II. SOME DATA MANAGEMENTS
1. DATA MANAGEMENT IN CONNECTION WITH ONLINE ACCOMMODATION
Our company offers the possibility to book accommodation online in order to book a room in our hotels in a fast, convenient and cost-free way.
Purpose of data management: to make the booking of accommodation easier, free of charge and more efficient.
Legal basis for data processing: Prior consent of the person lodging the accommodation [Article 6 (1) GDPR (a) of the GDPR], the need to take action at the request of the data subject prior to the conclusion of the contract between the Controller and the Data Controller [Article 6 (1) GDPR]. (b)].
The scope of personal data handled: address; last name and first name; address (country, zip code, city, street, house number); telephone number; e-mail address; in the case of a company, the company name and registered office, bank card number, SZÉP card details (ID, name on the card), representative, contact name, e-mail address and telephone number.
Period of data management: Two years after the last day of the reservation date of stay.
Data Processing Recruitment: Our company uses an IT service provider for your online accommodation system as follows.
The name of the data processor
NetHotelBooking Kft.
Knighthosting LLC
Headquarter
8200 Veszprém, Boksa tér 1/A
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Description of the data processing task
Operation of the contracting module
Operation of the Website
By accepting this information, you expressly consent to the use of additional data processors by NetHotelBooking Ltd. to make the service more convenient and customized as follows:
The name of the data processor
The Rocket Science Group, LLC
675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA
8200 Veszprém, Boksa tér 1. The int.
Description of the data processing task
Owner of Mandrill software integrated into the reservation system. This software is responsible for sending automated emails showing confirmations, notifications when booking, bidding and measuring satisfaction
performing server hosting tasks
Possible Consequences of Failure to Provide Information: The hotel cannot bid.
Rights of the data subject: the data subject (the person whose personal data is
processed by our company)
(a) request information on the processing of, and access to, personal data
relating to him or her;
(b) apply for their correction,
(c) request their cancellation,
(d) request, under the conditions of Article 18 of the GDPR, to restrict the
processing of your personal data (that is, not to delete or destroy your data until a court or authority has requested it, but for a maximum of thirty days; handle)
(e) object to the processing of personal data;
(f) exercise the right to data portability. Under the latter law, the data subject has the right to receive personal data in word or excel format and to forward such data to another data controller upon request.
Other Information on Data Management: Our company takes all necessary technical and organizational measures to prevent a possible privacy incident (eg, damage to, loss of, or access to unauthorized files containing personal data). In the event of an incident occurring, we will keep a record of the personal data involved, the scope and number of those affected, the date, circumstances, effects and measures taken to remedy the incident and to inform the data subject. other data specified in the law requiring data processing.
Our company has entered into a data processing contract for data processing tasks, in which data processors undertake to apply, in the event of further processing, the data protection and data processing guarantees that are required by the data processing contract.
3. SERVICE, ACCOUNTING DATA MANAGEMENT
In order to fulfill the contract with our hotel guests, including payment of hotel service fees, our company manages the personal data of our guests. Purpose of data management: use of hotel services by the data subject, determination and billing.
Legal basis for data processing: need to execute a contract in which one of theparties is concerned [Article 6 (1) (b) of the GDPR] and
Article 69 (1) and (2) of Act C of 2000 on Accounting fulfillment of a legal obligation under the provisions of [GDPR Article 6 (1) (c)]
Personal data handled: surname and first name, place of birth, time, address, email address, telephone number, identity card number, vehicle license plate number, nationality, signature
Duration of data processing: 5 years from the date on which the data subject is provided with the personal data by the data subject (limitation period). In the case of an invoice, the period of data management shall be 8 years from the date of the submission of the personal data by the data subject to the preparation of the report, business report or accounting for the financial year.
Use of data processor: none.
Possible consequences of failure to provide information: The data subject will not be able to use our hotel services.
Rights of the data subject: the data subject (the person whose personal data is processed by our company)
(a) request information on the processing of, and access to, personal data
relating to him or her;
(b) apply for their correction,
(c) request their cancellation,
d) request, under the conditions of Article 18 of the GDPR, to restrict the
processing of your personal data (that is, not to delete or destroy your data until a court or authority has requested it, but for a maximum of thirty days; handle)
(e) object to the processing of personal data;
(f) exercise the right to data portability. Under the latter law, the data subject has the right to receive personal data in word or excel format and to forward such data to another data controller upon request.
Other Information on Data Management: Our company takes all necessary technical and organizational measures to avoid a possible privacy incident (eg, damage, loss, unauthorized access to personal data files). In the event of an incident occurring, we will keep a record of the personal data involved, the scope and number of those affected, the date, circumstances, effects and measures taken to remedy the incident and to inform the data subject. other data specified in the law requiring data processing.
4. DATA MANAGEMENT ON GIFT CARD SHOPPING
Guests of our hotels can apply for a gift voucher on our company website. The details (in what name) and value of this gift voucher to be issued are determined by the applicant. Upon receipt of the gift voucher – at the amount stated therein – our hotel guests have the option to pay with this gift voucher at our hotels instead of the usual payment methods (cash, credit card / bank transfer). Purpose of data management: purchase of gift certificates
Legal basis for data processing: Prior consent of the person lodging the accommodation [Article 6 (1) (a) GDPR]
The personal data handled include: first name and first name; telephone number; email address, billing information (name, zip code, city, street, house number), mailing address (name, zip code, city, street, house number).
Duration of data management: until the gift certificate is successfully delivered. In the case of an invoice, the period of data management shall be 8 years from the date of the submission of the personal data by the data subject to the preparation of the report, business report or accounting for the financial year.
Data Processing Recruitment: Our company uses an IT service provider to operate your online gift voucher purchase system as follows.
The name of the data processor
Knighthosting LLC
Knighthosting LLC
Service4You Hospitality Kft.
Headquarter
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
H-1037 Budapest, Folyondár utca 9/B
Description of the data processing task
Operating an online gift voucher purchase module
Operation of the Website
Operation of the WebsiteGift certificate delivery
Possible consequences of failure to provide information: The person concerned cannot purchase a gift certificate.
Rights of the data subject: the data subject (the person whose personal data is processed by our company)
(a) request information on the processing of, and access to, personal data
relating to him or her;
(b) apply for their correction,
(c) request their cancellation,
d) request, under the conditions of Article 18 of the GDPR, to restrict the
processing of your personal data (that is, not to delete or destroy your data until a court or authority has requested it, but for a maximum of thirty days; handle)
(e) object to the processing of personal data;
(f) exercise the right to data portability. Under the latter law, the data subject has the right to receive personal data in word or excel format and to forward such data to another data controller upon request.
Other Information on Data Management: Our company takes all necessary technical and organizational measures to prevent a possible privacy incident (eg, damage to, loss of, or access to unauthorized files containing personal data). In the event of an incident occurring, we will keep a record of the personal data involved, the scope and number of those affected, the date, circumstances, effects and measures taken to remedy the incident and to inform the data subject. other data specified in the law requiring data processing.
Our company has entered into a data processing contract for data processing
tasks, in which data processors undertake to apply, in the event of further
processing, the data protection and data processing guarantees that are required by the data processing contract.
5. DATA MANAGEMENT FOR SUBSCRIPTION TO NEWSLETTER
Newsletters inform subscribers of our offers, news and promotions. You can subscribe to our company newsletter either on https://service4you.hu/ or on our hotel website. By subscribing to this newsletter, you consent to be contacted for newsletters concerning our company and all our hotels. Subscribing to a newsletter is not a condition of any of our services beyond sending newsletters.
Purpose of data management: sending newsletter
Legal basis for processing the data: consent of the data subject [Article 6 (1) (a) GDPR].
The scope of personal data processed: first name and first name, email address
Duration of data management: Until you unsubscribe from the newsletter.
Use of a data processor:
For the online newsletter system, we will use the help of an IT service provider as follows.
The name of the data processor
Knighthosting LLC
Knighthosting LLC
Headquarter
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Description of the data processing task
Storage and operation of a newsletter database
Operation of the Website
Possible Consequences of Failure to Provide Data: The data subject will not receive a newsletter from our company.
Rights of the data subject: the data subject (the person whose personal data is processed by our company)
(a) request information on the processing of, and access to, personal data
relating to him or her;
(b) apply for their correction,
(c) request their cancellation,
d) request, under the conditions of Article 18 of the GDPR, to restrict the
processing of your personal data (that is, not to delete or destroy your data until a court or authority has requested it, but for a maximum of thirty days; handle)
(e) object to the processing of personal data;
(f) exercise the right to data portability. Under the latter law, the data subject has the right to receive personal data in word or excel format and to forward such data to another data controller upon request.
You can unsubscribe from the newsletter at any time by sending an email to our company at info@service4you.hu or by clicking the unsubscribe icon in the newsletter. In this case, your personal newsletter sending information will be immediately removed from our database.
Other Information on Data Management: Our company takes all necessary technical and organizational measures to avoid a possible privacy incident (eg, damage, loss, unauthorized access to personal data files). In the event of an incident occurring, we will keep a record of the personal data involved, the scope and number of those affected, the date, circumstances, effects and measures taken to remedy the incident and to inform the data subject. other data specified in the law requiring data processing.
Our company has entered into a data processing contract for the data processing tasks, in which data processors undertake to apply the data protection and data management guarantees required by the data processing contract in case of additional data processing, therefore our company ensures the lawful processing of personal data.
6. PERSONAL DATA MANAGEMENT IN RESPECT OF SATISFACTION MEASUREMENT
Our goal is to provide our hotel guests with a high standard of service, so we are constantly asking for feedback from our guests during their stay at our hotel.
Purpose of data management: Requesting feedback from hoteliers to further develop and improve our hotel service.
Legal basis for the processing: Data controller’s legitimate interest [GDPR Article 6 (1) (f)], consent of the data subject [GDPR Article 6 (1) (a)].
Marking a legitimate interest: Our company has a legitimate interest in providing us with feedback to improve our services.
The range of personal data that we process: first and last name, gender, email address.
Period of data management: Two years after the last day of the reservation date
of stay.
Data Processing Recruitment: Our company uses an IT service provider for your online accommodation system as follows.
The name of the data processor
NetHotelBooking Kft.
Knighthosting LLC
Headquarter
8200 Veszprém, Boksa tér 1/A
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Description of the data processing task
Operation of the Satisfaction Module
Operation of the Website
By accepting this information, you expressly consent to the Data Processor employing additional data processors to make the service more convenient, as follows:
The name of the data processor
The Rocket Science Group, LLC
Headquarter
675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA/h4>
Description of the data processing task
Owner of Mandrill software integrated into the reservation system. This software is responsible for sending automated emails showing confirmations, notifications when booking, bidding and measuring satisfaction
Possible Consequences of Failure to Provide Data: The data subject will not receive a satisfaction questionnaire from our company.
Rights of the data subject: the data subject (the person whose personal data is processed by our company)
(g) request information on the processing of, and access to, personal data
relating to him or her;
(h) apply for their correction,
(i) have the right to request their cancellation,
j) request, under the conditions set forth in Article 18 of the GDPR, to restrict the processing of personal data (that is, not to delete or destroy the data until a court or authority has requested it, but for a maximum of thirty days; handle)
(k) object to the processing of personal data,
(l) exercise the right to data portability. Under the latter law, the data subject has the right to receive personal data in word or excel format and to forward such data to another data controller upon request.
Other Information on Data Management: Our company takes all necessary technical and organizational measures to prevent a possible privacy incident (eg, damage to, loss of, or access to unauthorized files containing personal data). In the event of an incident occurring, we will keep a record of the personal data involved, the scope and number of those affected, the date, circumstances, effects and measures taken to remedy the incident and to inform the data subject. other data specified in the law requiring data processing.
Our company has entered into a data processing contract for data processing tasks, in which data processors undertake to apply, in the event of further processing, the data protection and data processing guarantees that are required by the data processing contract.
7. COOKIE TREATMENT AND GOOGLE ANALYTICS
Data Manager uses Google Analytics to provide a small amount of data on a user’s computer, places a cookie and reads it back later. If the browser returns a previously saved cookie, the cookie management service provider may link the current visit of the user to the previous cookie, but only to its own content.
Purpose of data management: identification, tracking, differentiation of users, identification of the current session of users, storage of data provided during the session, prevention of data loss, web analytics measurements, personalized service.
Legal basis for processing the data: consent of the data subject [Article 6 (1) (a) GDPR].
The range of data to be handled: IP address, date, time, and the page you previously visited.
Duration of data management: maximum 90 days from the date of visit to the website
Data Processing Recruitment: Our company uses the following IT service providers as described below.
The name of the data processor
NetHotelBooking Kft.
Knighthosting LLC
Headquarter
8200 Veszprém, Boksa tér 1 / A
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Description of the data processing task
Recording visitor data
Operation of the Website
Further information on data management: The user can delete a cookie from his or her computer or disable the use of cookies in his or her browser.
For more information about setting your cookie preferences within your browser, please see the following policies:
Internet Explorer
Firefox
Chrome
Safari
Learn more about Google Analytics at https://policies.google.com/privacy. Possible consequences of non-provision of data: impossibility of using the service as outlined in section II.1-6 above.
When you visit our website, the web server automatically logs the user’s activity.
Purpose of data management: during the visit to the website the service provider records the visitor data in order to check the operation of the services and to prevent abuse.
Legal basis for the data management: Article 6.1 (f) of the GDPR
Marking of legitimate interest: Our company has a legitimate interest in the safe operation of the website.
The type of personal data handled: ID number, date, time, address of the page you visit.
Duration of data management: maximum 90 days from the date of visit to the website.
Data Processing Recruitment: Our company uses an IT service provider for server logging as follows.
The name of the data processor
NetHotelBooking Kft.
Knighthosting LLC
Headquarter
8200 Veszprém, Boksa tér 1 / A
12-45 River Rd Suite 354 | Fair Lawn, NJ, 07410
Description of the data processing task
Recording of visitor data and information necessary for the operation of the server
Operation of the Website
Further information: Our company does not combine data obtained from the analysis of logs with other information, nor does it attempt to identify the user’s identity. The addresses of the pages visited, as well as the date and time data alone are not suitable for identifying the data subject, but in combination with other data (eg provided during registration) they can be used to draw conclusions about the user.
Third Party Logging Data Management:
The html code of the portal contains links from an external server that are
independent of our company and point to an external server. The external service server is directly connected to the user’s computer. Please note that the providers of these links are able to collect user data (eg IP address, browser, operating system data, mouse cursor, page visited and date of visit) due to direct connection to their server, direct communication with the user’s browser.
An IP address is a series of numbers that uniquely identifies computers, mobile devices on the Internet.
IP addresses can be used to locate a visitor using a particular computer geographically. The addresses of the pages visited, as well as the date and time data alone are not suitable for identifying the data subject, but in combination with other data (eg provided during registration) they can be used to draw conclusions about the user
9. OTHER DATA MANAGEMENTS
Data handling not listed in this brochure will be provided at the time of data collection. We inform our clients that certain authorities, public authorities and courts may contact our company for personal information. Our company will provide such bodies with personal data only to the extent and to the extent necessary to fulfill the purpose of the request and provided that the request is provided for by law, provided that the specific purpose and scope of the data have been indicated to them.
III. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA MANAGEMENT
Our computer systems and other data storage locations are located at the headquarters and on servers leased by the data processor. Our company selects and operates the IT tools used to manage your personal data in the course of providing the service in such a way that the managed data:
(a) accessible to those entitled (availability);
(b) its authenticity and authentication are assured (authenticity of data
management);
(c) its unchangeability can be demonstrated (data integrity);
(d) be protected against unauthorized access (confidentiality of data).
We pay particular attention to the security of the data, and take the technical and organizational measures and procedures necessary to enforce the GDPR warranties. In particular, the data shall be protected by appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and against accidental destruction, damage or unavailability due to changes in technology used.
Both our company and our partners’ IT systems and networks are protected against computer-aided fraud, computer viruses, computer hacking and denial of service attacks. The operator also provides security through server-level and application-level security procedures. Daily data backup is resolved. In order to avoid privacy incidents, our company will take all possible measures, and in the event that such an incident occurs, we will take immediate action to minimize the risks and prevent damage, in accordance with our internal policies.
IV. RIGHTS OF STAKEHOLDERS, REMEDIES
The data subject may request information on the processing of his or her personal data, and may request the rectification, deletion, cancellation of his or her personal data, except for mandatory data processing, exercise his or her right to data storage and protest.
Upon request by the data subject, the information will be provided in electronic form without delay, but no later than 30 days, in accordance with our applicable policies. Requests by those concerned to enforce the rights below will be executed free of charge.
Right to information:
Our company shall take appropriate measures to ensure that the persons
concerned have all the information on the processing of personal data referred to in Articles 13 and 14 of the GDPR and in Articles 15 to 22. and Article 34 shall provide each piece of information in a concise, transparent, comprehensible and easily accessible form, but in a clear and unambiguous manner, but in a precise manner
The right to be informed may be exercised in writing through the contact details provided in point 1. Upon request, the person concerned may also be provided orally, upon verification of his or her identity. We inform our clients that if any of our employees have any doubts about the identity of the data subject, we may ask for information to confirm the data subject’s identity
The data subject’s right of access:
The data subject shall have the right to receive feedback from the controller as to whether the processing of his or her personal data is ongoing. Where personal data are being processed, the data subject shall have the right of access to the personal data and to the following information listed.
• Purposes of data management;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular third-country recipients (outside the European Union) or international organizations;
• the envisaged period for which the personal data will be stored;
• the right to limit rectification, erasure or data management and the right to
object;
• the right to lodge a complaint to the supervisory authority;
• information on data sources; the fact that automated decision-making,
including profiling, and intelligible information about the logic used and the
significance and likely consequences for the data subject of such data management.
In addition, in the event of the transfer of personal data to a third country or to an international organization, the data subject shall have the right to be informed of appropriate guarantees regarding the transfer.
Right of rectification:
Under this right, anyone may request the correction of inaccurate personal data
held by us and the completion of incomplete data.
Right to delete:
The data subject shall have the right to delete personal data concerning him or her without undue delay on any of the following grounds:
(a) personal data are no longer required for the purpose for which they were
collected or otherwise processed;
(b) the data subject has withdrawn his consent as the basis for the processing
and there is no other legal basis for the processing;
(c) the data subject objects to the processing and there is no legitimate and
legitimate reason for the processing;
(d) unlawful processing of personal data is established;
(e) personal data must be deleted in order to comply with a legal obligation
under Union or national law applicable to the controller;
(f) personal data have been collected in connection with the provision of
information society services.
Deletion of data shall not be initiated if the processing is necessary for the following purposes:
(a) for the exercise of the right to freedom of expression and information;
(b) to fulfill an obligation under the Union or national law applicable to the
controller for the processing of personal data or to carry out a task in the public interest or in the exercise of official authority vested in the controller;
(c) for public health purposes or for archival, scientific and historical research or statistical purposes in the public interest;
(d) or for the filing, enforcement or defense of legal claims.
Right to restrict data management:
At the request of the data subject, we limit the processing of data under the conditions of Article 18 of the GDPR, ie if:
(a) the data subject contests the accuracy of the personal data, in which case the restriction shall be for a period which allows the accuracy of the personal data to be verified;
(b) the data processing is unlawful and the data subject opposes the erasure of
the data and instead requests that their use be restricted
(c) the controller no longer needs personal data for the purposes of data
processing but the data subject requires them to assert, assert or defend a legal claim; obsession
(d) the data subject has objected to the processing; in this case, the restriction shall apply for a period until it is established whether the legitimate grounds of the data controller prevail over those of the data subject. Except where stored, personal data may be processed only with the consent of the data subject, or for the purpose of making, enforcing or defending legal claims, protecting the rights of any other natural or legal person, or for important public interests of the European Union. The data subject shall be informed in advance of the lifting of the restriction on data management.
Right to carry data:
The data subject shall have the right to receive personal data concerning him or her which he or she has made available to the data controller in a structured, widely used, machine-readable format and to forward such data to another data controller. Our company can fulfill such request of the data subject in word or excel format.
Right of objection:
Where personal data are processed for the purpose of direct marketing, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for this purpose, including profiling, in so far as it relates to direct marketing. If you object to the processing of personal data for the purpose of direct marketing, the data cannot be processed for this purpose.
Automated decision making on individual matters, including profiling:
The data subject shall have the right not to be subject to a decision based solely on automated data management, including profiling, which would have legal effects or be substantially affected by him. The above authority does not apply if data management
(a) necessary for the conclusion or performance of a contract between the data
subject and the controller;
(b) it is made available under Union or national law applicable to the controller, which shall have the rights, freedoms and legitimate interests of the data subject
(c) establish appropriate protection measures; obsession
(d) is based on the explicit consent of the data subject.
Right of Withdrawal:
The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of the consent shall not affect the legality of the consent based data management prior to the withdrawal.
Rules of procedure:
The controller shall inform the data subject without undue delay, but in any case within one month of receipt of the request, in accordance with Articles 15 to 22 of GDPR. Measures taken following an application under Article. Where necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month from the receipt of the request.
If the data subject has filed the application by electronic means, the information shall be provided by electronic means unless the data subject requests otherwise.
If the Data Controller does not act on the data subject’s request, it shall inform the data subject without delay, but no later than one month from the receipt of the request, of the reasons for the non-action and of the data subject’s recourse to the supervisory authority.
Unless it proves impossible or requires a disproportionate effort, the controller shall inform all recipients of any rectification, erasure or restriction on the processing of personal data with or to whom the personal data have been communicated. At the request of the data subject, the controller shall inform those addressees.
Compensation and damages:
Any person who has suffered material or non-material damage as a result of a breach of the Data Protection Regulation shall be entitled to compensation from the controller or the processor for the damage suffered. The data controller shall only be liable for damages caused by the data processing if he has failed to comply with the obligations specifically imposed on the data processors by the law, or if he has disregarded or acted in contravention of the lawful instructions of the data controller. If several controllers or processors, or both controllers and processors, are involved in the same data processing and are responsible for the damage caused by the data processing, each data controller or processor shall be jointly and severally liable for the entire damage.
The controller or the processor shall be released from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
Access to Justice and Data Protection Authority Procedure:
If the data subject considers that the Data Controller has violated his or her right to the protection of personal data in the course of his or her data processing, he or she may, in accordance with applicable law, seek redress from the competent authorities as follows:
– lodge a complaint with the National Data Protection and Freedom of Information Authority
address: 1125 Budapest, Erzsébet Szilágyi alley 22 / c .;
Website: www.naih.hu;
email: ugyfelszolgalat@naih.hu;
phone: + 36-1-391-1400
(hereinafter referred to as “NAIH”)
– apply to the competent court.
The court will deal with the matter out of turn.
The Data Controller undertakes to cooperate fully with the court or NAIH involved in these proceedings and to disclose the data relating to the processing to the NAIH or the court concerned.
V. MISCELLANEOUS PROVISIONS
The Data Controller undertakes to ensure that all data management related to its activities complies with the requirements set out in this Prospectus, the Internal Regulations of the Data Controller, which impose the same requirements as in this Prospectus, and the applicable legislation.
The Data Controller reserves the right to change this information at any time by notifying those concerned of any changes by means of a notice published on its website after the changes have been made.
If you have any questions regarding this information, please email us.
Last updated: 01.05.2018
