Published on: 25.05.2018

Drafted by/Revised by: Nikolett László – HR officer

Approved by: Roland Sivó – Managing Director

The identification data of the Enterprise as the data controller:
[company name, registered office, postal address, e-mail address,
central telephone number, website]:

VRS Part HOTEL Kft.

Registered office:
2481 Velence, Béke u. hrsz. 4481/G

E-mail: info@velencespa.com

Telephone number: +36 22 589 900

Website: https://velencespa.com/ 

Name, contact details of the representative
of the Enterprise as the data controller
[postal address, e-mail address, telephone number]:

Roland Sivó

Postal address: 2481 Velence, Béke u.
hrsz. 4481/G

E-mail: sivo.roland@velencespa.com

Telephone number: +36 70 455 6800

Name and contact details of the data protection officer
[postal address, e-mail address, telephone number]:

Nikolett László 

Postal address:
2481 Velence, Béke u. hrsz. 4481/G

E-mail: hr@velencespa.com 

Telephone number: +36 22 589 940

Definitions, interpretative provisions (also see Article 4 of the GDPR)

‘processor’

a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

‘processing’

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

‘controller’

the Enterprise as well as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

‘personal data breach’

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

‘biometric data’

personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data

‘recipient’

a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law are not regarded as recipients; the processing of those data by those public authorities must be in compliance with the applicable data protection rules according to the purposes of the processing

‘data concerning health’

personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status

‘data subject’

the natural person whose personal data are being processed

‘consent’ of the data subject

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

‘EU Member State’

the member states of the European Union are currently Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Spain, Slovakia, Slovenia, Sweden and the United Kingdom

‘supervisory authority’

an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR (in Hungary the National Authority for Data Protection and Freedom of Information)

‘GDPR’

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

‘genetic data’

personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question

‘third party’

a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

‘sensitive data’

personal data belonging to special categories of personal data

‘international organisation’

an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries

‘profiling’

any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements

‘personal data’

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

‘special categories of personal data’

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation

‘Enterprise’

VRS Part Hotel Kft. as data controller

Principles of processing

Before starting to process personal data, it must be carefully considered in every case whether processing is actually necessary. Processing personal data may only start provided it can be unequivocally established that the purpose of the processing cannot be achieved in any other way (data minimisation).

The Enterprise is obliged to process the Data Subject’s personal data in a lawful, fair and transparent manner. No one should suffer disadvantage from initiating a procedure with or seeking legal redress or notifying the Enterprise or any other authority specified in the Policy, or for refusing or withdrawing consent for processing based on the Data Subject’s consent (‘disadvantage’ excluding a legal obligation becoming impossible).

The personal data of Data Subjects may only be collected for specific, clear and lawful purposes (purpose limitation). The Enterprise must avoid or subsequently cease all data processing that occurs in a manner that is not compatible with the purpose of processing the personal data in question. The Enterprise is only entitled to process personal data to the extent necessary and is obliged to erase all personal data with regard to which the purpose of the processing has ceased or the legal grounds for processing cannot be verified.

The Enterprise is obliged to introduce control mechanisms that are suitable for ensuring, either in advance or subsequently through filtering, that

  1. the personal data correspond to the purposes of processing already at the time of recording the data and throughout the entire duration of the processing, and
  2. the extent of data processing is limited to what is necessary as regards both the scope of data and the period of processing.

The personal data processed by the Enterprise must be accurate and kept up to date. The Enterprise must take all reasonable measures to ensure that the personal data processed are accurate:

  1. personal data that are unnecessary from the aspect of processing or become unnecessary during processing are immediately erased;
  2. inaccurate personal data are rectified or erased.

Personal data must be stored in a manner that enables the identification of Data Subjects only for the period of time necessary to achieve the purpose of processing the personal data.

Personal data must be processed in a manner that ensures appropriate security for the personal data using appropriate technical or organisational measures, including measures that serve the protection of personal data against unauthorised or unlawful processing, accidental loss, destruction or damage.

Personal data (except special sensitive data)

The Enterprise may process the Data Subject’s personal data – excluding sensitive data – in particular on the following legal grounds:

  1. Consent: Data Subjects – provided the voluntary nature of the consent can be proved – may consent to their personal data being processed. If the Enterprise processes the personal data of a child who is below the age of 16 years in connection with information society services directly offered to a child under 16, the main rule is that such processing is only lawful if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. The consent given by the Data Subject is voluntary and can be withdrawn at any time. Withdrawal does not affect the lawfulness of processing performed previously but may influence the sustainability of legal relations requiring data processing.
  2. Drafting or performing a contract: this can be used for processing necessary for the performance of a (service, work, study, etc.) contract to which the Data Subject is a party or if processing is necessary to take steps at the request of the Data Subject prior to entering into the contract.
  3. Fulfilment of a legal obligation: data processing required by European Union or national law.
  4. Legitimate interest: this includes processing which is necessary to fulfil the legitimate interests of the Enterprise or a third party. The legitimate interests of the Enterprise or a third party are laid down in the privacy notice for the particular data processing purpose. Data may only be processed based on legitimate interests if the Enterprise makes a legitimate interests assessment in which it is recorded and assessed whether the legitimate interest of the Enterprise proportionately limits the Data Subjects’ privacy or right to the protection of personal data, and how balance may be ensured between the interests of the Enterprise and of the Data Subject. The legitimate interests assessment is not part of the privacy notice.
  5. [From the aspect of processing, other individual legal grounds for processing may be (see GDPR, Article 6): when processing is necessary in order to protect the vital interests of the Data Subject or of another natural person, or is connected with the performance of a task carried out in the public interest or the exercise of official authority vested in the Enterprise.]

If the Enterprise collects data from the Data Subject but the Data Subject does not give the data to be processed on the above legal grounds, a possible consequence may be refusing the preparation or completion of the given contract or its becoming impossible (e.g. failure to enter into an employment relationship). If the Data Subject only withholds part of the data to be supplied, it must be assessed based on the incomplete data supplied whether failure to provide data may make the conclusion or maintenance of the contract impossible. When data processing is based on the grounds of entering into a contract, the legal consequences of nullification may only be applied by the Enterprise if it can be proved that the completion of the given contract is not possible without the data supplied.

Sensitive data

Data which, in relation to the fundamental rights and freedoms of natural persons, are by nature sensitive and carry risks merit specific protection. The Enterprise may process the Data Subject’s sensitive data – primarily data concerning health – in particular for the following purposes and on the following grounds:

  1. GDPR, Article 9(2)(a): Data Subjects – provided the voluntary nature of the consent can be proved – may give explicit consent to the processing of their personal data. The consent given by the Data Subject is voluntary and can be withdrawn at any time, which does not affect the lawfulness of processing prior to that.
  2. GDPR, Article 9(2)(b): For example, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law, the Enterprise may process data for the purposes of carrying out obligations and exercising specific rights arising from legislation in the field of employment, social security and social protection.
  3. GDPR, Article 9(2)(f): This legal ground is to be applied for processing sensitive data for the purpose of the establishment, exercise or defence of legal claims. (Also see GDPR, Article 9.)

The Enterprise’s obligation to inform and its measures

The Enterprise must make available certain information to Data Subjects in a clear and understandable way and in a concise, transparent and easily accessible form, and advise Data Subjects of their rights (also see point 6). Furthermore, at the request of Data Subjects the Enterprise may take measures observing certain rules of procedure.

Privacy information

Depending on whether the personal data have been collected from the Data Subject or not, the Enterprise is obliged to make certain information concerning data processing available to the Data Subject.

Joint rules

Based on its obligation to provide information, the Enterprise must inform the Data Subject of the following:

  1. the identity and contact details of the Enterprise and, if applicable, its representative,
  2. the contact details of the data protection officer,
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing,
  4. where the processing is based on point (f) of Article 6(1) of the GDPR, the legitimate interests pursued by the Enterprise or by a third party,
  5. the recipients or categories of recipients of the personal data, if any,
  6. where applicable, the fact that the Enterprise intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the European Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available,
  7. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period,
  8. the right of Data Subjects to request from the controller access to and rectification or erasure of their personal data or restriction of processing or to object to processing as well as the right to data portability,
  9. where the processing is based on point (a) of Article 6(1) of the GDPR or point (a) of Article 9(2) of the GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal,
  10. the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information,
  11. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Information to be provided where data are collected from the Data Subject

If the Enterprise collects personal data from the Data Subject, in addition to the above, it has to inform the Data Subject whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.

The information must be provided at the time when the personal data are obtained. If the Data Subject already has the above information, the same information does not need to be provided.

Information to be provided where data are not collected from the Data Subject

Where the Enterprise does not obtain the personal data from the Data Subject, in addition to the above, the Enterprise must inform the Data Subject of the categories of personal data concerning the Data Subject, the source from which the personal data originate, and if applicable, whether it came from publicly accessible sources.

The Enterprise must provide the information at the following times:

  1. within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed,
  2. if the personal data are to be used for communication with the Data Subject, at the latest when first communicating to that Data Subject, or
  3. if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

The above information does not need to be given if

  1. the Data Subject already has this information,
  2. the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the GDPR or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller must take appropriate measures to protect the Data Subject’s rights and freedoms and legitimate interests, including making the information publicly available,
  3. obtaining or disclosing the data is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the Data Subject’s legitimate interests, or
  4. where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Data Subjects’ rights

Data Subjects may request from the Enterprise access to and rectification or erasure of their personal data or restriction of processing, or may object to the processing of their personal data. Data Subjects also have the right to data portability and legal remedy, and have the right to decide about automated decision-making applied in individual cases, including profiling.

The Enterprise is obliged to provide information about certain rights that Data Subjects have as part of the information to be provided in accordance with point 4.1.

Right of access

Data Subjects are entitled to obtain confirmation from the Enterprise as to whether their personal data are currently being processed and, if that is the case, they are entitled to access their personal data and the following information:

  1. the purposes of data processing with regard to the personal data concerned,
  2. the categories of personal data concerned,
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations (where personal data are transferred to a recipient in a third country or to an international organisation, the Data Subject has the right to be informed of the appropriate safeguards relating to the transfer),
  4. the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period,
  5. the Data Subject’s rights (right of rectification, erasure, restriction, right to data portability, and right to object against the processing of such personal data),
  6. the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information,
  7. if the Enterprise did not obtain the data from the Data Subject, any available information as to their source,
  8. the existence of automated decision-making, including profiling, concerning the personal data, and, if applicable, information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

If the Data Subject made the request by electronic means, and unless otherwise requested by the Data Subject, the information is to be provided in a commonly used electronic form.

Prior to fulfilling the request, the Enterprise may request the Data Subject to clarify the contents of the request and accurately indicate the information requested and the processing activities concerned.

If the Data Subject’s right of access described in this point adversely affects the rights and freedoms of others (and in particular their trade secrets or intellectual property), the Enterprise is entitled to refuse the fulfilment of the Data Subject’s request to the necessary and proportionate extent.

In the event that the Data Subject requires the above information in more than one copy, the Enterprise may charge a reasonable fee proportionate with administrative costs for providing the extra copies.

If the Enterprise does not process the personal data specified by the Data Subject, information to this end must also be provided to the Data Subject in writing.

Right to rectification

Data Subjects are entitled to request the rectification of personal data concerning them or ask for incomplete data to be completed.

When exercising the right to rectification/completion, the Data Subject must indicate the specific data which are inaccurate or incomplete, and must inform the Enterprise of the accurate full data. In justified cases, the Enterprise is entitled to ask the Data Subject to verify the rectified data in a suitable way, primarily by a document.

The Enterprise will rectify and complete the data without undue delay.

Immediately after fulfilling the Data Subject’s request to rectify the data, the Enterprise will notify all persons to whom the Data Subject’s personal data have been disclosed, provided this is not impossible and does not involve a disproportionate effort on the part of the Enterprise. At the request of the Data Subject, the Enterprise will provide information about such recipients.

Right to erasure (‘right to be forgotten’)

Data Subjects have the right to request from the Enterprise the erasure of their personal data without undue delay where one of the following grounds applies:

  1. the personal data specified by the Data Subject are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Enterprise,
  2. the Enterprise processed the Data Subject’s personal data (including sensitive data) based on the Data Subject’s consent, who withdrew this consent in writing, and there is no other legal ground for the processing,
  3. the Data Subject objects to processing performed on the grounds of the Enterprise’s legitimate interests and there are no compelling legitimate grounds for processing by the Enterprise which override the interests, rights and freedoms of the Data Subject or which are connected to the establishment, exercise or defence of legal claims,
  4. the Enterprise processed the personal data unlawfully,
  5. the data processed by the Enterprise have to be erased for compliance with a legal obligation in Union or Member State law to which the Enterprise is subject,
  6. the Data Subject objects to the processing and there are no overriding grounds for the processing.

The Data Subject must submit the request for erasure in writing specifying the personal data that need to be erased.

When exercising the right of erasure, the Enterprise must act observing the rules of procedure laid down in point 4.3.

If the Enterprise agrees to act on the Data Subject’s submission for erasure, it will delete all the processed personal data concerned from its records and inform the Data Subject appropriately.

In the event that the Enterprise is obliged to erase the Data Subject’s personal data, it will take all reasonable measures, including technical measures, in order to also notify of the compulsory erasure of personal data those data controllers who learnt about the Data Subject’s personal data through their disclosure. In the information provided, the Enterprise must notify the other data controllers that the Data Subject has requested the erasure of any links to his or her personal data and any copies or replications of those personal data.

Immediately after fulfilling the Data Subject’s request to erase the data, the Enterprise will notify all persons to whom the Data Subject’s personal data have been disclosed, provided this is not impossible and does not involve a disproportionate effort on the part of the Enterprise. At the request of the Data Subject, the Enterprise will provide information about such recipients.

The Enterprise is not obliged to erase personal data if data processing is necessary

  1. for exercising the right of freedom of expression and information,
  2. for compliance with a legal obligation imposed on the Enterprise by Hungarian or European Union law which requires the processing of personal data,
  3. for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Enterprise,
  4. for reasons of public interest in the area of public health,
  5. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the Data Subject’s right to be forgotten is likely to render impossible or seriously impair the achievement of the objectives of that processing,
  6. for the establishment, exercise or defence of legal claims.

Request to restrict processing

Data Subjects have the right to request from the Enterprise the restriction of the processing and use of their personal data where one of the following grounds applies:

  1. the accuracy of the personal data is contested by the Data Subject (for a period enabling the Enterprise to verify the accuracy of the personal data),
  2. the Enterprise processed the personal data unlawfully but the Data Subject requests the restriction of their use instead of erasure,
  3. the purpose of the processing of the personal data ceased for the Enterprise, but the Data Subject needs them for the establishment, exercise or defence of legal claims,
  4. the Data Subject objects to processing performed on the grounds of the Enterprise’s legitimate interests and there are no compelling legitimate grounds for processing by the Enterprise which override the interests, rights and freedoms of the Data Subject or which are connected to the establishment, exercise or defence of legal claims; in this case the restriction applies until it is established whether the Enterprise’s legitimate grounds override the Data Subject’s legitimate grounds.

In the event of restriction, such personal data may, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The Enterprise must inform the Data Subject before the restriction of processing is lifted.

Immediately after fulfilling the Data Subject’s request to restrict the processing of the data, the Enterprise will notify all persons to whom the Data Subject’s personal data have been disclosed, provided this is not impossible and does not involve a disproportionate effort on the part of the Enterprise. At the request of the Data Subject, the Enterprise will provide information about such recipients.

Right to object

Where the Enterprise does not process data in the public interest, does not exercise official authority, and does not carry out scientific or historical research or processing for statistical purposes, the right to object may be exercised with regard to processing on the grounds of legitimate interest.

If the Data Subject’s data are processed based on a legitimate interest, an important provision is that obtaining appropriate information as well as the option to exercise the right to object must be ensured for the Data Subject in connection with processing. The Data Subject’s attention must be explicitly drawn to this right at the time of the first communication at the latest.

On this basis, the Data Subject is entitled to object to the processing of his or her personal data and in this case the Enterprise may no longer process the Data Subject’s personal data except if it can be proved that

  1. on the part of the Enterprise processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject, or
  2. data processing is linked to the establishment, exercise or defence of the Enterprise’s legal claims.

Right to object to processing for direct marketing purposes

As regards processing for direct marketing (DM) purposes, the GDPR declares that the existence of legitimate interests can be presumed in the case of related processing.

Thus, in the event of direct marketing activities conducted by the Enterprise, Data Subjects are entitled to object to the processing of their personal data for this purpose, but, contrary to processing based on other legitimate interests, following such an objection the Enterprise is not in a position to consider whether the processing can be continued despite the Data Subject’s objection.

If the Data Subject objects to processing for direct marketing purposes, the Enterprise may no longer process the Data Subject’s data for this purpose.

Profiling

During profiling the personal aspects relating to Data Subjects are evaluated using an automated method. Such evaluations can be used, for example, to analyse or predict aspects concerning the Data Subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements.

The right to object also extends to profiling as a specific processing operation based on legitimate interests. If profiling is done for direct marketing purposes, following the Data Subject’s objection, profiling based on personal data must also be ceased immediately.

Right to data portability

Data Subjects are entitled to receive their personal data processed by the Enterprise in a structured, commonly used and machine-readable format and to transmit those data to another data controller without hindrance from the Enterprise.

The right to data portability may be exercised with regard to personal data which the Data Subject made available to the Enterprise and

  1. where processing is based on the Data Subject’s consent or on a contractual legal basis and
  2. processing is carried out by automated means.

If this is technically feasible, the Enterprise, at the Data Subject’s request, will transmit the personal data directly to the other controller specified in the Data Subject’s request.

In the course of data portability, the Enterprise is obliged to provide a data carrier for the Data Subject free of charge.

If the right to data portability adversely affects the rights and freedoms of others (and in particular their trade secrets or intellectual property), the Enterprise may refuse the fulfilment of the Data Subject’s request to the necessary extent.

Measures taken in the course of data portability (transfer and movement of data) do not constitute the erasure of data, and the Enterprise keeps such data on record while there is an appropriate purpose and legal grounds for processing data.

Right to decide about automated individual decision-making including profiling

The GDPR does not define the meaning of ‘automated decision-making’. In essence it covers any automated process in which the data entered are evaluated solely by computing devices, without human intervention, according to predefined criteria or algorithms, and that evaluation results in a decision with significant consequences for the Data Subject (e.g. rejection of online loan applications on the basis of automated considerations, online labour force selection without human intervention).

The essence of the concept of ‘profiling’ (see definitions above) is that personal aspects relating to Data Subjects are evaluated using some automated method. If decisions are reached by automated means at the Enterprise in relation to the Data Subject’s personal data, including profiling, reference to this fact must be made in the privacy notice. In this case the privacy notice must contain information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

The Data Subject is entitled to request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the Data Subject or which similarly significantly affects the Data Subject.

The Data Subject is not entitled to request exemption from being subject to a decision based solely on automated processing if the decision is necessary for entering into or performing a contract, or it is authorised by Union or Member State law, or it is based on the Data Subject’s explicit consent.

If automated processing is necessary for entering into or performing a contract or is based on the Data Subject’s explicit consent, the Data Subject has the right to obtain human intervention on the part of the Enterprise, to express his or her point of view and to contest the decision.

During data processing, the Enterprise will do its utmost to avoid personal data in special categories being included in automated decision-making. If, however, this cannot be avoided, automated decision-making with regard to personal data in special categories may only take place provided processing is based on the Data Subject’s consent or is necessary due to a significant public interest based on European Union or Member State law and suitable measures to protect the rights of Data Subjects have been taken.

Right to remedy

Right to lodge a complaint

If the Data Subject considers that the processing of his or her personal data by the Enterprise infringes the provisions of the effective data protection legislation and in particular of the GDPR, the Data Subject may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

Website: http://naih.hu/

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Postal address: 1530 Budapest, Pf. 5.

Telephone: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

The Data Subject also has the right to lodge a complaint with a supervisory authority in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.

8.2. Judicial review of a decision by a supervisory authority and other remedies

The Data Subject and the Enterprise have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, and in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority.

Furthermore, the Data Subject has the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 of the GDPR does not handle a complaint or does not inform the Data Subject within three months of the progress or outcome of the complaint lodged.

Proceedings against a supervisory authority must be brought before the courts of the Member State where the supervisory authority is established.

Right to apply to the courts (right to bring legal actions)

Independently of their right to lodge a complaint, Data Subjects may bring an action before the courts if their rights pursuant to the GDPR have been infringed in the course of processing their personal data.

The Hungarian National Authority for Data Protection and Freedom of Information (the ‘Authority’) will impose administrative fines, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article 58(2) of the GDPR; pursuant to Article 83 of the GDPR, the amount of the fine depends on the different circumstances, for example the gravity of the infringement.

The contact details of the courts in Hungary are available at the following link: http://birosag.hu/torvenyszekek.

In view of the fact that the Enterprise is not a public authority of a Member State exercising public powers, the Data Subject may also bring legal action before the court with competence and jurisdiction of the Member State where he or she has habitual residence provided that this is in another Member State of the European Union.

Other option for enforcing rights

The Data Subject has the right to appoint a not-for-profit organisation or association which is constituted in accordance with the law of a Member State and whose statutory objectives include serving the public interest and the protection of rights and freedoms of Data Subjects with regard to their personal data to lodge a complaint, exercise the right to a judicial remedy with regard to a decision of a supervisory authority, bring legal action, or exercise the right to receive compensation on his or her behalf.

Right to compensation

The Enterprise must reimburse any material or non-material damage suffered by another person as a result of the infringement of the following legislation:

  1. GDPR,
  2. delegated acts and implementing acts adopted in accordance with the GDPR,
  3. national law clarifying the rules contained in the GDPR.

The Enterprise will be exempt from the liability to pay compensation if it proves that it is not in any way responsible for the event giving rise to the damages.

Claims for compensation may be submitted to the national court with competence and jurisdiction specified in point 4.2.8.3.

Administrative fine

Administrative fines are to be imposed by NAIH depending on the circumstances of each individual case in addition to or instead of measures referred to in points (a) to (h) and (j) of Article 58(2) of the GDPR; pursuant to Article 83 of the GDPR, the amount of the fine depends on the circumstances such as the gravity of the infringement.

Criminal and/or administrative penalties

Pursuant to Section 70 of the Info Act, if the Authority suspects that a crime has been committed, the Authority will institute criminal proceedings at the body entitled to open criminal proceedings, and, in the case of the suspicion of an offence or misconduct, the Authority will institute infraction or disciplinary proceedings at the body having competence to conduct such proceedings. The body must notify the Authority of its position concerning the opening of the proceedings within 30 days and of the outcome of the proceedings within 30 days of the conclusion of the proceedings.

Rules of procedure

In fulfilling the above obligation to provide information and in taking related measures, the Enterprise must act as described. In addition to the special rules stated above, the Enterprise must observe the following provisions.

Responding to requests

In connection with measures requested by Data Subjects based on the rights described in points 4.2.1 to 4.2.7, the following rules of procedure must be applied.

Data Subjects may submit their requests to the data protection officer working in the position of HR officer.

Requests must be submitted in writing, by electronic letter or on paper (on a form). If the Data Subject does not submit the request using a printed form, it must be assessed based on its content. If the Data Subject submitted the request by electronic means, the information, if possible, should also be provided in an electronic form unless otherwise requested by the Data Subject.

The Data Subject must specify the exact personal data for which action by the Enterprise is requested.

The Enterprise must respond to the request within 1 (one) month of receiving the request submitted in writing. If necessary, taking into account the complexity of the request as well as the number of requests currently being dealt with, the Enterprise may extend the deadline for responding to the request by another 2 (two) months. The Data Subject must be informed of the fact and reasons for such an extension within 1 month of the receipt of the request.

If the request of the Data Subject is well-founded, the Enterprise will perform the requested action within the procedural deadline, and inform the Data Subject of the fulfilment of the request in writing.

If the Enterprise does not take action in response to the Data Subject’s request, it will provide information of the reasons for not taking action without undue delay but within 1 (one) month of the receipt of the request at the latest, and advise the Data Subject of the option of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Fee for the information supplied, communication provided and action taken

The Enterprise provides the information specified in points 4.1, 4.2.1 to 4.2.7 and 6.2 as well as any communication about Data Subjects’ rights and performs the actions requested free of charge. If, however, the request of the Data Subject is manifestly unfounded or excessive, in particular because of their repetitive character, the Enterprise may, taking into consideration the administrative costs of providing the information or communication or taking the action requested,

  1. charge a reasonable fee or
  2. refuse to act on the request.

Checking the identity of the person making the request

If the Enterprise has reasonable doubts concerning the identity of the person submitting the requests referred to in points 4.2.1 to 4.2.6 of this Policy, the Enterprise may request the provision of additional information necessary to confirm the identity of the Data Subject.

Data transfers

For a specific reason, such as in particular to perform a contract with a third party or an obligation prescribed by law or an employer’s obligation arising from an employment relationship, the Enterprise may transfer the personal data of Data Subjects.

In the case of transfers, with the exception of statutory transfers, the Enterprise will only transfer the personal data of Data Subjects to recipients who are based in the territory of the European Union or who provide suitable safeguards that processing performed by them complies with the requirements of the GDPR.

If the Enterprise transmits personal data to a third country, i.e. outside the European Union, or to an international organisation (or makes data accessible to a data controller operating in a third country or an international organisation), the Enterprise must ensure that the recipient operating in a third country or the international organisation provides safeguards affording equivalent protection for the Data Subject’s personal data to that ensured by the Enterprise in accordance with the provisions of Chapter V of the GDPR.

Where data are transferred to a third country or an international organisation which cannot ensure a suitable level of protection for the personal data in accordance with Chapter V of the GDPR (e.g. certain Asian or African countries), the data may only be transferred without the Data Subject’s consent if the transfer complies with the provisions of Article 49 of the GDPR; failing that, the Data Subject’s explicit consent is required for the transmission of the personal data.

Personal data breach

In the event of a personal data breach, the Enterprise must observe the following rules and act in accordance with them.

Notification to the supervisory authority

The Enterprise must notify a personal data breach regarding the data it processes to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it with at least the following content:

  1. a description of the nature of the personal data breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned,
  2. the name and contact details of the data protection officer (if there is one) or other contact point where more information can be obtained,
  3. a description of the likely consequences of the personal data breach,
  4. a description of the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided to the supervisory authority in phases without undue further delay. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.

The personal data breach does not have to be notified if it is likely not to result in a high risk to the rights and freedoms of natural persons. The likelihood and gravity of the risk must be determined based on an objective assessment taking into account the nature, scope, circumstances and purposes of data processing. The following is classified as a risk: if, as a result of the data breach, Data Subjects may suffer from discrimination, become the subjects of identity fraud, or suffer financial loss or damage to reputation, or any other significant economic or social disadvantage.

Communication to the Data Subject

If a Data Subject, in particular an employee of the Enterprise, becomes aware of a personal data breach, he or she is obliged to notify the representative or data protection officer of the Enterprise without delay. As regards the calculation of the fee in connection with the notification, the provisions of point 4.3.2 will apply accordingly.

In every case where the personal data breach is likely to result in a high risk to the rights and freedoms of Data Subjects and the Enterprise becomes aware of the breach, Data Subjects must be informed without undue delay. This communication must describe in clear and plain language the following:

  1. the nature of the personal data breach,
  2. the name and contact details of the data protection officer or other contact point where more information can be obtained,
  3. the likely consequences of the personal data breach,
  4. the measures taken or proposed to be taken by the Enterprise to address the personal data breach, including, where appropriate, measures to mitigate any possible adverse effects arising from the personal data breach.

The Data Subject does not have to be informed if any of the following conditions are met:

  1. the Enterprise has taken appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access them, such as encryption;
  2. the Enterprise has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise;
  3. communication would involve disproportionate effort. In such a case, Data Subjects must be informed by public or other customary communication, or a similar measure to provide information in an equally effective manner must be taken.

If the Enterprise has not already communicated the personal data breach to the Data Subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require the Data Subject to be informed or may establish that one of the above conditions applies and thus the Data Subject does not need to be informed.

Records of data processing

Records of processing activities

The Enterprise and the representative of the Enterprise must keep a record of the processing activities under its responsibility in writing, including in the form of an electronic document, pursuant to Article 30 of the GDPR containing the following information:

  1. the name and contact details of the Enterprise and – if applicable – the names and contact details of the joint data controller, the representative of the data controller and the data protection officer,
  2. the purposes of data processing,
  3. a description of the categories of Data Subjects and the categories of personal data,
  4. the categories of recipient to whom the personal data are or will be disclosed including recipients in a third country and international organisations,
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation, and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards,
  6. where possible, the envisaged time limits for erasure of the different categories of data,
  7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.

The Enterprise and the representative of the Enterprise are obliged to make the records accessible to the supervisory authority on request.

Documenting personal data breaches

The Enterprise must keep records of personal data breaches with the following information:

  1. facts related to the personal data breach,
  2. its consequences and
  3. the measures taken to remedy these.

The National Authority for Data Protection and Freedom of Information may view these records and check compliance with Article 33 of the GDPR.

Data protection officer (DPO)

The data protection officer is a person performing independent objective advisory and inspection activities and providing independent objective opinions who is responsible within the Enterprise for revealing errors, deficiencies and irregularities in the area of data protection, ensuring compliance with legislation on data protection and thus in particular forming opinions on existing and planned processing from the viewpoint of data protection, and increasing general awareness of data protection.

Appointing a data protection officer is either compulsory when the conditions laid down in the GDPR exist, or otherwise voluntary; the position may be filled by an employee or an external commissioned service provider. The DPO’s tasks are at least the following:

  1. to provide information and professional advice to the Enterprise or the data processor as well as employees who carry out processing of their obligations under the GDPR or any other Union or Member State provisions on data protection,
  2. to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits,
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35 of the GDPR,
  4. to cooperate with the supervisory authority,
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter.

In the performance of his or her tasks, the data protection officer must have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

The Enterprise or the data processor must ensure that the performance of the DPO’s tasks and duties does not result in a conflict of interests. The data protection officer is bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

In order to ensure that the data protection officer becomes aware of all processes affecting personal data as early as possible and obtains a full picture of the measures intended to be introduced, he or she must be included in related consultations, and the DPO’s opinion must be sought throughout, from the start of planning to implementation and thereafter when monitoring subsequent processes. The data protection officer performs inspections based on an inspection plan or, when a data protection infringement is perceived, on a case-by-case basis. The focus of the inspection plan and of the individual planned inspections is determined by the data protection officer based on the risk assessment performed, the findings of previously conducted checks, previously formulated opinions and measures affecting data protection that are intended to be introduced.

The organisational independence of the data protection officer must be ensured to guarantee that he or she can perform an objective assessment function. The data protection officer may not, in relation to this capacity, be instructed or penalised for performing his or her activities, and must report directly to the top management. If the DPO’s independence is compromised, he or she must report this to the top management of the Enterprise.

The Enterprise must make available to the data protection officer the organisational, administrative and material facilities required to efficiently perform his or her duties, and must publish the DPO’s name and contact details, and make these known to the supervisory authority.

Data protection impact assessment

Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the Enterprise is obliged to carry out an impact assessment (see in particular Article 35(3) of the GDPR). The impact assessment must contain at least the following information:

  1. a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller,
  2. an assessment of the necessity and proportionality of the processing operations in relation to the purposes,
  3. an assessment of the risks to the rights and freedoms of Data Subjects,
  4. a description of the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of Data Subjects and other persons concerned.

Training

The Enterprise or its data protection officer must ensure awareness-raising and training related to data protection of staff involved in processing operations within the Enterprise (organisation, regularity, testing, legal consequences, revision, etc.).

Joint data processing

when involving another controller or processor

Security of processing

(describing the technical and organisational measures pursuant to Article 32 of the GDPR)

The application of a privacy policy, defining data protection authorisation levels, clean desk policy, password-protected users’ accounts, terminals and laptops, numbered USB sticks, lockable filing cabinets, strictly confidentially handled passwords, use of a firewall, use of encryption methods, use of automatic data destruction processes.

Miscellaneous provisions

In this Policy, Union law or the European Union must be interpreted as the law applicable in EEA countries and the EEA countries respectively.

Scope and the rules of review

This Policy enters into force on 25 May 2018 and is valid until further notice. Upon the entry into force of this Privacy Policy, all internal regulations and employer’s instructions governing the processing of personal data now falling under the scope of the Privacy Policy which were previously in force cease to be effective.

This Privacy Policy is to be reviewed at least once every year on the same day of the year as its date of entry into force and the review must extend to the full contents of any annexes. If it is necessary, the HR officer as the staff member responsible for the review will take measures to amend the Privacy Policy in line with any legislative changes or internal organisational changes, and ensure that the amended Privacy Policy enters into force and is announced and that the persons subject to the Privacy Policy are made aware of the contents of the changes.

It is compulsory for every representative, office holder and agent of the Enterprise to be aware of and comply with the relevant rules of this Privacy Policy, and to perform their duties in full compliance with the provisions of this Privacy Policy.

In the event of a change in legislation and any other reason for amending this Privacy Policy, the privacy notice must be amended taking into account the legislative change and change for any other reason, and the text of the amendment must be made accessible to Data Subjects [in the customary manner and in the same manner as this Privacy Policy is published – complete as appropriate].
