{"id":628,"date":"2024-11-28T08:23:04","date_gmt":"2024-11-28T08:23:04","guid":{"rendered":"https:\/\/lellerelax.hu\/?page_id=628"},"modified":"2024-12-13T14:59:28","modified_gmt":"2024-12-13T14:59:28","slug":"adatkezelesi-tajekoztato","status":"publish","type":"page","link":"https:\/\/lellerelax.hu\/en\/adatkezelesi-tajekoztato\/","title":{"rendered":"Information on data management"},"content":{"rendered":"
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

Pursuant to Article 12(1) of the European General Data Protection Regulation (Regulation (EU) 2016\/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95\/46\/EC \u2013 hereinafter GDPR) and Section 14(a) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter Infotv.).<\/p>

1. Data and contact details of the data controller:<\/h4>

Name:<\/strong> BSZP Lake Balaton Ltd.
Headquarters:<\/strong> 8638 Balatonlelle, Tab\u00e1n utca 27.
Phone number:<\/strong> (+36) 30-651-9503
E-mail:<\/strong> info@lellerelax.hu<\/p>

Location of accommodation service:<\/strong>
Tiny Relax Guest House
8638 Balatonlelle, Tab\u00e1n k\u00f6z 38.
NTAK registration number: EG22034750<\/strong><\/p>

and\u00a0<\/p>

Penti Relax Guest House
8638 Balatonlelle, Hull\u00e1m utca 11.
NTAK registration number: EG24102339<\/strong><\/p>

The data controller shall in all cases ensure the lawfulness and appropriateness of the data processing with regard to the personal data it processes.<\/p>

2. Personal data (GDPR Article 4, point 1):<\/strong>\u00a0any information relating to an identified or identifiable natural person (\u201cdata subject\u201d), an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.<\/p>

3. Purpose of data processing:<\/strong>\u00a0providing advance information about the accommodation, providing online accommodation bookings, providing other accommodation services, keeping in touch via newsletter.<\/p>

4. Scope of personal data processed:<\/strong>\u00a0surname and first name, place and time of birth, address (country, postal code, city, street, house number), telephone number, e-mail address, citizenship, personal identification number or passport number, bank card number, SZ\u00c9P card data (identification number, name on the card), vehicle registration number.<\/p>

5. Legal basis for data processing:<\/strong>\u00a0According to Article 6(1) of the GDPR:<\/p>

the)<\/strong>\u00a0the data subject has given consent to the processing of his or her personal data for one or more specific purposes,<\/p>

b)<\/strong>\u00a0the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject's request prior to entering into a contract,<\/p>

c)<\/strong>\u00a0the data processing is necessary for the fulfillment of a legal obligation to which the data controller is subject,<\/p>

d)<\/strong>\u00a0the data processing is for the purposes of the legitimate interests of the data controller or a third party<\/p>

necessary.<\/p>

6. Use of a data processor:<\/strong><\/p>

Activity provided by the data processor: Hosting service<\/p>

Name of data processor: RACKFOREST ZRT.<\/p>

Registered office: 1132 Budapest, Victor Hugo Street 11, 5th floor, B05001.<\/p>

Phone number: +36 1 211 0044<\/p>

Email: info@rackforest.hu<\/p>

Web address: https:\/\/rackforest.com\/<\/p>

\u00a0<\/p>

Barion payment option\u00a0<\/b><\/p>

The website offers the option to pay the full amount of the reservation by Barion Smart Gateway<\/b> using an online payment system. Barion is a secure and convenient payment method that allows transactions with a bank card or Barion balance.<\/p>

During the payment process, the following data may be transmitted to Barion Payment Zrt., which is responsible for processing the transaction:<\/p>

\u2022The booking amount,<\/p>

\u2022Transaction ID,<\/p>

\u2022Contact details provided by the customer (e.g. name, email address).<\/p>

The purpose of data processing is solely to process the payment transaction. Barion Payment Zrt. complies with international PCI DSS standards, which ensure the secure handling of data.<\/p>

For more information, please visit Barion Data Protection Policy<\/a> to the side.<\/p>

If you have any questions about online payments, please feel free to contact us. Your security and convenience are of utmost importance to us!<\/p>

7. Duration of data processing:<\/strong>\u00a0two years after the last day of the booked stay, or in the case of newsletter service, until the receipt of the unsubscribe from the newsletter.<\/p>

8. Provision of data to authorities, bodies performing public tasks, and courts<\/strong><\/p>

In order to fulfill a legal obligation, certain authorities, public bodies and courts may contact the data controller to disclose personal data. The data controller will only disclose personal data to the above organisations \u2013 provided that the organisation concerned has indicated the precise purpose and scope of the data \u2013 if required by law and to the extent that is strictly necessary to achieve the purpose of the request.<\/p>

9. Rights of the person affected by the data processing \u2013 data subject \u2013 (GDPR Chapter III):<\/strong><\/p>

the)<\/strong>\u00a0Right to transparent information (GDPR Articles 12-14): The data controller, within the scope of its information obligation, declares with this data protection notice the data controller, data protection officer, the purpose and legal basis of data processing, its duration, the source of the data, the rights of the data subject, and the legal remedy. The data subject may also be provided with verbal information \u2013 after verification of identity.<\/p>

b)<\/strong>\u00a0Right of access of the data subject (GDPR Article 15): The data subject may request access to the personal data concerning him or her from the data controller and a copy of his or her personal data.<\/p>

The data controller must provide feedback to the data subject on whether their personal data is being processed; if such data is being processed, the data subject has the right to access the following information:<\/p>

\u2013 the purposes of data processing,<\/p>

\u2013 the categories of personal data concerned,<\/p>

\u2013 the recipients or categories of recipients to whom or to which the personal data have been or will be disclosed,<\/p>

\u2013 the planned period of storage of personal data, or, in the absence thereof, the specific aspects of its determination,<\/p>

\u2013 the right of the data subject to request the data controller to correct, delete or restrict the processing of his or her personal data, and to object to the processing of his or her personal data,<\/p>

\u2013 the right to submit a complaint to a supervisory authority,<\/p>

\u2013 if the data were not collected from the data subject, all available information regarding their source,<\/p>

\u2013 the fact of automated decision-making, including profiling, the logic applied in these cases, and understandable information on such data processing, its significance and its consequences for the data subject.<\/p>

c)<\/strong>\u00a0Rectification, erasure and restriction of data processing of the data subject (Articles 16-18 of the GDPR):<\/p>

ca) the data subject has the right to obtain from the controller, upon request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the data processing, the data subject may request the completion of incomplete personal data by means of a declaration.<\/p>

cb)<\/strong>\u00a0the right to erasure \u2013 under the \u201cright to be forgotten\u201d, personal data must be erased if<\/p>

\u2013 the purpose of data processing has ceased to exist,<\/p>

\u2013 the data subject has withdrawn his\/her consent and there is no other legal basis for the data processing,<\/p>

\u2013 the data processing is based on a legitimate interest, or is in the public interest, or is necessary for the performance of a task carried out by the data controller in the exercise of official authority, and the data subject objects to the data processing,<\/p>

\u2013 the data processing is unlawful,<\/p>

\u2013 erasure is necessary to comply with an obligation imposed on the controller by EU or Member State law,<\/p>

\u2013 the data was deleted in relation to services related to information services offered directly to children.<\/p>

c)<\/strong>\u00a0based on the right to restrict data processing, the data controller restricts data processing at the request of the data subject if<\/p>

\u2013 the data subject disputes the accuracy of the personal data,<\/p>

\u2013 the data processing is unlawful and the data subject opposes the deletion of personal data,<\/p>

\u2013 the data controller no longer needs the personal data, but the data subject requires them for the establishment, exercise or defense of legal claims.<\/p>

\u2013 the data processing is based on a legitimate interest, is in the public interest, or is necessary for the performance of a task carried out by the data controller in the exercise of official authority, and the data subject objects to the data processing.<\/p>

The controller shall inform the data subject of the action taken on the request within one month of receipt of the request (without undue delay). The deadline may be extended by a further two months in view of the number and complexity of the requests. The controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay. For requests submitted by the data subject electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise.<\/p>

d)<\/strong>\u00a0Notification obligation in relation to the rectification or erasure of personal data or restriction of processing (Article 19 GDPR): The controller shall inform any recipient to whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The data subject shall be informed of the recipients upon request.<\/p>

e)<\/strong>\u00a0Right to data portability (Article 20 GDPR):<\/p>

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format (e.g. Word, Excel) and to transmit these data to another controller. The data subject shall also have the right, where technically feasible, to request the direct transmission of the personal data between controllers.<\/p>

f)<\/strong>\u00a0Right to object (GDPR Article 21): The data subject has the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her based on legitimate interests or where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, including profiling based on these legal grounds. In the above cases, the controller may only continue to process the personal data if it demonstrates compelling legitimate grounds for the processing which override the rights and interests of the data subject or for the establishment, exercise or defence of legal claims.<\/p>

g)<\/strong>\u00a0The right of the data subject in the event of automated decision-making (Article 22 of the GDPR): The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her, unless:<\/p>

\u2013 necessary for the conclusion or performance of a contract between the data subject and the data controller,<\/p>

\u2013 it is permitted by Union or Member State law applicable to the controller, which also includes appropriate measures to protect the rights and legitimate interests of the data subject,<\/p>

\u2013 is based on the explicit consent of the data subject.<\/p>

Even in the case of automated decision-making, the data controller must ensure that the data subject has at least the right to request human intervention from the data controller, to express his or her position, or to object to the decision.<\/p>

10. Access to legal remedies:<\/strong><\/p>

the)<\/strong>\u00a0An investigation can be initiated at the National Data Protection and Freedom of Information Authority (GDPR Article 57, Article 77, Infotv. \u00a7 51\/A-58)<\/p>

Anyone (not only the data subject) may initiate an investigation by filing a report with the National Data Protection and Freedom of Information Authority (hereinafter referred to as the Authority) on the grounds that a violation of the law has occurred in connection with the processing of personal data, or that there is an immediate threat of such a violation. If the initiation of an official procedure is not mandatory according to the Infotv., the Authority may initiate an investigation ex officio.<\/p>

The Authority may reject an anonymous report without a substantive investigation, therefore it is important that the report is not anonymous.<\/p>

The Authority's investigation is free of charge, and its costs are paid in advance and borne by the Authority. The Authority shall, as a general rule, make its decision within two months of receipt of the notification.<\/p>

Contact details of the Authority:<\/p>

National Data Protection and Freedom of Information Authority<\/p>

1125 Budapest, Szil\u00e1gyi Erzs\u00e9bet fasor 22\/c.<\/p>

website: www.naih.hu<\/p>

phone: +36 1 31 1400<\/p>

b)<\/strong>\u00a0Judicial enforcement (Article 79 of the GDPR, Section 23 of the Information Act):<\/p>

The data subject may bring proceedings against the data controller or, in connection with data processing operations falling within the scope of the data processor's activities, against the data processor if, in his or her opinion, the data controller or the data processor acting on his or her behalf or on his or her instructions processes his or her personal data in violation of the provisions on the processing of personal data set out in law or in a binding legal act of the European Union.<\/p>

The action must be brought before the courts of the Member State in which the controller or processor is established. The proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence.<\/p>

The data controller or processor must prove that the data processing complies with the requirements set out in law or in a binding legal act of the European Union regarding the processing of personal data.<\/p>

In Hungary, the person concerned may, at his or her choice, also initiate the lawsuit before the court competent for his or her place of residence or stay.<\/p>

The data subject may claim compensation or damages from the data controller in the lawsuit as follows:<\/p>

\u2013 If the data controller causes damage to another person by unlawfully processing the data subject's data or by violating data security requirements, he or she is obliged to compensate for the damage.<\/p>

\u2013 If the data controller violates the data subject's personal rights by unlawfully processing the data subject's data or by violating data security requirements (e.g. communicating personal data to an unauthorized person or making it public), the data subject may claim damages from the data controller.<\/p>

Closing remarks<\/strong><\/p>

When preparing this information, we took into account the following legislation:<\/p>