English
Magyar
RomânăPrivacy Policy
Data Controller: Körös-Maros Vidékfejlesztési és Ökogazdálkodási Alapítvány (továbbiakban Adatkezelő)
Registered Office: 5711 Gyula, Külterület 4.
Tax Number: 18387830-2-04
Registration Number: 04-01-2270
Email: info@gyulavarikastely.hu
Phone: +36 30 545 4471
Website: www.kastely-apartman.hu
The Data Controller declares that during data processing, it acts in accordance with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the Infotv.).
The Data Controller respects the personal rights of its Guests, and therefore has prepared the following Data Protection Notice (hereinafter referred to as the Notice), which is available electronically on the Data Controller’s official website and in printed form at the Kastély Apartment and Sörház.
This Notice provides general guidance on the data processing that occurs during the provision of services by the Data Controller. The method of data processing may differ from the provisions of this Notice on a case-by-case basis, but the Data Controller will inform the Guest of any such differences and their exact nature in advance. The Data Controller will provide information on any data processing not included in this Notice before the data processing in question takes place.
The Data Controller processes personal data only for a predetermined purpose, for the necessary duration, and for the purpose of exercising rights and fulfilling obligations. The Data Controller only processes personal data that is essential for achieving the purpose of the data processing and is suitable for achieving that purpose.
For the validity of a minor’s declaration of consent, the consent or subsequent approval of their legal representative is required.
In all cases where the Data Controller uses the provided data for a purpose other than the original purpose of data collection, it will inform the data subject, request their prior, explicit consent, and provide them with the opportunity to prohibit the use of their data.
Personal data that comes to the knowledge of the Data Controller during data processing may only be accessed by persons acting on behalf of the Data Controller or in an employment relationship with the Data Controller, who have a task related to the given data processing due to their job description.
1. Definitions
Data Subject: Any natural person who is identified or can be identified—directly or indirectly—based on personal data.
Personal Data: Data that can be linked to the data subject—in particular their name, identification mark, and one or more pieces of information characteristic of their physical, physiological, mental, economic, cultural, or social identity—as well as any conclusion that can be drawn from the data concerning the data subject.
Special Data: Personal data relating to racial origin, nationality, political opinion or party affiliation, religious or other philosophical beliefs, membership in an interest-representing organization, sexual life, as well as personal data relating to health status, pathological passions, and criminal personal data.
Consent: The voluntary and clear expression of the data subject’s will, which is based on proper information, and by which they give their unambiguous consent to the processing of their personal data—in its entirety or for specific operations.
Objection: A statement by the data subject by which they object to the processing of their personal data and request the cessation of the data processing or the deletion of the processed data.
Data Controller: The natural or legal person, or an organization without legal personality, who or which, alone or jointly with others, determines the purposes of data processing, makes and executes decisions concerning data processing (including the tools used), or has them executed by a Data Processor they have commissioned.
Data Processing: Any operation or set of operations performed on data, regardless of the procedure used, including in particular the collection, recording, systematization, storage, alteration, use, retrieval, transmission, disclosure, synchronization or connection, blocking, deletion and destruction, as well as the prevention of further use of the data, the making of photographs, sound or visual recordings, and the recording of physical characteristics suitable for identifying a person (e.g., fingerprint or palm print, DNA sample, iris image).
Data Transfer: Making data accessible to a specified third party.
Disclosure: Making data accessible to anyone.
Data Deletion: Making data unrecognizable in a way that its restoration is no longer possible.
Data Marking: Providing data with an identifier for the purpose of distinguishing it.
Data Blocking: Providing data with an identifier for the purpose of permanently or for a specified period limiting its further processing.
Data Processing: The performance of technical tasks related to data processing operations, regardless of the method and tools used to perform the operations, and the location of the application, provided that the technical task is performed on the data.
Data Processor: The natural or legal person, or an organization without legal personality, who or which performs data processing based on a contract concluded with the Data Controller—including a contract concluded on the basis of a legal provision.
Third Party: A natural or legal person, or an organization without legal personality, who or which is not identical to the data subject, the Data Controller, or the Data Processor.
Data Protection Incident: The unlawful handling or processing of personal data, including, in particular, unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction and damage.
Person with Third-Country Citizenship: Any person other than a Hungarian citizen who is not a citizen of a member state of the European Economic Area, including a stateless person.
European Economic Area (EEA): The member states of the European Union, Iceland, Liechtenstein, and Norway as participating member states, and Switzerland as a state with the same legal status.
2. Purposes of Data Processing
2.1. Hotel Services
In the context of providing services, the processing of all data related to the data subject is based on voluntary consent, and its purpose is to ensure the provision of the service, maintain contact, and present the Data Controller’s services. The Data Controller stores the personal data contained in this section for a period in accordance with the current tax and accounting regulations and deletes them after the expiration of the deadline.
For some services, it is possible to provide additional data in the comments section, which helps to fully understand the Guest’s needs, but this is not a condition for making a room reservation or using other services.
2.1.1. Request for Quotation, Room Reservation
In the case of online, in-person (paper-based), or telephone requests for quotations and room reservations, the Data Controller requests/may request the following data from the Guest:
- Surname
- First name
- Place of residence (address, city, postal code, country)
- Email address
- Phone number
2.1.2. Registration Form
When using certain accommodation services, the Guest fills out a registration form, by handing over which to the employees working at the Data Controller’s facility, they consent to the Data Controller processing the following mandatory data for the purpose of fulfilling its obligations specified in the relevant laws (in particular, those related to immigration and tourist tax) for as long as the competent authority can check the fulfillment of the obligations specified in the given laws:
- Surname
- First name
- Permanent address
- Place and date of birth
- Personal identification number
- Citizenship
The provision of the mandatory data by the Guest is a condition for using the accommodation service. By signing and handing over the registration form, the Guest consents to the Data Controller processing and archiving the personal data indicated on the registration form for the necessary period for the purpose of exercising its rights and fulfilling its obligations.
2.2. Camera System
For the personal and property safety of the Guests, outdoor surveillance cameras operate on the premises of the accommodation property operated by the Data Controller. By entering the property, the Guest consents to the Data Controller making a video recording of them and processing and archiving it for the necessary period (168 hours) for the purpose of exercising its rights and fulfilling its obligations.
2.3. Facebook / Messenger
The Data Controller is available on the Facebook social media portal and the Messenger communication system operated by Meta Platforms Inc. The purpose of data processing is to share the Data Controller’s content (advertisements, information). With the help of Facebook and Messenger, the Guest can initiate a room reservation and inquire, request information about the accommodation, or provide preliminary information and coordinate with the Data Controller regarding the reservation. Information on the data processing of the Facebook page and the Messenger messaging system can be obtained from the privacy policies and regulations on the Facebook website, at www.facebook.com.
2.4. Website Visit Data
The Data Controller’s website may also contain links that are not operated by the Data Controller, but merely serve to inform visitors (e.g., Attractions). The Data Controller has no control over the content and security of websites operated by other persons and is therefore not responsible for them.
2.5. Email
The Data Controller ensures that anyone can contact the staff of the accommodation by email. The Data Controller processes the messages until the question is answered, after which it archives the emails and stores them for 5 years.
3. Data Security
The Data Controller treats personal data confidentially and does not disclose it to unauthorized persons. It protects personal data in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage, and inaccessibility resulting from a change in the technology used. The Data Controller takes all necessary security measures to ensure the technical protection of personal data.
The Data Controller’s employees use personal data only to the extent necessary and only for authorized purposes. To ensure this, they have undertaken a confidentiality obligation, which remains in effect even after the termination of their employment.
4. Data Transfer
The Data Controller reserves the right to transfer the personal data it processes to the competent authorities and courts, in accordance with their requests, even without the data subject’s specific consent, in cases specified by law.
For the purpose of verifying the legality of data transfers and informing the data subject, the Data Controller maintains a data transfer log, which contains the date of the transfer of the personal data it processes, the legal basis and recipient of the data transfer, the definition of the scope of the transferred personal data, and other data specified in the law prescribing the data processing.
The Data Controller reserves the right to transfer the personal data it processes to the competent authorities and courts, in accordance with their requests, even without the data subject’s specific consent, in cases specified by law.
5. Data Processors
A specific list of the Data Controller’s data processors can be requested by sending an email to info@gyulavarikastely.hu or a regular letter by post, which the Company will fulfill in writing within 30 days.
6. Legal Remedies
6.1. Information
Upon a request sent by the data subject to the email address info@gyulavarikastely.hu or to the Data Controller’s name and address (Körös-Maros Regional Development and Eco-Farming Foundation, 5711 Gyula, Külterület 4.), the Data Controller will provide information about the data it processes and the data processed by the Data Processor it has commissioned, their source, the purpose of the data processing, its legal basis, duration, the name and address of the data processor, and its activities related to the data processing, the circumstances and effects of the data protection incident, and the measures taken to remedy it, as well as—in the case of a data transfer of the data subject’s personal data—the legal basis and recipient of the data transfer. This information is provided free of charge once a year with respect to the same data, and for a fee thereafter, within a maximum of 25 days from the submission of the request.
For the purpose of checking measures related to the data protection incident and informing the data subject, the Data Controller maintains a log that contains the scope of the data subject’s personal data, the group and number of data subjects affected by the data protection incident, the date, circumstances, and effects of the data protection incident, and the measures taken to remedy it, as well as other data specified in the law prescribing the data processing.
In the case of a refusal to provide information, the Data Controller will inform the data subject in writing on the basis of which provision of which law the refusal was made and will inform the data subject of the legal remedies available to them.
6.2. Rectification
If the personal data does not correspond to the truth and the truthful personal data is available to the Company, the Data Controller will rectify the personal data. The Data Controller will notify the data subject of the rectification, as well as all those to whom the data may have been previously transmitted for data processing purposes. The notification may be omitted if, considering the purpose of the data processing, this does not harm the data subject’s legitimate interests. The provisions of point 7.1 are applicable to rectification upon request, the processing deadline, and the possibility of legal remedy.
6.3. Deletion and Blocking, Objection
The provisions of Sections 17–21 of the Infotv. are applicable to the deletion and blocking of personal data and objection to data processing.
6.4. Judicial Enforcement
In the event of a violation of their personal rights, the data subject may turn to the court. The provisions of Section 22 of the Infotv., Sections 2:51–2:54 of Act V of 2013 on the Civil Code, and other relevant legal provisions are applicable to judicial proceedings.
6.5. Damages and Compensation
If the Data Controller causes damage by unlawful processing of the data subject’s data or by violating data security requirements, or infringes the data subject’s personal rights, compensation can be claimed from the Data Controller.
The Data Controller is exempt from liability for the damage caused and from the obligation to pay compensation if it proves that the damage or the infringement of the data subject’s personal rights was caused by an unavoidable cause outside the scope of data processing.
The Data Controller is also responsible to the data subject for the damage caused by the Data Processor and is also obliged to pay the data subject the compensation due in the event of a personal rights infringement caused by the Data Processor. The Data Controller is exempt from liability and the obligation to pay compensation if it proves that the damage or the infringement of the data subject’s personal rights was caused by an unavoidable cause outside the scope of data processing. Damages and compensation cannot be claimed to the extent that they arose from the data subject’s intentional or grossly negligent conduct.
7. Other Provisions
The Data Controller reserves the right to modify this Notice and will notify the data subjects of any such modification. The Data Controller does not take responsibility for the accuracy of the data provided by website visitors or Guests.
For data protection issues, you can always ask for the help of the Hungarian National Authority for Data Protection and Freedom of Information:
President: dr. Péterfalvi Attila, Data Protection Commissioner
Mailing address: 1534 Budapest, Pf.: 834
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Website: http://www.naih.hu
Email: ugyfelszolgalat@naih.hu