4. DATA MANAGEMENT RELATING TO THE PURCHASE OF A GIFT VOUCHER
Guests of the Hotel Forrás Zalakaros*** have the possibility to request a gift voucher on the website of the hotel. The data of the voucher (name) and the amount is to be determined by the person who purchases the voucher. Upon receipt of the gift voucher – at the value indicated on it – the guests of the hotel will be able to pay with the gift voucher instead of the usual payment methods in the hotel (cash, bank card, SZÉP card, bank transfer).
The purpose of the data management: The legal basis for data handling is: the prior consent of the person booking the accommodation [Article 6 Par. (1) Section a) of the GDPR]
Scope of the personal data processed: surname and first name; telephone number; e-mail address, invoicing details (name, zip code, town, street, house number), mailing address (name, zip code, town, street, house number).
Duration of the data management: until the successful delivery of the gift voucher. In the case of issuing the invoice, the duration of the data processing is 8 years from the date the concerned party hands over the personal information and from the date of the preparation of the report, business report and accounting prepared for the given business year.
Use of data processor: our company uses the services of an information technology service provider for the operation of the gift voucher purchasing system.
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
The operation of the online gift voucher module
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
8749 Zalakaros, Termál u.6.
Delivery of the gift voucher
Possible consequences of the lack of data services: The person concerned cannot buy a gift voucher.
Rights of the person concerned: the person concerned (whose personal information is handled by our company)
a) may request information on the processing of his/her personal data or to access these personal data,
b) may request the rectification of the data,
c) may request the deletion thereof,
d) in case the conditions of GDPR Article 18. are met, he/she may request the limitation of the processing of the personal data (which means that our company does not delete or destroy the data until a court or official order, but only for maximum 30 days, and beyond this the company shall not process the data for any other reasons).
e) may object to the processing of personal data,
f) exercise his/her right for data transmission. Under the latter law, the concerned person is entitled to receive his/her personal data in a word or excel format, and he/she is further entitled to ask the data to be forwarded by our company to another data processor.
Other information about data processing: Our company will take all necessary technical and organizational measures to avoid any possible privacy incidents (e.g. damage, loss of files containing personal information and to prevent unauthorized access). In the event of an incident occurring, we keep a record of the necessary measures and in order to be able to inform the concerned persons, which includes the circle of the given personal data, the circle and number of the people affected by the data protection incident, the time of the data protection incident, its circumstances, effects and the measures taken to remedy the data protection incident, and all other data specified in the law governing the data management.
Our company has concluded a data processing contract with the data processors in which the data processors undertake that in case they use further data processors, they will obligatorily use the data protection and data processing guarantees that are required from them by the data processing agreement, taking this into consideration we provide the legal processing of the personal data even in case of data processors.
5. DATA MANAGEMENT AS REGARDS SUBSCRIBING TO THE NEWSLETTER
We inform people who subscribe to the newsletter about our offers, news and promotions.
You have the possibility to subscribe to the newsletter of Hotel Forrás Zalakaros*** (https://hotelforraszalakaros.hu). If you subscribe to this newsletter, you agree to be contacted with the newsletter regarding Hotel Forrás Zalakaros***.
Subscribing to the newsletter – besides sending out the newsletters – is not a condition to take use of any of our services.
The purpose of the data management: to send out the newsletter.
The legal basis for data handling is: the prior consent of the person concerned [Article 6 Par. (1) Section a) of the GDPR].
Scope of managed personal data: first and surname, e-mail address
Duration of the data management: until unsubscribing from the newsletter.
Using a data processor:
Our company uses the services of an information technology service provider for the online newsletter sending system as follows.
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Storing and running the newsletter sending database
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Possible consequences of the lack of data services: The concerned person does not receive a newsletter from our company.
Rights of the person concerned: the person concerned (whose personal information is handled by our company)
a) may request information on the processing of his/her personal data or to access these personal data,
b) may request the rectification of the data,
c) may request the deletion thereof,
d) in case the conditions of GDPR Article 18. are met, he/she may request the limitation of the processing of the personal data (which means that our company does not delete or destroy the data until a court or official order, but only for maximum 30 days, and beyond this the company shall not process the data for any other reasons),
e) may object to the processing of personal data,
f) exercise his/her right for data transmission. Under the latter law, the concerned person is entitled to receive his/her personal data in a word or excel format, and he/she is further entitled to ask the data to be forwarded by our company to another data processor.
You can unsubscribe from our newsletter at any time by sending an e-mail to our company to info@hotelforraszalakaros.hu or by clicking on the unsubscribe icon in the newsletter. In this case, your personal information related to the newsletter sending will be deleted from our database without delay.
Other information about data processing: Our company will take all necessary technical and organizational measures to avoid any possible privacy incidents (e.g. damage, loss of files containing personal information and to prevent unauthorized access). In the event of an incident occurring, we keep a record of the necessary measures and in order to be able to inform the concerned persons, which includes the circle of the given personal data, the circle and number of the people affected by the data protection incident, the time of the data protection incident, its circumstances, effects and the measures taken to remedy the data protection incident, and all other data specified in the law governing the data management.
Our company has concluded a data processing contract with the data processors in which the data processors undertake that in case they use further data processors, they will obligatorily use the data protection and data processing guarantees that are required from them by the data processing agreement, taking this into consideration we provide the legal processing of the personal data even in case of data processors.
6. MANAGING PERSONAL DATA RELATED TO SATISFACTION MEASUREMENT
Our goal is to provide the services of Hotel Forrás Zalakaros*** to our guests at a high standard, therefore we are constantly requesting feedback from our guests about their experiences during their stay in the hotel.
The purpose of data management: to request feedback from hotel guests to further develop and improve the services of Hotel Forrás Zalakaros***.
Legal basis for data processing: It is the legitimate interest of the data manager [Article 6 Paragraph (1) Section f) of the GDPR], to have the approval of the person concerned [Article 6 Paragraph (1) Section a) of the GDPR].
Indication of the legitimate interest: our company has a legitimate interest to receive information in order to develop our services based on feedback.
Scope of managed personal data: first and surname, sex, e-mail address.
The duration of data management: two years after the last day of the reservation date.
Use of data processor: our company uses the services of an information technology service provider for the online accommodation system as follows.
8200 Veszprém, Boksa tér 1/A
Operating the satisfaction measuring module
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
By accepting this prospectus, the concerned person gives his/her express consent for the Data Processor to take us of the services of additional data processors – in order to make the service more comfortable and more tailored – as follows:
The Rocket Science Group, LLC
675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA
The owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails and notifications confirming the reservations in case of sending out offers and when surveying satisfaction
Possible consequences of the lack of data services: The concerned person does not receive a satisfaction measuring questionnaire from our company.
Rights of the person concerned: the person concerned (whose personal information is handled by our company)
g) he/she may request information about handling personal information about him/her and also access to such information,
h) he/she may request the rectification of such data,
i) he/she may request the deletion thereof,
j) in case the conditions of GDPR Article 18. are met, he/she may request the limitation of the processing of the personal data (which means that our company does not delete or destroy the data until a court or official order, but only for maximum 30 days, and beyond this the company shall not process the data for any other reasons).
k) may object the processing of personal data,
l) he/she may exercise his/her right for data transmission. Under the latter law, the concerned person is entitled to receive his/her personal data in a word or excel format, and he/she is further entitled to ask the data to be forwarded by our company to another data processor.
Other information about data processing: Our company will take all necessary technical and organizational measures to avoid any possible privacy incidents (e.g. damage, loss of files containing personal information and to prevent unauthorized access). In the event of an incident occurring, we keep a record of the necessary measures and in order to be able to inform the concerned persons, which includes the circle of the given personal data, the circle and number of the people affected by the data protection incident, the time of the data protection incident, its circumstances, effects and the measures taken to remedy the data protection incident, and all other data specified in the law governing the data management.
Our company has concluded a data processing contract with the data processors in which the data processors undertake that in case they use further data processors, they will obligatorily use the data protection and data processing guarantees that are required from them by the data processing agreement, taking this into consideration we provide the legal processing of the personal data even in case of data processors.
7. COOKIE HANDLING AND GOOGLE ANALYTICS
The Data Manager uses the Google Analytics app to place a small data packet called cookie on the user’s computer and will read it back during a future visit. If the browser returns a previously saved cookie, the cookie operator may link the present visit of the user with the past visit, but only as regards with its own content.
The purpose of data management: is to identify, track, distinguish the users from each other, to identify the users’ current work session, to save the data provided during such, to prevent data loss, to provide web analytical measurements, and personalized service.
The legal basis for data handling is: the prior consent of the person concerned [Article 6 Par. (1) Section a) of the GDPR].
The scope of managed data: IP address, date, time, and the previously visited page.
The duration of data management: up to 90 days after visiting the site
Taking use of the data processor: our company uses the services of an information technology service provider as follows.
8200 Veszprém, Boksa tér 1/A
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Further information about data processing: Cookies can be deleted by the user from his own computer or the use of cookies can be disabled in his/her browser.
Further information about the setting of the cookie preferences in your browser can be found in the below policies:
For more information about Google Analytics, please visit: https://policies.google.com/privacy?hl=en. https://policies.google.com/privacy?hl=en.
Possible consequences of the lack of data provision: the impossibility of taking use of the services as regards the services outlined in the above Section II.1-6.
8. WEBSITE SERVER LOGGING
When visiting our website, out web server automatically logs user activity.
The purpose of data management: during the visit of our site, the service provider records the visitor data in order to check the functionality of the services and to prevent abuse.
Legal basis for data processing: Legitimate interest of the data controller [Article 6. Paragraph (1) Section f) of the GDPR]
Designation of the legitimate interest: our company has a legitimate interest in the safe operation of the website.
Type of personal data processed: ID number, date, time, address of the page visited.
The duration of data management: up to 90 days after visiting the site.
Taking use of the data processor: our company uses the services of an information technology service provider for the server logging as follows.
8200 Veszprém, Boksa tér 1/A
Recording the visitor data and the information needed for the server operation
Operation of the website
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Further information: our company does not link data collected during the analysis of the logs with other information, and does not seek to identify the user. The addresses of the pages visited, as well as the date and time data are not suitable for the identification of the person concerned, however when linked with other data (such as those provided during registration) they can help in drawing conclusions about the user.
Data management of external service providers as regards logging:
The html code of the portal contains links to and from external servers that are independent from our company. The server of the external service provider is connected directly to the user’s computer. We call the attention of our visitors to the fact that the service providers of these links are capable of collecting user data as a result of the direct connection to their server and because of the direct communication with the browser of the user (e.g. IP address, browser, operating system details, cursor movement, address of the page visited and the time of visit). The IP address is a series of numbers that can be used to clearly identify the computers and mobile devices of users connecting to the Internet.
With the use of the IP addresses the geographical location of the visitor using the given computer may also be located. The addresses of the pages visited, as well as the date and time data are not suitable for the identification of the person concerned, however when linked with other data (such as those provided during registration) they can help in drawing conclusions about the user.
9. CAMERA MONITORING
At the territory of the Hotel Forrás Zalakaros*** our company uses an electronic monitoring system.
The purpose of THE data management is: The protection of the life and bodily integrity of the persons staying in the Hotel Forrás Zalakaros***, and to upkeep the personal and property security through the use of the electronic monitoring (camera) system.
The camera surveillance by the data processor does not serve the purpose of employer control according to Mt. § 11. Paragraph (1).
The legal basis for data handling is: the voluntary consent of the person concerned according to [Section a) Paragraph (1) of Article 6. of the GDPR], and the validation of the legitimate interests of data manager on the basis of the Szvtv. § 26. Paragraph 1 Section e) and § 31. Paragraphs (1) – (4) [Article 6. of the GDPR, Paragraph (1) Section f)].
The scope of the managed personal data: face copies, voice, and behaviour of persons concerned on the image and sound recordings.
The duration of the data management: 3 working days after the entry of the person concerned into the territory of Hotel Forrás Zalakaros***, or 30 days in case of a public event.
Using a data processor: our company does not use a data processor to operate the electronic monitoring (camera) system.
Rights of the person concerned: the person concerned (whose personal information is handled by our company)
a) may request information on the processing of his/her personal data or to access these personal data,
b) may request the rectification of the data,
c) may request the deletion thereof,
d) in case the conditions of GDPR Article 18. are met, he/she may request the limitation of the processing of the personal data (which means that our company does not delete or destroy the data until a court or official order, but only for maximum 30 days, and beyond this the company shall not process the data for any other reasons).
e) may object to the processing of personal data,
f) exercise his/her right for data transmission. Under the latter law, the concerned person is entitled to receive his/her personal data in a word or excel format, and he/she is further entitled to ask the data to be forwarded by our company to another data processor.
Other information about data processing: Our company will take all necessary technical and organizational measures to avoid any possible privacy incidents (e.g. damage, loss of files containing personal information and to prevent unauthorized access). In the event of an incident occurring, we keep a record of the necessary measures and in order to be able to inform the concerned persons, which includes the circle of the given personal data, the circle and number of the people affected by the data protection incident, the time of the data protection incident, its circumstances, effects and the measures taken to remedy the data protection incident, and all other data specified in the law governing the data management.
Our company has not concluded a data processing contract for data processing, therefore our company undertakes that in case we use further data processors, we will obligatorily use the data protection and data processing guarantees that are required from us by the data processing agreement, taking this into consideration we provide the legal processing of the personal data even in case of the use of data processors.
10. OTHER DATA MANAGEMENT
In case of data management not listed in this information material, we provide information when the data is recorded. We inform our customers that some authorities, public service bodies, courts may approach our company to provide personal information. For these bodies, our company – in case the body has indicated the exact purpose and the scope of the information – provides information only to the extent that is necessary for the achievement of the purpose of the request, and in case the accomplishment of the approach is legally required.
III. STORAGE OF PERSONAL DATA, SAFETY OF THE DATA MANAGEMENT
The computing systems and other data retention locations of our company are located at the headquarters and on the servers rented by the data processor. Our company selects and manages the IT tools used to manage personal data for the provision of the service in a way that:
a) it is accessible for the authorized persons (availability);
b) its authenticity and certification is provided (credibility of data management);
c) its unchanged nature can be verified (data integrity);
d) it is protected from unauthorized access (confidentiality of data).
We pay particular attention to the security of the data, and we also take the technical and organizational measures and develop the procedures necessary to enforce the GDPR guarantees. We protect the data by appropriate measures, particularly against unauthorized access, modification, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and the unavailability due to the applied technology.
The IT system and network of our company and our partners is protected against computer-aided fraud, computer viruses, computer intrusions, and against attacks leading to a service denial. The operator also provides for the security through server-level and application-level security measures. The daily data backup is provided for. In order to avoid data protection incidents, our company will take all possible measures, in case such an incident occurs – according to our internal rules – we take immediate actions to minimize the risks and to remedy the damages.
IV. THE RIGHTS OF THE PARTIES CONCERNED, LEGAL REMEDY OPPORTUNITIES
The Party concerned may request information about the handling of his/her personal data, may request the rectification of his/her personal data or – with the exception of the mandatory data handling – may request the deletion, cancellation of his/her data, he/she may use his/her right to transfer his/her data, to protest as indicated at the time of the recording of the data, and at the above contact details of data manager.
At the request of the person concerned, we provide the information in electronic format without delay, but no later than 30 days, in accordance with our applicable regulations. Requests for the fulfilment of the below rights are provided free of charge to the concerned persons.
Right to receive information:
Our company takes appropriate actions to ensure that we provide all the information as regards the handling of personal data to persons concerned as mentioned in Article 13. and 14. of the GDPR according to articles 15-22. and 34. in a concise, transparent, comprehensible and easily accessible form, in a clear and straightforward, but at the same time in a precise manner.
The right to receive information can be exercised in writing through the contact details given in point 1. At the request of the person concerned – after the verification of his/her identity – oral information may also be given. We inform our customers that in case the co-workers of our company have concerns about the identity of a concerned person, we may request information from him/her that is needed for the verification of his/her identity.
The right to access of the concerned person:
The person concerned has the right to be informed by the data manager about whether his/her personal data is being processed, or not. In case his/her personal data is being managed, the concerned person has the right to have access to his/her personal information and to the information listed below.
• The purposes of the data management;
• the categories of the personal data involved;
• recipients or recipient categories to whom the personal data has been or will be communicated, including in particular third (non-EU) country recipients or the international organizations;
• the intended duration of the storage of personal data;
• the right to correct or delete the data or to limit the data management;
• the right to file a complaint addressed to the supervisory authority;
• information about data sources; the fact of automated decision making, including the creation of a profile, as well as information about the logic applied and information about the significance of such data management, and about the consequences it may have for the person concerned.
In addition to the above, in case personal data is transferred to third countries or to an international organization the concerned person has the right to receive information about the guarantees of the data transfer.
The right for correction:
Under this law, anyone may request the correction of his/her inaccurate personal data processed by our company and the completion of incomplete data.
Right to delete:
The person concerned has the right, on any of the following grounds, to request from us the deletion of his/her personal data without undue delay:
a) personal data are no longer required for the purpose for which they have been collected or otherwise managed;
b) the party concerned withdraws his/her consent for the data management and the data management has no other legal basis;
c) the party concerned is objecting the processing of his/her data and there is no primary legal basis for the data management;
d) the unlawful handling of personal data is the case;
e) personal data is to be deleted in order to comply with the legal obligation imposed on the data manager by the Union or by the Member State law;
f) the collection of the personal data is done in connection with the provision of information society services.
Deletion of the data cannot be requested if the management of the data is required for the following purposes:
a) to exercise the right to freedom of expression and information gathering;
b) to meet the obligation to manage personal data under the law of the Union or of the Member States applicable to the data manager, or for the purpose of processing data for public interest or for the purpose of doing a task within the framework of public authority permit issued for the data controller;
c) on the basis of public interest relating to public health or archiving, scientific and historical research purposes or for statistical purpose;
d) or for the submission, validation or protection of legal claims.
Right to restrict data management:
At the request of the person concerned, we restrict the processing of data in the cases mentioned in Article 18. of the GDPR, that is:
a) if the person concerned disputes the accuracy of the personal data, the restriction concerns the period of time which allows for checking the accuracy of the personal data;
b) if the data management is unlawful and the person concerned opposes the deletion of the data and, instead, he/she requests the restriction of the data management;
c) the data manager no longer needs the personal data for data processing, but the person concerned requires them to submit, enforce or protect legal claims;
d) or the person concerned objected the data management; in this case, the restriction applies to the period of time that is needed to verify whether the legitimate reasons of the data manger prevail over the legitimate grounds of the person concerned.
If the data management is restricted, personal data with the exception of storage may be managed only with the consent of the person concerned or for the submission, validation or protection of legal claims or for the protection of the rights of other natural or legal persons, or for the public interest of the European Union or of a Member State. The concerned person must be informed of the discontinuation of the limitation of data handling in advance.
Right to data transfer:
The concerned person shall have the right to receive the personal data that he/she has provided to the data manger in a sectioned, widely used machine-readable format and to transfer such data to another data manager. Our company can execute such a request of the concerned party in word or excel format.
Right to object:
If the management of the personal data is done for direct business acquisition, the person concerned is entitled to object at any time the management of personal data relating to that purpose, including the creation of a profile, if such is related to direct business acquisition. In the event of the objection of the handling of personal data for direct business acquisition, the data cannot be managed for this purpose.
Automated decision-making in individual cases, including the creation of a profile:
The concerned person shall be entitled to be excluded from the scope of decision making based solely on automated data management – including the creation of a profile – that would have a legal effect on him/her, or would have a similarly significant effect on him/her. The above right does not apply if the data management
a) is necessary for the conclusion and performance of a contract between the concerned person and the data manager;
b) is based on a Union or Member State law applicable to the data manager, which determines actions to be taken for the
c) protection of the legitimate interests of the data subject; or
d) is based on the express consent of the person concerned.
Right of withdrawal:
The person concerned has the right to withdraw his/her consent at any time. The withdrawal of the consent does not affect the lawfulness of the data management based on consent prior to the withdrawal.
Procedural rules:
Data manager informs the concerned person without undue delay, but in any case within one month from the receipt of the request, on the measures taken on the basis of Articles 15-22. of the GDPR. If necessary, this deadline may be extended by two additional months taking into account the complexity of the application and the number of applications. Data manager shall inform the person concerned about the extension of the deadline by indicating the reasons for the delay within one month counted form the receipt of the application.
If the person concerned has submitted the request electronically, the information will be provided electronically, unless the person concerned requests it otherwise.
In case the data manager fails to take action upon the request of the concerned person, he shall inform the person concerned without delay but not later than one month after the receipt of the request about the reasons for not complying with the request, and about the fact the concerned party may submit a complaint at the supervisory authority and may exercise his/her right to seek legal remedy at the court.
Data manager shall inform all recipients about all corrections, cancellations, or restrictions of the data management to whom he/she communicated personal data unless this proves impossible or would require disproportionate efforts. At the request of the concerned person, the data manager shall inform him/her about the recipients thereof.
Compensation and damages:
Any person who has suffered material or non-material damage as a result of the violation of the data protection regulation is entitled to receive compensation for the damage sustained from the data manager or the data processor. The data processor shall only be held liable for damages caused by the data management if he/she has failed to comply with the statutory obligations specifically imposed on the data processors or if he/she has disregarded the legitimate instructions of the data manager or acted contrary to it. If several data managers or several data processors or both the data manager and the data processor are involved in the same data handling, and are liable for the damage caused by the data handling, each data manager or data processor is jointly liable for the total damage.
The data manager or the data processor shall be exempt from the liability if he/she is able to prove that he/she is not liable in any way for the act giving rise to the damage.
Right to turn to court and the data protection authority procedure:
If the person concerned thinks that the data manager has violated his right to protect his/her personal data during his/her data management, he/she may seek legal remedy on the basis of the respective legal regulations from the competent authorities, as follows:
may file a complaint to the Hungarian National Authority for Data Protection and Freedom of Information
address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.;
website: www.naih.hu;
e-mail address: ugyfelszolgalat@naih.hu;
phone: +36-1-391-1400
(hereinafter: „HNADPFI”)
– may turn to the competent court.
Data manager undertakes to fully cooperate with the concerned court or the HNADPFI in all these proceedings, and to provide the information needed about the data management to the HNADPFI or to the court concerned.
V. MISCELLANEOUS PROVISIONS
The data manager undertakes to ensure that all data management related to his activity is in accordance with the requirements set out in this declaration, as well as in accordance with his internal regulations – making requirements that are similar to the contents of this very declaration – and in accordance with the respective legal regulations.
Data manager reserves the right to change this declaration at any time, provided that after the implementation of the changes, he informs the concerned person by means of a notice published on the website of the Hotel Forrás Zalakaros***.
Should you have any questions about the contents of this declaration, please send us an e-mail.
Last updated: 1.5.2018.
