Privacy Policy
This Privacy Policy (‘Policy’) informs data subjects with respect to the personal data processed in connection with the use of the website of the hotel operated by Data Controller, the reservation of hotel services and rooms, and the payment for the services rendered, requesting quotations, filling out registration sheets, subscribing to newsletters, maintaining a registry of lost and found items, the use of electronic surveillance system in accordance with Article 13 AND 14 of Regulation (EU) 2016/679 of the European Parliament and the Council (‘GDPR’).
Company name of the Data Controller: | Úri Hotel 39 Korlátolt Felelősségű Társaság |
Registered office: | HU-1037 Budapest, Montevideo u. 3/A |
Mailing address: | 1014 Budapest, Úri utca 39. |
E-mail address: | reservation@budacastlehotel.com |
Phone number: | +36 1 225 3878 |
Fax: | +36 1 225 3878 |
Website: | www.www.budacastlehotel.com |
Data Controller processes the data of the following persons (hereinafter as ‘Data Subject’) when pursuing the data processing purposes determined in the title: persons visiting the website of the hotel, persons subscribing to newsletters, guests requesting a quotation or making reservations, persons using the services of the hotel.
The Data Controller processes the following personal data of Data Subjects for the data processing purposes determined in the title:
Data Subject shall provide the personal data processed to the Data Controller through the hotel’s website, via the online booking system, while reserving rooms or requesting quotations, subscribing to newsletters, and by way of filling out the printed registration sheet.
The processing of the personal data is necessary for the preparation and performance of the contract for reserving accommodation (hereinafter: ‘Contract’).
The detailed conditions for providing the services under the Contract are specified in the General Terms and Conditions (hereinafter: ‘GTCs’) and the documents referred to therein.
Data Controller provides an online facility for reserving accommodation to ensure that the Data Subject may reserve his/her room in Buda Castle Fashion Hotel swiftly, conveniently and free of charge.
Controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purposes of data processing: to facilitate making reservations, making it free of charge and more efficient, to communicate with the guest making the reservation.
Legal ground of data processing: prior consent of the person making the reservation. By accepting this Policy, the Data Subject provides his/her explicit consent to the processing of his/her data under this clause.
The scope of the personal data processed: addressing; first and last name; residential address (country, postal code, city, street, house number;) telephone number; e-mail address; in case of economic operators the company name and registered office, bank card number, SZÉP card details (identifier, the name displayed on the card)
The duration of the processing: two years following the last day of the stay as recorded in the reservation. Engaging the services of a Data Processor: our company engages the services of a IT service provider for the online reservation system.
Name of the Data Processor | Registered office | Description of the Data Processing operations |
NetHotelBooking Kft. | H-8200 Veszprém, Boksa tér 1/A | Providing an opportunity for making reservations online, operating a pre-arrival e-mail module via the RESnWEB system |
By accepting this Privacy Policy, the Data Subject explicitly consents to the Data Processor’s engaging the services of further data processors in order to provide a more convenient and customized service in accordance with the followings:
Name of the further data processor | Registered office | Description of the Data Processing operations |
The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | The owner of the Mandrill software integrated in the booking system. This software is responsible for sending automated emails that display confirmations and notifications in case of making reservations, quotations and when conducting satisfaction surveys. |
Oracle Hungary Kft. | H-1095 Budapest, Lechner Ödön fasor 7. | Performing client management operations when using the Opera Front Office hotel management system |
BIT SOFT HU Kft. |
H-1108 Budapest, Bányató u. 13. |
Performing client management operations when using the Opera Front Office hotel management system |
BIG FISH Payment Services Kft. |
H-1066 Budapest, Nyugati tér 1-2 |
Carrying out the data communication required for the payment transactions between the merchant and the payment service provider systems, providing retrievability of transactions for partner merchants |
OTP Mobil Szolgáltató Kft. |
H-1093 Budapest, Közraktár u. 30-32. |
Carrying out the data communication required for the payment transactions between the merchant and the payment service provider systems, providing customer service support to users, confirmation of transactions and fraud-monitoring carried out for the protection of the users. |
Creative Management Kft. |
H-8200 Veszprém, Boksa tér 1/A |
Performing server hosting operations |
*The registered office of the Data Processor is located in the United States, therefore data transferred to it is regarded as a data transfer to a third country. However, The Rocket Science Group voluntarily joined the Privacy Shield Agreement concluded by the European Union and the United States government, undertaking to provide a high level protection of the personal data, therefore there is no further legal obstacle in the way of data transfers.
Potential consequences of failing to provide the data:
Considering the fact that the Data Controller cannot prepare, conclude or complete the Contract without the above personal data, the Data Subject shall be obliged to provide the Data Controller with such personal data. Should the Data Subject fail to provide such data, the Data Controller shall be entitled to refuse the conclusion or the completion of the Contract.
The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)
Other information in connection with data processing:
Our company concluded a data processing contract for data processing operations in which NetHotelBooking Kft., when engaging further data processors, shall apply the same data protection and data processing safeguards that it is bound by under the data processing contract, therefore we ensure that the processing of the personal data is lawful even in the case of the data processor.
Data Controller communicates with its guests via newsletters, recommending its services to them and notifying them about the news and the promotions related to its operations.
Controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purposes of data processing: communicating with potential guests
Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR
Determining legitimate interests: maintaining and developing business relations with partners and guests
Scope of personal data processed: name, e-mail address
Duration of data processing: our Company processes e-mail addresses until they are unsubscribed from the newsletters.
Engaging the services of a Data Processor: our company engages the services of an informatics service provider for the sending of newsletters.
Name of the Data Processor | Registered office | Description of the Data Processing operations |
Wanadis Kft. |
H-1112 Budapest, Budaörsi út 153. |
Storing the newsletter mailing database |
By accepting this Privacy Policy, the Data Subject explicitly consents to the Data Processor’s engaging the services of further data processors in order to provide a more convenient and customized service in accordance with the followings:
További adatfeldolgozó neve | Registered office | Description of the Data Processing operations |
The Rocket Science Group, LLC | 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA |
Operating a newsletter mailing system |
Potential consequences of failing to provide the data: The Data Subject does not receive newsletters from our Company.
The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)
You may unsubscribe from the newsletter by sending an e-mail to our Company to info.zalakaros@parkinn.com or by clicking on the unsubscribe icon within the newsletter. In such a case, we will immediately delete your e-mail address from our database.
Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.
Our company concluded a data processing contract for data processing operations in which NetHotelBooking Kft., when engaging further data processors, shall apply the same data protection and data processing safeguards that it is bound by under the data processing contract, therefore we ensure that the processing of the personal data is lawful even in the case of the data processor.
In the interest of providing a customized service, Data Controller saves a small data package, a so-called cookie, on the user’s computer which it retrieves during subsequent visits. When the browser sends back a cookie saved earlier, the operator managing that cookie will be able to link the current visit of the user to his/her previous visits, but only in connection with its own content.
Purposes of data processing: identification, tracking of and distinguishing users, identification of current user sessions and the storing of the data provided in the meantime, prevention of data loss, web analytics measurements, personalized service.
Legal ground of data processing: the consent of the Data Subject.
Scope of personal data processed: unique identification number, dates and times and previously visited pages. Duration of data processing: max. 90 days
Name of the Data Processor | Registered office | Description of the Data Processing operations |
Viacom Kft. |
H-2360 Gyál, Deák Ferenc utca 17. |
Operating the website |
Further information in connection with data processing: The user may delete the cookie from his/her computer or may ban the use of cookies in his/her browser. Cookies can usually be managed in the Tools/Settings menu of the browsers under the Privacy/History/Preferences menu, under the name of ‘cookie’ or ‘tracking’.
Potential consequences of failing to provide the data: the use of the service may not be possible in respect of the services described in points 2-5 above.
Upon visiting the www.budacastlehotel.com website, the webserver automatically logs the activity of the user.
Purposes of data processing: in order to control the operation of the services and to prevent abuse, the Service Provider records the visitors’ data during their visit to the website.
Legal ground of data processing: Article 6 (1) f) of the GDPR. The secure operation of the website is the legitimate interest of our Company.
Scope of personal data processed: identification number, dates, times, the URL of the pages visited. Duration of data processing: max. 90 days
Name of the Data Processor | Registered office | Description of the Data Processing operations |
NetHotelBooking Kft. |
H-8200 Veszprém, Boksa tér 1/A |
Recording visitors’ data and the information required for the operation of the server |
Viacom Kft. |
H-2360 Gyál, Deák Ferenc utca 17. |
Operating the website |
Viacom Kft. |
H-2360 Gyál, Deák Ferenc utca 17. |
Webhosting service |
Additional information: our Company does not link the data acquired during the analysis of the log files to any other information, it does not aim to identify the user. The URL of the pages visited, and the dates, times alone are not suitable for the identification of the Data Subject, however, when linked to other data (e.g. provided during registration) they become suitable for being used to draw conclusions relevant to the user.
Data processing related to logging by third-party service providers: The HTML code of the portal contains links from and to third-party servers independent from our Company. The third-party server is directly connected to the device of the user. We would like to advise our visitors that the providers of such links may collect user data (e.g. IP address, browser and operating system data, mouse pointer positions, the URL of the visited pages and the date of the visits) because of the direct connection to their servers and the direct communication with the user’s browser. An IP address is a numerical sequence which allows to unambiguously identify the computers and mobile devices of users going on the Internet.
An IP address may allow a visitor using a particular computer to be geographically localized, too. The URL of the pages visited, and the dates, times alone are not suitable for the identification of the Data Subject, however, when linked to other data (e.g. provided during registration) they become suitable for being used to draw conclusions relevant to the user.
The hotel requests guests to fill out a registration sheet when checking in, which contains the personal data of the guests. The data provided on the registration sheet are stored in the hotel software and in paper form.
Controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purposes of data processing: communicating while the guest is staying at the hotel, communicating after their departure, sending birthday greetings, distinguishing between guests, supporting the reporting of tourist tax, managing the frequent guest program, statutory obligations.
Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR
Scope of personal data processed: name, e-mail address, telephone number, date of birth, residential address, license plate number, room number, date of arrival/departure, data of accompanying persons, newsletter subscriptions, payment method.
Duration of data processing: On the registration sheet, the guest grants his/her consent to the storing of his/her personal data, the hotel stores the data for a period of 8 years after the consent is provided.
Engaging a Data Processor: Opera 5.5 E17 Front Office software for hotels
Name of the Data Processor | Registered office | Description of the Data Processing operations |
Oracle Hungary Kft. |
H-1095 Budapest, Lechner Ödön fasor 7. |
Storing the data of guests / Data Subjects |
BIT SOFT HU Kft. |
H-1108 Budapest, Bányató u. 13. |
Storing the data of guests / Data Subjects |
Potential consequences of failing to provide the data: The Data Subject cannot occupy his/her room.
In addition, during check-in, the hotel is obliged to record and transmit the guests’ statutory personal data to the Guest Information Closed Database (VIZA) system via the accommodation management software’s document reader. The scanned data is encrypted and transmitted by the approved accommodation management software’s document reader. Any data found unreadable by the document reader or, which is scanned incorrectly shall be recorded by the hotel in the accommodation management software using manual data entry. The data then are transmitted to VIZA system by the hosting module integrated in the hotel management software.
The controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purpose of data processing: By law the encrypted data stored in the VIZA system can only be searched by police using IT tools. Searches may be carried out for the purposes of law enforcement, crime prevention, protection of public order, public security, order maintenance at the state border, protection of the rights, safety and property of the data subject and others, and conduct of wanted persons proceedings. On the search, the police may obtain information from the accommodation provider only and exclusively with respect to where the person they have specified as the subject of the search stayed at, when they arrived, and when they are expected or depart. Subsequently, the police may also request the transmission of other data processed by the accommodation provider, stating the purpose of the request, and the accommodation provider will provide the data free of charge.
Legal basis for data processing: the amendment to Act CLVI of 2016 on the State’s Responsibilities Regarding the Development of Tourism Regions, which entered into force on 1 January 2021.
Scope of personal data processed:
– First name and surname
– First name and surname at birth*
– Place and date of birth;
– Mother’s maiden name and surname at birth *;
– Citizenship*
– Gender*
– Type of personal identification document or passport
– Document identification number
– Visa or residence permit number**
– Date of entry**
– Place of entry**
In addition, the following data will be recorded in the software by the hotel:
– Address of the accommodation service;
– The address of the accommodation service.
* record only the one of these included in the document presented by the guest
** where relevant
The devices used by the hotel and the VIZA system do not store images of scanned documents.
According to the laws in force in Hungary, it is compulsory for all citizens, regardless of their age, to have an official identity document (identity card, passport or driving licence in card format), which must be presented and scanned during check-in. The guest using the accommodation service shall present his/her identity document to the hotel for the purpose of data recording. The details of children under 14 must also be recorded, but this can be done on the basis of a declaration by the representative, and it is not necessary to ask for the document of the child under 14 and record its identification.
Duration of data storage:
The hotel will store the guest’s data as defined by law in the accommodation management software until the last day of the first year following the date on which the data was recorded. The VIZA system will keep the data transmitted to it for a maximum of two years.
The hosting provider designated by the Government is the Hungarian Tourism Agency (MTÜ). The hosting functions introduced by the amendment are performed by the Guest Information Closed Database (VIZA) system.
Possible consequences of failure to provide the data: the hotel is obliged to refuse to provide accommodation if the requested document is not presented.
The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)
Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.
Our company concluded a data processing contract for data processing operations in which Oracle Hungary Kft. and BIT SOFT HU Kft., when engaging further data processors, undertake to apply the same data protection and data processing safeguards that they are bound by under the data processing contract, therefore we ensure that the processing of the personal data is lawful even in the case of the data processor.
The MTÜ operating the VIZA system:
– manages the guest data exclusively on the basis of the hotel’s instructions, and may only carry out operations in connection with them in accordance with § 14 of the Government Decree 235/2019 (X.15.) on the implementation of the Tourism Act and the Act on the State’s Responsibilities Regarding the Development of Tourism Regions,
– shall ensure that its employees performing the tasks related to the functions of the tourism hosting service provider are bound by non-disclosure acts with regard to guest data.
– shall implement appropriate technical and organisational measures, taking into account the state of the art and the cost of implementation, the nature, scope, circumstances and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, in order to guarantee a level of data security appropriate to the level of risk by encrypting the data and thereby ensuring that its employees do not have access to guest data.
– the accommodation provider shall not use any other data processor without prior written authorisation, either ad hoc or general.
– assist the accommodation provider, to the extent possible, in fulfilling its obligations relating to the exercise of the rights of the data subject with appropriate technical and organisational measures, taking into account the nature of the processing.
– assist the accommodation provider in taking into account the nature of the processing and the information available to the processor, to fulfil its obligations regarding the security of processing and the handling of possible incidents.
– act on the guest data and copies thereof after the termination of the data-processing relationship, as determined by the accommodation provider, unless the accommodation provider is required by law or by a binding legal act of the European Union to continue to store the guest data.
– provide the accommodation provider with all information necessary to verify the fulfilment of the obligations laid down in the data-processing relationship and to enable and facilitate any checks, including on-site inspections carried out by the accommodation provider or by a person authorised by the accommodation provider.
– inform the accommodation provider without delay in case the agency perceives any of the providers ’instructions infringe effective data protection regulations.
The hotel may sell its rooms via the telephone, after which it requests a written order from the guests. The hotel records reservations made on the telephone, together with the data of the person making the reservation, using the hotel’s software.
Controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purposes of data processing: making room reservations.
Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR
Scope of personal data processed: name, telephone number, e-mail address.
Duration of data processing: The hotel stores the data for a period of 8 years after the consent is provided.
Engaging a Data Processor:
Name of the Data Processor | Registered office | Description of the Data Processing operations |
Oracle Hungary Kft. | H-1095 Budapest, Lechner Ödön fasor 7. | Storing the data of guests / Data Subjects |
BIT SOFT HU Kft. | H-1108 Budapest, Bányató u. 13. | Storing the data of guests / Data Subjects |
Potential consequences of failing to provide the data: The reservation is not created.
The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)
Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.
Our company concluded a data processing contract for data processing operations in which Oracle Hungary Kft. and BIT SOFT HU Kft., when engaging further data processors, undertake to apply the same data protection and data processing safeguards that they are bound by under the data processing contract, therefore the processing of the personal data is lawful even in the case of the data processor.
The hotel maintains a registry of the items found in the rooms and the community areas after the departure of the guests.
Controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purposes of data processing: maintaining a registry of lost and found items, notifying guests, returning found items
Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR
Scope of personal data processed: room number, name, denomination and date of found item
Duration of data processing: the hotel stores the found items for 6 months i.e. it stores the data relating to such items for 6 months after they have been entered on the list. If a found item is collected by its owner, the data will be deleted, as well.
The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)
Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.
Data Controller communicates with guests and interested persons via the e-mail addresses used by the Data Controller.
Controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purposes of data processing: communication with the guests
Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR
Scope of personal data processed: name, e-mail address, content of the e-mail.
Duration of data processing: 5 years
Engaging a Data Processor:
Name of the Data Processor | Registered office | Description of the Data Processing operations |
Creative Management Kft. |
H-8200 Veszprém, Boksa tér 1/A |
Providing online storage |
Microsoft Magyarország Kft. |
H-1031 Budapest, Graphisoft Park 3. |
Maintaining the e-mailing software on the workstations |
The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)
Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.
Our company concluded a data processing contract for data processing operations in which Microsoft Magyarország Kft. and Creative Management Kft., when engaging further data processors, undertake to apply the same data protection and data processing safeguards that they are bound by under the data processing contract, therefore the processing of the personal data is lawful even in the case of the data processor.
The guests can pay in cash, with gift vouchers, SZÉP cards, Erzsébet vouchers and by bank cards.
Controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purposes of data processing: issuing an invoice for the services rendered
Legal ground of data processing: the voluntary consent of the Data Subject
Scope of personal data processed: the name, address, list of services, total amount, method of payment, date of issue, date of performance displayed on the invoice
Duration of data processing: 8 years
Engaging a Data Processor:
Name of the Data Processor | Registered office | Description of the Data Processing operations |
SIX Payment Services (Europe) S.A. | 10, rue Gabriel Lippmann, L-5365 Munsbach | In the case of card payments, the identifier, amount, date |
Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.
A security camera footage is recorded in the premises of the Buda Castle Fashion Hotel.
Security camera footages are recorded in the park, car park, indoor community areas, service areas of the hotel. Only the authorized appointed personnel have right to access and view the camera footages.
Controller of personal data: Úri Hotel 39 Kft., HU-1037 Budapest, Montevideo u. 3/A
Purposes of data processing: facilitating the security of the guests and the staff, protecting values, providing evidence as proof of violations, clarifying disputed issues.
Legal ground of data processing: the voluntary consent of the Data Subject by entering the premises.
Duration of data processing: 7 days
Name of the Data Processor | Registered office | Description of the Data Processing operations |
Gránit-Őr Kft. |
H-8808 Nagykanizsa, Felsőerdő u. 99. |
Maintenance of the camera system |
MITAX Kft. |
H-1141 Budapest, Mogyoródi u. 147/A |
Maintenance of the camera system |
Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.
Our company concluded a data processing contract for data processing operations in which Gránit-Őr Kft. and Mitax Kft., when engaging further data processors, undertake to apply the same data protection and data processing safeguards that they are bound by under the data processing contract, therefore the processing of the personal data is lawful even in the case of the data processor.
We provide information on any data processing not listed in this Policy when the data is collected. We would like to inform our Customers that certain public authorities or bodies, courts may request our Company to disclose personal data. Our Company shall only disclose personal data to such bodies – if the body involved has determined the exact purpose and the scope of the data – if and to the extent it is absolutely necessary for the realization of that particular request and if compliance with such request is required by law.
The processing of personal data is based on the Data Subject’s consent (freely given, specific, informed and unambiguous indication of the data subject’s wishes). Data Subject shall grant his/her consent by
The granting of the consent is voluntary, and the Data Subject shall be entitled to withdraw his/her consent at any time without limitation by sending a notice to the Data Controller. The Data Subject may send the notice to any of the contact details specified in Section 1 of this Policy.
The withdrawal of the consent shall not have consequences on the Data Subject. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.
Before fulfilling the request, the Data Controller may request the Data Subject to specify the content of the request, the requested information and/or the exact indication of the data processing activities.
If the right of access by the Data Subject may result also in a realisation of damage or interference with the rights and freedoms of other natural persons, in particular the business secrets and intellectual property of others, the Data Controller is entitled to refuse to fulfill the request in a necessary and proportionate manner.
Should the Data Subject request the above information in more than one copy, the Data Controller is entitled to charge the Data Subject with the reasonable and proportionate administrative fee for the preparation of extra copies.
If the Data Controller does not process the personal data indicated by the Data Subject, the Data Controller shall inform the Data Subject thereof in writing.
The Data Subject is entitled to request the rectification of his/her personal data. If the personal data of the Data Subject are incomplete, the Data Subject may request the completion of his/her personal data.
When exercising the right to rectification or correction, the Data Subject shall indicate which data are incorrect or incomplete, and shall inform the Data Controller of the accurate and complete data. In justified cases, the Data Controller may invite the Data Subject to demonstrate the validity of the corrected data for the Data Controller in an appropriate manner – primarily with an official document.
The Data Subject shall perform the rectification or completion of data without undue delay.
After fulfilling the Data Subject’s request to enforce his/her right to rectification, the Data Controller shall immediately inform thereof the persons to whom it has disclosed the personal data of the Data Subject, provided that it does not prove to be impossible or does not involve a disproportionate effort on behalf of the Data Controller. The Data Controller shall inform the Data Subject about those recipients if the Data Subject requests it.
The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay if any of the following reasons apply:
The Data Subject shall submit his/her request concerning the erasure in writing and shall indicate which personal data he/she wishes to be erased.
If the Data Controller approves the Data Subject’s request concerning the erasure, then it shall erase the processed personal data from all of its databases, and shall inform the Data Subject thereof in an appropriate manner.
Where the Data Controller is obliged to erase the personal data of the Data Subject, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who have become aware of the Data Subject’s personal data due to their publication. In its information, the Data Controller shall inform other controllers that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
After fulfilling the Data Subject’s request to enforce his/her right to erasure, the Data Controller shall immediately inform thereof the persons to whom it has disclosed the personal data of the Data Subject, provided that it does not prove to be impossible or does not involve a disproportionate effort on behalf of the Data Controller. The Data Controller shall inform the Data Subject about those recipients if the Data Subject requests it.
The Data Controller is not obliged to erase the personal data if the data processing is necessary:
The Data Subject shall have the right to obtain from the Data Controller the restriction of the processing of personal data concerning him or if any of the following reasons apply:
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The Data Controller shall inform the Data Subject before the restriction of processing is lifted.
After fulfilling the Data Subject’s request to enforce his/her right to restriction of data processing, the Data Controller shall immediately inform thereof the persons to whom it has disclosed the personal data of the Data Subject, provided that it does not prove to be impossible or does not involve a disproportionate effort on behalf of the Data Controller. The Data Controller shall inform the Data Subject about those recipients if the Data Subject requests it.
Considering the fact that the Data Controller does not perform data processing in the public interest, there is no official authority vested in the Data Controller, it does not carry out scientific or historic research, and the data processing is not carried out for statistical purposes, the exercise of the right to object may arise in the case of data processing based on its legitimate interest.
If the processing of the Data Subject’s personal data is based on the legitimate interest of the Company, it is an important safeguard provision that the Data Subject shall have the right to appropriate information and shall be able to exercise his/her right to object. Such right shall be communicated to the Data Subject no later than a the time of the first contact.
Based on the above the Data Subject is entitled to object to the processing of his/her personal data, and in such cases, the Data Controller may not continue to process the personal data of the Data Subject, unless
Where personal data are processed for the purposes of direct marketing, the Data Subject should have the right to object to such processing, and contrary to the cases where data processing is based on the legitimate interest of the Data Controller, the Data Controller may not have right to decide whether it may continue the processing of personal data after the Data Subject’s objection.
If the Data Subject objects to the processing of personal data for the purposes of direct marketing, then the Data Controller may not continue to process the data of the Data Subject.
Profiling consists of any form of automated processing of personal data evaluating the personal aspects relating to Data Subjects. Such evaluations may be used to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The right to object covers profiling based on legitimate interest as specific data processing operation. If profiling is carried out for direct marketing purposes, then after the Data Subject’s objection, profiling based on his/her personal data shall be immediately terminated.
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller.
Right to data portability may be exercised in the case of personal data which have been provided by the Data Subject to the Controller, and
If technically feasible, at the Data Subject’s request, the Data Controller shall transfer the personal data directly to another controller specified by the Data Subject in his/her request. The right to data portability under this section does not give rise to any obligation according to which data controllers shall introduce or maintain technically compatible data processing systems.
Within the framework of data portability, the Data Controller shall provide the Data Subject with the data carrier free of charge.
If the Data Subject’s right to data portability may result also in a realisation of damage or interference with the rights and freedoms of other natural persons, in particular the business secrets and intellectual property of others, the Data Controller is entitled to refuse to fulfill the request in a necessary manner.
Measures taken within the framework of data portability do not include the deletion of data, the Data Controller stores such data until the Data Controller has an appropriate purpose or legal ground for data processing.
The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The Data Subject shall not have the right to request exemption from being subject to a decision solely based on automated processing, if the decision is necessary for the conclusion or completion of contract, is allowed by EU or Member State law, or is based on the Data Subject’s explicit consent.
If the automated processing is necessary for the conclusion or completion of the contract, or is based on the Data Subject’s consent, then the Data Subject is entitled to obtain human intervention, to express his or her point of view, to challenge the decision.
During its data processing activities, the Data Controller take all reasonable efforts to avoid the inclusion of special categories of personal data to automated decision-making. If this cannot be avoided, then automated decision-making may be carried out with respect to special categories of personal data only if data processing is based on the Data Subject’s consent, or is necessary for reasons of substantial public interest, on the basis of Union or Member State law, and appropriate measures have been taken in order to protect the rights of the Data Subject.
If the Data Subject considers that the processing of personal data relating to him or her carried out by the Data Controller infringes data protection laws, in particular the provisions of the GDPR, the Data Subject shall have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.
Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
Webpage: http://naih.hu/
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mailing address: H-1530 Budapest, Pf.: 5.
Phone No.: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu
The Data Subject shall also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.
The Data Subject may initiate legal actions – regardless of his or her right to lodge a complaint, if during the processing of his or her personal data, his or her rights under the GDPR have been infringed.
Legal actions against the Data Controller as data controller having a place of operation in Hungary may be initiated at Hungarian courts.
The Data Subject may initiate legal actions at the court of his or her habitual residence in accordance with Section 22 (1) of Act CXII of 2011. The contact details of the Hungarian courts may be available at the following link: http://birosag.hu/torvenyszekek.
For proceedings against the Data Controller, the Data Subject should have the choice to bring the action before the courts of the Member States where the Data Subject resides, if the place of residence of the Data Subject is in another Member State, considering the fact that the Data Controller is not a public authority of a Member State acting in the exercise of its public powers.
The data subject shall have the right to mandate a not-for-profit organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to initiate judicial review against the decision of the supervisory authority, and to exercise the right to receive compensation on his or her behalf.
Where the Data Controller has reasonable doubts concerning the identity of person making the request under Sections 3.1.–3.8. of this Policy , the Data Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.
The Data Controller reserves the right to modify this Policy at any time. The Data Controller shall inform the Data Subject of the modification no later than 8 days before its entry into force.
Budapest, 27. August 2020
Úri Hotel 39 Kft.
Represented by:
Gabor Leitner