Privacy Policy

Szallas.hu Zrt.

Last update: 02.11.2021

Szallas.hu Zrt. (headquarters: 3525 Miskolc, Régiposta street 9, e-mail: info@revngo.com, tel.: +36 30 344 2000, company registration number: 05-10-000622, tax number: 26721761-2-05) as the data controller (hereinafter referred to as "Data Controller"), acknowledges the contents of this Privacy Policy as binding. The Data Controller operates this accommodation website (hereinafter referred to as the "Website") and the related accommodation websites of the Data Controller. The purpose of this notice is to provide information to users of the website (hereinafter referred to as "Data Subjects") about the data processing carried out by the Data Controller, its data protection and data management principles and the Data Controller's data protection and data management policy.

 

I.            Subject of the Statement

The Data Controller undertakes to ensure that all processing of data relating to its activities complies with the requirements set out in this notice and in the applicable legislation. The Data Controller is committed to protecting the personal data of its customers and users, and attaches the utmost importance to respecting the users' right to information self-determination. The Data Controller treats personal data confidentially and takes all security, technical and organisational measures to ensure the security of the data.



 

II.          Definitions

"'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

"'processing' means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

"restriction of processing": the marking of stored personal data for the purpose of restricting their future processing;

 

"controller" means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or specific criteria for the designation of the controller may also be determined by Union or Member State law;

 

"processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

 

"processing" means the performance of technical tasks related to processing operations by a controller, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

 

"third party": a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

 

"the data subject's consent" means a freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;

"data breach" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

 

"data subject" means a natural person who is or may be identified on the basis of any information;

 

"transfer" means the making available of data to a specified third party;

 

"recipient" means a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing.


"profiling" means any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with that person's preferences, interests, reliability, behaviour, location or movements;

 

This information and the terms used in it are consistent with

·        Act CVIII of 2001 on certain aspects of electronic commerce services and information society services;

·        Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;

·        Act C of 2003 on electronic communications;

·        Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as "the Information Act");

·        Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter "GDPR");

·        Act V of 2013 on the Civil Code ("Civil Code");

·        Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Economic Advertising Activities (hereinafter referred to as "Act XLVIII");

·        Act XLVII of 2008 on the Prohibition of Unfair Commercial Practices against Consumers;

·        With recommendations from the National Authority for Data Protection and Freedom of Information.

  

III.          Principles of data management

The Data Controller:

·        processes personal data lawfully and fairly and in a transparent manner ("lawfulness, fairness and transparency");

·        collects personal data only for specified, explicit and legitimate purposes and does not process them in a way incompatible with those purposes ("purpose limitation");

·        the personal data processed by the data controller are adequate and relevant for the purposes of the processing and the processing is limited to what is necessary ("data minimisation");

·        the personal data processed by us are accurate and up to date ("accuracy");

·        store personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ("limited storage");

·        processes personal data in a way that ensures adequate security ("integrity and confidentiality") of personal data.



IV.          Details of data processing

The Data Controller carries out the following processing in relation to the Website:

 

Data processing scope

Personal data processed

Legal basis

Purpose of data processing

Retention period

 

1. Data processing related to the sending of the newsletter

E-mail address 

Last name 

First name

Date(s) of subscription

Source of subscription

Birthdate (optional) 


Newsletter activity (fact and time of opening, fact and number of clicks on links)

Consent of the Data Subject (Article 6(1)(a) GDPR)

Informing Data Subjects about the latest offers, selected according to the Data Subject's interests. To do this

based on the user

your browsing and newsletter activity.

For more information, see point V.

Until the Data Subject unsubscribes.

For more information on the retention of personal data, see Section V.

2. Registration on website and mobile app (account/profile creation)

E-mail address 

Password 

Last name 

First name

Date of registration

Phone number (optional)

Date of birth (optional)

Address (optional)

  • Country
  • Ir. number, municipality
  • Street, house number


Unique account identification code

Favourite accommodation details, date of marking, deletion

Bookings made by entry (active departed and cancelled)

For mobile application, additional information: chosen currency, language

Consent of the Data Subject (Article 6(1)(a) GDPR)

Facilitate service delivery;

facilitate future bookings;

select and collect your favourite accommodation;

store details of previously made bookings and purchases in your account;

view special offers available to registered users.

Until the registration is cancelled.

If the registration is not confirmed by the Data Subject via the link in the e-mail message sent (double opt-in), the Data Controller will send two additional reminders to the Data Subject. Within 15 days of the second e-mail being sent, the data provided at the time of the registration will be deleted if confirmation has not taken place by then.

 

3. Participation in a loyalty programme

Membership date

Membership ID/number

Membership status (active, deleted)



Point transaction data (amount of points, type, place and time of point transaction, amount of expired points)

Processing is necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR)

The Data Controller intends to provide loyalty points and other benefits to users registered for the Programme through its Loyalty Programme. The purpose of data processing is the conclusion and performance of this contract and the related communication.

As long as claims arising from the relevant contract are enforceable (general limitation period: 5 years).

4. Link to Facebook / Google / Apple account

Account/profile registration taken over from Facebook:

Last name 

First name

E-mail address

Profile ID

Your Facebook profile picture will also appear on your account



For newsletters:

E-mail address 

Last name 

First name

the data subject's consent (Article 6(1)(a) GDPR)

In order to speed up the registration or newsletter subscription, the Data Subject may also use his/her own Facebook / Google / Apple account to fulfil the necessary data provision obligation.

According to the time specified in the registration or newsletter data management.

 

5. Purchase-related data processing:



Reservations created and in force (active)

Accounting data:

Name

User's unique identification code (user ID)

Based on the decision of partners (data processors), the Data Controller may request an address when making a reservation, which in this case:

  • Country
  • Ir. number, municipality
  • Street, house number

Payment method and details, including the recording of the flow of funds and the balance associated with the user in the case of online payment



Reservation details, unique identifier, date Data generated during the processing of the reservation(s) (request, modification, etc.)

Data on the accommodation booked In case of a reservation in a loyalty programme: points transaction data (amount of points used in the purchase, type of points transaction, location and time)

Processing is necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR)

The Data Controller operates an accommodation booking service, whereby the individual can choose from the accommodation and services offered within the service, make a reservation. If you do not provide your details, the Data Controller will not be able to provide you with the service related to the reservation.



The mandatory retention period for personal data relating to accounting records ("Accounting Data"):



-8 years for accommodation in Hungary.

-For Romanian accommodation 10 years.

-5 years for accommodation in Poland.

-10 years for accommodation in Slovakia.

-For accommodation in Czech Republic 10 years

-5 years for accommodation in Croatia.

 

Non-accounting data:

E-mail address 

Phone number

IP address

Other data provided by the user,

When requesting a quote: optional information on accommodation preferences

For personal data not related to an accounting document ("Non-Accounting Data"):

As long as claims under the relevant contract are enforceable (general limitation period: 5 years).

6. Purchase-related data processing:

Reservations created but cancelled (cancelled)

Accounting data:

Name

User's unique identification code (user ID)

Based on the decision of partners (data processors), the Data Controller may request an address when making a reservation, which in this case:

  • Country
  • Ir. number, municipality
  • Street, house number

Payment method and details, including the recording of the flow of funds and the balance associated with the user in the case of online payment



Reservation details, unique identifier, date Data generated during the processing of the reservation(s) (request, modification, etc.)

Data on accommodation occupied

In case of a reservation in a loyalty program: point transaction data (amount of points used in the purchase, type of point transaction, location and time)





Processing is necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR)

The Data Controller operates an accommodation booking service, whereby the individual can choose from the accommodation and services offered within the service, make a reservation. If you do not provide your details, the Data Controller will not be able to provide you with the service related to the reservation.



If the booking is linked to a financial transaction in which the Data Controller is actively involved in the

The mandatory retention period for personal data relating to accounting records ("Accounting Data"):

-8 years for accommodation in Hungary.

-For Romanian accommodation 10 years.

-5 years for accommodation in Poland.

-10 years for accommodation in Slovakia.

-For accommodation in Czech Republic 10 years.

-5 years for accommodation in Croatia.



For personal data not related to an accounting document ("Non-Accounting Data"):

As long as claims under the relevant contract are enforceable (general limitation period: 5 years



If there is no cash flow linked to the booking: 3 years.

Non-accounting data:

E-mail address 

Phone number

IP address

Other data provided by the user,

When requesting a quote: optional information on accommodation preferences

7. Purchase-related data processing:



The reservation has not been created

Accounting data:

Name

User's unique identification code (user ID)

Based on the decision of partners (data processors), the Data Controller may request an address when making a reservation, which in this case:

  • Country
  • Ir. number, municipality
  • Street, house number

Payment method and details



Reservation details, unique identifier, date Data generated during the processing of the reservation(s) (request, modification, etc.)

Data on accommodation occupied

Non-accounting data:

E-mail address 

Phone number

IP address

Other data provided by the user,

When requesting a quote: optional information on accommodation preferences

Legal basis for the processing: processing is necessary for the purposes of taking steps at the request of the data subject prior to the conclusion of the contract (Article 6(1)(b) GDPR)

Legal basis for retention: legitimate interest of the Controller (Article 6(1)(f) GDPR)

The Data Subject's booking request failed in the process or the Data Subject contacted the Data Controller with a request for a quote, so no contractual relationship was established, but the Data Controller has a legitimate interest in retaining them for possible consumer protection proceedings. 

Retention period: 3 years.

 

8. Purchase process interruption/

data processing in case of termination

Data processed when filling in the reservation form

Name

E-mail

Phone number

Based on the decision of partners (data processors), the Data Controller may request an address when making a booking, which in this case is:

  • Country
  • Ir. number, municipality
  • Street, house number

Legitimate interest of the Controller (Article 6 (1) (f) GDPR)

Retention of data provided during an abandoned purchase process in order to facilitate the continuation of the purchase, the Data Subject does not have to re-enter the data.                                   

The data processed by the User's browser will be stored until the browser is closed (session closure).

In addition, the Data Controller sends a reminder message to the user separately for each accommodation viewed and left in the shopping cart and this data is stored for a maximum of 7 days.

9. System messages

Data of the person using the website service:

Name

E-mail

Booking details

Processing is necessary for compliance with a legal obligation to which the controller is subject (Article 6(1)(c) GDPR)

The Data Controller is obliged to inform the Data Subjects about changes in the operation of the Website and confirmations related to the use of the service.

In the case of obligatory communications relating to the registered account or newsletter service, until the registration is cancelled.

For bookings, according to the cancellation period specified in the points relating to the purchase

10. Share Instagram photos

Photo or video shared by the person concerned

Consent of the Data Subject (Article 6(1)(a) GDPR)

The Data Controller requests the consent of the Data Subject for the use of the photo taken and shared by the Data Subject for marketing purposes. In case of consent, the Controller will process the photograph in accordance with the relevant terms of use.

Until the consent declarations are withdrawn.

 

11. Google Forms based poll

The Data Controller conducts public opinion research anonymously and does not automatically request or record personal data.      

-

Public opinion polls have important marketing value, but they do not require identifiable individuals or personal data. The Data Controller specifically reminds respondents not to share personal data in the free-word fields.

If the Data Controller finds personal data in the responses, it will delete it immediately and irrevocably.

12. Sweepstakes

Personal data included in the prize draw's privacy policy.

the data subject's consent (Article 6(1)(a) GDPR)

The Data Controller occasionally promotes prize games for marketing purposes. The data processing involved may vary from game to game, therefore information on data processing is set out in the data processing information for each competition.

The retention period as set out in the prize draw's privacy policy.

 

13. Customer service

The scope of the data processed by the Data Controller in the context of Customer Service is adapted to the content and the manner of your request, and the data processed may therefore be:

- in the case of telephone enquiries, the voice recording and the data recorded in the case management system;

in the case of an e-mail request, the electronic message and the data recorded in the case management system;

- name, e-mail, phone number, other contact details;

- subject of the request, complaint, case, details;

- data generated during the case management, case outcome, closure;

- in the case of offers and reservations, details of the offer, individual requirements;

- bank account number in the case of a customer complaint that is favourable to the customer;

- data relating to the handling of a refused or cancelled reservation;

In the case of reservation management: processing is necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR)



Other requests: legitimate interest of the Controller (Article 6(1)(f) GDPR).

Collecting offers, sending them to interested parties.

 

In connection with an offer or a reservation, reservation modification, individual terms and conditions, as well as the loyalty program, informing the Data Subject, resolving their requests and questions, supporting and transmitting modification requests, initiating a reservation.

 

Investigating and dealing with complaints and requests.

 

The Data Controller will process the data as described in the section "Data processing in relation to purchases", depending on the booking activity to which the customer service is related.



The data controller will delete the recorded audio material generated during telephone calls after 5 years.

 

14. Ratings given by the data subject

Name (optional)

Municipality (optional)

Traveller category (optional)



Opinion, evaluation about the service, accommodation, programme, settlement of the data controller (optional)

the data subject's consent (Article 6(1)(a) GDPR)

Increasing user confidence in accommodation and ensuring quality of service.



At the request of the Data Subject, the Data Controller shall delete the ratings from all interfaces displayed.

 


 

V.          Additional privacy information about the newsletter service

The Data Controller will review the accuracy of your data and will unsubscribe you from the newsletter if your e-mail address does not work (newsletter bounces), even in the absence of an opt-out.

After the unsubscription, the Data Controller stores the date of the unsubscription and the e-mail address of the Data Subject separately in order to prove the fact of the unsubscription and to compare it with the data of subscribers to the newsletter from third sources through future acquisitions or otherwise, and to avoid sending newsletters to persons who have previously unsubscribed. The use of data for this purpose typically occurs 1-2 times per year by the employee performing the task, subject to approval by the CEO. After unsubscribing, your data will no longer be used in any other way by the Data Controller.

The Data Controller analyses the activity of the Data Subjects in relation to the newsletter. For the purpose of analysis, the newsletter sent contains a web beacon ("web beacon" or "tracking pixel"), which is an image of 1x1 pixel size stored by the Website. The personal data and the web beacon are attached to the e-mail address and a unique identifier (ID), which is also included in the links in the newsletter. The Data Controller receives information about when the newsletter is opened and which links are clicked on, which may reveal the interests of the Data Subject. This data is used to tailor the newsletters to the interests of the Data Subject as much as possible.



 

VI.          Processing of personal data of third parties

Where the Data Subject provides personal data of third parties, it is the Data Subject's responsibility to ensure that the necessary consent to the disclosure is obtained or the other legal basis is fulfilled and to notify the Data Controller of any changes in this regard. Data Subjects must refrain from disclosing personal data of third parties, except where the disclosure is necessary for the performance of a contract with the Controller.



 

VII.          Data processing

The Data Controller uses the data processors listed below in the operation of the Website. Additional data processors may be used on a case-by-case basis and the Data Controller will inform the Data Subjects about this.

·        Your data will be stored on servers provided by our contractual partner Zero Time Service Kft. (2013 Pomáz, Mikszáth Kálmán utca 36/4.) in the European Union.

·        Emarsys eMarketing Systems GmbH (Austria, 1150-Bécs, Märzstrasse 1, 1150-Bécs, Austria) is the data processor for data processing for marketing purposes (e-mail messages, cookies).

·        Certain data (customer email messages, data provided when filling in a form) are stored by the Data Controller in Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, in Google Drive.

·        To improve the user experience, visitor behaviour analysis and market research is carried out using Hotjar's system (Hotjar Ltd., Dragonara Business Centre 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141 Malta, Europe).

·        The Maileon system for the newsletter service is provided by Wanadis Kft. (1112 Budapest, Budaörsi út 153.).

·        In the case of payment by bank card, the following personal data may be transferred to BIG FISH Payment Services Kft. (1066 Budapest, Nyugati tér 1-2.) as the data processor: name of the predecessor, surname, first name, IP address, billing address, shipping address, telephone number, e-mail address, last four digits of the bank card number. Purpose of the data transfer: to carry out the data communication necessary for payment transactions between the merchant and the payment service provider's system, to ensure the traceability of transactions for the merchant's partners.

·        The accountant used by the Data Controller is Oualitax Bt. (registered office: 3525 Miskolc, Toldi utca 9. no. 2/8) may have access to data related to accounting.

·        The auditor used by the Data Controller (as indicated in the company register) has access to data relating to the audit

·        For billing purposes, the Data Controller uses the service of KBOSS.hu Kft. (1031 Budapest, Záhony utca 7/C.) szamlazz.hu.

·        For postage: Magyar Posta Zrt. Hungarian Post (1138 Budapest, Dunavirág utca 2-6.)

·        The recorded voice calls generated during the Customer Service administration are stored by our contractual partner VCC Live Group Zártkörűen Működő Részvénytársaság (registered office: 6725 Szeged, Hópárduc utca 17.).

 

VIII.          Data transmission

·        In order to fulfil the contracts, the following data will be transmitted to the accommodation: name, e-mail address, telephone number, address (if the Partner (data processor) requests address data for the booking), details of the booking, information indicated in the comment, description of the case and its details in case of customer service.

In case of a booking with a card guarantee, the Data Controller will transmit the credit card data provided by the Data Subject. For the purposes of the booking process, the Data Controller stores only a part of the credit card number, from which the credit card number itself cannot be reconstructed. At the end of the transfer process, the partially stored data will also be deleted.

The reviews provided by the Data Subject will be displayed on the websites of the Data Controller and its affiliates that provide accommodation services in Hungary and abroad: (i) https://hotely.cz, (ii) https://sk.revngo.com, (iii) https://revngo.com, (iv) https://de.revngo.com, (v) https://hr.revngo.com, (vi) https://hotelguru.ro, (vii) https://noclegi.pl

·        In order to successfully process accommodation bookings for accommodation in Romania, the Data Controller shall transfer the data to its contractual partner Travelminit International SRL (400267 Cluj-Napoca, Str. Gării, Nr. 21, în Liberty Technology Park, corpul D, intrarea D1, biroul 1B, Jud. Cluj, Romania) and the data are processed jointly.

·        In order to successfully process accommodation bookings for Czech and Slovak accommodation, the Data Controller will transfer the data to its contractual partner Hotel.cz a.s. (Kolbenova 882/5A, Praha 9 190 00) for bookings from Czech and Slovak domestic guests, and to Previo s.r.o. (Kolbenova 882/5A, Praha 9 190 00) for bookings from other language areas.

·        The Data Controller works with a number of partners to provide a wide range of accommodation offers in Croatia, and in order to successfully process certain accommodation bookings in Croatia, the Data Controller transfers the data to the following contracted partners: NOVASOL A/S CVR (17484575 Virumgårdsvej 27 2830 Virum), Travel agency Adriagate d.o.o. (Split, Vukovarska 156, ID code HR-AB-22-060229413, VAT: HR64887759853), Adriatic.hr d.o.o. (Poljička cesta 26,21000 Split, Croatia, VAT number: 16364086764, ID: HR-AB-21-020038491).

   ·        The Data Controller, beside its own contracted Polish and Austrian partners, displays part of NOVASOL A/S CVR (17484575 Virumgårdsvej 27 2830 Virum) Polish and Austrian inventory, thus in certain                         reservations, the Data Controller transfers the data to this contracted partner.


 

IX.          How personal data are stored, security of processing

The Data Controller's computer systems and other data storage locations are located at its headquarters and on its relevant servers. The Data Controller shall select and operate the IT tools used to process personal data in the course of providing the service in such a way that the processed data:

·        accessible only to authorised persons;

·        authenticity and verification;

·        is unchanged;

·        be protected against unauthorised access.

The Data Controller shall take appropriate measures to protect the data against, in particular, unauthorised access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction, damage or loss, and inaccessibility resulting from changes in the technology used. The Data Controller shall ensure the security of data processing by technical, organisational and organisational measures which provide a level of protection appropriate to the risks associated with the processing, taking into account the state of the art. At the same time, data subjects are informed that electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity, the contestation of a contract, or the disclosure or modification of information. The Data Controller will take all reasonable precautions to protect against such threats. The data processed by the Data Controller are primarily accessible to our competent internal staff and are not disclosed to third parties, except for legitimate interests (e.g. debt collection), legal obligations or with the prior explicit consent of the data subject.

The data controller's servers are hosted by one of the largest ISO 27001 certified internet and cloud service providers (Zero Time Service Ltd.), who operate the service in two physically separate server rooms in parallel, with a geo-redundant infrastructure and constant technical and security supervision. The servers are protected by a firewall against unauthorised intruders. The data centres are protected by security guards and access is only possible after appropriate card identification. The addresses of the data centres are 18-22 Victor Hugo Street, 1132 Budapest and 188 Váci Street, 1138 Budapest.

The data processor in charge of sending the newsletter (Wanadis Ltd.) has taken the following steps to ensure the provision of the Maileon service in accordance with the requirements of the GDPR:

·        Monitored and strengthened its security infrastructure and practices for data encryption, in-transit data, inactive data, backups, logs and security alerts.

·        Introduced a new risk analysis and data consultation process.

·        It will anonymise and subsequently delete all data, except for the previously mentioned data necessary to prove unsubscription, if the user unsubscribes or requests the deletion of his/her data.

·        It guarantees that services provided in German data centres meet GDPR criteria and are ISO 27001 certified.

·        The services provided by the owner of Maileon's software (Xqueue GmbH) comply as far as possible with the specifications and standards described in the ISO 27001 certification. The standards convergence and compliance workflow is based on the ITIL framework.



 

X.          Cookies

The Data Subject acknowledges that he or she gives his or her explicit consent to the use of cookies when using the Website (Article 6 (1) (a) GDPR). If the browser used by the Data Subject allows it, the Website may automatically save information about the computer or other device used by the Data Subject for browsing and place so-called cookies on it. The Data Controller provides the possibility for the Data Subject to review the scope of cookies allowed by the Data Subject at a later stage and to modify the cookies allowed. This section explains what cookies are and how the Controller uses them.

The Data Subject may also refuse the use of cookies on his or her own computer or other browsing devices, or in the settings of the browser used to access the Website (usually under Tools/Settings/Privacy/Cookies). By refusing cookies, the Data Subject will not be able to use the full functionality and services of the Website and, as a consequence, the Data Controller cannot guarantee full, smooth and uninterrupted use of the Website. The Data Subject can find more information about cookies on the website of the European Interactive Digital Advertising Association.

Cookies are packets of data that are placed on the Data Subject's computer or other browsing device during a visit to the Website. Cookies have different functions and can be used for different reasons, such as:

·        necessary cookies: their use is essential for the functioning and operation of the Website. Without them, the Website or parts of the Website would not function or would not function properly. The Website operator uses the necessary cookies in accordance with Regulation 2002/58/EC;

·        Functional cookies: these cookies are used to improve the user experience, for example to remember the browsing device, language or personal preferences;

·        statistical cookies: these cookies are anonymised; they help us to understand how a visitor interacts with the Website;

·        marketing cookies: these cookies collect precise information about a visitor's browsing habits, which are used to serve advertising content. These cookies are placed on the Website by external service providers.

The Website uses Google Analytics cookies. These cookies are placed by an external service provider and

·        are under the control of the external service provider, not the Data Controller;

·        are available on all websites that use the service;

·        track the visitor's movement from one page to the next;

·        allows the data controller to display more accurate advertising content.

Detailed information on data management for Google Analytics cookies is available on the following websites:

·        Google Privacy Policy;

·        Information for Google Analytics developers.



 

XI.          Other data processing

We inform the Data Subjects that the court, the prosecutor, the investigating authority, the law enforcement authority, the administrative authority, the National Authority for Data Protection and Freedom of Information ("NAIH") or other bodies authorised by law may request the Data Controller to provide information, data, or documents, and the Data Controller will disclose the requested data to the requesting authority within the legal framework. The Data Controller shall disclose to the authorities, where the authority has indicated the precise purpose and scope of the data, only such personal data as are strictly necessary for the purpose of the request and to the extent strictly necessary for the purpose of the request.




XII.          Rights of the Affected Person

If you have any questions or requests regarding the Data Controller's data processing or this Privacy Notice, please contact the Data Controller's Data Protection Officer, Dr. Balazs Surinya at privacy@szallas.hu.

 

1. Right to information

The Data Subject has the right to request at any time information about the personal data concerning him or her processed by the Data Controller and information about the processing of such data.

The Data Controller shall, upon the Data Subject's request, provide information on the data relating to the Data Subject processed by the Data Controller, the data processed by the Data Controller or by a data processor appointed by the Data Controller, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the data processor and its activities related to the processing, the circumstances and effects of any data breach and the measures taken to remedy the same, as well as the legal basis and the recipient of any data transfer.

The right to information can be exercised in writing. The identity of the Data Subject shall be verified by the Data Controller in all cases.

The Data Controller shall provide the Data Subject with a copy of the personal data subject to processing upon request. For additional copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. On the basis of a request made by electronic means, the information shall be provided in electronic format, unless the Data Subject requests otherwise.

Where the Data Subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller may, taking into account the administrative costs of providing the information or information requested or of taking the action requested, charge a reasonable fee or refuse to act on the request.

Following the information, if the Data Subject does not agree with the processing and the accuracy of the processed data, he or she may request the rectification, supplementation, erasure or restriction of the processing of personal data concerning him or her, may object to the processing of such personal data in specific cases, and may exercise a legal remedy as set out in point 6.



2. Right of correction, addition

The Data Subject may request the rectification of inaccurate personal data relating to him or her and the completion of incomplete data.



3. Right to cancellation

If one of the following grounds applies, the Data Subject shall have the right to obtain from the Data Controller, upon his or her request, the deletion of personal data concerning him or her without undue delay:

·        the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Controller;

·        the Data Subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

·        the Data Subject objects to the processing for reasons relating to his or her particular situation and there are no legitimate grounds for the processing;

·        the Data Subject objects to the processing of personal data concerning him or her for direct marketing purposes, including profiling, where it is related to direct marketing;

·        the personal data are unlawfully processed by the Controller;

·        personal data are collected in connection with the provision of information society services directly to children.

The Data Subject may not exercise his or her right to erasure or blocking if the processing is necessary:

·        to exercise the right to freedom of expression and information;

·        in the public interest in the field of public health;

·        for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the exercise of the right of erasure would make such processing impossible or seriously impair it; or

·        to bring, enforce or defend legal claims.



4. Right to restriction of the data processing

At the request of the Data Subject, the Data Controller shall restrict the processing if one of the following conditions is met:

·        the Data Subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the accuracy of the personal data to be verified;

·        the processing is unlawful and the Data Subject opposes the erasure of the data and requests instead the restriction of their use;

·        the controller no longer needs the personal data for the purposes of processing, but the Data Subject requires them for the establishment, exercise or defence of legal claims; or

·        the data subject has objected to the processing: in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller prevail over those of the data subject.

Where processing is restricted, personal data, other than storage, may be processed only with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State. The controller shall inform the Data Subject in advance of the lifting of the restriction on processing.

The Data Controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. Upon request, the controller shall inform the Data Subject of these recipients.



5. Right to data retention

The Data Subject has the right to receive personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and to transmit such data to another controller.

The right to data portability can only be exercised for data whose processing is based on the data subject's consent.



6. Right to object

The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data necessary for the purposes of the legitimate interests pursued by the controller.

In the event of an objection, the Data Controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing.



7. Automated decision-making in individual cases, including profiling

The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which would have legal effects concerning him or her or similarly significantly affect him or her.

The above right shall not apply where the processing is

·        necessary for the conclusion or performance of a contract between the Data Subject and the controller;

·        is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the Data Subject; or

·        is based on the Data Subject's explicit consent.



8. Right of withdrawal

The Data Subject has the right to withdraw his or her consent to data processing at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

Procedural rules

The Data Controller shall inform the Data Subject without undue delay, but at the latest within one month of receipt of the request, of the action taken in response to the request sent to the Data Controller for the purpose of exercising the rights granted. Where necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months if necessary.

The Data Controller shall inform the Data Subject of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay. If the Data Subject has submitted the request by electronic means, the information shall be provided by electronic means, unless the Data Subject requests otherwise. If the controller fails to act on the data subject's request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.



 

XIII.          Remedies

If you have any comments, questions or problems with our Company, our data management or the use of our services, you can contact us using the contact details on our website. Please feel free to contact us with your complaint! Your complaint will be investigated and you will be informed. You can find our contact details in the Contact us section.

You can also take your complaint to court.

You can also lodge a complaint with the National Authority for Data Protection and Freedom of Information:

 

National Authority for Data Protection and Freedom of Information

1055 Budapest, Falk Miksa utca 9-11

Postal address: 1363 Budapest, PO Box 9.

Telephone: 06 (1) 391 1400

Fax: 06 (1) 391 1410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu.

 

XIV.          Data protection incident

A data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Data Controller shall keep records for the purposes of monitoring the measures taken in relation to the personal data breach, informing the supervisory authority and informing the Data Subject, which shall include the scope of the personal data affected by the breach, the number and scope of the Data Subjects, the date of the breach, the circumstances, the effects and the measures taken to remedy the breach. If the Data Controller considers that an incident presents a high risk to the rights and freedoms of Data Subjects, it shall inform the Data Subject and the supervisory authority of the personal data breach without undue delay and within 72 hours at the latest.

 

XV.          Consent to data processing

Declaration of the person concerned, which he/she accepts by ticking the checkbox. In the context of consent-based data processing, as a data subject, I voluntarily, explicitly and on the basis of appropriate information consent to the collection, storage and transfer of my data provided on the Website as described in the Privacy Policy. This consent is valid until revoked. I understand that this consent may be withdrawn at any time without giving any reason. In case of withdrawal of my consent and if I request the deletion of my data by the Data Controller, this may result in the termination of my user status. I acknowledge this legal consequence and declare that I will not object to it. I declare that I am fully responsible for the authenticity of the data I have recorded. I understand, acknowledge and confirm that I have read and understood this declaration by ticking the box.

By ticking the relevant checkbox, I consent to the use of the data provided by me for the purpose of providing personalised information and for contacting me by post or in person to promote the offers of the Website.

 

XVI.          Other provisions

Information about data processing not listed in this notice is provided at the time of collection. The Data Controller reserves the right to unilaterally amend this Privacy Notice by making it available to the Data Subject via the website. If the Data Subject does not request the deletion of his or her personal data following the amendment or does not withdraw his or her previously given consent, the Data Subject shall accept the amended Privacy Notice by his or her own free will after the amendment has entered into force.

The leaflet is available at: https://revngo.com/privacy