Weather: A few clouds, 18 °C / 64 °F
Local time: 01:18 am

Ozone - Hungary, 1066. Budapest, Ó utca 3.
East Station - Hungary, 1076. Budapest, Thököly út 6.

+36 30 477 5175

* Best Price Guarantee
+
BOOK NOWCLOSE

Privacy Policy

O3 Hostel Service Kft., hereinafter referred to as “the Company”, fulfills its prior obligation to provide information regarding the processing of personal data of the data subjects as provided by the REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (EU) 2016/679 All information provided under this Regulation shall be made available to data subjects in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner

 

I. NAME OF THE DATA MANAGER

The Company informs the data subject that it is considered as a data controller in the management of its personal data.

COMPANY NAME: O3 Hostel Service Kft.
OFFICE: 2310 Szigetszentmiklós, Sellő utca 12..
COMPANY NUMBER: 13-09-190601
TAX NUMBER: 26202824-2-13
PHONE: +36 30 569 29 49
NAME OF REPRESENTATIVE: Szőke Györgyné
E-MAIL: info@ozonebudapest.com

Personal data may be accessed by employees of the Company having access rights related to the relevant data management purpose, or persons or organizations performing data processing activities under the Service Contracts to the extent and to the extent required by the Company to carry out their activities

 

II. NAME OF THE DATA PROCESSORS

COMPANY NAME: Airbnb Payments OK Ltd.
OFFICE: Suite 1, 3rd Floor 11-12 St. James’s Square, London, SW1J 4LB United Kingdom
POSTAL ADDRESS: Suite 1, 3rd Floor 11-12 St. James’s Square, London, SW1J 4LB United Kingdom
NAME OF THE REPRESENTATIVE: Sharda Mehta, Hadi Moussa
E-MAIL: terms@airbnb.com
PURPOSE OF DATA PROCESSING: Hotel reservation, financial and accounting services

COMPANY NAME: Booking.com B.V.
OFFICE: Herengracht 597, 1017 CE, Amszterdam, Hollandia
POSTAL ADDRESS: Herengracht 597, 1017 CE, Amszterdam, Hollandia
NAME OF THE REPRESENTATIVE: Glenn Fogel
E-MAIL: www.booking.com
PURPOSE OF DATA PROCESSING: Hotel reservation, financial and accounting services

COMPANY NAME: You and thePass Kft.
OFFICE: 1075 Budapest, Madách Imre út 13-14. A épület
POSTAL ADDRESS: 1075 Budapest, Madách Imre út 13-14. A épület
NAME OF THE REPRESENTATIVE: Herman Szabolcs
E-MAIL: www.sabeeapp.com
PURPOSE OF DATA PROCESSING: Hotel reservation, financial and accounting services

COMPANY NAME: KBOSS Kft.
OFFICE: 1031 Budapest, Záhony u. 7/C.
POSTAL ADDRESS: 1031 Budapest, Záhony u. 7/C.
NAME OF THE REPRESENTATIVE: Stygár-Joó János
E-MAIL: info@szamlazz.hu
PURPOSE OF DATA PROCESSING: Financial and accounting services

COMPANY NAME: PCP Informatikai Kft.
Seat: 2315 Szigethalom, Thököly Imre u. 40.
COMPANY NUMBER: 13-09-145353
TAX NUMBER: 23194182-2-13
PHONE: +36 70 410 5964
NAME OF THE REPRESENTATIVE: Pongrácz János
E-MAIL: info@pcpinformatika.hu
PURPOSE OF DATA PROCESSING: domain name service, hosting service. The Company will use an external data processor entrusted with the personal data processed on the basis of its voluntary consent to operate and maintain its website. IT system maintenance, marketing services

COMPANY NAME: Néveryné Bézi Judit Ev.
OFFICE: 2315 Szigethalom, Szabadkai u. 110.
POSTAL ADDRESS: 2315 Szigethalom, Szabadkai u. 110th
TAX NUMBER: 60453583-1-33
PHONE: +36 70 610 14 52
E-MAIL: bezi.judit@gmail.com
PURPOSE OF DATA PROCESSING: Accounting service

COMPANY NAME: Mintafirka Bt.
OFFICE: 2310 Szigetszentmiklós, Sellő u. 12.
POSTAL ADDRESS: 2310 Szigetszentmiklós, Sellő u. 12.
PHONE: +36 24 44 99 80
NAME OF THE REPRESENTATIVE: Szőke Györgyné
PURPOSE OF DATA PROCESSING: Financial and accounting services

COMPANY NAME: T&Sz Bt.
OFFICE: 2310 Szigetszentmiklós, Sellő u. 12.
POSTAL ADDRESS: 2310 Szigetszentmiklós, Sellő u. 12.
PHONE: +36 24 44 99 80
NAME OF THE REPRESENTATIVE: Szőke Györgyné
PURPOSE OF DATA PROCESSING: Financial and accounting services

COMPANY NAME: Orosz Mónika Ev.
OFFICE: 1116 Budapest, Vajda u. 14.
POSTAL ADDRESS: 1116 Budapest, Vajda u. 14.
NAME OF THE REPRESENTATIVE: Orosz Mónika
PURPOSE OF DATA PROCESSING: Financial and accounting services

COMPANY NAME: Kashirina Dina Ev.
OFFICE: 1138 Budapest, Viza utca 7/B 8/6.
POSTAL ADDRESS: 1138 Budapest, Viza utca 7/B 8/6.
NAME OF THE REPRESENTATIVE: Kashirina Dina
PURPOSE OF DATA PROCESSING: Financial and accounting services

COMPANY NAME: Vagrin Viktor Ev.
OFFICE: 1112 Budapest, Kérő u. 2. VII. 44.
POSTAL ADDRESS: 1112 Budapest, Kérő u. 2. VII. 44.
NAME OF THE REPRESENTATIVE: Vagrin Viktor
PURPOSE OF DATA PROCESSING: Financial and accounting services

COMPANY NAME: Szőke György Ev.
OFFICE: 1112 Budapest, Kérő u. 2. VII. 44.
POSTAL ADDRESS: 1112 Budapest, Kérő u. 2. VII. 44.
NAME OF THE REPRESENTATIVE: Szőke György
PURPOSE OF DATA PROCESSING: Financial and accounting services

 

III. DEFINITIONS

1. “personal data” means any information relating to an identified or identifiable natural person (“data subject”); identifiable by a natural person who, directly or indirectly, in particular by reference to one or more factors such as name, number, position, online identification or to one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of the natural person identified;

2. “processing” means any operation or combination of operations carried out on an automated or non-automated basis in relation to the collection of personal data or files, such as collection, recording, filing, filing, storage, conversion or alteration, retrieval, access, use, communication, otherwise made available, coordinated or linked, restricted, deleted or destroyed;

3. “restriction of data management” means the marking of stored personal data with the aim of limiting their processing in future;

4. “profiling” shall mean any form of automated processing of personal data for the purpose of assessing personal data relating to an individual, in particular with regard to work performance, the financial situation, the state of health, personal preference, interest, reliability, behavior, location or used to analyze or predict movement-related characteristics;

5. “pseudonymisation” means the processing of personal data in such a way that it is no longer possible to ascertain, without further information, which specific individual is the individual, provided that such additional information is stored separately and technical and organizational measures are taken; by ensuring that such personal data cannot be linked to identified or identifiable natural persons;

6. “filing system” means a collection of personal data, in whatever form, centralized, decentralized or functional or geographical, accessible according to specified criteria;

7. “controller” shall mean the natural or legal person, public authority, agency or any other body which determines the purposes and means of the processing of personal data, alone or jointly with others; where the purposes and means of data processing are determined by Union or Member State law, the controller or the specific criteria for designating the controller may be defined by Union or Member State law;

8. “processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

9. “recipient” means the natural or legal person, public authority, agency or any other body to whom personal data are disclosed, whether a third party or not. Public authorities which have access to personal data in the framework of a specific inquiry in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

10. “third party” means any natural or legal person, public authority, agency or any other body which is not the data subject, the controller, the processor or any person who, under the direct control of the controller or the processor, authorized to manage it;

11. “consent of the data subject” means the voluntary, explicit and unambiguous expression of the will of the data subject, by which the data subject indicates his or her consent to the processing of personal data concerning him or her by means of a statement or act of unambiguous confirmation;

12. “data protection incident” means any breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

13. “undertaking” means any natural or legal person, whatever its legal form, including an association of undertakings and associations carrying on a regular economic activity.

 

IV. LEGAL BASIS OF DATA MANAGEMENT

1. Contribution of the data subject

(1) The lawfulness of the processing of personal data must be based on the consent of the data subject or have some other legitimate basis laid down by law.

(2) In the case of processing on the basis of the data subject’s consent, the data subject may give his consent to the processing of his personal data as follows:

(a) in writing, in the form of a statement giving consent to the processing of personal data,

(b) electronically, by expressly conducting a check on the Company’s website, by ticking the box or by making technical settings in connection with the use of information society services, and by any other statement or act which, in that context, the intended handling clearly indicates.

(3) Therefore, silence, pre-ticked box or omission do not constitute consent.

(4) The consent shall cover all data-processing activities for the same purpose or purposes.

(5) Where data processing serves several purposes at the same time, consent shall be given for all data processing purposes. If the consent of the data subject is given after the electronic request, the request shall be clear and concise and shall not unnecessarily impede access to the service for which the consent is requested.

(6) The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of the consent shall not affect the legality of the consent based data management prior to the withdrawal. The data subject must be informed before consent is given. Withdrawal of consent should be possible in the same simple manner as the withdrawal of consent.

2. Performance of the contract

(1) Data processing shall be considered lawful if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to the conclusion of the contract.

(2) Contributions to the processing of personal data not necessary for the performance of the contract shall not be a condition for the conclusion of the contract.

3. Compliance with a legal obligation to which the controller is subject or protection of the vital interests of the data subject or other natural person

(1) The legal basis for the processing of a data subject to the fulfillment of a legal obligation shall be determined by law, so the consent of the data subject to the processing of personal data is not required.

(2) The data controller shall inform the data subject of the purpose, legal basis and duration of the data processing about the person of the data controller, as well as of his or her rights and of the possibilities of legal remedy.

(3) The controller shall have the right to manage the data required to fulfill a legal obligation to which the data subject is subject, following the withdrawal of the data subject’s consent.

4. Execution of tasks in the public interest or in the exercise of public authority vested in the controller, or in the legitimate interests of the controller or of a third party.

(1) The legitimate interests of the controller, including the controller with whom the personal data may be communicated, or of a third party, may constitute a legal basis for the processing, provided that the interests, fundamental rights and freedoms of the data subject are not overridden the reasonable expectations of the data subject. Such a legitimate interest may be, for example, where there is a relevant and appropriate link between the data subject and the controller, for example where the data subject is a client of the controller or is employed by him.

(2) In order to determine whether a legitimate interest exists, due consideration shall be given, inter alia, to whether the data subject can reasonably expect, at the time of the collection of the personal data and in the context, that the data will be processed for that purpose.

(3) The interests and fundamental rights of the data subject may prevail over the interests of the controller where the processing of personal data takes place in circumstances in which the data subjects do not expect any further processing.

 

V. RIGHTS RELATED TO THE PROCESSING OF DATA OF THE PERSON CONCERNED

1. The Company shall briefly provide the following information regarding the rights of the person concerned:

The data subject shall have the right:

(a) for information before data processing commences,

(b) receive feedback from the controller that his or her personal data is being processed and, if so, have the right to receive personal data and the following information,

(c) request rectification, erasure of your data, notification to the controller of the occurrence thereof,

(d) request a restriction on the processing of data, and receive a notification from the controller on the occurrence thereof,

(e) data portability,

(f) object to the processing of personal data in the public interest or to the legitimate interest of the controller.

(g) be exempt from automatic decision making, including profiling,

(h) complaining to the supervisory authority. The complainant may exercise the right to complain at the following contact details: National Data Protection and Freedom of Information Authority, Address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c., Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410 ., www: http://www.naih.hu e-mail: ugyfelszolgalat@naih.hu

(i) effective judicial redress against the supervisory authority,

(j) Effective judicial redress against the controller or the processor

(k) For reporting a privacy incident.

 

2. Detailed information on the rights of data subjects

Right to information

(1) The data subject shall have the right to obtain information on the processing of data prior to the commencement of data processing activities.

(2) Information to be made available when personal data are collected from the data subject:

a. the identity and contact details of the controller and, if any, of the controller;

b. contact details of the data protection officer, if any;

c. the purpose of the intended processing of personal data and the legal basis for the processing;

d. in the case of processing based on Article 6 (1) (f) of the Regulation, the legitimate interests of the controller or of a third party;

e. where appropriate, the recipients or categories of recipients of the personal data

f. where appropriate, the fact that the controller intends to transfer personal data to a third country or an international organization and the existence or absence of a Commission decision on adequacy, or in Article 46, Article 47 or Article 49 of Regulation (1) in the case of the data referred to in the second subparagraph of paragraph 1, an indication of the appropriate and appropriate guarantees and a reference to the ways in which copies may be obtained or available.

(3) In addition to the information referred to in paragraph (1), in order to ensure fair and transparent processing of personal data, the controller shall provide the data subject with the following additional information:

a. the period for which the personal data will be stored or, where this is not possible, the criteria for determining this period;

b. the right of the data subject to request from the controller access, rectification, erasure or restriction on the processing of personal data concerning him or her, and the right of the data subject to data portability;

c. the right to withdraw the consent at any time in the case of processing based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, without prejudice to the lawfulness of the processing carried out on the basis of the consent;

d. the right to lodge a complaint to the supervisory authority;

e. whether the provision of personal data is based on a legal or contractual obligation or a precondition for entering into a contract and whether the data subject is required to provide personal data and the potential consequences of failure to provide such data;

f. the fact that the automated decision-making process referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in these cases, information on the logic used and the significance and expected impact of such processing has consequences.

(4) Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

a. the identity and contact details of the controller and, if any, of the controller;

b. contact details of the data protection officer, if any;

c. the purpose of the intended processing of personal data and the legal basis for the processing;

d. the categories of personal data concerned;

e. the recipients or categories of recipients of the personal data, if any;

f. where appropriate, the fact that the controller intends to transfer personal data to a third country recipient or an international organization and the existence or absence of a Commission decision on adequacy, or in Article 46, Article 47 or Article 49 of the Regulation ( In the case of the data referred to in the second subparagraph of paragraph (1), an indication of the appropriate and appropriate guarantees and a reference to the ways in which they may be obtained or available.

(5) Where the controller intends to further process personal data for purposes other than the purpose for which they were obtained, the controller shall inform the data subject before such further processing and of any relevant additional information referred to in paragraph (2).
(6) Paragraphs (1) to (3) shall not apply if and to the extent that:

a. the data subject already has the information;

b. the provision of such information proves impossible or would involve a disproportionate effort, in particular for archiving in the public interest, for scientific and historical research or for statistical purposes, subject to the conditions and guarantees provided for in Article 89 (1) or the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously undermine the objectives of this processing. In such cases, the controller must take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including by making the information publicly available;

c. the acquisition or communication of the data is expressly provided for in Union or national law applicable to the controller, which lays down appropriate measures to safeguard the data subject’s legitimate interests; obsession

d. personal data must remain confidential on the basis of the obligation of professional secrecy imposed by Union or Member State law, including the obligation of legal confidentiality.

Right of access of the data subject

(1) The data subject shall have the right to obtain from the controller feedback on the processing of his or her personal data and, if such processing is in progress, to have access to the personal data and to the following information:

a. the purposes of data management;

b. the categories of personal data concerned;

c. the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular third-country recipients or international organizations;

d. where appropriate, the intended period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;

e. the right of the data subject to request the controller to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;

f. the right to lodge a complaint with a supervisory authority;

g. if data are not collected from the data subject, all available information on their source;

h. the fact that the automated decision-making process referred to in Article 22 (1) and (4) of the Regulation, including profiling, and, at least in these cases, clear information on the logic used and the importance of such data management and with expected consequences.

(2) Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate guarantees in accordance with Article 46.

(3) The controller shall provide the data subject with a copy of the personal data subject to the processing. For the additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request by electronic means, the information shall be provided in a widely used electronic format, unless otherwise requested by the data subject.

 

Right of the data subject to rectification and erasure

Right to rectification

(1) The data subject shall have the right to obtain from the controller the rectification of any inaccurate personal data concerning him or her at his or her request without undue delay. Having regard to the purpose of the processing, the data subject shall have the right to request that personal data which are incomplete be corrected, including by means of a supplementary declaration.

Right to erasure (“the right to forget”)

(1) At the request of the data subject, the data subject shall have the right to delete personal data relating to him without undue delay, and the data controller shall have the right to delete personal data relating to him without undue delay if any of the following grounds applies:

a. personal data are no longer needed for the purpose for which they were collected or otherwise processed;

b. the data subject has withdrawn his or her consent to the processing under Article 6 (1) (a) of the Regulation (consent to the processing of personal data) or Article 9 (2) (a) of the Regulation (giving consent); other legal basis;

c. the data subject objects to the processing pursuant to Article 21 (1) of the Regulation (right of objection) and there is no overriding legitimate reason for the processing, or the data subject under Article 21 (2) of the Regulation (personal data processing for business purposes) protest) protests against data management;

d. unlawful processing of personal data;

e. personal data must be deleted in order to comply with a legal obligation under Union or national law applicable to the controller;

f. personal data have been collected in connection with the provision of information society services referred to in Article 8 (1).

(2) Where the controller has disclosed personal data and is required to delete it at the request of the data subject, it shall take reasonable steps, including technical measures, to inform the controllers, having regard to the technology available and the costs of its implementation, that the person concerned requested them to delete the links to or copy or duplicate that personal data in question.

(3) Paragraphs (1) and (2) shall not apply where the processing is necessary for:
the. for the exercise of the right to freedom of expression and information;

a. to fulfill an obligation under Union or Member State law applicable to the controller for the processing of personal data or to carry out a task in the public interest or in the exercise of official authority vested in the controller;

b. pursuant to Article 9 (2) (h) and (i) of the Regulation and Article 9 (3) of the Regulation on grounds of public interest in the field of public health;

c. in accordance with Article 89 (1) of the Regulation, for archiving in the public interest, for scientific and historical research purposes or for statistical purposes, where the right referred to in paragraph 1 is likely to render impossible or seriously jeopardize such processing; obsession

d. for the filing, enforcement or defense of legal claims.

Right to restrict data management

(1) At the request of the data subject, the data subject shall have the right to restrict data processing where any of the following applies:

a. the data subject disputes the accuracy of the personal data, in which case the limitation relates to the period during which the controller can verify the accuracy of the personal data;

b. the processing is unlawful and the data subject opposes the deletion of the data and calls instead for a restriction on their use;

c. the controller no longer needs personal data for the purpose of processing, but the data subject requires them to make, assert or defend a legal claim; obsession

d. the data subject has objected to the processing in accordance with Article 21 (1) of the Regulation; in this case, the restriction shall apply for a period until it is ascertained whether the data controller’s legitimate reasons take precedence over the legitimate interests of the data subject.

(2) Where personal data processing is subject to a restriction under paragraph (1), such personal data shall, with the exception of the storage, only with the consent of the data subject, or for the purpose of claiming, asserting or defending legal claims, or and is of overriding public interest in a Member State.

(3) The controller shall inform the data subject at whose request the processing was restricted pursuant to paragraph 1 in advance of the lifting of the restriction.

Notification obligation to correct or delete personal data or to restrict data management

(1) The controller shall inform any recipient to whom or which personal data have been communicated of a rectification, erasure or restriction, unless this proves impossible or involves a disproportionate effort.

(2) At the request of the data subject, the controller shall inform those addressees.

The right to data portability

(1) The data subject shall have the right to receive personal data concerning him which have been made available to him by a controller in a well-structured, widely used machine-readable format, and to transmit such data to another controller without being hindered by the controller to whom the personal data have been made available if:

a. data processing pursuant to Article 6 (1) (a) of the Regulation (data subject’s consent to the processing of personal data) or Article 9 (2) (a) of the Regulation (data subject’s explicit consent to data processing), or Is based on a contract within the meaning of paragraph 1 (b); and

b. data management is automated.

(2) In exercising his right to data portability under paragraph (1), the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between data controllers.
(3) The exercise of the right referred to in paragraph (1) of this Article shall be without prejudice to Article 17 of the Regulation. That law shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

(4) The right referred to in paragraph (1) shall be without prejudice to the rights and freedoms of others.

Right to protest

(1) The data subject shall have the right to object at any time to the processing of his or her personal data in the exercise of a public interest or public authority or to the processing of data subject to the legitimate interests of the controller or third party (e) or (f), including profiling based on those provisions. In such a case, the controller may not further process personal data unless the controller demonstrates that the processing is justified by compelling legitimate reasons, which take precedence over the interests, rights and freedoms of the data subject, or which are necessary to assert, assert or defend legal claims. related.

(2) Where personal data are processed for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for this purpose, including profiling, in so far as it relates to direct marketing.

(3) Where the data subject objects to the processing of personal data for the purpose of direct marketing, the personal data may no longer be processed for this purpose.

(4) The law referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject at the time of first contact and shall be clearly and separately identified from any other information.

(5) In relation to the use of information society services and by way of derogation from Directive 2002/58 / EC, the data subject may also exercise his right of objection by automated means based on technical specifications.

(6) Where personal data are processed for scientific and historical research or statistical purposes in accordance with Article 89 (1) of the Regulation, the data subject shall have the right to object to the processing of personal data concerning him or her for reasons relating to his or her situation, except , if the processing is necessary for the performance of a task carried out in the public interest.

Right to be exempted from automated decision-making

(1) The data subject shall have the right not to be subject to a decision based solely on automated data processing, including profiling, which would have legal effects or be substantially affected by him.

(2) Paragraph 1 shall not apply where the decision:

a. necessary for the conclusion or performance of a contract between the data subject and the controller;

b. it is made possible by Union or national law applicable to the controller, which shall also lay down appropriate measures to protect the rights and freedoms and the legitimate interests of the data subject; obsession

c. is based on the explicit consent of the data subject.

(3) In the cases referred to in points (a) and (c) of paragraph 2, the controller shall take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including at least the right of the data subject to request human intervention. and object to the decision.
(4) The decisions referred to in paragraph 2 may not be based on the special categories of personal data referred to in Article 9 (1) of the Regulation, except where Article 9 (2) (a) or (g) applies and the person concerned appropriate measures have been taken to protect the rights, freedoms and legitimate interests of the Member States.

Right of the data subject to submit complaints and redress

Right to complain to the supervisory authority

(1) The data subject shall have the right to complain to the supervisory authority pursuant to Article 77 of the Regulation, if the data subject considers that the processing of personal data concerning him or her is in breach of this Regulation.

(2) The data subject shall have the right to lodge a complaint through the following contact details:
National Data Protection and Freedom of Information Authority Address: 1125 Budapest, Szilágyi Erzsébet fasor 22 / c Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410 www: http://www.naih.hu e-mail: ugyfelszolgalat@naih.hu

(3) The supervisory authority to which the complaint is lodged shall inform the client of the procedural developments and the outcome of the complaint, including that the client is entitled to a judicial remedy pursuant to Article 78 of the Regulation.

Right to an effective judicial remedy before a supervisory authority

(1) Without prejudice to any other administrative or judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a decision of the supervisory authority which is legally binding on it.

(2) Without prejudice to other administrative or non-judicial remedies, any data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or informs the person concerned of the complaint lodged pursuant to Article 77 of the Regulation. procedural developments or their outcome.

(3) Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

(4) Where proceedings are brought against a decision of a supervisory authority which has previously been the subject of an opinion or a decision of the Board under the consistency mechanism, the supervisory authority shall be required to forward that opinion or decision to the court.

The right to an effective judicial remedy against the controller or the processor

(1) Without prejudice to any administrative or non-judicial remedy available to the supervisory authority, including the right of appeal to the supervisory authority under Article 77, any person concerned shall be entitled to an effective judicial remedy where he considers that his personal data have been their rights under this Regulation have been infringed.

(2) Proceedings against the controller or the processor shall be brought before the courts of the Member State where the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or the processor is a public authority of a Member State.

Limitations

(1) Union or national law applicable to the controller or the processor may limit the application of Articles 12 to 22 by legislative measures. Articles 34 and 12 to Articles 22 to 22; the rights and obligations set out in Article 5, provided that the restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society for the protection of:

a. national security;

b. defense;

c. public safety;

d. the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the protection and prevention of threats to public security;

e. other important general interest objectives of the Union or of a Member State, in particular important economic or financial interests of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

f. protection of judicial independence and legal proceedings;

g. prevent, investigate, detect and conduct ethics violations for regulated professions;

h. in the cases referred to in points (a) to (e) and (g), the control, inspection or regulatory activity connected, even occasionally, with the exercise of official authority;

i. the protection of the data subject or of the rights and freedoms of others;

j. enforcement of civil claims.

(2) The legislative measures referred to in paragraph 1 shall contain, where appropriate, detailed provisions at least on:

a. for purposes of data management or categories of data management,

b. categories of personal data,

c. the scope of the restrictions introduced,

d. guarantees to prevent misuse or unauthorized access or transfer,

e. to determine the controller or the categories of controllers,

f. the duration of the data storage and any applicable guarantees, taking into account the nature, scope and purposes of the data processing or categories of data processing,

g. risks to the rights and freedoms of those concerned, and

h.the right of the data subjects to be informed of the restriction, unless this would adversely affect the purpose of the restriction.

Reporting a privacy incident

(1) Where a data protection incident is likely to present a high risk to the rights and freedoms of natural persons, the controller shall, without undue delay, inform the data subject of the data protection incident.

(2) The information referred to in paragraph 1 shall provide the data subject with a clear and unambiguous description of the nature of the data protection incident and shall, as a minimum, specify the name and contact details of the data protection officer or other contact person providing further information, the likely consequences of the data security incident, the measures taken or planned by the data controller to remedy the data incident, including, where appropriate, measures to mitigate possible adverse consequences of the data incident.

(3) The data subject need not be informed as referred to in paragraph 1 if any of the following conditions are met:

a. the controller has implemented appropriate technical and organizational security measures and has been applied to the data affected by the data protection incident, in particular measures such as the use of encryption, the data which render unauthorized persons unauthorized;

b. the controller has taken further measures following the data protection incident to ensure that the high risk to the data subject’s rights and freedoms referred to in paragraph 1 is no longer likely to materialize;

c. information would require a disproportionate effort. In such cases, the data subjects shall be informed through publicly available information or similar measures shall be taken to ensure that the data subjects are provided with equally effective information.

(4) Where the controller has not already notified the data subject of the data protection incident, the supervisory authority, after considering whether the data protection incident is likely to present a high risk, may order the data subject to be informed or to determine whether one of the conditions referred to in paragraph (3) is met.

 

VI. PROCEDURE APPLICABLE TO THE APPLICANT ‘S REQUEST

(1) The Company shall facilitate the exercise of the rights of the data subject and shall not deny the data subject’s request for the exercise of his or her rights as set out in this Privacy Policy unless he proves that he cannot be identified.

(2) The undertaking shall inform the data subject, without undue delay, and in any event within one month of receipt of the application, of the action taken on it. Where necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the time limit, indicating the reasons for the delay, within one month of receipt of the request.

(3) Where the data subject has made an application by electronic means, the information shall, as far as possible, be provided by electronic means, unless otherwise requested by the data subject.

(4) Where the undertaking does not act on the data subject’s request, it shall inform the data subject without delay and, at the latest within one month of receipt of the application, of the reasons for the non-action and of his or her complaint to the supervisory authority and right of appeal.

(5) The Company shall provide the data subject free of charge with the following information and measures: feedback on the processing of personal data, access to the data being processed, rectification, addition, deletion, restriction on data management, data portability, objection to data management.

(6) Where the request of the data subject is manifestly unfounded or excessive, in particular because of its repetitive nature, the controller may charge a fee of HUF 5000 or refuse the request, taking into account the administrative costs of providing the requested information or information or taking the requested action. .

(7) The controller shall bear the burden of proving the manifestly unfounded or excessive nature of the request.

(8) Without prejudice to Article 11 of the Regulation, where the controller has substantiated doubts as to Articles 15 to 21 of the Regulation. The applicant may request further information concerning the identity of the natural person who made the request in accordance with Article (6), which is necessary to confirm the identity of the data subject.

 

VII. PROCEDURE TO BE APPLIED IN THE CASE OF PERSONAL DATA BREACH

(1) A data protection incident within the meaning of the Regulation is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access of personal data transmitted, stored or otherwise processed.

(2) Loss or theft of a device containing personal data (laptops, mobile phones), or loss of code to decrypt the data encrypted by the data controller, making it inaccessible, ransomware infection, Until the payment of a ransom, make the data managed by the controller inaccessible, attack against the IT system, e-mail containing incorrectly sent personal data, publication of the address list, etc.

(3) If a privacy incident is detected, a representative of the Company shall promptly conduct an investigation to identify the privacy incident and determine its possible consequences. The necessary measures must be taken to prevent damage.

(4) The data protection incident shall be reported to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after it is brought to the attention of the competent supervisory authority, unless it is likely that the rights and freedoms of natural persons would not be compromised. for. If the notification is not made within 72 hours, the reasons for the delay shall also be provided.

(5) The data controller shall notify the controller without undue delay after becoming aware of it.

(6) The notification referred to in paragraph 3 shall at least:

a. a description of the nature of the data protection incident, including, where possible, the categories and approximate number of data subjects, as well as the categories and approximate number of data affected by the incident;

b. the name and contact details of the Data Protection Officer or other contact person providing further information shall be provided;

c. a description of the likely consequences of a privacy incident;

d. a description of the measures taken or planned by the controller to remedy the privacy incident, including, where appropriate, measures to mitigate any adverse consequences that may result from the privacy incident.

(7) Where and where it is not possible to supply information simultaneously, it may be disclosed at a later stage without further undue delay.

(8) The controller shall keep records of data protection incidents, indicating the facts surrounding the data incidents, their effects and the measures taken to remedy them. This register enables the supervisory authority to verify compliance with the requirements of Article 33 of the Regulation.

 

VIII. WEBSITE-RELATED DATA MANAGEMENT

Information about visitor information on the Company’s website

(1) During visits to the Company’s website, one or more “cookies”, hereinafter referred to as “cookies”, are small pieces of information that are sent to the browser by the server and sent back to the server each time it receives a request to the server – will be sent to the visitor’s computer, which will uniquely identify his or her browser, provided that the visitor has given his or her explicit (active) consent to this site by following clear and unambiguous information.

(2) Cookies are used solely to improve the user experience and to automate the login process. Cookies used on this website do not store personally identifiable information and the Company does not handle personal data in this area.

Sign up, newsletter signup

(1) The legal basis for data processing shall be the consent of the data subject in the case of registration, newsletter sign-up, by ticking the checkbox next to the word “registration” or “newsletter sign-up” on the Company’s website.

(2) Stakeholder Registration, Newsletter Subscription: Any natural person wishing to subscribe to the Company Newsletter or to register on the Website and giving consent to the processing of their personal data.

(3) The scope of data to be processed in case of newsletter sign-up: name, email address.

(4) The scope of the managed data upon registration: name, address, e-mail address, telephone number, login password.

(5) Purpose of data management in case of newsletter sign-up: informing the data subject about the services, products of the Company, changes in them, informing about news and events.

(6) Purpose of data processing in case of registration: contact preparation for the conclusion of a contract, provision of free services on the website to the data subject, access to the non-public content of the website.

(7) The recipients of the data (who may become aware of the data) in the case of newsletter sign-up or registration are: the head of the company, the customer relationship officer, the data processing staff of the company website.

(8) Duration of data processing in case of newsletter subscription, registration: in case of newsletter subscription until unsubscription, in case of registration, at the request of the data subject.

(9) The data subject may at any time unsubscribe from the newsletter or request the cancellation of his / her registration (personal data). You can unsubscribe from the newsletter by clicking on the unsubscribe link in the footer of the emails sent to them, or by mailing them to your Company’s headquarters.

Data management relating to direct marketing activities

(1) The legal basis for the Enterprise to process data for direct marketing purposes shall be the consent of the data subject, which shall be unambiguous and explicit. The explicit, explicit prior consent of the data subject shall be provided on the Company’s website by ticking the box next to the consent to direct marketing request following the information regarding the management of your data.

(2) The data subject may also give his / her consent on paper, in accordance with Article 2 of these Rules. by completing the form attached to this Annex.

(3) Stakeholders: Any natural person who consents, explicitly and explicitly, to the Company’s personal data being processed for direct marketing purposes.

(4) The purposes of data management are: advertising, supplying of offers related to the provision of services, supply of goods, notification of promotions by electronic or postal means.

(5) The recipients of the personal data are the Head of the Company, the employees who perform customer service and marketing tasks on the basis of their job.

(6) The scope of personal data processed: name, address, telephone number, e-mail address.

(7) Duration of data processing: until the data subject has withdrawn the processing of personal data for direct marketing purposes.

Data management relating to hotel reservations

(1) The provisions of the above provisions shall apply to the registration on the Website, the data management activities relating to the subscription to the Newsletter and the provision of information to visitors.

(2) On-line hotel bookings, that is, the conclusion of contracts, shall be made on the website of the Enterprise in accordance with CVIII. Therefore, the purpose of the data management is to prove the fulfillment of the obligation of the service provider regarding the consumer information required by law, to prove the conclusion of the contract, to establish the contract, to determine its content, to monitor its fulfillment, the billing of any fee (s) arising therefrom and the enforcement of any related claims.

(3) In the case of booking accommodation on the website, the legal basis for data management shall be the performance of the contract and the fulfillment of the legal obligation.

(4) Categories of data subject to data management: name, address, telephone number, login password, bank account number of the hotelier.

(5) Categories of Data Controlled Persons: Any natural person who signs up on the Company’s website, subscribes to a newsletter, and accepts accommodation.

(6) The categories of recipients of the data are: Company Manager, Customer Relationship, Sales, Data Processing Staff, Company Accounting, and Data Processing.

(7) The place of data management shall be the seat of the Enterprise.

(8) Duration of data management: 5 years from termination of contract.

 

IX. DATA MANAGEMENT ACTIVITIES RELATED TO THE PERFORMANCE OF THE CONTRACT

(1) The Enterprise shall handle the personal data of its natural persons – customers, buyers, suppliers – in the context of its contractual relationship. The data subject shall be informed of the processing of personal data.

(2) Stakeholders: Any natural person entering into a contractual relationship with the Enterprise.

(3) The legal basis of data management is the fulfillment of the contract, the purpose of the data management is the communication, the enforcement of claims arising from the contract, and ensuring compliance with contractual obligations.

(4) The recipients of the personal data are: the head of the Company, the employees of the Company performing customer service and bookkeeping duties and data processors.

(5) Personal data processed: name, address, registered office, telephone number, e-mail address, tax number, bank account number, entrepreneurial passport number, prime passport number.

(6) Duration of data management: 5 years from the date of termination of the contract.

 

X. INFORMATION ON DATA MANAGEMENT IN USE OF ELECTRONIC MONITORING SYSTEM

(1) Our company operates an electronic monitoring and recording system (camera system) in its customer area / owned units. Upon entering the monitored area (room) indicated by this sign, the electronic surveillance system will record the image and action of the data subject.

(2) The legal basis for the camera surveillance is the voluntary contribution of the person concerned, based on information provided by our company in the form of awareness boards. The consent of the data subject may take the form of explicit implicit behavior. Such explicit impersonation is when entering or staying in a room / area monitored by an electronic monitoring and recording system. If you do not wish to give your consent, do not enter the premises / area or unit indicated by the notice board.

(3) The purpose of recordings shall be to protect human life, bodily integrity, personal liberty, the protection of business secrecy, the prevention of, and the detection of, infringements for the protection of personal and property, and to document the circumstances of any accident occurring in the customer area; the protection of the public domain of an insurer which is necessary for the public to carry out its tasks. The camera surveillance system does not record sound.

(4) The legal basis for camera surveillance is the voluntary contribution of the data subject based on information provided by the Enterprise in the form of notice boards. The consent of the data subject may take the form of explicit implicit behavior. Such explicit impersonation is when entering or staying in a room / area monitored by an electronic monitoring and recording system.

(5) The location of the recordings (personal data) recorded by the electronic monitoring system The headquarters of our company, the duration of the storage of the recordings is 3 working days from the making.

(6) The scope of the data processed is the captured image and other personal data of the camera system operated.

(7) The personal data recorded by camera recording may be known to: Business manager, employees operating the camera system, data processor performing the operation for the purpose of detecting violations and checking the operation of the system.

 

XI. PROVISIONS RELATING TO DATA SECURITY

(1) The Company may process personal data only in accordance with the activities set out in these Rules and for the purpose of data management.

(2) The Enterprise shall ensure the security of the data and shall undertake to take all necessary technical and organizational measures to enforce the data security, privacy and confidentiality rules and to establish the necessary procedural rules to enforce the laws and regulations specified above.

(3) The Company shall protect the data by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, and loss of access due to changes in the technology used.

(4) The technical and organizational measures to be taken by the Enterprise to ensure data security are set out in the Enterprise Privacy Policy.

(5) The Enterprise shall, when defining and applying data security measures, take into account the state of the art and, in the case of several possible data management solutions, shall choose a solution ensuring a higher level of protection of personal data, unless it would be disproportionate.

 

 XII. RULES CONCERNING DATA PROCESSING

(1) The rights and obligations of the data processor in relation to the processing of personal data shall be determined by the data controller in accordance with the law and the specific laws governing data processing.

(2) The Company declares that it is not competent to make a substantive decision on data processing in the course of its activities; store and preserve.

(3) The Company shall be responsible for the legality of the instructions given to the processor regarding the data processing operations.

(4) It is the duty of the Enterprise to provide the data subjects with information on the identity of the data processor and the place of data processing.

(5) The Enterprise shall not authorize the data processor to use further data processors.

(6) The contract for the processing of data shall be in writing. Data processing cannot be entrusted to an organization that is interested in a business that uses the personal data to be processed.

Dated 25.05.2018