measures and develop the procedural rules necessary to enforce the GDPR guarantees. We protect the data with appropriate measures against, in particular, unauthorised access, alteration, transmission, public disclosure, erasure or destruction, as well as unavailability due to accidental destruction, damage, and furthermore unavailability on grounds of alteration in the technologies used to access the data.

The computer system and network of our company and its partners are protected against computer fraud, computer viruses, theft via computers, and computer attacks whose purpose is service denial. The operator ensures a high level of safety through taking security measures both on the level of server and application. The daily backup of the data has been resolved. Our company takes every possible measure in order to avoid a personal data breach, and in the event that such personal data breach should take place we shall immediately take action – in accordance with our incident management rules – in order to minimize risk and to control damage.

11. RIGHTS OF DATA SUBJECTS, REMEDIES

The data subject has the right to request information about the processing of his/her personal data, and request the rectification of his/her personal data, or – with exception of the mandatory data processing – request the erasure of his/her data or withdraw consent, or make use of his/her right to data portability and contest in the manner specified at the time of data collection, or through the contact details of the data processor mentioned above.

Upon request of the data subject we shall provide the data in electronic format without delay, but latest within 30 days, in accordance with our relevant rules. We shall fulfil the requests of the data subjects with regards to the rights below free of charge.

Right of information:

Our company shall take appropriate measures to provide any information referred to in Articles 13 and 14 of the GDPR and any communication under Articles 15 to 22 and 34 of the GDPR relating to processing to the data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language while remaining precise at the same time.

The right to information can be exercised in written form, through the contact details provided under Point 1. Upon request of the data subject – following the verification of his/her identity – information may be provided in oral form. We would like to inform our customers that if our company’s employees have doubts with regards to the identity of the data subject, we may request further information necessary to confirm the personal identity of the data subject.

The data subject’s right of access to data:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Should his/her personal data be processed, the data subject shall have the right to get access to the personal data, and the following information included in the list below:

  • Purposes of the data processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries (outside of the European Union) or international organisations;
  • the envisaged period for which the personal data will be stored;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • information on the source of personal data; the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In addition to the above, in the event that personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

The right to rectification:

According to this right anyone shall have the right to obtain from our company the rectification of inaccurate personal data or the completion of incomplete data concerning him or her.

The right of erasure:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
  3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  4. the personal data have been unlawfully processed;
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to the offer of information society services.

The erasure of personal data cannot be initiated, if the data processing is necessary for any of the following purposes:

  1. for exercising the right of freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  4. for the establishment, exercise or defence of legal claims.

Right to restrict data processing:

We shall restrict data processing on the basis of Article 18 of GDPR, that is, where one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, in this case the restriction applies to the period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
  4. the data subject has objected to processing; in this case the restriction applies to the time period pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, the personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. The data subject shall be informed by the controller before the restriction of processing is lifted.

Right to data portability:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller. Our company is able to fulfil such a request by the data subject in Word or Excel format.

The right to object:

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Automated individual decision-making, including profiling:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right cannot be applied, if the data processing

  1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. is authorised by Union or Member State law to which the controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  3. is based on the data subject’s explicit consent.

The right to withdraw consent:

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Procedural rules:

The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Damages and compensation:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage.

A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

The right to apply to Court and the data protection authority procedure:

The data subject may apply to the court in the event that his/her rights have been infringed upon. The court gives the case priority.

Complaints are to be lodged with the Nemzeti Adatvédelmi és Információszabadság Hatóság (National Data Protection and Freedom of Information Authority).

The authority’s address: Hungary 1055 Budapest, Falk Miksa u. 9-11., postal address: 1374 Budapest, Pf.: 603.,
Telephone: +36 1 391 1400,
E-mail: ugyfelszolgalat@naih.hu