This Privacy Notice (hereinafter: Notice) provides information to the Data Subjects (hereinafter: Data Subject) about the personal data processed in the course of the services provided by TÓ HOTEL Kft. based on article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
Name of the Controller: TÓ HOTEL Kft. (hereinafter: Company or Enterprise)
registration number: 01-09-865933
Controller’s registered seat: 1185 Budapest, Rimaszombat utca 11.
Controller’s e-mail address: firstname.lastname@example.org
Controller’s representative: Mrs. Julianna Karacs Zagyva, managing director
- Processing the Data Subjects’ data
2.1. Data subjects
TÓ HOTEL Kft. processes the personal data of natural persons using the services provided by the Company.
2.2. Categories of the processed personal data
The Controller processes the following personal data of the Data Subjects:
- Place and date of birth;
- E-mail address;
- Number of personal identity card, passport.
2.3. The purpose and the legal basis of data processing
The purpose of data processing is to identify the guests, to keep contacts with them as well as to protect the guests’ person and property in the course of the services provided by TÓ HOTEL Kft.
Data may be processed:
- In order to prepare the conclusion of a contract for providing services and to fulfill the service contract;
- In order to fulfill legal obligations;
- Based on the legitimate interest of the Controller or a third party.
Data processing based on the Data Subject’s consent
In this case, personal data are processed based on the Data Subject’s consent (voluntary, concrete and clear declaration of intent based on appropriate information). The consent is given voluntarily and the Data Subject may withdraw his/her consent at any time, without restriction, via notification addressed to the Controller.
Withdrawing the consent shall not impose any consequences on the Data Subject. However, withdrawing the consent does not affect the lawfulness of consent-based processing before the withdrawal.
- Rights of the Data Subjects
3.1. Right to access
Data Subjects have the right to obtain from the Enterprise confirmation as to whether or not their personal data are being processed, and, where that is the case, whether they are entitled to access the personal data and the following information:
- Purposes of data processing with regard to the given personal data,
- Categories of the personal data concerned,
- Categories of recipients to whom the personal data of the Data Subject have been, or will be communicated, especially including recipients in third countries and international organizations (if data are forwarded to recipients in third countries and international organizations, the Data Subject may request information as to whether the data are forwarded under appropriate guarantees),
- The period for which the personal data concerned are planned to be stored, or if that is not possible, the criteria used to determine that period,
- Rights of the Data Subject (right to rectification, erasure or restriction, right to data portability, as well as the right to object to processing such personal data),
- Right to lodge a complaint with a supervisory authority,
- Where the data are not collected by the Enterprise from the Data Subject, any available information as to their source,
- The fact of automated decision-making regarding the personal data concerned, also including profiling; if data are processed in this manner, the information shall cover the applied logic as well as the expected significance and the envisaged consequences of such processing for the Data Subject.
Where the Data Subject made the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.
Before fulfilling the request, the Enterprise may request the Data Subject to correct the contents of the request and to accurately indicate the requested information and data processing activities.
If the access right of the Data Subject hereunder adversely affects other people’s rights and freedoms, thus specifically other people’s business secrets or intellectual property, the Enterprise may reject the fulfilment of the Data Subject’s request at the required and proportionate rate.
If the Data Subject requests several copies of the above information, the Enterprise may charge an administrative fee that is reasonable and proportionate with making extra copies.
If the Enterprise does not process the personal data indicated by the Data Subject, the Enterprise shall also notify the Data Subject about this fact in writing.
3.2. Right to correction
Data Subjects have the right to request correction of their personal data. If the personal data relevant to the Data Subject are deficient, the Data Subject may request supplementation of the personal data.
When exercising the right to correction/supplementation, the Data Subject shall indicate which data are inaccurate or deficient, and shall also inform the Enterprise about the full and accurate data. In a justified case, the Enterprise may call on the Data Subject to evidence the corrected data to the Enterprise in an appropriate manner, primarily through documents.
The Enterprise shall correct and supplement the data without unjustified delay.
After fulfilling the Data Subjects’ request to enforce their right to correction, the Enterprise shall immediately notify the persons to whom the Data Subjects’ personal data were disclosed, provided that it is not impossible or it does not require disproportionate efforts from the Enterprise. Upon request, the Enterprise shall inform the Data Subject about those recipients.
3.3. Right to erasure (‘right to be forgotten’)
The Data Subjects may request the Enterprise to delete their personal data without any unjustified delay if any of the below reasons prevail:
- The personal data indicated by the Data Subject are no longer necessary in relation to the purpose for which they were collected or otherwise processed by the Enterprise,
- The Enterprise processed the personal data (also including special data) based on the Data Subjects’ consent, the Data Subjects withdrew their consent in writing and the data processing has no other legal ground,
- The Data Subject objects to data processing that is based on the Enterprise’s legitimate interest, and the Enterprise has no compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or which are connected to the establishment, enforcement or defence of legal claims,
- The Enterprise processed the personal data unlawfully,
- The personal data processed by the Enterprise have to be erased for compliance with a legal obligation set forth in an EU or Member State law to which the Enterprise is subject,
- The Data Subjects object to data processing and there is no overriding legal ground for data processing.
Data Subjects shall submit their erasure request in writing, and shall indicate what personal data should be erased and for what reason.
When exercising the right to erasure, the Enterprise shall act in consideration of the procedural rules specified in paragraph 4.3.
If the Enterprise accepts the Data Subjects’ erasure request, it shall erase the processed personal data from all records and shall appropriately notify the Data Subjects about this fact.
If the Enterprise is obliged to delete the Data Subjects’ personal data, the Enterprise shall take all reasonable measures – also including technical measures – that are also required for notifying those controllers about the obligatory erasure of the personal data who accessed the Data Subjects’ personal data as a result of their disclosure.
In the notification the Enterprise shall notify the other controllers about the fact that the Data Subjects requested erasure of the links to their personal data or erasure of the copy or copies of such personal data.
After fulfilling the Data Subjects’ request to enforce their right to erasure, the Enterprise shall immediately notify the persons to whom the Data Subjects disclosed their personal data, provided that it is not impossible or it does not require disproportionate efforts from the Enterprise. The Enterprise shall inform the Data Subject about those recipients if it is requested by the Data Subject.
The Enterprise is not obliged to erase personal data if data processing is required for:
- Exercising the right of freedom to express opinion and to receive information,
- Fulfilling the obligation of personal data processing imposed on the Enterprise by a Hungarian or EU law,
- Performing a task carried out in the public interest or within the framework of exercising official authority vested in the Enterprise,
- Implementing a public interest concerning the area of public health,
- Archiving in public interest and for scientific and historical or statistical purpose, provided that data processing would probably become impossible or seriously endangered if the Data Subject exercised his/her right to be forgotten,
- Establishing, exercising or defending legal claims.
3.4. Right to limit data processing
Data Subjects may request the Enterprise to limit the processing and the use of their personal data without delay if any of the below reasons prevail:
- The accuracy of the personal data is contested by the Data Subject (in this case, the limitation lasts until the Enterprise verifies the accuracy of the personal data),
- The Enterprise processed the personal data unlawfully but the Data Subject requests limitation instead of erasure,
- The purpose of data processing ceased to exist for the Enterprise but the Data Subject requires them in order to submit, enforce or protect legal claims,
- The Data Subject objects to data processing that is based on the Enterprise’s legitimate interest, and the Enterprise has no compelling legitimate grounds for processing which override the interests, rights and freedoms of the Data Subject or that are connected to the establishment, enforcement or defence of legal claims; in this case, the limitation exists until it is established whether the Enterprise’s legitimate reasons are given priority over the Data Subject’s legitimate reasons.
In the case of limitation, personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or legal entity or in an important public interest of the Union or a Member State.
The Enterprise shall be previously inform the Data Subject about terminating the limitation of data processing.
After fulfilling the Data Subjects’ request to enforce their right to limitation, the Enterprise shall immediately notify the persons to whom the Data Subjects disclosed their personal data, provided that it is not impossible or it does not require disproportionate efforts from the Enterprise. The Enterprise shall inform the Data Subject about those recipients if requested by the Data Subject.
3.5. Right to object
Exercising the right to object may arise in the case of data processing based on a legitimate interest since the Enterprise deals with no data processing in public interest and has no public authority either, conducts no scientific or historical research and no data are processed for statistical purposes.
If the data of the Data Subjects are processed based on a legitimate interest, it is an important, safeguard-type provision that proper information and the enforcement of the right to object must be guaranteed for the Data Subjects with regard to data processing. The attention of the Data Subject shall be expressly drawn to this right at the latest upon making the first contact.
Based on this, the Data Subjects may object to processing their personal data, and in this case the Enterprise may no longer process the Data Subjects’ personal data unless it can be prove that
- Data processing by the Enterprise is justified by compelling legitimate reasons that are given priority over the Data Subjects’ interests, rights and freedoms, or
- Data processing is required for submitting, enforcing or protecting the legal claims of the Enterprise.
3.5.1. Right to object in the case of direct marketing
In the event of data processing for direct marketing, the GDPR also recognizes that the existence of legitimate interest can be presumed in the case of related data processing.
Therefore, in the case of direct marketing activities pursued by the Enterprise, the Data Subjects may also object to processing their personal data for this purpose, however, as against data processing based on other legitimate interest, the Enterprise cannot consider – as a result of the objection – whether the data processing can still be continued if objected by the Data Subject.
If the Data Subject objects to data processing for the purpose of direct marketing, the personal data of the Data Subject may no longer be processed by the Enterprise for this purpose.
Upon profiling the personal features of the Data Subjects are assessed through various automated methods. Such assessments may be used, e.g. for analyzing or forecasting the Data Subjects’ characteristics related to work performance, economic status, health condition, personal preferences, interests, reliability, behaviour, place of residence or movement.
The right to object also covers profiling based on a legitimate interest, as a specific data processing operation. If, however, profiling is carried out for the purpose of direct marketing, personal data-based profiling shall also be terminated if it is objected by the Data Subject.
3.6. Right to data portability
Data Subjects have the right to receive their personal data processed by the Enterprise in a structured, commonly used and machine-readable format and have the right to transfer those data to another controller without any limitation by the Enterprise.
The right to data portability may be exercised for personal data that the Data Subject disclosed to the Enterprise and
- Data processing is based on the Data Subject’s consent or on a contractual legal ground and
- Data processing is carried out by automated means.
If technically feasible, the Enterprise transfers the personal data, upon request by the Data Subject, directly to another controller specified in the Data Subject’s request. The right to data portability hereunder shall not raise any obligation for the controllers to introduce or maintain technically compatible data processing systems with each other.
Within the scope of data portability, the Enterprise shall provide the data carrier to the Data Subject free of charge. If the right of the Data Subject to data portability affects adversely other people’s rights and freedoms, thus specifically other people’s business secrets or intellectual property, the Enterprise may reject the fulfilment of the Data Subject’s request to the required extent.
Action taken with regard to data portability shall not mean deletion of the data, but the Enterprise continues to record them until the Enterprise has an appropriate purpose and legal ground for data processing.
3.7. Right to decide on automated decision-making in individual cases, including profiling
The GDPR does not define the term of automated decision-making, but basically it covers all processes whereby the entered data are assessed exclusively with computerized tools, without human intervention, under pre-defined aspects/algorithm, and the decision made as a result of this assessment involves significant consequences for the Data Subject.
The GDPR mentions as an example the rejection of online credit applications through automatic decision-making or online labour force selection without human intervention.
As against this, the term of profiling is accurately specified and laid down in the GDPR, as can also be seen in the previous paragraph, and the point is that the personal characteristics of the Data Subjects are assessed with some automated method. If the Enterprise makes an automated decision on the Data Subject’s personal data, also including profiling, it shall be mentioned in the Privacy Notice. In this case, the Privacy Notice contains information about the applied logic, as well as the significance and the envisaged consequences of such data processing for the Data Subject.
The Data Subjects have the right to request not to be affected by the scope of the decision exclusively based on automated data processing, also including profiling, which would impose a legal impact on them or would affect them in a similarly significant manner. Data Subjects may not request exemption from the effect of the decision based on automated data processing if the decision is required for concluding or fulfilling a contract or the decision-making is facilitated by an EU or member state law or the decision is based on the Data Subject’s express consent.
If automated data processing is required for concluding or fulfilling a contract or it is based on the Data Subject’s consent, the Data Subject has the right to request human intervention from the Enterprise, to express their standpoint and to submit a complaint about the decision.
In the course of data processing, the Enterprise shall do its best to avoid involving data into automated decision-making that pertain to the special category of personal data. If, however, this cannot be avoided, automated decision can be made about the special categories of personal data only if data processing is based on the Data Subjects’ consent or it is required for a significant public interest based on the law of the EU or a member state and appropriate measures have been taken in order to protect the Data Subjects’ rights.
3.8. Right to legal remedy
3.8.1. Right to complaint
If the Data Subjects find that processing their personal data by the Enterprise violates the provisions of the effective privacy regulations, thus specifically those of the GDPR, they may submit a complaint to the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
Contacts of the Hungarian National Authority for Data Protection and Freedom of Information:
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mail address: 1530 Budapest, Pf.: 5.
Data subjects may also submit a complaint to another supervisory authority, especially established in the EU member state of their usual residence, workplace or at the place of the presumed violation of law.
3.8.2. Right to turn to court (right to start an action)
The Data Subjects may turn to court – regardless of their right to submit a complaint – if their rights specified in the GDPR have been violated upon processing their personal data. A lawsuit may be started at a Hungarian court against the Enterprise, being a controller pursuing its activities in Hungary.
Data Subjects may also institute the lawsuit at the court competent at their residence, under article 22 (1) of the current Info Act. The availability of Hungarian courts can be found through the following link: http://birosag.hu/torvenyszekek.
Since the Enterprise is not regarded as a public authority organization acting by exercising the public authority licenses of a member state, the Data Subject may also launch the lawsuit at a court having power and competence at the place of usual residence if the place of usual residence of the Data Subject is in another member state of the European Union.
3.8.3. Other options for enforcing claims
Data Subjects have the right to mandate a non-profit body or association – which has been properly constituted in accordance with the law of an EU member state, has statutory objectives which are in the public interest and is active in the field of protecting the Data Subjects’ rights and freedoms with regard to the protection of their personal data – to lodge the complaint on their behalf, to carry out a court review of the resolution of the supervisory authority, to file an action or to exercise the right to receive compensation on behalf of the Data Subjects.
- Effect and other provisions
This Privacy Notice shall enter into effect on 25 May 2018. The Controller reserves the right to modify this Notice at any time. The Controller notifies the Data Subjects about the modification via publication at its website, at least 8 days prior to the entry into effect of the modification.
Dated: Budapest, 25 May 2018