INFORMATION FOR GUESTS AND WEBSITE USERS ON THE PROCESSING OF THEIR PERSONAL DATA
(in force from 01.05.2023)
The operator of Maya Apartment (hereinafter: Apartment), as the Data Controller, shall inform its customers, guests and visitors to the website of the provisions of the Directive on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC of the European Parliament and of the Council of 2016. in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of their personal data (hereinafter: GDPR).
Data controller and internal data protection officer:
Mrs Lajos Darázs e.v.
Contact details:
E-mail: info@evapanzio.hu
Website: www.mayaapartman.hu
Postal address: 9600 Sárvár, Rákóczi Ferenc utca 63. Phone: +36 95 321 453, +36 30 939 8812
Internal Data Protection Officer: owner Lajosné Darázs (hereinafter referred to as “Data Controller”)
The operator of the Maya Apartment respects the privacy of its Guests and therefore it will act in accordance with the following privacy policy. The Data Controller reserves the right to change the information in order to bring it into line with the legal background and other internal regulations that may be amended in the meantime. The current version of the Privacy Notice is available at www.mayaapartman.hu.
This information is available at 9600 Sárvár, Zrínyi Miklós utca 9. and accessible through the website, for the provision of services by the Maya Apartment, located at the Maya Apartment.
1. THE PURPOSE OF THE PROCESSING
1.1. The primary purpose of this privacy policy is to set out and comply with the basic principles and provisions regarding the processing of data of natural persons and guests who come into contact with Maya Apartman, in order to protect the privacy of natural persons in accordance with the applicable legal provisions, and to inform the guests of the scope of their personal data processed by the data controller for the purposes of the services, the purposes and methods of the processing and any other facts relating to the processing of the data, in particular, but not limited to, their rights in relation to the processing and the remedies available to them.
1.2. With reference to point 1.1, the purpose of this notice is to ensure that the Apartment fully complies with the provisions of the applicable legislation on data protection, in particular, but not limited to.
Regulation (EU) 2016/679 of the European Parliament and of the Council on General Data Protection Regulation (hereinafter “GDPR”),
on the right of information self-determination and freedom of information of 2011. CXII. Law
on certain aspects of electronic commerce services and information society services of 2001. CVIII. Act,
on prohibiting unfair business-to-consumer commercial practices 2008. XLVII. Act,
on the basic conditions and certain limitations of commercial advertising activities of 2008. XLVIII. the provisions of the Act.
1.3. The Data Controller is therefore committed to protecting the personal data provided by the data subject through the website or other forums or otherwise and processed by it, and to respecting the data subject’s right to information self-determination. In this context, it contributes to the creation of safe and secure internet access for data subjects, in full compliance with the relevant legislation in force.
2. DEFINITION
Data Subject or User or Guest: any natural person who is identified or can be identified, directly or indirectly, on the basis of specific personal data;
Personal data: data which can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inference which can be drawn from the data concerning the data subject;
Apartment: at 9600 Sárvár, Zrínyi Mikós utca 9. Maya Apartment (NTAK reg. no.: MA21004122), operated by the Data Controller;
Consent: a voluntary and explicit expression of the data subject’s wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, either in full or in relation to specific operations;
Data Controller: the natural or legal person or unincorporated organisation who, alone or jointly with others, determines the purpose of the processing of data, takes and implements decisions concerning the processing (including the means used), or implements them with the data processor it has appointed.For the purposes of this information and the Apartman, the Data Controller is: Lajosné Darázs, sole proprietor, with registered office at 63 Rákóczi Ferenc Street, 9600 Sárvár, Hungary., company registration number: No.: 4439285, tax number: 53541240-2-38.;
Data processing: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure and destruction of data, as well as the prevention of their further use, the taking of photographs, audio or video recordings and the recording of physical characteristics which permit identification of a person;
Transmission of data: making data available to a specified third party; Processing of data: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
Data erasure: rendering data unrecognisable in such a way that their recovery is no longer possible; Data blocking: marking data with an identification mark in order to limit their further processing permanently or for a limited period of time;
Data destruction: the complete physical destruction of the data medium containing the data
Data set: the set of data managed in a single register;
Third party: any natural or legal person or unincorporated body other than the data subject, the controller or the processor; Data breach: unlawful processing or processing of personal data, in particular unauthorised access, alteration, disclosure, transmission, disclosure, erasure or destruction, accidental destruction or accidental damage;
Website: the portal www.mayaapartman.hu and all its sub-sites, operated by the Data Controller;
3. PRINCIPLES OF DATA MANAGEMENT
3.1. Proportionality, necessity principle: only personal data that is necessary for the purpose of the processing and suitable for the purpose may be processed. Personal data may be processed only to the extent and for the duration necessary for the purposes for which they are collected.
3.2. Purpose limitation principle: personal data may only be processed for specified purposes, for the exercise of a right or the performance of an obligation. At all stages of processing, the purpose of the processing must be fulfilled and the collection and processing of data must be fair and lawful.
3.3. The personal data will retain this quality during processing as long as the relationship with the data subject can be re-established. Contact with the data subject can be restored if the controller has the technical conditions necessary for restoration.
3.4. The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.
3.5. Voluntary principle: The provision of data by the data subject is voluntary. The Controller processes personal data with the consent of the data subject. Voluntary consent, as consent, is understood as the user’s behaviour by which the user, by using the website, accepts that he/she is automatically covered by all the rules relating to the use of the website.
4. STATEMENTS BY THE CONTROLLER
4.1. The Data Controller declares that.
1. the processing of data in accordance with the 2011 Act on the Right to Informational Self-Determination and Freedom of Information. CXII. act in accordance with the law and the GDPR.
2. the personal data that come to the knowledge of the Data Controller in the course of processing may only be disclosed to persons who have an employment relationship with the Data Controller and to its contractual partners who have a task in connection with the processing.
3. ensure that the information in force at any given time is permanently accessible to the data subject, thus enforcing the principle of transparency.
4. the website treats the personal data of visitors confidentially and in accordance with the legal provisions in force, ensures their security, takes technical and organisational measures and has established rules of procedure to ensure full compliance with the principles of data protection.
5. handles the personal data of the Guests staying at the Maya Apartment confidentially, in accordance with the applicable legal provisions, ensures their security, takes technical and organisational measures and has established procedural rules to ensure full compliance with the principles of data protection. 6. takes and ensures all IT and other measures to facilitate secure data management related to data storage, processing and transmission in order to safeguard the data it processes.
7. shall do its utmost to ensure the protection of personal data processed by it against unauthorised access, alteration, disclosure, deletion, damage or destruction, and to guarantee the necessary technical conditions for this purpose.
8. does not verify the personal data provided to him/her and excludes any responsibility for their accuracy.
9. transfer personal data to a third party only exceptionally and only if and to the extent that the data controller explicitly consents or is permitted by law to do so, and only if the conditions for processing are met for each individual personal data subject.
10. operates exclusively in Hungary, is not part of a multinational hotel chain, and therefore does not need to introduce and operate mandatory organisational regulations.
11. transfers personal data to a controller or processor in a third country as described in this notice.
12. keep a register for the purpose of monitoring the measures taken in relation to the personal data breach and informing the data subject, which shall include the scope of the personal data concerned, the number and type of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the legislation requiring the processing.
4.2. The Data Controller excludes any liability for the lawfulness of the processing of the data by a contractual partner having a legal relationship with the Data Controller.
4.3. In order to protect the personal data stored in the files, the Data Controller shall ensure the prevention of accidental or unlawful destruction or accidental loss, access, alteration or unlawful disclosure by applying appropriate security measures.
5. THE ACTIVITIES AND DATA CONCERNED BY THE PROCESSING
5.1. Request for quotation
The data processed are the following:
Name*, E-mail*, Phone number*, City*, Postal code*, Address*, Arrival date*, Departure date*, Number of adults*, Number of children, Type of room*, Board*, Payment method*, Comments
Purpose of processing: to provide an accurate offer, to prepare the reservation.
Legal basis for processing: consent (GDPR 6. Article 2(1)(a))
Duration of data processing:
in the case of a successful bid, according to the rules for reservations,
– in case of rejection of the offer, until the date of rejection,
– if no reply to the offer is received, until the day after the deadline for submission of tenders
Is there a data transfer?: no.
When requesting accommodation through the website in connection with a reservation, the data subject voluntarily provides his/her data to the Data Controller for the purpose of providing the Data Controller with a price offer.
The activity and process concerned by the processing are the following:
The data subject will be taken to the “BOOK” section of the website, where he/she will have the opportunity to provide the data specified in point 5.1, to accept the booking and cancellation conditions and this privacy notice. After providing the data and accepting the terms and conditions and the information, the data subject may submit the data to the Data Controller by clicking on the “Next” button.
The data sent to the Data Controller are processed by the employees of the Data Controller working as the Owner and the Manager of the Pension, using the My Guest application, who record the data received, prepare an offer for the data subject, which is sent to him/her by e-mail.
5.2. Reservations
The data processed are the following:
Name*, E-mail*, Phone number*, Date of arrival*, Date of departure*, Number of adults*, Number of children, Type of room*, Postal code*, City*, Street, house number*, Payment method*, Comment
Purpose of processing: to provide the service, to fulfil the reservation.
Legal basis for processing:
Contract performance (GDPR 6. Article (1)(b))
Consent (GDPR 6. Article 2(1)(a))
Duration of data processing:
The personal data received during the reservation will be processed for the duration of the contractual relationship with the data subject, except for the purposes of the provisions of the Act on Accounting 2000. Data to be kept pursuant to Act C of 2017 for 8 years, and data to be kept pursuant to Act CL of 2017 on the Rules of Taxation for 5 years after the end of the year in question. by the last day of the year.
Is there a data transfer?: no.
Online booking sites and travel agencies are considered as independent data controllers and do not use a data processor in this process.
The activity and process concerned by the processing are the following:
If the data subject accepts the offer and informs the Data Controller orally or in writing, the Data Controller will take the necessary steps to make the reservation.
On behalf of the Data Controller, an employee of the Data Controller who is employed by the Data Controller as a Pension Manager enters the data provided by the data subject into the My Guest application and links them to the apartment of the Maya Apartment, thus creating the room reservation.
The employee with the above-mentioned working hours will notify the person concerned in writing of the reservation of the apartment.
5.3. Registration and the registration form
The data processed are the following:
Surname*, First name*, Company name, Tax number, Address*, Nationality*, Date and place of birth*, Date of arrival*, Date of departure*, ID number*, E-mail address, Purpose of trip
Purpose of processing:
Liaison and compliance with legal obligations
Legal basis for processing:
Legal obligation (GDPR 6. Article (1)(c))
Consent (GDPR 6. Article 2(1)(a))
Duration of data processing:
The personal data provided will be processed for the duration of the contractual relationship with the data subject, except for the purposes of the Hungarian Accounting Act 2000. data to be kept pursuant to Act C of 2017 for 8 years, and data to be kept pursuant to Act CL of 2017 on the Rules of Taxation for 5 years after the end of the year in question. by the last day of the year, or in accordance with the rules in force for the regular guest programme
Will data be transferred? NTAK
Upon arrival, the data subject shall fill in a notification form before occupying the booked apartment, in which he/she consents to the Data Controller processing the data provided below for the purposes of fulfilling its obligations under the applicable legislation, or for the purposes of proving such fulfilment, and for the purpose of identifying the Guest, for as long as the competent authority is able to verify the fulfilment of the obligations under the relevant legislation:
The activity and process concerned by the processing are the following:
The provision of the mandatory data by the Guest is a condition of using the services of Maya Apartment.
By signing the registration form, the guest consents to the Data Controller processing and archiving the data provided by filling in the registration form for the purposes of the conclusion of the contract, the proof of performance and fulfilment, and the possible enforcement of claims within the above-mentioned period.
VIZA data reporting:
In addition to filling in the registration form, the accommodation management software records the guest data via the document reader. In addition to the National Tourist Information Centre (NTAK), the data will also be entered into the Closed Visitor Information Database (VIZA), which will host the data. The hosting provider of the database is the Hungarian Tourism Agency (MTÜ).
The accommodation provider will record the following data using the document scanner: surname and first name;
surname and given name at birth; place and date of birth; sex;
your nationality;
the identification data of the identity document or travel document.
Under current law in Hungary, all citizens, regardless of age, are required to have an official identity document (identity card, passport or driving licence in card format), including newborns. According to the legislation, the recording of data is obligatory for all users equally, so it is not possible to exclude the recording of data on the basis of age or other variables, such as the fee to be paid for the service, discounts, length of stay, or family relationship with the user.
Data that cannot be read by the document scanner or is read incorrectly must be entered manually by the accommodation provider in the accommodation management software.
The user of the accommodation service 14. the guest over the age of 18 presents his/her identity document to the accommodation provider for the purpose of recording the data. Failure to present this document will result in the accommodation provider refusing to provide the accommodation.
5.4. Billing
The data processed are the following:
Surname*, First name*, Address, Length of stay, Bank account details*, Billing address, Email address Purpose of data processing:
Invoicing the use of services, billing, payment transactions
Legal basis for processing:
Legitimate interest (GDPR 6. Article 3(1)(f));
Compliance with legal obligations (GDPR 6. Article (1)(c))
Duration of data processing:
the Act on Accounting 2000. Data to be kept pursuant to Act C of 2017 for 8 years , and data to be kept pursuant to Act CL of 2017 on the Rules of Taxation for 5 years after the end of the year in question. whether a data transfer will take place by the last day of the year?
Hórusz-Tax Ltd. (9600 Sárvár, Hunyadi János utca 54.)
Financial institutions concerned (joint processing)
The bank, credit card/bank account details provided by the data subject to the Data Controller are
The Data Controller may use it and may use it only to the extent and for such time as is necessary for the exercise of its rights and the performance of its obligations. The data are processed by the Data Controller’s contractual banking partners. You can find information about this processing on the websites of the relevant Bank.
5.5. Send newsletter
The data processed are: last name*, first name*, e-mail address*.
Purpose of data processing: to inform the data subject about the events, news and latest promotions of the Data Controller. Legal basis for processing:
Consent (GDPR 6. Article 2(1)(a))
Duration of data processing:
Until the date of withdrawal of consent, the date of unsubscription from the newsletter
Is there a data transfer?: no.
Subscription and unsubscription to the newsletter is voluntary.
The purpose of data processing in connection with the sending of newsletters is the management of a database for the purpose of sending newsletters and the provision of the recipient with comprehensive general or personalised information about the latest promotions of the Data Controller.
The Data Controller sends newsletters only with the consent of the data subject.
The personal data provided will be stored by the Data Controller in the Hotelgram software.
The Data Controller shall not transfer the list of personal data or the data to third parties who are not authorised to receive them and shall take all security measures to ensure that they cannot be disclosed to unauthorised persons.
The Data Controller shall process the personal data collected for this purpose only until the data subject unsubscribes from the newsletter list or requests the deletion of his/her data. The Data Controller will review the newsletter list once a year. The objective time limit for data retention is 4 years.
The data subject may unsubscribe from the newsletter at any time by unsubscribing at the bottom of the e-mails and by sending an unsubscribe request to info@evapanzio.hu.
The Data Controller keeps statistics on the readership of the newsletters sent out, by means of the clicks on the links in the newsletters.
A Guest can subscribe to the news feed posted on the Facebook wall by clicking on the “like” link on the Facebook page, unsubscribe by clicking on the “dislike” link on the Facebook page, or delete unwanted news feeds posted on the Facebook wall by using the settings on the Facebook wall.
5.6. Facebook page
The data processed are: photo capture, facebook ID, the name entered there.
Purpose of data management: to use the social networking site to promote Maya Apartment.
Legal basis for processing:
Consent (GDPR 6. Article 2(1)(a))
Duration of data processing:
Until the date of withdrawal of consent, the date of unsubscription
Is there a data transfer?: no.
By clicking on the “like” link on the Facebook page of the Data Controller, the data subject consents to the publication of news and offers of the Data Controller on his/her own message wall.
The Data Controller will also post pictures/movies of events, the apartment, etc. on its Facebook page. If it is not a mass photograph, the Data Controller will always ask for the written consent of the data subject before publishing the images.
For information about the Facebook Page’s privacy practices, please see the Privacy Policy and Guidelines on the Facebook website at www.facebook.com.
5.7. Gift voucher
The processed data are: name of the Customer*, Customer’s e-mail address*, Customer’s telephone number*, Customer’s postal address* (country, postcode, city, street, house number), Customer’s billing address* (country, postcode, city, street, house number), Name of the person(s) receiving the gift.
Purpose of processing: the possibility of purchasing a gift voucher.
Legal basis for processing:
Legal obligation (GDPR 6. Article 2(1) (c))-data required for invoicing (name, address) Performance of the contract (GDPR 6. Article 2(1) (b)) – the purchaser’s e-mail address, telephone number and the details of the person receiving the gift.
Duration of data processing: in accordance with the provisions of Act 2000 on Accounting. Data to be kept pursuant to Act C of 2017 for 8 years, and data to be kept pursuant to Act CL of 2017 on the Rules of Taxation for 5 years after the end of the year in question. by the last day of the year
Is there a data transfer?: no.
The Service Provider allows the Guest to purchase various gift vouchers, which can be used for the services of the Apartment for the given value.
Ordering and using the gift voucher is voluntary.
The Data Controller will issue an invoice for the amount of the voucher agreed and ordered, and after receipt of the amount, will issue a numbered voucher and deliver it to the address provided.
The personal data provided will be stored by the Data Controller in a separate file, separately from other data provided. This data may only be accessed by authorised employees of the Data Controller.
The Data Controller will provide more information on the data management in relation to the Gift Voucher upon request sent to info@evapanzio.hu. You can also request deletion from the data file here.
5.8. Electronic monitoring system
The data processed are as follows. Purpose of processing: security of persons and property.
Legal basis for processing: consent (GDPR 6. Article 3(1)(a)).
Data processing duration:3 days.
Will data be transferred?
The transmission of the recorded images will take place if the images indicate that a criminal offence (offence) is likely to have been committed, in which case the images may be transmitted to the investigating authority, or if other legal proceedings are necessary on the basis of the images, in which case the images will be transmitted to the competent court or authority.
Cameras are operated in the area of the apartment operated by the Data Controller for the safety of life, limb and property of the Guests, and the operation of these cameras is pointed out to the data subjects by information signs. For the lawful operation of the surveillance system, the Data Controller shall act in accordance with the provisions set out in this Notice and the Camera Regulations and shall make them available to the data subjects.
Rules for the operation of the CCTV system:
The camera system records images.
Purpose of processing: security of persons and property.
The place of storage of the recording: at the premises of the Data Controller, 9600 Sárvár, Zrínyi Miklós utca 9. The building is located under the address at.
Legal basis for data processing: the data subject’s voluntary consent on the basis of the Operator’s information in the form of signs. Consent may also be given in the form of implied conduct. In particular, it is abusive behaviour if the person enters or stays in the units covered by the CCTV system.
The Operator must ensure that the personal data of the person concerned, in particular his/her private information and private life, are protected from unauthorised access.
No electronic surveillance system may be used in places where such surveillance could offend human dignity, in particular in changing rooms, showers and toilets, toilets, rest areas. Camera surveillance is proportionate to its purpose, and the Data Controller does not carry out unrestricted and direct surveillance.
Duration of storage of the recording: the recorded image must be destroyed or deleted after a maximum of 3 days from the date of recording if it has not been used. Use is when the recorded images and other personal data are used as evidence in judicial or other official proceedings.
A person whose right or legitimate interest is affected by the recording of an image or other personal data may, within 3 days of the recording, request that the data not be destroyed or erased by the controller by providing evidence of his or her right or legitimate interest.
At the request of a court or other authority, the recorded footage and other personal data must be sent to the court or authority without delay. If no request for non-destruction is made within thirty days of the request, the recorded images and other personal data shall be destroyed or erased, unless the camera surveillance system has not yet expired within the time limit.
6. WEBSITE VISIT DATA
6.1. The website of the Data Controller may also contain links that are not operated by the Data Controller, but are merely for the information of visitors. The Data Controller has no control over the content and security of the websites operated by partner companies and is therefore not responsible for them.
6.2. Please review the privacy policy and privacy statement of the sites you visit before you provide any form of information to those sites.
6.3. Analytics, cookies
1. The Data Controller uses an analytics tool to monitor its websites, which creates a series of data and tracks how visitors use the websites. The system creates a cookie when you visit the site in order to record information about your visit (pages visited, time spent on our pages, browsing data, exits, etc.), but this information cannot be linked to the visitor personally. This tool helps to improve the ergonomics of the website design, creating a user-friendly website to enhance the online experience of visitors. The Data Controller does not use analytics systems to collect personal information. Cookies are automatically accepted by most internet browsers, but visitors have the option to delete them or automatically reject them. As each browser is different, the visitor can set the cookie settings individually, using the browser toolbar. your preferences. You may not be able to use certain features of our website if you choose not to accept cookies.
2. On the website, we use a session cookie (small data packet), which is valid until the end of the session, i.e. for the duration of the visit, after which it is automatically deleted from the user’s computer. The so-called. cookie is necessary for the security of the website, for user-friendly solutions and for a better user experience.
3. The technological background for the hosting of the website is provided by Weborient Kft. (Registered office: 9600 Sárvár, Szatmár utca 31. fsz. 2., Tax number: 22630485-2-18, as Data Processor.
7. STORAGE OF PERSONAL DATA, INFORMATION SECURITY
7.1. Personal data only 5. in accordance with the activities under Chapter 3, in accordance with the purpose of the processing.
7.2. You can modify and delete your personal data, withdraw your voluntary consent and request information about the processing of your personal data by sending a notification to info@evapanzio.hu.
7.3. The Data Controller shall ensure the security of the data. To this end, it takes the necessary technical and organisational measures, establishes the rules of procedure and enforces them.
7.4. The Data Controller shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or damage and inaccessibility resulting from changes in the technology used. The data controller will take all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, the controller shall keep a record of the personal data concerned, the number and categories of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the legislation requiring the processing, in order to monitor the measures required and to inform the data subject.
7.5. The Data Controller shall ensure the appropriate training of the staff concerned in order to enforce the conditions of data security.
7.6. When determining and applying data security measures, the Controller shall take into account the state of the art and shall choose among several possible data processing solutions the one which ensures a higher level of protection of personal data, unless this would involve a disproportionate effort.
7.7. The Data Controller shall ensure, in particular, in the context of its IT security responsibilities:
1. Measures to protect against unauthorised access, including protection of software and hardware devices and physical protection (access protection, network protection);
2. measures to ensure the possibility of recovery of the data files, including regular back-ups and separate secure management of copies (mirroring, backup);
3. Protection of data against viruses (virus protection);
4. the physical protection of data files and the media on which they are stored, including protection against fire, water, lightning and other natural hazards, and the recoverability of damage caused by such events (archiving, fire protection).
7.8. The Data Controller shall provide the level of protection required for the processing of the data, in particular their storage, rectification, erasure, when the data subject requests information or objects.
7.9. Transfers will be made with the consent of the data subject, without prejudice to his or her interests, in confidence and with the provision of a fully adequate IT system, and in compliance with the purposes, legal basis and principles of the processing. The Data Controller shall not disclose the personal data of the data subject to third parties without the consent of the data subject, unless required by law.
7.10. Other non-identifiable data that cannot be directly or indirectly associated with the data subject, hereinafter referred to as anonymous data, are not considered personal data.
8. EXERCISE OF THE DATA SUBJECT’S RIGHTS
8.1. Rights of the person concerned
The data subject may request information from the Data Controller about the processing of his or her personal data, and may request the rectification or erasure of his or her personal data, the withdrawal of the data, the restriction of data processing, and exercise his or her right to data portability and objection.
a.) Right to information:
At the request of the data subject, the Data Controller shall take appropriate measures to provide the data subject with all the information and particulars concerning the processing of personal data provided for in the General Data Protection Regulation in a concise, transparent, intelligible and easily accessible form, in clear and plain language.
b.) The right of access of the data subject:
The data subject has the right to receive feedback from the Data Controller on whether his or her personal data are being processed and, if so, the right to access the personal data and the following information:
– the purposes of the processing;
– the categories of personal data concerned;
– the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
– the intended period of storage of personal data; the right to rectification, erasure or restriction of processing and the right to object; the right to lodge a complaint with a supervisory authority;
– information on data sources;
– the fact of automated decision-making, including profiling, as well as the logic used and clear information on the significance of such processing and its likely consequences for the data subject.
The Data Controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. At the request of the data subject, the Data Controller shall provide the information in electronic form.
The right to information in writing is set out in 1. through the contact details indicated in point (a). Upon request, information may also be provided orally to the data subject, following a credible proof of identity and identification.
c.) Right of rectification:
The data subject may request the correction of inaccurate personal data concerning him or her processed by the Controller and the completion of incomplete data.
d.) Right to erasure:
The data subject shall have the right, upon request and without undue delay, to obtain the erasure of personal data concerning him or her by the Data Controller on one of the following grounds:
– the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
– the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
– the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
– the personal data have been unlawfully processed;
– the personal data must be erased in order to comply with a legal obligation under European Union or Member State law applicable to the Data Controller.
– personal data are collected in connection with the provision of information society services.
The erasure of data cannot be initiated if the processing is necessary:
– to exercise the right to freedom of expression and information;
– for the purposes of complying with an obligation under European Union or national law to which the controller is subject to which the processing of personal data is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
– for archiving, scientific and historical research purposes or for statistical purposes in the field of public health or in the public interest;
– or to bring, enforce or defend legal claims.
–
e.) The right to restriction of processing:
At the request of the data subject, the Data Controller shall restrict processing if one of the following conditions is met:
– the data subject contests the accuracy of the personal data, in which case the restriction applies for a period of time which allows the accuracy of the personal data to be verified;
– the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
– the Controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
– the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.
Where processing is restricted, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the European Union or of a Member State. The Controller shall inform the data subject in advance of the lifting of the restriction on processing.
f.) Right to data retention:
The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and to transmit such data to another controller.
g.) Right to object:
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
In the event of an objection, the Data Controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The Data Controller does not process personal data for direct marketing purposes.
8.2. Procedural rules
The Data Controller shall inform the data subject of the action taken on the request without undue delay and in any event within one month of receipt of the request. If necessary, and taking into account the complexity of the application and the number of requests, this deadline may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, stating the reasons for the delay. If the data subject has made the request by electronic means, the information will be provided by electronic means unless the data subject requests otherwise.
If the controller does not take action on the data subject’s request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.
The Data Controller shall provide the requested information and data free of charge. Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller may charge a reasonable fee, taking into account the administrative costs of providing the information or information requested or of taking the action requested, or may refuse to act on the request.
The Data Controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. The Data Controller will inform the data subject of these recipients upon request.
The Data Controller shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request by electronic means, the information will be provided in electronic format, unless the data subject requests otherwise.
8.3. Damages and compensation
Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the General Data Protection Regulation shall be entitled to receive compensation from the Data Controller or the Processor for the damage suffered. The Processor shall be liable for damage caused by the processing only if it has failed to comply with the obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the Controller.
Where both the Controller and the Processor are involved in the same processing and are liable for the damage caused by the processing, the Controller and the Processor shall be jointly and severally liable for the entire damage.
The Controller or the processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
8.4. Data Protection Authority procedure
The data subject may lodge a complaint about the processing of his or her personal data by the Data Controller with the National Authority for Data Protection and Freedom of Information as supervisory authority. Contact details of the supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH) Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
postal address: 1530 Budapest, Pf.: 5.
e-mail: ugyfelszolgalat@naih.hu
phone: +36 (1) 391-1400 fax: +36 (1) 391-1410
You can file a complaint or a complaint in case of violation of your rights in relation to content that is offensive to minors, hateful, exclusionary, corrective, violation of the rights of a deceased person, violation of reputation:
National Media and Communications Authority
address: 1015 Budapest, Ostrom u. 23-25.
e-mail: info@nmhh.hu mailing address: 1525. Pf. 75 tel: (06 1) 457 7100 fax: (06 1) 356 5520
9. DATA BREACH NOTIFICATION SYSTEM
9.1. Data breach: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
9.2. Notification of a personal data breach to the supervisory authority
1. The Data Controller shall notify the data protection incident to the competent supervisory authority without undue delay and, if possible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons justifying the delay.
2. The Processor shall notify the Controller of the personal data breach without undue delay after becoming aware of it. (24 hours maximum)
(3) If and to the extent that it is not possible to provide the information simultaneously, it may be provided in instalments at a later date without further undue delay.
4. The Data Controller shall keep a record of the data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it.
9.3. Informing the data subject about the personal data breach
1. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay (maximum 24 hours).
2. The information provided to the data subject shall clearly and plainly describe the nature of the personal data breach and communicate the information and measures referred to above.
3. The data subject need not be informed if any of the following conditions are met:
the Data Controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in the previous paragraph is no longer likely to materialise;
information would require a disproportionate effort. In such cases, the data subjects should be informed by means of publicly disclosed information or by a similar measure which ensures that the data subjects are informed in an equally effective manner.
Dated: 2023. 1 May.
Mrs Lajos Darázs Owner
Maya Apartment