Privacy Policy

This Privacy Policy (‘Policy’) informs data subjects with respect to the personal data processed in connection with the use of the website of the hotel operated by Data Controller, the reservation of hotel services and rooms, and the payment for the services rendered, requesting quotations, filling out registration sheets, subscribing to newsletters, maintaining a registry of lost and found items, and the use of the electronic surveillance system, in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (‘GDPR’).

1. Data Controller and their contact details

Company name of the Data Controller: P.S. Hotel Korlátolt Felelősségű Társaság
Registered office: HU-1037 Budapest, Montevideo u. 3/A
Mailing address: HU – 9600 Sárvár, Vadkert utca 4.
E-mail address: info.sarvar@parkinn.com
Phone number: +36 95 530 100
Fax: +36 95 530 101
Website: www.parkinnsarvar.hu

2. Processing of the data of data subjects

2.1. Data subjects involved

Data Controller processes the data of the following persons (hereinafter as ‘Data Subject’) when pursuing the data processing purposes determined in the title: persons visiting the website of the hotel, persons subscribing to newsletters, guests requesting a quotation or making reservations, persons using the services of the hotel.

2.2. Categories of processed personal data

The Data Controller processes the following personal data of Data Subjects for the data processing purposes determined in the title:

  • first and last name of the Data Subject
  • e-mail address of the Data Subject
  • telephone number of the Data Subject
  • residential address of the Data Subject
  • in case of economic operators, the company name and registered office of the Data Subject
  • bank card details of the Data Subject
  • SZÉP card details of the Data Subject
  • date of birth of the Data Subject
  • number of the rooms reserved by the Data Subject
  • data of arrival and departure
  • license plate number
  • data of the accompanying persons
  • the method of payment

Data Subject shall provide the personal data processed to the Data Controller through the hotel’s website, via the online booking system, while reserving rooms or requesting quotations, subscribing to newsletters, and by way of filling out the printed registration sheet.

2.3. Purposes, legal ground and period of data processing

The processing of the personal data is necessary for the preparation and performance of the contract for reserving accommodation (hereinafter: ‘Contract’).

The detailed conditions for providing the services under the Contract are specified in the General Terms and Conditions (hereinafter: ‘GTCs’) and the documents referred to therein.

2.3.1 Data processing in relation to making reservations online

Data Controller provides an online facility for reserving accommodation to ensure that the Data Subject may reserve his/her room in Park Inn by Radisson Sárvár Resort & Spa hotel swiftly, conveniently and free of charge.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: to facilitate making reservations, making it free of charge and more efficient, to communicate with the guest making the reservation.

Legal ground of data processing: prior consent of the person making the reservation. By accepting this Policy, the Data Subject provides his/her explicit consent to the processing of his/her data under this clause.

The scope of the personal data processed: addressing; first and last name; residential address (country, postal code, city, street, house number); telephone number; e-mail address; in case of economic operators the company name and registered office, bank card number, SZÉP card details (identifier, the name displayed on the card)

The duration of the processing: two years following the last day of the stay as recorded in the reservation.

Engaging the services of a Data Processor: our company engages the services of an IT service provider for the online reservation system.

Name of the Data Processor | Registered office | Description of the Data Processing operations
NetHotelBooking Kft. | H-8200 Veszprém, Boksa tér 1/A | Providing an opportunity for making reservations online, operating a pre-arrival e-mail module via the RESnWEB system

By accepting this Privacy Policy, the Data Subject explicitly consents to the Data Processor’s engaging the services of further data processors in order to provide a more convenient and customized service in accordance with the following:

Name of the further data processor | Registered office | Description of the Data Processing operations
The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | The owner of the Mandrill software integrated in the booking system. This software is responsible for sending automated emails that display confirmations and notifications in case of making reservations, quotations and when conducting satisfaction surveys.
Oracle Hungary Kft. | H-1095 Budapest, Lechner Ödön fasor 7. | Performing client management operations when using the Opera Front Office hotel management system
BIT SOFT HU Kft. | H-1108 Budapest, Bányató u. 13. | Performing client management operations when using the Opera Front Office hotel management system
BIG FISH Payment Services Kft. | H-1066 Budapest, Nyugati tér 1-2 | Carrying out the data communication required for the payment transactions between the merchant and the payment service provider systems, providing retrievability of transactions for partner merchants
OTP Mobil Szolgáltató Kft. | H-1093 Budapest, Közraktár u. 30-32. | Carrying out the data communication required for the payment transactions between the merchant and the payment service provider systems, providing customer service support to users, confirmation of transactions and fraud-monitoring carried out for the protection of the users.
Creative Management Kft. | H-8200 Veszprém, Boksa tér 1/A | Performing server hosting operations

*The registered office of the Data Processor is located in the United States, therefore data transferred to it is regarded as a data transfer to a third country. However, The Rocket Science Group voluntarily joined the Privacy Shield Agreement concluded by the European Union and the United States government, undertaking to provide a high level of protection of the personal data, therefore there is no further legal obstacle in the way of data transfers.

Potential consequences of failing to provide the data:

Considering the fact that the Data Controller cannot prepare, conclude or complete the Contract without the above personal data, the Data Subject shall be obliged to provide the Data Controller with such personal data. Should the Data Subject fail to provide such data, the Data Controller shall be entitled to refuse the conclusion or the completion of the Contract.

The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)

  1. may request to obtain access to the personal data concerning him/her,
  2. may request the rectification of such data,
  3. may request the erasure of such data,
  4. subject to the fulfilment of the conditions set forth in Article 18 of the GDPR, he/she may request the limitation of the processing of his/her personal data (i.e. that our company shall not erase or destroy such data until requested by a court or an authority or up to a period of thirty days, and shall not process such data for any other purposes),
  5. may object to the processing of the personal data,
  6. may exercise his/her right to data portability. In the meaning of this latter right, the Data Subject shall have the right to receive the personal data concerning him or her in Word or Excel format, furthermore, he/she shall have the right to transmit those data to another controller on his/her request.

Other information in connection with data processing:

  • we intend to help guests with their travel preparations and would like to shorten the time they spend checking in on arrival by providing practical and relevant information, weather forecast, program recommendations and online check-in, and for this reason we send them a so-called pre-arrival email containing information about their accommodation, travel and program opportunities.
  • our company takes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

Our company concluded a data processing contract for data processing operations in which NetHotelBooking Kft., when engaging further data processors, shall apply the same data protection and data processing safeguards that it is bound by under the data processing contract, therefore we ensure that the processing of the personal data is lawful even in the case of the data processor.

2.3.2 Data processing in relation to the requesting of quotations

Data Controller provides an opportunity for Data Subjects to request quotations by electronic means. The quotations are provided by the Data Controller via an automated system with respect to free capacity.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: preliminary enquiry into the prices of the hotel

Legal ground of data processing: prior consent of the person making the reservation, Article 6 (1) a) of the GDPR, and data processing is necessary in order to take steps at the request of the data subject prior to entering into a contract – Article 6 (1) b) GDPR

The scope of the personal data processed: addressing; first and last name; telephone number; e-mail address; number of hotel guests.

The duration of the processing: two years following the last day of the stay as recorded in the reservation.

Engaging the services of a Data Processor: our company engages the services of an IT service provider to operate the online quoting system.

Name of the Data Processor | Registered office | Description of the Data Processing operations
NetHotelBooking Kft. | H-8200 Veszprém, Boksa tér 1/A | Operating the quoting module

By accepting this Privacy Policy, the Data Subject explicitly consents to the Data Processor’s engaging the services of further data processors in order to provide a more convenient and customized service in accordance with the following:

Name of the further data processor | Registered office | Description of the Data Processing operations
The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | The owner of the Mandrill software integrated in the booking system. This software is responsible for sending automated emails that display confirmations and notifications in case of making reservations, quotations and when conducting satisfaction surveys.
Creative Management Kft. | H-8200 Veszprém, Boksa tér 1/A | Performing server hosting operations

*The registered office of the Data Processor is located in the United States, therefore data transferred to it is regarded as a data transfer to a third country. However, The Rocket Science Group voluntarily joined the Privacy Shield Agreement concluded by the European Union and the United States government, undertaking to provide a high level of protection of the personal data, therefore there is no further legal obstacle in the way of data transfers.

Potential consequences of failing to provide the data: The hotel is not able to provide a quote.

The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)

  1. may request to obtain access to the personal data concerning him/her,
  2. may request the rectification of such data,
  3. may request the erasure of such data,
  4. subject to the fulfilment of the conditions set forth in Article 18 of the GDPR, he/she may request the limitation of the processing of his/her personal data (i.e. that our company shall not erase or destroy such data until requested by a court or an authority or up to a period of thirty days, and shall not process such data for any other purposes),
  5. may object to the processing of the personal data,
  6. may exercise his/her right to data portability. In the meaning of this latter right, the Data Subject shall have the right to receive the personal data concerning him or her in Word or Excel format, furthermore, he/she shall have the right to transmit those data to another controller on his/her request.

Other information in connection with data processing: Our company takes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

Our company concluded a data processing contract for data processing operations in which NetHotelBooking Kft., when engaging further data processors, shall apply the same data protection and data processing safeguards that it is bound by under the data processing contract, therefore we ensure that the processing of the personal data is lawful even in the case of the data processor.

2.3.3 Data processing in relation to the purchase of gift vouchers

Our company provides an opportunity to purchase gift vouchers by electronic means. Our company provides gift vouchers by means of an automated system on our website.

Controller of personal data: NetHotelBooking Kft., HU-8200 Veszprém, Boksa Tér 1/A

Purposes of data processing: the purchase and delivery of gift vouchers

Legal ground of data processing: prior consent of the buyer of the gift voucher: by accepting this Policy, the Data Subject grants his/her consent to the processing under this clause.

The scope of the personal data processed: addressing; first and last name; residential address (country, postal code, city, street, house number); telephone number; e-mail address (both of the giver and of the receiver)

The duration of the processing: two years following the expiry date of the gift voucher.

Engaging the services of a Data Processor: our company engages the services of an IT service provider to operate the online gift voucher system.

Name of the Data Processor | Registered office | Description of the Data Processing operations
NetHotelBooking Kft. | H-8200 Veszprém, Boksa tér 1/A | Operating the gift voucher module

By accepting this Privacy Policy, the Data Subject explicitly consents to the Data Processor’s engaging the services of further data processors in order to provide a more convenient and customized service in accordance with the following:

Name of the further data processor | Registered office | Description of the Data Processing operations
The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | The owner of the Mandrill software integrated in the booking system. This software is responsible for sending automated emails that display confirmations and notifications in case of reservations, quotations, pre-arrival emails, satisfaction surveys and the purchase of gift vouchers.
BIG FISH Payment Services Kft. | H-1066 Budapest, Nyugati tér 1-2 | Carrying out the data communication required for the payment transactions between the merchant and the payment service provider systems, providing retrievability of transactions for partner merchants
OTP Mobil Szolgáltató Kft. | H-1093 Budapest, Közraktár u. 30-32. | Carrying out the data communication required for the payment transactions between the merchant and the payment service provider systems, providing customer service support to users, confirmation of transactions and fraud-monitoring carried out for the protection of the users.
Creative Management Kft. | H-8200 Veszprém, Boksa tér 1/A | Performing server hosting operations

*The registered office of the Data Processor is located in the United States, therefore data transferred to it is regarded as a data transfer to a third country. However, The Rocket Science Group voluntarily joined the Privacy Shield Agreement concluded by the European Union and the United States government, undertaking to provide a high level of protection of the personal data, therefore there is no further legal obstacle in the way of data transfers.

Potential consequences of failing to provide the data: The person giving the gift is not able to buy a gift voucher.

The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)

  1. may request to obtain access to the personal data concerning him/her,
  2. may request the rectification of such data,
  3. may request the erasure of such data,
  4. may withdraw his/her consent to processing: in such cases the withdrawal of the consent shall not affect the lawfulness of processing based on the consent before its withdrawal.
  5. subject to the fulfilment of the conditions set forth in Article 18 of the GDPR, he/she may request the limitation of the processing of his/her personal data (i.e. that our company shall not erase or destroy such data until requested by a court or an authority or up to a period of thirty days, and shall not process such data for any other purposes),
  6. may object to the processing of the personal data,
  7. may exercise his/her right to data portability. In the meaning of this latter right, the Data Subject shall have the right to receive the personal data concerning him or her in Word or Excel format, furthermore, he/she shall have the right to transmit those data to another controller on his/her request.

Other information in connection with data processing: Our company takes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

Our company concluded a data processing contract for data processing operations in which NetHotelBooking Kft., when engaging further data processors, shall apply the same data protection and data processing safeguards that it is bound by under the data processing contract, therefore we ensure that the processing of the personal data is lawful even in the case of the data processor.

2.3.4 Data processing related to newsletter subscriptions

Data Controller communicates with its guests via newsletters, recommending its services to them and notifying them about the news and the promotions related to its operations.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: communicating with potential guests

Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR

Determining legitimate interests: maintaining and developing business relations with partners and guests

Scope of personal data processed: name, e-mail address

Duration of data processing: our Company processes e-mail addresses until they are unsubscribed from the newsletters.

Engaging the services of a Data Processor: our company engages the services of an informatics service provider for the sending of newsletters.

Name of the Data Processor | Registered office | Description of the Data Processing operations
Wanadis Kft. | H-1112 Budapest, Budaörsi út 153. | Storing the newsletter mailing database

By accepting this Privacy Policy, the Data Subject explicitly consents to the Data Processor’s engaging the services of further data processors in order to provide a more convenient and customized service in accordance with the following:

Name of the further data processor | Registered office | Description of the Data Processing operations
The Rocket Science Group, LLC | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA | Operating a newsletter mailing system

Potential consequences of failing to provide the data: The Data Subject does not receive newsletters from our Company.

The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)

  1. may request to obtain access to the personal data concerning him/her,
  2. may request the rectification of such data,
  3. may request the erasure of such data,
  4. subject to the fulfilment of the conditions set forth in Article 18 of the GDPR, he/she may request the limitation of the processing of his/her personal data (i.e. that our company shall not erase or destroy such data until requested by a court or an authority or up to a period of thirty days, and shall not process such data for any other purposes),
  5. may object to the processing of the personal data,
  6. may exercise his/her right to data portability. In the meaning of this latter right, the Data Subject shall have the right to receive the personal data concerning him or her in Word or Excel format, furthermore, he/she shall have the right to transmit those data to another controller on his/her request.

You may unsubscribe from the newsletter by sending an e-mail to our Company to info.sarvar@parkinn.com or by clicking on the unsubscribe icon within the newsletter. In such a case, we will immediately delete your e-mail address from our database.

Other information in connection with data processing: Our company takes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

Our company concluded a data processing contract for data processing operations in which NetHotelBooking Kft., when engaging further data processors, shall apply the same data protection and data processing safeguards that it is bound by under the data processing contract, therefore we ensure that the processing of the personal data is lawful even in the case of the data processor.

2.3.5 Managing cookies

In the interest of providing a customized service, Data Controller saves a small data package, a so-called cookie, on the user’s computer which it retrieves during subsequent visits. When the browser sends back a cookie saved earlier, the operator managing that cookie will be able to link the current visit of the user to his/her previous visits, but only in connection with its own content.

Purposes of data processing: identification, tracking of and distinguishing users, identification of current user sessions and the storing of the data provided in the meantime, prevention of data loss, web analytics measurements, personalized service.

Legal ground of data processing: the consent of the Data Subject.

Scope of personal data processed: unique identification number, dates and times and previously visited pages.

Duration of data processing: max. 90 days

Name of the Data Processor | Registered office | Description of the Data Processing operations
Viacom Kft. | H-2360 Gyál, Deák Ferenc utca 17. | Operating the website

Further information in connection with data processing: The user may delete the cookie from his/her computer or may ban the use of cookies in his/her browser. Cookies can usually be managed in the Tools/Settings menu of the browsers under the Privacy/History/Preferences menu, under the name of ‘cookie’ or ‘tracking’.

Potential consequences of failing to provide the data: the use of the service may not be possible in respect of the services described in points 2-5 above.

2.3.6 Server logs of the website

Upon visiting the parkinnsarvar.hu website, the webserver automatically logs the activity of the user.

Purposes of data processing: in order to control the operation of the services and to prevent abuse, the Service Provider records the visitors’ data during their visit to the website.

Legal ground of data processing: Article 6 (1) f) of the GDPR. The secure operation of the website is the legitimate interest of our Company.

Scope of personal data processed: identification number, dates, times, the URL of the pages visited.

Duration of data processing: max. 90 days

Name of the Data Processor | Registered office | Description of the Data Processing operations
NetHotelBooking Kft. | H-8200 Veszprém, Boksa tér 1/A | Recording visitors’ data and the information required for the operation of the server
Viacom Kft. | H-2360 Gyál, Deák Ferenc utca 17. | Operating the website
Viacom Kft. | H-2360 Gyál, Deák Ferenc utca 17. | Webhosting service

Additional information: our Company does not link the data acquired during the analysis of the log files to any other information, it does not aim to identify the user. The URL of the pages visited, and the dates, times alone are not suitable for the identification of the Data Subject, however, when linked to other data (e.g. provided during registration) they become suitable for being used to draw conclusions relevant to the user.

Data processing related to logging by third-party service providers: The HTML code of the portal contains links from and to third-party servers independent from our Company. The third-party server is directly connected to the device of the user. We would like to advise our visitors that the providers of such links may collect user data (e.g. IP address, browser and operating system data, mouse pointer positions, the URL of the visited pages and the date of the visits) because of the direct connection to their servers and the direct communication with the user’s browser. An IP address is a numerical sequence which allows the computers and mobile devices of users going on the Internet to be unambiguously identified.

An IP address may allow a visitor using a particular computer to be geographically localized, too. The URL of the pages visited, and the dates, times alone are not suitable for the identification of the Data Subject, however, when linked to other data (e.g. provided during registration) they become suitable for being used to draw conclusions relevant to the user.

2.3.7 Processing the data on the registration sheet

The hotel requests guests to fill out a registration sheet when checking in, which contains the personal data of the guests. The data provided on the registration sheet are stored in the hotel software and in paper form.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: communicating while the guest is staying at the hotel, communicating after their departure, sending birthday greetings, distinguishing between guests, supporting the reporting of tourist tax, managing the frequent guest program, statutory obligations.

Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR

Scope of personal data processed: name, e-mail address, telephone number, date of birth, residential address, license plate number, room number, date of arrival/departure, data of accompanying persons, newsletter subscriptions, payment method.

Duration of data processing: On the registration sheet, the guest grants his/her consent to the storing of his/her personal data, the hotel stores the data for a period of 8 years after the consent is provided.

Engaging a Data Processor: Opera 5.5 E17 Front Office software for hotels

Name of the Data Processor | Registered office | Description of the Data Processing operations
Oracle Hungary Kft. | H-1095 Budapest, Lechner Ödön fasor 7. | Storing the data of guests / Data Subjects
BIT SOFT HU Kft. | H-1108 Budapest, Bányató u. 13. | Storing the data of guests / Data Subjects

Potential consequences of failing to provide the data: The Data Subject cannot occupy his/her room.

The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)

  1. may request to obtain access to the personal data concerning him/her,
  2. may request the rectification of such data,
  3. may request the erasure of such data,
  4. subject to the fulfilment of the conditions set forth in Article 18 of the GDPR, he/she may request the limitation of the processing of his/her personal data (i.e. that our company shall not erase or destroy such data until requested by a court or an authority or up to a period of thirty days, and shall not process such data for any other purposes),
  5. may object to the processing of the personal data,
  6. may exercise his/her right to data portability. In the meaning of this latter right, the Data Subject shall have the right to receive the personal data concerning him or her in Word or Excel format, furthermore, he/she shall have the right to transmit those data to another controller on his/her request.

Other information in connection with data processing: Our company takes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

Our company concluded a data processing contract for data processing operations in which Oracle Hungary Kft. and BIT SOFT HU Kft., when engaging further data processors, undertake to apply the same data protection and data processing safeguards that they are bound by under the data processing contract, therefore we ensure that the processing of the personal data is lawful even in the case of the data processor.

2.3.8 Processing data related to reservations made via telephone

The hotel may sell its rooms via the telephone, after which it requests a written order from the guests. The hotel records reservations made on the telephone, together with the data of the person making the reservation, using the hotel’s software.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: making room reservations.

Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR

Scope of personal data processed: name, telephone number, e-mail address.

Duration of data processing: The hotel stores the data for a period of 8 years after the consent is provided.

Engaging a Data Processor:

| Name of the Data Processor | Registered office | Description of the Data Processing operations |
| --- | --- | --- |
| Oracle Hungary Kft. | H-1095 Budapest, Lechner Ödön fasor 7. | Storing the data of guests / Data Subjects |
| BIT SOFT HU Kft. | H-1108 Budapest, Bányató u. 13. | Storing the data of guests / Data Subjects |

Potential consequences of failing to provide the data: The reservation is not created.

The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)

  1. may request to obtain access to the personal data concerning him/her,
  2. may request the rectification of such data,
  3. may request the erasure of such data,
  4. subject to the fulfilment of the conditions set forth in Article 18 of the GDPR, he/she may request the limitation of the processing of his/her personal data (i.e. that our company shall not erase or destroy such data until requested by a court or an authority or up to a period of thirty days, and shall not process such data for any other purposes),
  5. may object to the processing of the personal data,
  6. may exercise his/her right to data portability. In the meaning of this latter right, the Data Subject shall have the right to receive the personal data concerning him or her in Word or Excel format, furthermore, he/she shall have the right to transmit those data to another controller on his/her request.

Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

Our company concluded a data processing contract for data processing operations in which Oracle Hungary Kft. and BIT SOFT HU Kft., when engaging further data processors, undertake to apply the same data protection and data processing safeguards that they are bound by under the data processing contract, therefore the processing of the personal data is lawful even in the case of the data processor.

2.3.9 Processing of data related to lost and found items

The hotel maintains a registry of the items found in the rooms and the community areas after the departure of the guests.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: maintaining a registry of lost and found items, notifying guests, returning found items

Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR

Scope of personal data processed: room number, name, denomination and date of found item

Duration of data processing: the hotel stores the found items for 6 months, i.e. it stores the data relating to such items for 6 months after they have been entered on the list. If a found item is collected by its owner, the data will be deleted as well.

The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)

  1. may request to obtain access to the personal data concerning him/her,
  2. may request the rectification of such data,
  3. may request the erasure of such data,
  4. subject to the fulfilment of the conditions set forth in Article 18 of the GDPR, he/she may request the limitation of the processing of his/her personal data (i.e. that our company shall not erase or destroy such data until requested by a court or an authority or up to a period of thirty days, and shall not process such data for any other purposes),
  5. may object to the processing of the personal data,
  6. may exercise his/her right to data portability. In the meaning of this latter right, the Data Subject shall have the right to receive the personal data concerning him or her in Word or Excel format, furthermore, he/she shall have the right to transmit those data to another controller on his/her request.

Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

2.3.10 Data processing related to correspondence

Data Controller communicates with guests and interested persons via the e-mail addresses used by the Data Controller.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: communication with the guests

Legal ground of data processing: the consent of the Data Subject – Article 6 (1) a) of the GDPR

Scope of personal data processed: name, e-mail address, content of the e-mail.

Duration of data processing: 5 years

Engaging a Data Processor:

| Name of the Data Processor | Registered office | Description of the Data Processing operations |
| --- | --- | --- |
| Creative Management Kft. | H-8200 Veszprém, Boksa tér 1/A | Providing online storage |
| Microsoft Magyarország Kft. | H-1031 Budapest, Graphisoft Park 3. | Maintaining the e-mailing software on the workstations |

The rights of the Data Subject: the Data Subject (whose personal data are processed by our company)

  1. may request to obtain access to the personal data concerning him/her,
  2. may request the rectification of such data,
  3. may request the erasure of such data,
  4. subject to the fulfilment of the conditions set forth in Article 18 of the GDPR, he/she may request the limitation of the processing of his/her personal data (i.e. that our company shall not erase or destroy such data until requested by a court or an authority or up to a period of thirty days, and shall not process such data for any other purposes),
  5. may object to the processing of the personal data,
  6. may exercise his/her right to data portability. In the meaning of this latter right, the Data Subject shall have the right to receive the personal data concerning him or her in Word or Excel format, furthermore, he/she shall have the right to transmit those data to another controller on his/her request.

Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

Our company concluded a data processing contract for data processing operations in which Microsoft Magyarország Kft. and Creative Management Kft., when engaging further data processors, undertake to apply the same data protection and data processing safeguards that they are bound by under the data processing contract, therefore the processing of the personal data is lawful even in the case of the data processor.

2.3.11 Data processing during payment

The guests can pay in cash, with gift vouchers, SZÉP cards, Erzsébet vouchers and by bank cards.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: issuing an invoice for the services rendered

Legal ground of data processing: the voluntary consent of the Data Subject

Scope of personal data processed: the name, address, list of services, total amount, method of payment, date of issue, date of performance displayed on the invoice

Duration of data processing: 8 years

Engaging a Data Processor:

| Name of the Data Processor | Registered office | Description of the Data Processing operations |
| --- | --- | --- |
| SIX Payment Services (Europe) S.A. | 10, rue Gabriel Lippmann, L-5365 Munsbach | In the case of card payments, the identifier, amount, date |

Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

2.3.12 Electronic surveillance system

Security camera footage is recorded in the premises of the Park Inn by Radisson Sárvár Resort & Spa.

Security camera footage is recorded in the park, car park, indoor community areas and service areas of the hotel. Only the authorized, appointed personnel have the right to access and view the camera footage.

Controller of personal data: P.S. Hotel Kft., HU-1037 Budapest, Montevideo u. 3/A

Purposes of data processing: facilitating the security of the guests and the staff, protecting values, providing evidence as proof of violations, clarifying disputed issues.

Legal ground of data processing: the voluntary consent of the Data Subject by entering the premises.

Duration of data processing: 50 days for the foreign exchange desk and 7 days for other areas.

| Name of the Data Processor | Registered office | Description of the Data Processing operations |
| --- | --- | --- |
| S-Group Közép-európai Zrt. | H-9600 Sárvár Batthyány u. 63. | Maintenance of the camera system |
| Nevada Security Kft. | H-2016 Leányfalu Sasülés u. 5. | Maintenance of the camera system |

Other information in connection with data processing: Our company makes every necessary technical and organizational measure to prevent any data breach (e.g. the corrupting or loss of files containing personal data, or the disclosure of such files to unauthorized parties). Should a data breach occur nonetheless, we maintain records to control the necessary measures and to inform the Data Subjects, which records contain the scope of the personal data affected, the scope and the number of persons affected by the data breach, the time, circumstances and effects of the data breach as well as the measures taken to eliminate it, and any other data determined in the legislation requiring the processing.

Our company concluded a data processing contract for data processing operations in which S-Group Közép-európai Zrt. and Nevada Security Kft., when engaging further data processors, undertake to apply the same data protection and data processing safeguards that they are bound by under the data processing contract, therefore the processing of the personal data is lawful even in the case of the data processor.

2.3.13 Other data processing

We provide information on any data processing not listed in this Policy when the data is collected. We would like to inform our Customers that certain public authorities or bodies, courts may request our Company to disclose personal data. Our Company shall only disclose personal data to such bodies – if the body involved has determined the exact purpose and the scope of the data – if and to the extent it is absolutely necessary for the realization of that particular request and if compliance with such request is required by law.

2.4 Consent of the Data Subject

The processing of personal data is based on the Data Subject’s consent (freely given, specific, informed and unambiguous indication of the data subject’s wishes). Data Subject shall grant his/her consent by

  • (I) Accepting the Privacy Policy while requesting a quote online or directly, making a reservation, subscribing to the newsletters,
  • (II) Accepting the use of cookies by using the website,
  • (III) Accepting the information about data processing provided on the registration sheet by using the services of the venue, and by providing his/her signature.

The granting of the consent is voluntary, and the Data Subject shall be entitled to withdraw his/her consent at any time without limitation by sending a notice to the Data Controller. The Data Subject may send the notice to any of the contact details specified in Section 1 of this Policy.

The withdrawal of the consent shall not have consequences on the Data Subject. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

3. Rights of the Data Subject

3.1 Right of access by the data subject

The Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  • (I) purposes of data processing related to the personal data in question,
  • (II) categories of personal data involved,
  • (III) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations (in the case of data transfer to recipients in third countries or international organisations, the Data Subject may request information as to whether the data transfer is carried out with the appropriate guarantees),
  • (IV) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
  • (V) rights available to the Data Subject (rectification, deletion or erasure, right to data portability, as well as right to object to the processing of personal data),
  • (VI) the right to lodge a complaint with a supervisory authority,
  • (VII) if the Data Controller has obtained the data from another source than the Data Subject, all information available concerning the source,
  • (VIII) the existence of automated decision-making, including profiling, and, if such data processing occurs, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.

Before fulfilling the request, the Data Controller may request the Data Subject to specify the content of the request, the requested information and/or the exact indication of the data processing activities.

If the right of access by the Data Subject may result also in a realisation of damage or interference with the rights and freedoms of other natural persons, in particular the business secrets and intellectual property of others, the Data Controller is entitled to refuse to fulfill the request in a necessary and proportionate manner.

Should the Data Subject request the above information in more than one copy, the Data Controller is entitled to charge the Data Subject with the reasonable and proportionate administrative fee for the preparation of extra copies.

If the Data Controller does not process the personal data indicated by the Data Subject, the Data Controller shall inform the Data Subject thereof in writing.

3.2 Right to rectification

The Data Subject is entitled to request the rectification of his/her personal data. If the personal data of the Data Subject are incomplete, the Data Subject may request the completion of his/her personal data.

When exercising the right to rectification or correction, the Data Subject shall indicate which data are incorrect or incomplete, and shall inform the Data Controller of the accurate and complete data. In justified cases, the Data Controller may invite the Data Subject to demonstrate the validity of the corrected data for the Data Controller in an appropriate manner – primarily with an official document.

The Data Subject shall perform the rectification or completion of data without undue delay.

After fulfilling the Data Subject’s request to enforce his/her right to rectification, the Data Controller shall immediately inform thereof the persons to whom it has disclosed the personal data of the Data Subject, provided that it does not prove to be impossible or does not involve a disproportionate effort on behalf of the Data Controller. The Data Controller shall inform the Data Subject about those recipients if the Data Subject requests it.

3.3 Right to erasure (‘right to be forgotten’)

The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay if any of the following reasons apply:

  • (I) the personal data specified by the Data Subject are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Data Controller,
  • (II) the Data Controller processed the personal data (including special data) on the basis of the Data Subject’s consent, and the Data Subject has withdrawn consent in writing, and there is no other legal ground for the processing,
  • (III) the Data Subject objects to the data processing carried out on the basis of the Data Controller’s legitimate interest, and there are no compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims,
  • (IV) the Data Controller has processed the personal data unlawfully,
  • (V) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject,
  • (VI) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing.

The Data Subject shall submit his/her request concerning the erasure in writing and shall indicate which personal data he/she wishes to be erased.

If the Data Controller approves the Data Subject’s request concerning the erasure, then it shall erase the processed personal data from all of its databases, and shall inform the Data Subject thereof in an appropriate manner.

Where the Data Controller is obliged to erase the personal data of the Data Subject, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who have become aware of the Data Subject’s personal data due to their publication. In its information, the Data Controller shall inform other controllers that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

After fulfilling the Data Subject’s request to enforce his/her right to erasure, the Data Controller shall immediately inform thereof the persons to whom it has disclosed the personal data of the Data Subject, provided that it does not prove to be impossible or does not involve a disproportionate effort on behalf of the Data Controller. The Data Controller shall inform the Data Subject about those recipients if the Data Subject requests it.

The Data Controller is not obliged to erase the personal data if the data processing is necessary:

  • (I) for exercising the right of freedom of expression and information,
  • (II) for the completion of the Data Controller’s obligations concerning the processing of personal data arising from Hungarian or EU law,
  • (III) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller,
  • (IV) for reasons of public interest in the area of public health,
  • (V) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the exercise of the Data Subject’s right to be forgotten is likely to render impossible or seriously impair the achievement of the objectives of that processing
  • (VI) for the establishment, exercise or defence of legal claims.

3.4 Right to restriction of processing

The Data Subject shall have the right to obtain from the Data Controller the restriction of the processing of personal data concerning him or her if any of the following reasons apply:

  • (I) the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data,
  • (II) the Data Controller has processed the personal data unlawfully, but the Data Subject requests restriction instead of erasure,
  • (III) the purposes of the processing have ceased to exist for the Data Controller, but they are required by the Data Subject for the establishment, exercise or defence of legal claims,
  • (IV) the Data Subject objects to the data processing carried out on the basis of the Data Controller’s legitimate interest, and there are no compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims, pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The Data Controller shall inform the Data Subject before the restriction of processing is lifted.

After fulfilling the Data Subject’s request to enforce his/her right to restriction of data processing, the Data Controller shall immediately inform thereof the persons to whom it has disclosed the personal data of the Data Subject, provided that it does not prove to be impossible or does not involve a disproportionate effort on behalf of the Data Controller. The Data Controller shall inform the Data Subject about those recipients if the Data Subject requests it.

3.5 Right to object

Considering the fact that the Data Controller does not perform data processing in the public interest, there is no official authority vested in the Data Controller, it does not carry out scientific or historic research, and the data processing is not carried out for statistical purposes, the exercise of the right to object may arise in the case of data processing based on its legitimate interest.

If the processing of the Data Subject’s personal data is based on the legitimate interest of the Company, it is an important safeguard provision that the Data Subject shall have the right to appropriate information and shall be able to exercise his/her right to object. Such right shall be communicated to the Data Subject no later than at the time of the first contact.

Based on the above, the Data Subject is entitled to object to the processing of his/her personal data, and in such cases, the Data Controller may not continue to process the personal data of the Data Subject, unless

  • (I) the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or
  • (II) for the establishment, exercise or defence of legal claims of the Data Controller.

3.5.1 Right to object for the purposes of direct marketing

Where personal data are processed for the purposes of direct marketing, the Data Subject should have the right to object to such processing, and contrary to the cases where data processing is based on the legitimate interest of the Data Controller, the Data Controller may not have the right to decide whether it may continue the processing of personal data after the Data Subject’s objection.

If the Data Subject objects to the processing of personal data for the purposes of direct marketing, then the Data Controller may not continue to process the data of the Data Subject.

3.5.2 Profiling

Profiling consists of any form of automated processing of personal data evaluating the personal aspects relating to Data Subjects. Such evaluations may be used to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

The right to object covers profiling based on legitimate interest as a specific data processing operation. If profiling is carried out for direct marketing purposes, then after the Data Subject’s objection, profiling based on his/her personal data shall be immediately terminated.

3.6 Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller.

Right to data portability may be exercised in the case of personal data which have been provided by the Data Subject to the Controller, and

  • (I) If the data processing is based on the Data Subject’s consent or on a contractual legal ground, and
  • (II) the processing is carried out by automated means.

If technically feasible, at the Data Subject’s request, the Data Controller shall transfer the personal data directly to another controller specified by the Data Subject in his/her request. The right to data portability under this section does not give rise to any obligation according to which data controllers shall introduce or maintain technically compatible data processing systems.

Within the framework of data portability, the Data Controller shall provide the Data Subject with the data carrier free of charge.

If the Data Subject’s right to data portability may result also in a realisation of damage or interference with the rights and freedoms of other natural persons, in particular the business secrets and intellectual property of others, the Data Controller is entitled to refuse to fulfill the request in a necessary manner.

Measures taken within the framework of data portability do not include the deletion of data; the Data Controller stores such data for as long as the Data Controller has an appropriate purpose or legal ground for data processing.

3.7 Right to automated individual decision-making, including profiling

The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The Data Subject shall not have the right to request exemption from being subject to a decision solely based on automated processing, if the decision is necessary for the conclusion or completion of contract, is allowed by EU or Member State law, or is based on the Data Subject’s explicit consent.

If the automated processing is necessary for the conclusion or completion of the contract, or is based on the Data Subject’s consent, then the Data Subject is entitled to obtain human intervention, to express his or her point of view, to challenge the decision.

During its data processing activities, the Data Controller takes all reasonable efforts to avoid the inclusion of special categories of personal data in automated decision-making. If this cannot be avoided, then automated decision-making may be carried out with respect to special categories of personal data only if data processing is based on the Data Subject’s consent, or is necessary for reasons of substantial public interest, on the basis of Union or Member State law, and appropriate measures have been taken in order to protect the rights of the Data Subject.

3.8 Right to remedy

3.8.1 Right to lodge a complaint

If the Data Subject considers that the processing of personal data relating to him or her carried out by the Data Controller infringes data protection laws, in particular the provisions of the GDPR, the Data Subject shall have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.

Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:

Webpage: http://naih.hu/
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mailing address: H-1530 Budapest, Pf.: 5.
Phone No.: +36-1-391-1400
Fax: +36-1-391-1410
Email: ugyfelszolgalat@naih.hu

The Data Subject shall also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement.

3.8.2 Right to initiate legal actions

The Data Subject may initiate legal actions, regardless of his or her right to lodge a complaint, if during the processing of his or her personal data, his or her rights under the GDPR have been infringed.

Legal actions against the Data Controller as data controller having a place of operation in Hungary may be initiated at Hungarian courts.

The Data Subject may initiate legal actions at the court of his or her habitual residence in accordance with Section 22 (1) of Act CXII of 2011. The contact details of the Hungarian courts may be available at the following link: http://birosag.hu/torvenyszekek.

For proceedings against the Data Controller, the Data Subject should have the choice to bring the action before the courts of the Member States where the Data Subject resides, if the place of residence of the Data Subject is in another Member State, considering the fact that the Data Controller is not a public authority of a Member State acting in the exercise of its public powers.

3.8.3 Other possibilities to enforce claims

The data subject shall have the right to mandate a not-for-profit organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to initiate judicial review against the decision of the supervisory authority, and to exercise the right to receive compensation on his or her behalf.

4. Other provisions

Where the Data Controller has reasonable doubts concerning the identity of the person making the request under Sections 3.1.–3.8. of this Policy, the Data Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.

The Data Controller reserves the right to modify this Policy at any time. The Data Controller shall inform the Data Subject of the modification no later than 8 days before its entry into force.

Sárvár, 31 December 2019

P.S. Hotel Kft.
Represented by: Bálint Tölli – Hotel Director
