Effective 25 May 2018
1. INTRODUCTION AND DEFINITIONS
This policy applies to the processing of personal data relating to hotel services provided by Penres a.s. Magyarországi Fióktelepe, Batthyány Lajos utca 7, Esztergom 2500; The Company manages your specific personal data and special data, defining the purpose and means of the data processing and therefore is a data controller (the "Data Controller" or "Company"). The Company may share and process this information with its contractors; for the purposes of data processing, data processing contracts have been concluded between themselves under Article 28 of the GDPR, which guarantee the rights of all data subjects for processing.
Personal data: any information relating to an identified or identifiable natural person ("data subject"); identifiable by a natural person who, directly or indirectly, in particular by reference to one or more factors such as name, number, function, online identification or one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of the physical persons identified.
Special Information: Data that identifies you based on your racial or ethnic origin, religion, political or philosophical beliefs or trade union membership, as well as information about your health or sexual life, genetic data, or biometric information that uniquely identifies a person.
Contractual partner: a natural person with whom the Company has concluded a contract in the framework of its business activities.
Data management: any operation or combination of operations, whether automated or not, performed with personal data or files, such as collecting, recording, systematizing, segmenting, storing, transforming or altering, obtaining, accessing, using, communicating, disseminating or otherwise item, alignment or connection, restriction, deletion, or destruction.
Data controller: any natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.
Recipient: any natural or legal person, public authority, agency or any other authority to which personal data has been supplied, whether or not it is a third party. Public authorities having access to personal data in the context of a special investigation in accordance with the law of a Member State shall not be considered as recipients; the treatment of such data by such public authorities shall comply with the applicable data protection rules applicable for processing purposes.
Third party: any natural or legal person, public authority, agency or any other body which is not the data subject, data controller, data processor or persons authorized to process personal data under the direct control of the data controller or data processor.
2.TYPES OF PERSONAL DATA COLLECTED
During the establishment and existence of a contractual relationship, the data controller may manage your personal data, in particular those that you have communicated to the company prior to the contractual relationship or during the contractual relationship to establish a contractual relationship (see below). In particular, the operator shall process the following types of personal data:
- identification information such as your full name, photo, date of birth, social security number, gender, and other
- contact information such as home address, postal address, personal phone numbers and email addresses, bank account details, payment details, contact details the person designated by the person to be contacted in the event of an emergency.
3. PURPOSE AND LEGAL BASIS OF PERSONAL DATA PROCESSING
The Data Controller collects and uses your personal information for the purpose of performing a contract that you have concluded or has already concluded between you and the company or for the purposes of an insurance contract. The data shall be processed in accordance with Article 6 (2). 1, par. (B) GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and the free movement of such data). is not bound by your consent.
In cases where the processing of personal data is not necessary for the performance of the contract, the Data Controller may, in limited cases, explicitly request consent to a particular use of your personal data. In any case, if the data controller requests your consent, you can refuse your consent and revoke it at any time.
Please note that consent to the processing of personal data of children under the age of 16 is required with the consent or consent of the parent exercising parental responsibility for the child.
For the sake of completeness, please note that the data controller may collect and use personal data (pursuant to Article 6 of the GDPR without consent) if necessary for other legitimate purposes, such as:
- exercise other legitimate interests of the data controller;
- investigating incidents or breaches of legal obligations that may arise;
- cases necessary to comply with laws and regulations, such as the collection and provision of data in accordance with legal requirements or tax regulations, or at the request of the police;
- is subject to judicial authorization or in the exercise or defense of the legal rights of the data controller;
- cases necessary to protect your vital interests (or others).
4. RECIPIENTS OF PERSONAL DATA
The Data Controller may also share your personal information with third-party data processors, including:
- those who supply data controller products or services (for example, financial and legal advisors, other consultants, data storage support providers and information systems);
- other third parties, if the sharing of personal data (1) with your consent or (2) is necessary to (i) fulfill legal obligations, (ii) assert or present an actual or potential claim, or (iii) protect your vital interests (or (iv) for the performance of contracts between the data controller and a third party.
The Data Controller may also disclose your personal data (including sensitive data) to its contractors.
5. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
Personal data will not be disclosed to third countries or international companies.
6. DURATION OF DATA STORAGE
Your personal information will only be kept for as long as is necessary to achieve the objectives set out in this policy and in this privacy statement (or for any other purpose that you have been notified to you) or for a period specified in third party contracts, applicable law or other company policy.
In particular, the Data Controller seeks to ensure that your personal data is stored and, where necessary, securely deleted or destroyed in accordance with the Controller's internal regulations and legal requirements.
7. DATA PROTECTION RIGHTS
As an interested party, you have the following rights:
- the right of access to your personal data (Article 15 of the GDPR),
- the right to rectify personal data (Article 16 of the GDPR),
- the right to delete personal data (Article 17 of the GDPR),
- the right to limit data management (Article 18 of the GDPR),
- the right to data portability (Article 20 of the GDPR),
- the right to object to data processing (Article 21 of the GDPR),
- the right to be exempted from automated decision-making,
- the right to withdraw consent to data management,
- the right to lodge a complaint with the following authorities:
National Privacy and Information Office:
H-1125 Budapest, Erzsébet Szilagyi Avenue 22 / c, Hungary, tel.: +36 1 391 1400, +36 1 391 1410, firstname.lastname@example.org
Applicable privacy standards
Please note that there may be restrictions and exceptions to the data subject's rights. If a claim is made, the data controller will try to work with you to negotiate any exceptions or restrictions. If you have any questions about your rights or would like to address the need to exercise your rights to personal data set out in this policy, please contact the contact persons below in writing.
8. CONTACT REGULATOR
If you have any questions or comments regarding this information or the data administrator's privacy practices, please feel free to contact us at email@example.com.
The Data Controller has the right to change the text of this policy and privacy statement at any time by posting a new version on its website.