This Privacy Policy (hereinafter referred to as the “Policy”) is provided by Noémi Havasi, the accommodation provider (hereinafter referred to as the “Data Controller”), as the owner of BORHÁZ APARTMAN (address: Eger, Koszorú street 69.)
The Data Controller considers itself legally bound by the rules, provisions and obligations described in this Privacy Notice and applies them in its operations and declares that the data protection rules and procedures described and applied in this document comply with the applicable national and European Union data protection legislation. The Data Controller further declares that it attaches importance to the right to informational self-determination, in particular with regard to personal data, and that it will take all available organisational, operational, regulatory and technological measures within its sphere of influence to respect and enforce these rights.
The Data Controller may change the Privacy Notice at any time, subject to the obligation to publish it and to inform the Data Subjects.
1. Data and contact details of the Data Controller
- Name: Havasi Noémi
- Address: 3300 Eger, Koszorú utca 69.
- Contact details: info@borhazapartman.hu; +36703633309
- Tax number: 66687287-1-30
- NTAK registration number: MA19013645
2. Personal data processed by the Data Controller and their use
2.1. Administrative data
Data processed in case of contact by phone or email or direct booking on the borhazapartman.hu website:
- Name
- e-mail address
- phone number
Purpose of data processing: contact.
Legal basis for processing: consent of the Data Subject (acceptance of the Privacy Policy).
2.2. Data related to the use of the borhazapartman.hu website (Browser Cookie)
The HTTP cookie is a small data packet that is created by the server containing the visited website during the internet browsing process via the client’s web browser, on the first visit, if enabled in the browser. Cookies are stored on the user’s computer in a predefined location, which varies according to the browser type. On subsequent visits, the browser sends the stored cookie back to the web server, together with various information about the client. Cookies allow the server to identify the user, collect various information about the user and analyse it. The main functions of cookies are:
- collect information about visitors and their devices;
- They remember visitors’ individual preferences, which are used, for example, when they make online transactions, so that they do not have to be re-entered;
- make it easier, simpler, more convenient and smoother to use the website;
- make it unnecessary to re-enter data already entered;
- generally improve the user experience.
By using cookies, the Data Controller carries out data processing, the main purposes of which are:
- user identification
- identification of individual sessions
- identification of the devices used for access
- storing certain data provided
- storing and transmitting tracking and location information
- storage and transmission of data required for analytical measurements
Purpose of processing: to improve the functioning of the website
Legal basis for processing: opt-in consent of the Data Subject.
2.3. Data required for the use of the accommodation
Purpose of data processing:
- To issue an invoice
- To report turnover to the National Tourist Information Centre
Data used
- name, address, price of the service, payment method chosen, date of use of the service
- name, sex, date and place of birth, nationality, municipality, date of arrival and departure
Legal basis/Law
- Paragraph (2) of Article 169 of the Invoice Act
- Government Decree 235/2019 (X. 15.)
3. Purpose, method and legal basis of processing
3.1 General data processing policy
The Data Controller processes personal data in the data processing operations listed in section 2, in each case for the purposes and on the basis of the legal basis specified in the data processing operation.
The processing of personal data is always carried out with the Data Subject’s voluntary consent, which the Data Subject has the right to withdraw at any time.
The Data Controller is obliged, by law, in certain cases and under certain unusual conditions, to process, transfer, transmit, store certain personal data in a manner different from that described in the Data Processing. In such cases, the Data Controller shall ensure that the Data Subjects are notified, where this is permitted or not expressly prohibited by the relevant legal provisions.
3.2. Legal basis for the processing
The Controller processes personal data on the basis of the following legislation:
- GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) Act V of 2013 – Civil Code (Civil Code);
- Act CXII of 2007 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Info tv.);
- Act V of 2013 on the Civil Code (hereinafter: Civil Code);
- Act LIII. of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (hereinafter: Pmtv.);
- Act C of 2000 on Accounting (hereinafter: Accounting Act);
- Act CLV of 1997 on Consumer Protection (hereinafter referred to as the “Consumer Protection Act”);
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: Eker tv.);
- Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising Activities (hereinafter referred to as ‘Act XLVIII;)
- the CL Act of 2017 on the Rules of Taxation (hereinafter referred to as “CL Act”);
- Act CXVII of 1995 on Personal Income Tax (hereinafter: the Personal Income Tax Act);
- Act C of 1990 on Local Taxes (hereinafter referred to as the “Act on Local Taxes”);
- Municipal Decree No. 11/2012 (III.30.) of the General Assembly of the Municipality of the City of Eger (hereinafter: Municipal Decree) on the Tourist Tax.
4. Data storage and security
The Data Controller stores personal data on its integrated IT system. The elements of the system are located in the following geographical, physical locations:
Data Controller’s address: 3300 Eger, Kallómalom u. 32.
The Data Controller processes personal data primarily on its IT system, which is adequately built and protected. In the operation of the IT system, it ensures an adequate level of basic information security attributes of the data stored, processed and transmitted thereon, such as the data processed:
- Integrity, authenticity and integrity of the data;
- Confidentiality (Confidentality), only those authorised to have access to it, to the extent that they are not authorised to do so;
- Availability, the data is accessible and available to the right holders for the expected period of availability. The necessary IT infrastructure is available and operational.
5. Transmission, processing, access to data
The Data Controller shall not disclose or transfer the data to third parties other than those listed in point 2.
6. Rights of the data subject
The Data Subject may exercise, inter alia, the rights described below in relation to the personal data processed by the Controller.
6.1 Right of access of the Data Subject (Article 15 GDPR)
The Data Subject has the right to receive feedback from the controller as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and the following information:
- the purposes of the processing;
- the categories of personal data of the Data Subject;
- the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
- the envisaged duration of the storage of the personal data;the right to lodge a complaint with a supervisory authority;
- the Data Subject’s right to rectification, erasure or restriction of processing and to object to processing;
- the right to lodge a complaint with a supervisory authority;
- where the data have not been collected from the Data Subject, any available information about their source;
- the fact of automated decision-making, including profiling, and the logic used and clear information on the significance of such processing and its likely consequences for the Data Subject.
The Data Controller shall provide the Data Subject with 1 copy of the personal data subject to processing. For additional copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs. If the Data Subject has made the request by electronic means, the Controller shall provide the information in a commonly used electronic format, unless the Data Subject requests otherwise, within a maximum of 30 days of the date of submission.
6.2 Right of rectification (Article 16 GDPR)
The Data Subject shall have the right to obtain, upon request and without undue delay, the rectification of inaccurate personal data relating to him or her and the right to obtain the integration of incomplete personal data, having regard to the purposes of the processing.
6.3 Right to erasure (Article 17 GDPR)
The Data Subject shall have the right to obtain from the Controller, upon his or her request, the erasure of personal data relating to him or her without undue delay and the Controller shall be obliged to erase personal data relating to the Data Subject without undue delay where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Controller;
- the personal data have been collected in connection with the provision of information society services.
The erasure of data cannot be initiated if the processing is necessary:
- for the exercise of the right to freedom of expression and information;
- to comply with an obligation under Union or Member State law to which the controller is subject to which the processing of personal data is subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
- on grounds of public interest in the field of public health;
- for archiving, scientific and historical research or statistical purposes carried out in the public interest;
- for the establishment, exercise or defence of legal claims.
6.4 Right to restriction of processing (Article 18)
At the Data Subject’s request, the Controller shall restrict processing if one of the following conditions is met:
- the Data Subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the data and requests instead the restriction of their use;
- the Controller no longer needs the personal data for the purposes of processing but the Data Subject requires them for the establishment, exercise or defence of legal claims; or
- the Data Subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the Data Subject.
Where processing is subject to restriction, personal data other than storage may be processed only with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
6.5 Right to data retention (Article 20)
The Data Subject has the right to receive the personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and to transmit such data to another Controller.
6.6 Right to object (Article 21)
The Data Subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data, including profiling based on the aforementioned provisions. In such a case, the Controller may no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests or rights of the Data Subject or for the establishment, exercise or defence of legal claims.
6.7 Automated decision-making in individual cases, including profiling (Article 22)
The Data Subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
6.8 Right of withdrawal
The Data Subject has the right to withdraw his/her consent to the processing of his/her personal data at any time.
6.9 Remedies
In the event of a breach of his/her rights, the Data Subject may request information, seek redress or lodge a complaint via the contact details provided in point 1. If these are unsuccessful, the Data Subject is entitled to take legal action or apply to the National Authority for Data Protection and Freedom of Information.
Contact details of the National Authority for Data Protection and Freedom of Information (NAIH)
- Name: National Authority for Data Protection and Freedom of Information (NAIH)
- Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
- Postal address: 1530 Budapest, PO Box 5.
- Tel: +36 (1) 391-1400
- Fax: +36 (1) 391-1410
- E-mail: ugyfelszolgalat@naih.hu
- Website: http://www.naih.hu
8. Other provisions
In the event of a request by a public authority or other body based on other legal obligations, the Data Controller may be obliged or required to disclose data. In such cases, the Controller shall endeavour to disclose only such personal data as is strictly necessary for the purposes of the obligation to disclose.
16th June 2024.