PRIVACY POLICY – KőSZIKLA GUESTHOUSE
(2623. Kismaros Őz utca 3.)
Private accommodation provider (Papp Levente tax number: 58481079-1-33, registered office: 2623 Kismaros, Őz utca 3., email: info@kosziklavendeghaz.hu, hereinafter: Data Controller, Accommodation Provider) is committed to ensuring that visitors to the Website (hereinafter : Data subjects) respect their right to privacy and their right to the protection of their personal data, and in the course of its operation comply with the data protection regulation of the European Union (hereinafter: GDPR), the Hungarian Data Protection Act (hereinafter: Infotv.) and other legislation, as well as guidelines and act in accordance with established data protection practice, taking into account the most important international recommendations related to data protection.
The accommodation service provider, as Data Controller, acknowledges the content of this legal notice as binding on itself. It undertakes to ensure that the data management related to its services meets the requirements set out in this information sheet and the applicable legislation. The concepts used in the Information correspond to the concepts defined in Infotv. and the GDPR regulation, and their interpretation.
THE DATA MANAGEMENT ACTIVITY OF THE ACCOMMODATION PROVIDER IS IN ACCORDANCE WITH THE FOLLOWING LAWS RELATING TO DATA PROTECTION
- Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) – on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, as well as Regulation 95/46/EC in force its externalization (General Data Protection Regulation, GDPR);
- CXII of 2011 Act – on the right to self-determination of information and freedom of information (Infotv.)
- Act V of 2013 – on the Civil Code (Ptk.)
Personal data can be processed if the Data Subject has given his consent to the processing of his personal data for one or more specific purposes;
- data management is necessary to fulfill a contract in which the Data Subject is one of the parties, or it is necessary to take steps at the Data Subject’s request prior to the conclusion of the contract;
- data processing is necessary to fulfill the legal obligation of the Data Controller;
- data management is necessary to protect the vital interests of the Data Subject or another natural person;
- data management is in the public interest or is necessary for the execution of a task performed in the framework of the exercise of public authority granted to the Data Controller;
- data management is necessary to enforce the legitimate interests of the Data Controller or a third party.
DATA MANAGEMENT PURPOSES
- in the event of contact initiated by visitors, identifying the Data Subjects and ensuring the possibility of informing and maintaining contact with them (sending newsletters);
- ensuring the safe use and technical operation of the Website and its control.
- in the case of a reservation, identification of the contracting party, processing of the reservation.
- in order to use the accommodation service, as well as the provision of NTAK\VISA data required by law, it is necessary to identify the guest and to record the guest data upon arrival. More information: https://vizainfo.hu/vendegek
We would like to inform you that in connection with functions invited using the icons of external service providers appearing on the website (Facebook, Twitter, Linkedin, Instagram), the accommodation service provider does not perform data management activities, in these cases the Data Controller is the external company providing the service.
LEGAL BASIS OF DATA MANAGEMENT
- the legal basis for the processing of data generated during contact initiated by the visitor and subscription to the newsletter is Article 6, point 1 a) of the GDPR, i.e. the Data Subject’s consent;
- the data related to the secure technical operation of the Website, which ensure it – including the IP address of the visitors – are treated on the legal basis of legitimate interest.
- in the case of a reservation, GDPR Article 6, 1. b), i.e. data processing is necessary to fulfill a contract in which the data subject is one of the parties, or it is necessary to take steps at the request of the data subject prior to the conclusion of the contract
- The legal basis for the data processing required for data provision is Article 6, point 1 c) of the GDPR, i.e. the data processing is necessary to fulfill the legal obligation of the data controller;
SCOPE OF MANAGED DATA
- When using the contact initiation form, the name; phone number; we manage e-mail address data.
- During the operation of the Website, we treat the IP address of the computer or mobile device of the visitors (Data Subjects) and the approximate geographical location that can be inferred from it as technical data (logging); operating system type, features and version number; browser type and version number; activity on the Website; the exact time of the visit; time spent on the Website; the use of the function or service used on the Website; we can also create cookies on the Data Subject’s device.
- In case of reservation
the name, address, telephone number and e-mail address of the person making the reservation.
- When the guest checks in, the accommodation provider uses the document reader to record the following data via the accommodation management software in the storage provided by the accommodation provider designated by the Government Decree: surname and first name; surname and first name at birth; place and time of birth; gender; his nationality; his mother’s birth surname and first name; the identification data of the document suitable for personal identification or travel document (in the case of a guest over the age of 14). In the case of guests under the age of 14, the accommodation may also record the listed data based on the statement of its representative (e.g. parent, guardian).
DURATION OF PERSONAL DATA STORAGE
- The data generated in the case of contact initiated by the visitor or subscription to the newsletter will be processed until the consent is revoked.
- The data related to the secure technical operation of the website, including the visitors’ IP addresses, will be kept for 1 month.
- The retention period for the data provided by the person making the reservation during the reservation is 8 years after the year of acceptance of the annual report of the contract and, in the case of accounting documents, the accounting document related to the contract, for the year following the issuance of the accounting document, based on Section 169 (2) of the Accounting Act.
RECIPIENTS OF PERSONAL DATA AND CATEGORIES OF RECIPIENTS
Users of the Data Manager and Data Processing Accommodation service providers who carry out partnership and customer service activities and are authorized to do so, their IT staff in the case of data related to technical operation.
REQUIRED DATA PROCESSORS
The operator of the Vendégem Szálláshely application is Magyar Turisztikai Ügynökség Zrt. (head office: 1027 Budapest, Kacsa utca 15-23., tax number: 10356113-4-41)
The hosting provider of the website and booking system is Sybell Informatika Kft. (head office: 1158 Budapest, Késmárk u. 7/B II. em. 206., tax number: 25859502-2-42)
Billingo Technologies Zrt., invoicing software operator (head office: 1133. Budapest, Árbóc utca 6., tax number: 27926309-2-41)
USE OF COOKIES
Like other similar commercial websites, the Accommodation service provider uses the usual technology called cookies, as well as the technical log files of the web server, in order to obtain information about how the Data Subjects use the Website.
The use of cookies and web server log files enables the accommodation service provider to check website traffic and adapt the website content to your personal needs.
A cookie is a small information package (file) that often carries an anonymized unique identifier. When you visit a website, the website asks your computer for permission to store this file in an area of your computer’s hard drive specifically designated for storing cookies.
Each website you visit can send a cookie to your computer if the browser settings you use allow it. However, in order to protect your data, your browser only allows the given website to access the cookies that the given website sent to your computer, i.e. a website cannot access cookies sent by other websites. Browsers are usually set to accept cookies.
However, if you do not wish to receive cookies, you can set your browser to reject cookies. In this case, it is possible that some elements of the Website will not work effectively when you browse the Website. Cookies cannot obtain other information from your computer’s hard drive and do not carry viruses.
More information:
https://support.google.com/analytics/topic/2919631?hl=hu&ref_topic=1008008
SECURITY OF THE DATA HANDLED BY US
The Accommodation service provider takes care of the appropriate data backup of the IT data and the technical environment of the Website, which it operates with the necessary parameters based on the retention period of the individual data, thereby guaranteeing the availability of the data within the retention period, and permanently destroys them at the end of the retention period.
Incidents involving personal data detected during its operation or reported to it are investigated in a transparent manner, according to responsible and strict principles, within 72 hours. Handles and registers incidents that occur.
INFORMATION REGARDING THE RIGHTS OF THE PERSONS INVOLVED
The rights you have in relation to data management are as follows:
RIGHT TO TRANSPARENT INFORMATION:
You have the right to receive information about the facts and information related to data management before data management begins. In order to ensure this right, we have created this Data Management Notice.
ACCESS RIGHTS OF THE DATA PARTICIPANT:
The Data Subject has the right to receive feedback from the Data Controller as to whether his personal data is being processed and if such data processing is in progress, you are entitled to access the following:
- to the managed personal data and the category of personal data, the purpose of the data management
- to the recipients or the category of recipients to whom the personal data has been disclosed or will be disclosed by the Data Controller,
- for the planned period of storage of personal data or, if this is not possible, for the criteria for determining this period.
RIGHT TO CORRECTION:
The data subject may request that the accommodation service provider corrects or completes his/her personal data that is incorrect, inaccurate or incomplete. Before correcting the erroneously entered data, the Accommodation service provider may examine the reality and accuracy of the data concerned.
RIGHT OF WITHDRAWAL:
The Data Subject has the right to withdraw his consent at any time in the case of data processing based on his consent, which does not affect the legality of the data processing carried out on the basis of consent before the withdrawal.
THE RIGHT TO DELETE („THE RIGHT TO BE FORGOTTEN”):
The data subject has the right to request that the Data Controller delete personal data concerning him without undue delay, and the Data Controller is obliged to do so. You are not entitled to this right in the case of data processing based on a legal obligation.
THE RIGHT TO LIMIT DATA PROCESSING (BLOCKING RIGHT):
The Data Subject is entitled to request that the Data Controller restrict data processing in the following cases:
- if the Data Subject disputes the accuracy of the data management, in this case the limitation applies to the period that allows the data controller to check the accuracy of the personal data,
- if the data management is illegal and the Data Subject opposes the deletion of the data and instead requests the restriction of its use,
- if the Data Controller no longer needs the personal data for the purposes of data management, but the Data Subject requires them to present, enforce or defend legal claims,
- if the Data Subject objected to data processing, in this case the restriction applies to the period until it is determined whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the data subject.
THE RIGHT TO DATA PORTABILITY:
The Data Subject has the right to receive the personal data relating to him/her provided to the Data Controller in a segmented, widely used, machine-readable format, and is also entitled to transmit this data to another data controller without being hindered by the data controller, to whom you provided the personal data. The Data Subject has the right to data portability if:
- the data processing is based on the consent of the data subject, or on the consent given to the processing of special categories of personal data for one or more specific purposes, or on a contract pursuant to Article 6 (1) point b) of the GDPR, and
- data management is automated.
THE RIGHT TO OBJECT:
The Data Subject has the right to object to the processing of his personal data at any time for reasons related to his own situation, if the data processing is in the public interest or is necessary for the execution of a task carried out in the framework of the exercise of a public authority vested in the data controller, or the data processing is for the enforcement of the legitimate interests of the data controller or a third party necessary, including profiling. The Data Controller shall not terminate the data processing based on the objection, if the data processing is justified by compelling legitimate reasons that take priority over the interests, rights and freedoms of the data subject, or which are related to the submission, enforcement or defense of legal claims.
AUTOMATED DECISION-MAKING IN INDIVIDUAL CASES, INCLUDING PROFILING:
The data subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have a legal effect on him or affect him to a similar extent. Data controllers do not use automated decision-making.
NOTIFICATION OF THE DATA PROTECTION INCIDENT:
If a potential data protection incident is likely to result in a high risk to your data, rights and freedoms, the Data Controllers will inform you of the data protection incident without undue delay.
THE RIGHT TO COMPLAINT WITH THE SUPERVISORY AUTHORITY:
If the Data Subject has a complaint regarding the handling of his personal data, in order to handle the case more quickly and efficiently, he should contact the Data Controller before submitting the complaint and submit a request to exercise the relevant data subject’s right.
You have the right to complain to a supervisory authority if, in your opinion, the handling of personal data violates data protection legislation.
NATIONAL DATA PROTECTION AND FREEDOM OF INFORMATION AUTHORITY
Headquarters: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363
Budapest, Pf.: 9.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Short name of office storage: NAIH
Office gate ID (KR ID): 429616918
THE RIGHT TO AN EFFECTIVE COURT REMEDY AGAINST THE SUPERVISORY AUTHORITY:
You are entitled to an effective judicial remedy against the legally binding decision of the supervisory authority regarding you.
THE RIGHT TO AN EFFECTIVE COURT REMEDY AGAINST THE DATA CONTROLLER OR DATA PROCESSOR:
Without prejudice to the right to file a complaint, the Data Subject is entitled to an effective judicial remedy by initiating a civil lawsuit if, in his opinion, his rights have been violated as a result of inappropriate handling of his personal data. The adjudication of the lawsuit falls under the jurisdiction of the Capital District Court, but the person concerned may, according to his choice, initiate the lawsuit also before the court competent for his place of residence.
MANAGEMENT AND REPORTING OF DATA PROTECTION INCIDENTS
A data protection incident is any event that involves the unlawful handling or processing of personal data managed, transmitted, stored or processed by the Data Controller, including in particular unauthorized or accidental access, alteration, communication, deletion, loss or destruction, as well as accidental destruction and result in injury. The person responsible for data protection investigates the reported or detected data protection incident immediately, and then, within 24 hours of becoming aware of the data protection incident, makes a proposal for the prevention and management of the data protection incident.
The Data Controller guarantees that data management is carried out in compliance with the applicable legal provisions in all respects.