2019. február 11.
Data processing information note
1. Identification of Controller and this present website
1.1. Please be informed that this website is operated by
HUNGUEST Hotels Szállodaipari Zártkörűen Működő Részvénytársaság
Trade registration number: 13-10-041729 - Registry Court of the Tribunal of Budapest Region
Tax number: 12155169-2-44
Company seat: 2053 Herceghalom, Zsámbéki út 16
(hereinafter referred to as: Controller).
1.2. This present website: the website, the web pages and the sub-pages which are accessible at the following Internet address:
2. Stipulation of the Hungarian law, scope of this present information note
2.1. The service of the above-defined Controller (hereinafter referred to as: the Controller) operating the website which is accessible at the above-defined Internet address (hereinafter referred to as: the website) is provided for Hungary and from Hungary. Accordingly, the Hungarian law shall govern the provision of the service and the Users during the use of the service (also in respect of the data processing). The Controller shall process the users’ data primarily based on the following provisions
2.2. The scope of this present Information note shall extend to the use of the interface of the website and the data processing performed during the use of electronic services made available there.
2.3. For the purposes of this present Information Note, User shall mean the natural person browsing the site, regardless of which service of the site the person uses, or the natural person who only browses the site but do not use any of the services.
3. Legal basis of data processing: consent of the data subject
3.1. The legal basis of the data processing performed by the Controller shall be the consent given by the User pursuant to point a) of paragraph (1) of § 6 of GDPR.
3.2. The User shall give his or her consent by ticking the checkbox in front of the data processing statement. The User can read the Data Processing Information Note at any time by clicking on the ‘Data Processing Information Note’ link appearing at the bottom of each page of the website, or by clicking on the link indicated by the ‘Data Processing Information Note’ text part in the Data Processing statement referred to in this section, by means of which the Controller provides for the unambiguous, detailed and advance information of the User. By selecting the checkbox in front of the Data Processing statement, the User shall state to have read the Data Processing Information Note and give his or her consent to processing his or her data as described in this present information note in the knowledge thereof.
4. Data processing without further specific consent of the data subject or after the withdrawal of the consent
4.1. The Controller shall be entitled to process the data recorded with the consent of the data subject User without the further specific consent of the data subject User or even after the withdrawal of the consent based on paragraph (1) of § 6 of GDPR, as follows:
4.2. If the personal data was recorded with the consent of the data subject User, unless otherwise provided for in the law, the Controller shall be entitled to process the recorded data without the further specific consent of the data subject User and even after the withdrawal of the consent of the data subject User, in the following cases:
4.3. Prior to commencing the data processing with reference to the aforementioned legitimate interest the Controller shall be obligated to perform the so-called interest balancing test in each case. The interest balancing test is a three-step process in which the Controller shall identify its legitimate interest and the interest of the data subject User constituting the counter point of weighting, as well as its fundamental right concerned with the planned data processing. Finally, based on the outcome of the weighting, the Controller shall determine whether or not the personal data can be processed based on point f) of paragraph (1) of § 6 of GDPR.
4.4. The Controller shall inform the data subject User of the result of the interest balancing test in such a way that, based on the information, the User can clearly identify the legitimate interest based on which and why the fact that the Controller processes his or her personal data without his or her consent is considered to be a proportional restriction.
4.5. In the course of performing the interest balancing test the Controller shall act as set forth in Opinion no. 6/2014 of the Data Protection Working Party of the Council of the European Union comprising the relevant statements. The Opinion can be read at the following link:
5. Other possible legal bases for data processing based on law
5.1. Based on § 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services (hereinafter referred to as: Ekertv.), the Controller shall inform the User of the following:
The Controller shall only use the data in relation to taking the services for any purpose other than those defined above – including, in particular, improving the efficiency of the service, the delivery of electronic advertisements or other addressed content to the user for market research purposes – with the prior determination of the purpose of processing the data and subject to the consent of the User.
6. Data Processing to ensure the operation of information technology services
6.1. Scope of data subjects affected with the data processing: All Users visiting the website, regardless of taking the services available on the website.
6.2. Legal basis of data processing: In respect of the data processing inevitably necessary for providing the services, § 13/A of Ektv. In respect of the analysis of visits and data processing enabling marketing activities, the consent given by the User pursuant to point a) of paragraph (1) of § 6 of GDPR. The user can give his or her consent to the technical data collection serving for the analysis of the visits and marketing purposes by ticking the checkboxes in the information window popping up when the User starts browsing the website.
6.3. Defining the scope of data processed: The information technology related data processing affects the scope of data necessary for the functionality of the cookies used to operate the website and the use of the log files applied by the web host service provider.
Data processed in order to enable user-friendly browsing:
Scope of data processed to measure the traffic of the website:
The data required for the following purposes are recorded anonymously and may not be personally linked:
The Controller’s IT system uses Google Analytics tools to measure these data. Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as the owner and operator of Google Analytics assets also accesses these anonymous data. Google Inc. also uses the above information to deliver targeted advertisements to the browsing user in addition to making the aforementioned analyses. In doing so, Google Inc., by linking the anonymous data and the IP address of the browsing device, determines the range of interests which can be explored based on the browsing habits of that device, and then delivers targeted advertisements to that device. Apart from the anonymous data listed in this section, Google Inc. does not have access to the additional information referred to in this Information Note.
6.5. Duration of data processing: The Controller processes a part of the data for the duration of browsing and stores certain data for a variable period of time, but up to 2 years.
The data necessary for ensuring the user-friendly operation of the website (the IP address, the order of the pages visited during browsing the website) are recorded until the end of the browsing session (i.e. for the duration of browsing the website) and are deleted when browsing is finished. The Controller processes this type of data by means of the assets of its own IT system, no third party can access these data with the exception of the IT data processing (see below the chapter titled ‘Employing a Data Processor’.
The Controller’s IT system records the data which serve as the basis for measuring the traffic and usage habits of the website are recorded anonymously from the beginning, and these cannot be linked to a person. The Controller’s IT system uses Google Analytics tools to measure these data. The Controller stores these data by means of cookies which function permanently but maximum up to 2 years and which are recorded on the device the User uses for browsing. The User may at any time erase these cookies in the settings of his browser.
6.6. The method of data storage: Anonymously on the Controller’s IT system in separate data processing lists. The data necessary for ensuring the user friendly operation of the website (IP address, the order of the pages visited during browsing the website) are not stored. The cookies providing the data are stored on the device of the User. The log files used by the web host service provider are stored on the hosting service provider’s server.
7. Data Processing in relation to sending newsletters
7.1. The data subject affected by the data processing is the User who signs up by filling in the fields for signing up for the newsletters on the website. Furthermore, also the User who gives his or her consent to sending the newsletter in a written form when concluding a paper-based contract with the Controller or also in a written form without concluding a paper-based a contract with the Controller.
7.2. Legal basis of data processing: The User’s consent based on points a) of paragraph (1) of § 6 of GDPR and paragraphs (1) and (2) of § 6 of Grt. The User gives his or her free consent after gaining knowledge of this present Data Processing Information Note by filling in the fields for signing up to the newsletters and by ticking the statement on the consent available there, or by ticking the statement on the consent appertaining to sending the newsletter incorporated into the written contract and by signing the contract or by completing and signing a separate paper-based statement. By doing so, the User states that he or she consents to the processing of his or her data in conformity with the Data Processing Information Note or the contract/statement and to sending the newsletters.
In addition to sending useful information, the newsletter service also targets direct marketing by the Controller. The User may sign up to this service regardless of the use of the other services. The use of this service is based on a voluntary decision made by the User after receiving proper information. If the User does not use the newsletter service, it does not cause any disadvantage for him or her in using the website and taking its additional services. The Controller does not make the use of its any other services conditional upon the use of its direct marketing service.
7.3. Defining the scope of data processed:
7.4. Purpose of data processing: sending newsletters for the User by the Controller, by way of e-mail. Sending newsletters means sending information, promotional offers, and promotional content on the services of the Controller, news and current affairs.
7.5. Duration of data processing: The Controller processes the data processed for sending the newsletters until the withdrawal of the User’s relevant consent (until unsubscribing), or until the data are erased at the User’s request.
7.6. The method of data storage: On the Controller’s IT system in separate data processing list or by filing the paper-based contracts/statements in the case of data handed over by the User for the Controller for sending the newsletters on a paper-based format.
8. Data processing lists
8.1. Information technology data processing related lists: The anonymous lists containing User’s data referring to their browsing habits – as listed in section 6 – or a temporary list recording the IP addresses of User’s device currently used for browsing during the browsing session, kept solely in the information system of the Controller. Data processing is performed only until the end of the browsing session on the latter list. (The other data are stored on the User’s device but the Controller does not keep of list of such data on its own.)
8.2. Newsletter list: Kept with data recorded for the purpose of sending newsletters, messages, information materials and promotional offers via e-mail – as listed in section 7. The Controller processes the data processed until the withdrawal of the User’s consent (until unsubscribing), or until the data are erased at the User’s request.
8.3. Data transfer record: In order to control the lawfulness of the data transfer and inform the data subject the Controller keeps a data transfer record which contains the date of transferring the personal data processed by the Controller, the legal basis and addressee of the data transfer, the definition of the scope of the personal data transferred, as well as the other data specified in the law stipulating the processing of the data.
8.4. Personal data breach record: This is a record on the unlawful processing or manipulating personal data and the measures taken to prevent these. It includes the scope of personal data affected by the breach, the range and number of the data subjects affected by the personal data breach, the date, circumstances, effects of the personal data breach, and the measures taken to prevent these and – in the case of data processing based on a legal obligation – the other data specified in the law stipulating the processing of the data.
8.5. In order to achieve the data processing objectives – in conformity with the foregoing – the Controller stores the data in the form of separate lists and in databases separated by data processing objectives in its IT system and also stores the data processed for the purpose of sending newsletters by means of filing the paper-based contracts/statements.
9. Duration of data processing
9.1. The duration of processing the data in conformity with the certain data processing objective lasts as long as set forth in the description of the data processing according to objectives hereinabove. The Controller processes the data of the data subject User until the above-mentioned data processing objectives have been achieved, or until the User’s consent is withdrawn or the data are erased at the request of the data subject User.
9.2. According to this, the data processing is performed until the withdrawal of the consent statement, the fulfilment of the erasure request, the cancellation of the registration, the un-subscription from the newsletter, or, in the relevant cases, the fulfilment of the statutory obligation. At any time the User shall have the right to object to the data processing, request the termination of the data processing, the elimination of certain methods of data processing and the erasure of the data for certain or all purposes. In these cases, the duration of the data processing last until the receipt and procession of such requests – which shall be performed by the Controller without undue delay but maximum within 10 business days. The user shall have the right to unsubscribe from the newsletter at any time by using the unsubscribe link in the newsletters and by sending a written request to the email@example.com e-mail address or may also submit his or her objections or requests outlined above by way of e-mail. The Controller only considers a request sent by way of e-mail as verified if that is sent from the User’s e-mail address given for the Controller in connection with the use of the website, or in the course of subscribing to the newsletters or in the written contract/statement and registered with the Controller, maintaining however, that using another e-mail address does not result in ignoring the request.
10. Data storage method
10.1. The Controller stores the data in the form of separate lists and in databases separated by data processing objectives in its IT system and also stores the data processed for the purpose of sending newsletters by means of filing the paper-based contracts/statements.
11. Erasure of data, restricting data processing
11.1. The data processing is terminated in all respects and data are deleted within 10 business days as of receipt of the User’s relevant request, including also the erasure of the already transferred data at a new Controller (provided that the erasure is not excluded by law).
11.2. Instead of the erasure, the Controller restricts the processing of personal data if the User requests this or if, based on the information at its disposal, it can be assumed that the erasure would violate the legitimate interests of the User. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject User’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
11.3. Furthermore, the Controller erases the personal data if
12. Data transfer
12.1. The Controller only transfers data to authorities in case of a legal obligation.
12.2. The Controller does not transfer data for third parties for business or marketing purposes.
12.3. The Controller keeps a data transfer record on the data transferred.
13. Using a data processor
13.1.1. Scope of data subjects affected by the data processing: All Users visiting the website, regardless of taking the services available on the website.
13.1.2. The Controller uses as data processor
Short name: GOOGLE INC.
Trade registration number: 20031277465
Tax number: 20031277465
Company seat: 1600 Amphitheatre Parkway Mountain View CA 94043 US
Site: 1600 Amphitheatre Parkway Mountain View CA 94043 US
Mailing address: 1600 Amphitheatre Parkway Mountain View CA 94043 US
E-mail: not available
business company as online marketing service provider (hereinafter referred to as: the Data processor).
13.1.3. Legal basis of data processing: Based on the consent of the User under point a) of paragraph (1) of § 6 of GDPR, the Controller shall be entitled to use a data processor, subject to the prior notification of the User. The User freely consents to the Controller’s using a data processor by means of his or her consent given freely for the Controller for processing his or her data – in any of the manner set forth in the above chapters – after gaining knowledge of the Data Processing Information Note and receiving proper information.
13.1.4. Defining the data affected by the data processing: The data processing affects the data set forth in Chapter 6 of this present information note.
13.1.5. Purpose of the data processing: To ensure the functionality of the website in respect of information technology for the data subject User through the data processing necessary for the operation of the website and the provision of the services offered by the website, and delivering targeted advertisements to the User’s device used for browsing.
13.1.6. Duration of the data processing: It is the same as the data processing periods set forth in Chapter 6 of this present Information Note.
13.1.7. Processing the data exclusively means the technical operations necessary for the operation of the website in respect of information technology and delivering the targeted advertisements.
13.2. No data processing is performed for any other purpose.
13.3. The Data Processors have no interest in the business activities of the Controller.
13.4. The Controller does not use any data processor other than the Data Processors indicated above.
14. User’s data processing related rights
14.1. Right of access of the data subject: Upon the request of the data subject User, the Controller provides information on the data of the data subject User processed by the Controller or the Data Processor assigned by or upon the order of the Controller, the sources of the data, the objective, legal basis, duration of the data processing, the name, address and the data processing related activities of the Data Processor, the circumstances and effects of any personal data breach, the measures taken to avert such breaches, furthermore – in the case of transferring the personal data of the data subject – the legal basis and addressee of the data transmission. The Controller provides the information in a written form within 25 days as of the submission of the relevant request. The fulfilment of the first submission of such a request for a given calendar year is free of charge, in other cases it costs HUF 1,000 (except for: unlawful data processing or if the request leads to a data rectification.)
Right to rectification: The data subject User shall have the right to request the rectification of his or her processed data, which the fulfils without undue delay but maximum within 15 days. Taking into account the purposes of the processing, the data subject User shall have the right to request incomplete personal data completed, including by means of providing a supplementary statement.
Right to data portability: The data subject User shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and shall have the right to have these data transmitted to another controller without hindrance by the controller to which his or her personal data have been provided, if:
In exercising his or her right to data portability pursuant to the foregoing, the data subject User shall have the right to have the personal data transmitted directly from one controller to another, where this is technically feasible.
Right to restriction of processing: The Controller marks the personal data processed by the Controller for the purpose of restricting the data processing. The User shall have the right to obtain from the controller restriction of processing where one of the following applies:
Right to object: The data subject User shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the Controller’s legitimate interest, including profiling based on the referred to provisions. In this case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
14.2. Each User shall have the right to reject or prohibit the inclusion of their name and address details, contact details on the list of direct marketing lists, the use thereof for direct marketing purposes – and within that for a specific purpose – for sending newsletters or transferring them to third parties, and request the other restriction of the use of his or her personal data, the elimination of processing them in all or certain lists in the possession of the Controller, including data already transferred to third parties. The Controller shall perform the erasure within 10 business days as of receipt of the relevant request and informs the data subject User of fulfilling his or her request within another 15 days.
14.3. Right to erasure („right to be forgotten”): The Controller erases the personal data if
Where the controller has made the personal data public and is obligated to erase the personal data pursuant to the foregoing, then the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps – including technical measures – to inform controllers which are processing the personal data that the data subject User has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
14.4. The Controller shall inform the data subject User, as well as all those to whom the data was previously transferred for data processing purposes, of the rectification, restriction and erasure. The notification may be omitted if this does not violate the legitimate interest of the data subject User regarding the purpose of data processing.
14.5. The User shall have the right to submit his or her comments and requests by post to the Controller’s address specified in section no. 1.1 or in an e-mail to the firstname.lastname@example.org e-mail address. The Controller only considers a request sent by way of e-mail as verified if that is sent from the User’s e-mail address given for and registered with the Controller. In the case of an e-mail the date of receipt shall be the first business day immediately following the sending.
14.6. If the Controller fails to comply with the request of the data subject User for the rectification, restriction or erasure of the data, then the Controller informs the data subject User of the factual and legal causes of rejecting the request for the rectification, restriction or erasure of the data in a written form within 25 days as of receiving the relevant request. In the case of rejecting the request for the rectification, restriction or erasure of the data, the Controller informs the data subject User of the following:
15. Data protection, data security
15.1. Within the scope of its data processing activities, the Controller shall provide for the security of the data and shall enforce the legislation and the other data and privacy related regulations by means of technical and organisational measures and internal procedural rules. The Controller shall, in particular, protect the data processed against unauthorized access, alteration, transfer, disclosure, erasure or destruction, as well as incidental loss or damage, furthermore, becoming inaccessible due to change in technology.
15.2. In order to achieve this the Controller shall use the http protocol with the ‘https’ scheme to access the website, by means of which the web communication can be encrypted and uniquely identified. In addition to this, the Controller shall store the data processed in encrypted data files that are stored in separate data processing lists for each data processing purpose, to which access may only be provided for the Controller’s specified employees who perform tasks in relation to pursuing the activities on this website and whose job responsibility involves the protection of the data and the responsible processing thereof in conformity with this present information note and the relevant legislation.
15.3. The Controller’s IT system records the data which serve as the basis for measuring the traffic and usage habits of the website are recorded anonymously from the beginning, and these cannot be linked to a person.
15.4. The data processing is only performed to the extent necessary and proportionate to achieve the legitimate purpose set forth in this present information note and based on the applicable laws and recommendations and with appropriate security measures.
16. Enforcement of right
16.1. The data subjects shall have the right to enforce their rights based on Act V of 2013 on the Civil Code and Act CXII of 2011 on Informational Self-Determination and Freedom of Information in front of a court or may turn to the Hungarian National Authority for Data Protection and Freedom of Information:
Hungarian National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Mailing address: 1530 Budapest, P.O. Box: 5.
Telephone: +36 1 391 1400
Facsimile: +36 1 391 1410
In the case of opting for turning to court the lawsuit may be initiated in front of the court according to the place of residence or stay of the data subject – to the discretion of the data subject User – since judging the case falls within the scope of competence of the court of law.
24 May 2018
HUNGUEST Hotels Zrt.