This information is provided on the basis of Article 12(1) of the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Regulation 95/46/EC, hereinafter GDPR) and point a) of § 14 of Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter referred to as Infotv.).
1. Data and contact details of the data controller:
Name: Géza István Simon
Headquarters: 3300 Eger, Kisfaludy Sándor út 7.
Telephone number: +36 70 567 3977, +36 20 381 1992
E-mail: valleyvendeghazeger@gmail.com
Place of accommodation service:
Valley Guesthouse
3300 Eger, Szalóki út 8.
NTAK registration number: MA24090384
In all cases, the data controller ensures the legality and expediency of the data management in relation to the personal data it manages.
2. Personal data (GDPR Article 4 point 1): any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by an identifier such as a name, number, location data or online identifier, or by one or more factors related to the natural person's physical, physiological, genetic, intellectual, economic, cultural or social identity.
3. Purpose of data management: advance information about the accommodation, provision of online accommodation booking, provision of other accommodation services, contact via newsletter.
4. Scope of processed personal data: surname and first name, place and time of birth, residential address (country, postal code, city, street, house number), telephone number, e-mail address, citizenship, personal identification number or passport number, bank card number, SZÉP card data (ID, name on the card), vehicle registration number.
5. Legal basis for data management: According to Article 6 (1) GDPR:
a) the data subject has given his consent to the processing of his personal data for one or more specific purposes,
b) data processing is necessary for the performance of a contract in which the data subject is one of the parties, or it is necessary for taking steps at the request of the data subject prior to the conclusion of the contract,
c) data management is necessary to fulfill the legal obligation of the data controller,
d) data management is necessary for the enforcement of the legitimate interests of the data controller or a third party.
6. Using a data processor:
Activity provided by data processor: Storage service
Name of data processor: RACKFOREST ZRT.
Headquarters: 1132 Budapest, Victor Hugo utca 11. 5th em. B05001.
Phone number: +36 1 211 0044
E-mail: info@rackforest.hu
Web address: https://rackforest.com/
7. Duration of data management: two years after the last day of the stay according to the reservation; for the newsletter service, until receipt of the unsubscribe request.
8. Data provision to authorities, bodies performing public duties, courts
In order to fulfill a legal obligation, certain authorities, bodies performing public duties, and courts may contact the data controller for the purpose of communicating personal data. The data controller will release personal data to the above organizations only if the relevant organization has indicated the exact purpose and scope of the data, if this is required by law, and only to the extent that is absolutely necessary to achieve the purpose of the request.
9. The rights of the person affected by the data processing (data subject) (GDPR Chapter III):
a) Right to transparent information (GDPR Articles 12-14): With this data protection information, the data controller provides information about the data controller, the data protection officer, the purpose and legal basis of the data management, its duration, the source of the data, the data subject's rights, and the legal remedy. Verbal information can also be given to the data subject, after proof of identity.
b) Right of access of the data subject (GDPR Article 15): The data subject may request from the data controller access to, and a copy of, his/her personal data.
The data controller must inform the data subject whether his/her personal data is being processed. If such data is being processed, the data subject is entitled to access the following information:
- the purposes of data management,
- the categories of personal data concerned,
- the recipients, or the categories of recipients, to whom or to which the personal data is disclosed or will be disclosed,
- the planned period of storage of personal data, and in the absence of this, the criteria for determining it,
- the data subject's right to ask the data controller to correct, delete or limit the processing of his or her personal data, and to object to the processing of his or her personal data,
- the right to submit a complaint to a supervisory authority,
- if the data were not collected from the data subject, all available information about their source,
- the fact of automated decision-making, including profiling, the logic used in these cases, and understandable information about the significance of such data management and its consequences for the data subject.
c) The data subject's right to correction, deletion and restriction of data processing (GDPR Articles 16-18):
ca) upon request, the data subject has the right to have the data controller correct inaccurate personal data without undue delay. Subject to the purpose of data management, the data subject may request that incomplete personal data be completed by means of a supplementary statement.
cb) the right to erasure - based on the "right to be forgotten", personal data must be erased if
- the purpose of data management has ceased,
- the data subject has withdrawn his consent and there is no other legal basis for data processing,
- the data processing is based on a legitimate interest, or is of public interest, or is necessary for the performance of a task performed by the data controller in the context of the exercise of a public authority, and the data subject objects to the data processing,
- data management is illegal,
- it is necessary to delete it in order to fulfill the obligation prescribed by the EU or Member State law applicable to the data controller,
- the data was collected in relation to information society services offered directly to children.
cc) based on the right to limit data processing, the data controller limits data processing at the request of the data subject if
- the data subject disputes the accuracy of the personal data,
- data processing is illegal and the data subject opposes the deletion of personal data,
- the data controller no longer needs the personal data, but the data subject requires them to present, enforce or defend legal claims,
- the data processing is based on a legitimate interest, or is of public interest, or is necessary for the performance of a task carried out in the framework of the exercise of the authority of the data controller, and the data subject objects to the data processing.
The data controller shall inform the data subject of the measures taken on the basis of the request without undue delay, within one month of receipt of the request. The deadline can be extended by another two months in view of the number and complexity of the requests. The data controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay. For requests submitted electronically by the data subject, the information must be provided electronically, if possible, unless the data subject requests otherwise.
d) Notification obligation related to the correction or deletion of personal data or restriction of data processing (GDPR Article 19): The data controller informs all recipients of the correction, deletion or restriction of data processing, unless this is impossible or involves a disproportionately large effort. At the request of the data subject, the recipients must be informed.
e) Right to data portability (Article 20 GDPR):
The data subject has the right to receive the personal data concerning him/her that he/she provided to the data controller in a structured, widely used, machine-readable format (e.g. Word, Excel) and to forward this data to another data controller. If this is technically feasible, the data subject is also entitled to request the direct transmission of personal data between data controllers.
f) The right to object (GDPR Article 21): The data subject has the right to object, for reasons related to his own situation, to the processing of his personal data where the processing is based on a legitimate interest, is in the public interest, or is necessary for the performance of a task carried out in the exercise of public authority, including profiling based on these legal grounds. In the above cases, the data controller may continue to process the personal data only if it proves that the data processing is justified by compelling legitimate reasons that take precedence over the rights and interests of the data subject, or that are related to the presentation, enforcement or defense of legal claims.
g) The right of the data subject in case of automated decision-making (GDPR Article 22): The data subject has the right not to be subject to a decision based solely on automated data management, including profiling, which would have legal effects on him or significantly affect him, unless the decision:
- is necessary for the conclusion or performance of the contract between the data subject and the data controller,
- is made possible by EU or Member State law applicable to the data controller, which also includes appropriate measures to protect the rights and legitimate interests of the data subject,
- is based on the express consent of the data subject.
Even in the case of automated decision-making, the data controller is obliged to ensure that the data subject has at least the right to request human intervention on the part of the data controller, to express his point of view, or to submit an objection to the decision.
10. Use of legal remedy:
a) An investigation can be initiated at the National Data Protection and Freedom of Information Authority (GDPR Article 57, Article 77, Infotv. § 51/A-58)
By filing a report with the National Data Protection and Freedom of Information Authority (hereinafter the Authority), anyone (not only the person concerned) can initiate an investigation, citing that a violation of rights has occurred in connection with the handling of personal data, or there is an immediate risk of such violation. If the initiation of official proceedings is not mandatory under the Infotv., the Authority may initiate an investigation ex officio.
The Authority may reject an anonymous report without a substantive investigation, so it is important that the report is not anonymous.
The Authority's investigation is free of charge; its costs are advanced and borne by the Authority. As a general rule, the Authority makes its decision within two months of receiving the report.
Contact information of the Authority:
National Data Protection and Freedom of Information Authority
1125 Budapest, Szilágyi Erzsébet fasor 22/c.
website: www.naih.hu
telephone: +36 1 31 1400
b) Judicial enforcement (GDPR Article 79, Infotv. § 23):
The data subject may go to court against the data controller or, in connection with data processing operations within the scope of the data processor's activities, against the data processor if, in his judgment, the data controller or the data processor entrusted by it or acting on its instructions is handling his personal data in violation of the regulations for the management of personal data defined in law or in a mandatory legal act of the European Union.
The lawsuit must be initiated before the court of the place of business of the data controller or of the data processor. The procedure can also be initiated before the court of the Member State of the habitual residence of the person concerned.
The data controller or the data processor is obliged to prove that the data management complies with the regulations for the management of personal data, defined in legislation or in a mandatory legal act of the European Union.
In Hungary, the person concerned may - at his or her choice - initiate the lawsuit before the competent court based on his or her place of residence.
In the lawsuit, the data subject may demand compensation or damages from the data controller as follows:
- If the data controller causes damage to others by illegally handling the data subject's data or by violating data security requirements, he is obliged to compensate them.
- If the data controller violates the data subject's right to privacy by illegally handling the data subject's data or violating the requirements of data security (e.g. communicating personal data to an unauthorized person or making it public), the data subject may demand damages from the data controller.
Final word
During the preparation of the information sheet, we paid attention to the following legislation:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of Regulation 95/46/EC (General Data Protection Regulation)
- Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.)
- Act CVIII of 2001 on certain issues of electronic commercial services and services related to the information society (mainly § 13/A)
- Act XLVII of 2008 on the prohibition of unfair commercial practices towards consumers
- Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising (especially § 6.a)
- Act XC of 2005 on Electronic Freedom of Information
- Act C of 2003 on electronic communication (specifically § 155.a)
- Opinion No. 16/2011 on the EASA/IAB Recommendation on Best Practices for Behavioral Online Advertising
- The recommendation of the National Data Protection and Freedom of Information Authority on the data protection requirements of prior information
- Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and repealing Regulation 95/46/EC