Privacy Policy
DATA MANAGEMENT INFORMATIONThe K.Z.M.+ RÉGIÓ Kft. (head office: 1061 Budapest, Király utca 52. 8. ; company registration number: 01 09 959480; tax number: 12282373-2-42; hereinafter referred to as the "Company") this Privacy Policy (hereinafter referred to as: "Information Notice"), the Company intends to ensure compliance with the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter "GDPR") and the Act on the Right to Information Self-Determination and Freedom of Information of 2011 on the right to information (hereinafter "Act on the Right to Information Self-Determination and Freedom of Information"). CXII of 2011 (hereinafter referred to as the "Infotv.").
The scope of the Prospectus covers all processes in which personal data is processed by all organisational units of the Company.
The temporal scope of this Notice is until its withdrawal. The Company reserves the right to amend this Notice and will notify you accordingly by publishing the amended Notice on its website.
I. Data Controller
- Data Controller.
- The company has its registered office at 1061 Budapest, Király utca 52. 8.
- Company registration number: 01 09 959480
- Tax number: 12282373-2-42
- Telephone number: +3613540954
- E-mail address: info@callashouse.com
II. General concepts
(a) data subject: a natural person who is identified or identifiable on the basis of any information (a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person);
(b) personal data: any information relating to an identified or identifiable natural person (data subject) (such data which can be associated with the data subject shall include, in particular, the name, the identification number and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, and the inference which can be drawn from the data concerning the data subject);
(c) special categories of data: any data which fall within special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons;
(d) 'controller' means the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and executes decisions regarding the processing (including the means used) or has them executed by a processor, within the limits set by law or by a legally binding act of the European Union;
(e) 'processing' means any operation or set of operations which is performed upon the data, regardless of the procedure used, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of further use, taking of photographs, sound recordings or images, or any other physical means of identification of a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
(f) 'processor' means a natural or legal person or an unincorporated body which processes personal data on behalf of or under the instructions of the controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union;
(g) 'personal data breach' means a breach of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, transmission or access to personal data transmitted, stored or otherwise processed.
Other legislation referred to:
- Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities
- Szvmt.: Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation
- Act C of 2000 on Accounting
- Tht.: Act CXXXIII of 2003 on Condominiums
III. Data processing by the Company
WEBSITE VISIT
No personal data are required to consult the information published on the Company's website https://callashouse.com. The Company uses Google Analytics cookies to analyse visitors' preferences in order to ensure the user-friendliness of the website (e.g. number of visitors to the website and sub-pages, duration of the visit, order of viewing pages, search terms used to access the website, browser type, geographical location of the computer.) The cookies used on the website only record the anonymous IP address of the visitor's computer and do not collect any personal data that could identify an individual. The Company does not process any personal data other than the visitor's anonymised IP address in connection with this activity.
ADVERTISEMENT
In the case of enquiries or requests for quotations on the Company's website, in person, by e-mail or by telephone, in addition to the data relating to the intended stay, the following personal data must be provided: name, e-mail address or telephone number. The purpose of data processing is to contact and maintain contact with you and to send you information and offers. The legal basis for the processing is the consent of the data subject [Article 6(1)(a) GDPR] and the legitimate interests of the data subject and of the Company [Article 6(1)(f) GDPR]. The processing lasts until the date of the data subject's request for erasure or until the data subject's consent is withdrawn.
RESERVATION, PAYMENT
In connection with reservations and payments made on the Company's website, in person, by e-mail or by telephone, the Company shall apply the provisions of the Szvt. 169, the Company shall process personal data, address data and contact information necessary for issuing a receipt. If the guest is from a third country, the Company is also required by law to record additional data, such as:
- personal identification data (name at birth, place and date of birth, sex, mother's name at birth, nationality);
- identification data of the travel document;
- address of the accommodation;
- the date and time of the beginning and end of the use of the accommodation;
- visa/residence permit number and
- date and place of entry. The purpose of data processing is the conclusion and performance of the contract between the Company and the guest, the maintenance of contact, the provision of parking space, the issuing of invoices. The legal basis for the processing is the consent of the data subject [Article 6(1)(a) GDPR] and the conclusion and performance of the contract between the data subject and the Company [Article 6(1)(b) GDPR]. The duration of the processing is 8 (eight) years after the performance of the contract, in accordance with the legal requirements for the retention of supporting documents under the Civil Code.
DIRECT MARKETING
If the data subject subscribes to the Company's newsletter, the Company will send him/her a newsletter at a frequency of its own choice. By subscribing to the newsletter, the data subject consents to the processing of his/her personal data by the Company. To subscribe to the newsletter, the name, address, telephone number and e-mail address must be provided in order to enable the delivery of the messages. The data will be processed by the Company until the data subject requests their deletion or withdraws his/her consent. The possibility to unsubscribe is provided by a direct link in each newsletter. The purpose of the data processing is direct marketing by the Company through direct marketing activities, in the context of which the data subject is informed about the Company's services. The legal basis for data processing is the voluntary consent of the data subject and the application of the Act on the basic conditions and certain limitations of commercial advertising activities. Article 6 (5). The duration of data processing shall last until the date of the data subject's request for cancellation or until the data subject's consent is withdrawn.
PROCESSING OF JOB APPLICANTS' DATA
The Company processes the personal data contained in the CVs and other documents submitted to it directly or through a recruitment agency. The purpose of the processing is to notify the data subject of job vacancies that are most relevant to his/her qualifications and interests, to arrange an appointment with the data subject and to carry out the selection procedure. The legal basis for the processing is the data subject's voluntary consent [Article 6(1)(a) GDPR], which is given by the data subject by sending his/her CV and related documents. The duration of the processing is the duration of the employment relationship in case of a successful application, in case of an unsuccessful application, the application file of the unsuccessful applicants will be deleted after the selection.
PROCESSING OF DATA RELATING TO CCTV SURVEILLANCE
The Company operates an electronic surveillance and recording system in areas marked with a camera pictogram or warning information at its headquarters (monitored areas). The camera system monitors the common areas of the hotel. The camera surveillance system records the images and actions of persons entering the monitored area. The camera surveillance system does not record sound. Only authorised employees of the data controllers are entitled to view the actual images and recordings from the cameras. The camera system is operated by the Company and does not use any service provider, so the Company is the only data controller. The purpose of data processing is to protect property and persons in the building, to protect business secrets and to prove possible abuses and infringements. The legal basis for data processing is based on the voluntary consent of the data subject (access to the building) [Article 6(1)(a) GDPR] on the one hand, and on the legal possibility provided by Section 25 of the Act on the Protection of Personal Data. The duration of data processing is 15 (fifteen) days from the date of the recording, after which the recordings are automatically deleted in accordance with Section 25 of the Act.
IV.
The personal data may be accessed by employees of the Company who have access rights in relation to the relevant data processing purpose, or by persons or organisations performing data processing or outsourcing activities for our Company on the basis of service contracts, to the extent and to the extent necessary for the performance of their activities, as determined by our Company.
The Company uses the services of the following data processors in the course of data processing under service contracts for this purpose.
a) Marketing Professors Ltd.
The above company operates the Company's website and performs electronic data processing activities for the Company.
d) thePass Kft. (registered office: 1074 Budapest, Dohány utca 12-14., tax number: 24327567242)
c) SZI-BA Könyvelés Kft (1188. Budapest, Deák Ferenc utca 35/A, tax number: 32085264-1-43)
The above company provides the Company's accounting and payroll, thus it performs data processing activities with regard to the receipts issued by the Company (and the personal data processed on them), as well as the data processed in connection with the payroll.
V. Rights in relation to data processing and their enforcement
5.1. Right to request information and right of access
The data subject may request in writing to be informed by the Company:
a) what personal data,
b) on what legal basis,
c) for what purpose,
d) from what source,
(e) for what purpose, for what purpose, for what purpose, and for how long it is processed,
f) to whom, when, under what law, to which personal data, to which personal data has the Company granted access or to whom has the Company transferred the personal data.
The Company shall comply with the data subject's request within a maximum of 15 (fifteen) days by sending an e-mail or postal letter to the contact details provided by the data subject.
The Company may ask the data subject to clarify the content of the request and to specify the information or processing activities requested before granting the request.
Where the right of access of the data subject under this point adversely affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Company shall be entitled to refuse to comply with the data subject's request to the extent necessary and proportionate.
In the event that the data subject requests more than one copy of the above information, the controller shall be entitled to charge a reasonable fee proportionate to the administrative costs of producing the additional copies.
Where the Company does not process the personal data indicated by the data subject, it shall also inform the data subject in writing.
5.2 Right to rectification
The data subject may request in writing that the Company rectify personal data that is inaccurate, incorrect or incomplete. In such a case, the Company shall without undue delay, but no later than within 5 (five) days, correct or rectify the personal data indicated or, if compatible with the purposes of the processing, supplement them with additional personal data provided by the data subject or with a declaration by the data subject on the personal data processed. The Company shall notify the data subject thereof by electronic or postal mail to the contact details provided by the data subject.
The Company shall be exempted from the obligation to rectify where
(a) the accurate, correct or complete personal data are not available to him or her and are not provided by him or her to the Company; or
(b) the accuracy of the personal data provided by the data subject cannot be established beyond reasonable doubt.
5.3 Right to erasure
The data subject may request the Company in writing to erase his/her personal data. The data subject shall submit his/her request for erasure in writing and shall indicate the reasons for which he/she wishes to have the personal data erased.
The Company shall refuse the erasure request if a law obliges the Company to continue to store the personal data. If the Company is not under such an obligation, the Company shall comply with the data subject's request within a maximum of 15 (fifteen) days and shall notify the data subject thereof by electronic or postal mail to the contact details provided by the data subject.
5.4. Right to blocking
The data subject may request in writing that his/her personal data be blocked by the Company. The blocking shall last for as long as the reason indicated by the data subject makes it necessary to store the data. The data subject may request the blocking of data, for example, if he or she believes that his or her personal data have been unlawfully processed by the Company, but it is necessary for the purposes of official or judicial proceedings initiated by the data subject that the personal data are not deleted by the Company. In such a case, the Company will continue to store the personal data until the authority or court requests it, after which it will delete the data and notify the data subject thereof by e-mail or post to the contact details provided by the data subject.
5.5 Right to restriction of processing
The data subject may request in writing that the Company restrict the processing of his or her personal data. During the period of restriction, the Company or a data processor acting on its behalf or under its instructions may carry out processing operations other than storage of the personal data concerned by the restriction solely for the purposes of pursuing the legitimate interests of the data subject or as provided for by law. The restriction of processing may be requested by the data subject when and for as long as necessary,
(a) where the data subject contests the accuracy, correctness or completeness of the personal data processed by the Company or the processor and the accuracy, correctness or completeness of the personal data processed cannot be established beyond reasonable doubt (for the period necessary to resolve the doubt),
(b) where the data should be erased but there are reasonable grounds to consider, on the basis of a written statement by the data subject or on the basis of information available to the Company, that erasure would undermine the legitimate interests of the data subject (for the period of the legitimate interest not to erase),
(c) where the data should be deleted but are necessary to preserve them as evidence in proceedings by or with a public authority (until the investigation or proceedings have been concluded).
In the case of restriction, personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State of the European Union.
The Company shall inform the data subject in advance of the lifting of the restriction on processing.
The Company shall, without undue delay after complying with the data subject's request to exercise his or her right to restriction, inform the persons to whom the personal data of the data subject have been disclosed, provided that this is not impossible or involves a disproportionate effort on the part of the Company. The Company will inform the data subject of these recipients at his or her request.
5.6 Right to object
Where the processing of data subjects' data is based on a legitimate interest, the data subject shall be provided with adequate information and the right to object to the processing. This right shall be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject.
The data subject shall have the right to object on this basis to the processing of his or her personal data and in such a case the Company shall no longer process the personal data of the data subject unless it can be demonstrated that
(a) the processing is justified by compelling legitimate grounds on the part of the Company which override the interests, rights and freedoms of the data subject; or
(b) the processing relates to the establishment, exercise or defence of legal claims by the Company.
If the data subject objects to the processing for direct marketing purposes, the Company may no longer process the data subject's data for these purposes.
5.7.
5.7.1. Dispute resolution with the Company
Data subjects may lodge their objections or requests concerning the processing of their personal data with the Company orally (in person) or in writing (in person or by means of a document delivered by another person or by post or e-mail) using the contact details indicated in Section I, under the name of the Data Controller.
5.7.2 Right to lodge a complaint
If your objections, complaints or requests regarding your personal data have not been satisfactorily resolved with the Company, or if you consider at any time that there has been or is an imminent risk of a breach of rights in relation to the processing of your personal data, you have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information.
Contact details of the National Authority for Data Protection and Freedom of Information
Headquarters. Address for correspondence: 1530 Budapest, Pf. 5, 1530 Budapest
Phone: +36(1)3911400
Fax: +36(1)3911410
E-mail: ugyfelszolgalat@naih.hu
Web: naih.hu
5.7.3. Right to apply to the courts (right of action)
The data subject may, irrespective of his/her right to lodge a complaint, take legal action if his/her rights under the GDPR or the Infotv. have been infringed in the processing of his/her personal data.
The Company, as a data controller established in Hungary, may be sued before a Hungarian court.
The data subject may also bring the action before the court of the place of residence. The contact details of the courts in Hungary can be found at the following link: http://birosag.hu/torvenyszekek.
VI. Other information
6.1. Enforcement of rights in relation to personal data after the death of the data subject
For a period of five years after the death of the data subject, the rights to which the deceased person was entitled during his or her lifetime may be exercised by a person authorised by the data subject by means of an administrative order or a declaration made to the controller (in a public or private document with full probative value). If the data subject has not made such a declaration, the rights of the deceased during his or her lifetime may be exercised by his or her close relative within the meaning of the Civil Code within five years of the death of the data subject (in the case of more than one close relative, the first to exercise the rights shall be the first to exercise them).
6.2 Special provisions on camera recordings
6.2.1 Right to request information
The data subject may request information within 15 (fifteen) days from the date of the recording about what is shown in the recording in relation to the data subject. The request must specify where and when the recording was made and how the data subject can be identified. The Company shall comply with the request within 15 (fifteen) days.
6.2.2. Right to blocking
Within 15 (fifteen) days from the date of the recording, the data subject may request that the data not be destroyed or erased by the data controllers (blocking) by justifying his/her right or legitimate interest. The request must specify where the recording was made, at what time, how the data subject can be identified and the reason for the blocking. At the same time as the blocking, it is advisable for the data subject to initiate the necessary official or judicial proceedings, as the Company only releases the recordings in response to a request from an authority or court.
6.2.3. Right of access
The data subject may request access to the recordings made of him/her within 15 (fifteen) days of the date on which the recording was made. The request must specify where and at what time the recording was made, how the data subject can be identified and on which day the data subject wishes to have access to the recording. The Company will be able to provide access on working days from Monday to Friday, between 9 a.m. and 3 p.m.
