Privacy Statement

The Data Controller hereby provides you with information relating to the processing of your personal data:

I.    Data of the Data Controller:

Name:                          Holiday Beach Budapest Hotel
Registered seat:         Piroska u. 3-5, HU-1039 Budapest
Phone:                         +36-1/240-1261
Email address:            frontdesk[at]holidaybeach[dot]hu
Hereinafter referred to as:  'Data Controller'

Data of the Data Controller’s representative:
Name:       Zsolt Szendrői 
Title:          Piroska u. 3-5, HU-1039 Budapest
Email address:    szendroi.zsolt[at]holidaybeach[dot]hu

Data of the Data Protection Officer assigned by the Data Controller:
Name:            Eszter Kocsis 
Title:               Piroska u. 3-5, HU-1039 Budapest
Email address:   kocsis.eszter[at]holidaybeach[dot]hu  

Data of the Data Protection Consultant assigned by the Data Controller:
Name:           Zsolt Budai 
Title:              Piroska u. 3-5, HU-1039 Budapest
 Phone:          +36-1/240-1261
Email address:  budai.zsolt[at]holidaybeach[dot]hu

In case you have any questions related to this Statement, or you would like to exercise your rights based on this Statement, please contact the data protection officer/consultant at one of the above contacts, who will be happy to be at your disposal. 

II.     Data protection obligations of the Data Controller:

The Data Controller considers the provisions contained in this Statement binding. The Data Controller agrees to comply with all effective applicable regulations, in particular Regulation 2016/679 of the European Parliament and of the Council on General Data Protection Regulation ('GDPR'). The Data Controller retains the right to modify this Statement at any time, and shall notify you of any changes in a timely manner.

III.     Information on data processing:

3.1. Data processing related to newsletters: 

    a) The purpose of data processing: identifying data subjects and distinguishing them from each other, establishing contacts, sending newsletters, preparing statistics, sending e-mail newsletters including economic ads for those interested, market research, information on current information and events (e.g., workshops, placement tests), special offers, creating personalized offers, keeping contact.

    b) The legal basis of data processing: your voluntary consent. However, you are entitled to withdraw your consent at any time, which, however, does not affect the lawfulness of the processing of data carried out before. 

    c) Scope of the processed data, in particular: name, e-mail address.

    d) Recipients of personal data about you: companies providing system administrator services, website operation services or lawyer’s services, in particular the following persons:

          Website operation: Netfort Bt., Szent István ltp. 17. IV/25, HU-7900 Szigetvár

    e) The Data Controller may not transfer your personal data to any third countries or to international organizations.

    f) Time-limit for storing personal data: five (5) years subsequent to your last activity (e.g. clicking on a newsletter). 

    g) Providing your personal data shall not be based on legislation or contractual obligation, providing your personal data is not a precondition of entering into contract. Consequences of failure to provide your data: you will not be informed about our current news, and you will not be able to attend events announced by the Data Controller.  

    h) The Data Controller will not use automated decision-making when processing your Personal
         Data.

3.2. Data processing in connection with online orders:

    a) The purpose of data processing: identifying and distinguishing the data subjects from each other; entering into contacts; record keeping, tracking, fulfilling and accounting of orders; preparing statistics; complaint management; managing legal procedures.

    b) The legal basis of data processing: performing the contract entered into between the Data Controller and you, to meet the requirements of accounting and tax legislation.

    c) The scope of the processed data: in particular name, address, tax identification number, e-mail address, telephone number, data on the payment method, credit card information, shipping information, billing information, order ID, customer ID, user name, password, data on the ordered products/services and data on their purchase price/fee, data relating to persons travelling together, data relating to complaints or legal proceedings. 

    d) Recipients of your personal data: Companies providing system administrator services, website operation services, accounting, auditing or lawyer’s services for the Data Controller, credit card companies, courier companies, in particular the following companies:
    • name (address),
    • name (address).

    e) The Data Controller shall not transfer your personal data to third countries or to international organizations.

    f) Time-limits for storing personal data: on the basis of the legal relationship between you and the Data Controller, eight (8) years after all legal obligations of the Data Controller are terminated.

    g) Consequences of failure to provide your data: you will be unable to submit orders, or such orders may not be fulfilled.

    h) The Data Controller will not use automated decision-making when processing your personal data.

3.3. Data processing of cookies on the website: www.holidaybeach.hu:

    a) The purpose of data processing: to identify data subjects, to track and differentiate data subjects from each other, to identify current sessions of users, to store data provided during sessions, to prevent data loss, and to perform web analytics. 

    b) The legal basis of data processing: your voluntary consent. However, you are entitled to withdraw your consent at any time, which, however, does not affect the lawfulness of the processing of data carried out before. 

    c) Scope of the processed data: time, date, ID, previously viewed websites.

    d) Recipients of your personal data: -.

    e) The Data Controller shall not transfer your personal data to any third countries or to international organizations.

    f) Time-limits for storing Personal Data: until consent is withdrawn. The data subject is able to delete the cookie from his/her personal computer, or to disable the use of cookies in the browser. Cookies may usually be set in the settings menu of the browser, in the Tools/Settings menu in Privacy settings.

    g) Providing your Personal Data shall not be based on legislation or contractual obligation, providing your personal data is not a precondition of entering into contract. Consequences of failure to provide your data: you may not be able to use the website or its functions and services, or use will be limited.  

    h) The Data Controller will not use automated decision-making when processing your Personal 
         Data. 

IV.     Your right relating to data processing:

In connection with processing your personal data, you have the following rights: 

4.1. Right to access:

You have the right to be informed by the Data Controller if any of your personal data are being processed, and if so, you have the right to access such personal data and the following information: 
    a) the purposes of data processing; 
    b) the categories of the personal data concerned; 
    c) the recipients or categories of recipients to whom or which your personal data were disclosed or will be disclosed, including in particular third country recipients or international organizations; 
    d) the planned duration of storage of your personal data, or if it cannot exactly be determined, the criteria for the definition of such period; 
    e) you may request the Data Controller the rectification, erasure or restriction of processing your personal data, and you may object to the processing of such personal data; 
    f) the possibility of submitting complaints addressed to any supervisory authority; 
    g) if the data were not collected from you, all available information regarding the source thereof; 
    h) whether the Data Controller performs automated decision-making or profiling, and if so, comprehensible information on the analytics used, on the relevance of such data processing, and on the consequences to the data subject. 
You are entitled to be informed by the Data Controller about the appropriate data protection guarantees if your personal data are transmitted to a third country or to an international organization. 

Upon request, the Data Controller will provide you with one copy of the processed personal data. You may be charged a reasonable administration fee for any additional copies by the Data Controller. If you submitted the request electronically, the requested information shall be made available to you in electronic format, unless you expressly requested otherwise.

4.2. Right to rectification 

You are entitled to have the Data Controller rectify your incorrect personal data without delay. Taking into account the purpose of the data processing, you are also entitled to request that your incomplete personal data are completed.  

4.3. Right to data erasure 

You have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay. 

The Data Controller shall have the obligation to erase your personal data without undue delay where one of the following grounds applies: 
    a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    b) you have withdrawn your consent on which the data processing was based, and there is no other legal ground for the processing; 
    c) you object to the processing, and there are no overriding legitimate grounds for the processing;
    d) the personal data have been unlawfully processed by the Data Controller; 
    e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law, which the Data Controller is subject to; 
    f) the personal data have been collected in relation to the offer of information society services for children. 

Right to erasure (right to be forgotten): where the data Controller has made the personal data public and is obliged pursuant to erase such personal data, the Data Controller, taking account of available technology and the cost of implementation, shall take reasonable steps to inform any other controllers, who/which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of those personal data.

ATTENTION! You shall not be entitled to the right of erasure or to the right to be forgotten in case processing is necessary: 

    a) for exercising the right of freedom of expression and information; 
    b) for compliance with a legal obligation which requires processing by Union or Member State law which the Data Controller is subject to or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; 
    c) for reasons of public interest in the area of public health; 
    d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or 
    e) for the establishment, exercise or defence of legal claims. 

4.4. The right to restriction of processing 

You shall have the right to obtain from the Data Controller restriction of processing where one of the following applies: 
    a) you contest the accuracy of the personal data; such restriction shall be valid for a period enabling the Data Controller to verify the accuracy of the personal data; 
    b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; 
    c) the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; 
    d) you have objected to processing; in this case such restriction shall be valid for a period until it is determined whether the legitimate grounds of the Data Controller override those of the data subject. 

Where data processing has been restricted under the above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of your legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

You will be informed by the Data Controller before the restriction of processing is lifted.

4.5. The right to object 

ATTENTION! You will have the right to object on grounds relating to your particular situation, at any time to the processing of your personal data, but only in cases where 
    • the legal basis for the data processing is the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, or 
    • the data processing is required for the exercise of the legitimate interests of the Data Controller or a third party, including profiling as well.

In this case, the Data Controller may no longer process such personal data. The Data Controller may exceptionally continue to process your personal data if the Data Controller demonstrates such compelling legitimate grounds for the processing, which override your interests and rights, or are needed for the establishment, exercise or defence of legal claims. 

ATTENTION! In addition to the above, regardless of the previous point, you will have the right to object at any time to the processing of your personal data for those purposes, which include profiling to the extent that it is related to direct marketing. Where you object to processing Personal Data for direct marketing purposes, the personal data may no longer be processed for such purposes.

Where personal data are processed for scientific or historical research purposes or statistical purposes, on grounds relating to your particular situation, you will have the right to object to the processing of your personal data. However, you shall not have the right to protest if the processing is necessary for the performance of a task carried out for reasons of public interest.

In respect of using the services of the information society and as derogation from Directive 2002/58/EC, you may exercise your right to object via automated devices based on technical specifications as well. An example of such objection is the following: you install a programme suitable for your browser to prevent the possibility of tracking you, or your location, to hide your IP address from the public, or to prevent your browser from displaying commercials, ads, etc. 

4.6. Right to data portability 

You will exclusively be entitled to this right if the data processing is based on your consent, or on a contract concluded with the data subject, and such processing is automated. 

In this case, you will have the right to receive your personal data that you have provided in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller. You are also entitled to request - if technically feasible - the direct transfer of the personal data between the data controllers.

However, you will not be entitled to exercise your right to data portability if the data processing is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller. 

4.7. Procedure rules governing the acts of the Data Controller in the event you exercise your rights:

Please submit your request relating to the exercise of your rights to the data protection officer/consultant indicated in point I., at any of the contact details specified therein.

The Data Controller shall, without undue delay, but in any event within one month subsequent to the receipt of the request, inform you about the measures determined in respect of your request to exercise your rights.  Such deadline may be extended by two months if necessary, taking into account the complexity of the request and the number of requests, and you must be informed about such extension. You will be notified of any extension of the deadline by the Data Controller within one month after the request is received, indicating the reason for the extension. If you submitted the request electronically, the requested information shall be made available to you in electronic format, unless you expressly requested otherwise. 

If the Data Controller does not take action on your request, the Data Controller shall inform you without delay, but no later than within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. 

The Data Controller shall provide such information and measures free of charge. Where your request is manifestly unfounded or excessive – in particular because of its repetitive character – the Data Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication, or of taking the action requested; or may refuse to act upon the request. The Data Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.  

The Data Controller shall inform each recipient, whom or which the personal data have been disclosed to, of any rectification, erasure or restriction unless this proves impossible or involves a disproportionate effort. Upon your request, the Data Controller shall inform you on these recipients.

V.    Right of appeal: 

5.1. Complaint to the data protection officer/consultant:
In case of a complaint regarding the processing of your personal data, please contact the data protection officer/consultant, who shall immediately examine your complaint and inform you about the results: 
Name:            Zsolt Budai 
Title:               Piroska u. 3-5, HU-1039 Budapest
Phone:           +36-1/240-1261
Email address:        budai.zsolt[at]holidaybeach[dot]hu 

5.2. Complaint to the Data Protection Authority:
You have the right to lodge a complaint to a supervisory authority - in particular in the European Member State of your habitual place of stay, place of work or the place of the alleged infringement - in case you believe that the processing of your personal data violates the GDPR regulation or other legislation. The supervisory authority to which the complaint has been submitted shall be obliged to inform you about the developments and the outcome of the procedure relating to the complaint, including your rights to judicial remedies.

In Hungary, you may submit your complaint to the National Authority for Data Protection and Freedom, as supervisory authority. 
Name: National Authority for Data Protection and Freedom of Information
Registered office: Szilágyi Erzsébet fasor 22/C, HU-1125 Budapest
Postal address: P.O. Box: 5, 1530 Budapest
Telephone: 06 1 391 1400
Fax: 06 1 391 1410
E-mail: ugyfelszolgalat[at]naih[dot]hu
Website: http://www.mvh.gov.hu/

5.3. Right to compensation:
Any person, who has suffered material or non-material damage as a result of an infringement of the GDPR, shall have the right to receive compensation from the Data Controller or the data processor(s) for the damage suffered.

Any Data Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR, specifically directed to data processors or where it has acted outside or contrary to the lawful instructions of the Data Controller.

Where more than one data controller or data processor are involved in the same processing and they are responsible for damage caused by processing, each data controller or data processor shall be held liable for the entire damage. 

A data controller or data processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

5.4. Right to judicial remedy
You will have the right to an effective judicial remedy where you consider that your rights have been infringed as a result of the processing of your personal data in non-compliance with the GDPR. 

Proceedings against a data controller or a data processor shall be brought before the courts of the Member State where the data controller or data processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where you have your habitual residence, unless the Data Controller or Data Processor is a public authority of a member state acting in the exercise of its public powers.

VI.    Data Security:

The Data Controller obliges to apply appropriate and effective physical, IT, organizational and administrative measures to keep the confidentiality, integrity and availability of your personal data.

Budapest, 23 May 2018.