G.D.P.R.

General Data Protection Regulation

I. Introduction

This document (hereinafter referred to as ‘Policy’) is intended to provide adequate information regarding the activities carried out within the framework of the management of personal data of natural persons by ARAZ Limited Liability Company (hereinafter referred to as "Controller"), as operator of Boutique Hotel Budapest (address: H-1056 Budapest, So utca 6., Hungary; hereinafter referred to as ‘Hotel’). The content of the Policy is based in particular on the relevant provisions of the following national and European Union legislation:

· Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as ‘GDPR’);
· Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (hereinafter referred to as ‘Infotv.’); · Act CVIII of 2001 on Certain Aspects of Electronic Commerce and Information Society Services (hereinafter referred to as ‘Ekertv.’);
· Act C of 2003 on Electronic Communication (hereinafter referred to as ‘Eht.’);
· Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter referred to as ‘Grt.’);
· Act C of 2000 on Accounting (hereinafter referred to as ‘Sztv.’);
· Act CL of 2017 on the Rules of Taxation (hereinafter referred to as ‘Art.’);
· Act C of 1990 on Local Taxes (hereinafter referred to as ‘Htv.’);
· Municipality Decree of Belváros-Lipótváros 38/2010. (XII.2.) on the Local Introduction of a Tourist Tax (hereinafter referred to as ‘Önkr.’);
· Act CXXXIII of 2005 of the Rules on Personal and Property Protection Actitvities and Private Investigation (hereinafter referred to as ‘Szvmtv.’);
· Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (hereinafter referred to as ‘Nlktv.’);
· Act V of 2013 on the Civil Code (hereinafter referred to as ‘Ptk.’)
· Act XIX of 1998 on Criminal Proceedings (hereinafter referred to as ‘Be.’),
· Act II of 2012 on Infringements, Infringement Proceedings and Infringement Registration System (hereinafter referred to as ‘Szabstv.’)
· Act CLV of 2016 on Official Statistics (hereinafter referred to as ‘Stattv.’) 4.
· Governmental Decree 388/2017 (XII.13.) on the Mandatory Reporting of the National Statistical Data Collection Program (hereinafter referred to as ‘OSTAPr.’);
· Act II of 2007 on the Entry and Residence of Third-Country Nationals (hereinafter referred to as ‘Hmtv.’);
· Governmental Decree 114/2007 (V.24.) on the Entry and Residence of Third-Country Nationals (hereinafter ‘Hmtv vhr.’):
· Act CLV. of 1997 on Consumer Protection (hereinafter referred to as ‘Fgytv.’)

The text of the Policy is available in English language continuously and can be retrieved from the website https://boutiquehotelbudapest.com and in hard copy at the Controller's seat and at the location of effective data processing at H-1056 Budapest, So utca 5., Hungary.

PLEASE READ THIS POLICY CAREFULLY!

II. Controller

Name: Araz Kereskedelmi és Szolgáltató Limited Liability Company
Abbreviated name: Araz Kereskedelmi és Szolgáltató Ltd.
Seat / Head of premises: H-1195 Budapest, Üllői út 283, Hungary.
Company registration number: 01-09-977563 (Company Registry Court of Budapest – Capital Regional Court)
Tax number: 23777581-2-43
Phone number: +36 1 357-6240
Fax: +36 1 357-6241
E-mail: zeina@zeinahotels.com
Location of effective data processing: H-1056 Budapest, So utca 6., Hungary.
Contact data of effective data processing:
Phone number: +36 1 920-2100
Fax: +36 1 9202122
E-mail: boutiqueinfo@zeinahotels.com
Homepage: https://boutiquehotelbudapest.com/
Data Protection Officer: Pursuant to Article 37 of the GDPR, the Controller is not required to appoint a data protection officer

III. Terms and definitions

‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Processing’ means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;

‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

‘Processor’ means a natural or legal person, a public authority, agency or any other body that processes personal data on behalf of the controller;

‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

‘Consent of the data subject’ means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

‘Personal data breach’ means a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed;

'Data concerning health' means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

'Main establishment' means:
a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

'Representative' means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation; ‘Supervisory authority’ means an independent public authority established by a Member State in accordance with Article 51 of the GDPR;

‘Supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:
(a) the controller or the processor is established on the territory of the Member State of that supervisory authority;
(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
(c) a complaint has been lodged with that supervisory authority;

‘Cross-border processing of personal data’ means either:
(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

'Relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

‘International organization’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

‘Third country’ means any state that is not an EEA State.

IV. Processing

1. Processing of Hotel Reservations

1.1. Request for Quotation

Guests have the option of requesting a quotation from the Controller by electronic means and to decide on an event or service upon having received the quotation. With regard to booking a room, such option is not provided.

Datas managed	purpose	Lawfulness
Name (Last name / First name)	Contacting the guest, Further contact, Identifying guests, Distinguishing guests from each other, Providing targeted service, Providing information on the prices and conditions of the services provided by the Controller	Consent
E-mail address	Contacting the guest, Further contact, Providing targeted service, Providing information on the prices and conditions of the services provided by the Controller
Time of arrival, departure, special services, method of payment.	Tailored services. Information about the services, prices, and conditions provided by the Controller.

Lawfulness of processing: Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);

Duration of the processing:
(a) In case of non-reservation or cancellation without legal consequences, the data will be deleted immediately;
(b) In case of failure to conclude a contract or termination of a contract, for a period of five (5) years after the failure to conclude a contract or termination of the contract;
(c) Until the guest's consent is withdrawn;

Consequences of failure to provide data: the Controller is not capable to provide an offer or information on the prices and conditions of the services.

1.2 Reservation as registered guest

The Data Controller provides the possibility, as a registered customer, to book, modify or even delete the accommodation with the help of previously provided and stored data.
After registration, an integrated Internet Booking Engine (IBE), managed by Navarino Services Limited, is available from the Data Controller Website (http://boutiquehotelbudapest.com) (link: https://be.synxis.com/?&chain=19832&hotel=64766&locale=en-US&start=searchres) is available and can be used to make reservations. The data provided during the booking will be handled by the Data Controller in the Maistro Business Software. The following data will / may be required for registration and will be managed:

Datas managed

Purpose

Lawfulness

NAME
Last name/First name

Contacting guest, identifying guests, separating guests, providing tailored service, confirming successful registration.

Consent

E-mail address

Lawfulness of processing: Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);

Duration of processing: Until the guest's consent is withdrawn

Consequences of failure to provide data: registration will not be completed.

Data transfer:

Company

Head Office

Type

Tasks

Lawfulness

Navarino Services Limited

Navarino House, Network Point, Range Road,

Witney, Oxfordshire, OX29 0YN,

United Kingdom

data processer

Owner of Navarino software integrated into the reservation system; manager of the Navarino Internet Reservation Engine (IBE)

Data management is required to perform the contract

Maistro Informatikai Kft.

1182 Budapest, Rudawszky u. 10.

data processer

Owner and developer of hotel and restaurant management software

Data management is required to perform the contract

1.3. Hotel reservations online

Vie the Controller’s website (http://boutiquehotelbudapest.com) guests have the option of making hotel reservation online. From the website of the Controller, an integrated internet booking engine managed by Navarino Services Limited (Internet Booking Engine [IBE]) (link: https://be.synxis.com/?&chain=19832&hotel=64766&locale=en-US&start=searchres)) can be accessed and used for hotel reservation. The following information provided during booking will be entered into the Maistro management software used by the Controller.

Processed data categories	Purpose	Lawfulness
Name (Last name / First name)	Contacting the guest, Further contact, Identifying guests, Distinguishing guests from each other, Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Providing targeted service, Issuing an invoice, Complying with accounting obligations, Establishing a contract, Defining and modifying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it	Consent Compliance with legal obligations Performance of the contract
Address (domicile or place of residence) [country, postal code, city, street, street number]
Phone Number	Contacting the guest, Further contact, Providing targeted service	Consent
E-mail address		Consent Performance of the contract
Information about the reservation (Date and time, Date of arrival, Date of departure, Number of adults, Number of children, Age of children, Board type, Room type, Payment method, Debit / Credit card details (Card number, Cardholder's name, Validity period, Cvv code), License plate number	Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Providing targeted service, Issuing an invoice, Complying with accounting obligations, Establishing a contract, Defining and modifying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it	Consent Compliance with legal obligations Performance of the contract

Processed personal data:
(a) the processed personal data is directly provided to the Controller by the guest, or
(b) the processed personal data will be collected and queried by the Controller via sources listed as per Annex 1 to this Policy (by name and registered seat) (see Annex 1):

Név	Székhely
1000 út Kft.	Magyarország, 1061 Budapest Jókai tér 9
Agoda	Szingapúr, 049712 Cecil Street 30, Prudential Tower #19-08
Booking.com B.V.	Hollandia, 1017 CE Amszterdam Herengracht 597
Cosmos Utazási Iroda Kft.	Magyarország, 1056 Budapest Só utca 2.
Der Touristik Deutschland GmbH	Németország, D-60439, Frankfurt am Main Emil-von-Behring-Strasse 6.
Eurotours GmbH	Ausztria, A-1020 Bécs Lassallestrasse 3.
JACTravel	Egyesült Királyság, EC1Y 2AB London, City Road 30
Expedia/Travelscape	USA, 10190 Las Vegas Covington Cross dr. Nv 89144
GULLIVERS TRAVEL ASSOCIATION	Egyesült Királyság, EC1M7GT London, Gullivers House,Goswell road 27.
Harmony Tours Kft.	Magyarország, 1136 Budapest Tátra utca 11. III./1.
Barceló Destination Services S. L.U	Spanyolország, 07080 Palma De Mallorca, Complejo Mirall Balear, Torre A, 5ª Planta, Camí Son Fangos, 100 07007
HotelTonight Inc.	USA, 94103 CA, San Francisco, 901 Market St, Ste 310
Kompas Touristik International Kft.	Magyarország, 1072 Budapest Rákóczi út 14.
Miki Travel Limited	Egyesült Királyság, EC4V3BJ London, Vintners Place, Upper Thames st 68.
Mondial GmbH&CoKG	Ausztria, A-1040 Operngasse 20b
Navarino Services Limited	Egyesült Királyság, OX29 0YN Witney Network Point, Range Road Unit 1D
OK-World Travel Service Kft.	Magyarország, 1137 Budapest Pozsonyi út 36.
Budapest Welcome Touristic	Magyarország, 1052 Budapest Kristóf tér 3.
Robinson Tours Kft.	Magyarország, 8230 Balatonfüred, Gombás köz 5.
Start Tourist 94 Kft.	Magyarország, 1051 Budapest Hercegprímás utca 11.
Stream2 B.V.	Hollandia, 5161 NR, Sprang Capelle, Waspiksedijk 14.
WebBeds FZ LLC t/a SunHotels	Egyesült Arab Emírségek, 07011 Dubai Dubai Media City Al Shatha Tower 1714-1715.
Thomas Cook Touristik GmbH	Svájc, CH-8808 Pfäffikon SZ, Poststrasse 4.
Tour Trading-91 Kft.	Magyarország, 1056 Budapest Nyári Pál utca 10.
Verecke Kft.	Magyarország, 2013 Pomáz, Mandics utca 2.
VOYAGE PRIVE SARL	Franciaország, 13100 Aix en Provence du Club Hippique, Le Patio avenue 684.

· Pursuant to Article 13/A (1) to (2) of the Ekertv.: The service provider may process the data of personal identity and address necessary to identify the person requesting the service for the purpose of establishing a contract on the provision of a service related to the information society, defining and modifying its content, monitoring its performance, billing the charges derived therefrom and enforcing claims related thereto. The service provider may process the natural data of personal identity related to the provision of a service related to the information society, address and data related to the date, time and place of use connected to the billing of charges derived from the contract on the provision of a service related to the information society.

(c) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);

· Pursuant to Article 166 (3) of the Sztv.: The accounting certificate must be issued at the date and at the time of the occurrence of the economic transaction or event, or the taking or execution of the economic measure, in Hungarian language.

· Pursuant to Article 169 (2) of the Sztv.: Accounting certificates directly and indirectly supporting the bookkeeping (including G / L accounts, analytical and / or detailed records), shall be preserved in a readable form for at least eight years, retrievable in a manner consistent with the accounting records.

Duration of the processing:
(a) In case of cancellation without legal consequences, the data will be deleted immediately;
(b) In case of failure to conclude a contract or termination of a contract for a period of five (5) years after the failure to conclude a contract or termination of the contract;
(c) In the case of issuance of accounting records, for 8 (eight) years from the date of issue;
(d) Until the guest's consent is withdrawn; Consequences of failure to provide data: no booking / contract is made for the given room.

Consequences of failure to provide data: room reservation will not be created.

Processing is required for the performance of the contract tot he following:

Company

Head Office

Type

Tasks

Lawfulness

Navarino Services Limited

Navarino House, Network Point, Range Road,

Witney, Oxfordshire, OX29 0YN,

United Kingdom

data processer

Owner of Navarino software integrated into the reservation system; manager of the Navarino Internet Reservation Engine (IBE)

Data management is required to perform the contract

Maistro Informatikai Kft.

1182 Budapest, Rudawszky u. 10.

data processer

Owner and developer of hotel and restaurant management software

Data management is required to perform the contract

1.4. Hotel Reservations by Phone

The Processor also sells the rooms of the Hotel via telephone, after which it requires a written confirmation / order from the guests.

Processed data categories	Purpose of processing	Lawfulness of processing
Name (Last name / First name)	Contacting the guest, Further contact, Identifying guests, Distinguishing guests from each other, Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Providing targeted service, Issuing an invoice, Complying with accounting obligations Establishing a contract, Defining and modifying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it	Consent Compliance with legal obligations Performance of the contract
Address (domicile or place of residence) [country, postal code, city, street, street number]
Phone Number	Contacting the guest, Further contact, Providing targeted service	Consent
E-mail address		Consent Performance of the contract
Information about the reservation (Date and time, Date of arrival, Date of departure, Number of adults, Number of children, Age of children, Board type, Room type, Payment method, Debit / Credit card details (Card number, Cardholder's name, Validity period, Cvv code), License plate number	Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Providing targeted service, Issuing an invoice, Complying with accounting obligations, Establishing a contract, Defining and modifying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it	Consent Compliance with legal obligations Performance of the contract

Lawfulness of processing:

(a) Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);
(b) Fulfilment of a contract - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (Article 6 (1) (b) of the GDPR);

· Pursuant to Article 13/A (1) to (2) of the Ekertv.: The service provider may process the data of personal identity and address necessary to identify the person requesting the service for the purpose of establishing a contract on the provision of a service related to the information society, defining and modifying its content, monitoring its performance, billing the charges derived therefrom and enforcing claims related thereto. The service provider may process the natural data of personal identity related to the provision of a service related to the information society, address and data related to the date, time and place of use connected to the billing of charges derived from the contract on the provision of a service related to the information society.

(c) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);

· Pursuant to Article 166 (3) of the Sztv.: The accounting certificate must be issued at the date and at the time of the occurrence of the economic transaction or event, or the taking or execution of the economic measure, in Hungarian language.
· Pursuant to Article 169 (2) of the Sztv.: Accounting certificates directly and indirectly supporting the bookkeeping (including G / L accounts, analytical and / or detailed records), shall be preserved in a readable form for at least eight years, retrievable in a manner consistent with the accounting records.

Consequences of failure to provide data: no booking / contract is made for the given room.

Data transmission:

Company	Head Office	Type	Tasks	Lawfulness
Maistro Informatikai Kft.	1182 Budapest, Rudawszky u. 10.	data processer	Owner and developer of hotel and restaurant management software	Data management is required to perform the contract

1.5. Check-in Process and Check-in

When Guests arriving at the Hotel prior to occupying the booked and confirmed room shall fill in a hotel check-in form, which contains the guest's personal information. The data of the check-in form is retained by the Controller on a hotel software and in hard copy.

Scope of processed data for guests arriving from third countries	Scope of processed data for guests arriving from EEA-states	Purpose of processing	Lawfulness of processing
Name (Last name / First name)		Contacting the guest, Further contact, Identifying guests, Distinguishing guests from each other, Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Providing targeted service, Issuing an invoice, Complying with accounting obligations, Establishing a contract, Defining and modifying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it, Complying with reporting obligations, record-keeping obligations and tax return	Consent Compliance with legal obligations Performance of the contract
Address (domicile or place of residence) [country, postal code, city, street, street number]
Phone Number		Contacting the guest, Further contact, Providing targeted service	Consent
E-mail address
Place and date of birth		Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Providing targeted service, Issuing an invoice, Complying with accounting obligations, Establishing a contract, Defining and modifying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it, Complying with reporting obligations and record-keeping obligations	Consent Compliance with legal obligations Performance of the contract
Mother’s name	-	Contacting the guest, Further contact, Identifying guests, Distinguishing guests from each other, Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Establishing a contract, Defining its content, Complying with reporting obligations and record-keeping obligations	Consent Compliance with legal obligations Performance of the contract
Sex	-	Complying with reporting obligations and record-keeping obligations	Consent Compliance with legal obligations Performance of the contract
Nationality
Passport ID number		Identifying guests, Distinguishing guests from each other, Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Establishing a contract, Defining its content, Complying with reporting obligations and record-keeping obligations	Consent Compliance with legal obligations Performance of the contract
Number of permit allowing entry or stay	-	Complying with reporting obligations and record-keeping obligations	Consent Compliance with legal obligations Performance of the contract
Place and time of entry	-
License plate number		Processing the room reservation request, Connecting the room and the guest concerned, Reserving the room concerned, Providing targeted service, Issuing an invoice, Complying with accounting obligations, Establishing a contract, Defining and modif ying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it	Consent Compliance with legal obligations Performance of the contract
Debit / Credit card details (Card number, Cardholder's name, Validity period, Cvv code)		Processing the room reservation request, Reserving the room concerned, Establishing a contract, Defining and modifying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it	Consent Performance of the contract

· Pursuant to Article 13/A (1) to (2) of the Ekertv.: The service provider may process the data of personal identity and address necessary to identify the person requesting the service for the purpose of establishing a contract on the provision of a service related to the information society, defining and modifying its content, monitoring its performance, billing the charges derived therefrom and enforcing claims related thereto. The service provider may process the natural data of personal identity related to the provision of a service related to the information society, address and data related to the date, time and place of use connected to the billing of charges derived from the contract on the provision of a service related to the information society.

(c) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);

· Pursuant to Article 166 (3) of the Sztv.: The accounting certificate must be issued at the date and at the time of the occurrence of the economic transaction or event, or the taking or execution of the economic measure, in Hungarian language.
· Pursuant to Article 169 (2) of the Sztv.: Accounting certificates directly and indirectly supporting the bookkeeping (including G / L accounts, analytical and / or detailed records), shall be preserved in a readable form for at least eight years, retrievable in a manner consistent with the accounting records.
· Pursuant to the authority as per Article 47 (1) (c) of the Stattv., Article 1 (a) of the OSTAPr. lays down a reporting obligation for legal persons engaged in economic activities in Hungary regarding data collection as per Section 2 (1) of Annex 12;
· Pursuant to the authority as per Article 1 (2) - (3), Article 9 (1) - (2) of the Önkr. states: the person obliged to collect the tax shall record in a register (guestbook) the number of guest nights spent and the amount paid for accommodation. The register must include the guest's name, address, the number of guest nights spent as well as the accommodation charges and the amount of the tax collected;
· Pursuant to Article 73 (1) to (2) of the Hmtv.: a third-country national must inform the immigration authority of his / her accommodation by communicating the following information: a) 15. the natural person identification data specified in Article 94; (b) the identification data of the travel document; (c) the address of the accommodation; d) the date of arrival to and expected departure from the accommodation; (e) the number of the visa or residence permit and (f) the date and place of entry. (2) The data of a thirdcountry national staying in a commercial accommodation or other accommodation maintained by a legal entity referred to in paragraph (1) shall be registered by the host according to the standard form (guestbook);
· Pursuant to Article 153 (1) to (2) of the Hmtv. vhr.: The guestbook as per Article 73 (2) of the Act, containing information on the data of third-country nationals, may be managed at accommodations under the Act on Commerce and at non-profit community recreation locations (hereinafter referred to as ‘Accommodation required to manage a guestbook’) by a manual method (in the form of a book) or by a computer.

Duration of the processing:
(a) In case of cancellation without legal consequences, the data will be deleted immediately;
(b) In case of failure to conclude a contract or termination of a contract for a period of five (5) years after the failure to conclude a contract or termination of the contract;
(c) In the case of issuance of accounting records, for 8 (eight) years from the date of issue;
(d) Until the lapse of the right of establishing taxes,
(e) Until the guest's consent is withdrawn;

Consequences of failure to provide data: no booking / contract is made for the given room.

Data transmission:

Name of the recipient	Head Office	Role	Data processing task	Legal basis
Hungarian Central Statistical Office	1024 Budapest, Keleti Károly utca 5-7.	Independent Controller	-	Compliance with legal obligations
Budapest Capital District V. Belváros-Lipótváros Municipality	1051 Budapest, Erzsébet tér 4.	Independent Controller	-	Compliance with legal obligations
Immigration and Asylum Office	1117 Budapest, Budafoki út 60.	Independent Controller	-	Compliance with legal obligations
Maistro Informatics Ltd.	1182 Budapest, Rudawszky u. 10.	Processor	Owner and developer of the hotel and restaurant management software	Processing is required for the performance of the contract

2. Processing Related to Services

2.1. Magnetic Card Access Control System

The Controller allows guests to access the Hotel areas, especially the reserved room by using a magnetic card. 16.

The Controller's employee enters into the Maistro management software used by the Controller data as per Sections 1.2 - 1.4. and the following data of the Guest

Processed data categories

Purpose of processing

Legal bases

Name (Last name / First name)

Personal and property protection, Prevention and detection of perpetration, Surprising the perpetrator, as well as proof of violations and the recording of the fact of entry

Consent Performance of the contract

Enforcement of a legitimate interest

and connects them with the data concerning the room number, magnetic card number, magnetic card recording date, arrival date (booking data), departure date (booking data).

After that, the employee of the Controller writes the magnetic card, which means that on the magnetic card the room number, the days of arrival and departure are being recorded. The personal data of the guest will not be recorded on the magnetic card.

Lawfulness of processing:
(a) Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);
(b) Fulfilment of a contract - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (Article 6 (1) (b) of the GDPR);
(c) Enforcement of a legitimate interest - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6 (1) (f) of the GDPR; the Controller has a legitimate interest in the protection of personal and property rights)

Duration of the processing:
(a) In case of reservation cancellation without legal consequences, the data will be deleted immediately;
(b) In case of failure to conclude a contract or termination of a contract for a period of five (5) years after the failure to conclude a contract or termination of the contract;
(c) Until the guest's consent is withdrawn;

Consequences of failure to provide data: no booking / contract is made for the given room.

Data transmission:

Company	Head Office	Type	Tasks	Lawfulness
Maistro Informatikai Kft.	1182 Budapest, Rudawszky u. 10.	data processer	Owner and developer of hotel and restaurant management software	Data management is required to perform the contract

2.2. Processing Related to Payment:

The Controller ensures that, in addition to or instead of cash, the Guest may settle up for the offset of the products / services from a bank account or debit card (including credit cards).

Processed data categories	Purpose of processing	Lawfulness of processing
Bank account number	Payment transactions, Hotel reservations or performance of a contract	contract Consent Performance of the contract
Cardholder's name
Card number
Expiry date
CVV code

Consequences of failure to provide data: no booking / contract is made for the given room.

Data transmission: the data is handled by the contractual partner of the Controller, details of which can be obtained from the website www.otp.hu.

Name	Head Office	Role	Data processing task	Legal basis
OTP Bank Nyrt.	1051 Budapest, Nádor utca 16.	Independent Controller	-	Processing is required for the performance of the contract

2.3. Shuttle Service

The Controller will arrange for the guest's transfer / airport shuttle transfer from the airport (Ferenc Liszt International Airport) to and from the Hotel prior to booking.

Processed data categories	Purpose of processing	Lawfulness of processing
Name (Last name / First name)	Contacting the guest, Further Contact Contact, Identifying the guest, Distinguishing guests from each other, Providing targeted service, Establishing a contract, Defining and modifying its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it	Compliance with legal obligations Performance of the contract
Date of arrival / departure
Flight number
Number of persons to be transported

· Pursuant to Article 13/A (1) to (2) of the Ekertv.: The service provider may process the data of personal identity and address necessary to identify the person requesting the service for the purpose of establishing a contract on the provision of a service related to the information society, defining and modifying its content, monitoring its performance, billing the charges derived therefrom and enforcing claims related thereto. The service provider may process the natural data of personal identity related to the provision of a service related to the information society, address and data related to the date, time and place of use connected to the billing of charges derived from the contract on the provision of a service related to the information society.

(c) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);

· Pursuant to Article 166 (3) of the Sztv.: The accounting certificate must be issued at the date and at the time of the occurrence of the economic transaction or event, or the taking or execution of the economic measure, in Hungarian language.
· Pursuant to Article 169 (2) of the Sztv.: Accounting certificates directly and indirectly supporting the bookkeeping (including G / L accounts, analytical and / or detailed records), shall be preserved in a readable form for at least eight years, retrievable in a manner consistent with the accounting records.

Consequences of failure to provide data: In such case no contract shall be concluded for the given service.

Data transmission:

Recipient

Head Office

Role

Data processing task

Legal basis

CAB Magyarország Zártkörűen Működő Részvénytársaság

2161

Csomád, Kossuth Lajos utca 79.

Processor

Direct delivery of a transfer service

Processing is required for the performance of the contract

2.4. Parking Service

In the case of a prior reservation, the Controller provides its guests with a parking service in its private parking lot for a specified period of time.

Processed data categories	Purpose of processing	Lawfulness of processing
Name (Last name / First name)	Contacting the guest, Further contact, Identifying guests, Distinguishing guests from each other, Providing targeted service, Establishing a contract, Defining and its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it	Consent Compliance with legal obligations Performance of the contract
Time of arrival and departure
License plate number

· Pursuant to Article 13/A (1) to (2) of the Ekertv.: The service provider may process the data of personal identity and address necessary to identify the person requesting the service for the purpose of establishing a contract on the provision of a service related to the information society, defining and modifying its content, monitoring its performance, billing the charges derived therefrom and enforcing claims related thereto. The service provider may process the natural data of personal identity related to the provision of a service related to the information society, address and data related to the date, time and place of use connected to the billing of charges derived from the contract on the provision of a service related to the information society.

(c) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);

· Pursuant to Article 166 (3) of the Sztv.: The accounting certificate must be issued at the date and at the time of the occurrence of the economic transaction or event, or the taking or execution of the economic measure, in Hungarian language.
· Pursuant to Article 169 (2) of the Sztv.: Accounting certificates directly and indirectly supporting the bookkeeping (including G / L accounts, analytical and / or detailed records), shall be preserved in a readable form for at least eight years, retrievable in a manner consistent with the accounting records.

Consequences of failure to provide data: In such case no contract shall be concluded for the given service.

2.5. Off-PremiseParking Service

In the case of a prior reservation, the Controller provides its guests with a parking service in an Off-Premise private parking lot for a specified period of time

Processed data categories

Purpose of processing

Lawfulness of processing

No of days for parking

Contacting the guest, Further contact, Identifying guests, Distinguishing guests from each other, Providing targeted service, Establishing a contract, Defining and its content, Monitoring its fulfilment, Billing derived charges and enforcing claims related to it

Consent

Compliance with legal obligations

Performance of the contract

License plate number

· Pursuant to Article 13/A (1) to (2) of the Ekertv.: The service provider may process the data of personal identity and address necessary to identify the person requesting the service for the purpose of establishing a contract on the provision of a service related to the information society, defining and modifying its content, monitoring its performance, billing the charges derived therefrom and enforcing claims related thereto. The service provider may process the natural data of personal identity related to the provision of a service related to the information society, address and data related to the date, time and place of use connected to the billing of charges derived from the contract on the provision of a service related to the information society.

(c) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);

· Pursuant to Article 166 (3) of the Sztv.: The accounting certificate must be issued at the date and at the time of the occurrence of the economic transaction or event, or the taking or execution of the economic measure, in Hungarian language.
· Pursuant to Article 169 (2) of the Sztv.: Accounting certificates directly and indirectly supporting the bookkeeping (including G / L accounts, analytical and / or detailed records), shall be preserved in a readable form for at least eight years, retrievable in a manner consistent with the accounting records.

Consequences of failure to provide data: In such case no contract shall be concluded for the given service.

Recipient	Head Office	Role	Data processing task	Legal basis
BLACK WILD SECURITY Kft.	1195 Budapest, Üllői út 283. I. em. 3.	Processor	parking services	Processing is required for the performance of the contract

2.6. Guestbook, Handling of Quality-Related Customer Complaints

The Controller provides the guest the opportunity to write an opinion, comment or complaint to be examined to the guestbook available at the reception desk, by simultaneously providing his / her data, or by the Controller taking minutes about the complaint.

Processed data categories (in particular in case of a complaint)	Purpose of processing	Lawfulness of processing
Name (Last name / First name)	Contacting the guest, Further contact, Providing targeted service Handling of quality complaints about the services provided by the Controller	Consent Compliance with legal obligations Performance of the contract
Address (place of residence) [country, postal code, city, street, street number]
Place, time and way of submitting the complaint
Detailed description of the guest complaint
List of records, documents and other evidence presented by the guest
Signature of the person who has written the minutes and
Place and date where the the signature of the guest minutes have been

Lawfulness of processing:
(a) Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);
(b) Fulfilment of a contract - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (Article 6 (1) (b) of the GDPR);
(c) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);

· Pursuant to Article 17/A (5) Fgytv.: the minutes drawn up on the complaint must include the following:
a) name and address of the consumer;
b) place, time and way of submitting the complaint;
c)a detailed description of the consumer's complaint, any records presented by the consumer, list of documents and other evidence;
d) a statement by the company on its position regarding the consumer complaint, in case the immediate investigation of the complaint is possible;
e) the name of the person drawing up the minutes and the signature of the consumer - with the exception of oral complaints communicated by phone or with the use of other means of electronic communication;
f) place and date where the minutes were recorded;
g) in case of oral complaints communicated via phone or with the use of other means of electronic communication, the unique identification number of the complaint.

· Pursuant to Article 17/A (7) Fgytv.: The company shall retain the minutes and the copy of the reply recorded on the complaint for five years, and it shall present them to the supervising authorities on request.

Duration of the processing:
(a) Minutes (on complaint) shall be retained for 5 (five) years following their record;
(b) Until the guest's consent is withdrawn;

Consequences of failure to provide data: the data subject cannot exercise his/her consumer rights.

Data transmission: The Controller shall retain the minutes and the copy of the reply recorded on the complaint, and it shall present them to the supervising authorities on request.

3. Protection of persons and property

3.1. Lost and Found Objects

The Controller keeps records of the objects found in the room and / or the lobby area after the guest has left.

Processed data categories	Purpose of processing	Lawfulness of processing
room number	Records of lost and found objects, Notification of the owner, Return of the object found	Consent Compliance with legal obligations
date of found
description of article
name of recipient

Lawfulness of processing:
(a) Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);
(b) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);

· Pursuant to Articles 5:54- 5:64 of the Ptk.: Items found in a building or room that are open to the public are to be handed over to the operator's staff without delay. Ownership of such a thing cannot be claimed by the finder. If the person authorized to receive the found item can be identified, the operator shall notify him/her and will hand it over to him/her without delay. If the person authorized to receive cannot be identified, the operator shall retain the item for three months after the handover or, if no retention is possible, to the notary within eight days of the handover. If the claimant does not appear for the item within three months, the operator or the notary shall sell it.

Duration of the processing:
(a) The data will be erased and destroyed upon receipt by the owner of the object found or in case of a handover to the notary following the handover;
(b) In the case of sales, following 1 (one) year from the date of the finding;
(c) Until the guest's consent is withdrawn;

Consequences of failure to provide data: the Controller cannot fulfil its statutory obligation.

3.2. Electronic Surveillance System

Within the Hotel area, the Controller operates an electronic surveillance system (video surveillance system). The security cameras are located as follows and serve the monitoring of the following areas / premises:

Camera Location	Monitored area
So street main entrance	public area at the main entrance
Above the So street elevator	Reception area
Above the reception	Reception/Main entrance
Bar wall	Bar Area
Lobby wall	Lobby area
Lobby wall	Lobby area
Restaurant wall	Restaurant area
Szarka street entrance	public area at Szarka street entrance
So street floor 1 above elevator	So street, floor 1 corridors
So street floor 2 above elevator	So street, floor 2 corridors
So street floor 3 above elevator	So street, floor 3 corridors
So street floor 4 above elevator	So street, floor 4 corridors
So street floor 5 above elevator	So street, floor 5 corridors
So street floor 6 above elevator	So street, floor 6 corridors
So street floor 7 above elevator	So street, floor 7 corridors
Szarka street floor 1 above elevator	Szarka street, floor 1 corridors
Szarka street floor 2 above elevator	Szarka street, floor 2 corridors
Szarka street floor 3 above elevator	Szarka street, floor 3 corridors
Szarka street floor 4 above elevator	Szarka street, floor 4 corridors
Szarka street floor 5 above elevator	Szarka street, floor 5 corridors
Szarka street floor 6 above elevator	Szarka street, floor 6 corridors
Szarka street floor 7 above elevator	Szarka street, floor 7 corridors
Garage wall	Garage area towards So street
Garage wall	Garage area towards Szarka street

Purpose of data processing:
the prevention and detection of perpetration for the protection of human life, physical integrity and property; surprising the perpetrator, as well as proof of perpetrations, the identification of unauthorized entrants to the Hotel, the recording of the fact of entry, the documentation of the activities of unauthorized persons, investigation of the possible occurrence of the circumstances of work and other accidents.

Lawfulness of processing:
(a) In case of entering the Hotel area, consent of the guest - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);
(b) Enforcement of a legitimate interest - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1) (f) of the GDPR; the Controller has a legitimate interest in the protection of personal and property rights)

Processed data categories:
the image of the persons entering the Hotel as well as other personal details recorded by the surveillance system.

Duration of data processing: 3 (three) days or more in case of legitimate interest.

Use of recordings:
Person authorized to view the current image of the cameras: the Controller's authorized employees.

Person authorized to view the camera recordings: the Controller's authorized employees.

Person authorized to record the camera recordings on a data carrier: the Controller's authorized employees. The stored recordings of the camera surveillance and recording system operated by the Controller can only be viewed by authorized persons solely for the purpose of demonstrating violations of human life, physical integrity and property as well as in order to identify the perpetrator. Any data subject whose right or legitimate interest is affected by the recording of an image can request with the justification of his or her right or legitimate interest the recording not to be cancelled or deleted by the Controller until the court or the authority is requested, but for a maximum of 30 days. The person on the record may ask for information about the recording made by the electronic surveillance system, request a copy, or if there is another person present in the recording, can gain insight into the recording. The data subject may request the deletion of the recording on him/her, the modification of the recording data or may object to the processing. The Controller records the insights into the stored recordings, the name of the person performing it, the reason and the time of gaining insight to the data by taking minutes.

Data transfer: in the case of an offense or criminal procedure, to the authorities, courts and tribunals that carry them out.

Scope of the transmitted data:
images taken by the camera system with relevant information.

Lawfulness of data transfer

· Pursuant to Article 71 (1) of the Be.: The court, the public prosecutor and the investigating authority may turn to a public and local government body, authority, public body, business organization, foundation, public foundation and association for the provision of information, disclosure, transfer of data or filing of records, and may set a period between eight and thirty days for its completion. The requested party must restore all encrypted and hidden data to their original state prior to delivery or disclosure, and give access to the data for the requesting party. The requested party must provide the data supply free of charge, including the processing of data, the recording of data in writing or in electronic form, and the forwarding of data. The requested party must comply with the request within the set deadline, unless the law requires otherwise, or give notification of the hindrance of performance.
· Pursuant to Article 151 (2) (a) of the Be.: the court, the public prosecutor or the investigating authority shall order, with the exception of the property, the impoundment of the item, information system, data medium or data contained in such a system, which constitutes a means of proof;
· Pursuant to Article 171 (2) of the Be.: a member of the authority and the official person, and if required by a separate law, the public body is obliged to denounce a criminal offense known to him/her under his /her authority - if the perpetrator is known by indicating the person. The denunciation must be accompanied by the evidence, if this is not possible, their retention must be ensured.
· Pursuant to Article 75 (1) (a) of the Szabstv.: the authority dealing with administrative offences, the body conducting the preparatory procedure, and, for the offense for which a fine may be imposed on the ground under the law, the person authorized to impose a fine may impound and may temporarily confiscate the item constituting a physical evidence;
· Pursuant to Article 78 (3) of the Szabstv.: the denunciation must include a description of the place and time of the act being denounced, the description of the circumstances of the offense, the indication of the evidence and the known personal data of the person being prosecuted. If possible, the evidence must be attached to the denunciation.

4. Other Types of Processing

4.1. Logging of the https://boutiquehotelbudapest.com/ Server

When visiting the website https://boutiquehotelbudapest.com/, the web server automatically logs user activity.

Processed data categories	Purpose of processing	Lawfulness of processing
Date	While visiting the site, the Controller logs the visitor data in order to check the functionality of the services and to prevent abuse.	Consent Enforcement of a legitimate interest
Time
User IP
IP of visited page
IP of previously visited page
Data related to the operating system of the user

Lawfulness of processing:
(a) Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);
(b) Enforcement of a legitimate interest - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1) (f) GDPR; the Controller has a legitimate interest in the safe operation of the website)

Duration of the processing: 90 (ninety) days after having visiting the site

Data transmission:

Recipient	Head Office	Role	Data processing task	Legal basis
MORGENS Design Ltd.	8800 Nagykanizsa, Csányi László utca 2.	Processor	Logging information necessary to operate the site, to enable funcionality of visitor data and the website	Processing is required for the performance of the contract
PIARSOFT Kft.	1134 Budapest, Csángó utca 4/b	Processor	Web domain and storage service, website development, and maintenance	Processing is required for the performance of the contract

Further information: the Controller does not link the data generated by the analysis of the log files with other information and does not attempt to identify the user. The addresses of the pages visited, as well as the date and time data are not suitable themselves for identifying the data subject, but after linking to other data (such as those provided during registration) they may be utilised to draw conclusions about the user.

Data processing of external service providers related to logging:
the html code of the portal contains hyperlinks from and to an external server, independent from the Controller. The server of the external service provider is connected directly to the user's computer. We are reminding our visitors that the providers of these links are able to collect user data (e.g. IP address, browser and operating system details, cursor movement, visited page title, and time of visit) due to direct connection to their server and direct communication with the user's browser. The IP address is a series of numbers by which the computers and mobile devices of users on the Internet can clearly be identified. IP addresses can also geographically locate a visitor using that computer. The addresses of the pages visited, as well as the date and time data are not suitable themselves for identifying the data subject, but after linking to other data (such as those provided during registration) may be utilised to draw conclusions about the user.

4.2. Application for Employment

The application materials, which contain the personal data of the data subjects and which are needed to fill any vacant positions on an ad hoc basis, are handled confidentially by the Controller. By voluntarily submitting your application, you agree that the Controller will store and manage the personal data he / she is aware of, until the end of the selection procedure. If you withdraw your application at your own discretion, personal data recorded during the procedure will be deleted immediately.

V. Cookie Information

In order for the Controller's website to work as efficiently as possible, the Controller uses cookies, primarily the so-called session cookie, which is required to browse the site, use the features and enables, among other things, the user operations related to functions or services on the given site to be remembered. Without using ‘session cookies’, the smooth use of the website cannot be guaranteed. Their expiration date extends for the duration of that visit, cookies are automatically deleted at the end of the session or when the browser is closed.

Otherwise, via the cookies a website recognizes recurring users and allows the Controller to collect data about its user behavior, for example, in which country the user has accessed the site, its browser software and operating system, its IP address, the pages it has viewed on the site and the features it has used.

A cookie is an information package of variable content sent by the web server that is stored on the user's computer and provides an opportunity to query some of its data. Cookies are short text files placed by the viewed websites on a user's computer browser, cell phone, or other device providing Internet access. Cookies will not connect to your system and will not harm your files. Cookies may be ‘permanent’ or ‘temporary’ ones. The permanent cookie is stored by the browser for a specific time, provided that the user does not delete it prior to that, while the temporary cookie is not stored by the browser and is automatically deleted by closing the browser. Cookies are ‘passive’, that is, they do not contain executable files, viruses or spyware, and do not have access to the user's hard drive data. Please note that these cookies alone cannot identify the visitor personally.

You can delete your cookie from your computer at any time or disable it in your browser settings.

VI. Data processors

In general, only employees of the Controller have direct access to personal data provided by the data subjects.

The Controller primarily transmits personal data of the data subject to such addressees that are established within the European Union or which provide adequate guarantees (such as an EUUS Privacy Shield) that their data processing meets the requirements of GDPR. In addition, for destinations outside the European Union, out of administrative reasons personal data may be transmitted to a third country. The transmission of data is legitimate pursuant to Article 49 (1) (b) of the GDPR, given that the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request.

In accordance with Article 13 (2) (f) of the GDPR, we hereby inform you that in the data processing activities of the Controller, no automated decision-making or profiling will take place.

6.1. Permanent Data Processors

Name and address of the data processor	Purpose of data processing	Processed data categories
Navarino Services Limited Navarino House, Network Point, Range Road, Witney, Oxfordshire, OX29 0YN, United Kingdom	Owner of the Navarino software, integrated into the booking system; the manager of the Navarino Internet Booking Engine (IBE)	1. pontban megjelölt adatok
Maistro Informatics Ltd. 1182 Budapest, Rudawszky u. 10	Owner and developer of the hotel and restaurant management software	The data indicated in Section 1
MORGENS Design Ltd. 8800 Nagykanizsa, Csányi László utca 2	2 Logging information necessary to operate the site, to enable functionality of visitor data and the website	The data indicated in Section 4.1
PIARSOFT Ltd. 1134 Budapest, Csángó utca 4 / b	Hosting services, site development and maintenance	The data indicated in Section 4.1
NPN.HU Ltd. 1183 Budapest, Szil utca 11	Accounting	The data required for carrying out of the accounting tasks indicated in Section 1
CAB Magyarország Zrt. 2161 Csomád, Kossuth Lajos utca 79.	Transfer service	The data indicated in Section 2.3
BLACK WILD SECURITY Kft. 1195 Budapest, Üllői út 283. I. em. 3.	Parking service	The data indicated in Section 2.5
TELLUM Informatikai és Szolgáltató Kft. 2473 Vál, Petőfi Sándor utca 88.

The Processor shall perform the processing in accordance with the instructions of the Controller, may perform no substantive decisions regarding processing, may process personal data that he or she has knowledge of only in accordance with the terms of the Controller, it may not perform data processing for its own purposes and is obliged to store and preserve personal data as required by the Controller. The Processor may not involve any further data processor without the prior or written authorization of the Controller.

VII. Social Media Plug-Ins

The website may contain plug-ins (‘plug-ins’) of TripAdvisor LLC (400 1st Avenue Needham, MA 02494, USA; ‘TripAdvisor’), Facebook Inc. (1601 S. California Ave, Palo Alto, CA 94304, USA; ‘Facebook’ and ‘Instagram’); YouTube LLC), Google LLC ( 1600 Amphitheater Parkway in Mountain View, California, USA, ’Google+’), and Pinterest Inc. (651 Brannan Street, San Francisco, CA 94103) / Pinterest-Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland). The related services are provided by TripAdvisor, Facebook, YouTube, Google+ or Pinterest (collectively referred to as ‘Service Providers’). The plug-in will forward to the Service Providers information on which websites you have opened. If you are logged in to your user account while browsing our Website, Service Providers can compare the information you are interested in (that is, information you have reached) with your user account. When using plug-in functions (for example commenting), the browser will forward this information directly to the Service Providers for retention.

For more information about Facebook's privacy policy, please see the link below: http://www.facebook.com/policy.php

For more information about TripAdvisor's privacy policy, please see the link below: https://tripadvisor.mediaroom.com/UK-privacy-policy

For more information on privacy policies of Google+ and YouTube, please see the link below: https://policies.google.com/privacy?hl=hu

If you want to avoid that the Service Providers link the visiting of our website to your user account, you must log out of the user accounts prior to opening our website.

VIII. Data Security Measures and the Way Data Is Processed

The Controller shall ensure that the data security is proportionate to the risk and shall take the technical and organizational measures and establish the procedural rules, which are necessary to enforce the provisions of the GDPR, the Infotv. and other privacy and data protection rules. 34. The Controller shall protect data by risk-proportionate measures against any unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as any unintentional destruction or damage or unavailability resulting from a change in the technique used. Within this framework, the Controller stores your personal information in a passwordprotected and / or encrypted database. The Controller protects the data within the framework of a risk-proportional protection with firewalls, antivirus software, encryption mechanisms, content filtering, and other technical and process solutions. Privacy incidents are being continuously monitored.

The Controller stores hard copy and personal data files in a lockable room equipped with fire and property protection. Manually handled documents containing personal data are filed in order to fulfil the retention obligation of the Controller, which room shall also be a lockable area with fire and property protection.

IX. Rights of the Data Subject and Enforcement Options

You may exercise your rights listed in the following points by submitting an oral or written request to the Controller. The contact details of the Controller are provided in Section II of the Policy.

1. Information on the Treatment of Your Personal Data
At the request of the data subject, the Controller shall provide information on the data it manages or a data processor has processed upon its assignment or its commission, their source, the purpose of the processing, its legal basis and duration, the name and address of the Processor, activities related to processing, conditions and effects of the privacy incident as well as the preventative measures taken, and in case of the transmission of the data subject's personal data, the legal basis of the transfer and its recipient. Upon the data subject’s request, the Controller shall provide information in writing, in a clearly understandable form.as soon as possible, but no later than 25 days following the submission of the request.

2. Access to Personal Data
The data subject has the right to be informed by the Controller if any of its personal data are being processed, and if so, it has the right to access such personal data and the following information:
a) the purposes of processing;
b) the categories of the personal data concerned;
c) the recipients or categories of recipients to whom or which personal data were disclosed or will be disclosed, including in particular third country recipients or international organizations;
d) where appropriate, the intended duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
e) the right of the data subject to request the Controller rectification, erasure or restriction of the processing of its personal data, and to object to the processing of its personal data;
f) the right to lodge a complaint addressed to a supervisory authority;
g) if the data was not collected from the data subject, all available information about their source;
h) he fact of an automated decision-making, including profiling, and at least in such cases, the logic used and the understandable information about the nature of such processing and the likely consequences regarding the data subject.

Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed about the appropriate guarantees regarding the transfer.

On request, the Controller shall provide the data subject with one copy of the processed personal data. The Controller may charge the data subject a reasonable administration fee for any additional copies by. If the application has been submitted electronically, the information should be provided in a widely used electronic format, unless otherwise requested by the data subject.

The right to request a copy should not adversely affect the rights and freedoms of others.

3. Right to Rectification
The data subject shall have the right to make the Controller rectify its incorrect personal data immediately. Taking into account the purpose of processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.

4. Right of Erasure (so-called ‘right to be forgotten’):
The data subject shall have the right to request the Controller erasure of its personal data without undue delay and the Controller shall delete the personal data of the data subject without undue delay, if one of the following reasons exists:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws its consent on which the data processing is based, and there is no other legal ground for the processing;
c) the data subject objects to the data processing, and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation as per a Union or Member State law to which the Controller is subject;
f) the personal data have been collected in relation to the offering of information society services.

If the Controller has made the personal data public and is obliged pursuant to the above to erase such personal data, by taking account of available technology and the cost of implementation, the Controller shall take reasonable steps to inform Controllers processing the data that the data subject has requested the erasure by such controllers of any links to those personal data, or their copy or replication.

Deletion of data cannot be initiated if processing is required for the following reasons: to exercise the right to freedom of expression and the right of information; the fulfilment of an obligation under a Union or Member State law for the processing of personal data, applicable to the Controller, or for the performance of a task carried out of public interest or in the exercise of a public authority delegated to the Controller; for the purpose of archiving, scientific and historical research or for statistical purposes in the public health field, out of public interest; or for the submission, enforcement or protection of legal claims.

5. Right to Restriction of Processing
The data subject shall have the right to request that the Controller restrict the processing if one of the following conditions is met:
a) the data subject contests the accuracy of the personal data; such restriction shall be valid for a period enabling the Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the submission, enforcement or protection of legal claims;
d) the data subject has objected to processing; in this case, such restriction shall be valid for a period until it is determined whether the legitimate grounds of the Controller override those of the data subject.

Where processing has been restricted pursuant to the above, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the submission, enforcement or protection of your legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Prior to the discontinuation of the limitation of processing, the Controller informs the data subject at whose request the processing has been restricted.

The Controller shall inform each recipient of any rectification, erasure or restriction related to processing, whom or which the personal data have been disclosed to, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, the Controller informs it on the recipients.

6. Right to Data Portability
The data subject shall have the right to receive personal data to be provided to the Controller in a widely used, machine-readable format and shall be entitled to transfer these data to another Controller without being obstructed by the Controller to whom it has provided personal information, if:
a) the processing is based on the consent of the data subject or a contract; and
b) the processing is carried out in an automated way. In exercising the right to data portability as described above, the data subject is entitled to request the direct transfer of personal data between Controllers, if technically feasible. The exercise of this right shall be without prejudice to the right to erasure. This right does not apply in the case where the processing is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. The right referred to in this paragraph shall not adversely affect the rights and freedoms of others.

7. Right of Withdrawal
The data subject has the right to withdraw its consent to the processing of its personal data at any time, the exercise of which right does not affect the lawfulness of the processing performed on a basis of a consent prior to withdrawal.

8. Lodging a Complaint with a Supervisory Authority
In order to enforce the right to the protection of personal data, it is possible to apply to the National Data Protection and Information Authority, based on which application a proceeding of the data protection authority can be launched. If the proceeding of the data protection authority is preceded by an investigation based on notification, the notifying person shall be notified of the initiation or termination of the data protection authority proceedings.

Name: National Authority for Data Protection and Freedom of Information
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C
Mailing address: 1530 Budapest, P.O. Box 5
Phone number: +36 1 391 1400 Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Homepage: http://www.naih.hu 38.

9. Right to Apply to the Courts

The data subject may apply to the court in case of violations of its rights. Such court proceedings shall be conducted under priority. The Controller shall demonstrate that processing is in compliance with the law. The lawsuit can be initiated by the data subject, according to its choice, before the competent court of domicile or place of residence. Also such party may be involved in the action which otherwise has no legal capability in the lawsuit. For the sake of success, the National Authority for Data Protection and Freedom of Information can intervene in the case in question.

If the court upholds the application, the Controller is required to provide information, rectification, blocking, deletion of data and annulment of the decision by automated data processing and taking into account the right of protest of the data subject.

The court may order the disclosure of its judgment by publishing the identifying data of the Controller by publishing it, if it is required by the interests of data protection and by a greater number of data subjects protected by this Act.

X. Information on a Privacy Incident (Breach)

If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject of the privacy incident without undue delay.

The information provided to the data subject must clearly and easily disclose the nature of the privacy incident and shall include at least the name and contact details of the informing contact person, the likely consequences of the privacy incident and any actions taken or planned by the data controller to remedy the privacy incident, including measures to mitigate the possible adverse consequences of the privacy incident.

The data subject shall not be informed if any of the following conditions are met:
a) the Controller has implemented appropriate technical and organizational protection measures and applies these measures to data covered by the privacy incident, in particular measures such as the use of encryption that make it impossible for persons who are not entitled to gain access to personal data;
b) the Data Controller has taken further measures following the privacy incident to ensure that the high risk for the rights and freedoms of the data subject is no longer likely to be realized;
c) the provision of the information would involve a disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information or a similar measure shall be taken to ensure that information of the data subject is equally effective.

If the Controller has not yet notified the data subject of the privacy incident, the supervisory authority may, after considering whether the privacy incident is likely to pose a high risk, impose the informing of the data subject or determine whether one of the necessary conditions has been met. 39.

XI. Final Provisions

We hereby inform you that, for the purpose of providing information, transferring information or submitting documents, other bodies may turn to the Controller, by virtue of the authority of the court, the public prosecutor, the investigating authority, the offending authority, the administrative authority and the National Data Protection and Information Authority.

The Controller will provide to the authorities only the extent of personal data essential for the implementation of the objective of the inquiry, if the authority has specified the objective and the scope of the data.

Detailed information on processing activities not included in the Policy is given when data is recorded. The Controller reserves the right to modify the contents of this Policy at any time. Amendments to this Policy shall enter into force upon being disclosed on the Website, thus we recommend that you periodically review the content of the modifications made.