The purpose of this Privacy Policy is to set out the processing of personal data by Anita, Judit and Kovács Apartments as Data Controller (also Data Controller, Service Provider). It sets out the data protection and processing principles applied, the data protection and processing policy of the Service Provider, which the Service Provider acknowledges as binding upon itself, with particular regard to the protection of personal data provided by Users.

By using the website operated by the Service Provider or by using any of the Service Provider’s services, the User consents to the processing of his/her personal data in accordance with the provisions of this Privacy Policy.

The scope of this Notice also covers the processing of personal data by processors who have entered into a data processing contract with the Service Provider.

DATA OF THE SERVICE PROVIDER AS DATA CONTROLLER

Name:	Kovács Anita	Kovács Judit	Kovács Pál
Adress:	Gyenesdiás, Vörösmarty u. 24	Gyenesdiás, Váci M. u. 6.	Gyenesdiás, Vörösmarty u. 23.
Tax ID:	75248385-1-40	75204938-1-40	74830198-1-40
Website:	www.apartmankovacs.hu
E-mail:	info@apartmankovacs.hu
Reg. authority:	Gyenesdiási Közös Önkormányzati Hivatal
Reg. number:	764/2002.	767/2002.	316/1997.
NTAK reg.	MA19015734	MA19004745	MA19015733

I. Basic concepts

personal data: any information relating to an identified or identifiable natural person (data subject) which can be associated with him or her, in particular the name, the identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and any inference relating to the data subject which can be drawn from the data.

data file: the set of data processed in a register;

data subject: a natural person identified or identifiable, directly or indirectly, on the basis of any information;

data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

third party: a natural or legal person or an unincorporated body other than the data subject, the controller or the processor;

data protection: the totality of technologies and organisational methods that enable the integrity, integrity, usability and confidentiality of the collected data assets;

data breach: a breach of data security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

data management: Any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, recording, organisation, structuring, storage, adaptation or alteration, use, retrieval, disclosure, transmission, dissemination or otherwise making available to the public or otherwise making accessible, alignment or combination, restriction, erasure or destruction of data or preventing their further use, taking of photographs, sound recordings or images, or any other physical means of identification of a person (e.g. fingerprints, palm prints, DNA samples, iris scans).

data controller: a natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and executes decisions regarding the processing (including the means used) or has the data processed by a processor.

transfer: making data available to a specified third party.

erasure: rendering data unrecognisable in such a way that it is no longer possible to retrieve it.

restriction of processing: the marking of stored personal data for the purpose of limiting their future processing;

consent: a voluntary, explicit and unequivocal indication of the data subject’s wishes, based on specific and adequate information, by which the data subject signifies his or her agreement to the processing of personal data concerning him or her, either in full or in relation to specific operations, by means of a statement or an act which unambiguously expresses his or her consent.

Consent shall be deemed to be given if the data subject, when consulting the website or when finalising a reservation, ticks a corresponding box or makes the relevant technical settings, or by any other statement or action which, in the context of the particular case, unambiguously indicates his or her consent to the intended processing of personal data.

Mandatory processing: where processing is required by law or, in accordance with the law and within the scope specified therein, by a regulation of a local authority, for a purpose which is in the public interest.

disclosure: making data available to the public.

profiling: any form of automated processing of personal data whereby personal data are used to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict characteristics associated with the performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements of that natural person.

II. Purpose of data processing

The Data Controller processes the personal data of the Guests for the following purposes, based on the voluntary consent of the user:

for the purpose of requesting accommodation, making a reservation
for the purpose of issuing an invoice before the Guest leaves the accommodation
for the purpose of communication in relation to the booking
When subscribing to the website newsletter, the user voluntarily provides his/her data, which will

be stored for the purpose of sending occasional promotional newsletters about the accommodation. The user may unsubscribe from the newsletter at any time.

III. Legal basis for data processing

The Data Controller processes the personal data of guests on the following legal basis:

For the purpose set out in point II. a), Article 6(1)(b) GDPR, i.e. the performance of a contract to which the Guest, as data subject, is a party.

In the case of the purpose in point II. b), Article 6(1) c) GDPR, i.e. the fulfilment of a legal obligation on the controller, namely the obligation to prepare a receipt or invoice.

For the purpose of point II. c), the data are processed on the basis of Article 6(1)(a) of the GDPR in order to provide you with adequate information on the material circumstances of the contractual relationship.

Where processing is necessary for other purposes or on other legal bases than those mentioned above, the controller must inform the data subject individually, prior to the start of the processing, of all relevant information and of their rights in relation to the processing to be carried out.

IV. Scope of the data processed

Guest interest: Personal data processed: name (first and last name), e-mail address, telephone number

The use of the online booking platform on the website of the Data Controller does not require a separate registration, but the following personal data must be provided in order to make a reservation.

The scope of the personal data processed is: Name (first and last name), Telephone number, E-mail address, Billing address

Guest chechk in: Personal data processed: Name (first and last name), Date of birth, Address, ID/Passport number

Tourist discount card registration: Personal data processed: Name (first and last name), year of birth, address

Billing: Personal data processed: Name (first and last name), billing address

Complaints handling: Personal data processed: Name (first and last name), e-mail address, telephone number, address

V. Duration of data management

The processing of the Guest’s personal data starts from the date of the reservation and is deleted after 5 years from the date of the Guest’s departure from the accommodation.

The Guest’s name and billing address will be processed for the period of 8 (eight) years as provided for in the Accounting Act, after which they will be destroyed by the Controller.

VI. Data protection

The Data Controller will take all necessary steps to ensure the security of the personal data provided by the Guests, both in the network system and in the storage and safekeeping of the data.

The reservation system through the website of the Data Controller is hosted by an external secure hosting service provider, which does not have access to the data managed on this hosting. The data controller’s work processes are carried out on a password and anti-virus protected computer.

VII. Data processors

The Processor processes personal data on behalf of the Data Controller under the terms and conditions set out in the Data Processing Contract. The conditions for the processing of and access to Personal Data by the Processor are set out in the Data Processor Agreement between the Controller and the Processor.

Data Processor(s) for online booking/request for quotation.

MediaCenter.com.Hungary is the data controller of the website.

VIII. Guest rights and enforcement options

The Guest has the right to receive feedback from the controller as to whether his/her personal data are being processed and, if so, to be informed of the data processed and of any relevant information concerning the processing.

The Customer may request the controller to correct inaccurate personal data concerning him/her without undue delay. Taking into account the purposes of the processing, the Customer may request the integration of his/her personal data.

The Controller shall erase the personal data without undue delay if the processing of the data is unlawful, incomplete or inaccurate, the purpose of the processing has ceased or the period of storage has expired or has been ordered by a court or public authority, or the erasure is necessary to comply with a legal obligation to which the Controller is subject.

Where the controller processes personal data on the basis of the data subject’s consent, the data subject may withdraw that consent. If there is no other legal basis for the processing, the controller shall erase the personal data concerned by the withdrawn consent.

The Guest shall have the right to obtain from the controller, at his/her request, the restriction of processing where

– the Guest contests the accuracy of the personal data – for the time necessary to verify the accuracy;

– the processing is unlawful but the Customer objects to the erasure of the data and requests the restriction of use;

– the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of a legal claim; or

– the data subject objects to the processing of his or her data on grounds of public interest or legitimate interest pursued by the controller or a third party.

During the restriction period, the controller shall not use the personal data for any purpose other than storage.

Enforcement:

The Guest may send a written request concerning the processing of data to the address of the controller on paper or by e-mail.

In the event of a breach of his/her rights, the data subject may bring an action before the competent court at the address of the controller or, at his/her option, the competent court at his/her place of residence or, failing that, at his/her place of domicile, and may bring an action before the courts of law.

The Service Provider reserves the right to amend this Policy at any time by unilateral decision. Thus, as the Data Controller, in the event of an amendment to this Notice, the Service Provider is entitled (but not obliged) to inform the data subject of the amendment by sending a system message. Data Subjects are entitled to exercise their rights in relation to data processing as set out in this Notice and in the applicable law.

In addition, the guest may lodge a complaint with the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet Fasor 22/c., hereinafter referred to as “NAIH”) and initiate an investigation on the grounds that there is a violation of rights or an imminent threat of such violation in connection with the processing of his/her personal data.

IX. Guiding legislation

Regulation 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation” or “GDPR”).

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Infotv.”).

Act V of 2013 on the Civil Code (“Civil Code”) and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising Activities (“Act XLVIII”).

Act CXXX of 2016 on the Code of Civil Procedure

Information about the use of cookies

What is a cookie?

The Data Controller uses so-called cookies when you visit the website. A cookie is a set of letters and numbers that our website sends to your browser to save certain settings, facilitate the use of our website and help us to collect some relevant statistical information about our visitors.

Some of the cookies do not contain any personal information and cannot be used to identify the individual user, but some of them contain a unique identifier – a secret, randomly generated sequence of numbers – that is stored on your device, thus ensuring your identification. The duration of each cookie is described in the relevant description of each cookie.

Legal background and legal basis for cookies:

The legal basis for processing is your consent pursuant to Article 6(1)(a) of the Regulation.

Main features of the cookies used by the website:

Acceptance of cookies: you accept the cookie storage statement in the warning window when you visit the site. The lifetime is 365 days.

If you do not accept cookies, certain features will not be available to you. For more information on how to delete cookies, please click on the links below:

Gyenesdiás, 15th November 2022

Privacy policy