Relating to hotel management and guests
This Privacy Policy (“Policy”) is to inform data subjects in compliance with Article 13 AND 14 of Regulation (EU) 2016/679 (General Data Protection Regulation) of the EU Parliament and Commission in relation to the processing of personal data during the course of providing and preparing hotel services.
Company name of data controller: ZIPAR Hungary Kft. (hereinafter referred to as: “Controller”)
Official Seat: 1054 Budapest Kálmán Imre utca 19.
Mailing address: 1054 Budapest Kálmán Imre utca 19.
Tax ID number: 13776912-2-41
Registration Number: 01-09-872603
Represented by: Tamás Flesch, Managing Director
Hotel1: Hotel Parlament
Email address: hotel@parlament-hotel.hu
Phone number: +36 1 374 6000
Fax: +36 1,373 08 43
Website: www.parlament-hotel.hu
Hotel2: Hotel Palazzo Zichy
Email address: info@hpz.hu
Phone number: +36 1 235 4000
Fax: +36 1 235 4009
Website: www.hotel-palazzo-zichy.hu
During the pursuit of its hotel management activities the Controller shall process the personal data of the following natural persons (hereinafter referred to as: Data Subjects): guests
The Controller shall process the following personal data relating to the Data Subject:
The Data Subject shall disclose the data to be processed to the Controller by the following channels:
The Controller shall obtain personal data for processing from the following source(s):
Personal data processing is necessary for the purpose of preparing and performing a contract for the provision of hotel services (hereinafter referred to as: the “Contract”).
Purpose of personal data processing:
The duration of data processing shall be the same as the preparation and in case of concluding a contract the performance thereof, except for the following cases:
With regard to the fact that the Controller is unable to prepare and perform the contract without disclosure of the above personal data the Data Subject shall be obliged to provide them to the Controller. Failure to do so may result in the Controller refusing to prepare or perform the contract with the Data Subject.
In the event of failure to conclude a contract or the termination of a contract the Controller shall not erase the personal data from its database. Data entered into Fidelio shall be anonymized after 1 year.
The Controller shall control the Data Subject’s personal data for the purpose of compliance with the following legal regulations for the following lengths of time:
With consideration to the fact that the data processing described in this section is the Controller’s legal obligation, the provision of such personal data is mandatory and refusal to provide the data may result in refusal to conclude the Contract or execute the Contract.
The Controller shall control the Data Subject’s personal data on the grounds of legitimate interests for the following purposes and for the following lengths of time:
The purpose of data processing under this section is to enable the Controller to exercise his legitimate interests.
The duration of data processing shall be the same as the preparation and in case of concluding a contract the validity thereof.
With consideration to the fact that the data processing described in this section is the Controller’s or third party’s legitimate interest, the provision of such personal data is mandatory and refusal to provide the data may result in refusal to conclude the Contract or execute the Contract.
Personal data shall be processed on the basis of the Data Subject’s consent (voluntary expression of explicit will, based on specific and proper information). The Data Subject shall give his or her consent to the Controller on the check-in card or the guest satisfaction questionnaire.
Consent shall be voluntary and the Data Subject shall have the right to revoke his or her consent at any time without restrictions via a written notification to the Controller. The Data Subject may send his or her written notification to either of the contact details contained in section 1 of the Privacy Policy.
Revoking his or her consent shall result in no consequences to the Data Subject. However, revoking his or her consent shall not affect the lawfulness of data processing on the grounds of consent prior to revoking it.
The Controller does not pursue automated decision-making, including profiling.
The Controller shall transmit the Data Subject’s personal data to the following persons and organizations (data processors):
The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and if so, access to the personal data and the following information:
Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.
The Controller shall have the right to request clarification or specification of the requested information or data processing activities from the Data Subject prior to responding to the Data Subject’s request.
In the event that the Data Subject’s right of access set forth in this section adversely affects the rights and freedoms of other persons, especially their business secrets or intellectual properties, the Controller shall have the right to refuse the Data Subject’s request to the extent that is necessary and proportionate.
Where the Data Subject requests several copies of the above information, the Controller may charge a reasonable and proportionate fee based on administrative costs.
If the Controller does not process the personal data specified by the Data Subject, the former shall also inform the Data Subject of this fact in writing.
The Data Subject shall have the right to request the rectification of inaccurate personal data concerning him or her. The Data Subject shall have the right to have incomplete personal data completed.
Upon exercising his or her right of rectification/completion the Data Subject shall indicate exactly which data are inaccurate or incomplete and shall also communicate to the Controller the correct and complete data. The Controller has the right to request that the Data Subject provide proper proof of the rectified data, primarily with proper documentation.
The Controller shall perform the rectification of inaccurate personal data without undue delay the.
Following rectification of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.
The Data Subject shall have the right to request that the Controller erase his or her personal data without undue delay where one of the following grounds applies:
The Data Subject shall submit his or her request relating to erasure in writing and shall specify the reason for requesting the erasure of each personal data.
In the event that the Controller grants the Data Subject his or her request of erasure, the former shall erase the specified personal data from all databases and duly inform the Data Subject of it.
Where the Controller is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. In its communication the Controller is obliged to inform the other controllers that the Data Subject had requested the erasure of all links to or copies of his or her personal data, as well as any copies thereof.
Following erasure of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.
The Controller is not obliged to erase the personal data in cases where the processing is necessary:
The Data Subject shall have the right to request that the Controller restrict the processing or use of his or her personal data without undue delay where one of the following grounds applies:
Where processing has been restricted, such personal data shall, with the exception of storage, shall only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State.
A Data Subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.
Following restriction of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.
Considering that the Controller does not perform any data processing carried out in the public interest and has no official authority, does not pursue scientific or historical research and does not process data for statistics purposes, the right to object may be exercised on the grounds of data processing on the grounds of legitimate interests.
In the event that the the personal data of the Data Subjects are processed on the grounds of legitimate interests it is an imperative guarantee that the Data Subject shall be ensured proper information regarding the data processing of his or her data and his or her right to object. The Data Subject shall be expressly informed of this right latest at the time of initial contact.
The Data Subject is entitled to object to the processing of his or her personal data on the above grounds and in such cases the Controller shall no longer have grounds to lawfully process the Data Subject’s personal data, except in cases where it can be demonstrated that:
The Data Subject is entitled to object to the processing of his or her personal data for direct market purposes, however, unlike in the case of data processing on the grounds of other legitimate interests, where the Data Subject objects to processing for direct marketing purposes the Controller shall not have the right to examine whether it still has any other grounds to proceed with the processing.
Where the Data Subject objects to processing for direct marketing purposes, the Controller shall no longer process the Data Subject’s personal data for such purposes.
During profiling the personal aspects of the Data Subjects are evaluated with the use of any form of automated processing. Such evaluations are suitable to analyze or predict aspects concerning the Data Subject’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
The right to object also includes profiling on the grounds of legitimate interests in the form of special data processing operations. Where profiling is done for purposes relating to direct marketing the Controller shall no longer perform profiling of the Data Subject on the basis of his or her personal data upon the objection of the Data Subject.
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller.
The right to data portability may only be exercised in relation to the personal data provided by the Data Subject to the Controller and
Otherwise, in cases where it is technically possible, the Controller shall directly transmit the Data Subject’s personal data to another controller designated in the Data Subject’s written request. The right to portability as defined in this section does not give rise to an obligation for the controllers to introduce or maintain technically compatible data processing systems.
With regard to data portability the Controller shall provide the data media required to transfer the data to the Data Subject free of charge.
In the event that the Data Subject’s right to data portability adversely affects the rights and freedoms of other persons, especially their business secrets or intellectual properties, the Controller shall have the right to refuse the Data Subject’s request to the extent that is necessary and proportionate.
Measures taken in relation to data portability do not mean the erasure of the data. The Controller shall store the data up to the point that the Controller has relevant purposes and sufficient legal grounds to do so.
The Data Subject shall have the right to request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
The Data Subject shall not have the right to request exemption from decision based on automated data processing if the decision is necessary for entering into, or performance of, a contract, or if the decision is based on the Data Subject’s explicit consent or is made possible by EU or member state law.
In cases where the automated data processing is necessary for the purposes of entering into, or performance of, a contract or is based on the Data Subject’s decision, the Data Subject shall have the right to request human intervention from the part of the Controller, express his or her views and have the right to contest the decision.
During the course of its data processing activities the Controller shall implement all measures to avoid the inclusion of special categories of personal data in automated decision-making processes. However, in cases where this cannot be avoided special categories of personal data can only be used for automated decision-making if the data processing is based on the Data Subject's consent or is necessary due to substantial public interest or EU or member state law.
The Data Subject shall have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information if he or she considers that the processing of his or her personal data by the Controller infringes on the effective data protection legislation, especially the GDPR.
The contact details for the National Authority for Data Protection and Freedom of Information:
Website: http://naih.hu/
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mailing address: 1530 Budapest, Pf.: 5.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Email address: ugyfelszolgalat@naih.hu
The Data Subject shall have the right to lodge a complaint with other supervisory authorities, in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement.
Without prejudice to his or her right to lodge a complaint, the Data Subject shall have the right of access to the courts where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data.
Proceedings against the Controller shall be brought before the courts of Hungary, as its activities are based in Hungary.
Pursuant to § 22. (1) of the effective Information Act, the Data Subject may also bring proceedings before the courts where the Data Subject has his or her place of habitual residence. The contact details of the Hungarian courts are available at: http://birosag.hu/torvenyszekek.
Since the Controller does not qualify as a public authority acting as an official authority of any member state, the Data Subject may bring proceedings before the courts with jurisdiction and authority at the place of the Data Subject’s place of residence in the event that his or her habitual residence is in another EU member state.
The Data Subject shall have the right to mandate a not-for-profit body, organization or association which has been properly established in accordance with the law of an EU Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise on his or her behalf the right to receive compensation, the right to an effective judicial remedy against a supervisory authority or to bring a legal suit in front of the courts.
Where the Controller has reasonable doubts regarding the identity of the person making the request relating to sections 4.1 – 4.6 of this Policy, the Controller may request that the Data Subject provide access to additional information needed to verify his or her identity.
The Controller reserves the right to modify this Policy at any time. The Controller shall notify the Data Subject of such modifications at least 8 days prior to their entering into force via publishing on its website
* * *
Budapest, December 17, 2018
Tamás Flesch, Managing director
Savim Hungary Szolgáltató Kft.