GDPR | Resbud

PRIVACY POLICY

1. The purpose of the policy

The aim of the policy is to provide information for the data subject, taking into consideration the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: Info Act) and the provisions of Regulation 2016/679/EU of the European Parliament and the Council [GDPR], about the personal data processed by the controller defined in point 2, about the aim of data processing, its method, and about any other fact about the processing of data, especially but not limited to the rights regarding the processing of personal data, and about the possibilities for legal remedy.

2. Name, registered office, representative of the controller

Name: RES Szív 2019 Kft.
Registered office: 1063 Budapest, Szív utca 7.
Legal representative: Kovács Dénes Pál, general manager

3. Legal acts regarding data processing

- Article VI of the Fundamental Law of Hungary;

- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: “Info Act”);

- Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

4. Definitions used in the present policy

processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
controller (service provider): the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
data subject: the natural person whose personal data are processed
consent of the data: subject any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
GDPR: Regulation 2016/679/EU of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
Info Act: Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
employee: any person, contractor and their agents who are in an employment relationship with the Service Provider or any other relationship the aim of which is performing work, especially contracts for providing services or agency contracts.
profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation

5. Processing and protecting personal data

5. 1. Tasks and competence, responsibilities of the controller

The primary controller shall compensate any damage which a person may suffer as a result of processing the personal data of the data subject unlawfully, or as a result of breaching the requirements regarding technical data protection. The controller shall be held liable towards the data subject for the damage caused by the processor as well. The controller shall be exempt from liability for damages if he or she proves that the damage was caused by unavertable reasons beyond the processing of data. No compensation shall be paid where the damage was caused by intentional or severely negligent conduct on the part of the person whose rights had been violated.

5.2. Tasks and competence, responsibilities of the processor

The rights and responsibilities of the processor regarding the processing of personal data shall be laid down by the controller in line with the present policy and with the applicable legal regulations. The processor shall be liable for the processing, modification, deletion, forwarding and disclosing of the personal data within the sphere of its activities and the boundaries laid down by the controller. It has to be included in the agreement concluded with the processor that based on the provisions of the controller, the processor may use another processor according to the provisions of the controller when performing its processing activities, and that it is possible to immediately terminate the agreement if the provisions relating to data processing are breached.

6. Principles and fundamental provisions

Principle of lawfulness, fairness and transparency: Any collection and processing of personal data should be lawful and fair, also transparent for the data subject.
Principle of purpose limitation: According to the Info Act, personal data may be processed only for specified purposes, for the implementation of certain rights or obligations. All stages of data processing operations shall have to be in line with the purpose of processing. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.
Principle of data minimisation: Based on the principle of minimisation, the controller may only process personal data that is necessary in relation to the purposes for which they are processed.
Principle of accuracy: Data processed by the controller shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Principle of storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Principle of integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Principle of accountability: The controller shall be responsible for, and be able to demonstrate compliance with the principles and rules of data processing.
Principle of security of personal data: The controller shall plan and perform data processing so that the privacy of the data subjects is protected when applying the provisions of the Info Act and other provisions relating to data processing. The controller shall provide the security of data, it shall take any and all necessary technical and organizational measures and shall establish those procedural rules that are necessary for the enforcement of the provisions of the Info Act and other data protection and confidentiality rules. By using appropriate technical or organizational measures, the controller shall protect the data by appropriate measures, especially against unauthorized access, modification, forwarding, disclosure, deletion or destruction, against accidental destruction or damage, against becoming accessible because of change in the applied technology. For the protection of data sets stored in different electronic filing systems, the controller and within its scope of activities the processor shall implement appropriate technical measures to prevent - unless this is permitted by law - the interconnection of data stored in these filing systems and the identification of the data subjects. In order to maintain security and to prevent processing an infringement of the GDPR, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account state of the art science and technology and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

7. Rights of the data subjects

The right of access: The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information about the circumstances regarding processing. The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
Right to rectification: The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her, and to request that incomplete personal data are completed.
Right to erasure: The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
- a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of GDPR, and where there is no other legal ground for the processing;
- c) the data subject objects to the processing pursuant to Article 21(1) of GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of GDPR;
- d) the personal data have been unlawfully processed by the controller;
- e) the personal data have to be erased for compliance with a legal obligation;
- f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of GDPR (conditions applicable to child's consent).

The controller shall not erase the data if data processing is necessary based on one of the reasons below:

- a) for exercising the right of freedom of expression and information;
- b) for compliance with a legal obligation regarding the processing of personal data;
- c) for the establishment, exercise or defence of legal claims.
Right to restriction of processing: The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
Right to object: (The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of GDPR, including profiling based on those provisions. In this case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to data portability: The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of GDPR or on a contract pursuant to point (b) of Article 6(1) of GDPR; and b) the processing is carried out by automated means.

8. Detailed rules regarding data processing

8. 1. Providing information regarding data processing

Data subjects shall have the right to obtain information about the processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.

The information that is provided has to contain the following:

the identity and contact information of the controller
the contact information of the data protection officer
the purpose of the processing of personal data, and the legal base for data processing
the legitimate interests if data processing is based on “legitimate interests”
the recipients of personal data
the planned duration of data processing
the rights of the data subject
whether the submission of data is a prerequisite for the conclusion of the agreement, and what consequences it may have if the data are not provided
if relevant, automated decision making, including profiling as well
the legal remedies available for the data subjects.

8.2 The lawfulness of data processing

Processing shall be lawful if the controller has at least one of the following legal bases that applies for data processing:

the data subject has given consent to the processing of his or her personal data
processing is necessary for the performance of a contract to which the data subject is party
processing is necessary for compliance with a legal obligation to which the controller is subject
processing is necessary in order to protect the vital interests of the data subject
processing is necessary for the performance of a task carried out in the public interest
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

8.3 The scope of personal data processed by the controller, the purpose of data processing, the duration of data processing shall be found in the register of data processing activities that form Annex 1 of the present policy, which shall be disclosed by the controller on its homepage.

The register of data processing activities shall contain:

the purpose of data processing,
the types of data,
the legal base for processing,
the data subjects,
the sources of data,
the type of data forwarding, its recipients and legal base,
the time limit for the erasure of the given data type,
if data are processed, the data of the processor, the place of processing, the activities of the processor in connection with data processing.

Regarding the data processing activities indicated in the data processing register, separate privacy policies have been prepared, which form Annexes 1-7 of the register.

8. 4. Duration of data processing

Data shall be stored for the shortest possible time. When establishing this time limit, the controller’s data processing purpose, as well as legal regulations applicable for the storing of data have to be taken into consideration.

8. 5. Internal transmission of data

Personal data may only be transmitted within the controller’s organization in line with the principle of purpose limitation, and right to access may only be given if there is a proper purpose.

8. 6. Data transmission for third persons

Personal data may only be transmitted to any third person based on law, or under the consent of the data subject, provided that the conditions regarding data processing are fulfilled regarding all personal data. Controller has to examine before transmitting the data whether the legal conditions are met, and that the conditions for data processing are met regarding any and all personal data following the transmission. Before transmitting data for the same controllers, regarding the same data subject, with the same purpose, the data protection officer shall be involved in the examination whether the transmission is lawful or not. No separate examinations are needed regarding transmissions subsequent to this. The data protection officer shall keep a data transmission register regarding transmissions, and shall store it in line with the regulations. The data transmission register has to be stored until the end of the fifth year following the year when the data communication or transmission was made (in special cases, for twenty years).

The register of data transmission shall contain:

the time of the transmission of the personal data processed by the data transmitter,
the scope of transmitted data,
the legal base and recipient of data transmission (name, address, registered seat),
name and phone number of the person responsible for data transmission.

8.7 Transmitting data abroad or to third countries

Before the transmission of data, the controller - together with the data protection officer - has to examine whether the legal conditions are met, and that the conditions for data processing are kept regarding any and all personal data following the transmission.

8.8 Special data, including biometric data are not processed by the data controller.

9. Personal data breach

According to GDPR, personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

9.1 Reporting personal data breach

As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the competent supervisory authority (NAIH) about the personal data breach without undue delay and, where feasible, not later than 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If reporting is not performed within 72 hours, the reasons that justify the delay have to be attached as well.

9.2 Investigating and handling personal data breach

The data protection officer inspects the reporting, requests data from the person making the reporting, who shall fulfil this request within 2 working days.

The provision of data has to include:

time and place of data breach
the description, circumstances and effects of data breach
the scope and volume of data included in the breach
the persons involved in connection with the data
the description of measures taken in order to avert the breach,
the description of the measures taken in order to prevent, avert, mitigate the damage.

The data protection officer shall make a suggestion regarding the necessary measure. The person responsible for the processing of data shall inform the data protection officer within two days following the performance of the given measures about the specific measures taken regarding averting personal data breach

9.3 Register of personal data breach

The controller shall keep a register on breaches of personal data. According to GDPR, the controller shall provide suitable technical and organizational measures in order to be able to explore and evaluate vulnerabilities and security breaches. Thus the controller, above documenting personal data breach, shall use suitable processes and measures to explore and handle security breaches in time.

10. Modification of the present policy

The present policy shall enter into force on 9 July 2021. The controller is entitled to modify the policy unilaterally - provided it is not against the law. The policy is available at the registered office of the controller.

Description of each processing operation

Processing of website user’s data

Scope of personal data processed: the start and end time of the visit of website user, its IP address and other recorded browsing data (cookie)
Purpose of processing: identification of website visitors, understanding the browsing habits, increasing the user experience
Legal basis for processingthe data subject’s consent /point (a) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data: does not take place
Deadline for data erasure: until the withdrawal of the data subject’s consent
Related document: Annex 1: Privacy notice - cookies

Direct marketing (sending newsletters)

Scope of personal data processed: name and e-mail address
Purpose of processing: marketing and remarketing purposes, promotion of the controller’s service by sending on-line newsletters
Legal basis for processing: the data subject’s consent /point (a) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data: does not take place
Deadline for data erasure: until the withdrawal of the data subject’s consent
Related document: Annex 2: Privacy notice- subscription for newsletters

Quotation request

Scope of personal data processed: name, e-mail, phone number, address, number of persons who wish to use the service, (number of children, their age)
Purpose of processing: contact, communication, sending personalised offers
Legal basis for processing: performance of the contract /point (b) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data: D-EDGE SAS (66 rue des archives 75003 PARIS, France) on the purpose of operating on-line quotation request system
Deadline for data erasure: - in case of successful quotation request, according to the rule of booking; - if the offer is rejected, until the day of reject; - if no answer arrives to the offer, until the day after the offer validity expires;
Related document: Annex 3: Privacy notice - quotation request

Direct booking

Scope of personal data processed: name, e-mail, phone number, address, number of persons who wish to use the service, (number of children, their age)
Purpose of processing: arranging booking
Legal basis for processing: performance of the contract /point (b) of Article 6(1) of the GDPR/ Data processing with regard to the date of birth on the basis of legislation (Articles 30 and 31 of Act C of 1990) /point (c) Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data: 1. D-EDGE SAS (66 rue des archives 75003 PARIS, France) on the purpose of operating on-line quotation request system; 2. OTP Bank Nyrt, OTP Mobil Kft. and CIB Bank Zrt. Operation of the payment system needed for online payment transactions
Deadline for data erasure: - the personal data acquired during the booking will be processed until the contractual relationship with the data subject exists; Excluding: - name, address: under Article 169 of Act C of 2000 on Accounting, for 8 years; - name and age of guests: until the last day of the 5th year following the current year as set out in Article 78 (3) and Article 202 (1) of Act CL of 2017 on the Rules of Taxation
Related document: Annex 4: Privacy notice - booking

Booking through intermediaries

Scope of personal data processed: name, e-mail, phone number, number of persons who wish to use the service, (number of children, their age) and in some cases, credit card information
Purpose of processing: arranging booking
Legal basis for processing: performance of the contract /point (b) of Article 6(1) of the GDPR/ data processing with regard to the date of birth on the basis of legislation (Articles 30 and 31 of Act C of 1990) /point (c) Article 6(1) of the GDPR/
Source of data: from online intermediary companies, travel agencies considered as independent data controllers
Transfer of personal data: online booking sites and travel agencies are considered as independent data controllers; in this process, data processor will not be required
Deadline for data erasure: - the personal data acquired during the booking will be processed until the contractual relationship with the data subject exists; Excluding: - name, address: under Article 169 of Act C of 1990 on Accounting, for 8 years; - name and age of guests: until the last day of the 5th year following the current year as set out in Article 78 (3) and Article 202 (1) of Act CL of 2017 on the Rules of Taxation
Related document: Annex 4: Privacy notice - booking

Scope of data processed: name, address, date and place of birth, telephone number, e-mail address, whether to receive newsletter, date of arrival/departure, number of previous stays, (registration for the frequent guest programme), ID card number, age of guests, nationality
Purpose of data processing: providing discounts, increasing sales, building loyalty
Legal basis for processing: consent of the data subject /Article 6(1)(a) GDPR/
Source of data: from the data subject, from own records
Data transmission: does not take place
Deadline for deletion of data: until the withdrawal of the data subject's consent
Related document Annex 5: Privacy notice - Information on data processing in connection with registration

Regulars’ Programme

Scope of personal data processed: name, number of previous hotel stays
Purpose of processing: providing discounts, increasing sales, building clientele
Legal basis for processing: the data subject’s consent /point (a) of Article 6(1) of the GDPR/
Source of data: from data subject, from own records
Transfer of personal data: does not take place
Deadline for data erasure: until the withdrawal of the data subject’s consent
Related document: Annex 6: Privacy notice - regulars' programme

Billing

Scope of personal data processed: name, address, credit card information
Purpose of processing: providing discounts, increasing sales, building clientele
Legal basis for processing: Fulfillment of legal obligations laid down in Article 169 of Act C of 2000 on Accounting /point (c) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data: OTP Bank Nyrt, K&H Bank Zrt., OTP Pénztárszolgáltató Zrt., MBH Bank Nyrt. For the purpose of conducting payment transaction.
Deadline for data erasure: under Article 169 of Act C of 2000 on Accounting, for 8 years
Related document: Annex 5: Privacy notice - check in

Data management according to § 9/H of the Tourism Act NTAK

Scope of data processed:

1. The user of the accommodation service

- first name and surname of the accommodation user,

- name and surname at birth,

- date and place of birth, sex, nationality

- mother's name and surname at birth,

- the identification data of his/her identity document or travel document and, in the case of third-country nationals, the visa or residence permit number, date and place of entry,

2. The address of the accommodation service, the start and expected end date of the accommodation

Purpose of processing: for the purpose of protecting the rights, safety and property of the data subject and of others, and for the purpose of verifying compliance with the provisions relating to the stay of third-country nationals and persons enjoying the right of free movement and residence
Legal basis for processing: fulfilling a legal obligation pursuant to Article 9/H of Act CLVI of 2016 on State Tasks for the Development of Tourist Areas (Article 6(1)(c) GDPR)
Source of data: from the data subject
Data transmission: Hungarian Tourism Agency
Deadline for deletion of data: Last day of the first year following the date of disclosure
Related document: Annex 5 Privacy notice - check-in

Photo shoot, video recording

Scope of personal data processed: image of the guest and his child
Purpose of processing: promotion of the hotel through social network sites
Legal basis for processing: the data subject’s consent /point (a) of Article 6(1) of the GDPR/
Source of data: from the assigned photographer
Transfer of personal data: does not take place
Deadline for data erasure: until the withdrawal of the data subject’s consent
Related document: Privacy Notice - photo and video

Chat (via website and instant messaging)

Scope of data processed: the surname and first name given to the chat program concerned; gender, identifier (if any); e-mail address, telephone number, questions asked and answered, content of correspondence
Purpose of processing: - marketing (direct marketing) purpose, sale of services; - to provide a question and answer function
Legal basis for processing: consent of the data subject - Article 6(1)(a) GDPR, given by the data subject when starting to use the specific function
Source of data: from the data subject
Data transmission: to the chat program operator
Deadline for deletion of data: until unsubscribing from the chat, but for a maximum of 1 year
Related document: Annex 7: Privacy notice on chat

Internal camera system (10 cameras)

Scope of data handled: images of the guest and their child
Purpose of data processing: to promote the hotel through social networking sites
Legal basis for data processing: consent of the data subject (Article 6(1)(a) GDPR)
Source of data: via the camera system
Data transmission: does not take place
Time limit for deletion of data: until the withdrawal of the data subject's consent
Related document: Privacy Notice - camera system