Privacy policy
CONCERNING THE HOMEPAGE OF KVi Hotel Limited liability company (Cg. 01 09 371929)
Effective: from the 10th day of July, 2018 till withdrawal
1. Introduction
1.1. KVi Hotel Limited Liability Company (Company registration number: Cg. 01 09 371929; tax number: 28742498-2-42; registered seat: 1077 Budapest, Wesselényi utca 28; electronic contact details: info@kvihotel.com.; (hereinafter: „Service Provider, or Controller, respectively”) produces the present Data Management Policy (hereinafter: „Policy”) concerning the provision information, specifically but not exclusively of services (hereinafter „Services”) specified in clause 23 of Section 2 of Act CLXIV of 2005 on commerce.
1.2. The Data Subject is the user of the online accessible websites http://www.kvihotelbudapest.com (hereinafter: „KVi Hotel Homepage”).
1.3. The purpose of the Policy is to specify for the Users of the Service the scope of data handled by the Service Provider, the method, purpose and legal grounds of data processing, as well as to ensure that the constitutional principles of data protection and the requirements of data security are enforced, to prevent unauthorized access to Users' data, the alteration of the data and the unauthorized disclosure or usage of the data.
2. Legal regulations of data protection
2.1 Legal regulations with special significance from the aspect of the Policy:
2.1.
The Decree of the European Parliament and Council (EU) No. 2016/679 on the protection of natural persons with regard to the handling of personal data and the free flow of such data, as well as on the rescission of decree 95/46/EC (hereinafter: „GDPR”)
Hungary’s Basic Law
Act CXII of year 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act)
Act V on Civil Code of 2013 (hereinafter: „Ptk”)
Act CXXXIII of year 2005 on the rules of the protection of persons and property as well the rivate investigation activity (hereinafter: „Property protection law”)
Act CVIII of year 2001 on certain issues of electronic commercial services and information society services (specifically Sections 13/A-13/B)
Act CXIX of year 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing
Act XLVIII of year 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities
Act C of 2003 on electronic news release
Act XC of 2017 on criminal procedures
Act C of 2012 on the Criminal Code
as well as the data protection legal regulations in conformity with the seats of the Partners of the Service Provider, unless these violate the Hungarian law and order.
3. Definitions
Data Subject: any specified natural person, identified by the personal data or a natural person who can be identified directly or indirectly;
User: the Data Subject who books on Service Provider’s Website and who concludes a contract for the Service with the Service Provider, and furthermore who was specified as the beneficiary of the Service by the above person(s);
Consent: voluntary and express declaration of the Data Subject based on appropriate information and by which he/she provides his/her unambiguous consent to handle the personal data concerning himself/herself fully or covering certain operations;
Personal data: data that can be connected to the Data Subject, specifically the Data Subject’s name, ID, as well as knowledge typical to his/her one or several physical, physiological, mental, economic, cultural or social identity, and the conclusion concerning the Data Subject that can be drawn from the data;
Controller: the natural or legal entity or organisation without legal entity who or which independently or together with others specifies the purpose of managing the data, makes the decisions and executes them concerning data processing (including the tool used) or has the decision executed by the data processor;
Data processing/handling: irrespective of the applied procedure any operation or the aggregate of operations carried out on the data, in particular collection, recording, organization, storage, alteration, usage, retrieval, forwarding, disclosure, coordination or combination, blocking, deletion and destruction as well as preventing the further use of the data, taking photos, voice or image recordings and recording the physical characteristics suitable to identify a person (e.g. finger- or palmprints, DNA sample, iris image);
Data transmission: making the data accessible to a specified third person;
Data processing: carrying out data processing operations, irrespective of the method and tool used to carry out the operations and the location of the application;
Disclosure: making the data accessible to anybody
Erasing data: making the data unrecognizable in such a way that it is not possible to restore it;
Automatic processing: it includes the following operations if they are carried out in whole or in part with automated tools: data storage, logical or arithmetical operations on the data, alteration, deletion, retrieval and distribution of the data;
Cookie: A cookie is a small text file stored on the hard drive of the computer or the mobile device and is activated at later visits. Webpages use cookies with the purpose to record the information connected to the visit (pages visited, time spent on the page, browsing data, exits etc.) and the personal settings; however, these data cannot be related to the Data Subject. This tool helps to design a user-friendly webpage in order to increase the online experience of the Data Subject. Most of the internet browsers automatically accept cookies; however the Data Subjects have the opportunity to delete or reject them. As all browsers are different the Data Subjects can set their preferences regarding cookies individually, through the toolbar of the browser. If the Data Subject does not want to enable any cookie from the websites visited, he/she can modify the settings of the browser so that he/she receives a notification about the cookies that have been sent or he/she may simply reject all cookies or only cookies sent by certain websites. At the same time the user may delete the cookies stored on his/her computer, notebook or mobile device at any time. For further information concerning settings please refer to the Help of the browser. If the Data Subject decides to disable the cookies he/she must renounce certain functions of the website (e.g. the website would not remember that the Data Subject remained logged in). There are two types of cookies: “session cookies” and “persistent cookies”.
Session cookies: these are stored by the computer, notebook or mobile device only temporarily until the Data Subject leaves the given website; these cookies help the system to remember information while the Data Subject makes a visit from one page to another, so the Data Subject must not repeatedly enter or complete the given information.
Persistent cookies: these are stored on the computer, notebook or mobile device even after leaving the website. With these cookies the website will recognize – although personally would not identify – the Data Subject as a returning visitor. The persistent cookies are stored on the computer or mobile device of the Data Subject as files.
Flash cookies: Adobe Flash Player that is used to run certain types of animated banners and different types of videos (youtube, vimeo) is able to store information on the computer, notebook or mobile device. The acceptance of „Flash cookies” cannot be set through the Web browser. If the Data Subject does not want to receive Flash cookies it must be set on the website of Adobe: www.adobe.com/hu/privacy/cookies.html. If the Data Subject disables Flash cookies it is possible that he/she would not be able to use certain functions of the websites – in this case the Homepage – e.g. the videos attached to the articles would play incorrectly.
System: the entirety of the technical solutions operating the pages and services of the Controllers and their partners accessible through the internet.
Otherwise under the concepts used in the present Policy the contents of the explanations made of the concepts in the KVi Hotel GTC of the Service Provider as well as in section 3 of the Info Act and Article 4 of the GDPR shall be understood with the condition that in case of deviations the contents laid down in the GDPR shall be governing.
4. Voluntary contribution
4.1. In connection with the use of the Homepage Service Provider shall handle the personal data of natural person Data Subjects laid down in this Policy according to their voluntary, informed and explicit consent based on Section 5 paragraph (1)-(2) and Section 6 paragraph (5) of the Info Act while during the actual use of accommodation and related services primarily based on Section 5 paragraph (1) of the Info Act, in the absence of which based on Section 5 paragraph (6) – including in particular the person(s) indicated by the user as beneficiary (beneficiaries) contracted for the Service.
4.2. I.e. Service Provider handles data cording to the law in accordance with the following clauses of the GDPR Regulation: Chapter 6 Article (1) (a) – „the data subject has given consent to the processing of his or her personal data for one or more specific purposes”, (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”, (c) „processing is necessary for compliance with a legal obligation to which the controller is subject”, and (f) „processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child – or in case of special categories of the personal data Chapter 9 Article (2) of the GDPR (a) „the data subject has given explicit consent to the processing of those personal data for one or more specified purposes…” and (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”.
4.3. With regard to the fact that certain personal data were included in the data processing activity of the Service provider with the voluntary, informed and express consent of the Data Subject for data of Data Subjects where the person of the Data Subject and the person providing the related personal data is not the same, the registered Data Subject is responsible for the authenticity and manageability of the personal data unless the incidental bad faith of the Service Provider excludes this responsibility.
4.4. Service Provider handles the data till the Data Subject requests the deletion of the data or until he/she withdraws his consent; furthermore until the related deadline laid down in the present policy expires. The personal data provided by the registered Data Subject can be handled by the Service Provider – even if the concerned user does not unsubscribe from the KVi Hotel Homepage or if he/she only terminated the possibility to enter the site/application by cancelling the registration the comments and uploaded contents stored there remain – till the Data Subject expressly requests in writing that the management of the data is terminated. The request of the Data Subject aiming at the termination of the data processing without unsubscribing from the KVi Hotel Homepage does not affect his/her right to make use of the Service, however, it may happen that in the absence of the personal data he/she would not be able to make use of certain services. The user acknowledges that sending direct request of advertisement purposes (newsletter, electronic direct marketing, e-DM letter) referred to in Act XLVIII of year 2008 („Grtv”) on the basic requirements and certain restrictions of commercial advertising activities is considered as a separate service.
4.5. By complying with the obligations laid down in Chapter III Article 14 (3) of the GDPR Service Provider – if it did not obtain the personal data from the Data Subject – thus especially if those were provided by a registered user concerning the Data Subject and entitled to use the Service – Service Provider shall notify the Data Subject through the contact details known to it – by email where known and possible – without delay but latest within one month regarding the following:
- the identity and contact details of the Service Provider and – if there is any – Service Provider’s representative;
- contact details of the Data Protection officer, if there is any;
- the planned purpose of handling personal data as well as the legal grounds of the data processing;
- categories of the personal data of the Data Subject;
- addressees of the personal data or the categories of the addressees, if there are any;
- if applicable the fact that Service Provider intends to forward the personal data to an addressee in a third country or any international organisation; in addition the existence or absence of the compliance resolution of the Committee, or in case of data transfer referred to in Article 46, Article 47 or Article 49 paragraph (1) second subparagraph of the GDPR indication of appropriate and suitable guarantees, and reference to the methods or accessibility of obtaining copies of them;
- period of storing personal data, or if this is not possible, the aspects of determining this period;
- if data processing is based on Article 6 paragraph (1) item (f) of the GDPR the lawful interests of the data controller,
- the right of the Data Subject that he/she may request from the controller the access to the personal data concerning him/her, or the correction, deletion of them or the restriction of handling them, and he/she may protest against the handling of the personal data, as well as the right of the Data Subject to data portability;
- in case of data processing based on Article 6 paragraph (1) item (a) or Article 9 paragraph (2) item (a) of the GDPR the right to withdraw the consent at any time which does not affect the lawfulness of data processing that has taken place before the withdrawal based on consent;
- the right to lodge a protest to a supervisory authority;
- the source of personal data and, if applicable, the fact whether the data originate from publicly accessible sources;
- the existence of automated decision-making, including profiling, referred to in Article 24 (1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
5. Purposes of data processing and the scope of data handled by the Service Provider
5.1. Service Provider declares that it handles personal data only for exercising rights or fulfilling obligations. It does not use the personal data handled for private purposes and data processing always complies with the purpose limitation principle – if the purpose of data processing has terminated or data processing is otherwise unlawful the data will be erased.
5.2. In order to prevent abuse the KVi Hotel Homepage can only be used after registration (hereinafter: „Registration”) based on the prevailing general contractual terms and conditions (hereinafter „KVi Hotel GTC”) of the Service Provider, in order to ensure Services, prevent abuse and avoid safety hazards. Contract aiming at Services is established through the booking (hereinafter: „Booking”) of the Data Subject as user, registered in accordance with the prevailing general contractual terms and conditions of Service Provider.
5.3. Service Provider may handle the personal data of the Data Subjects for the following purposes, in the following scope and proportion:
1. Purpose of data processing:
Booking; specifically
- the identification of the Data Subjects;
- Getting acquainted with the requirements of the Data Subjects;
- Communication with the Data Subjects and providing information to them
Exact description of the processes and operations:
See: KVi Hotel GTC item VI
Expected duration and deadline of data processing:
As a general rule till the deletion of the registration, in cases exceeding that
· for 5 years for the data concerned with regard to the Law on Taxation Section 78 paragraph (3)
· for 8 years for the data concerned with regard to the Law on Accounting Section 169 paragraph (1)-(2)
· In addition for a longer period if legal regulation stipulates it this way
Data controller retains the right to handle the relevant data to the extent necessary for the deadlines exceeding the above deadlines till the deadline open to enforce the demands well-founded by rights and obligations arising from activities giving cause for data processing.
Personal data
- scope, type and categories
Data to be provided depending on the type of Booking if these were not provided during Registration:
a) surname and first name of the Data Subject (if different, name at birth also) entitled to make use of the Service
b) place and date of birth of the Data Subject entitled to make use of the Service
c) mother’s name of the Data Subject entitled to make use of the Service
d) nationality of the Data Subject entitled to make use of the Service
home address (or residence, notification address) email address, phone number or other contact possibility of the Data Subject entitled to use the Service
Legal grounds of data processing
GDPR Regulation, Chapter II. Article 6 paragraph (1) a), b), c), f),
2. Purpose of data processing:
Provision of Service; specifically
- Getting acquainted with the requirements of the Data Subjects;
- Communication with the Data Subjects and providing information to them
Exact description of the processes and operations:
See: KVi Hotel GTC
Expected duration and deadline of data processing:
As a general rule till the deletion of the registration, in cases exceeding that
· for 5 years for the data concerned with regard to the Law on Taxation Section 78 paragraph (3)
· for 8 years for the data concerned with regard to the Law on Accounting Section 169 paragraph (1)-(2)
· In addition for a longer period if legal regulation stipulates it this way
Data controller retains the right to handle the relevant data to the extent necessary for the deadlines exceeding the above deadlines till the deadline open to enforce the demands well-founded by rights and obligations arising from activities giving cause for data processing.
Personal data
- scope, type and categories
Information essential to exercise rights and obligations laid down in the GTC, over and above the data provided during Registration and Booking.
In this scope special data thus data concerning health could also be handled (See: KVi Hotel GTC item XI) with respect to which data processing is carried out exclusively to the extent and by the period laid down in Chapter II Article 9 paragraph (c) and (e) of the GDPR, or in the absence of them in accordance with sub-item (a).
Legal grounds of data processing
GDPR Regulation, Chapter II. Article 6 paragraph (1) a), b), c), f),
3. Purpose of data processing:
To increase customer experience, technically improve the IT system, protection of users’ rights
Exact description of the processes and operations:
Until the permission is granted the KVi Hotel Homepage requests a permission from the visitor of the KVi Hotel Homepage every time the page is opened for using the cookies applied by the KVi Hotel Homepage, for the following purposes: to provide better and faster customer experience, to display tailor-made advertisements based on the automatically recorded data of the registered Data Subject, to prepare statistics, to technically improve the IT system and to protect the rights of the users.
(The above jointly referred to: customizing cookies.)
Expected duration and deadline of data processing:
Until the period provided for the application of the cookies by Service Provider – published on the KVi Hotel Homepage – but not more than cancelling the Registration.
Personal data
- scope, type and categories
The anonymised and/or encoded system data, cookie data, orders submitted during bookings, specific orders and additional consumption data concerning the Data Subjects.
Legal grounds of data processing
GDPR Regulation, Article 22 paragraph (2) item c)
(In consideration of which Article 9 paragraph (2) item a) of the GDPR)
6. Legal grounds of data processing
6.1. Service Provider handles the personal data laid down in this Policy lawfully, specifically particular data in accordance with the following clauses of the GDPR Regulation, Chapter 6 Article (1) (a) – „the data subject has given consent to the processing of his or her personal data for one or more specific purposes”, (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”, (c) „processing is necessary for compliance with a legal obligation to which the controller is subject”, and (f) „processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”
and in case of special categories of the personal data Chapter 9 Article (2) of the GDPR (a) „the data subject has given explicit consent to the processing of those personal data for one or more specified purposes…” and (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”.
6.2. Special data may be handled exceptionally only and to the extent and period laid down in Chapter II Article 9 paragraph (2) items c) and e) of the GDPR, or in the absence of them based on sub-item a).
7. Method of data collection
7.1. The data of the Data Subjects according to clause 7 of the present Policy are received and obtained by Service Provider through its KVi Hotel Homepage in every case, based on the voluntary consent of the registering party or the registered Data Subjects, respectively. For the authenticity of the personal data provided it is always the registering entity and the registered Data Subject, respectively, responsible. Service Provider does not verify the personal data given to him.
7.2. By accepting the present Policy the Data Subjects are obliged to accept the provisions of the present Policy and give their consent that Service Provider handles the data included in clause 7.
7.3. By using the KVi Hotel Homepage, and by concluding the contract for the Services, respectively, the Data Subjects expressly accept the present Policy.
8. Principles of Data processing
8.1. Personal data may only be obtained and processed in a fair and lawful manner.
8.2. Personal data may only be stored for specified and lawful purposes and may not be used in any different way.
8.3. The scope of the Personal Data handled must be proportionate to the purpose of their storage, must meet this goal and may not extend beyond it.
8.4. Appropriate safety measures must be taken to protect the personal data stored in the automated data files to prevent accidental or wrongful destruction or accidental loss as well unauthorized access, alteration or distribution.
9. Registering data processing activities
9.1. Service Provider or its representative, if any, keeps a register concerning the data processing activities carried out under the scope of its responsibilities. This register contains the following information:
- the name and contact details of the data controller, and the name and contact details of the joint controller – if any -, the representative of the controller and the data protection officer;
- purposes of data processing;
- representation of the categories of the data subjects as well as of the personal data;
- categories of addressees with whom the personal data are or will be communicated, including addressees or international organisations in third countries;
- information related to the transfer of the personal data to third countries or international organisations, if applicable, including the identification of the third country or international organisation, as well as the description of the appropriate guarantees in case of forwarding in accordance with Article 49 paragraph (1) second sub-paragraph of the GDPR Regulation;
- the deadlines targeted for deleting different data categories, if possible;
- the general description of the technical and organisational measures referred to in Article 32 paragraph (1), if possible;
upon request the Service Provider makes the register available to the supervisory authority.
10. Data Protection officer
10.1. With respect to the fact that the obligatory event laid down in Chapter IV Article 37 of the GDPR subsists – processing special data, regular and systematic monitoring of data subjects on a large scale – a data protection officer was appointed on 1 July, 2018.
Service Provider hereby informs the Data Subjects that in case they observe disquieting procedures, incidents or any other circumstances from the aspect of data protection the lawfulness of which is otherwise objectionable from a legal and/or technical, organisational point, or the investigation of which is at least justified, the Data Subjects can make announcement and get in touch with the data protection officer by informing the competent employee or manager of Service Provider, but independently of him/her, at the following contact details.
Name and contact details of the Data Protection officer: Palicz Péter, dataprotection@kvihotel.com
11. Data transmission
11.1. Service Provider is entitled and obliged to transmit to the competent authorities all personal data available to him and regularly stored by him the transmission of which is made obligatory by legal regulation or legally binding enforcement notice. Service Provider may not be held responsible for such data transmission and for the resultant consequences.
11.2. In addition to the above Service Provider may hand over data exclusively to the Partners associated with Service Provider specifically to Partners who have contractual obligation for Services with respect to the Data Subject; accordingly, Service Provider may hand over data to Partner exclusively for the purpose and to the extent of performing Services.
11.3. In relation to the above and otherwise, if the Service Provider transfers the operation or utilization of the content services on the KVi Hotel Homepage in whole or in part – including the Partners as well – than he can hand over the data processed by him to this third person in full, without requesting explicit endorsement for further handling.
11.4. Service Provider hands over data in addition to the above exclusively to data processors in contractual relationship with him, specifically only to those who are bound by contractual obligation in connection with the KVi Hotel Homepage and the system(s) serving them; accordingly Service Provider hands over data to third persons exclusively and to the extent of fulfilling the goals indicated in the present Policy. This data transmission may not bring the Data Subject concerned into a position more disadvantageous than the data processing and data security rules indicated in the prevailing text of the present Policy.
Data processors of Service Provider
scope of data affected
data processing goal(s) affected
Physical location(s) of data processing
Amazon Web Services, Inc.
Registered office: 410 Terry Avenue North
Seattle, WA 98109-5210 USA
Contact details:
Mailing address: Box 81226 Seattle, WA 98108
Telephone: (206) 266-4064
Fax: (206) 266-7010
E-mail: abuse@amazonaws.com
Name of Data Subject, email address of Data Subject, invoicing number of Data Subject, room type affected by the booking(s), room number affected by the booking(s), name of hotel affected by the booking(s)
Data processing of Customer contracts
Automated cloud service of the KVi Hotel System; performing backup operations of the KVi Hotel System
Amazon Web Services (AWS) EC2 cloud based service provider
More information: https://aws.amazon.com/about-aws/global-infrastructure/?hp=tile&tile=gimap
Clock Software Ltd.
(Company Reg.# 08008667
VAT Registered: GB 171901910)
Registered office: 27 Redcliffe Gardens, London, SW10 9BH, UK
Contact details:
https://www.clock-software.com/company-aboutus/contact-us.html
Name of Data Subject, email address of Data Subject, invoicing number of Data Subject, room type affected by the booking(s), room number affected by the booking(s), name of hotel affected by the booking(s)
Data processing of Customer contracts
Cloud based hotel management (PMS) service
data processing is cloud based, the affected service provider is Amazon WEB services (AWS) EC2 (https://aws.Amazon.com/?nc2=h_lg)
11.5. Service Provider undertakes as a general obligation that any data transmission carried out by the Service Provider may not bring the user concerned into a position more disadvantageous than the data processing and data security rules indicated in the prevailing text of the present Policy.
11.6. Service Provider does not forward the personal data of the Data Subjects to third countries and international organisations (outside the EU, non EEA countries) except when the Data Subject provided its explicit approval and according to the conditions laid down in a written declaration issued by the parties by providing appropriate guarantees that suit the provisions of the GDPR.
The above stipulation does not extend to cases laid down in Article 45 of the GDPR according to which if the purpose of data transmission is a governmental and/or international organisation for which a valid, so-called „adequacy decision” issued by the Committee is in force no separate permit is required for such data transmission. At the date of the present instrument accepted adequacy decision is in force for the following third countries: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Jersey, Canada, Isle of Man, Switzerland, Uruguay, U.S.A. (Privacy Shield), New Zealand – in case of Japan and South Korea the adequacy procedure is in progress.
12. The security of data handling
12.1. In accordance with the obligation of Section 32 of the GDPR Service Provider – by keeping in mind as its obligation – does its utmost so as to ensure the security of the data of the Data Subjects; furthermore he takes the necessary technical and organisational measures and develops the rules of procedure that are required to enforce the rules of the GDPR and other rules of data and secret protection.
12.2. Service Provider handles data primarily in the frame of automatic processing – KVi Hotel Homepage as well as the systems serving them – and handling any data employing humans may only take place exceptionally and to the extent justified. The activities of the Service Provider and the data processors involved by him suits the following requirements: organisational security, security connected to employees, external persons and security connected to the environment, classification and verification of assets, communication and operational management, access control, operational continuity management, systems engineering and maintenance.
12.3. The so-called cloud based applications are also part of the System serving the KVi Hotel Homepage (see: Service Provider’s prevailing general contractual terms and conditions). Service Provider chooses its partners providing cloud services with the utmost possible care – see among the data processors indicated in clause 11.4 – and takes all generally expected measures to conclude contracts with them that keep in view the data security interests of all concerned, are transparent for data handling principles and he regularly inspects data security. Physically the data of the Data Subjects are stored in the cloud. By accepting the present Data Handling Policy the Data Subject expressly agrees to the data transmission required for making use of the cloud-based applications.
12.4. Partners can handle personal data in exceptional cases only, following prior notice and exclusively for providing Services and/or for fulfilling legal obligations – e.g. preserving invoices – for which data handling the present Policy must be applied in an appropriate manner; otherwise the Partners may only carry out data processing activities in connection with performing Services.
12.5. Service Provider protects the data in particular against unauthorized access, alteration, transmission, disclosure, cancellation or destruction as well as against accidental destruction and damages. The data automatically and technically recorded in the course of the operation of Service Provider’s system(s) are stored in the System calculated from the generation of such data for a period justified by the aspect of ensuring the operation of the System. Service Provider ensures that these automatically recorded data cannot be connected to other personal data with the exception of cases made mandatory by the law. If the Data Subject terminated its consent to handle his/her personal data or has unsubscribed from the KVi Hotel Homepage his/her person will not be identifiable from the technical data thereafter, not including the investigating authorities and their experts.
12.6. Links: It is possible that reference or link can be found on Service Provider’s KVi Hotel Homepage pointing to sites maintained by other service providers and financial enterprises (including buttons and logos pointing to login and share options) where Service Provider has no influence on the experience of handling personal data and where Service Provider does not carry out data sharing/data transmission, respectively. Service Provider draws the attention of the Data Subjects that by clicking on such links they may reach the sites of other service providers and financial enterprises. In such cases Service Provider recommends that the Data Subjects by all means read the data handling policies concerning the use of these sites. If the Data Subject modifies or deletes any of his data on an external website this would not affect Service Provider’s data handling, such modification must be made also on the KVi Hotel Homepage.
Service Provider particularly draws the attention of those Data Subjects among the above that during the payment or initiating the payment of the Services the Data Subject is directed through the pop-up window/link on the KVi Hotel Homepage to a financial enterprise independent of Service Provider (Wirecard Central Eastern GmbH (Reininghausstraße 13a | 8020 Graz, Austria; Tel.: +36 1 255 03 36; Fax: +43 316 813681-1203; Email: kapcsolat@wirecard.com; hereinafter: Wirecard)); payment can be initiated and carried out here and Service Provider does not process any data in this respect and has no influence on the data processing carried out by Wirecard during the process.
13. Duration of data handling
13.1. In case of registered Data Subjects until the registration is cancelled.
13.2. The data of not registered Data Subjects are cancelled when the related Service is closed in the system of Service Provider.
13.3. The data provided for the newsletter subscription and Direct Marketing are deleted without delay when the Data Subject unsubscribes or when the registration expires.
13.4. Otherwise Service Provider deletes the data processed upon the request of the Data Subject except the scope of data the continued processing of which is necessary for accounting disputes or other legal disputes between the parties - until they are settled – and/or due to legal regulations. Among the latter, but not exclusively:
for 5 years for the data concerned with regard to the Law on Taxation Section 78 paragraph (3)
for 8 years for the data concerned with regard to the Law on Accounting Section 169 paragraph (1)-(2)
In addition for a longer period if legal regulation stipulates it this way.
13.5. Service Provider retains the right to handle the relevant data to the extent necessary for the deadlines exceeding the above deadlines till the deadline open to enforce the demands well-founded by rights and obligations arising from activities giving cause for data handling.
14. The source of data handling
14.1. The data processed are obtained directly from the registered Data Subject; in consideration of that Service Provider only starts processing the data provided to him – the data are recorded in its system only then – when the registered Data Subject makes a declaration by undertaking criminal liability during the bookings that the data were provided with the knowledge and explicit consent of the Data Subject designated as qualified for the given Service with the purpose of identification and making use of the Service.
15. Possibilities of modifying the Data Handling Policy
15.1. Service Provider retains the right to unilaterally modify the present Policy in the future. He will publish the new Policy on the KVi Hotel Homepage.
16. Providing information, right to object, erasing data, data processing restrictions
16.1. The Data Subject may request information about the handling of his/her personal data and may also request the correction of these personal data – with the exception of data handling ordered by legal regulation – and the deletion of them based on the present Policy, in particular on the contact details provided above.
16.2. Upon the request of the Data Subject submitted by email Service Provider provides information about the data processed, the purpose of data handling, its legal grounds, duration, the name and address (company seat) of the data processing entity and his activities related to data processing, and in addition who and for what purpose do addressees receive or have received the data. The data controller is obliged to respond within the shortest time possible but within maximum fifteen (15) days counted from the submission of the request in an easy to understand manner and free of charge – refunding of costs is charged by Service Provider in exceptional cases only (if the party requesting the information has not yet submitted a request to data controller concerning the same scope of data in the current year). In other cases refunding of costs may be established. The rate of refunding may be laid down in the contract concluded between the parties. The already paid cost refunding must be reimbursed if the data was processed unlawfully or the request for information has led to correction.
If the provision of information to the Data Subject cannot be refused by law, Service Provider gives information about the data of the Data Subject processed by him or by the data processing entity commissioned according to his instructions, the sources of these data, the purpose of data processing, the legal grounds, duration, name and address of the data processing entity and its activities related to data processing, the circumstances of the data protection incident, its effects and the actions taken to prevent them, and furthermore – in case of transmitting the personal data of the Data Subject – about the legal grounds of data transmission and the addressee of it. Moreover the information covers the information specified in Articles 13-14 of Section 2 of the GDPR.
16.3. Service Provider is obliged to correct personal data not corresponding to the facts. Data controller deletes personal data if handling of them is unlawful, the Data Subject requests it – in this case within maximum five (5) days –, if it is incomplete or incorrect – and this status cannot be corrected legitimately – provided that deletion is not excluded by law, if the purpose of data handling has discontinued, the period of storing the data specified by the law has expired or the Court or the National Authority for Data Protection and Freedom of Information has ordered it. Service Provider shall inform about the correction and deletion the Data Subject as well as all other entities to whom he transferred the data for data processing purposes. This notification may be ignored if it does not hurt the rightful interests of the Data Subject in consideration of the purpose of data processing.
16.4. If the Data Subject uses personal data unlawfully or deceptively, or commits a crime, the Service Provider retains the right to preserve the relevant data in case of using them in this manner for demonstration in the incidental litigious and non-litigious procedure until the procedure is concluded. The latter shall be applied appropriately to the case when the Data Subject requested the deletion of the personal data in order to prevent or at least render more difficult the enforceability of the rightful claim of Service Provider and/or Partner.
16.5. The Data Subject may protest against the processing of his personal data, specifically
- if the processing or transmission of the personal data is exclusively required for the fulfilment of legal obligations related to the Service Provider or the enforcement of the rightful interests of the Service Provider, the receiver of the data or a third person except for mandatory data handling;
- if the personal data are used or transmitted for the purposes of directly obtaining business, public-opinion research or scientific research, and
- in other cases as specified by law.
16.6. Service Provider shall examine the protest within the shortest possible period but maximum within fifteen (15) days, makes a decision regarding its cogency and informs the applicant about the decision in writing. Service Provider suspends data processing for the period of the investigation but for maximum five (5) days. If the protest is justified, the head of the organisational unit processing the data shall proceed in accordance with the provisions specified by the GDPR. In addition, the Data Subject may exercise the right for protest using automated devices based on technical specifications by renouncing the Service included in the KVi Hotel GTC, cancelling the registration and applying other related options available in the KVi Hotel system (GDPR Article 21 paragraph (6)).
16.7. If the Service Provider establishes that the protest of the Data Subject is cogent, terminates data handling – including additional data recording and data transmission –, blocks the data, and notifies all to whom he previously transmitted the personal data affected by the protest about the protest and the actions taken, and who are obliged to take measures in order to enforce the right to protest. If the Data Subject does not agree with the decision of the Service Provider, or if the Service Provider neglects the deadline, the Data Subject may go to law within thirty (30) days counted from the date of communicating the decision or the last day of the deadline, respectively.
16.8. Service Provider shall compensate for the damages caused to other parties by the unlawful processing of the data of the Data Subject or by violating the requirements of technical data protection. Service Provider is exempt from responsibility if he demonstrates that the damage was caused by reasons outside the scope of data handling, beyond his control. No compensation for the damage is due if it originates from the deliberate or careless behaviour of the aggrieved party.
16.9. Informing the Data Subjects can be disregarded/rejected or restricted with due regard to the reasons and with detailed explanation set forth in the provisions of Article 13 paragraph (4) and Article 14 paragraph (5) of the GDPR, if
- the Data Subject already possesses the information;
- it proves to be impossible to make the relevant information available or would require disproportionate efforts, especially to archive for public interest, for scientific or historical research or for statistical purposes, in case of data processing performed by taking into account conditions and guarantees laid down in Article 89 paragraph (1) of the GDPR Regulation, or if the obligation to provide information would probably render it impossible or seriously jeopardize the achievements of the targets of this data processing. in such cases Service Provider has to take appropriate measures – including to make the information publicly available – in order to protect the rights, liberty and lawful interests of the Data Subject;
- the EU’s or member state’s law provides for appropriate measures to obtain and communicate the data applicable on the Service Provider that stipulates the appropriate measures serving the protection of the lawful interests of the Data Subject; or
- the personal data should remain confidential based on the professional obligation of confidentiality stipulated by the laws of the EU or a member state, including the obligation of confidentiality based on legal regulation.
16.10. Otherwise the Data Subject is entitled to get access to the personal data concerning him/her as well as to the following information:
- Copies of the personal data (for additional copies cost are charged)
- The purposes of data processing;
- Data categories;
- Data related to automatic decision making and profile creation;
- Information concerning the source in case of taking over data;
- Addressees to whom the data were communicated or will be communicated;
- Information and guarantees in connection of transmitting data to third countries;
- Duration and aspect of storage,
- Rights of the Data Subjects
- Right to call upon to the authorities.
16.11. The way of exercising access rights: If the Data Subject submitted the application electronically the information must be made available in a widely used electronic format unless the Data Subject requests otherwise.
16.12. The right to demand for a copy may not affect negatively the rights and freedom of others.
16.13. If the Service Provider has made the data public and is obliged to delete them in such a way that he makes reasonably expected steps by taking into account available technology and the costs of implementation in order to inform other data processors in connection with the deletion of the relevant links, copies and duplicates.
16.14. Data Subject may not avail itself of the right of deletion and to be forgotten, if data processing is necessary: for the freedom of expression, to perform legal obligation or to exercise public power, in the field of general health for common interest, archiving of public interest, for the purposes of scientific and historical research and to enforce legal demands.
16.15. Service Provider shall restrict data processing upon the request of the Data Subject if
- the Data Subject disputes the accuracy of the personal data
- data processing is unlawful and the Data Subject disapproves of deleting the data
- the Service Provider does not need the data any more but the Data Subject require them to the presentation, enforcement or protection of his/her legal demands;
- the Data Subject protested against data processing and the Service Provider is still carrying out an investigation.
17. Obligation of communication
17.1. Service Provider informs all addressees with whom the data were communicated of any correction, deletion or restriction. Except if this is impossible or requires disproportionate efforts.
18. Data portability
18.1. The Data Subject is entitled to receive his/her data made available to Service Provider:
- in a widely used computer readable structured format
- is entitled to forward them to another data processor
- may request that the data are directly forwarded to another data processor -
- if this is technically feasible
except in case of data processing carried out for public interest or for exercising public authority.
19. Enforcement options
19.1. In case of violating the rights of the Data Subjects the enforcement options against the Service Provider can be exercised at the court of arbitration according to Service Provider’s prevailing general terms and conditions in force, and may appeal to the National Authority for Data Protection and Freedom of Information based on the provisions of the Info Act and the relevant legal regulations (mailing address: 1534 Budapest, P.O.Box: 834; address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.). The court proceeds in the matter out of turn.
I accept the present policy and put it into force on this day.
Dated: in Budapest, 09.19. 2018
KViHotel Limited Liability Company