PRIVACY NOTICE
(Booking)

1. Name, seat and representative of the controller

• Name: Kolping Hotel Kft.
• Seat: 8394 Alsópáhok Fő út 120.
• Statutory representative: Csaba Baldauf Managing Director
• Contact person in relation to data protection matters: Judit Nyírő Deputy Director responsible for operation

2. Data protection officer

• Dr. Boldizsár Morvay - dpo@kolping.hotel.hu

3. Definition of the processed data

- name, e-mail address, phone number, address, number of persons who wish to use the service, number of children who wish to use the service and their age provided by the data subject

4. Purpose of processing

- booking of a hotel service, communication with regard to the booking and sending informational messages necessary for the performance of the contract.

5 Legal basis for processing

- performance of the contract (point (b) of Article 6(1) of the GDPR)

6. . Legal consequences of failure to provide data

If the controller cannot fulfil the booking, data processing will not take place.

7. Transfer of personal data

a.) the data will only be transferred to data-processing company operating the online quotation and booking systems; the name of that processor: Morgens Design Kft. seat: 8800 Nagykanizsa, Csányi László utca 2.

b.) for the purpose of providing the electronic mail sending function, the following data processor, located in a third country outside the European Union, will process data for sending informational messages necessary for the performance of the contract. The name of the data processor: ActiveCampaign, LLC; registered office: 1 North Dearborn Street, 5th floor, Chicago, IL 60602.

c.) data will also be transferred to the following banks that carry out bank transactions: – OTP Bank Nyrt, (H-1051 Budapest, Nádor utca 21.) OTP Mobil Kft. (H-1143 Budapest, Hungária krt. 17.) K&H Bank Zrt. (H-1095 Budapest, Lechner Ödön fasor 9.)

d.) the e-mail address and phone number will be transferred within the European Union in encrypted (SHA-256 hash algorithm), non-reversible form for statistical and analytical purposes and for personalised advertising to the following company:
– Google Ireland Limited (address: Google Building Gordon House, Barrow St, Dublin 4, Ireland)

e.) the e-mail address and phone number will be transferred to a third country, to the following company in encrypted (SHA-256 hash algorithm), non-reversible form for statistical and analytical purposes and for personalised advertising:
– META Inc (1601 WILLOW ROAD MENLO PARK, CA 94025-USA)
– Microsoft Inc (One Microsoft Way. Redmond, Washington 98052-6399-USA)

8. Data transfer and its legal basis

– with regard to the transfer of data under 7.a.c: performance of contract
– with regard to the transfer of data under 7.b.d.e: the data subject’s consent

9. Duration of the processing of personal data

• the controller will process the personal data acquired during the booking until the purpose of the processing exists, namely until the contractual relationship with the data subject exists. The following data shall be excluded:
  • name, address: Article 169 of Act C of 2000 on Accounting - for 8 years
  • name and age of guests: due to local tax liability, until the last day of the 5th year following the current year as set out in Article 78 (3) and Article 202 (1) of Act CL of 2017 on the Rules of Taxation
• if the booking is unsuccessful, data will be processed until the day it becomes unsuccessful.
• any data that is not included in the scope of data set out above in point 3 but has been sent by the data subject either by e-mail or mail, will be erased immediately

10. Information about the rights of the data subject

The data subject shall have the right:

• to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
• to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
• to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if certain other conditions are met.
• to obtain from the controller restriction of processing if
  • the accuracy of the personal data is contested by the data subject /the restriction lasts until the controller verifies the accuracy of the personal data,/
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
• to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract, and it is carried out by automated means.
• where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
• not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

11. Information about profiling, automated decision-making

- profiling and automated decision-making do not take place

12. Data storage, data security

The controller and the organisation involved as a processor store the data on their own computing devices which are held at the registered seat, and in the case of the processor, they can be found in a server farm. The controller and processor choose and operate their IT devices so that the data processed could be accessed by the authorised persons, their credibility and validation remain assured, it could be verified that they had not been modified and they are protected against unauthorised access. Data are protected against unauthorised access, modification, transfer, disclosure, erasure or destruction as well as accidental destruction, damage and unavailability due to the change of the applied technology in such a way that, by having regard to the current technological development, the controller takes care of the protection of processing security with technological, organisational and structural measures that provide an adequate level of protection against the risks associated with processing.

13. Right of access to the competent authority

In the event of any breach of their rights, the data subject may have recourse to court against the controller. The reconsideration of the legal action falls within the competence of the regional court (Contact detail of Zalaegerszeg Regional Court: 8900 Zalaegerszeg Várkör u 2.). At the data subject’s option, the action can be brought to the regional court in whose jurisdiction the data subject’s home address or temporary residence is located. Such cases will be given priority by the court.

You may lodge an appeal or a complaint to the Hungarian National Authority for Data Protection and Freedom of Information. Name: Hungarian National Authority for Data Protection and Freedom of Information Seat: 1055 Budapest, Falk Miksa utca 9-11. Postal address: 1363 Budapest, Pf.: 5. Phone: 06.1.391.1400 Fax: 06.1.391.1410 E-mail: ugyfelszolgalat@naih.hu Website: http://www.naih.hu

14. How to access the Privacy Policy

The Privacy Policy of the controller is available at https://kolping.hotel.hu/en/privacy-policy.