PRIVACY POLICY
OF KOLPING HOTEL KFT.

1. The purpose of the policy

The aim of the policy is to provide information for the data subject, taking into consideration the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: Info Act) and the provisions of Regulation 2016/679/EU of the European Parliament and the Council [GDPR], about the personal data processed by the controller defined in point 2, about the aim of data processing, its method, and about any other fact about the processing of data, especially but not limited to the rights regarding the processing of personal data, and about the possibilities for legal remedy.

2. Name, registered office, representative of the controller

• Name: Kolping Hotel Kft.
• Registered office: 8394 Alsópáhok, Fő utca 120.
• Legal representative: Baldauf Csaba, chief executive officer
• Contact person regarding data protection issues: Nyírő Judit, deputy director for operation

3. Name, contact information and legal status of the data protection officer

• Dr. Morvay Boldizsár - dpo@kolping.hotel.hu

Legal status of the data protection officer:
The controller shall assure that the data protection officer takes part properly and in a timely manner in any and all issue that is in connection with the protection of personal data. Resources have to be provided for keeping the data protection officer professionally well- informed regarding data protection.
The data protection officer may not accept any instruction from anyone regarding its duties. Neither the controller, nor the processor may dismiss the data protection officer, nor may they penalize him or her for performing his or her tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.
The data protection officer may fulfil other tasks and duties, but any such task and duty shall not result in a conflict of interests.

Tasks of the data protection officer:

• Informs and advises professionally the controller or the processor and the employees who carry out the processing of data;
• monitors compliance with the policies of the controller or processor in relation to the protection of personal data;
• provides advice where requested as regards the data protection impact assessment and monitors its performance;
• cooperates with the supervisory authority.

4. Legal acts regarding data processing

- Article VI of the Fundamental Law of Hungary;

- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: “Info Act”);

- Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

5. Definitions used in the present policy

• processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
• processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
• controller (service provider): the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
• personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
• biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
• recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
• data subject: the natural person whose personal data are processed
• consent of the data: subject any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
• GDPR: Regulation 2016/679/EU of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
• third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
• Info Act: Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information
• employee: any person, contractor and their agents who are in an employment relationship with the Service Provider or any other relationship the aim of which is performing work, especially contracts for providing services or agency contracts. 
• profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
• personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
• special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation

6. Data protection impact assessment

The controller shall be responsible for performing the data protection impact assessment regarding the rights and freedoms of natural persons, by assessing the source, nature, specifications and gravity of the risk. When deciding what measures are suitable for substantiating that the processing of personal data is in line with the GDPR, the findings of the impact assessment shall be taken into account. The controller shall consult the National Authority for Data Protection and Freedom of Information (NAIH) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of suitable measures in terms of the available technology and the costs of execution taken by the controller to mitigate the risk. In case it shall be necessary in the future to perform data protection impact assessment regarding high risk data processing, it shall be performed by using the open source software (original name: “PIA” software, hereinafter referred to as: impact assessment software) published by the French data protection authority (Commission Nationale de l'Informatique et des Libertés, hereinafter referred to as: CNIL), which is also recommended by NAIH.

The controller shall prepare a separate policy regarding the data protection impact assessment.

7. Test of weighting interests - in case of data processing based on legitimate interest

In case of data protection based on legitimate interest (GDPR Section 6 (1) f)) the weighting of interests shall be concluded based on NAIH/2015/3731/2/V állásfoglalás. According to this, the test of weighting of interests is a process consisting of several steps, during which the legitimate interest of the data processor, and as the counterpoint of weighting, the interest of the data subject, the given fundamental right have to be identified, and finally based on the weighting, it has to be established whether the personal data may be processed or not.

Steps to be applied when performing the test of weighting interests:

• 1. step - examining whether the data processing is necessary, or it can be managed otherwise
• 2. step - the most accurate definition of the legitimate interest
• 3. step - defining the purpose of data processing, and the kind of personal data that is processed and for how long
• 4. step - establishing the aspects of the data subjects
• 5. step - performing the weighting

The controller shall prepare a separate policy regarding the test of weighting interests.

8. Processing and protecting personal data

8. 1. Tasks and competence, responsibilities of the controller

The primary controller shall compensate any damage which a person may suffer as a result of processing the personal data of the data subject unlawfully, or as a result of breaching the requirements regarding technical data protection. The controller shall be held liable towards the data subject for the damage caused by the processor as well. The controller shall be exempt from liability for damages if he or she proves that the damage was caused by unavertable reasons beyond the processing of data. No compensation shall be paid where the damage was caused by intentional or severely negligent conduct on the part of the person whose rights had been violated.

8.2. Tasks and competence, responsibilities of the processor

The rights and responsibilities of the processor regarding the processing of personal data shall be laid down by the controller in line with the present policy and with the applicable legal regulations. The processor shall be liable for the processing, modification, deletion, forwarding and disclosing of the personal data within the sphere of its activities and the boundaries laid down by the controller. It has to be included in the agreement concluded with the processor that based on the provisions of the controller, the processor may use another processor according to the provisions of the controller when performing its processing activities, and that it is possible to immediately terminate the agreement if the provisions relating to data processing are breached.

9. Principles and fundamental provisions

• Principle of lawfulness, fairness and transparency:
  (Any collection and processing of personal data should be lawful and fair, also transparent for the data subject.)
• Principle of purpose limitation:
  (According to the Info Act, personal data may be processed only for specified purposes, for the implementation of certain rights or obligations. All stages of data processing operations shall have to be in line with the purpose of processing. The personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.)
• Principle of data minimisation:
  (Based on the principle of minimisation, the controller may only process personal data that is necessary in relation to the purposes for which they are processed)
• Principle of accuracy:
  (Data processed by the controller shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.)
• Principle of storage limitation:
  (Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.)
• Principle of integrity and confidentiality:
  (Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.)
• Principle of accountability:
  (The controller shall be responsible for, and be able to demonstrate compliance with the principles and rules of data processing.)
• Principle of security of personal data:
  (The controller shall plan and perform data processing so that the privacy of the data subjects is protected when applying the provisions of the Info Act and other provisions relating to data processing. The controller shall provide the security of data, it shall take any and all necessary technical and organizational measures and shall establish those procedural rules that are necessary for the enforcement of the provisions of the Info Act and other data protection and confidentiality rules. By using appropriate technical or organizational measures, the controller shall protect the data by appropriate measures, especially against unauthorized access, modification, forwarding, disclosure, deletion or destruction, against accidental destruction or damage, against becoming accessible because of change in the applied technology. For the protection of data sets stored in different electronic filing systems, the controller and within its scope of activities the processor shall implement appropriate technical measures to prevent - unless this is permitted by law - the interconnection of data stored in these filing systems and the identification of the data subjects. In order to maintain security and to prevent processing an infringement of the GDPR, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account state of the art science and technology and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

10. Rights of the data subjects

• The right of access:
  (The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and information about the circumstances regarding processing. The controller shall provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
• Right to rectification:
  (The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her, and to request that incomplete personal data are completed.)
• Right to erasure:
  (The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
  • a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of GDPR, and where there is no other legal ground for the processing;
  • c) the data subject objects to the processing pursuant to Article 21(1) of GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) of GDPR;
  • d) the personal data have been unlawfully processed by the controller;
  • e) the personal data have to be erased for compliance with a legal obligation;
  • f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of GDPR (conditions applicable to child's consent).

The controller shall not erase the data if data processing is necessary based on one of the reasons below:

• • a) for exercising the right of freedom of expression and information;
  • b) for compliance with a legal obligation regarding the processing of personal data;
  • c) for the establishment, exercise or defence of legal claims.
    
    
• Right to restriction of processing:
  (The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
  • a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  • b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is liftedRight to object : (The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) of GDPR, including profiling based on those provisions. In this case the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.)
• Right to data portability:
  (The data subject shall have the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) of GDPR or on a contract pursuant to point (b) of Article 6(1) of GDPR; and b) the processing is carried out by automated means.)

11. Detailed rules regarding data processing

11. 1. Providing information regarding data processing

Data subjects shall have the right to obtain information about the processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.

The information that is provided has to contain the following:

• the identity and contact information of the controller
• the contact information of the data protection officer
• the purpose of the processing of personal data, and the legal base for data processing
• the legitimate interests if data processing is based on “legitimate interests”
• the recipients of personal data
• the planned duration of data processing
• the rights of the data subject
• whether the submission of data is a prerequisite for the conclusion of the agreement, and what consequences it may have if the data are not provided
• if relevant, automated decision making, including profiling as well
• the legal remedies available for the data subjects.

11.2 The lawfulness of data processing

Processing shall be lawful if the controller has at least one of the following legal bases that applies for data processing:

• the data subject has given consent to the processing of his or her personal data
• processing is necessary for the performance of a contract to which the data subject is party
• processing is necessary for compliance with a legal obligation to which the controller is subject
• processing is necessary in order to protect the vital interests of the data subject
• processing is necessary for the performance of a task carried out in the public interest
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

11.3 The scope of personal data processed by the controller, the purpose of data processing, the duration of data processing shall be found in the register of data processing activities that form Annex 1 of the present policy, which shall be disclosed by the controller on its homepage.

The register of data processing activities shall contain:

• the purpose of data processing,
• the types of data,
• the legal base for processing,
• the data subjects,
• the sources of data,
• the type of data forwarding, its recipients and legal base,
• the time limit for the erasure of the given data type,
• if data are processed, the data of the processor, the place of processing, the activities of the processor in connection with data processing.

Regarding the data processing activities indicated in the data processing register, separate privacy policies have been prepared, which form Annexes 1-21 of the register.

11. 4. Duration of data processing

Data shall be stored for the shortest possible time. When establishing this time limit, the controller’s data processing purpose, as well as legal regulations applicable for the storing of data have to be taken into consideration.

11. 5. Internal transmission of data

Personal data may only be transmitted within the controller’s organization in line with the principle of purpose limitation, and right to access may only be given if there is a proper purpose.

11. 6. Data transmission for third persons

Personal data may only be transmitted to any third person based on law, or under the consent of the data subject, provided that the conditions regarding data processing are fulfilled regarding all personal data. Controller has to examine before transmitting the data whether the legal conditions are met, and that the conditions for data processing are met regarding any and all personal data following the transmission. Before transmitting data for the same controllers, regarding the same data subject, with the same purpose, the data protection officer shall be involved in the examination whether the transmission is lawful or not. No separate examinations are needed regarding transmissions subsequent to this. The data protection officer shall keep a data transmission register regarding transmissions, and shall store it in line with the regulations. The data transmission register has to be stored until the end of the fifth year following the year when the data communication or transmission was made (in special cases, for twenty years).

The register of data transmission shall contain:

• the time of the transmission of the personal data processed by the data transmitter,
• the scope of transmitted data,
• the legal base and recipient of data transmission (name, address, registered seat),
• name and phone number of the person responsible for data transmission.

11.7 Transmitting data abroad or to third countries

Before the transmission of data, the controller - together with the data protection officer - has to examine whether the legal conditions are met, and that the conditions for data processing are kept regarding any and all personal data following the transmission.

11.8 Special data, including biometric data are not processed by the data controller.

12. Personal data breach

According to GDPR, personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

12.1 Reporting personal data breach

As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the competent supervisory authority (NAIH) about the personal data breach without undue delay and, where feasible, not later than 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If reporting is not performed within 72 hours, the reasons that justify the delay have to be attached as well.

12.2 Investigating and handling personal data breach

The data protection officer inspects the reporting, requests data from the person making the reporting, who shall fulfil this request within 2 working days.

The provision of data has to include:

• time and place of data breach
• the description, circumstances and effects of data breach
• the scope and volume of data included in the breach
• the persons involved in connection with the data
• the description of measures taken in order to avert the breach,
• the description of the measures taken in order to prevent, avert, mitigate the damage.

The data protection officer shall make a suggestion regarding the necessary measure. The person responsible for the processing of data shall inform the data protection officer within two days following the performance of the given measures about the specific measures taken regarding averting personal data breach

12.3 Register of personal data breach

The controller shall keep a register on breaches of personal data. According to GDPR, the controller shall provide suitable technical and organizational measures in order to be able to explore and evaluate vulnerabilities and security breaches. Thus the controller, above documenting personal data breach, shall use suitable processes and measures to explore and handle security breaches in time.

13. Modification of the present policy

The present policy shall enter into force on 30 November 2018. The controller is entitled to modify the policy unilaterally - provided it is not against the law. The policy is available at the registered office of the controller.

Alsópáhok, 30. November 2018