Hunguest Zrt. - DATA PROCESSING INFORMATION NOTE

2019. február 11.

3. Legal basis of data processing: consent of the data subject

3.1. The legal basis of the data processing performed by the Controller shall be the consent given by the User pursuant to point a) of paragraph (1) of § 6 of GDPR.

3.2. The User shall give his or her consent by ticking the checkbox in front of the data processing statement. The User can read the Data Processing Information Note at any time by clicking on the ‘Data Processing Information Note’ link appearing at the bottom of each page of the website, or by clicking on the link indicated by the ‘Data Processing Information Note’ text part in the Data Processing statement referred to in this section, by means of which the Controller provides for the unambiguous, detailed and advance information of the User. By selecting the checkbox in front of the Data Processing statement, the User shall state to have read the Data Processing Information Note and give his or her consent to processing his or her data as described in this present information note in the knowledge thereof.

4. Data processing without further specific consent of the data subject or after the withdrawal of the consent

4.1. The Controller shall be entitled to process the data recorded with the consent of the data subject User without the further specific consent of the data subject User or even after the withdrawal of the consent based on paragraph (1) of § 6 of GDPR, as follows:

4.2. If the personal data was recorded with the consent of the data subject User, unless otherwise provided for in the law, the Controller shall be entitled to process the recorded data without the further specific consent of the data subject User and even after the withdrawal of the consent of the data subject User, in the following cases:

• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

4.3. Prior to commencing the data processing with reference to the aforementioned legitimate interest the Controller shall be obligated to perform the so-called interest balancing test in each case. The interest balancing test is a three-step process in which the Controller shall identify its legitimate interest and the interest of the data subject User constituting the counter point of weighting, as well as its fundamental right concerned with the planned data processing. Finally, based on the outcome of the weighting, the Controller shall determine whether or not the personal data can be processed based on point f) of paragraph (1) of § 6 of GDPR.

4.4. The Controller shall inform the data subject User of the result of the interest balancing test in such a way that, based on the information, the User can clearly identify the legitimate interest based on which and why the fact that the Controller processes his or her personal data without his or her consent is considered to be a proportional restriction.

4.5. In the course of performing the interest balancing test the Controller shall act as set forth in Opinion no. 6/2014 of the Data Protection Working Party of the Council of the European Union comprising the relevant statements. The Opinion can be read at the following link:
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_hu.pdf#h2-2

5. Other possible legal bases for data processing based on law

5.1. Based on § 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter referred to as: Ekertv.), the Controller shall inform the User of the following:

In order to provide the services the Controller shall be entitled to process the personal data which are inevitably necessary for providing the services. In the case of identity of other conditions, the Controller shall choose and always manage the assets used in the course of providing the services in such a way that personal data will only be processed if the same is inevitably necessary for the provision of the service and for the fulfilment of other purposes defined in this Act, however, even in this respect, only to the extent and time necessary. (The document titled ‘Information on the Use of Cookies’ and Chapter 6 of this present information note define the further rules of the technically necessary data processing.)

The Controller shall only use the data in relation to taking the services for any purpose other than those defined above – including, in particular, improving the efficiency of the service, the delivery of electronic advertisements or other addressed content to the user for market research purposes – with the prior determination of the purpose of processing the data and subject to the consent of the User.

6. Data Processing to ensure the operation of information technology services

6.1. Scope of data subjects affected with the data processing: All Users visiting the website, regardless of taking the services available on the website.

6.2. Legal basis of data processing: In respect of the data processing inevitably necessary for providing the services, § 13/A of Ektv. In respect of the analysis of visits and data processing enabling marketing activities, the consent given by the User pursuant to point a) of paragraph (1) of § 6 of GDPR. The user can give his or her consent to the technical data collection serving for the analysis of the visits and marketing purposes by ticking the checkboxes in the information window popping up when the User starts browsing the website.

6.3. Defining the scope of data processed: The information technology related data processing affects the scope of data necessary for the functionality of the cookies used to operate the website and the use of the log files applied by the web host service provider.

Data processed in order to enable user-friendly browsing:

• the web pages opened and the order in which they were opened in the course of visiting the website
• the IP address of the device used by the User.

Scope of data processed to measure the traffic of the website:

• the web pages opened and the order in which they were opened in the course of visiting the website
• the viewing frequency of the certain web pages of the website
• from which other website the User landed at this website
• Determining the geographic location of the User visiting the website (based on the data of the internet service provider, only approximate data on the location of the device used for browsing)
• starting time of browsing the website
• time of leaving the website (finishing browsing)
• duration of browsing the website.

6.4. Purpose of data processing: The use of cookies and the log files is necessary for operating the website in a user-friendly and safe manner. The purpose of data processing implemented through these is to ensure the user-friendly operation of the website for the data subject User and to collect anonymous data about the use of the website.

Within this:

• Identifying the User’s browsing tool, remembering the identity data – for the duration of browsing – based on the IP address. This makes browsing smoother, since without that the User should identify himself or herself or repeat processes on each page he or she visits.

The data required for the following purposes are recorded anonymously and may not be personally linked:

• Measuring the traffic of the website, measuring the frequency of viewing certain pages of the website, and measuring the duration of browsing certain pages of the website so that the Controller can shape the website as user-friendly as possible.
• Identifying the location of the User (the User’s device used for browsing), regional mapping of the extent of interest in the services of the Controller.
• Identification of the website from which the User landed on this website so that the Controller may become familiar with other topics of interest to Users who are interested in its services or so that the Controller may measure the effectiveness of the activity promoting its services.

The Controller’s IT system uses Google Analytics tools to measure these data. Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as the owner and operator of Google Analytics assets also accesses these anonymous data. Google Inc. also uses the above information to deliver targeted advertisements to the browsing user in addition to making the aforementioned analyses. In doing so, Google Inc., by linking the anonymous data and the IP address of the browsing device, determines the range of interests which can be explored based on the browsing habits of that device, and then delivers targeted advertisements to that device. Apart from the anonymous data listed in this section, Google Inc. does not have access to the additional information referred to in this Information Note.

6.5. Duration of data processing: The Controller processes a part of the data for the duration of browsing and stores certain data for a variable period of time, but up to 2 years.

The data necessary for ensuring the user-friendly operation of the website (the IP address, the order of the pages visited during browsing the website) are recorded until the end of the browsing session (i.e. for the duration of browsing the website) and are deleted when browsing is finished. The Controller processes this type of data by means of the assets of its own IT system, no third party can access these data with the exception of the IT data processing (see below the chapter titled ‘Employing a Data Processor’.

The Controller’s IT system records the data which serve as the basis for measuring the traffic and usage habits of the website are recorded anonymously from the beginning, and these cannot be linked to a person. The Controller’s IT system uses Google Analytics tools to measure these data. The Controller stores these data by means of cookies which function permanently but maximum up to 2 years and which are recorded on the device the User uses for browsing. The User may at any time erase these cookies in the settings of his browser.

6.6. The method of data storage: Anonymously on the Controller’s IT system in separate data processing lists. The data necessary for ensuring the user friendly operation of the website (IP address, the order of the pages visited during browsing the website) are not stored. The cookies providing the data are stored on the device of the User. The log files used by the web host service provider are stored on the hosting service provider’s server.

6.7. The User can find out more about the information on the processes of the IT data processing and the IT data processing implemented by means of Google Analytics tools from the information note which is accessible from the warning message which pops up when the User starts browsing the website, or by clicking on the label ‘Information on the use of cookies’ on the website, as well as on the https://www.google.com/intl/hu_ALL/analytics/support online help page of Google Analytics. The Controller only uses the functions listed above out of the ones recommended by Google Analytics.

7. Data Processing in relation to sending newsletters

7.1. The data subject affected by the data processing is the User who signs up by filling in the fields for signing up for the newsletters on the website. Furthermore, also the User who gives his or her consent to sending the newsletter in a written form when concluding a paper-based contract with the Controller or also in a written form without concluding a paper-based a contract with the Controller.

7.2. Legal basis of data processing: The User’s consent based on points a) of paragraph (1) of § 6 of GDPR and paragraphs (1) and (2) of § 6 of Grt. The User gives his or her free consent after gaining knowledge of this present Data Processing Information Note by filling in the fields for signing up to the newsletters and by ticking the statement on the consent available there, or by ticking the statement on the consent appertaining to sending the newsletter incorporated into the written contract and by signing the contract or by completing and signing a separate paper-based statement. By doing so, the User states that he or she consents to the processing of his or her data in conformity with the Data Processing Information Note or the contract/statement and to sending the newsletters.

In addition to sending useful information, the newsletter service also targets direct marketing by the Controller. The User may sign up to this service regardless of the use of the other services. The use of this service is based on a voluntary decision made by the User after receiving proper information. If the User does not use the newsletter service, it does not cause any disadvantage for him or her in using the website and taking its additional services. The Controller does not make the use of its any other services conditional upon the use of its direct marketing service.

7.3. Defining the scope of data processed:

• Surname
• Christian name
• e-mail address.

7.4. Purpose of data processing: sending newsletters for the User by the Controller, by way of e-mail. Sending newsletters means sending information, promotional offers, and promotional content on the services of the Controller, news and current affairs.

7.5. Duration of data processing: The Controller processes the data processed for sending the newsletters until the withdrawal of the User’s relevant consent (until unsubscribing), or until the data are erased at the User’s request.

7.6. The method of data storage: On the Controller’s IT system in separate data processing list or by filing the paper-based contracts/statements in the case of data handed over by the User for the Controller for sending the newsletters on a paper-based format.

8. Data processing lists

8.1. Information technology data processing related lists: The anonymous lists containing User’s data referring to their browsing habits – as listed in section 6 – or a temporary list recording the IP addresses of User’s device currently used for browsing during the browsing session, kept solely in the information system of the Controller. Data processing is performed only until the end of the browsing session on the latter list. (The other data are stored on the User’s device but the Controller does not keep of list of such data on its own.)

8.2. Newsletter list: Kept with data recorded for the purpose of sending newsletters, messages, information materials and promotional offers via e-mail – as listed in section 7. The Controller processes the data processed until the withdrawal of the User’s consent (until unsubscribing), or until the data are erased at the User’s request.

8.3. Data transfer record: In order to control the lawfulness of the data transfer and inform the data subject the Controller keeps a data transfer record which contains the date of transferring the personal data processed by the Controller, the legal basis and addressee of the data transfer, the definition of the scope of the personal data transferred, as well as the other data specified in the law stipulating the processing of the data.

8.4. Personal data breach record: This is a record on the unlawful processing or manipulating personal data and the measures taken to prevent these. It includes the scope of personal data affected by the breach, the range and number of the data subjects affected by the personal data breach, the date, circumstances, effects of the personal data breach, and the measures taken to prevent these and – in the case of data processing based on a legal obligation – the other data specified in the law stipulating the processing of the data.

8.5. In order to achieve the data processing objectives – in conformity with the foregoing – the Controller stores the data in the form of separate lists and in databases separated by data processing objectives in its IT system and also stores the data processed for the purpose of sending newsletters by means of filing the paper-based contracts/statements.

9. Duration of data processing

9.1. The duration of processing the data in conformity with the certain data processing objective lasts as long as set forth in the description of the data processing according to objectives hereinabove. The Controller processes the data of the data subject User until the above-mentioned data processing objectives have been achieved, or until the User’s consent is withdrawn or the data are erased at the request of the data subject User.

9.2. According to this, the data processing is performed until the withdrawal of the consent statement, the fulfilment of the erasure request, the cancellation of the registration, the un-subscription from the newsletter, or, in the relevant cases, the fulfilment of the statutory obligation. At any time the User shall have the right to object to the data processing, request the termination of the data processing, the elimination of certain methods of data processing and the erasure of the data for certain or all purposes. In these cases, the duration of the data processing last until the receipt and procession of such requests – which shall be performed by the Controller without undue delay but maximum within 10 business days. The user shall have the right to unsubscribe from the newsletter at any time by using the unsubscribe link in the newsletters and by sending a written request to the info@hunguesthotels.hu e-mail address or may also submit his or her objections or requests outlined above by way of e-mail. The Controller only considers a request sent by way of e-mail as verified if that is sent from the User’s e-mail address given for the Controller in connection with the use of the website, or in the course of subscribing to the newsletters or in the written contract/statement and registered with the Controller, maintaining however, that using another e-mail address does not result in ignoring the request.

10. Data storage method

10.1. The Controller stores the data in the form of separate lists and in databases separated by data processing objectives in its IT system and also stores the data processed for the purpose of sending newsletters by means of filing the paper-based contracts/statements.

11. Erasure of data, restricting data processing

11.1. The data processing is terminated in all respects and data are deleted within 10 business days as of receipt of the User’s relevant request, including also the erasure of the already transferred data at a new Controller (provided that the erasure is not excluded by law).

11.2. Instead of the erasure, the Controller restricts the processing of personal data if the User requests this or if, based on the information at its disposal, it can be assumed that the erasure would violate the legitimate interests of the User. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject User’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

11.3. Furthermore, the Controller erases the personal data if

• the processing is unlawful;
• the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
• The data processed are incomplete or inaccurate – and this status cannot be corrected lawfully – presuming no law prohibits the erasure,
• the objective of data processing has terminated or the legally stipulated deadline of data storage has expired;
• it is ordered by the court or the Hungarian National Authority for Data Protection and Freedom of Information.

12. Data transfer

12.1. The Controller only transfers data to authorities in case of a legal obligation.

12.2. The Controller does not transfer data for third parties for business or marketing purposes.

12.3. The Controller keeps a data transfer record on the data transferred.

13. Using a data processor

13.1. Data processing in relation to the use of cookies

13.1.1. Scope of data subjects affected by the data processing: All Users visiting the website, regardless of taking the services available on the website.

13.1.2. The Controller uses as data processor

GOOGLE INC.

Short name: GOOGLE INC.
Trade registration number: 20031277465
Tax number: 20031277465
Company seat: 1600 Amphitheatre Parkway Mountain View CA 94043 US
Site: 1600 Amphitheatre Parkway Mountain View CA 94043 US
Mailing address: 1600 Amphitheatre Parkway Mountain View CA 94043 US

Telephone: -
E-mail: not available
Website: https://www.google.hu/

business company as online marketing service provider (hereinafter referred to as: the Data processor).

13.1.3. Legal basis of data processing: Based on the consent of the User under point a) of paragraph (1) of § 6 of GDPR, the Controller shall be entitled to use a data processor, subject to the prior notification of the User. The User freely consents to the Controller’s using a data processor by means of his or her consent given freely for the Controller for processing his or her data – in any of the manner set forth in the above chapters – after gaining knowledge of the Data Processing Information Note and receiving proper information.

13.1.4. Defining the data affected by the data processing: The data processing affects the data set forth in Chapter 6 of this present information note.

13.1.5. Purpose of the data processing: To ensure the functionality of the website in respect of information technology for the data subject User through the data processing necessary for the operation of the website and the provision of the services offered by the website, and delivering targeted advertisements to the User’s device used for browsing.

13.1.6. Duration of the data processing: It is the same as the data processing periods set forth in Chapter 6 of this present Information Note.

13.1.7. Processing the data exclusively means the technical operations necessary for the operation of the website in respect of information technology and delivering the targeted advertisements.

13.2. No data processing is performed for any other purpose.

13.3. The Data Processors have no interest in the business activities of the Controller.

13.4. The Controller does not use any data processor other than the Data Processors indicated above.

14. User’s data processing related rights

14.1. Right of access of the data subject: Upon the request of the data subject User, the Controller provides information on the data of the data subject User processed by the Controller or the Data Processor assigned by or upon the order of the Controller, the sources of the data, the objective, legal basis, duration of the data processing, the name, address and the data processing related activities of the Data Processor, the circumstances and effects of any personal data breach, the measures taken to avert such breaches, furthermore – in the case of transferring the personal data of the data subject – the legal basis and addressee of the data transmission. The Controller provides the information in a written form within 25 days as of the submission of the relevant request. The fulfilment of the first submission of such a request for a given calendar year is free of charge, in other cases it costs HUF 1,000 (except for: unlawful data processing or if the request leads to a data rectification.)

Right to rectification: The data subject User shall have the right to request the rectification of his or her processed data, which the fulfils without undue delay but maximum within 15 days. Taking into account the purposes of the processing, the data subject User shall have the right to request incomplete personal data completed, including by means of providing a supplementary statement.

Right to data portability: The data subject User shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and shall have the right to have these data transmitted to another controller without hindrance by the controller to which his or her personal data have been provided, if:

1. the processing is based on the User’s consent or a contract; and
2. the processing is carried out by automated means.

In exercising his or her right to data portability pursuant to the foregoing, the data subject User shall have the right to have the personal data transmitted directly from one controller to another, where this is technically feasible.

Right to restriction of processing: The Controller marks the personal data processed by the Controller for the purpose of restricting the data processing. The User shall have the right to obtain from the controller restriction of processing where one of the following applies:

1. The accuracy of the personal data is contested by the data subject User, in which case the restriction applies for the period enabling the Controller to verify the accuracy of the personal data.
2. the processing is unlawful and the data subject User opposes the erasure of the personal data and requests the restriction of their use instead;
3. the Controller no longer needs the personal data for the purposes of the processing but they are required by the data subject for the establishment, exercise or defence of legal claims; or
4. the data subject User has objected to processing the data based on the legitimate interest of the Controller; in which case the restriction applies for the period while it is verified whether the legitimate grounds of Company override those of the data subject User.

Right to object: The data subject User shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the Controller’s legitimate interest, including profiling based on the referred to provisions. In this case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

14.2. Each User shall have the right to reject or prohibit the inclusion of their name and address details, contact details on the list of direct marketing lists, the use thereof for direct marketing purposes – and within that for a specific purpose – for sending newsletters or transferring them to third parties, and request the other restriction of the use of his or her personal data, the elimination of processing them in all or certain lists in the possession of the Controller, including data already transferred to third parties. The Controller shall perform the erasure within 10 business days as of receipt of the relevant request and informs the data subject User of fulfilling his or her request within another 15 days.

14.3. Right to erasure („right to be forgotten”): The Controller erases the personal data if

1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
2. the data subject User withdraws his or her consent on which the processing is based and there is no other legal ground for the processing;
3. the User objects to the data processing and there are no overriding legitimate grounds for the data processing, or the data subject objects to the data processing for the purpose of direct marketing;
4. the personal data have been unlawfully processed;
5. the personal data have to be erased for compliance with a legal obligation set forth in the Union or Member State law to which our Controller is subject;
6. the personal data have been collected in relation to the offer of information society services.

Where the controller has made the personal data public and is obligated to erase the personal data pursuant to the foregoing, then the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps – including technical measures – to inform controllers which are processing the personal data that the data subject User has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

14.4. The Controller shall inform the data subject User, as well as all those to whom the data was previously transferred for data processing purposes, of the rectification, restriction and erasure. The notification may be omitted if this does not violate the legitimate interest of the data subject User regarding the purpose of data processing.

14.5. The User shall have the right to submit his or her comments and requests by post to the Controller’s address specified in section no. 1.1 or in an e-mail to the info@hunguesthotels.hu e-mail address. The Controller only considers a request sent by way of e-mail as verified if that is sent from the User’s e-mail address given for and registered with the Controller. In the case of an e-mail the date of receipt shall be the first business day immediately following the sending.

14.6. If the Controller fails to comply with the request of the data subject User for the rectification, restriction or erasure of the data, then the Controller informs the data subject User of the factual and legal causes of rejecting the request for the rectification, restriction or erasure of the data in a written form within 25 days as of receiving the relevant request. In the case of rejecting the request for the rectification, restriction or erasure of the data, the Controller informs the data subject User of the following:

• Regarding the decision of the Controller, the User may turn to Authority (Hungarian National Authority for Data Protection and Freedom of Information 1125 Budapest, Szilágyi Erzsébet fasor 22/c, mailing address: 1530 Budapest, P.O. Boksz: 5, telephone: +36 1 391 1400, Fax: +36 1 391 1410, E-mail: ugyfelszolgalat@naih.hu) and
• In the case of violating his or her rights, or if the Controller fails to comply with his or her objection to processing his or her personal data, the data subject User may shall have the right to turn to court within 30 days as of communicating the decision or the last day of the aforesaid deadline. The judgement of the lawsuit falls within the scope of the court. The lawsuit may be initiated in front of the court according to the place of residence or stay of the Data Subject – to the discretion of the data subject User.

15. Data protection, data security

15.1. Within the scope of its data processing activities, the Controller shall provide for the security of the data and shall enforce the legislation and the other data and privacy related regulations by means of technical and organisational measures and internal procedural rules. The Controller shall, in particular, protect the data processed against unauthorized access, alteration, transfer, disclosure, erasure or destruction, as well as incidental loss or damage, furthermore, becoming inaccessible due to change in technology.

15.2. In order to achieve this the Controller shall use the http protocol with the ‘https’ scheme to access the website, by means of which the web communication can be encrypted and uniquely identified. In addition to this, the Controller shall store the data processed in encrypted data files that are stored in separate data processing lists for each data processing purpose, to which access may only be provided for the Controller’s specified employees who perform tasks in relation to pursuing the activities on this website and whose job responsibility involves the protection of the data and the responsible processing thereof in conformity with this present information note and the relevant legislation.

15.3. The Controller’s IT system records the data which serve as the basis for measuring the traffic and usage habits of the website are recorded anonymously from the beginning, and these cannot be linked to a person.

15.4. The data processing is only performed to the extent necessary and proportionate to achieve the legitimate purpose set forth in this present information note and based on the applicable laws and recommendations and with appropriate security measures.

16. Enforcement of right

16.1. The data subjects shall have the right to enforce their rights based on Act V of 2013 on the Civil Code and Act CXII of 2011 on Informational Self-Determination and Freedom of Information in front of a court or may turn to the Hungarian National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Mailing address: 1530 Budapest, P.O. Box: 5.
Telephone: +36 1 391 1400
Facsimile: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu/

In the case of opting for turning to court the lawsuit may be initiated in front of the court according to the place of residence or stay of the data subject – to the discretion of the data subject User – since judging the case falls within the scope of competence of the court of law.

24 May 2018

Hunguest Zrt.