Data processing information

„KELET-REST” Ltd.

registered office: 4400 Nyíregyháza, Sóstói út 70.

 company registration number: 15-09-067593

tax number: 12832277-2-15

hereinafter: Service Provider/Data Controller hereby informs its customers, guests and visitors to its website of the following regarding the processing of personal data and the rights of the data subject in this context.

The Service Provider is committed to the protection of its personal data, thus ensuring that data subjects are treated confidentially and in accordance with the provisions of this statement, in full compliance with the applicable laws at all times. The Hotel declares that it respects the personal rights of its partners, customers and visitors to its website.

By providing the data of the data subject who comes into contact with the Service Provider, the data subject accepts the following and consents to the data processing specified below.

Purpose and scope of the data protection policy

The purpose of this Policy is to ensure that the Service Provider complies with the relevant legal provisions during data processing.

This Policy shall enter into force upon publication on the Website. The date of publication of this Policy shall be December 15, 2023.

The scope of this Policy shall cover the Service Provider, the Data Subjects, and those persons whose rights or legitimate interests are affected by data processing.

The scope of this Policy shall cover data processing carried out in all organizational units of the Service Provider and through the Website.

Definitions:

Personal data: data relating to a data subject - in particular the name, an identifier and one or more physical, physiological, mental, economic, cultural or social identity of the data subject - and the conclusion that can be drawn from it concerning the data subject.

Data processing: any operation or set of operations performed on data, regardless of the method used, such as in particular collection, recording, recording, structuring, storage, alteration, use, consultation, transmission, disclosure, alignment or combination, blocking, erasure and destruction, as well as preventing further use of the data, taking photographs, audio or video recordings and recording physical characteristics suitable for identifying a person.

Data controller: the natural or legal person or an organisation without legal personality who, alone or jointly with others, determines the purposes of the processing of data, takes and implements the decisions relating to the processing of data (including the means used), or has them implemented by a processor entrusted by him.

Data processor: the natural or legal person or an organisation without legal personality who processes data on the basis of a contract concluded with the data controller, including a contract concluded on the basis of a legal provision.

Recipient: the natural or legal person, public authority, agency or any other body to which personal data are disclosed, whether or not a third party. Public authorities which have access to personal data in the context of an individual investigation in accordance with Union or Member State law shall not be considered recipients; the processing of such data by such public authorities shall comply with the applicable data protection rules in accordance with the purposes of the processing.

Data subject: any natural person who is identified or identifiable, directly or indirectly, on the basis of personal data.

Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear and unambiguous act, signifies agreement to the processing of personal data concerning him or her.

Data processing: the performance of technical tasks relating to data processing operations, regardless of the method and means used to carry them out and the place of application, provided that the technical task is carried out on the data.

Data marking: the assignment of an identification mark to data in order to distinguish them.

Data destruction: the complete physical destruction of the data carrier containing the data.

Data transfer: the making the data available to a specified third party.

Data erasure: the rendering of data unrecognizable in such a way that their recovery is no longer possible.

Data blocking: providing the data with an identification mark in order to permanently or for a specific period of time limit its further processing.

Third party: a natural or legal person or an organization without legal personality who is not the same as the data subject, the data controller or the data processor.

Website: www.sostopark.hu

Consent: the voluntary and definite declaration of the data subject's wishes, which is based on appropriate information and by which he gives his unambiguous consent to the processing of personal data concerning him - in full or covering certain operations.

Disclosure: making the data accessible to anyone.

Objection: the statement of the data subject by which he objects to the processing of his personal data and requests the termination of the data processing or the deletion of the processed data.

Legal basis for data processing

Personal data may be processed by the hotel if

a) the data subject consents to it, or

b) it is ordered by law or – based on the authorization of law, within the scope specified therein – by a local government decree for a purpose based on public interest (mandatory data processing).

Personal data may also be processed if obtaining the data subject’s consent is impossible or would entail disproportionate costs, and the processing of the personal data is necessary for the fulfillment of a legal obligation to which the data controller is subject, or for the enforcement of the legitimate interests of the data controller or a third party, and the enforcement of this interest is proportionate to the restriction of the right to protection of personal data.

The consent of a minor under the age of 16 with limited legal capacity is required for the declaration of an incapacitated person and a minor under the age of 16 with limited legal capacity, except for those parts of the service where the declaration is intended for mass data processing occurring in everyday life and does not require special consideration.

If the data subject is unable to give consent due to incapacity or other unavoidable reasons, the personal data of the data subject may be processed to the extent necessary to protect the vital interests of the data subject or of another person, as well as to avert or prevent an immediate threat to the life, physical integrity or property of persons, while the obstacles to consent exist.

If the personal data were collected with the data subject's consent, the data controller may process the collected data, unless otherwise provided by law

a) for the purpose of fulfilling a legal obligation to which the data subject is subject, or

b) for the purpose of enforcing the legitimate interests of the data controller or a third party, if the enforcement of such interests is proportionate to the restriction of the right to the protection of personal data, without further specific consent, and even after the data subject's consent has been withdrawn.

Personal data may only be processed for specific purposes, in order to exercise a right and fulfil an obligation. Data processing must comply with this purpose at all stages, and the collection and processing of the data must be fair.

Only personal data that is essential for the purpose of data processing, suitable for achieving the purpose, and only to the extent and for the period necessary to achieve the purpose may be processed.

Personal data may only be processed with informed consent. The provision of personal data by the data subject or his/her representative, or the confirmation of having read the information contained in this statement, shall be deemed to be consent as described above.

The data subject shall be informed before the start of data processing whether the data processing is based on consent or is mandatory. The data subject shall be informed - clearly, intelligibly and in detail - of all facts related to the processing of his/her data, in particular the purpose and legal basis of data processing, the person authorised to process and process the data, the duration of data processing, whether the data subject's personal data are processed by the data controller with the consent of the data subject and for the purpose of fulfilling a legal obligation applicable to the data controller or for the purpose of enforcing the legitimate interests of a third party, and who may have access to the data. The information must also include the rights and legal remedies of the data subject in relation to data processing. The Service Provider fulfils the above obligation by publishing this statement.

During data processing, the accuracy, completeness and up-to-dateness of the data must be ensured, and the data subject must only be identified for the period necessary for the purpose of data processing.

Employees performing data processing at the Service Provider's organizational units are obliged to keep the personal data they have learned as a business secret. Persons who process personal data and have access to them are obliged to make a Confidentiality Statement.

The Data Controller processes personal data exclusively for specific purposes, in the interests of exercising rights and fulfilling obligations. The data processing complies with the purpose of data processing at all stages. The data is collected and processed fairly and lawfully. The Data Controller strives to process only such personal data that is essential for the achievement of the purpose of data processing and is suitable for achieving the purpose. Personal data may only be processed to the extent and for the period necessary for the achievement of the purpose.

If the person providing personal data does not provide their own personal data, the person providing the data is obliged to obtain the consent of the person concerned.

Data processing on the Website

a) The legal basis for data processing on the Website is: the User’s consent, or Act CVIII of 2001 on certain issues of electronic commerce services and information society services, Section 13/A (3).
b) The scope of the processed data:

- date and time of accessing the Website,

- IP address of the User’s computer,

- type of browser,

- name of the User,

- telephone number,

- e-mail address,

- date and time of arrival and departure,

- number of adult guests, number and age of children,

- type of care,

- other personal data provided by the User, in particular

- personal identification data,

- in case of using the self check-in service

- passport number,

- identification number of other personal documents.

c) Deadline for deleting data: 5 years from the date of booking, in the case of a request for quotation, if no contract has been concluded immediately; and in the case of consents given to send the newsletter until the consent is withdrawn. In the case of accounting documents, the Service Provider retains them for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.
d) The deletion or modification of personal data can be initiated in the following ways:

- by post (4400 Nyíregyháza, Sóstói út 70.)

- by e-mail (info@sostopark.hu)

e) We inform our Users that the court, the prosecutor, the investigating authority, the misdemeanor authority, the administrative authority, the data protection commissioner, or other bodies authorized by law may contact the Service Provider to provide information, communicate, transfer data, or make documents available.
f) The Service Provider will only provide the authorities with personal data to the extent and insofar as the authority has specified the exact purpose and scope of the data, which is absolutely necessary to achieve the purpose of the request.
g) The Service Provider processes the data and information provided by the guests and necessary for the provision of the Service in accordance with the provisions of Act CXII of 2011 on the right to information self-determination and freedom of information.
h) The Service Provider processes the personal data of the Users for the purpose of providing the service (full use of the Website, e.g. booking, sending a newsletter), exclusively to the extent and for the period necessary for that purpose. The data processing complies with this purpose at all stages.
i) It also processes the personal data that are technically absolutely necessary for the provision of the service. If the personal data was collected with the consent of the User, the Service Provider may process the collected data, unless otherwise provided by law, for the purpose of fulfilling the legal obligation applicable to it, or for the purpose of enforcing the legitimate interests of the Service Provider or a third party, if the enforcement of this interest is proportionate to the restriction of the right to the protection of personal data, without further separate consent, and even after the withdrawal of the User's consent.
j) In addition, the Service Provider only collects information about Users (IP address, time of use, website viewed, browser program, and one or more cookies enabling the unique identification of the browser) that it uses exclusively for the development and maintenance of the Services and for statistical purposes. The Service Provider uses the data processed for these statistical purposes only in a form unsuitable for personal identification. In order to improve the quality of the Services, the Service Provider places a file containing a character string, a so-called cookie, on the User's computer, if the User consents to this. If the User does not consent, it will be notified in advance at the contact details specified in point d).
k) The Service Provider transfers the personal data it manages to third parties only for the development and/or operation of certain services of the Service Provider - used by the User. The Service Provider does not use the personal data it manages for the purposes of third parties and does not misuse them in any other way.
l) The Websites also contain links to external servers (not managed by the Service Provider), and pages accessible through these links may place their own cookies or other files on your computer, collect data, or request personal data. The Service Provider excludes any liability for these. m) By using the service, the User consents to the Service Provider collecting and processing his/her personal data in accordance with the provisions of this data protection notice, for the purpose of providing the service in its entirety.

Newsletter

a) Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Conditions and Certain Limitations of Economic Advertising Activity, the User expressly and in advance consents to the Service Provider contacting him/her with advertising offers and other communications at the contact details provided upon registration (e.g. e-mail address or telephone number).
b) Furthermore, the Customer, bearing in mind the provisions of this information, consents to the Service Provider processing his/her personal data necessary for sending advertising offers.
c) The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from the sending of offers free of charge, without restriction or justification. In this case, the Service Provider will delete all personal data - necessary for sending advertising messages - from its records and will not contact the User with further advertising offers. The User may unsubscribe from advertisements by clicking on the link in the message.
d) Purpose of data management: sending electronic newsletters containing commercial advertising messages to the User, providing information about current information, offers and services.
e) Legal basis for data management: voluntary consent of the data subject and Section 6 (5) of Act XLVIII of 2008 on the basic conditions and certain limitations of commercial advertising activities.
f) Scope of data managed: name, e-mail address, telephone number, date, time.
g) Deadline for data deletion: until the consent declaration is withdrawn, i.e. until unsubscribing.

Data security

a) The Service Provider takes all necessary and expected security steps, organizational and technical measures to ensure the security of personal data and to prevent their unauthorized alteration, destruction and use.
b) The Service Provider shall take all necessary and expected measures to ensure data integrity, i.e. the accuracy, completeness and up-to-dateness of the personal data it manages and/or processes.
c) The Service Provider shall protect the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage and inaccessibility resulting from changes in the technology used.
d) The Service Provider therefore reserves the right, if it detects a security breach in its system by its customers or partners, to inform its customers and partners about it and at the same time restrict access to the Service Provider's system, services or certain functions until the security breach is eliminated.
e) The Service Provider shall avoid data loss by continuously mirroring the data stored on the network.
f) The Service Provider performs daily backups of the active data of the databases containing personal data.
g) On the network that manages personal data. The Service Provider continuously ensures virus protection.
h) Access to data and data files managed on the Service Provider's network must be ensured with a username and password.

Participants in data management

Considering that data management takes place during the use of a specific software, the Data Manager notes that the data managed during the use of the subject software may come into the possession of the following persons, given that certain subprograms of the software are supervised and developed by a third party.

The following third parties, in addition to the Data Controller, are entitled to access the data processed during the Data Controller's activities:

Name: SabeeApp Could Hotel Management

Head office: 1075 Budapest, Madách Imre út 13-14

E-mail: support@sabeeapp.com

Tel: (06 1) 998 91 86

Scope of transmitted data: name, address, telephone number, email address, booking parameters of the booking guest

Information on data processing

a) The data subject may request information from the data controller about the processing of his or her personal data, the correction of his or her personal data, and the deletion or blocking of his or her personal data - with the exception of mandatory data processing.
b) At the request of the data subject, the data controller shall provide information about the data subject's data processed by him or her or by a data processor commissioned by him or her or on his or her instructions, their source, the purpose, legal basis, duration of the data processing, the name, address of the data processor and its activities related to the data processing, the circumstances, effects of the data protection incident and the measures taken to prevent it, and - in the case of the transfer of the data subject's personal data - the legal basis and recipient of the data transfer.

The information is free of charge if the person requesting the information has not yet submitted a request for information to the data controller regarding the same data scope in the current year. In other cases, a cost reimbursement may be established. The amount of the cost reimbursement may also be stipulated in the contract concluded between the parties. The already paid reimbursement must be refunded if the data was processed unlawfully or the request for information led to a correction.

c) The Service Provider shall correct the personal data if it is not true and personal data that is true is available to it.

d) The Service Provider shall block the personal data if the User requests this or if, based on the information at its disposal, it can be assumed that the deletion would violate the User's legitimate interests. Blocked personal data may only be processed as long as the purpose of the data processing that precluded the deletion of the personal data exists.
e) The Service Provider shall delete the personal data if its processing is unlawful, the User requests it, the processed data is incomplete or incorrect - and this condition cannot be legally remedied - provided that the deletion is not excluded by law, the purpose of the data processing has ceased, or the statutory deadline for storing the data has expired, or it has been ordered by the court or the National Data Protection and Freedom of Information Authority.
f) The data controller has 25 days to delete, block or correct the personal data. If the Service Provider does not meet the User's request for correction, blocking or deletion, it shall communicate the reasons for the refusal in writing within 25 days.
g) The Service Provider shall notify the Client of the correction, blocking and deletion, as well as all those to whom the data was previously forwarded for data processing purposes. The notification may be omitted if this does not violate the legitimate interests of the data subject with regard to the purpose of data processing.

Control

a) Compliance with data protection regulations, in particular those contained in this statement, is continuously monitored by the heads of the organizational unit performing data management at the Service Provider

b) The Service Provider, or the data protection officer appointed by it, checks the data processed once a year.

Legal remedies

a) The user may object to the processing of his or her personal data if

- the processing or transmission of personal data is necessary exclusively for the fulfillment of a legal obligation applicable to the Service Provider, or for the enforcement of the legitimate interests of the Service Provider, the data recipient or a third party, unless the data management is ordered by law;

- the use or transmission of personal data is for the purpose of direct marketing, public opinion polling or scientific research;

- in other cases specified by law.

b) The Service Provider shall examine the objection within the shortest possible time from the submission of the application, but no later than 15 days, and shall make a decision on its merits and shall inform the applicant of its decision in writing. If the Service Provider determines that the objection of the data subject is well-founded, it shall terminate the data processing - including further data collection and transmission - and block the data, and shall notify all those to whom the personal data subject to the objection was previously transmitted about the objection and the measures taken on its basis, who are obliged to take measures to enforce the right to object.
c) If the User does not agree with the decision of the Service Provider, he may appeal to the court against it - within 30 days from its notification.
d) In the event of a violation of his rights, the User may appeal to the court against the Service Provider. The court shall proceed with the case expeditiously.
e) You can file a complaint with the National Data Protection and Freedom of Information Authority. The Authority’s contact details are:

1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, P.O. Box: 5.

Telephone: +36 -1-391-1400

Fax: +36-1-391-1410

Email: ugyfelszolgalat@naih.hu

Nyíregyháza, December 14, 2023

„KELET-REST” Kft.

Data controller