DATA PROTECTION INFORMATION
(Newsletter subscribe)

THE Vasutas Önkéntes Támogatási Alap Egyesület is the manager of Hotel Forrás Zalalakaros (address: H-8749 Zalakaros, Termál utca 6.; website: https://hotelforraszalakaros.hu in all cases ensures the legality and practicality as regards the handling of the personal data managed by it. The purpose of this information is to provide people making reservation in the Hotel Forrás Zalakaros*** with adequate information about the conditions, guarantees and duration of the personal data processing even before making the reservation or providing their personal data. Our company in all cases involving the processing of personal data adheres to the contents of this declaration, we consider the contents thereof obligatory for us.

The data and contact details of our company are as follows:

Name: Vasutas Önkéntes Támogatási Alap Egyesület Hotel Forrás Zalakaros
Premise: -8749 Zalakaros, Termál utca 6.
Company Registration Number: G.PK. 64805/I.3265
Tax number: 19653613-2-42
Represented by: Kömíves Zoltán Managing Director
Phone: +36 93 540 116
E-mail: info@hotelforraszalakaros.hu
Website: https://hotelforraszalakaros.hu
(hereinafter also referred to as: “Data Manager”)

Our data management complies with all applicable laws, in particular:

➢(EU) No 2016/679 Regulation of the European Parliament and Council (27. April 2016.) – the protection of personal data of natural persons with regard to the processing of such data and about the free movement of such data, and on the repealing of 95/46/EK Regulation (General Data Protection Regulation, hereinafter “GDPR”);

➢Law No CXII of 2011 on the right to informational self-determination and
freedom of information;

➢ Law No V of 2013 on the Civil Code;

➢Law No C of 2000 on public accountancy;

➢Law No CL of 2017 on the order of taxation;

➢Law CXXXIII of 2005 on the rules of personal and property protection and
private detective activities; (hereinafter referred to as: “Szvtv.”);

➢Law XLVIII of 2008 on the Fundamental Terms and Given Limitations of
Economic Advertising Activity;

➢ Law CVIII of 2001 on certain aspects of e-commerce services and services related to the information society.

We provide the following information regarding our given data management
procedures.

II. DATA MANAGEMENT AS REGARDS SUBSCRIBING TO THE NEWSLETTER

We inform people who subscribe to the newsletter about our offers, news and
promotions.

You have the possibility to subscribe to the newsletter of Hotel Forrás Zalakaros*** (https://hotelforraszalakaros.hu). If you subscribe to this newsletter, you agree to be contacted with the newsletter regarding Hotel Forrás Zalakaros***

Subscribing to the newsletter – besides sending out the newsletters – is not a condition to take use of any of our services.

The purpose of the data management: to send out the newsletter.

The legal basis for data handling is: the prior consent of the person concerned [Article 6 Par. (1) Section a) of the GDPR].

Scope of managed personal data: first and surname, e-mail address

Duration of the data management: until unsubscribing from the newsletter.

Using a data processor: Our company uses the services of an information technology service provider for the online newsletter sending system as follows:

Name of the data processor

Address

Description of the data processing job

Knighthosting LLC

12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410

Storing and running the newsletter sending database

Name of the data processor

Address

Description of the data processing job

Knighthosting LLC

12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410

Operation of the website

Possible consequences of the lack of data services: The concerned person does not receive a newsletter from our company.

Rights of the person concerned: the person concerned (whose personal information is handled by our company)

a) may request information on the processing of his/her personal data or to access these personal data,
b) may request the rectification of the data,
c) may request the deletion thereof,
d) in case the conditions of GDPR Article 18. are met, he/she may request the limitation of the processing of the personal data (which means that our company does not delete or destroy the data until a court or official order, but only for maximum 30 days, and beyond this the company shall not process the data for any other reasons).
e) may object to the processing of personal data,
f) exercise his/her right for data transmission. Under the latter law, the concerned person is entitled to receive his/her personal data in a word or excel format, and he/she is further entitled to ask the data to be forwarded by our company to another data processor.

You can unsubscribe from our newsletter at any time by sending an e-mail to our company to info@hotelforraszalakaros.hu or by clicking on the unsubscribe icon in the newsletter. In this case, your personal information related to the newsletter sending will be deleted from our database without delay.

Other information about data processing: Our company will take all necessary technical and organizational measures to avoid any possible privacy incidents (e.g. damage, loss of files containing personal information and to prevent unauthorized access). In the event of an incident occurring, we keep a record of the necessary measures and in order to be able to inform the concerned persons, which includes the circle of the given personal data, the circle and number of the people affected by the data protection incident, the time of the data protection incident, its circumstances, effects and the measures taken to remedy the data protection incident, and all other data specified in the law governing the data management.

Our company has concluded a data processing contract with the data processors in which the data processors undertake that in case they use further data processors, they will obligatorily use the data protection and data processing guarantees that are required from them by the data processing agreement, taking this into consideration we provide the legal processing of the personal data even in case of data processors.

III. STORAGE OF PERSONAL DATA, SAFETY OF THE DATA MANAGEMENT

The computing systems and other data retention locations of our company are located at the headquarters and on the servers rented by the data processor. Our company selects and manages the IT tools used to manage personal data for the provision of the service in a way that:

a) it is accessible for the authorized persons (availability);
b) its authenticity and certification is provided (credibility of data management);
c) its unchanged nature can be verified (data integrity);
d) it is protected from unauthorized access (confidentiality of data).

We pay particular attention to the security of the data, and we also take the technical and organizational measures and develop the procedures necessary to enforce the GDPR guarantees. We protect the data by appropriate measures, particularly against unauthorized access, modification, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and the unavailability due to the applied technology.

The IT system and network of our company and our partners is protected against computer-aided fraud, computer viruses, computer intrusions, and against attacks leading to a service denial. The operator also provides for the security through server-level and application-level security measures. The daily data backup is provided for. In order to avoid data protection incidents, our company will take all possible measures, in case such an incident occurs – according to our internal rules – we take immediate actions to minimize the risks and to remedy the damages.

IV. THE RIGHTS OF THE PARTIES CONCERNED, LEGAL REMEDY OPPORTUNITIES

The Party concerned may request information about the handling of his/her
personal data, may request the rectification of his/her personal data or – with the exception of the mandatory data handling – may request the deletion, cancellation of his/her data, he/she may use his/her right to transfer his/her data, to protest as indicated at the time of the recording of the data, and at the above contact details of data manager.

At the request of the person concerned, we provide the information in electronic format without delay, but no later than 30 days, in accordance with our applicable regulations. Requests for the fulfilment of the below rights are provided free of charge to the concerned persons.

Right to receive information:

Our company takes appropriate actions to ensure that we provide all the information as regards the handling of personal data to persons concerned as mentioned in Article 13. and 14. of the GDPR according to articles 15-22. and 34. in a concise, transparent, comprehensible and easily accessible form, in a clear and straightforward, but at the same time in a precise manner.

The right to receive information can be exercised in writing through the contact details given in point 1. At the request of the person concerned – after the verification of his/her identity – oral information may also be given. We inform our customers that in case the co-workers of our company have concerns about the identity of a concerned person, we may request information from him/her that is needed for the verification of his/her identity.

The right to access of the concerned person:

The person concerned has the right to be informed by the data manager about whether his/her personal data is being processed, or not. In case his/her personal data is being managed, the concerned person has the right to have access to his/her personal information and to the information listed below.

• The purposes of the data management;
• the categories of the personal data involved;
• recipients or recipient categories to whom the personal data has been or will be communicated, including in particular third (non-EU) country recipients or the international organizations;
• the intended duration of the storage of personal data;
• the right to correct or delete the data or to limit the data management;
• the right to file a complaint addressed to the supervisory authority;
• information about data sources; the fact of automated decision making, including the creation of a profile, as well as information about the logic applied and information about the significance of such data management, and about the consequences it may have for the person concerned.

In addition to the above, in case personal data is transferred to third countries or to an international organization the concerned person has the right to receive information about the guarantees of the data transfer.

The right for correction:

Under this law, anyone may request the correction of his/her inaccurate personal data processed by our company and the completion of incomplete data.

Right to delete:

The person concerned has the right, on any of the following grounds, to request from us the deletion of his/her personal data without undue delay:

a) personal data are no longer required for the purpose for which they have been collected or otherwise managed;
b) the party concerned withdraws his/her consent for the data management and
the data management has no other legal basis;
c) the party concerned is objecting the processing of his/her data and there is no primary legal basis for the data management;
d) the unlawful handling of personal data is the case;
e) personal data is to be deleted in order to comply with the legal obligation imposed on the data manager by the Union or by the Member State law;
f) the collection of the personal data is done in connection with the provision of information society services.

Deletion of the data cannot be requested if the management of the data is
required for the following purposes:

a) to exercise the right to freedom of expression and information gathering;
b) to meet the obligation to manage personal data under the law of the Union or of the Member States applicable to the data manager, or for the purpose of
processing data for public interest or for the purpose of doing a task within the framework of public authority permit issued for the data controller;
c) on the basis of public interest relating to public health or archiving, scientific and historical research purposes or for statistical purpose;
d) or for the submission, validation or protection of legal claims.

Right to restrict data management:

At the request of the person concerned, we restrict the processing of data in the cases mentioned in Article 18. of the GDPR, that is:

a) if the person concerned disputes the accuracy of the personal data, the restriction concerns the period of time which allows for checking the accuracy of the personal data;
b) if the data management is unlawful and the person concerned opposes the deletion of the data and, instead, he/she requests the restriction of the data management;
c) the data manager no longer needs the personal data for data processing, but the person concerned requires them to submit, enforce or protect legal claims; or
d) the person concerned objected the data management; in this case, the
restriction applies to the period of time that is needed to verify whether the legitimate reasons of the data manger prevail over the legitimate grounds of the person concerned.

If the data management is restricted, personal data with the exception of storage may be managed only with the consent of the person concerned or for the submission, validation or protection of legal claims or for the protection of the rights of other natural or legal persons, or for the public interest of the European Union or of a Member State. The concerned person must be informed of the discontinuation of the limitation of data handling in advance.

Right to data transfer:

The concerned person shall have the right to receive the personal data that he/she has provided to the data manger in a sectioned, widely used machinereadable format and to transfer such data to another data manager. Our company can execute such a request of the concerned party in word or excel format.

Right to object:

If the management of the personal data is done for direct business acquisition, the person concerned is entitled to object at any time the management of personal data relating to that purpose, including the creation of a profile, if such is related to direct business acquisition. In the event of the objection of the handling of personal data for direct business acquisition, the data cannot be managed for this purpose.

Automated decision-making in individual cases, including the creation of a profile:

The concerned person shall be entitled to be excluded from the scope of decision making based solely on automated data management – including the creation of a profile – that would have a legal effect on him/her, or would have a similarly significant effect on him/her. The above right does not apply if the data management

a) is necessary for the conclusion and performance of a contract between the concerned person and the data manager;
b) is based on a Union or Member State law applicable to the data manager,
which determines actions to be taken for the
c) protection of the legitimate interests of the data subject; or
d) is based on the express consent of the person concerned.

Right of withdrawal:

The person concerned has the right to withdraw his/her consent at any time. The withdrawal of the consent does not affect the lawfulness of the data management based on consent prior to the withdrawal.

Procedural rules:

Data manager informs the concerned person without undue delay, but in any
case within one month from the receipt of the request, on the measures taken on the basis of Articles 15-22. of the GDPR. If necessary, this deadline may be extended by two additional months taking into account the complexity of the application and the number of applications. Data manager shall inform the
person concerned about the extension of the deadline by indicating the reasons for the delay within one month counted form the receipt of the application.

If the person concerned has submitted the request electronically, the information will be provided electronically, unless the person concerned requests it otherwise.

In case the data manager fails to take action upon the request of the concerned person, he shall inform the person concerned without delay but not later than one month after the receipt of the request about the reasons for not complying with the request, and about the fact the concerned party may submit a complaint at the supervisory authority and may exercise his/her right to seek legal remedy at the court.

Data manager shall inform all recipients about all corrections, cancellations, or restrictions of the data management to whom he/she communicated personal data unless this proves impossible or would require disproportionate efforts. At the request of the concerned person, the data manager shall inform him/her about the recipients thereof.

Compensation and damages:

Any person who has suffered material or non-material damage as a result of the violation of the data protection regulation is entitled to receive compensation for the damage sustained from the data manager or the data processor. The data processor shall only be held liable for damages caused by the data management if he/she has failed to comply with the statutory obligations specifically imposed on the data processors or if he/she has disregarded the legitimate instructions of the data manager or acted contrary to it. If several data managers or several data processors or both the data manager and the data processor are involved in the same data handling, and are liable for the damage caused by the data handling, each data manager or data processor is jointly liable for the total damage.

The data manager or the data processor shall be exempt from the liability if he/she is able to prove that he/she is not liable in any way for the act giving rise to the damage.

Right to turn to court and the data protection authority procedure:

If the person concerned thinks that the data manager has violated his right to protect his/her personal data during his/her data management, he/she may seek legal remedy on the basis of the respective legal regulations from the competent authorities, as follows:

– may file a complaint to the Hungarian National Authority for Data Protection and Freedom of Information
address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.;
website: www.naih.hu;
e-mail address: ugyfelszolgalat@naih.hu;
phone: +36-1-391-1400
(hereinafter: “HNADPFI”);
– may turn to the competent court.
The court proceeds with the case out of turn.

ata manager undertakes to fully cooperate with the concerned court or the
HNADPFI in all these proceedings, and to provide the information needed about
the data management to the HNADPFI or to the court concerned.

V. MISCELLANEOUS PROVISIONS

The data manager undertakes to ensure that all data management related to his activity is in accordance with the requirements set out in this declaration, as well as in accordance with his internal regulations – making requirements that are similar to the contents of this very declaration – and in accordance with the respective legal regulations.

Data manager reserves the right to change this declaration at any time, provided that after the implementation of the changes, he informs the concerned person by means of a notice published on the website of the Hotel Forrás Zalakaros***.

Should you have any questions about the contents of this declaration, please send us an e-mail.

Last updated: 23.02.2019