1. DATA CONTROLLER – NAME AND CONTACT DETAILS
Company name: Malomkert Kft.
Registered office: 2890 Tata, Tópart u 19
Company registration number: Cg. 11-09-026534
Tax number: 26575412-2-11
Website: www.malomeskacsa.hu
(hereinafter referred to as the Data Controller)
If you have any questions about our Privacy Notice, you can contact us using the following contact details:
Email address: [email protected]
Phone Number: +36 30 488 8180
2. CONTENT AND PURPOSE OF THIS NOTICE
This Privacy Notice (hereinafter referred to as the “Privacy Notice”) summarizes how the Data Controller collects, uses, and protects the personal data of users (hereinafter referred to as the “User” or “You”) of the website available at https://www.malomeskacsa.hu (hereinafter referred to as the “Website”). The original and governing version of this Privacy Notice has been drafted in Hungarian. The English and German versions are provided solely as translations for informational purposes. In the event of any discrepancy or question of interpretation, the Hungarian version shall prevail. This Privacy Notice applies only to the processing of personal data of natural persons.
Our company is committed to the protection of personal data and respects the User’s right to informational self-determination. The purpose of this Notice is to provide information on how we process and protect the personal data entrusted to us, as well as to explain how you can contact us if you have any questions regarding the processing of your personal data.
This Privacy Notice defines:
– the identity of the Data Controller,
– the categories of your personal data processed by the Data Controller,
– the legal basis for the processing of personal data,
– the manner in which personal data is processed (including access by the Data Controller and the transfer or disclosure of data to third parties),
– the purpose of the data processing,
– the duration of the data processing, and
- the requirements of data protection and data security; and
– the ways in which Users may exercise their rights.
3. LEGAL BASIS FOR DATA PROCESSING
– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR)
– Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Information Act)
This Privacy Notice shall be governed by Hungarian law. If the laws in force in your country impose stricter obligations on the parties than those set out in this Privacy Notice, you are required to comply with such obligations. However, you acknowledge and accept that the liability of the Data Controller is determined by the laws governing this Privacy Notice, and the Data Controller excludes, to the fullest extent permitted by applicable laws and court decisions, any liability arising from non-compliance with the provisions applicable in the User’s country.
4. DEFINITIONS
Personal data: any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.
Data Processor: the set of data processing operations carried out by a data processor acting on behalf of, or under the instructions of, the data controller.
Data Processor: a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller.
Data Transfer: making data accessible to a specified third party.
Third party: a natural or legal person, public authority, agency, or any other body other than the data subject, the data controller, the data processor, or persons who, under the direct authority of the data controller or data processor, are authorized to process personal data.
Consent of the Data Subject: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Recipient: a natural or legal person, public authority, agency, or any other body to whom personal data is disclosed, regardless of whether it is a third party.
Data Erasure: rendering data unrecognizable in such a way that its restoration is no longer possible.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
5. PRINCIPLES
Personal data shall be processed lawfully, fairly, and in a transparent manner (principle of lawfulness, fairness, and transparency).
Personal data shall be collected only for specified, explicit, and legitimate purposes and shall not be processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the original purposes (principle of purpose limitation).
The personal data we collect and process shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (principle of data minimization).
We take all reasonable steps to ensure that the personal data we process are accurate and, where necessary, kept up to date. Inaccurate personal data shall be erased or rectified without delay (principle of accuracy).
Personal data shall be stored in a form that permits your identification only for as long as is necessary for the purposes for which the personal data are processed (principle of storage limitation).
By implementing appropriate technical and organizational measures, we ensure a level of security for personal data that is appropriate to the risks involved, protecting them against unauthorized or unlawful processing, accidental loss, destruction, or damage (principle of integrity and confidentiality).
The Data Controller shall be responsible for compliance with the above principles and shall be able to demonstrate such compliance (principle of accountability).
6. LEGAL BASES FOR DATA PROCESSING
The processing of personal data shall be carried out only if at least one of the following conditions is met:
a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
c) the processing is necessary for compliance with a legal obligation to which the Data Controller is subject; d) the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
f) the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
7. DATA PROCESSING RELATED TO OUR GUESTS
Below, you can find information about when we request or collect personal data from you, as well as how long and in what manner we process such data.
Camera surveillance
We hereby inform you that video surveillance is in operation on our premises, during which your image and movements within the monitored area may be recorded. Legal basis for processing: Your consent (Article 6(1)(a) GDPR).
DATA PROCESSORS | PURPOSE OF DATA PROCESSING | ADDRESS OF THE PREMISES | DATA RETENTION PERIOD | DATA PROCESSORS |
Malomkert Kft. | The Data Controller operates a video surveillance system for the protection of its movable and immovable property, the protection of the belongings of guests using its services, the safeguarding of large amounts of cash, as well as for fire prevention and accident prevention purposes. | 19 Tópart Street, 2890 Tata | 3 working days | Derik Technika Ltd. 32 Almási Street, 2890 Tata |
Data Processing Related to Our Website
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Ensuring the proper and high-quality operation of the website, monitoring and improving the quality of our services, identifying malicious visitors who attack our website, measuring website traffic, and carrying out other statistical purposes. | Consent of the data subject (Article 6(1)(a) GDPR) | – IP address | Our designated employees, as well as the designated employees of the website operator | As stated in the cookie policy |
Data Processing Related to Invoicing
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA | ACCESS | DATA RETENTION PERIOD |
For the purpose of maintaining accounting records and supporting accounting documents, both directly and indirectly, as well as ensuring compliance with accounting legislation and other tax regulations.
| Compliance with a legal obligation (Article 6(1)(c) GDPR) based on the accounting legislation (Act C of 2000, Section 169 (1)–(2)). | – Name | Our designated employees | 8 years from the date of invoice issuance |
Data Processing Related to Customer Service and Complaint Handling
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA | ACCESS | DATA RETENTION PERIOD |
For the purpose of identifying you and your case, investigating and resolving complaints and inquiries, and carrying out related procedures. | Compliance with a legal obligation (Article 6(1)(c) GDPR) pursuant to Section 17/A (7) of Act CLV of 1997 on Consumer Protection. | – Name – Email Address – Phone number | Our designated employees | 3 years from the date of the report |
Newsletter Subscription
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Maintaining contact with the User, presenting services, and informing the User about promotions. | Consent of the data subject (Article 6(1)(a) GDPR) | – Name | Our designated employees, as well as the designated employees of the website operator | Until the withdrawal of consent. You may unsubscribe from our newsletters at any time by using the link provided at the bottom of each newsletter or by contacting us through any of our available contact channels. |
Request for a Quote
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Establishing contact, maintaining communication, and sending personalized offers. | Performance of a contract (Article 6(1)(b) GDPR) | Name, email address, telephone number, residential address, number of persons intending to use the service (including the number and age of children). | Our designated employees | In the event of a successful quotation request, in accordance with the rules applicable to the reservation; |
Accommodation Reservation
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Processing room reservations, event venue bookings, and maintaining communication. | Performance of a contract (Article 6(1)(b) GDPR) and processing required by law (Act C of 1990, Sections 30–31) (Article 6(1)(c) GDPR). | Name, email address, telephone number, residential address, number of persons intending to use the service (including the number and age of children). | Our designated employees | For the duration of the contractual relationship with the data subject. |
Accommodation Reservation Through an Intermediary
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Processing room reservations, event venue bookings, and maintaining communication. | Performance of a contract (Article 6(1)(b) GDPR) and processing required by law (Act C of 1990, Sections 30–31) (Article 6(1)(c) GDPR). | Name, email address, telephone number, residential address, number of persons intending to use the service (including the number and age of children). bizonyos esetekben bankkártya adatok | Our designated employees | The personal data received during the reservation process will be processed for the duration of the contractual relationship with the data subject. |
Book a Table
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Processing table reservations, event venue bookings, and maintaining communication. | Performance of a contract (Article 6(1)(b) GDPR) and processing required by law (Act C of 1990, Sections 30–31) (Article 6(1)(c) GDPR). | Name, email address, telephone number, number of persons intending to use the service. | Our designated employees | For the duration of the relationship with the data subject. |
Gift Voucher Redemption
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Provision of services related to the gift voucher. | Performance of a contract (Article 6(1)(b) GDPR) | Name of the purchaser, email address, telephone number, postal address, billing address, | Our designated employees | Data that is not required for invoicing will be processed for a period of 1 year or, if earlier, until the voucher is redeemed. |
Partner Program
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Identification of affiliation with our partner organizations and verification of eligibility for discounts. | Performance of a contract (Article 6(1)(b) GDPR) | Personal data displayed on the data subject’s membership or access card. | Our designated employees | The data will not be stored or recorded. |
Data Processing Pursuant to Section 9/H of the Tourism Act (NTAK)
PURPOSE OF DATA PROCESSING | LEGAL BASIS | DATA PROVIDERS | ACCESS | DATA RETENTION PERIOD |
Protection of the rights, safety, and property of the data subject and other persons, as well as verification of compliance with regulations governing the stay of third-country nationals and persons enjoying the right of free movement and residence. | Compliance with a legal obligation pursuant to Section 9/H of Act CLVI of 2016 on the State Tasks Related to the Development of Tourism Areas (Article 6(1)(c) GDPR). | 1. the guest using the accommodation service | Our designated employees and the Hungarian Tourism Agency | Until the last day of the first year following the date on which the data became known. |
Photography and Video Recording
PURPOSE OF DATA PROCESSING | LEGAL BASIS | CATEGORIES OF PROCESSED DATA | ACCESS | DATA RETENTION PERIOD |
Marketing purposes and promotion of the Malom és Kacsa venue through social media platforms. | Consent of the data subject (Article 6(1)(a) GDPR) | Image and voice of individuals appearing in photographs and video recordings. | Our designated employees, appointed photographer, videographer Data Transfer: data will be transferred to Facebook Inc. and Instagram in a third country – for the purpose of publication on the www.facebook.com and www.instagram.com websites. | Until the withdrawal of consent, but for no longer than 5 years. |
On the website, the Data Controller may request additional personal data from Users for certain activities (e.g. prize draws, promotions); however, providing such data is voluntary. The Data Controller will inform Users about the processing of such data by means of a specific notice and will use the personal data provided only for the stated purpose, in connection with the given activity, and only for the period necessary for that purpose.In all other respects, such data processing shall also be governed by this Privacy Notice.
If the User consents to sharing voluntarily provided personal data on other websites as well (e.g. sharing, liking, etc.), the User acknowledges that such websites are governed by their own privacy policies, for which the Data Controller accepts no responsibility.
We request personal data from visitors to our website only if they wish to use our services. We do not profile our visitors.
If you have any questions regarding data processing, you may request further information via our email address or postal address. We will send our response to the contact details provided by you without undue delay, but no later than within 25 days.
8. DATA PROCESSORS ENGAGED IN DATA PROCESSING
The employees and cooperating partners involved in our data processing and data management activities are authorized to access your personal data to a predefined extent and are bound by confidentiality obligations.
DATA PROCESSOR | PURPOSE OF DATA TRANSFER | DATA PROCESSING OPERATIONS | LEGAL BASIS FOR THE TRANSFER | DATA FIELDS TRANSFERRED | DURATION OF ACCESS |
NETDOOR Kft. Cg. 01-09-936833 1055 Budapest, Akadémia Street 14, Ground Floor 5, Hungary | Website Hosting and Website Maintenance | Access, backup, storage, and deletion | Consent of the data subject (Article 6(1)(a) GDPR) | IP address | As stated in the cookie policy |
Instagram, Facebook (META Inc.) 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland | Facebook Pixel, Cookie Provision of Social Media Platform | Collection, recording, use, retrieval, storage, and deletion of data | Consent of the data subject (Article 6(1)(a) GDPR), as well as Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services. | IP address used by the visitor, browser type, operating system characteristics (selected language settings), date and time of the visit, and the visited page(s)/subpage(s). | Data recorded by the server operated by the social media provider will be stored until the termination of the social media page and the website. Thereafter, such data will be retained only in anonymized form as visitor statistics. |
TikTok Technology Limited | Provision of Social Media Platform | Collection, recording, use, retrieval, storage, and deletion of data | Consent of the data subject (Article 6(1)(a) GDPR), as well as Section 13/A(3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services. | IP address used by the visitor, browser type, operating system characteristics (selected language settings), date and time of the visit, and the visited page(s)/subpage(s). | Data recorded by the server operated by the social media provider will be stored until the termination of the social media page and the website. Thereafter, such data will be retained only in anonymized form as visitor statistics. |
Google LLC | – advertising cookies – analytics cookies | Collection, recording, use, retrieval, storage, and deletion of data | Consent of the data subject (Article 6(1)(a) GDPR) | IP address used by the visitor, browser type, operating system characteristics (selected language settings), date and time of the visit, and the visited page(s)/subpage(s). | Advertising cookies for up to 2 years Analytical cookie up to 1 day or 1 minute |
Elementor Inc. | Elementor cookie | Responsible for website dynamics | Consent of the data subject (Article 6(1)(a) GDPR) | IP address used by the visitor, browser type, operating system characteristics (selected language settings), date and time of the visit, and the visited page(s)/subpage(s). | No expiry date |
Kuula Inc. | Kuula cookies | Load balancing | Consent of the data subject (Article 6(1)(a) GDPR) | IP address used by the visitor, browser type, operating system characteristics (selected language settings), date and time of the visit, and the visited page(s)/subpage(s). | Up to 7 days |
|
|
|
|
|
|
9. COOKIE MANAGEMENT
We would like to inform our visitors that our website uses cookies. The system identifies visitors’ computers by means of a so-called cookie.
An anonymous user identifier (cookie) is a unique string of characters that service providers place on the User’s computer and that is suitable for identification and the storage of profile-related information. It is important to note that such a string, by itself, is not capable of identifying the User in any way; it is only suitable for recognizing the User’s computer. In the online environment, information related to individuals and personalized services can only be provided if service providers are able to identify the habits and preferences of their customers individually. Service providers use anonymous identifiers partly to learn more about their customers’ information usage habits in order to further improve the quality of their services and to offer personalized options to their customers.
Most of the most commonly used web browsers (Chrome, Firefox, etc.) accept and allow the download and use of cookies by default, but it is up to you to modify your browser settings to refuse or block them, or to delete cookies already stored on your computer. For more information on the use of cookies, please see the "help" section of each browser.
Some cookies do not require your prior consent and are briefly explained to you when you first visit our website, such as authentication cookies, multimedia player cookies, load balancing cookies, session cookies for customising the user interface and user-centric security cookies.
Cookies that require your consent, where the processing starts as soon as you visit the site, will be notified to you and your consent will be requested at the start of your first visit.
Our Company does not use or allow cookies that enable third parties to collect data without your consent.
If you accept cookies, you can access information about your use of the site. Through the analysis of statistical data measured in Google Analytics, we are able to optimise the structure and content of the site according to your needs, while ensuring the anonymity of users in all circumstances.
The Data Controller may record information about the websites from which the User accessed the website, as well as the websites visited from the website, including the time and duration of the visit. No conclusions can be drawn about the identity or profile of the data subject from this information.
A technikai adatokat Adatkezelő kizárólag a weboldal technikai üzemeltetése érdekében, valamint statisztikai célokra használja fel. Weboldalainkon a cookie-k segítségével tartja nyilván
- display settings, e.g. font size settings, language usage;
– whether you have acknowledged that you have read the Website’s cookie notice;
– a unique session identifier (so-called session ID).
This data is collected exclusively for internal and statistical purposes, is not disclosed to third parties, and is not used for identification or profiling.
Visitor Analytics: Reports and analyses prepared from User data using general and/or automated statistical methods may be retained by our website for an unlimited period of time. No personal data of the data subject can be reproduced from such data by any means. Data collected on the website is not combined with any data originating from other sources.
You can find out more about Google cookies here: www.google.com/intl/en/policies/privacy.
Name | Description | Expiration date |
1p_JAR | This cookie collects website statistics and measures conversions according to the google.com privacy policy. Anonymous | 1 month |
APISID | Google+ “Like” and sharing-related cookies, in accordance with the privacy policy of google.com. Anonim.l | 2 years |
HSID | Used to store the digitally signed and encrypted identification data associated with the User’s Google Account, as well as the date and time of the most recent login. This cookie helps prevent various types of attacks, including attempts to steal information entered into forms on websites. Anonymous. | 2 years |
NID | This helps us display personalized advertisements to you on Google, in accordance with the privacy policy of google.com. Anonymous. | 6 months |
SAPISID | Google plus like and share, as per google.com's privacy policy. Anonymous. | 2 years |
SIDCC | Security cookie to protect user data, as per google.com privacy policy. | 3 months |
SSID | Used to save Google map data, according to google.com's privacy policy. Anonymous | 2 years |
CONSENT | Cookies required for Google Maps, in accordance with the privacy policy of google.com. Anonim statisztika. | 20 years |
WordPress Cookies
Name | Description | Expiration date |
iw_mobile_menu | Notes whether the mobile menu is shown or the desktop view menu, and whether the mobile menu is closed or open | End of session |
wordpress_test_cookie | Queries whether cookies have been enabled or not. | End of session |
Social sites (Facebook.com, Twitter.com, accounts.google.com)
You may share the content of our website with your friends on social media platforms. These services may place cookies on your computer over which we have no control. It is not possible for us to identify the User through these cookies.
Advertising sites (Google Ads, Facebook, Instagram)
Our websites use remarketing tracking codes provided by advertising platforms. These remarketing codes use cookies to tag visitors. As a result, after visiting our Website, external service providers, including Google and Facebook, may display advertisements on their own websites. These are known as interest-based advertisements. Users of the Website have the option to disable these cookies. It is not possible for us to identify the User through these cookies.
Allow, restrict or block cookies
You can enable or disable cookies in your browser settings. Before changing your settings, please note that some websites, including our Company's website, can only provide the maximum user experience through the use of cookies and the full functionality of the website can only be achieved if cookies are enabled.
Disabling Cookies: If the User does not wish such identifiers to be placed on their computer, they may configure their browser to prevent the placement of unique identifiers or to allow only certain identifiers. In such cases, however, it is possible that the User may not be able to access certain Services, or may not be able to use them in the same way as if the identifiers had been enabled. Acceptance of cookies is not mandatory; however, our Company accepts no responsibility if, due to the refusal of cookies, our website does not function as expected.
Deleting Cookies: Every browser allows the deletion of previously stored cookies, so you may delete them at any time. To do so, please refer to the instructions of the browser you are using. However, after deleting cookies, it is possible that the User may not be able to access certain Services, or may not be able to use them in the same way as before.
You can find information about the most popular browsers and how to manage cookies in the help and support menu of your browser.
10. 10. DATA TRANSMISSION
Our Company may be contacted by courts, prosecutors and other authorities for information, data or documents. In such cases, we must comply with our obligation to provide information to the extent strictly necessary to achieve the purpose of the request.
No other data will be transferred to a 3rd party in the course of the processing activities referred to in this notice.
11. TRANSFER OF DATA TO A THIRD COUNTRY
The data you provide on this website will not be transferred by our Company to a 3rd country, but Google Cookies 3rd data will be transferred by Google to a 3rd country. You can find out more about Google cookies here: www.google.com/intl/en/policies/privacy.
12. AUTOMATED DECISION-MAKING AND PROFILING
The data controller does not use automated decision-making and profiling when using the website.
13. DATA SECURITY
In accordance with Article 32 of the General Data Protection Regulation (GDPR), the Data Controller takes all necessary measures to ensure the security of personal data. The Data Controller also implements the required technical and organizational measures and establishes the procedural rules necessary to ensure compliance with the GDPR as well as other data protection and confidentiality regulations.
The Data Controller stores personal data both in paper form, in a secure and locked manner, and electronically using IT systems, at the Data Controller’s registered office, on its own servers, or on the servers of its data processors.
The Data Controller guarantees an appropriate level of data security in the following ways:
The Company classifies and treats personal data as confidential, links access to the data to job title and authorisation, and imposes confidentiality obligations on employees, and does not make them available to the public. Only authorised administrators have access to documents in the course of work or processing, in accordance with the instructions of the Data Controller, and in any case the administrator keeps documents containing personal data securely locked away when leaving.
The Company shall carry out electronic data processing and record-keeping using a computer program which guarantees that the data are accessed only for the purpose for which they are intended, under controlled conditions and only by those persons (with password, logging of access and operations, etc.) who need to do so in the course of their duties (job duties).
The Company shall ensure an appropriate physical protection of data and the devices and documents carrying them, as well as a secure technical environment.
When processing personal data by automated means, the Company takes measures to ensure that:
· preventing unauthorised data entry,
· preventing the use of automated data processing systems by unauthorised persons using data transmission equipment,
· ensuring that it can be verified and determined to which recipients personal data have been or may be transmitted through data transmission equipment,
· ensuring that it can be verified and determined which personal data were entered into automated data processing systems, when they were entered, and by whom,
· ensuring the recoverability of installed systems in the event of a malfunction, and
· ensuring that reports are generated on errors occurring during automated processing.
Please note, however, that the transfer of data over the Internet cannot be considered a fully secure transfer.
We will make every effort to ensure that our processes are as secure as possible, but we cannot accept full responsibility for any transmission of data via the website or the Internet.
Data Breach Incident: If an incident involving your personal data occurs, the Data Controller will take all necessary measures to reduce the associated risks as soon as it becomes aware of the incident. If, despite the protective measures implemented by the Data Controller (or its data processor), an event involving your personal data is likely to result in a high risk to your rights and freedoms, we will inform you and the competent authority of the incident without undue delay and free of charge.
Links: The Data Controller’s website contains references and links to websites operated by other service providers (including buttons and logos for login and sharing functions), over whose personal data processing practices the Data Controller has no control. Users are advised that by clicking on such links, they may be redirected to the websites of other service providers. In such cases, we recommend that Users read the privacy policies applicable to those websites. This Privacy Notice applies only to the Website operated by the Data Controller. If the User modifies or deletes any of their data on another external website, this will not affect the processing of data carried out by the Data Controller; such changes must also be made separately on the Website.
14. HOW YOU ACCEPT THIS PRIVACY NOTICE AND WHAT YOUR ACCEPTANCE MEANS
By using our website, you confirm that you have fully read, become familiar with, and understood the contents of this Privacy Notice.
When you choose to complete the required fields in the form(s) available on the website and click the Submit (or an equivalent) button, you thereby accept the Data Controller’s processing of your personal data in accordance with this Privacy Notice.
If you do not agree with the above, please do not complete the form with your personal data, do not submit the form by clicking the corresponding button, and do not use the website.
If you make a table reservation in writing, by email, or in any other manner, it is important to note that your personal data will also be processed in accordance with this Privacy Notice.
15. RIGHTS OF USERS
In relation to your personal data processed by the Data Controller, you may request the following (each explained in detail below):
A. access to your data that we process
B. request rectification
C. request the erasure of your data (right to be forgotten)
D. request the restriction of the processing of your data
E. have access to your personal data
F. object to the processing of your data
G. withdraw your consent to the processing of your personal data.
A.) Pursuant to Article 15 of the GDPR, the data subject may request access to personal data concerning him or her as follows:
(1) The data subject shall have the right to obtain from the Controller feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to obtain access to the personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
(d) where applicable, the envisaged duration of the storage of the personal data or, where this is not possible, the criteria for determining that duration;
(e) the right of the data subject to obtain from the controller the rectification, erasure or restriction of the processing of personal data relating to him or her and to object to the processing of such personal data;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the data have not been collected from the data subject, any available information on the sources;
(h) the fact of automated decision-making, including profiling, and, at least in those cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
(3) - (4) The Data Controller shall provide the data subject with a copy of the personal data processed. For any additional copy requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. The right to request a copy shall not adversely affect the rights and freedoms of others.
B.) Pursuant to Article 16 of the GDPR, the data subject shall have the right to obtain from the controller the rectification of personal data relating to him or her.
The data subject shall have the right to obtain from the Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.
C.) Pursuant to Article 17 of the GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her as follows:
(1) The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay at his or her request, and the controller shall be obliged to erase personal data relating to him or her without undue delay if one of the following grounds applies:
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
(c) the data subject objects to processing for reasons of public interest, in the exercise of official authority or in the legitimate interest of the controller (third party) and there are no overriding legitimate grounds for the processing or the data subject objects to processing for direct marketing purposes;
d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law (Hungarian law) applicable to the controller;
f) the personal data have been collected in connection with the provision of information society services.
(2) Where the controller has disclosed the personal data and is required to erase them pursuant to paragraph 1, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that have processed the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question.
(3) The right of the Data Subject to erasure may be limited only if the following exceptions in the GDPR apply, i.e. if the above grounds apply, the continued retention of the personal data may be considered lawful:
a) for the exercise of the right to freedom of expression and information,
b) to comply with a legal obligation, or
c) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
e) where it is in the public interest in the field of public health,
f) for archiving purposes in the public interest or for scientific or historical research purposes or statistical purposes; or
(h) where necessary for the establishment, exercise or defence of legal claims.
D.) Pursuant to Article 18 of the GDPR, the data subject shall have the right to obtain from the Controller the restriction of the processing of personal data concerning him or her, as follows:
(1) The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller where one of the following conditions is met:
(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the Controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
(c) the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to processing in the public interest, in the exercise of official authority or in the legitimate interest of the controller (third party); in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller prevail over the legitimate grounds of the data subject.
(2) Where processing is restricted on the basis of the above, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
(3) The controller shall inform the data subject at whose request the processing has been restricted pursuant to paragraph 1 in advance of the lifting of the restriction.
We will inform all recipients with whom the personal data has been shared about any rectification, erasure, or restriction of processing, unless this proves impossible or would involve a disproportionate effort. Upon request, you may obtain a list of such recipients.
E.) Pursuant to Article 20 of the GDPR, the data subject has the right to the portability of personal data relating to him or her as follows:
(1) The data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data, if:
a) where the legal basis for the processing is the consent of the Data Subject or the performance of a contract with the Data Subject
b) and the processing is carried out by automated means.
(2) In exercising the right to data portability, the data subject shall have the right to request, where technically feasible, the direct transfer of personal data between controllers.
(3) The exercise of the right to data portability shall be without prejudice to the right to erasure. The right to data portability shall not apply where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4) The right to data portability shall not adversely affect the rights and freedoms of others.
F.) Pursuant to Article 21 of the GDPR, the Data Subject shall have the right to object to the Controller processing personal data concerning him or her as follows:
(1) The Data Subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on grounds of public interest, for the exercise of official authority or for the legitimate interests of the controller (third party), including profiling based on such processing. In such a case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
(2) - (3) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.
(4) The right to object shall be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information shall be clearly displayed and separately from any other information.
(5) In the context of the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise the right to object by automated means based on technical specifications.
(6) Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
G.) Pursuant to Article 7(3) of the GDPR, the data subject shall have the right to withdraw consent to the processing of his or her personal data at any time, as follows:
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal. The right to withdraw consent does not affect the right to the processing of personal data that has not been obtained prior to the withdrawal of consent.
16. LEGAL REMEDIES AND ENFORCEMENT OF RIGHTS
The Data Controller shall inform you without undue delay, but in any event within 25 days of receiving your request, about the measures taken in response to your request or the reasons for not taking any action. If the request is complex or a large number of requests are received, this deadline may be extended by one additional month. Information will be provided electronically whenever possible. The provision of information and the implementation of measures are free of charge, except in the case of requests that are manifestly unfounded or excessive, particularly due to their repetitive nature. In such cases, we may charge an administrative fee of HUF 10,000 or refuse to take the requested action. In connection with your request, we may ask for information necessary to verify your identity. The first copy of your personal data processed by us is provided free of charge; for any additional copies, we may charge a fee corresponding to the administrative costs incurred.
If you are dissatisfied with our actions or if you experience unlawful processing of your personal data, you may lodge a complaint with the supervisory authority or exercise your right to seek a judicial remedy. Jurisdiction lies with the competent court. At the choice of the data subject, proceedings may also be initiated before the court of their place of residence or, in the absence thereof, their place of stay within the country.
You are entitled to seek a judicial remedy against a legally binding decision of the supervisory authority relating to you, or if the authority does not handle your complaint or does not inform you within three months about the procedural developments or the outcome of your complaint. Proceedings against the supervisory authority must be brought before the courts of the Member State in which the supervisory authority is established. In proceedings against the supervisory authority, you may also bring the action before the court of your domestic place of residence or, in the absence thereof, your domestic place of stay, or before the court having jurisdiction over the authority’s registered office, according to your choice.
Without prejudice to any other administrative or judicial remedy, any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
Name of authority: | National Authority for Data Protection and Freedom of Information (NAIH) |
Address: | 1055 Budapest, Falk Miksa Street 9–11, Hungary |
Address for correspondence: | 1363 Budapest, P.O. Box 9, Hungary |
Email: | |
Phone: | +36 (1) 391-1400 |
Fax: | +36 (1) 391-1410 |
Website: | www.naih.hu |
If you have any questions that are not clearly answered by this Privacy Notice, please send them to the Data Controller’s email address provided at the beginning of this document.
17. AMENDMENT OF THE PRIVACY NOTICE
The Data Controller may amend this Privacy Notice unilaterally. The current version of the Privacy Notice will always be available on the website.