Introduction

Statute 2016/679 of the European Parliament and Council (hereinafter: Statute) pertains to the protection of natural persons in relation to the handling of personal data and the free flow of such data, as well as the repeal of statute 95/46/EC [general GDPR statute]. When handling personal data, the data handler ensures that, in accordance with the Statute, all information relevant to the usage of the data is provided to the data owner in a concise, easily accessible and easily comprehensible way.

Statute CXII (2011), pertaining to informational autonomy and informational freedom, requires prior notice and information to be given to the data owner.

This notice may be provided in an electronic format, enabling the data handler to display the notice on its website.

Gasztro-Kristály Ltd. – Hotel Kristály Imperial**** (hereinafter: Company) complies with the statutes by displaying the following electronic notice.

I. CHAPTER
Definitions

The most important concepts included in the statute:

  1. personal information: any information pertaining to an identified or identifiable natural person (data owner); an identifiable natural person is a person who can be identified – directly or indirectly – based upon any identifier, which can include the following: name, number, location-related information, online identifier, or information related to the person’s bodily, physiological, genetic, mental, economic, cultural or social identity;
  2. data handling: any automatic or non-automatic action or actions performed on a natural person’s personal data, including collection, registration, systematisation, sectioning, storage, modification or alteration, query, viewing, usage, forwarding, spreading or any other method of making the data accessible, coordination or interconnection, limitation, deletion or destruction;
  3. data handler: a natural or legal person, agency, public authority or any other body that – on its own or in cooperation with some other authority – determines the purpose and means of handling personal data; if the purpose and means of data handling are determined by Union or national law, the data handler or the conditions of the data handler’s designation may be defined by Union or national law;
  4. data processor: a natural or legal person, agency, public authority or any other body that handles data on the data handler’s behalf;
  5. the data owner’s consent: the clear declaration of the owner’s consent; the consent has to be voluntary and based on properly supplied information; this way, the owner signals – by way of a declaration or another, unmistakable act of consent – their agreement to have their personal data handled;
  6. data protection incident: a safety breach that results in the accidental or illegal destruction, loss, alteration or unauthorised publication of personal data that has been forwarded, stored, or otherwise handled.
II. CHAPTER
Data handler and representatives

The data handler (from now on: our company):

Company name: Gasztro-Kristály Vendéglátó Zártkörű Részvénytársaság – Kristály Imperial Hotel****

Headquarters: 2800 Tatabánya II., Árpád út. 17.

Company registration number: 11-10-000387

Tax number: 10337666-2-11

Telephone number: +36 34 383 614

Fax: +36 34 383 577

E-mail address: info@hotelkristaly.eu

Website: www.hotelkristaly.eu

Representative: Andrea Tiba-Szogyenyi

III. CHAPTER
The purpose of handling personal data, legal framework, and the duration of data storage
    1. The purpose of handling personal data:
    • securing statutory and contractual rights, fulfilment of duties
    • identification of guests
    • keeping in contact with guests
    • securing and conducting room reservations
    • conducting check-in and check-out
    • securing and conducting other services offered by our company
    • registration, investigation and handling of guest complaints
    • ensuring the safety of the person and property of the guests
    • ensuring the safety of the data handler’s property
    2. Legal framework of data handling:
    A) Handling data based on the data owner’s consent

    If the company wishes to handle personal data based on the owner’s consent, the handling has to be conducted as stated by the GDPR form provided to the data owner.

    The following actions taken by the data owner qualify as consent: checking a relevant box on the company’s website, adjusting information-related technological settings, taking an action or making a declaration that clearly states the owner’s consent to the handling of their personal data. Remaining silent, not altering a pre-checked box or the lack of a relevant action does not qualify as consent.

    The scope of the owner’s consent includes all data handling actions taken for the same purpose. If a set of data is handled for multiple purposes, the owner’s consent to all of these purposes is required.

    If the owner’s declaration of consent pertains to other matters as well – e.g. sales / contract matters – the part pertaining to data handling has to be clearly marked and visibly separated from the other aspects, and explained to the owner in an easily accessible and clear way.

    The company is not allowed to oblige the owner to consent to the handling of personal data in order to enter into a contract, if the data to be handled does not fall within the scope of the contract.

    Revoking consent has to be as easy as giving it.

    If the data are registered with the owner’s consent, the handler is allowed to handle the data without special permission from the owner, and even after the revocation of the owner’s consent – unless stated otherwise by a relevant law or statute.

    The lack of data handling can preclude the parties’ entering into a contract, or the completion of the contract.

    B) The handling of data required for the completion of the contract

    This section pertains to the handling of data that is required for the handler to ensure its rights and demands stated by the contract, and to protect itself against illegal demands. The lack of data handling can preclude the parties’ entering into a contract, or the completion of the contract.

    C) Data handling based on the completion of a legal duty

    When data are handled based on a legal foundation, the scope, purpose and duration of data handling and storage are determined by the relevant laws.

    This type of data handling is not reliant on the owner’s consent, since the process is defined by the legal framework. In such cases, the owner has to be informed about the obligatory nature of data handling and all the details of the process prior to the commencement of the data handling – especially the purpose and legal foundation of the handling of their data, the person or persons authorised to handle it, the duration of data storage and handling, the fact that the handling is conducted on a legal basis, and the list of persons authorised to access the data. The information provided to the owner has to include the owner’s rights and methods of complaint. The data handler is allowed to comply with these rules by informing the owner of the relevant statute.

    Considering that, in these cases, the handler is complying with the relevant laws by requesting the owner to provide their personal data, the owner is obliged to provide said data, and the lack of data handling can preclude the parties’ entering into a contract, or the completion of the contract.

    3. The duration of the storage of handled data:
    • based on the purpose for which the owner’s data is handled, the duration of its storage might vary, making it impossible to define a uniform duration
    • the basis on which the company determines the duration of data handling includes the purpose and legal framework of data handling, and all relevant conditions of the handling process [e.g. legal statutes, the period of time required for the establishing and carrying out of the contract, the time required for the handling of complaints, and other relevant deadlines]
IV. CHAPTER
The company’s website, cookie usage
    1. Website

    Our company’s website can be found on the server of MAXER Hosting, located in the BIX Internet centre.

    Our newsletter is sent out to subscribers via the Mailchimp software.

    Our company protects personal data from unauthorised access, alteration, forwarding, publication, deletion or destruction, as well as accidental destruction or damage.

    Our company, in cooperation with the operators of the server, employs measures that adequately ensure the protection of personal data against possible threats.

    2. Cookies

    Visitors to the company’s website have to be informed of the usage of cookies, and permission for their usage has to be asked of the visitor – excepting cookies that are crucial for the operation of the website.

    Cookies are pieces of information sent by the website to the browser, to be stored and later used to load the contents previously visited. Cookies may have expiration dates, but some never expire. Later on, each time the client makes an HTTP(S) request, the cookies are sent by the browser to the server. This way, data stored on the user’s computer is modified.

    The point of a cookie is to mark users when they enter the site, so that the site is able to handle the user appropriately from then onwards. One of its inherent dangers is that users are not always aware of this. In some cases, cookies might enable the operators of the website or other service providers whose content is embedded in the website to track users. When this happens, a profile might be created of the user, making all information stored in the form of cookies personal data.

    Users are not obliged to accept the usage of cookies. By altering the browser’s settings, they can refuse all cookies, or request to be notified every time the system is in the process of sending a cookie. Most browsers accept cookies by default, but, most of the time, these settings can be modified to prevent automatic acceptance; in this case, the user is presented with the option to accept or refuse cookies each time.

V. CHAPTER
The data owner’s rights

Our company is obliged to enforce the data owner’s rights in each case when personal data is handled.

(Statute 12-23.; 34.; 77-79.)

  1. Transparent communication, and the enforcing of the owner’s rights

The data handler is obliged to provide the data owner with all relevant information in a concise, clear, comprehensible and easily accessible manner, especially in the case of information intended for children. Information has to be provided in writing or in some other way, including an electronic format. Provided that the data owner has been clearly identified, oral communication regarding data usage is also acceptable, if requested by the owner.

If the data owner makes a request regarding the handling of their data, the handler has up to one month to inform the owner of the outcome of said request. This deadline can be extended by two additional months if the conditions stated in the Statute are met. In such cases, the owner has to be notified of the delay and its cause.

If no action is taken regarding the owner’s request within one month of receiving the request, the handler is obliged to inform the owner of the causes of the delay / lack of action, and of the fact that the owner has the right to file a complaint at the authority in charge.

The handler provides the owner with information regarding the handling of their data free of charge. In some exceptions – specified by the Statute – a fee can be charged for such information.

  2. The owner’s right to receive advance notice of data collection and handling

The data owner has the right to receive advance notice of details about the handling of their personal data.

This means that the owner has to be notified of the following:

  • the identity of the data handler and their representatives
  • contact information of the data handler and their representatives
  • the purpose of the handling of personal data, and the framework within which it is to be conducted
  • in cases when the data handling is conducted in order to ensure the legitimate interest of a third party, the data owner has to be informed of said interests
  • the persons who are allowed to access the data, and the category these persons fall into
  • where applicable, the fact that the handler plans to forward the data to a foreign country or a foreign authority

In order to ensure an honest and transparent data handling process, the owner has to be provided with additional information regarding the following:

  • the duration of the storage of personal data, or, if that is not possible, the factors based on which the duration is determined
  • the owner’s right to access, modify or delete the data, or to limit the scope of its handling
  • in the case of data handling based on the owner’s consent, notice has to be given of the owner’s right to revoke their consent, thus limiting the handler’s right to handle the information – this does not pertain to data handling conducted prior to the revocation of the owner’s consent
  • the owner’s right to issue a complaint to the authority in charge
  • the basis on which the handling of the data is conducted – this can be the contract, a legal document, etc. – and whether the collection of personal data is a prerequisite of the owner’s entering into a contract with the handler, as well as the potential consequences of the owner’s refusal to provide said data
  • in the case of an automated cookie usage, the owner is to be informed of its implications, including the creation of a profile, as well as the possible results of the automated data handling

If the handler wishes to conduct additional handling of the owner’s information for purposes different from the original one, prior notice has to be given to the owner of this new purpose.

  3. Providing information to the data owner; the information to be provided – in cases when the source of the personal information is not the owner

If the handler did not receive the personal information from the data owner themselves, the owner has to be notified of the process within one month after the data have been acquired. If the personal information is used only to contact the owner, notice of the source of the personal information has to be given at least once – when contact is made between handler and owner. If the data is to be shared with a third party, the owner has to be informed of the details of the handling of their data the first time when the information is shared with the third party at the latest.

  4. The owner’s right of access

The owner has the right to receive information regarding whether the processing of their data is ongoing, and if it is, the owner also has the right to gain access to the information specified in #2 and #3.

If such a request is made, the handler is obliged to provide the owner with a copy of the data being handled. For any requests for further copies, the handler may charge a reasonable fee.

  5. The owner’s right of correction

The owner has the right to request the handler to correct any inaccuracies in their personal information without unjustified delay.

Based on the purpose of the handling of the personal data, the owner might have the right to request the modification of their data by way of an additional declaration.

  6. The owner’s right of deletion

The owner has the right to request the deletion of any of their personal data without unjustified delay; in these cases, the handler is obliged to comply with the request, if:

  • the data has been processed, or is no longer needed for the purpose for which the data were originally collected
  • the owner has revoked their consent, and the handling of their data has no other foundation
  • the owner objects to the handling of their data, and the data handling has no other basis
  • the data was handled in an unauthorised manner
  • the handler is required to delete the data in order to comply with Union or national law
  • the data were collected in the framework of the proffering of services directly related to children

The owner’s right of deletion cannot be exercised if the data are required for any of the following reasons:

  • the ensuring of freedom of speech or freedom of information
  • the completion of the handler’s obligations regarding Union or national law
  • public interest related to public health issues
  • archiving that is in the interest of the public, scientific and/or historical research – in cases when the deletion of the data would directly endanger these ends
  • the issuing, validation or protection of legal interest

  7. The owner’s right to limit data handling

If the owner limits the handling of their data, all actions – excepting storage – can be made only based on the owner’s consent, or in order to ensure the issuing, validation or protection of legal interest, or to remain compliant with Union or national law.

The owner has the right to request the limitation of the handling of their data, if any of the following is true:

  • the owner disputes the authenticity of the data; in this case, limitation can be requested for the period of time the handler needs in order to check the authenticity of the information
  • the handling of the data is illegal, and the owner, instead of requesting the deletion of their personal information, requests to have its handling limited
  • the handler no longer needs the data for the original purpose, but the owner needs them for the issuing, validation or protection of legal interest
  • the owner has objected to the handling of their data; in such cases, the limitation can be requested for the time needed to determine whether the handler has a stronger basis for the handling of the data

Before the limitation is lifted, the owner has to be notified.

  8. The handler’s obligation of notification regarding the correction / deletion of personal data or the limitation of data processing

If personal data is corrected, deleted or limited in its handling, the handler has to notify all persons with whom the personal data has been shared – except in cases when such notice is impossible or exceedingly difficult to give. When requested, the handler also has to inform the data owner of these circumstances / actions.

  9. The owner’s right of data portability

When the conditions specified by the Statute are met, the data owner has the right to receive all the personal information they have given over to a data handler in a format that is sectioned, widely used and readable by a standard computer; the owner also has the right to share these data with another handler, provided that this action does not pose an obstacle to the original handler, if

  • the data handling is based on the owner’s consent or on a contract, and
  • the data is handled in an automatic manner.

The owner also has the right to request the data to be transferred from one handler to the next directly.

The owner’s right of data portability cannot violate section 17 of the Statute [pertaining to the deletion of data]. The owner’s right of data portability is not applicable to cases when the handling of the owner’s data is conducted for public interest, or is required of the handler by law or public interest. This right cannot limit the freedom or rights of other persons.

  10. The owner’s right of objection

If the owner’s circumstances justify it, the owner has the right to object to the handling of their personal data, if the data are handled on the basis of public interest (section 6, 1/e) or legitimate interest (section 6, f), which includes the creation of a profile founded on one of the bases listed above. In such cases, the handler no longer has the right to process the owner’s data, unless they are able to prove that the data are being handled for legitimate reasons of higher importance than the owner’s rights and freedom, or reasons that are related to the issuing, validating or protecting of legal interest.

If the data are handled for the purpose of business acquisition, the owner always has the right to object to the handling of their information for this end, including the creation of a profile (if the profile is also created for the purpose of business acquisition). If the owner objects to such use of their data, the handler no longer has the right to process said information for this end.

The data owner has to be notified of this right upon first contact with the handler; this notice has to be given in a clear manner, well separated from the rest of the information being shared with the data owner at the time.

The owner can use their right of objection via automated devices as well, if these devices meet the relevant mechanical requirements.

If the personal data are being handled for reasons of scientific / historical study or for statistical purposes, the owner has the right to object to such use of their data, unless the data handling is justified by public interest.

  11. Automated decision-making in individual cases, including the creation of a profile

If a decision has been made based solely on automated data handling (including profile-creation), the owner has the right not to be involved in the scope of this decision – provided that said decision would significantly impact the data owner.

This right is not applicable when the decision

  • is necessary for a contract between the data owner and the handler to be established
  • is one the handler is authorised to make based on a Union or national law that also pertains to the owner’s rights and freedoms, as well as the protection of their legitimate interests
  • is based on the owner’s explicit consent.

In the first and third case mentioned above, the handler is obliged to take measures to protect the owner’s rights, freedom and legal interest, including the owner’s rights to request their data to be handled by a human, to express their opinion, and to issue an official objection to the handling of their data.

  12. Limitations

Union or national law applicable to the data owner and data handler may limit the scope of their rights and duties, provided that the law in question does not violate fundamental human rights and freedoms.

  13. Notifying the data owner of data protection incidents

If the data protection incident is likely to greatly impact the owner’s rights and freedoms, the handler is obliged to notify the owner without any unjustified delay. This notice has to clearly specify the particulars of the incident, including:

  • the name and contact information of the data handler or the person authorised to give further information
  • the likely or possible results of the incident
  • the measures taken by the data handler to resolve the situation, including the measures taken for the purpose of lessening the possible negative impact of the incident.

The owner does not have to be notified if any of the following is true:

  • the handler has taken appropriate technical measures, and these measures apply to the data involved in the protection incident; one of these measures is classification, which makes the data inaccessible to persons unauthorised to access the data in question
  • following the incident, the handler has taken measures that make it highly unlikely for the possible negative impact on the owner’s rights and freedoms to be realised
  • notifying the owner would be exceedingly difficult. In such cases, the owner has to be notified by means of publicly shared information, or by other measures that ensure the effective notification of the owner.

  14. The owner’s right of legal remedy

The right to issue a complaint

If the owner feels that the handler has violated data protection laws [especially GDPR], they have the right to issue a complaint with the National Office of Data Protection and Informational Freedom.

Contact information:

Website: http://naih.hu/

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Postal address: 1530 Budapest, Pf.: 5.

Telephone number: +36-1-391-1400

Fax: +36-1-391-1410

E-mail: ugyfelszolgalat@naih.hu

The owner also has the right to issue a complaint with another official body that is closer to their home address, to their workplace, or to the place of the suspected data violation.

The right to contact a legal body

Regardless of their right of issuing a complaint, the owner has the right to turn to a court of justice if their GDPR rights have been violated during the data handling process.

As a domestic institution, the data handler can be sued at a Hungarian court of law.

According to statute CXII. 22 § (1) of 2011, the owner has the right to sue the handler at the court of law in charge of the area of the owner’s place of residence.

Considering that the handler does not qualify as an authority acting on behalf of any member of the European Union, the owner has the right to sue the handler at a court of law established in another member country of the Union.

Other options for the validation of interest

The owner has the right to entrust the issuing of a complaint or the suing of the handler to a non-profit organisation that was founded in accordance with the legal framework of a Union member, and whose founding charter states that their goals are the protection of public interest and the protection of the data owner’s rights and freedoms related to the handling of their personal data.

VI. CHAPTER
Additional provisions

If the data handler has any doubts regarding the identity of the person acting on behalf of the data owner in issues of data handling, they have the right to request any necessary information regarding the identity of said person.

The handler maintains the right to alter their privacy policy information at any time. Data owners have to be notified of any such planned change at least 15 days before the alteration is made, by way of a public notification displayed on the data handler’s website.

Tata, 2018

Gasztro Kristály Zrt.