Mystery Hotel Budapest Kft.’s Privacy Policy Regarding the Processing of Data Subjects’ Personal Data
This Privacy Notice (hereinafter: Notice) contains information for data subjects regarding the data processing activities of our hotel, Mystery Hotel Budapest (hereinafter: Hotel/Data Controller), in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR), as well as Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Infotv.) and other relevant legislation designed to ensure the protection of personal data.
To ensure the security of your personal data, our hotel takes the necessary and appropriate measures to ensure that our online users (when browsing or making online reservations on the websites www.mysteryhotelbudapest.com, www.mysteryhotelbudapest.hu, www.spasecretgarden.com, and www.thegreathallbudapest.com), our guests, and other data subjects receive all information regarding the processing of their personal data in a concise, transparent, understandable, and easily accessible form, expressed clearly and in plain language, and to facilitate the exercise of your rights as a data subject.
This Notice constitutes Appendix 1 to the Privacy Policy (hereinafter: the Policy) available at our Hotel’s headquarters. Please read the contents of this Notice carefully; if you have any questions, please do not hesitate to contact us.
Chapter I
Identification of the data controller and data processors
Name of the Data Controller
The publisher of this Information Notice, which is also the Data Controller/Hotel:
Mystery Hotel Budapest, Limited Liability Company
Headquarters: 1064 Budapest, Podmaniczky Street 45;
Company registration number: 01-09-295026;
Tax ID number: 25896811-2-42;
Represented by: Tamás Antal Scheffler, Managing Director;
Email address: nikoletta@mysteryhotelbudapest.com
Website: www.mysteryhotelbudapest.com, www.mysteryhotelbudapest.hu, www.spasecretgarden.com, www.thegreathallbudapest.com
List of Data Processors
Our hotel acts as a data controller when processing the personal data of data subjects. We also engage data processors to provide our services and carry out our operations. Data processors are bound by a duty of confidentiality regarding the data they receive in this manner. Data processors handle personal data in accordance with the contract established between them and our hotel, as the data controller, and only to the extent necessary to fulfill their tasks.
Under the GDPR and the Information Act, a data processor is any natural or legal person, public authority, agency, or any other body that processes personal data on behalf of our Hotel as the data controller. (Article 4(8) of the GDPR)
Under the law, our Hotel is not required to obtain the data subject’s prior consent to engage a data processor, but we are required to inform you. Accordingly, our Hotel informs data subjects of the details and contact information of the data processors to whom our Hotel, as the data controller, has transferred personal data for the purposes of ensuring our guests’ safety and facilitating faster and more convenient service, and who may process such data strictly for the specified purposes.
1. Our external contractual partners who assist with reservations and sales
In connection with reservations and sales, our hotel engages external contractors to process the personal data of the guests concerned; these contractors provide the related IT and other services through their own systems and networks, and, within this framework—subject to their own data processing policies—process the personal data transferred to them; if necessary to perform the operations they carry out, they store the personal data transferred in this manner on their servers. You can obtain more detailed information about data processing and the duration of data storage by contacting our partners. The names of these partners can be found in the register of data processing activities, which is publicly available at our Hotel and will be provided to you upon request.
We would like to inform our guests that the data they provide to these partners will only be subject to our Hotel’s privacy policy once it has been received by our Hotel’s system. Prior to that, their data is processed by our sales partners.
Once your data has been received by our hotel’s system, it will be processed in full accordance with the provisions of this Notice.
2. Our IT, security, and financial data processing partners
Our hotel uses an external service provider to perform its IT, security, and financial services, and this provider processes the personal data of data subjects in accordance with the provisions of Chapter V of this Notice. The names of these data processors can be found in the record of data processing activities.
Chapter II
Definitions
For the purposes of this Notice—in accordance with Article 4 of the GDPR:
1. “personal data” means any information relating to an identified or identifiable natural person (“data subject”); a natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
2. “data processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
3. “restriction of processing”: the marking of stored personal data with the aim of limiting their future processing;
4. “profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to assess job performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movement;
5. “pseudonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and technical and organizational measures are implemented to ensure that the personal data cannot be linked to identified or identifiable natural persons;
6. “controller” means the natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, Union or Member State law may also determine the controller or specific criteria for designating the controller;
7. “data processor”: a natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the data controller;
8. “recipient”: a natural or legal person, public authority, agency, or any other body to whom or which personal data are disclosed, whether or not a third party. Public authorities that have access to personal data in the context of a specific investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
9. “third party”: a natural or legal person, public authority, agency, or any other body other than the data subject, the controller, the processor, or those persons who, under the direct authority of the controller or processor, are authorized to process personal data;
10. “consent of the data subject”: a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
11. “data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed;
12. “Health data”: 1. In accordance with the text of the GDPR: personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person that reveals information about the natural person’s health. 2. The definition of “health data” under the Health Act at the time the Regulation entered into force: data concerning the data subject’s physical, mental, and emotional condition, pathological addictions, as well as the circumstances of illness or death and the cause of death, whether provided by the data subject or another person on their behalf, or detected, examined, measured, imaged, or derived by the healthcare system; as well as any data related to or influencing the foregoing (e.g., behavior, environment, occupation);
13. “personal identification data”: first and last name, maiden name, gender, place and date of birth, mother’s maiden name, place of residence, current address, social security identification number (hereinafter: TAJ number), either collectively or individually, provided that they are or may be suitable for identifying the data subject.
Chapter III
Basic Principles
Our hotel processes the personal data of data subjects—in accordance with Article 5 of the GDPR—in accordance with the following principles; our employees are required to act in accordance with the following principles to protect the personal data of data subjects:
1. Principles of lawfulness, fairness, and transparency: Our hotel processes personal data lawfully, fairly, and in a manner that is transparent to the data subject;
2. Principle of purpose limitation: Personal data shall be collected only for specified, explicit, and legitimate purposes, and our Hotel shall not process such data in a manner incompatible with those purposes; further processing for archiving in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the original purpose;
3. Principle of data minimization: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes of the processing;
4. Principle of accuracy: Personal data must be accurate and, where necessary, kept up to date; our Hotel will take all reasonable measures to ensure that personal data that is inaccurate in relation to the purposes of the processing is erased or rectified without delay;
5. Principle of storage limitation: Personal data must be stored in a form that allows for the identification of data subjects only for as long as is necessary to fulfill the purposes of the processing; personal data may be stored for a longer period only if the processing of personal data is carried out in accordance with Article 89(1) of the GDPR for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the implementation of appropriate technical and organizational measures required by the GDPR to safeguard the rights and freedoms of data subjects;
6. Principle of Integrity and Confidentiality: Our Hotel processes personal data in such a way that appropriate technical or organizational measures are implemented to ensure the security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage;
7. Principle of accountability: As the data controller, our hotel is responsible for ensuring compliance with points 1 through 6 and is prepared to demonstrate such compliance if necessary.
Chapter IV: Lawful Processing of the Personal Data of Data Subjects
1. [Data processing based on the data subject’s consent]
(1) In cases where data processing is based on consent, our Hotel requests the data subject’s consent to the processing of their personal data prior to the commencement of such processing. If the data processing serves multiple purposes simultaneously, consent must be provided for all such purposes.
(2) If the data subject provides consent in a written statement that also covers other matters, the request for consent must be clearly distinguishable from those other matters, presented in an intelligible and easily accessible form, using clear and plain language, and must not contain unfair terms. Any part of the statement containing the data subject’s consent that does not comply with the requirements set forth in the law shall not be binding.
(3) For the data subject’s consent to be considered informed, the data subject must at least be aware of the identity of the data controller and the purpose of the processing of personal data. Consent cannot be considered voluntary if the data subject does not have a genuine or free choice and is unable to refuse or withdraw consent without suffering adverse consequences.
(4) Data processing is considered lawful if it is necessary for the performance of a contract or for taking steps to enter into a contract. Our hotel may not make the conclusion or performance of a contract contingent upon the provision of consent to the processing of personal data that is not necessary for the performance of that contract.
(5) The option to withdraw consent must be made available to the data subject in a comprehensible and easily accessible form, in a clear and simple manner, and must not contain any unfair terms.
(6) If personal data was collected with the data subject’s consent, our Hotel may process the collected data without further specific consent for the purpose of fulfilling a legal obligation to which it is subject, unless otherwise provided by law, and even after the data subject has withdrawn their consent.
(7) Consent must be voluntary, that is, free from any external influence; it may serve as a legal basis only if the data subject has a genuine choice and there is no risk of deception, intimidation, coercion, or other significant negative consequences in the event of refusal to give consent. In the absence of voluntariness, our Hotel does not have a valid legal basis for data processing.
(8) A specific instance of the legal basis for consent is the exception set forth in Section 6(3) of the Information Act, pursuant to which parental consent is required for the lawfulness of data processing involving minors under the age of 16.
2. [Our hotel’s duty to provide information]
Our hotel makes this Privacy Notice readily available to data subjects on its website and at its headquarters. The Privacy Notice provides data subjects, in a publicly accessible format, with clear and detailed information—both before and during the processing of their data—regarding all aspects of the processing of their data, including, in particular, the purpose and legal basis of data processing, the person authorized to process the data, the duration of data processing, whether our Hotel processes the data subject’s personal data pursuant to Section 6(5) of the Information Act (consent of the data subject), and who is authorized to access the data. In this context, our Hotel’s information also covers the data subject’s rights regarding data processing and their options for legal remedies.
3. [Data processing based on the legal basis of compliance with a legal obligation prescribed by law]
Data processing based on the legal obligation prescribed by law is independent of the data subject’s consent. Prior to commencing data processing, our Hotel must inform the data subject that the processing of their data is based on a legal obligation; in this context, our Hotel shall, prior to commencing data processing—through this Notice—clearly and in detail inform the data subject of all facts related to the processing of their data, including, in particular, the purpose and legal basis of the data processing, the person authorized to process the data, the duration of the data processing, whether the data controller processes the data subject’s personal data based on a legal obligation applicable to the data controller, and who is authorized to access the data. The information must also cover the data subject’s rights and remedies regarding the data processing. In the case of mandatory data processing, the information may also be provided by publishing a reference to the legal provisions containing the information set forth in this paragraph.
4. [Data processing based on the data controller’s legitimate interests]
Personal data may also be processed if such processing is necessary to pursue the legitimate interests of our Hotel—or, in exceptional cases, a third party—unless the data subject’s right to the protection of their personal data and to respect for their privacy takes precedence over such interests. This may render the processing of the data subject’s personal data lawful regardless of the data subject’s consent, provided that the legitimate interest restricts the data subject’s right to the protection of personal data and privacy only to the extent that is necessary and proportionate. In the case of such data processing based on a balancing of interests, the principle of proportionality must be applied, and the data subject’s presence must be ensured to the extent possible.
Chapter V
Data Processing on Our Hotel’s Website and Social Media Platforms
1. [Contact us via our hotel’s website]
(1) A natural person who initiates contact through the website shall provide the following information necessary to establish contact:
1. Name (last name, first name);
2. email address;
3. Other personal data voluntarily provided by the data subject in the message.
(2) The purpose of processing personal data:
1. Providing information about the Hotel’s services and facilitating communication between the individual user and the Hotel.
2. Contacting the user via email or phone.
3. Information about the Hotel’s products, services, and terms and conditions.
4. Information about the Hotel’s promotions, provided the data subject has given separate consent.
(3) The legal basis for the processing of personal data is the data subject’s consent.
(4) The recipients of personal data, or categories of recipients, include the Hotel’s employees, the Hotel’s data processing partner acting as a data processor, and the employees of the Hotel’s IT service provider who perform hosting and development services.
(6) Personal data will be stored for the duration of the service, for the mandatory retention period prescribed by law, or until the data subject withdraws their consent (or requests erasure).
2. [Use of Cookies]
What is a cookie?
A cookie is a small text file that is stored on the hard drive of your computer or mobile device until the expiration date set in the cookie, and is activated during subsequent visits (sending a signal back to the web server). Websites use cookies to record information related to your visit (pages visited, time spent on pages, browsing data, logouts, etc.) and personal settings; however, this data cannot be linked to your identity. This tool helps create a user-friendly website to enhance the online experience for visitors.
On other platforms—where cookies are not available or cannot be used—other technologies may be employed that serve a similar purpose to cookies; an example of this is the advertising ID on Android mobile devices.
There are two types of cookies: “session cookies” and “persistent cookies.”
“Session cookies” are stored temporarily on your computer, laptop, or mobile device only until you leave the website; these cookies help the system remember information so that you do not have to re-enter or fill out the same information repeatedly. The validity period of session cookies is limited exclusively to the user’s current session; their purpose is to prevent data loss (for example, while filling out a lengthy form). Once the session ends or the browser is closed, this type of cookie is automatically deleted from the visitor’s computer.
“Persistent cookies” remain stored on your computer, laptop, or mobile device even after you leave the website. These cookies enable the website to recognize you as a returning visitor. Persistent cookies are capable of identifying you through a server-side ID-user mapping, making them a necessary condition for proper operation in all cases where user authentication is essential (e.g., online stores, online banking, webmail). Persistent cookies do not themselves contain personal data and are only capable of identifying the user in conjunction with the mapping stored in the server’s database. The risk with such cookies is that they actually identify the browser rather than the user; that is, if someone enters an online store in a public place, such as an internet café or library, and does not log out upon leaving, another person using the same computer could later gain unauthorized access to that online store on behalf of the original user.
How can I enable or disable cookies?
Most web browsers automatically accept cookies, but visitors have the option to delete or reject them. Since every browser is different, you can set your cookie preferences individually using your browser’s toolbar. If you do not wish to allow any cookies from our website, you can modify your web browser settings to receive a notification about cookies being sent, or simply reject all cookies. You can also delete cookies stored on your computer or mobile device at any time. For more information about these settings, please refer to your browser’s Help section. Please note that if you decide to disable cookies, you will have to forgo certain features of the website.
What cookies do we use?
Tools essential for the website's operation:
These cookies are essential for the proper functioning of the website; therefore, the legal basis for data processing in this case is Section 13/A(3) of Act CVIII of 2001 on Certain Issues Concerning Electronic Commerce Services and Information Society Services. No data is transferred.
- a) Instructions for completing the form
Purpose of data processing: To assist you in filling out forms by suggesting entries that appear appropriate for you.
Data retention period: for the duration of your visit to the website
- b) Helps with the search
Purpose of data processing: To help you find what you're looking for as quickly as possible
Data retention period: for the duration of your visit to the website
- c) Spell checker
Purpose of data processing: Automatically corrects suspected typos
Data retention period: for the duration of your visit to the website
- d) Identifying the language setting
Purpose of data processing: When you visit the website, the system uses standard cookies to identify you as a unique user and to remember your language settings.
Data retention period: We store this setting (cookie) for 29 days.
- e) Social media cookies (Facebook, Instagram, Google+, YouTube)
Purpose of data processing: This cookie enables the sharing of content found on the website.
Retention period: We store this cookie until the content is shared.
- f) Multimedia player (YouTube)
Purpose of data processing: This cookie enables you to play videos on the website.
Retention period: We store this cookie for the duration of playback.
Cookies that collect statistical data
These cookies collect only statistical data; they do not process personal information. They track how you use the website, which topics you view, what you click on, how you scroll through the site, and which pages you visit. However, the information is collected exclusively in an anonymous manner. This allows us to determine, for example, how many visitors the site has each month. These statistical data also help us tailor our site to user needs. Google Tag Manager (and Google Analytics) and Hotjar assist in the collection of such data.
Marketing cookies
The purpose of these cookies is to deliver personalized advertisements.
Legal basis for data processing: In all cases, your consent, which you provide via the pop-up window on the website. You may withdraw your consent at any time; however, such withdrawal does not affect the lawfulness of data processing that took place prior to the withdrawal. If you withdraw your consent, advertisements tailored to you will no longer appear on other platforms.
- a) Categorization by location of the visit
Data retention period: 269 days
- b) Personalized Facebook recommendations
Data retention period: up to 180 days
- c) Tracking clicks on the hotel’s advertisements
Data retention period: 2 years
If you wish to exercise any of the rights set forth in Section 1 in connection with the above, or if you wish to contact us for any other reason regarding the data processing described above, please notify us by sending an email to gdpr@mysteryhotelbudapest.com.
3. [Data Processing on the Hotel’s Facebook, Instagram, and LinkedIn Pages]
(1) In order to promote and publicize our hotel’s products and services, we maintain Facebook, Instagram, and LinkedIn pages (hereinafter collectively referred to as “social media pages”) either directly or through our data processors.
(2) A data protection complaint submitted to the Hotel via the social media site does not constitute a formally filed complaint.
(3) We do not process personal data posted by visitors on the Hotel’s social media pages.
(4) Visitors are subject to the social media site’s Privacy Policy and Terms of Service.
(5) In the event of the publication of unlawful or offensive content on our social media page, the Hotel may, without prior notice, remove the user from the page’s followers and delete their post.
(6) Our hotel is not liable for any content or comments posted on our social media page by users that violate the law. Our hotel is not liable for any errors or malfunctions related to the protection of personal data arising from the operation of the social media platform, nor for any issues resulting from changes to the system’s operation.
(7) The provisions set forth in this section shall also apply to any future pages we create on other social media platforms.
4. [Data processing related to the newsletter service]
(1) Natural persons who register for the newsletter service on our hotel’s website may give their consent to the processing of their personal data by checking the corresponding box. Our hotel does not pre-check this box. During the registration process, we make this privacy notice available via a link. The data subject may unsubscribe from the newsletter at any time by using the “Unsubscribe” button in the email newsletter or by sending a statement via email, which constitutes a withdrawal of consent. In such cases, we will immediately delete all data pertaining to the person who unsubscribed.
(2) The scope of the natural persons’ personal data that may be processed:
1. Name (last name, first name);
2. Your email address.
(3) The purpose of processing personal data:
1. Sending newsletters regarding the Hotel’s products and services;
2. Sending promotional materials.
(4) The legal basis for the processing of personal data is the data subject’s consent.
(5) Recipients of personal data, or categories of recipients: employees of our hotel who perform tasks related to customer service and marketing activities; and, as data processors, employees of our IT service provider for the purposes of providing hosting services, advertising, and development.
(6) Personal data will be stored for as long as the newsletter service remains active or until the data subject withdraws their consent (or requests deletion).
Chapter VI
Special Provisions Regarding the Processing of Hotel Guests’ Data
1. [Booking a room through the hotel's website]
(1) On the legal basis of contract performance, our hotel processes the following personal data of natural persons who have entered into a contract with us as guests, for the purposes of concluding, performing, or terminating the contract necessary for the provision of hotel services, or for granting contractual discounts:
1. your first and last name,
2. your email address,
3. payment information (payment method, cardholder’s name, credit card details).
(2) Such data processing is considered lawful even if it is necessary to take steps at the data subject’s request prior to entering into a contract. The recipients of the personal data are the Hotel, its employees, and its data processors. The retention period for personal data—with the exception of the payment data specified in Section 3—is the period specified in the applicable legislation in force; in the absence of such a period, or in accordance with it, the data will be retained for 5 years following the termination of the contract, after which they will be deleted.
(3) On the legal basis of contract performance, our hotel processes the payment data (payment method, cardholder name, credit card details) of natural persons who have entered into a contract with us as guests for the purposes of concluding, performing, or terminating the contract necessary for the provision of hotel services, or for granting contractual discounts. Such data processing is considered lawful even if it is necessary to take steps at the data subject’s request prior to entering into the contract.
The scope of the data processed: payment method, cardholder name (name on the card), card number, expiration date.
Legal basis for data processing: based on the performance of a contract. This information may also be provided in the contract. The provision of data is a condition for the provision of the service agreed upon in the contract.
Recipients of the data: The recipients of personal data are the Hotel, its employees, and its data processors. If the data subject pays for hotel services by credit card, the recipient of the payment data is the data processor contracted by the Hotel to handle payment services. The Hotel does not have access to payment data; it receives only a TOKEN code that is linked to the payment via the data processor but cannot be traced back to the natural person. The data processor providing the payment service has the necessary security and IT measures and systems in place to ensure the secure handling of payment data. If necessary due to a temporary malfunction or other failure of the payment service system, the Hotel will handle payment data in an encrypted manner.
Data retention period: Credit card data is encrypted; it may only be disclosed for the purpose of the transaction and exclusively to authorized personnel. Once the service has been completed, the data may no longer be disclosed, and access is no longer possible. The data is deleted after 8 years.
(4) Prior to commencing data processing, the Hotel shall inform the data subject, through the privacy notice posted on the Hotel’s website, that the data processing is based on the legal basis of the performance of a contract. This information may also be provided in the contract. The data subject must also be informed of the transfer of their personal data to a data processor.
2. [Room reservations at our hotel’s front desk]
Our hotel processes the following personal data of natural persons who have entered into a contract with us as guests, collected by having them fill out the data collection form provided at the hotel reception, for the purposes of concluding, performing, or terminating the contract necessary for the provision of hotel services, or for granting contractual discounts:
1. your first and last name,
2. date of birth,
3. your passport number or ID card number,
4. citizenship,
5. address,
6. your email address,
7. your phone number,
8. the names of any natural persons using the hotel services together with the guest, as additional guests,
9. the type of hotel service (leisure, business, event, other),
10. the guest's signature.
This data processing is considered lawful even if it is necessary to take steps at the data subject’s request prior to entering into a contract. The recipients of the personal data are the Hotel, its employees, and its data processors. The retention period for personal data is the period specified in the applicable legislation in force; in the absence of such a period, or in accordance with it, the data will be retained for 5 years following the termination of the contract, after which it will be deleted.
If a guest who is a natural person pays for hotel services at the Hotel’s front desk using a credit card, the Hotel will process the payment data in accordance with the provisions of paragraph (3) of Section 4 above.
3. [Room Reservations by Phone and Email]
The provisions of this section are governed by the provisions of paragraphs 1 and 2 of this chapter.
4. [Room reservations made through a third-party agency]
(1) Our hotel may engage the services of a third party or an agency for the purpose of entering into, performing, or terminating a contract necessary for the provision of hotel services, or for the purpose of granting a contractual discount, pursuant to the performance of the contract.
(2) In the course of the service described in paragraph (1), the data subject provides their personal data to the third-party agency, acting as the data controller, and the third-party agency forwards the data necessary for the data subject’s reservation to the Hotel. If the data subject uses the hotel service, the Hotel shall receive and process the data received and shall keep records of it as a data controller in accordance with the provisions of Sections 1 and 2 of this chapter.
5. [Data Processing at Our Hotel’s Events]
(1) Based on the data subject’s consent—provided that such consent complies with the legal requirements, judicial practice, and information provisions set forth in this section—our hotel processes the following personal data of natural persons participating in events held on the hotel premises:
1. name,
2. email address,
3. photographs, audio recordings, and video recordings.
(2) The consent of the data subject must be obtained before data processing begins. At the request of the data subject, any images, audio recordings, or video recordings made of him or her must be deleted in all cases.
(3) The Hotel shall carry out the data processing referred to in paragraph (1), subparagraph 1 of this section, taking into account the following:
a) Under the provisions of the Information Act, a person’s face or likeness constitutes personal data, and the taking of a photograph, as well as any operation performed on such data, constitutes data processing, for which the data subject’s consent is required. Consent must be voluntary, explicit, and based on adequate information, whereby the data subject gives unambiguous consent to the processing of personal data concerning him or her, either in full or in relation to specific operations.
b) In the case of minors, the consent or subsequent approval of a minor’s legal representative is not required for the validity of a legal declaration containing the consent of a minor who has reached the age of 16. After reaching the age of 16, a minor may independently make a declaration regarding the use of their personal data; the consent or subsequent approval of their legal representative is not required for such a declaration. However, prior to reaching the age of 16, the prior or subsequent approval of the legal representative is required in all cases; otherwise, consent to data processing shall be deemed null and void, and data processing shall be considered unlawful due to the lack of a legal basis.
c) Consent may be given through conduct implying consent. Consent must be voluntary, unambiguous, and based on adequate information; otherwise, it cannot be considered valid. The Hotel considers entry into the event venue and participation in the event following the provision of information to constitute conduct implying consent. Such implied consent is deemed to exist if the person concerned is aware that a recording is being made or may be made in the room they are entering. However, consent to the taking of photographs, audio, or video recordings does not automatically imply permission for their use, as the right to dispose of the recordings is separate and independent from the permission to take them.
d) Consent to the creation of photographs, sound recordings, and motion pictures—even if implied by conduct—does not automatically constitute authorization to publish such recordings. Thus, with the exception of mass recordings, the voluntary consent of the data subjects must be obtained for the publication of still images, audio recordings, and video recordings. If proceedings were to be initiated against the data controller due to any non-compliant data processing—such as processing despite the lack of consent—the data controller must prove the lawfulness of the data processing, as, in accordance with applicable legal provisions, in case of doubt, it must be presumed that the data subject did not give their consent. Therefore, from the data controller’s perspective, with the exception of mass recordings, it is generally recommended that the statement of consent be recorded in writing for the use described in this section (d).
e) In accordance with the provisions of the Civil Code, the consent of the data subject is not required for the creation of a photograph or the use of a photograph in the case of a mass photograph or a photograph taken of a public figure in a public setting. With regard to the recordings made, it is necessary to examine on a case-by-case basis whether the photograph qualifies as a mass recording; otherwise, however, the publication of the images is lawful only with the consent of the data subjects or, in the case of minors under the age of 16, with the consent of their parents.
f) The Hotel informs data subjects about data processing at events through its data processing and privacy notice, which is published on its website and displayed at the front desk. In addition, if necessary, the Hotel will provide information regarding data processing subject to consent on a separate notice (on a registration form or on the back of the event ticket) upon entry to the event. The Hotel informs the data subject of the identity of the data controller, the purpose of the data processing, the location where the recordings can be accessed, as well as how the data subject may request that the recording not be made public, how the recording may be deleted, and where the detailed data processing notice containing all relevant facts can be found.
6. [Data processing related to food sensitivities and food allergies]
To ensure the health and safety of both our regular guests and those attending events and other functions, our hotel processes personal data regarding food sensitivities and food allergies, which is classified as special category health data under Article 6 of the Regulation. Data processed by the Hotel: type of food sensitivity or food allergy. The Hotel processes this data until the day following the event or for as long as the guest maintains a contractual relationship with the Hotel (for the duration of the reservation). Afterward, the data is deleted.
Chapter VII: Implementation of a Security, Personal, and Property Protection Camera System at
1. [Data processing related to video surveillance for the purpose of personal and property protection]
(1) In the areas of our hotel open to guests, we use an electronic surveillance system for the purposes of protecting human life, physical safety, personal freedom, trade secrets, and property. This system enables the recording of video footage; accordingly, the behavior of the data subject captured by the camera may also be considered personal data.
(2) The legal basis for data processing is the pursuit of our Hotel’s legitimate interests and the data subject’s consent.
(3) Our hotel is required to post a clearly visible and legible notice or information (hereinafter collectively referred to as “notice” in the context of this Section 1) in a conspicuous location regarding the use of the electronic surveillance system in a given area, in a manner that facilitates the awareness of third parties intending to enter the area. The information must be provided for each individual camera. This information shall include the fact that surveillance is being conducted by the electronic security system, as well as the purpose of the recording and storage of video footage containing personal data captured by the system, the legal basis for data processing, the location where the recordings are stored, the duration of storage, the person using (operating) the system, the group of persons authorized to access the data, as well as information regarding the rights of data subjects and the procedures for exercising those rights.
(4) Recordings of persons entering the monitored area may be made and processed with their consent. Consent may also be implied by conduct, particularly if a natural person entering the monitored area does so despite the presence of a notice or explanation regarding the use of the electronic surveillance system posted at the entrance to the area.
(5) Unless used, recorded footage may be retained for a maximum of 3 (three) business days, after which it will be deleted. Use is deemed to have occurred if the recorded footage or other personal data is intended to be used as evidence in court or other official proceedings.
(6) Any person whose rights or legitimate interests are affected by the recording of video footage may, within 3 (three) business days of the recording, request that the data controller not destroy or delete the data, provided that such person substantiates their rights or legitimate interests.
(7) A video surveillance system may not be used in any premises where surveillance could violate human dignity, including, in particular, hotel rooms, changing rooms, showers, and restrooms. The camera’s position must not be specifically aimed at monitoring the data subject. The fact that the camera’s field of view generally includes the work area where the data subject performs their activities does not constitute explicit surveillance of the data subject if the data subject appears in the footage to a proportionate and justified extent [e.g., a camera monitoring the reception area/kitchen and its surroundings, where the recording is not specifically, exclusively, and unambiguously intended to monitor persons present at the reception desk/kitchen/lobby, but the data subject—and thus potentially their activities—appears in the recording, to a proportionate and justified extent, together with the area monitored for security purposes (e.g., the vicinity of the reception desk)].
(8) If no one is legally permitted to be on the Hotel’s premises—particularly outside of business hours—the entire premises may be monitored.
(9) In addition to those authorized by law, the personnel operating the surveillance system, the manager and deputy manager of our Hotel, and the supervisor of the monitored area are authorized to view the data recorded by the camera surveillance system for the purpose of investigating violations and monitoring the system’s operation.
Chapter VIII
Data Security Measures
1. [Data Security Measures]
(1) With regard to all data processing activities carried out by our hotel, regardless of their purpose or legal basis, we are required to implement the technical and organizational measures and establish the procedural rules necessary to ensure the security of personal data and to uphold data protection standards.
(2) Our hotel protects data through appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure, or unauthorized access.
(3) Our hotel treats personal data as confidential information. We require our employees and data processing partners to maintain confidentiality regarding the handling of personal data.
(4) Our hotel protects its IT system with a firewall and provides virus protection.
(5) With regard to data received through our hotel’s website, electronic data processing and record-keeping are carried out using a computer information system that complies with data security requirements. The IT system ensures that data is accessed only for specific purposes, under controlled conditions, and only by those individuals who need it to perform their duties.
(6) If our Hotel processes the personal data of data subjects on suitable paper-based documents as part of its data processing activities, such data must be processed and stored securely at our Hotel’s registered office, in accordance with the provisions set forth in the Policy and this Notice (legal basis, scope of processed data, retention period).
(7) To protect personal data, our hotel monitors all incoming and outgoing electronic communications.
(8) Only authorized personnel may access documents containing personal data that are currently being processed; such documents must be kept securely locked away.
(9) Adequate physical protection must be ensured for the data and the devices and documents on which it is stored.
(10) It is the job responsibility of every employee of our hotel to observe the data security measures set forth in this chapter and to strictly comply with the relevant regulations.
Chapter IX
Handling Data Breaches
1. [Definition of a data breach]
(1) A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed. (Article 4(12) of the GDPR)
(2) The most commonly reported incidents may include, among others: loss of a laptop or mobile phone; insecure storage of personal data; insecure transmission of data; unauthorized copying or transmission of customer, guest, client, or partner lists; attacks on servers; and website hacking.
2. [Handling and Remediation of Data Breaches]
(1) The prevention and management of data breaches, as well as compliance with applicable legal requirements, are the responsibility of our hotel manager.
(2) Accesses and attempted accesses to IT systems must be logged and analyzed on an ongoing basis.
(3) If our Hotel’s authorized staff members detect a data breach while performing their duties, they must immediately notify the Hotel’s manager.
(4) Our hotel’s employees are required to report any data breach or incident that may indicate one to the hotel manager or the person exercising the employer’s rights.
(5) Data breaches may be reported via our hotel’s central email address or phone number, allowing guests, contractual partners, and data subjects to report related incidents and security vulnerabilities.
(6) In the event of a data breach report, the manager of our hotel—in consultation with the IT, finance, and operations managers—shall immediately investigate the report, during which the incident must be identified and a determination made as to whether it is a genuine incident or a false alarm. The following must be investigated and established:
(a) the date and location of the incident,
(b) a description of the incident, its circumstances, and its effects,
(c) the scope and volume of data compromised during the incident,
(d) the group of individuals affected by the compromised data,
(e) a description of the measures taken to resolve the incident,
(f) a description of the measures taken to prevent, avert, or mitigate the damage.
(7) In the event of a data breach, the affected systems, individuals, and data must be identified and isolated, and steps must be taken to collect and preserve evidence supporting the occurrence of the breach. Only then may the process of remedying the damage and restoring lawful operations begin.
3. [Recording of Data Breaches]
(1) A record must be kept of data breaches, which shall include:
(a) the categories of personal data concerned,
(b) the categories and number of individuals affected by the data breach,
(c) the date of the data breach,
(d) the circumstances and effects of the data breach,
(e) the measures taken to address the data breach,
(f) any other data specified in the legislation governing data processing.
(2) Data regarding data protection incidents recorded in the register must be retained for 5 years.
Chapter X
Rights of the Data Subject, Remedies
Below, our hotel provides information to data subjects regarding their rights and remedies as natural persons with respect to the protection of personal data.
1. [Right to prior information]
The data subject has the right to be informed of the facts and information relating to the processing of personal data prior to the commencement of such processing. (Articles 13–14 of the GDPR)
2. [The data subject’s right of access]
The data subject has the right to obtain confirmation from the data controller as to whether personal data concerning him or her are being processed, and, where such processing is taking place, the right to access the personal data and the related information specified in the GDPR. (Article 15 of the GDPR)
3. [Right of Rectification]
The data subject has the right to obtain from the controller, upon request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the completion of incomplete personal data, including by means of providing a supplementary statement. (Article 16 of the GDPR)
4. [Right to erasure (“right to be forgotten”)]
The data subject has the right to request that the controller erase personal data concerning him or her without undue delay, and the controller is obliged to erase personal data concerning the data subject without undue delay if any of the grounds specified in the Regulation apply. (Article 17 of the GDPR)
5. [Right to restriction of processing]
The data subject has the right to request that the data controller restrict the processing of their data if the conditions set forth in the Regulation are met. (Article 18 of the GDPR)
6. [Obligation to notify regarding the rectification or erasure of personal data, or the restriction of processing]
The data controller shall inform all recipients to whom the personal data has been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the data controller shall provide information regarding these recipients. (Article 19 of the GDPR)
7. [Right to data portability]
Under the terms of the GDPR, the data subject has the right to receive the personal data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided. (Article 20 of the GDPR)
8. [Right to object]
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data pursuant to Article 6(1)(e) of the GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or (f) (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party) (Article 21 of the GDPR).
9. [Automated decision-making in individual cases, including profiling]
The data subject has the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning him or her or similarly significantly affects him or her. (Article 22 of the GDPR)
10. [Restrictions]
Union or Member State law applicable to the controller or processor may, by means of legislative measures, restrict the provisions set forth in Articles 12–22 and Article 34, as well as those provisions of Articles 12–22. (Article 23 of the GDPR)
11. [Notifying the data subject of the data breach]
If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. (Article 34 of the GDPR)
12. [Right to lodge a complaint with the supervisory authority (right to administrative redress)]
The data subject has the right to lodge a complaint with the supervisory authority if the data subject considers that the processing of personal data concerning him or her infringes the GDPR. (Article 77 of the GDPR)
13. [The right to an effective judicial remedy against the supervisory authority]
Every natural and legal person has the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them, or if the supervisory authority fails to address the complaint or fails to inform the data subject within three months of the progress or outcome of the proceedings regarding the complaint submitted. (Article 78 of the GDPR)
14. [Right to an effective judicial remedy against the data controller or data processor]
Any data subject is entitled to an effective judicial remedy if they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data in a manner that does not comply with the GDPR. (Article 79 of the GDPR)
Chapter XI
Submission of the data subject’s request; measures taken by the Hotel/Data Controller
1. [Actions taken in response to the applicant’s request]
(1) As the data controller, our hotel will inform the data subject of the measures taken in response to their request to exercise their rights without undue delay, but no later than one month after receiving the request.
(2) If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by an additional two months. The data controller shall inform the data subject of the extension of the time limit within one month of receiving the request, specifying the reasons for the delay.
(3) If the data subject submitted the request electronically, the information shall be provided electronically where possible, unless the data subject requests otherwise.
(4) If the data controller does not take action in response to the data subject’s request, it shall inform the data subject without delay, but no later than one month from the receipt of the request, of the reasons for the failure to act, as well as of the data subject’s right to lodge a complaint with a supervisory authority and to seek judicial remedy.
(5) Our hotel provides the information required under Articles 13 and 14 of the GDPR, as well as information regarding the data subject’s rights (Articles 15–22 and 34 of the GDPR) and related measures, free of charge. If the data subject’s request is manifestly unfounded or excessive—particularly due to its repetitive nature—the data controller may charge a fee commensurate with the administrative costs of providing the requested information or taking the requested action, or may refuse to act on the request. The burden of proving that the request is manifestly unfounded or excessive lies with the data controller.
(6) If our Hotel, as the data controller, has reasonable doubts regarding the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the data subject.
2. Contact information for the supervisory authority:
National Authority for Data Protection and Freedom of Information
Mailing address: 1530 Budapest, P.O. Box 5.
Email: ugyfelszolgalat@naih.hu
Phone number: +36 (1) 391-1400


