Data management and privacy policy

Introduction

The Hotel, in the context of data processing, hereby informs its customers, guests and visitors to its website about the personal data it processes, its principles and practices regarding the processing of personal data, and the ways and means of exercising the rights of data subjects.
The Hotel is committed to protecting the personal data of its users and partners, and attaches the utmost importance to respecting the right of information self-determination of its customers. The Hotel declares that it respects the privacy rights of its partners, customers and visitors to its website. The personal data recorded will be treated confidentially, in accordance with data protection legislation and international recommendations, in compliance with this Privacy Policy, and will take all security, technical and organisational measures to guarantee the security of the data.
The Hotel reserves the right to change this policy at any time. Naturally, the Hotel will inform its clients, partners and guests of any changes in due time. The partner who becomes a customer of the Hotel accepts the following and consents to the processing of data as set out below.

1./ The purpose of the Code

The purpose of this Policy is to ensure that the Hotel complies with applicable data protection legislation, in particular the following:

• Act CXII of 2011 - on the Right to Informational Self-Determination and Freedom of Information
• Act CVIII of 2001 on certain aspects of electronic commerce services and information society services;
• Act XLVII of 2008 - on the prohibition of unfair commercial practices against consumers;
• Act XLVIII of 2008 - on the basic conditions and certain limitations of economic advertising activities.

2./The Scope of the Code

2.1 Temporal Scope

These Rules are in force from 29 January 2014 until further notice and until revoked.

2.2 Personal Scope

This Policy applies to the Hotel, to the persons whose data are included in the processing covered by this Policy and to persons whose rights or legitimate interests are affected by the processing.

2.3 Material Scope

This Policy applies to all processing of personal data carried out by all departments of the Hotel.

3./ Concepts

For the purposes of these Rules, the following definitions shall apply

(a) data subject: any natural person who is identified or can be identified, directly or indirectly, on the basis of specific personal data;
(b) personal data: data which can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inference that can be drawn therefrom concerning the data subject;
(c) consent: a voluntary and explicit expression of the data subject’s wishes, based on adequate information, by which he or she gives his or her unambiguous agreement to the processing of personal data concerning him or her, either in full or in relation to specific operations;
(d) objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data;
(e) 'controller' means a natural or legal person or an unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes decisions regarding the processing (including the means to be used) and carries it out or has it carried out by a processor on its behalf;
(f) 'processing' means any operation or set of operations which is performed upon data, whatever the procedure used, such as collection, recording, organisation, storage, alteration, use, consultation, disclosure, transmission, alignment or combination, blocking, erasure and destruction, as well as prevention of further use, taking of photographs, sound recordings or images and recording of physical characteristics which can be used to identify a person;
(g) 'processor' means a natural or legal person or an unincorporated body which, under a contract with the controller, including a contract concluded pursuant to a legal provision, carries out the processing of data;
(h) 'processing' means the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
(i) third party: a natural or legal person or unincorporated body other than the data subject, the controller or the processor;
(j) transfer: making data available to a specified third party;
(k) disclosure: making the data available to anyone;
(l) erasure: rendering data unrecognisable in such a way that it is no longer possible to recover it;
(m) data marking: the marking of data with an identification mark to distinguish it;
(n) 'data blocking' means the marking of data with an identification mark for the purpose of limiting their further processing permanently or for a specified period of time;
(o) data destruction: the complete physical destruction of the data medium containing the data;

4./Basic principles for data management

Personal data may be processed if

a) with the consent of the data subject, or
b) it is ordered by law or, on the basis of a law, on the basis of a decree of a local authority within the scope specified in the law, for a purpose in the public interest (mandatory data processing).

Personal data may also be processed where obtaining the data subject's consent would involve an impossible or disproportionate effort and the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, and the pursuit of those interests is proportionate to the restriction of the right to the protection of personal data.
The declaration of an incapacitated minor and a minor under the age of 16 with limited capacity to act requires the consent of his or her legal representative, except for those parts of the service where the declaration is for processing of a processing of a mass nature occurring in everyday life and does not require any special consideration.

Where the data subject is unable to give his or her consent due to incapacity or for other reasons beyond his or her control, the personal data of the data subject may be processed to the extent necessary to protect his or her vital interests or those of another person or to prevent or protect against imminent danger to life, limb or property of a person, as long as the obstacles to consent persist. If the personal data have been collected with the consent of the data subject, the controller shall, unless otherwise provided by law,
(a) for the purpose of complying with a legal obligation to which it is subject; or
(b) for the purposes of the legitimate interests pursued by the controller or by a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the data subject's consent.
Personal data may be processed only for specified purposes, for the exercise of rights and the performance of obligations. The processing must comply with this purpose at all stages and the collection and processing must be fair.

Only personal data that is necessary for the purpose of the processing, is adequate for the purpose, and only to the extent and for the duration necessary for the purpose.

Personal data can only be processed with informed consent.
The data subject must be informed before the processing starts whether the processing is based on consent or whether it is mandatory. The data subject must be informed, in a clear, plain and detailed manner, of all the facts relating to the processing of his or her data, in particular the purposes and legal basis of the processing, the identity of the controller and of the processor, the duration of the processing, whether the controller is processing the data subject's personal data with the data subject's consent and for the purposes of complying with a legal obligation to which the controller is subject or for the purposes of the legitimate interests pursued by a third party, and the identity of the recipients of the data. The information should also cover the rights and remedies of the data subject in relation to the processing.

The processing must ensure that the data are accurate, complete and up-to-date and that the data subject can be identified only for the time necessary for the purposes for which the data are processed.

Employees of the Hotel's departments who process personal data are obliged to keep the personal data they receive as business secrets. Persons who process personal data and have access to them are required to sign a confidentiality statement.

5./Scope of personal data, the purpose, legal basis and duration of processing

The Controller processes personal data only for specific purposes, for the exercise of a right and in the interest of fulfilling an obligation. At all stages of the processing, it shall comply with the purpose of the processing. The data are collected and processed fairly and lawfully. The Data Controller shall endeavour to ensure that only personal data which is necessary for the purpose of the processing and adequate for the purpose of the processing is processed. Personal data shall only be processed to the extent and for the duration necessary to achieve the purpose.
The attention of the data providers to the Hotel is drawn to the fact that if they do not provide their own personal data, the data provider is obliged to obtain the consent of the data subject.

5.1 Data management on the website

The legal basis for data processing on the website is the User's consent and Article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
b) Data processed: date and time of the visit, IP address of the visiting User's computer, browser type, name, telephone, e-mail address, date and time, number of adults, number and age of children, type of residence, and other personal data provided by the User.
c) The time limit for the deletion of the data: 5 years from the booking of the room, in the case of a request for a quote, immediately if no contract has been concluded; and in the case of consent to the sending of the newsletter, until the consent is withdrawn. In the case of accounting documents, the Service Provider shall keep them for 8 years pursuant to Article 169 (2) of Act C of 2000 on Accounting.

d) You may request the deletion or modification of your personal data in the following ways:

• by post (8749 Zalakaros, Üdülő sor 6.)
• by e-mail (info@aquathermhotel.hu)

e) We inform our Users that the court, the prosecutor, the investigating authority, the law enforcement authority, the administrative authority, the data protection commissioner, or other bodies authorized by law may request the Service Provider to provide information, to disclose or transfer data, or to provide documents.
f) The Hotel shall disclose personal data to the authorities only to the extent and to the extent that is indispensable for the purpose of the request, provided that the authorities have indicated the exact purpose and scope of the data.g) The Hotel shall treat the data and information provided by the Guests and necessary for the performance of the Service in accordance with Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information.
h) The Hotel shall process the Users' personal data for the purpose of providing the Service (full use of the website, e.g. booking, sending newsletters), only to the extent and for the duration necessary for that purpose. The data processing shall comply with this purpose at all stages.
i) Process personal data that are technically necessary for the provision of the service. If the personal data were collected with the consent of the User, the Hotel shall, unless otherwise provided by law,
i) for the purpose of performing a legal obligation to which it is subject, or
ii) Process it for the purposes of the legitimate interests pursued by the Hotel or a third party, where such interests are proportionate to the restriction of the right to the protection of personal data, without further specific consent and even after the withdrawal of the User's consent.
j) In addition, the Hotel only collects information about Users (IP address, time of use, website visited, browser program and one or more cookies that allow the unique identification of the browser), which it uses exclusively for the development and maintenance of the Services and for statistical purposes. The Service Provider will use the data processed for these statistical purposes only in a form that does not personally identify you. In order to improve the quality of the Services, the Hotel will place a file containing a series of characters, a so-called cookie, on the User's computer, provided that the User consents. If the User does not consent, he/she shall indicate this in advance using the contact details specified in section "Data management on the website", point d.
k) The Hotel shall transfer the personal data it processes to third parties only for the purpose of developing and/or operating certain services of the hotel used by the User. The Hotel shall not use or otherwise misuse the personal data it processes for the purposes of third parties.
l) The Sites may contain links to external servers (not managed by the Hotel), and the sites accessible through these links may place their own cookies or other files on your computer, collect data or request personal information. The Hotel excludes all liability for these.
m) By using the Service, the User consents to the Hotel collecting and processing his/her personal data as described in this Privacy Policy for the purpose of providing the Service in its entirety.

5.2 Processing of business cards

a) Legal basis for processing: the User's voluntary consent, which is obtained by the User's act of providing the hotel with his/her business card containing his/her personal data.
b) The data processed: name, telephone number, address, e-mail address, place of work, its address and other personal data on the business card.
c) Purpose of the processing: to establish contact and facilitate contact between persons.
d) The provisions of this Privacy Notice shall apply accordingly to the transfer of business cards and their processing.
e) Time limit for the deletion of data: until the withdrawal of the consent, i.e. until the instruction to destroy the business card.

5.3 Newsletter, DM activity

a) Pursuant to Article 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities, the User expressly consents in advance to being contacted by the hotel with advertising offers and other mailings at the contact details provided at the time of registration (e.g. e-mail address or telephone number).
b) Furthermore, the Customer agrees, subject to the provisions of this information, that the Hotel may process his/her personal data necessary for the sending of advertising offers.
c) c) The Hotel will not send unsolicited advertising messages and the User may unsubscribe from receiving such offers without any restriction and without giving any reason, free of charge. In this case, the Hotel shall delete all personal data necessary for sending advertising messages from its records and shall not contact the User with further advertising offers. The User can unsubscribe from the advertising by clicking on the link in the message.
d) Purpose of data processing: sending electronic newsletters containing commercial advertising messages to the User, informing him/her about current information and products.
e) Legal basis for processing: voluntary consent of the data subject and Article 6(5) of Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activities.
f) Data processed: name, e-mail address, telephone number, date, time.
g) Deadline for deletion of data: until the withdrawal of the consent, i.e. unsubscription.

6./ Data security

a) The Hotel shall take all necessary security, organisational and technical measures to ensure the highest level of security of personal data and to prevent their unauthorised alteration, destruction and use.
b) The Hotel shall take all necessary measures to ensure data integrity, i.e. the accuracy, completeness and up-to-date status of the personal data it processes and/or handles.
c) The Hotel shall take appropriate measures to protect the data against, in particular, unauthorised access, alteration, transmission, disclosure, deletion or destruction, accidental destruction, damage and loss of accessibility due to changes in the technology used.
d) The Hotel therefore reserves the right to inform its customers and partners if it detects a security vulnerability in its system, and at the same time to restrict access to the Service Provider's system, services or certain of its functions until the vulnerability is resolved.
e) In order to ensure the security of the data stored on the network, the Hotel shall prevent the loss of data by continuous mirroring on the server.
f) The Hotel performs daily backups of active data in databases containing personal data.
g) On the network handling personal data. The Hotel shall ensure virus protection on an ongoing basis.
h) Access to the data and data files managed on the network of the Hotel shall be secured by user name and password.

7./ Information on data management

a) The User may request information about the processing of his/her personal data, as well as the rectification or - with the exception of data processing required by law - the deletion of his/her personal data, in the manner indicated when the data was collected or at the contact details of the Service Provider.
b) Upon the User's request, the Hotel shall provide information about the data processed by it, their source, the purpose, legal basis and duration of the data processing. The Hotel shall provide the information in writing and in an intelligible form within the shortest possible time from the date of the request, but not later than 30 days.
c) The hotel will correct the personal data if it is not accurate and the accurate personal data is available to it.
d) The Hotel shall block the personal data if the User so requests or if, on the basis of the information available to it, it is assumed that deletion would harm the legitimate interests of the User. The blocked personal data may be processed only for as long as the data processing purpose which precluded the deletion of the personal data persists.
e) The Hotel shall delete the personal data if the processing is unlawful, the User requests it, the processed data is incomplete or incorrect - and this situation cannot be lawfully remedied - provided that the deletion is not excluded by law, the purpose of the processing has ceased, or the statutory period for storing the data has expired, or the court or the National Authority for Data Protection and Freedom of Information has ordered it.
f) The controller has 30 days to erase, block or rectify the personal data. If the hotel does not comply with the User's request for rectification, blocking or erasure, it shall inform the User in writing within 30 days of the reasons for the refusal.
g) The Hotel shall notify the Customer of the rectification, blocking and deletion, as well as all those to whom it has previously transmitted the data for processing purposes. It shall refrain from such notification if this does not prejudice the legitimate interests of the Customer with regard to the purpose of the processing.

8./ Verification

a) The compliance with data protection regulations, in particular with the provisions of this Policy, shall be continuously monitored by the heads of the departments responsible for data processing at the Hotel.

b) The Hotel and Operations Manager and the Data Protection Officer delegated by the Hotel shall monitor the processing of data at the Hotel once a year.

9./ The Data Protection Officer and the Privacy Policy

a)The Hotel shall appoint an internal data protection officer under the direct supervision of the Hotel, whose duties shall include:
i. The Hotel shall. i. Contribute to or assist in making decisions related to data processing and ensuring the rights of data subjects.
Ensure compliance with the provisions of this Act and other legislation on data processing, as well as with the data protection and data security requirements of the data protection and data management policy.
Investigate the notifications received and, if unauthorised processing is detected, request the head of the processing department or the data processor to cease such processing.
Keep internal data protection records.
v. Ensure data protection education.

10./ Legal remedy

a) The User may object to the processing of his/her personal data if.

ii. the processing or disclosure of the personal data is necessary solely for the performance of a legal obligation to which the Service Provider is subject or for the purposes of the legitimate interests pursued by the Service Provider, the data recipient or a third party, unless the processing is required by law;
iii. the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes;
iv. in other cases specified by law.

b) The Hotel shall examine the objection within the shortest possible time from the date of the request, but not later than 15 days, decide whether the objection is justified and inform the applicant in writing of its decision. If the Hotel establishes that the objection of the data subject is justified, it shall cease processing the data, including further collection and transmission, and block the data, and shall notify the objection and the measures taken on the basis of the objection to all those to whom it has previously transmitted the personal data concerned by the objection and who are obliged to take action to enforce the right to object.

c) If the User does not agree with the decision of the hotel, he/she may appeal against it to the court within 30 days of its notification.

d) The User may take legal action against the hotel in case of violation of his/her rights. The court will decide the case out of turn.

A legal remedy and complaint may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, P.O. Box 5.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu