Privacy Statement of Mystery Hotel Budapest Ltd.
ON THE HOTEL’S DATA PROCESSING OPERATIONS
The present Privacy Statement contains all information about the data processing operations of our hotel, Mystery Hotel Budapest (hereinafter referred to as ‘Hotel/data controller’) regarding its data subjects, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: General Data Protection Regulation/GDPR) and with the Hungarian Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter referred to as ‘Privacy Act’) and other relevant legislation on ensuring the protection of personal data.
To maintain the security of your personal data, our Hotel will take the necessary and appropriate measures to ensure that our online users – when using our websites www.mysteryhotelbudapest.com, www.mysteryhotelbudapest.hu, www.spasecretgarden.com and www.thegreathallbudapest.com for online booking –, our guests and other data subjects shall be provided with information on the processing of their personal data in a consistent, transparent, comprehensible and easily accessible way and to facilitate the exercise of your rights as a data subject.
This Privacy Statement is an annex to the Privacy Regulation (hereinafter referred to as ‘Regulation’) available at the seat of our Hotel. Please read the contents of this statement carefully and feel free to contact us with your questions.
DESCRIPTION OF DATA CONTROLLER AND DATA PROCESSORS
The publisher of the present Privacy Statement as the Data Controller/Hotel:
Mystery Hotel Budapest Limited Liability Company
Registered seat: 45 Podmaniczky Street, Budapest 1064, Hungary
Company Registration Number: 01-09-295026;
Tax number: 25896811-2-42;
Represented by: Tamás Antal Scheffler as managing director;
Email address: email@example.com
Our Hotel is considered to be the data controller when managing the personal data of the data subjects. We also use data processors to provide our services and perform our activities. Data processors are bound by the obligation of confidentiality with regard to the data obtained. Data processors treat personal data in accordance with the agreement between them and our Hotel to the extent of performing their duties.
According to the General Data Protection Regulation and the Privacy Act a data processor can be a natural or legal person, public authority, agency or any other body that processes personal data on behalf of our Hotel as data controller. (Section 8 Article 4 of GDPR)
Based on the applicable regulations, in order to entrust a data processor, our Hotel does not need to ask for the prior consent of the person concerned (data subject), but you need to be informed about the process. Accordingly, our Hotel informs the data subjects about the contact details of the data processors, who may handle the given data strictly for the purpose specified by our Hotel for the safety of our guests and for faster and more convenient administration.
- Our external contractors on booking and sales
Our Hotel contracts with external partners who ensure the booking and sales activities as data controllers, through their own network, IT system and services, within the frame of their own data management rules. If necessary for their activities, they store the personal data on their own servers. For more information on data management and the duration of data storage, please contact our partners. You can find the names of these partners in the register of our Hotel’s data processing operations. The register is publicly available at our Hotel’s reception or can be sent to you upon request.
We inform our guests that their data transferred to our partners will be subject to our Hotel’s Regulation only if their data is received in our system. Before that, their data is handled by our external partners listed in the registry.
Once your data is received in our system, it will be fully managed in accordance with the present Privacy Statement and our Regulation.
- Our IT, security and financial data processing partners
Our Hotel contracts with external partners to manage our IT, security and financial services, who manage the personal data of the natural persons concerned as described in Chapter V of this Privacy Statement. You can find the names of these partners in the register of our Hotel’s data processing operations.
For the purposes of the present Privacy Statement, in accordance with Article 4 of the GDPR Regulation:
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
- ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status; The term “health data” at the time of entry into force of the Regulation in Hungarian legislation: the physical, mental and psychological state of the person concerned, abnormal passion, circumstances of the illness or death, the cause of death, reported by him or her, or by the health care network; tested, measured, mapped or derived data; and any data related to the foregoing, such as behavior, environment, occupation;
- ‘data of identity’ means the surname, first name, maiden name, gender, place and date of birth, mother’s maiden name and surname, place of residence, residence, social security identification number (hereinafter referred to as TAJ number); or any of them, if suitable for identifying the subject.
Our hotel handles the processing of personal data of those concerned, in accordance with Article 5 of the GDPR Regulation, taking into account the following principles. Also, our employees are obliged to act in accordance with the following principles to protect the personal data of the data subjects.
- Principle of legality, fairness and transparency: our hotel processes personal data in a lawful, fair and transparent manner in relation to the data subject;
- Principle of purpose limitation: personal data is collected for a specific, explicit and legitimate purpose and is not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Principle of data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Principle of accuracy: personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Principle of storage limitation: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) of the GDPR Regulation subject to implementation of the appropriate technical and organisational measures required by the GDPR Regulation in order to safeguard the rights and freedoms of the data subject;
- Principle of integrity and confidentiality: personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
- Principle of accountability: Our hotel as data controller is responsible for 1-6. and, if necessary, prepared to demonstrate compliance.
LAWFUL TREATMENT OF THE DATA SUBJECT’S PERSONAL DATA
- [Data process operation with the consent of the data subject]
(1) In case of data processing based on consent, the consent of the data subject to the processing of personal data shall be requested by our Hotel prior to the start of data processing. If data processing serves multiple purposes at the same time, the consent must be given for all data processing purposes.
(2) Where the consent of the data subject is given by means of a written declaration covering other matters as well, the request for consent shall be clearly distinguished from those other matters in a clear and easily accessible form, in a simple language, and shall not contain unfair terms. Any part of the statement containing the consent of the data subject that does not meet the requirements of the law is not binding.
(3) In order for the data subject’s consent to be based on the information given by our Hotel, the data subject must at least be aware of the identity of the controller and the purpose of the processing of personal data. Giving consent is not considered to be voluntary if the person concerned does not have a real or free choice and is unable to deny or withdraw consent without it causing any damage to him or her.
(4) Data process is considered to be lawful if it is required in the context of a contract or at an intention to conclude a contract. Our Hotel shall not set up a condition for entering into a contract by requesting personal data that is not necessary for the performance of the contract.
(5) The possibility of withdrawing consent shall be made available to the data subject in an understandable, easily accessible form, in a clear and simple manner and shall not contain unfair terms.
(6) If personal data has been recorded with the consent of the data subject, the Hotel may process the recorded data without further specific consent for the fulfillment of its legal obligation unless otherwise provided by law and after the withdrawal of the consent of the data subject.
(7) The consent should be voluntary, meaning it is free from all external influences and can possibly serve as a legal basis if there is a real choice for the data subject and there is no risk of deception, intimidation, coercion or other significant negative consequences in the event of denial of consent. In the absence of a voluntary decision, our Hotel does not have the appropriate legal basis for data processing.
(8) One specific matter of the legal basis for consent is Section (3) Article 6 of the Privacy Act, which requires the consent of the parent for the lawfulness of data processing involving minors under 16 years of age.
- [The Hotel’s obligation on providing information]
Our Hotel keeps the present Privacy Statement available to those concerned in an easily accessible way on its website and at its seat. The Statement informs the data subject in a publicly accessible manner, before and during the processing of the data, of all facts related to the management of their data, including the purpose and legal basis of the data process, the person entitled to data processing, the duration of the data process, about the fact if the personal data of the data subject is processed according to the data subject’s consent (Section 5 Article 6 of the Privacy Act) and regarding who is entitled to know the data. The provision of information by our Hotel also covers the rights and remedies of the data subject concerned.
- [Data process operation based on the fulfillment of a legal obligation]
Data process operation based on the fulfillment of a legal obligation is independent from the consent of the data subject. Before starting the data process our Hotel must inform the data subject, that the process of data is based on a legal obligation. In such case our Hotel informs the data subject in a clear and detailed way before the beginning of the data process operation about all facts related to the process of his or her data, especially the purpose and legal basis of the data process, the person entitled to data processing, the duration of the data process, about the fact that the personal data is processed according to a legal obligation and regarding who is entitled to know the data. The provision of information by our Hotel also covers the rights and remedies of the data subject concerned. In case of mandatory data process, the information may also be given by disclosing a reference to the provisions of the legal obligation that contains the necessary information covered by this paragraph.
- [Data process operation based on the Hotel’s legitimate interest]
Personal data may be processed if the data processing is necessary for the purpose of enforcing the legitimate interest of our Hotel or, exceptionally, a third party, unless the right to the protection of the personal data of the data subject and the respect of his or her privacy represents a higher value than that legitimate interest. Such legitimate interest may make the data processing lawful regardless of the consent of the data subject, if the legitimate interest only restricts the right and privacy of the data subject to the extent necessary and proportionate. In the case of such interest-based data process, the principle of graduality and, if possible, the presence of the data subject shall be ensured.
DATA PROCESS OPERATIONS ON THE WEBSITE OF OUR HOTEL AND SOCIAL MEDIA PLATFORMS
- [Contacting us via our Hotel’s website]
(1) The natural person initiating a contact through the website shall provide the following information necessary to establish the contact:
- name (surname, first name);
- email address;
- any other personal data provided by the data subject voluntarily as a content of his or her message.
(2) The purpose of processing the personal data is:
- Providing information about our Hotel’s services, establishing contact between the natural person and our Hotel.
- Contacting the user via electronic manner or via telephone call.
- Information on Hotel products, services and terms and conditions.
- In case of a clear, additional consent of the data subject, information about our Hotel’s special offers.
(3) The legal basis for data process is the consent of the data subject.
(4) The recipients of the personal data and the categories of these recipients are the Hotel’s employees, its data processing partners and the IT service provider.
(6) The duration of personal data storage (retention period) shall last until the end of the service provided, until the obligatory retention period defined by the law or until the consent of the data subject is withdrawn (until a request on deleting the data is submitted by the data subject).
What is a cookie?
On other platforms, where cookies are unavailable or cannot be used, other technologies that are similar to cookies may be used, such as ad IDs on Android mobile devices.
There are two types of cookies: “session cookies” and “persistent cookies”.
A “session cookie” is only temporarily stored by your computer, notebook or mobile device until you leave the site; these cookies help the system to record information so you do not have to re-enter or fill in the information again. The validity of session cookies is limited to the current session of the user, with the purpose of preventing data loss (for example, when filling out a longer form). At the end of the session or on closing the browser, cookies of this type are automatically deleted from the visitor’s computer.
The “persistent cookies” are stored on your computer, notebook or mobile device after you leave the website. With these cookies, the website recognizes you as a returning visitor. Persistent cookies can be used to identify you on the server side by user ID, so in all cases where user authentication is essential (e.g. webshop, netbank, webmail) they are a necessary condition for proper operation. Persistent cookies alone do not carry personal data and are only suitable for identifying the user together with the data stored in the server database. The risk of such cookies is that they actually identify the browser rather than the user: when someone in a public place (e.g. in a net cafe or in a library) enters a webshop and does not log out of the account before leaving, another person using the same computer can gain unauthorized access to that webshop on behalf of the original user.
How do I enable or disable cookies?
Most web browsers automatically accept cookies, but visitors can either delete or reject them. Because each browser is different, you can set your own cookie preferences individually using the browser toolbar. If you do not want to allow any cookies from our website, you can change your web browser settings to notify you when cookies are sent or simply to reject all cookies. You can also delete cookies stored on your computer or mobile device at any time. For more information about the settings, see your browser’s Help center. Please note that if you choose to disable cookies, you will not be able to use certain features of our website.
What cookies do we use?
Essential tools for website operation:
Such cookies are necessary for the proper functioning of the website, in this case the legal basis for data process operation is Section (3) Paragraph 13/A. § of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services. No data transfer is made.
- a) Filling instructions
The purpose of data process operation: Helps you fill out your datasheets by offering you a pre-filled out form.
The time of data process operation: It lasts for the duration of your stay on the website.
- b) Help in searching
The purpose of data process operation: Helps you find what you are looking for in the fastest way.
The time of data process operation: It lasts for the duration of your stay on the website.
- c) Spell checker
The purpose of data process operation: Automatically corrects presumed typing errors.
The time of data process operation: It lasts for the duration of your stay on the website.
- d) Identifying a language setting
The purpose of data process operation: During the visit of the website, the system identifies you as a custom user with a standard cookie to remember your language settings.
The time of data process operation: This setting (cookie) is stored for 29 days.
- e) Social Media Cookie (Facebook, Instagram, Google+, Youtube)
The purpose of data process operation: This cookie allows you to share the content of the website.
The time of data process operation: This cookie is stored for the duration of the sharing.
- f) Multimedia Player (youtube)
The purpose of data process operation: This cookie allows you to play videos on the website.
The time of data process operation: This cookie is stored for the duration of playing the multimedia.
Cookies collecting statistical data
These cookies only collect statistical data, so they do not process personal data. During their operation, they observe how you use the website, which topics you look at, what you click on, how you scroll the website, which pages you visit. However, the information is only collected anonymously. For example, you can find out how many visitors we have on the website per month. Additionally, these statistics help us adjust our site to user needs. Google Tag Manager (and Google Analytics) and Hotjar help gather such data.
The purpose of handling such cookies is to send personalized ads.
Legal basis for data process operation: In all cases, your data is processed on the basis of your consent, which you enter in the pop-up window on the website. You may revoke your consent at any time, but the revocation does not affect the prior lawful processing of the data. In case of revocation, the ads designed for you will not appear on any other interface.
- a) Categorization by location of visit:
Data processing time: 269 days.
- b) Customized Facebook offers:
Data management time: up to 180 days.
- c) Tracking the click on Hotel ads:
Data processing time: 2 years.
If you wish to exercise any of the rights set forth above or wish to contact us for any other reason in connection with the above described data process operations, please notify us by email to firstname.lastname@example.org.
- [Data process operation via the Hotel’s Facebook, Instagram and LinkedIn account]
(1) For the purpose of advertising and promoting the products and services of our Hotel, we maintain a Facebook, Instagram and LinkedIn account (hereinafter collectively referred to as: social media platforms) on our own or through our data processing partners.
(2) Complaints submitted to the Hotel through our social media platforms are not considered to be formally submitted.
(3) Personal data published by visitors on the social media platforms of the Hotel are not processed by us.
(4) Visitors are subject to the Privacy and Service Terms of the social media platforms.
(5) In case of an unlawful or offensive content posted on our social media platforms, the Hotel may exclude the affected person from the site without notice and may delete his or her comment.
(6) Our Hotel is not responsible for any unlawful data content or comments published by our social media platform users. Our Hotel is not responsible for any problems that may result from malfunctioning of the social media platforms, causing a breach in personal data protection.
(7) The provisions in this section also apply to any of our future social media platforms.
- [Data process operations regarding our newsletter service]
(1) The natural person registering for the newsletter service on our Hotel’s website may give his or her consent to the processing of his or her personal data by ticking the relevant box. When signing up, we provide the present Privacy Statement available with a link. The person registering may opt out of the newsletter by unsubscribing at any time by using the “Unsubscribe/Leiratkozás” button on the email newsletter, or by submitting an e-mail to us with his or her request to unsubscribe. In such case, all data concerning him or her will be deleted immediately.
(2) The scope of data processed:
- name (surname, first name),
- email address.
(3) The purpose of processing personal data:
- sending newsletter about our Hotel’s products and services,
- sending ads and special offers.
(4) The legal basis for data process is the consent of the data subject.
(5) Recipients of personal data and categories of recipients are employees of our Hotel who perform tasks related to customer service and marketing activities; our IT service provider for the purpose of fulfilling hosting, advertising and development.
(6) The duration of the storage of personal data shall remain until the newsletter service is in place or until the consent of the data subject is withdrawn (until a cancellation request is made).
The duration of personal data storage (retention period) shall last until the end of the newsletter service provided or until the consent of the data subject is withdrawn (until a request on deleting the data is submitted by the data subject).
SPECIAL PROVISIONS CONCERNING THE HANDLING OF HOTEL HOTELS
- [Booking via the Hotel’s website]
(1) For the purpose of concluding and performing a contract, our Hotel processes the following personal data of the person concerned (guests) for the provision, performance and termination of the contract:
- first and last name,
- email address,
- payment details (payment method, cardholder’s name, credit or debit card details).
(2) This process is also considered to be lawful if the data processing is necessary for us to take measures at the request of the data subject prior to the conclusion of the contract. The recipients of the personal data are the Hotel, its employees and data processors. The duration of the storage of personal data, with the exception of the payment details provided for in point 3, shall be the time specified in the relevant applicable law or, if there is none, 5 years after the termination of the contract. After that period of time, all data shall be deleted.
(3) For the purpose of concluding and performing the contract, our Hotel may process the payment information of the natural person contracted as a guest (payment method, cardholder’s name, credit or debit card details) for the purpose of concluding, performing or terminating the contract. This data management is also considered lawful if the data processing is necessary to take action at the request of the data subject prior to the conclusion of the contract.
The scope of data processed is the method of payment, name of the cardholder (name on the card), card number, expiration date.
The legal basis of data processing: the purpose of concluding and performing the contract. Information on data processing operations may also be provided in the contract. Providing the data is a condition for the possibility to perform our services.
The recipients of the personal data are the Hotel, its employees and data processors. If the data subject pays the Hotel service fee (e.g. booking fees) by bank card payment, the payment data is addressed to the external data processing contractor of our Hotel. The Hotel does not see the payment information; it receives only a TOKEN code, which can be linked to the payment, but which cannot be traced back to the natural person. The payment processor processing the data has the necessary security and IT measures and systems to ensure the secure handling of payment data. If it is necessary in the event of a temporary inactivity or other absence of the payment service system, the payment data will be handled by the Hotel in encrypted form.
Duration of data storage: credit and debit card data are encrypted, their disclosure is possible only for the purpose of the transaction, only to the authorized person. Once the service is complete, the data can no longer be detected, access is not possible. Data will be deleted after 8 years.
(4) The natural person concerned shall be informed prior to the commencement of data processing about our present Privacy Statement uploaded to the website of the Hotel, stating that the data management is based on the performance of the contract. Information on data process may also be provided in the contract. The person concerned shall also be informed about the transfer of his or her personal data to one of our data processors.
- [Booking at the Hotel’s reception]
For the purpose of concluding and performing a contract, our Hotel processes the following personal data of the person concerned (guests) for the provision, performance and termination of the contract. The data are obtained by filling in the registration card provided at the reception of the Hotel.
- first and last name,
- date of birth,
- passport number or ID card number,
- phone number,
- the name of the natural persons who use the Hotel’s service together with the guest as further guests,
- type of Hotel service (leisure, business, event, other),
- the signature of the guest.
This process is also considered to be lawful if the data processing is necessary for us to take measures at the request of the data subject prior to the conclusion of the contract. The recipients of the personal data are the Hotel, its employees and data processors. The duration of the storage of personal data shall be the time specified in the relevant applicable law or, if there is none, 5 years after the termination of the contract. After that period of time, all data shall be deleted.
If the guest pays the service fee at the Hotel’s reception by credit or debit card payment, the Hotel will process the payment details as stated in the previous Section (3) Point 1 of the present Statement.
- [Booking via Telephone and Email]
The provisions of the present Chapter’s Point 1 and 2 shall apply.
- [Booking via a third party agency]
(1) Our Hotel may use the services of a third party agency for the purpose of concluding, performing, terminating a contract for booking hotel services.
(2) In the course of the service referred to in Paragraph (1), the personal data of the natural person concerned is provided to and processed by the third party agency as data controller. The third party agency shall forward the data of the natural person concerned to the Hotel for booking. If the service is used by the person concerned, the Hotel will receive the incoming data, manage it and keep it as a data controller in accordance with the present Chapter’s Point 1 and 2.
- [Data process operations at our events]
(1) Our Hotel processes the following data of the data subject during the events organized in the Hotel. The legal basis of the data processing is the consent of the data subject, and the processing is carried out only if it complies with the legal conditions, judicial practice and the obligation to inform the data subject.
- email address
- recorded images, sound and moving images of the person concerned.
(2) The consent of the data subject shall be obtained prior to the commencement of the processing of the data. At any time, at the request of the data subject, the recorded image, sound and moving image captured of the data subject must be deleted.
(3) The Hotel shall perform the data processing described in Paragraph (1) Point 1 of this section while taking into account the following statements and legal practice:
- a) According to the provisions of the Privacy Act, a person’s face or image is considered to be personal data; taking a picture and any operation performed on such data is considered to be data processing, subject to the consent of the person concerned. The consent should be voluntary, decisive and based on appropriate information, on the basis of which the data subject has the possibility to give an unambiguous consent to the full or specific handling of his or her personal data.
- b) In the case of minors, the consent or subsequent approval of a legal representative of a minor of 16 years of age or older shall not be required for the validity of his or her consent. After the age of 16, the minor may declare the use of his or her personal data independently; however, prior to the age of 16, prior or subsequent approval by the legal representative is always required, otherwise the consent to the data processing is considered null and void and the data processing is considered unlawful in the absence of a legal basis.
- c) Consent can be given by means of implied consent. The consent should be voluntary, definite and based on appropriate information, otherwise it is not considered acceptable. After giving all appropriate information regarding data processing operations at the event, the Hotel considers entering the venue of the event and participating in it as implied consent from the data subject. Such behavior of the data subject counts as implied consent if he or she knows that image recording is made or can be made in the room that he or she enters. However, the consent to take a photograph or to record sound or video content does not mean authorizing its use as well, as the right to dispose of the use of these media is independent from the permission to record.
- d) Recording image, sound and moving image – even through an implied consent – does not constitute the authorization to publish the recorded media. Thus, with the exception of mass recordings, the voluntary consent of the person concerned must be obtained for the publication of those recordings. If non-compliant data processing took place – e.g. due to the lack of consent – and it would initiate procedures against the data controller, the data controller must prove the lawfulness of the data processing operation, as in the case of doubt, in accordance with the current legal practice, it must be presumed that the data subject did not give his or her consent. Therefore, from the point of view of data controllers for the purposes of this point (d), asking for the written consent of the data subject is recommended, with the exception of mass recordings.
- e) In accordance with the provisions of the Civil Code of Hungary, the consent of the data subject to the recording and the use of the record is not required in case of mass and public recordings. It is necessary, on a case-by-case basis, to examine whether the recording is a mass recording. If it is not mass or public recording, publication of the recording is only lawful with the consent of the data subject or, in the case of minors under 16 years of age with the consent of his or her legal representative.
- f) The Hotel informs data subjects about the management of the data at the events held in our venue through our present Privacy Statement published on our website and placed at the reception. In addition, the Hotel will, if necessary, provide information on the processing of the data if the consent of the data subject is required through a special notice (on the registration card or on the back of the entry ticket to the event) when entering the event. The Hotel informs the data subject about the identity of the data controller, the purpose of the data process, the location of the availability of the recordings, and the manner in which the person concerned may request that the recording is not made public or how the recording may be deleted, and where the present Privacy Statement can be found.
- [Data process operations regarding food sensitivity and food allergy]
Our Hotel manages the personal data of persons affected by food sensitivity and food allergy, which are considered special health data within the meaning of Article 6 of the GDPR Regulation, in order to ensure the health security of our permanent guests and guests attending events and other events. The data processed by the Hotel: food sensitivity, food allergy. The Hotel handles the data until the day after the event or until the guest has a contractual relationship with the Hotel (as long as the service is in progress). The data is then deleted.
RULES ON SAFETY CAMERA SYSTEMS
- [Data process operation of safety camera surveillance]
(1) In the area of our Hotel, at venues open to our guests, we use electronic monitoring systems that allow the recording of images, for the protection of human life, bodily integrity, personal freedom, business secrecy and property. Through this, the conduct of the person concerned that the camera records is also considered personal data.
(2) Legal basis for data processing is the legitimate interests of our Hotel and the consent of the data subject.
(3) Our Hotel is obliged to place a warning sign or information on the location of the electronic monitoring system in a clearly visible place, in order to inform third parties wishing to appear in the area. Such a sign or information should be provided for each camera. This information includes the fact that an electronic monitoring system is being used, the purpose of recording and storing the data and its duration, the person applying the system, the storage location of the record containing the personal data, and the rights of the persons concerned.
(4) Recording the persons entering the observed area may be made and handled with their consent. The consent may also be given by an implied consent, in particular if the natural person entering the observed area enters the area despite the indication of the use of an electronic surveillance system at its entrance.
(5) Recordings may be kept for up to 3 (three) business days; if not used, they shall be deleted. It is considered to be a use if the recorded image and other personal data are to be used as evidence in court or other official procedures.
(6) Anyone whose right or legitimate interest is affected by the recording of the data may, within 3 (three) business days from the date of recording, request the data controller not to destroy or delete the data.
(7) It is not possible to use a camera surveillance system in a room where observation may violate human dignity, especially in hotel rooms, changing rooms, showers, and toilets. The camera’s position should not be directed specifically at the surveillance of the data subject. The fact that the camera’s overall angle of view includes the workspace in which the person concerned carries out his or her activities does not constitute an explicit observation of the data subject if it is proportionate and justified [e.g. reception desk/kitchen area, where the recording is not specifically, exclusively and unambiguously aimed at monitoring the reception/kitchen/foreground, but these places are also in the picture to a proportionate and reasonable extent within the area observed for security purposes (e.g. safety of guests and staff)].
(8) If no one can legally stay in the area of the Hotel – especially outside the operating hours – then the entire area of the workplace can be observed.
(9) In addition to those authorized by the law, the staff of the surveillance system, the manager and deputy manager of our Hotel, the employee supervisor of the area monitored are authorized to view the data recorded by the camera system for the purpose of detecting violations and monitoring the operation of the system.
DATA SECURITY MEASURES
- [Data security measures]
(1) For the purposes of personal data security, our Hotel is obliged to take all technical and organizational measures and establish the procedural rules necessary to ensure data protection regarding any of its data management activities.
(2) Our Hotel protects the data by appropriate measures against accidental or unlawful destruction, loss, alteration, injury, unauthorized disclosure or unauthorized access to it.
(3) Our Hotel classifies and manages personal data as confidential. We require confidentiality from our employees and data processing partners regarding the processing of personal data.
(4) Our Hotel protects the IT system with a firewall and virus protection.
(5) With regard to the data arriving through our Hotel’s website, electronic data processing and record keeping is carried out by means of a computerized information system that meets the requirements of data security. The IT system ensures that only those who need it for the performance of their tasks can access the data in a targeted and controlled manner.
(6) If the data of the natural persons concerned are handled by a paper-based document suitable for our Hotel’s data processing operations, they must be managed and kept at the premises of our Hotel, in accordance with the provisions of the Regulations and the present Privacy Statement (legal basis, scope of processed data, retention period).
(7) Our Hotel ensures the control of incoming and outgoing electronic communications for the protection of personal data.
(8) Only competent persons should have access to documents that are in progress and undergoing data processing, and those must be kept securely closed.
(9) Appropriate physical protection of the data and the means and documents carrying them must be ensured.
(10) Taking into account the data security measures contained in this chapter and strict adherence to the regulations is the duty of all employees of our hotel.
MANAGEMENT OF PERSONAL DATA BREACH
- [Concept of personal data breach]
(1) A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Article 4 (12) of GDPR Regulation)
(2) The most commonly reported breaches may include: loss of a laptop or mobile phone; unsafe storage of personal data; unsafe transfer of data; unauthorized copying or forwarding of client, guest, customer or partner lists; attacks against the server; breaking the website.
- [Managing and remedy of personal data breach]
(1) Prevention and management of personal data breaches and compliance with applicable legal requirements are the responsibility of our hotel manager.
(2) Access and access attempts must be registered in the IT systems and analyzed continuously.
(3) If our Hotel’s employees notice a breach in the course of performing their controlling duties, they shall observe the personal data breach and notify the Hotel manager immediately.
(4) Employees of our Hotel are required to report to our hotel manager or to the one in charge of the employer’s rights, if they observe a data protection breach or any sign or event regarding a possible breach.
(5) Personal data breaches can be reported at our central e-mail address or telephone number, so guests, contractors, partners and others concerned can report the underlying signs or events and security weaknesses.
(6) In the event of a personal data breach being reported, the hotel manager, with the involvement of the IT, financial and operational manager, will immediately examine the notification, identifying the breach and deciding whether it is a real breach or a false alarm. The following should be examined and established:
- a) the date and place of the event (breach);
- b) description, circumstances and effects of the event (breach);
- c) the range and number of data compromised during the breach;
- d) the scope of persons affected by the compromised data;
- e) the description of the measures taken to prevent the breach;
- f) the description of the measures taken to prevent, remedy and reduce the damage.
(7) In the event of a personal data breach, the affected systems, persons, data must be delimited and separated, and the evidence supporting the incident must be collected and preserved. It is then possible to start repairing the damage and restoring the lawful operation.
- [Register of personal data breach]
(1) A record of personal data breach shall be kept, including:
- a) the scope of the personal data concerned,
- b) the scope and number of data subjects affected by the personal data breach;
- c) the date of the personal data breach,
- d) the circumstances and effects of the personal data breach;
- e) the steps taken to remedy the personal data breach;
- f) other data specified in the law regarding the relevant data processing operation.
(2) Data relating to personal data breach in the register shall be retained for 5 years.
RIGHTS, LEGAL REMEDIES OF THE RELATED PERSON
Below, our Hotel informs the data subject about the rights and remedies available to the natural person concerned with regard to the protection of personal data.
- [The right to preliminary information]
The data subject is entitled to be informed of facts and information related to data process operations prior to the commencement of these operations. (Articles 13-14 of GDPR Regulation)
- [The right of access by the data subject]
The data subject has the right to receive feedback from the Controller on whether personal data are being processed and, if such processing is in progress, the data subject shall have access to personal data and related information as defined in the GDPR Regulation. (Article 15 of GDPR Regulation).
- [The right to rectification]
Upon request, the data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. (Article 16 of GDPR Regulation).
- [The right to erasure (“the right to be forgotten”)]
Upon request, the data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay if one of the grounds set out in the GDPR Regulation applies. (Article 17 of GDPR Regulation)
- [Right to restriction of processing]
Upon request, the data subject shall have the right to obtain from the Controller restriction of processing if the conditions specified in the GDPR Regulation are met. (Article 18 of GDPR Regulation)
- [Notification obligation regarding rectification or erasure of personal data or restriction of processing]
The Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom or with whom the personal data have been disclosed, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, the Controller shall inform the data subject about those recipients. (Article 19 of GDPR Regulation)
- [The right to data portability]
Subject to the conditions set out in the GDPR Regulation, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. (Article 20 of GDPR Regulation)
- [The right to object]
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1) (data processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; the legitimate interests of the controller or a third party, with exceptions). (Article 21 of GDPR Regulation)
- [Automated individual decision-making, including profiling]
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. (Article 22 of GDPR Regulation)
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22. (Article 23 of GDPR Regulation)
- [Communication of a personal data breach to the data subject]
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. (Article 34 of GDPR Regulation)
- [Right to lodge a complaint with the supervisory authority]
The data subject has the right to lodge a complaint to the supervisory authority if the data subject considers that the processing of personal data concerning him or her violates the GDPR Regulation. (Article 77 of GDPR Regulation)
- [Right to an effective judicial remedy against the supervisory authority]
Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them, or if the supervisory authority does not handle the complaint or does not inform the person concerned of the progress or the outcome of the complaint within three months. (Article 78 of GDPR Regulation)
- [Right to an effective judicial remedy against the controller or the processor]
Each data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under the GDPR Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR Regulation. (Article 79 of GDPR Regulation)
SUBMISSION OF THE DATA SUBJECT’S APPLICATION OF REQUEST AND THE MEASURES TAKEN BY HOTEL AS DATA CONTROLLER
- [Measures based on the request of the data subject]
(1) Our Hotel as data controller shall inform the data subject of the measures taken on his or her request for the exercise of his or her rights without undue delay, but no later than one month after submission of the request.
(2) Where necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months. Our Hotel shall inform the data subject of the extension of the deadline by indicating the reasons for the delay within one month of receiving the application of request.
(3) If the data subject submitted the application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.
(4) If our Hotel does not take any measures following the request by the data subject, we must inform the data subject without any delay, but at the latest within one month from receiving the application of the request, of the reasons for the non-execution of the measure and also about the data subject’s right to lodge a complaint with the supervisory authority and his or her right to appeal at court.
(5) Our Hotel provides the information set out in Articles 13 and 14 of the GDPR Regulation and the information on the rights of the data subject (Articles 15 to 22 and 34 of the GDPR Regulation) free of charge. If the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, our Hotel may charge a fee calculated based on the administrative costs of providing the requested information, or refuse to take measures. Our Hotel bears the burden of proving that the request is manifestly unfounded or excessive.
(6) If our Hotel as data controller has reasonable doubts as to the identity of the natural person submitting the request, we may request further information necessary to confirm the identity of the person concerned.
- Contact details of the supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information
Postal address: 1530 Budapest, Pf.: 5.
Phone number: +36 (1) 391-1400