HOTEL PALOTA LILLAFÜRED KFT. DATA MANAGEMENT NOTICE

GENERAL PROVISIONS

Hotel Palota Lillafüred Szállodaipari Kft., as the operator of CITY HOTEL MISKOLC****, always ensures the legality and expediency of data management with regard to the personal data it handles. The purpose of this information notice is to provide our guests who book accommodation and provide their personal data appropriate information about the conditions and safeguards to which data processing is subject and the duration of data processing by our company before making a reservation or providing their personal data. Our company adheres to the provisions of this information notice in all cases involving the processing of personal data, and we consider what is described here to be binding on us.

However, we reserve the right to change what is described in this unilateral legal statement, in which case we will inform the data subjects in advance. If you have any questions about the content of this information notice, please write to us at the e-mail address info@cityhotelmiskolc.hu . The data processing operations carried out by our company are based on freely given consent, and in some cases, data processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract.

Our data management complies with the relevant legislation, in particular the following:

➢ Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) – on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”)

➢ CXII of 2011 on the right to information self-determination and freedom of information. Act (“Info. tv.”).

Details of the Controller

company name: HOTEL PALOTA LILLAFÜRED

Szállodaipari Korlátolt Felelősségű Társaság

registered office: Erzsébet sétány 1, 3517 Miskolc, Hungary
site: 3529 Miskolc, Csabai kapu 8.
company registration number: 05-09-030476
telephone number: +36-46-331-411
e-mail: info@hotelpalota.hu info@cityhotelmiskolc.hu

DATA PROCESSING IN CONNECTION WITH ONLINE ACCOMMODATION BOOKINGS

Our company offers online and telephone reservation options so that guests can book a room at the City Hotel Miskolc quickly, comfortably and at no cost.

Controller of personal data: Hotel Palota Lillafüred Kft.

The purpose of data processing: to facilitate the reservation of accommodation, to make it cost-free and more efficient, to contact the guest booking the accommodation.

Legal basis for data processing: prior consent of the person booking the accommodation.

Scope of processed personal data: address; surname and first name; residential address (country, postal code, city, street, house number); telephone number; e-mail address; in the case of a business, company name and registered office; bank card number, SZÉP card details (identification number, name as shown on the card).

When filling out the online registration form, the following data is also processed by the accommodation provider: number of identity document (identity card, passport or driver’s license), nationality, place and date of birth, vehicle registration number.

Duration of data processing: two years after the last day of the stay according to the reservation.

Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.

Data Processor Name	Headquater	Data processing task description
PREVIO s.r.o.	Kolbenova 882/5a 190 00 Praha 9	Providing the possibility of online accommodation booking through the PREVIO system

By accepting this privacy notice, the data subject gives his or her express consent to the Data Processor using additional data processors in order to make the service more convenient and customised as follows:

More Data Processor names	Headquarters	Data processing task description
PREVIO s.r.o.	Kolbenova 882/5a 190 00 Praha 9	Performing customer management tasks when using the Previo hotel system Server hosting tasks transmission of online booking data
OTP Mobil Kft.	1093 Budapest, Közraktár u. 30-32. Hungary	Conducting the data communication required for payment transactions between the merchant and the payment service provider’s system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.
OTA (online travel agency)		e.g.: szállás.hu, booking, Expedia, HRS – guests can also book our hotel on the OTA interface. The reservation sytem sends the reservation parameters and the guest’s data (name, phone, email address, special request) by email.
EquiComm Magyarország Kft.	2724 Újlengyel, Petőfi Sándor u. 48.	Management of social media interfaces Facebook account management, Facebook advertising, other social interfaces, e.g. Instagram

Possible consequences of not providing data: no contract will be created for the hotel room.

The rights of the data subject: the data subject (i.e. the person whose personal data is processed by our company):

a) may request access to personal data concerning him or her,
b) may request rectification of such data,
c) may request erasure of such data,
d) may request that the processing of personal data concerning him or her be limited, if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not erase or destroy the data until a court or authority requests it, but for a maximum of thirty days, and beyond that, the data is not processed for any other purpose),
e) may object to the processing of personal data,
f) may exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive his or her personal data in Word or Excel format and is also entitled to have this data forwarded to another data controller by our company upon request.

Additional information about data processing:

Our company takes all necessary technical and organisational measures to avoid a possible personal data breach (e.g. damage, disappearance of files containing personal data, access by unauthorised persons). In the event that a personal data breach still occurs, we keep a register for the purpose of checking the necessary measures and informing the data subjects, which includes the scope of personal data affected, the scope and number of people affected by the personal data breach, the date, circumstances, effects of the personal data breach and the measures taken to prevent it, as well as the other data specified in the legislation regulating data processing.

Our company has entered into a data processing contract for the data processing tasks, in which Previo undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the event of the use of an additional data processor, in view of this, we also ensure the legal processing of personal data in the case of the data processor.

DATA PROCESSING RELATED TO RECORDING THE DATA OF GUESTS USING THE SERVICE DURING THE CHECK-IN PROCESS

Our company, as a hotel, has a legal obligation to record and forward the guest’s personal data to the National Tourist Information Centre as a hosting service provider via accommodation management software when the hotel guest checks in.

Controller of personal data: Hotel Palota Lillafüred Kft.

Purpose of data processing: Pursuant to Section 9/H* (1) of Act CLVI of 2016 on state tasks related to the development of tourist areas, protection of the rights, safety and property of the data subject and others, as well as verification of compliance with the provisions on the residence of third-country nationals and persons with the right to free movement and residence

Legal basis for data processing: Section 9/H* (1) of Act CLVI of 2016 on the state tasks relating to the development of tourist areas.

Scope of processed personal data:

a) the first and last name, first and last name at birth, place and date of birth, gender, nationality and mother’s first and last name at birth of the person using the accommodation service
b) details of the identity document or travel document of the person using the accommodation service, in the case of a third-country national, the number of the visa or residence permit, the date and place of entry, and
c) the address of the accommodation service, the start data, expected and actual end date of the use of the accommodation

Duration of data processing: the accommodation provider processes the data of the person using the accommodation service until the last day of the first year after becoming aware of it.

Use of a data processor: in the course of fulfilling the above obligation, our company forwards the data required to be recorded to the National Tourist Information Centre as a storage provider via accommodation management software.

The activities of the hosting service provider – as a data processor of the accommodation provider – exclusively include the storage of the data in an encrypted form (encrypted using the procedure designated in the relevant Government decree) and ensuring access to the data for the accommodation provider and the person or body authorised by law through the accommodation provider. The hosting service provider cannot know the data stored on its servers.

For the purpose of law enforcement, crime prevention, the protection of public order, public safety, the order of the state border, the rights, safety and property of the person concerned and others, and the conduct of warrant proceedings, the Police

a) may perform a search in the data stored by the hosting service provider using an IT tool and, as a result of the search, find out information about the accommodation provider used by the person satisfying the search conditions specified by the Police, and
b) by indicating the purpose of the data request, may request the transfer of data processed by the accommodation provider, which the accommodation provider will do free of charge.

The controller performs the data processing tasks defined in Section 14 of Government Decree 235/2019. (X.15.).

By accepting this privacy notice, the data subject gives his or her express consent to the Data Processor using additional data processors as follows:

Previo s.r.o. (Kolbenova 882/5a 190 00 Praha 9) operates the accommodation management software which supports the mandatory data provision as specified above.

Possible consequences of failure to provide data: The user of the accommodation service presents the above document to the accommodation provider for the purpose of recording the data upon check-in. If no document is presented, the accommodation provider will refuse to provide the accommodation service.

The rights of the data subject: the data subject (i.e. the person whose personal data is processed by our company):

a) may request access to personal data concerning him or her,
b) may request rectification of such data,
c) may request erasure of such data,
d) may request that the processing of personal data concerning him or her be limited, if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not erase or destroy the data until a court or authority requests it, but for a maximum of thirty days, and beyond that, the data is not processed for any other purpose),
e) may object to the processing of personal data,
f) may exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive his or her personal data in Word or Excel format and is also entitled to have this data forwarded to another data controller by our company upon request.

Other information related to data management: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, access to unauthorized persons). In the event of an incident that still occurs, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of people affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation requiring data management.

DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTION

Controller of personal data: Hotel Palota Lillafüred Kft.

The purpose of data processing: contact with potential hotel guests

Legal basis for data processing: prior consent of the person booking accommodation, Article 6 (1)(a) of the GDPR

Scope of processed personal data: first and last name; e-mail address

Duration of data processing: our company manages e-mail addresses until you unsubscribe from the newsletter.

Use of a data processor: our company uses an IT service provider to operate the online quotation system as follows.

Data Processor Name	Headquater	Data processing task description
Webglobe, s.r.o.	Pobřežní 620/3 186 00 Praha 8	Newsletter database storage

More Data Processor names	Headquater	Data processing task description
PREVIO s.r.o.	Kolbenova 882/5a 190 00 Praha 9	Operation of the newsletter system

Possible consequences of failure to provide data: Az érintett nem kap hírlevelet cégünktől

The rights of the data subject: the data subject (i.e. the person whose personal data is processed by our company):

a) may request access to personal data concerning him or her,
b) may request rectification of such data,
c) may request erasure of such data,
d) may request that the processing of personal data concerning him or her be limited, if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not erase or destroy the data until a court or authority requests it, but for a maximum of thirty days, and beyond that, the data is not processed for any other purpose),
e) may object to the processing of personal data,
f) may exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive his or her personal data in Word or Excel format and is also entitled to have this data forwarded to another data controller by our company upon request.

You can unsubscribe from the newsletter at any time by sending a letter to our company at info@cityhotelmiskolc.hu. In this case, we will immediately delete your e-mail address from our database.

5. COOKIE MANAGEMENT

In order to provide customized service, the Data Controller stores a small data package on the user’s computer, the so-called it places a cookie and reads it back during the next visit. If the browser returns a previously saved cookie, the cookie management service provider has the opportunity to link the user’s current visit with previous ones, but only with regard to its own content.

The purpose of data management is to: identify, track, and distinguish users from one another, identify the current user session, store the data entered during that session, prevent data loss, web analytics measurements, personalized service.

Legal basis for data management: the consent of the data subject.

Scope of managed data: ID number, date, time, and previously visited page.

Duration of data management: maximum 90 days

Additional information on data management: The user can delete cookies from his computer or disable the use of cookies in his browser. It is usually possible to manage cookies in the Tools/Settings menu of browsers under the Data protection/History/Personal settings menu under the names cookie, cookie or tracking.

Possible consequences of failure to provide data: impossibility of using the service for the services described in points 2-6 above.

WEBSITE SERVER LOGGING

When visiting the nethotelbooking.net web page, the web server automatically logs the user’s activity.

Purpose of data management: during visits to the website, the service provider records visitor data in order to check the operation of the services and prevent abuse.

Legal basis for data management: point f) of Article 6 (1) of the GDPR. Our company has a legitimate interest in the safe operation of the website.

Type of personal data handled: ID number, date, time, address of the page visited.

Duration of data management: maximum 90 days

Data Processor Name	Headquater	Data processing task description
PREVIO s.r.o.	Kolbenova 882/5a 190 00 Praha 9	Recording of visitor data and information necessary for the operation of the server.

Additional information: our company does not connect the data generated during the analysis of the log files with other information, and does not seek to identify the user. The address of the pages visited, as well as the date and time data, are not suitable for identifying the data subject by themselves, but when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

Data processing related to logging by external service providers:

The html code of the portal contains links to and from external servers independent of our company. The servers of the external service providers are directly connected to the user’s computer. We draw our visitors’ attention to the fact that the providers of these links are able to collect user data (e.g. IP address, browser, operating system data, cursor movement, address of the page visited and the time of the visit) due to the direct connection to their servers and direct communication with the user’s browser. The IP address is a sequence of numbers with which the computers and mobile devices of users accessing the Internet can be clearly identified.

IP addresses can even be used to locate the visitor using a given computer geographically. On their own, the address of the pages visited and the date and time data are not suitable for identifying the data subject, but when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

OTHER DATA PROCESSING

We provide information on data processing not listed in this notice when the data is collected. We inform our customers that certain authorities, bodies performing public duties, and courts may contact our company for the purpose of providing personal data. If the relevant body has specified the exact purpose and scope of the data, our company will release personal data to these bodies only to the extent that is absolutely necessary to achieve the purpose of the request, and if the fulfilment of the request is required by law.

METHOD OF STORING PERSONAL DATA, SECURITY OF DATA PROCESSING

Our company’s IT systems and other data storage locations are located at the headquarters and on servers rented by the data processor. Our company selects and operates the IT tools used during the provision of the service to process personal data in such a way that:

a) the processed data is accessible to those authorised to do so (availability);
b) the processed data’s authenticity and authentication are ensured (authenticity of data processing);
c) it can be demonstrated that the processed data is unchanged (data integrity);
d) the processed data can be protected against unauthorised access (data confidentiality).

We pay special attention to the security of the data; we also take the technical and organisational measures and develop the procedural rules that are necessary to enforce the safeguards according to the GDPR. We protect the data with appropriate measures, in particular against unauthorised access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage, and inaccessibility resulting from changes in the technology used.

The IT system and network of our company and our partners are protected against computer-assisted fraud, computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security with server-level and application-level protection procedures. Daily data backup is done. In order to avoid personal data breaches, our company takes all possible measures. In the event of such an incident – according to our incident management policy – we take immediate action to minimise the risks and prevent damages.

RIGHTS OF THE DATA SUBJECT, AVAILABLE LEGAL REMEDIES

The data subject may request information about the processing of personal data concerning him or her, and may request the rectification of such personal data, or – with the exception of mandatory data processing – deletion or withdrawal. The data subject may exercise his or her right to data portability and object to the processing in the manner indicated when the data was collected, or at the above contact details of the data controller.

At the request of the data subject, we provide information in electronic form without undue delay, but within 30 days at the latest, in accordance with our relevant policies. We fulfil the requests of the data subjects to exercise the rights below free of charge.

Right to information:

Our company takes appropriate measures in order to provide data subjects with all the information mentioned in Articles 13, 14, 15–22 and 34 of the GDPR regarding the processing of their personal data and to provide such information in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded, and at the same time, in a precise manner.

The right to information can be exercised in writing, via the contact details specified in Section 1. At the request of the data subject, information can also be provided orally after proof of identity. We inform our customers that if the employees of our company have doubts about the identity of the data subject, we can request the provision of the information necessary to confirm the identity of the data subject.

The data subject’s right to access:

The data subject has the right to receive feedback from the data controller as to whether his personal data is being processed. If personal data is being processed, the data subject is entitled to access the personal data and the following information listed.

Purposes of data management;
categories of personal data concerned;
the recipients or categories of recipients to whom or to whom the personal data has been or will be communicated, including in particular recipients from third countries (outside the European Union) and international organizations;
planned duration of storage of personal data;
the right to correct, delete or limit data processing and to object;
the right to submit a complaint to the supervisory authority;
information about data sources; the fact of automated decision-making, including profiling, as well as comprehensible information about the applied logic and the significance of such data management and the expected consequences for the data subject.

In addition to the above, if personal data is transferred to a third country or international organization, the data subject is entitled to receive information about the appropriate guarantees for the transfer.

Right of rectification:

Pursuant to this right, anyone can request the correction of inaccurate personal data managed by our company and the addition of incomplete data.

Right to erasure:

If one of the following reasons exists, the data subject has the right to have his/her personal data deleted without undue delay upon request:

a) personal data are no longer needed for the purpose for which they were collected or otherwise processed;
b) the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management;
c) the data subject objects to data processing and there is no overriding legal reason for data processing;
d) illegal processing of personal data can be established;
e) personal data must be deleted in order to fulfill the legal obligation prescribed by EU or Member State law applicable to the data controller;
f) the collection of personal data took place in connection with the offering of services related to the information society.

Data deletion cannot be initiated if data processing is necessary for the following purposes:

a) for exercising the right to freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
d) or for the establishment, exercise or defence of legal claims.

The right to restrict data processing:

At the request of the data subject, we restrict data processing in the case of conditions in Article 18 of the GDPR, i.e. if:

a) the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period that allows the accuracy of the personal data to be checked;
b) the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of their use
c) the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to submit, enforce or defend legal claims; obsession
d) the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

If data management is subject to restrictions, personal data may only be processed with the consent of the data subject, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the European Union or a member state. The data subject must be informed in advance of the lifting of the restrictions on data management.

Right to data portability:

The data subject has the right to receive the personal data concerning him/her provided to the data controller in a segmented, widely used, machine-readable format, and to forward this data to another data controller. Our company can fulfill such a request of the person concerned in word or excel format.

Right to object:

If personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for this purpose, including profiling, where it is related to direct marketing. In case of objection to the processing of personal data for the purpose of direct marketing, the data cannot be processed for this purpose.

Automated individual decision-making, including profiling:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right cannot be applied if the data processing

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests;
c) is based on the data subject’s explicit consent.

Right of withdrawal:

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Procedural rules:

The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out by it to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Compensation and damages:

Any person who has suffered material or non-material damage as a result of a violation of the data protection regulation is entitled to compensation from the controller or the processor for the damage suffered. T A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to go to court and official data protection procedure:

In the event of a violation of his or her rights, the data subject may take action in court against the controller. The court shall give priority to such cases.

You can file a complaint with the National Data Protection and Freedom of Information Authority.

name: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)
adress: 1055 Budapest, Falk Miksa utca 9-11
e-mail: ugyfelszolgalat@naih.hu
telephone: +36 (30) 683-5969

+36 (30) 549-6838

+36 (1) 391 1400