DATA PROTECTION NOTICE
(for guests and website visitors)
The details and contact details of our company are as follows:
Hotel Helikon Kft., as the operator of the Hotel Helikon **** SUPERIOR, Keszthely (address: 8360 Keszthely, Mikus Gyula sétány 5., website: www.hotelhelikon.hu), ensures in all cases the legality and expediency of data management with regard to the personal data it manages. The purpose of this information is that our guests who book accommodation and provide their personal data can receive appropriate information about the conditions and guarantees and for how long their data will be processed by our company before making the reservation or providing their personal data. Our company adheres to the contents of this information sheet in all cases involving personal data management, and we consider what is described here mandatory for us.
The details and contact details of our company are as follows:
Name: Hotel Helikon Kft.
Headquarters: H-8360 Keszthely Mikus Gyula sétány 5.
Company registration number: 20 - 09 - 077948
Tax number: 27518397 – 2 – 20
Represented by: András István Csere, managing director
E-mail: info@hotelhelikon.hu
Website: www.hotelhelikon.hu
(hereinafter also referred to as: "Data Controller")
Our data management complies with the relevant legislation, in particular the following:
Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) - on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (general data protection regulation, hereinafter: "GDPR");
CXII of 2011 on the right to informational self-determination and freedom of information. law ("Infotv.");
Act V of 2013 on the Civil Code;
➢ Act C of 2000 on accounting;
➢ CL of 2017 on the taxation system. law;
➢ CXXXIII of 2005 on the rules for personal and property protection and private detective activity. law (hereinafter: "Szvtv.");
➢ Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity. law;
➢ CVIII of 2001 on certain issues of electronic commercial services and services related to the information society law.
We provide the following information regarding our individual data management.
I. INDIVIDUAL DATA PROCESSES
1. DATA MANAGEMENT IN CONNECTION WITH ONLINE ACCOMMODATION BOOKINGS
Our company offers the possibility of online hotel reservations so that you can book a room in the Hotel Helikon quickly, conveniently and at no cost.
The purpose of data management is to make accommodation reservations easier, cost-free and more efficient.
Legal basis for data management: prior consent of the person booking the accommodation [GDPR Article 6 (1) para. point a)], the need to take steps at the request of the data subject prior to the conclusion of the contract between the Data Controller and the data subject [GDPR Article 6 (1) para. point b)].
Scope of processed personal data: address; surname and first name; residential address (country, postal code, city, street, house number); telephone number; e-mail address; in the case of a business company, company name and registered office, bank card number, SZÉP card data (identification, name on the card), name of representative, contact person, e-mail address and telephone number.
Duration of processing: two years after the last day of the booked stay.
Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.
| Name of data processor | Name of data processor | Data processing job description | |
|
NetHotelBooking Kft. |
8200 Veszprém, Boksa tér 1. A. ép. |
Providing the possibility of online booking | |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Running the website |
By accepting this information, the data subject gives his or her explicit consent for the Processor to use additional processors as follows, in order to make the service more convenient and customized:
| Additional data processor name | Headquarters | Data processing job description |
|
NetHotelBooking Kft. |
8200 Veszprém, Boksa tér 1. A. ép. |
Owner of the software integrated into the reservation system. This software is responsible for sending automatic e-mails with confirmations, notifications in case of reservations, offers and satisfaction measurements. |
|
Hostware Kft. |
1149 Budapest, Róna utca 120-122 |
Performing customer management tasks for the Hostware Front Office hotel system |
|
MKB Bank Nyrt. |
1056 Budapest, Váci u.38. |
Data communication between the merchant and the payment service provider's system for payment transactions, ensuring transaction traceability for merchant partners |
|
MKB Bank Nyrt. |
1056 Budapest, Váci u.38. |
Handling data communication between the merchant's system and the payment service provider's system for payment transactions, providing customer service assistance to users, confirming transactions and fraud monitoring to protect users. |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Perform server hosting tasks |
Possible consequences of not providing the data: no contract for the hotel room.
a) Rights of the data subject: the data subject (the person whose personal data is processed by our company)
b) request information about the processing of personal data concerning him or her and access to those personal data,
c) request the rectification of their personal data,
d) request their deletion,
e) request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and for no other purpose), if the conditions set out in Article 18 of the GDPR are met,
f) object to the processing of personal data,
g) exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data relating to him or her in Word or Excel format and to have those data transmitted to another controller at his or her request.
Other information about data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.
Our company has entered into a data processing contract for data processing tasks, in which Creative Management Kft. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard, we also ensure the lawful processing of personal data in the case of the data processor.
2. DATA PROCESSING IN THE CONTEXT OF A REQUEST
Our company offers the possibility to request an offer electronically. The offer is made by our automated system, subject to availability.
Purpose of data processing: advance information on hotel prices
Legal basis for processing: prior consent of the person booking the accommodation [Article 6(1)(a) GDPR] or processing necessary to take steps at the request of the data subject prior to the conclusion of the contract [Article 6(1)(b) GDPR]
Personal data processed: address; first and last name; telephone number; e-mail address; number of guests, billing name and address, number and age of children.
Duration of processing: two years after the last day of the booked stay.
Use of a data processor: our company uses the assistance of an IT service provider to operate the online reservation system as follows.
| Name of data processor | Headquarters | Data processing job description |
|
NetHotelBooking Kft. |
8200 Veszprém, Boksa tér 1. A. ép. |
Running the Request for Proposals module |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Running the website |
By accepting this information, the data subject gives his or her explicit consent for the Processor to use additional processors as follows, in order to make the service more convenient and customized:
| Name of additional data processor | Headquarters | Description of a data processing job |
|
NetHotelBooking Kft. |
8200 Veszprém, Boksa tér 1. A. ép. |
Owner of the resnweb software integrated into the reservation system. This software is responsible for sending automatic e-mails with confirmations, notifications in case of reservations, offers and satisfaction tests. |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Server hosting tasks |
Possible consequences of not providing the data: the hotel cannot make an offer.
Rights of the data subject: the data subject (the person whose personal data is processed by our company)
a) request information about the processing of personal data concerning him or her and access to such personal data,
b) request the rectification of such personal data,
c) request the erasure of such personal data,
d) request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and for no other purpose), if the conditions set out in Article 18 of the GDPR are met,
e) object to the processing of personal data,
(f) exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data relating to him or her in Word or Excel format and to have those data transmitted to another controller at his or her request.
Other information about data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.
Our company has entered into a data processing contract for data processing tasks, in which Creative Management Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard, we also ensure the lawful processing of personal data in the case of the data processor.
3. PROCESSING OF DATA RELATING TO THE PROVISION OF SERVICES
On 1 January 2021, the amendment to Act CLVI of 2016 on the State Tasks of the Development of Tourist Areas entered into force, which obliges accommodation providers to record the data of the users of accommodation services as defined by law on the storage space provided by the hosting provider designated by the Government for the purposes specified by law.
The VIZA is a multi-factor, asymmetric encryption protected IT system in which, from 1 September 2021, the personal data of all guests staying in Hungarian accommodation, as defined by law, will be stored in encrypted form. The guest data recorded in the accommodation management software by the document scanner will be encrypted in the VIZA system and will only be accessible by the competent authorities.
More information: vizainfo.hu
Purpose of processing: use of a document scanner in the accommodation to comply with the legal obligation. The data stored in the VIZA system may be searched for specific purposes and only by the police, in order to carry out their crime prevention and law enforcement tasks.
Legal basis for processing: to comply with a legal obligation under Act CLVI of 2016 on the State Tasks of the Development of Tourist Areas, which entered into force on 1 January 2021 [Article 6(1)(c) of the GDPR]
Scope of personal data processed: the accommodation provider records the following data via the accommodation management software on a storage space provided by the hosting provider designated by government decree, using the document reader, when the accommodation service user checks in:
- surname and given name;
- surname and given name at birth;
- place and date of birth;
- sex;
- nationality;
- mother's maiden name and surname;
- identification data of the identity document or travel document
- the address of the accommodation service;
- the starting and expected date and time of actual end of use of the accommodation
The devices used by Hotel Helikon and the VIZA system do not store images of scanned documents.
Duration of data processing: the hotel provider will process the data of the guests until the last day of the first year following the day on which the data are made available to it, and the VIZA system will keep the data submitted to it for a maximum of two years.
Use of a data processor: According to the law, the accommodation provider is the data controller of the personal data of the guest and the MTU is the data processor of the accommodation provider for the recording and transmission of data to the VIZA system.
| Name of data processor | Contact | Data processing job description |
| Hungarian Tourism Agency |
1027 Budapest Kacsa u. 15-23. |
Data processor designated by the Government |
| Guest Information Closed Database (VIZA) |
pms@vizainfo.hu |
It performs the functions of the storage facility introduced by the amendment |
The operator of the VIZA system is the tourism hosting provider, which is the data processor of the accommodation service provider with regard to the data entering the system.
In this capacity:
it processes the guest data exclusively on the basis of the instructions of the accommodation provider, and in relation to them it may only carry out the operations pursuant to Article 14 of Government Decree 235/2019 (X. 15.) on the implementation of the Tourism Act and the Act on the implementation of the State Tasks of the Development of Tourist Areas;
ensures that its employees performing the tasks related to its role as a tourist hosting provider are bound by confidentiality obligations with regard to guest data;
implements appropriate technical and organisational measures, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, to ensure a level of data security appropriate to the level of risk, by encrypting data to ensure that its employees do not have access to guest data;
the accommodation provider shall not use any other data processor without prior written authorisation, either ad hoc or general;
assist the accommodation provider, as far as possible, to fulfil its obligations in relation to the exercise of the rights of the data subject, by appropriate technical and organisational measures, taking into account the nature of the processing;
assist the accommodation provider, taking into account the nature of the processing and the information available to the processor, to fulfil its obligations regarding the security of processing and the handling of possible incidents;
act on the guest data and copies thereof after the termination of the data-processing relationship, as determined by the accommodation provider, unless the accommodation provider is required by law or by a legally binding act of the European Union to continue to store the guest data;
provide the accommodation provider with any information necessary to verify compliance with the obligations laid down in the data-processing relationship and to enable and facilitate any checks, including on-site inspections, carried out by the accommodation provider or by a person authorised by it;
promptly inform the accommodation provider if he/she considers that any of his/her instructions infringe the provisions on the protection of personal data.
Possible consequences of failure to provide the data: the accommodation provider (Hotel Helikon **** SUPERIOR, Keszthely) will refuse to provide the accommodation if the document is not presented.
According to the laws in force in Hungary, all citizens, regardless of age, are obliged to have an official identity document (identity card, passport or driving licence in card format), including newborn children. Under the legislation, the data must be recorded for all guests who use the service equally, so there is no reason to waive the recording of data on the basis of age or other variables such as the fee payable for the service, discounts, length of stay, family relationship with the user.
The guest using the accommodation service shall present his/her identity document to the accommodation provider for the purpose of recording the data.
Further information: vizainfo.hu
Other information about data management: our company will take all necessary technical and organisational measures to avoid a possible data protection incident (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.
4. PROCESSING OF DATA RELATED TO THE PROVISION OF SERVICES, BILLING
Our company processes the personal data of the guests of Hotel Helikon **** SUPERIOR, Keszthely in order to fulfil the contract with the guests, including the payment of fees related to the use of the hotel services.
The purpose of the data processing is the use of the services provided by Hotel Helikon **** SUPERIOR, Keszthely by the data subject, the determination of the consideration and the invoicing.
Legal basis for processing: the need to perform a contract to which the data subject is a party [Article 6(1)(b) GDPR] and to fulfil a legal obligation pursuant to the provisions of Article 69(1) and (2) of Act C of 2000 on Accounting [Article 6(1)(c) GDPR].
Scope of personal data processed: name, surname, first name, address.
Duration of processing: from the date of the provision of the personal data by the data subject until 5 years after the performance of the contract (limitation period). In the case of invoicing, the period of processing is 8 years from the date on which the personal data were provided by the data subject until the date of the preparation of the accounts, annual report or accounting statement for the financial year concerned.
Use of a data processor: our company uses the services of an accountant for invoicing as follows.
| Name of the data | Headquarters | Description of a data processing job |
|
Profitax Max Kft. |
9022 Győr, Teleki L utca 46. |
Performing accounting tasks |
Possible consequences of not providing the data: the data subject may not use the services of Hotel Helikon **** SUPERIOR, Keszthely.
Rights of the data subject: the data subject (the person whose personal data is processed by our company).
(a) request information about the processing of personal data concerning him/her and access to such personal data,
b) request the rectification of personal data concerning him/her,
c) request the erasure of such personal data,
d) request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and for no other purpose), if the conditions set out in Article 18 of the GDPR are met,
e) object to the processing of personal data,
(f) exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data relating to him or her in Word or Excel format and to have those data transmitted to another controller at his or her request.
Other information about data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.
Our company has entered into a data processing contract for data processing tasks, in which Profitax Max Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard we also ensure the lawful processing of personal data in the case of the data processor.
5. DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTIONS
Our company keeps in touch with its guests by means of a newsletter, to whom it offers its services and informs them about news and promotions related to its operations.
The purpose of data processing is to maintain contact with potential hotel guests, to maintain and develop business relations with partners and hotel guests.
Legal basis for processing: consent of the data subject [Article 6(1)(a) GDPR].
Scope of personal data processed: name and surname, e-mail address
Duration of processing: until unsubscription from the newsletter.
Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.
| Name of the data | Headquarters | Description of a data processing job |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Storing a newsletter database |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Running the website |
By accepting this information, the data subject gives his or her explicit consent for the Processor to use additional processors as follows, in order to make the service more convenient and customized:
| Name of additional data processor | Headquarters | Description of a data processing job |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Operation of a newsletter system |
Possible consequences of not providing the data: the data subject will not receive newsletters from our company.
Data subject's rights: the data subject (the person whose personal data is processed by our company).
(a) request information about the processing of personal data concerning him/her and access to such personal data,
b) request the rectification of personal data concerning him/her,
c) request the erasure of such personal data,
d) request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and for no other purpose), if the conditions set out in Article 18 of the GDPR are met,
e) object to the processing of personal data,
(f) exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data relating to him or her in Word or Excel format and to have those data transmitted to another controller at his or her request.
You can unsubscribe from the newsletter at any time by sending an e-mail to info@hoteletopark.hu or by clicking on the unsubscribe icon in the newsletter. In this case, we will immediately delete your personal data related to the newsletter subscription from our database.
Other information about data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data involved, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.
Our company has concluded a data processing contract for the data processing tasks, in which Creative Management Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and to this end, we also ensure the lawful processing of personal data in the case of the data processor.
6. PERSONAL DATA PROCESSING RELATED TO SATISFACTION MEASUREMENT
Our aim is to provide our guests of Hotel Helikon **** SUPERIOR, Keszthely with high quality services, therefore we constantly ask for feedback from our guests about their experiences during their stay in our hotel.
The purpose of data management is to request feedback from our guests in order to further develop and improve our services.
Legal basis for processing: legitimate interest of the controller [Article 6(1)(f) GDPR], consent of the data subject [Article 6(1)(a) GDPR].
Indication of legitimate interest: our company has a legitimate interest in obtaining information to improve our services based on feedback.
Scope of personal data processed: name and surname, gender, e-mail address, arrival and departure date.
Duration of processing: two years after the last day of the booked stay.
Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.
| Name of the data | Headquarters | Description of a data processing job |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Operating the satisfaction module |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Operating the website |
By accepting this information, the data subject gives his or her explicit consent for the Processor to use additional processors as follows, in order to make the service more convenient and customized:
| Name of additional data processor | Headquarters | Description of a data processing job |
|
NetHotelBooking Kft. |
8200 Veszprém, Boksa tér 1. A. ép. |
Owner of the resnweb software integrated into the reservation system. This software is responsible for sending automatic e-mails with confirmations, notifications in case of reservations, offers and satisfaction measurements |
Possible consequences of not providing the data: the data subject does not receive a satisfaction questionnaire from our company.
Data subject's rights: the data subject (the person whose personal data is processed by our company)
g) request information about the processing of personal data concerning him/her and access to these personal data,
h) request rectification of the personal data concerning him/her,
(i) request the erasure thereof,
j) request, where the conditions of Article 18 of the GDPR are met, the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until a court or public authority requests it, but for a maximum period of thirty days, and that the data are not processed for any other purpose beyond that period),
k) object to the processing of personal data,
(l) exercise his or her right to data portability. Pursuant to the latter right, the data subject has the right to receive personal data concerning him or her in Word or Excel format and the right to have those data transmitted to another controller at his or her request.
Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data involved, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.
Our company has entered into a data processing contract for data processing tasks, in which NetHotelBooking Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and to this end, we also ensure the lawful processing of personal data in the case of the data processor.
7. COOKIE MANAGEMENT
The Data Controller places a small data package, a cookie, on the user's computer and reads it back during a subsequent visit in order to provide a personalised service. When the browser returns a previously saved cookie, the cookie management service provider has the possibility to link the user's current visit to previous visits, but only in relation to its own content.
The purposes of the processing are: to identify, track and distinguish users, to identify users' current session, to store the data provided during that session, to prevent data loss, to measure web analytics, to provide personalised service.
Legal basis for processing: consent of the data subject [Article 6(1)(a) GDPR].
Scope of the data processed: date, time and the page previously visited.
Duration of processing: maximum 30 days from the date of the visit to the website
Use of a data processor: our company uses the services of an IT service provider for the online accommodation system as follows.
| Name of the data | Headquarters | Description of a data processing job |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Recording visitor data |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Operation of the website |
Further information on data management: the user can delete the cookie from his/her computer or disable the use of cookies in his/her browser.
For more information on how to set your cookie preferences within your browser, please see the following policy:
- Internet Explorer.
- Firefox
- Chrome
- Safari
Possible consequences of non-delivery of data: inability to use the service for the services described in II.1-5 above.
8. SERVER LOGGING OF THE WEBSITE
When you visit www.hotelhelikon.hu, the web server automatically logs your activity.
Purpose of data management: during the visit of the website, the service provider records the visitor's data in order to monitor the operation of the services and to prevent abuse.
Legal basis for processing: legitimate interest of the controller [Article 6(1)(f) GDPR].
Indication of legitimate interest: our company has a legitimate interest in the secure operation of the website.
Type of personal data processed: IP address, ID number, date, time, address of the page visited.
Duration of processing: maximum 90 days from the date of the visit to the website.
Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.
| Name of the data | Headquarters | Description of a data processing job |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Recording visitor data and information necessary for the operation of the server |
|
Creative Management Kft. |
8200 Veszprém, Ádám Iván u. 2. |
Operating the website |
Additional information: our company does not link the data obtained from the analysis of log files to other information and does not seek to identify the user. The address of the pages visited, as well as the date and time of the visit, are not in themselves suitable for identifying the data subject, but when combined with other data (e.g. data provided during registration) they can be used to draw conclusions about the user.
Logging-related data management by external service providers:
The html code of the portal contains links from and to an external server that is independent of our company. The server of the external provider is directly connected to the user's computer. Please be aware that the providers of these links may collect user data (e.g. IP address, browser, operating system data, mouse cursor movement, visited page title and time of visit) due to the direct connection to their server, direct communication with the user's browser. An IP address is a sequence of numbers that uniquely identifies the computers or mobile devices of users accessing the Internet.
IP addresses can even be used to geographically locate a visitor using a particular computer. The address of the pages visited, as well as the date and time of the visit, are not in themselves suitable for identifying the data subject, but when combined with other data (e.g. data provided during registration) they can be used to draw conclusions about the user.
9. OTHER DATA PROCESSING
Information about data processing not listed in this notice is provided at the time of collection. We inform our customers that certain authorities, public bodies and courts may contact our company for the purpose of disclosing personal data. Our company will disclose personal data to these bodies only to the extent and to the extent strictly necessary for the purpose of the request and to the extent that the execution of the request is required by law, provided that the body concerned has indicated the exact purpose and scope of the data.
III. THE WAY OF STORING THE PERSONAL DATA, THE SECURITY Of THE DATA MANAGEMENT
Our computer systems and other data storage locations are located at our headquarters and on servers leased by the data processor. Our company selects and operates the IT tools used to process personal data in the course of providing the service in such a way that the data processed:
a) accessible to authorised persons (availability);
b) its authenticity and authenticity are assured (authenticity of processing);
c) its integrity can be verified (data integrity);
d) protected against unauthorised access (data confidentiality).
We take particular care to ensure data security, and we take the technical and organisational measures and establish the procedural rules necessary to enforce the guarantees under the GDPR. In particular, we take appropriate measures to protect the data against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or accidental damage, and against inaccessibility resulting from changes in the technology used.
Our company and our partners' IT systems and networks are protected against computer fraud, computer viruses, computer intrusions and denial of service attacks. The operator ensures security through both server-level and application-level protection procedures. Daily data backup is provided. In order to avoid data breaches, our company takes all possible measures, and in the event of such an incident, we take immediate action to minimise the risks and repair the damage, in accordance with our internal policy.
IV. DATA SUBJECTS' RIGHTS, REMEDIES
The data subject may request information about the processing of his or her personal data and may request the rectification, erasure or withdrawal of his or her personal data, except for mandatory data processing, and may exercise his or her right to data portability and objection in the manner indicated when the data were collected or by contacting the controller at the above contact details.
At the data subject's request, we will provide the information in electronic form without delay, but no later than 30 days, in accordance with our applicable policies. We will comply with data subjects' requests to exercise the rights set out below free of charge.
Right to information:
We will take appropriate measures to provide data subjects with all the information on the processing of personal data referred to in Articles 13 and 14 of the GDPR and each of the disclosures referred to in Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, but also in a precise manner.
The right to information may be exercised in writing, using the contact details provided in point 1. The data subject may also be provided with information orally at his or her request, after verification of his or her identity. We inform our customers that, if our employees have doubts about the identity of the data subject, we may request the information necessary to confirm the identity of the data subject.
The right of access of the data subject:
The data subject has the right to receive feedback from the controller on whether his or her personal data are being processed. Where personal data are being processed, the data subject has the right to access the personal data and the following information listed below.
• Purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries (outside the European Union) or international organisations;
• the intended duration of the storage of the personal data;
• the right to rectification, erasure or restriction of processing and the right to object;
• the right to lodge a complaint with a supervisory authority;
• information on the data sources; the fact of automated decision-making, including profiling, and the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
In addition to the above, where personal data are transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer.
Right of rectification:
Under this right, any person may request the rectification of inaccurate personal data relating to him or her processed by our company and the completion of incomplete data.
Right to erasure:
If one of the following grounds applies, the data subject has the right to have personal data relating to him or her erased without undue delay at his or her request:
a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) unlawful processing of personal data can be established;
e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
f) the personal data have been collected in connection with the provision of information society services.
The erasure of data cannot be initiated if the processing is necessary for the following purposes:
a) for the exercise of the right to freedom of expression and information;
b) to comply with an obligation under Union or Member State law to which the controller is subject to which requires the processing of personal data or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for archiving, scientific and historical research purposes or for statistical purposes in the public interest in the field of public health;
d) or for the establishment, exercise or defence of legal claims.
Right to restriction of processing:
We restrict processing at the request of the data subject in the circumstances set out in Article 18 of the GDPR, i.e. if:
a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the accuracy of the personal data to be verified;
b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use
c) the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.
Where processing is restricted, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the European Union or of a Member State. The data subject shall be informed in advance of the lifting of the restriction on processing.
Right to data retention:
The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and to transmit such data to another controller. Our company can fulfil such a request in word or excel format.
Right to object:
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for those purposes.
Automated decision-making on individual cases, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply where the processing
a) necessary for the conclusion or performance of a contract between the data subject and the controller;
b) is permitted by Union or Member State law applicable to the controller and which is necessary to protect the rights and freedoms and legitimate interests of the data subject
c) establish appropriate measures for its protection;
d) is based on the explicit consent of the data subject.
Right of withdrawal:
The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
Rules of Procedure:
Without undue delay and in any event within one month of receipt of the request, the controller shall inform the data subject of the action taken on the request pursuant to Articles 15 to 22 of the GDPR. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The controller shall inform the data subject of the extension, stating the reasons for the delay, within one month of receipt of the request.
If the data subject has made the request by electronic means, the information will be provided by electronic means unless the data subject requests otherwise.
If the controller does not act on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the right to lodge a complaint with the supervisory authority and to seek judicial remedy.
The controller shall inform any recipient to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients.
Compensation and damages:
Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the Data Protection Regulation shall be entitled to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for damage caused by processing only if it has failed to comply with the obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the controller. Where more than one controller or more than one processor, or both controller and processor, are involved in the same processing and are liable for the damage caused by the processing, each controller or processor shall be jointly and severally liable for the total damage.
The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
Right to apply to the courts and data protection authority procedure
If the data subject considers that the Data Controller has infringed his or her right to the protection of personal data in the course of processing, he or she may, in accordance with the applicable legislation, seek remedies from the competent bodies as follows:
- can lodge a complaint with the National Authority for Data Protection and Freedom of Information
address: 1055 Budapest, Falk Miksa utca 9-11
website: www.naih.hu;
e-mail address: ugyfelszolgalat@naih.hu;
telephone: +36-1-391-1400
(hereinafter referred to as "NAIH")
- can apply to the competent court.
The court will decide the case by default.
The data controller undertakes to cooperate fully with the court or the NAIH concerned in these proceedings, and to provide the NAIH or the court concerned with the data processing data.
V. MIXED PROVISIONS
The Data Controller undertakes to ensure that all data processing in relation to its activities complies with the requirements set out in this Notice, its internal rules, which have the same requirements as this Notice, and the applicable legislation.
The Data Controller reserves the right to modify this information at any time, informing the data subjects of any changes by means of a notice published on the Hotel Helikon **** SUPERIOR, Keszthely website (hotelhelikon.hu) after the changes have been made.
Please email us if you have any questions about the information in this leaflet.
Done: 2021.11.01.
Updated: 2022.01.25.
