PRIVACY NOTICE
(upon guest check-in)

1. Name, seat and representative of the controller

• Name: Kolping Hotel Kft.
• Seat: 8394 Alsópáhok Fő út 120.
• Statutory representative: Csaba Baldauf Managing Director
• Contact person in relation to data protection matters: Judit Nyírő Deputy Director responsible for operation

2. Data protection officer

• Dr. Boldizsár Morvay - dpo@kolping.hotel.hu

3. Definition of the processed data

3.1 accommodation user 
-        surname and given name;
-        surname and given name at birth;
-        place and date of birth, sex, nationality;
-        mother’s maiden name;
-        identifying details of identification document or travel document;
for third-country nationals, visa or residence permit number, date and place of entry;
3.2. address of the accommodation, start and expected end date of stay;
3.3. registration number
3.4. phone number
3.5. e-mail address
3.6. number of previous hotel stays (application for regular’s programme)
3.7. usage data of the room key card
3.8. information about having food allergy

4. Purpose of processing

• Name, address required for billing
• Data in Sections 3.1 and 3.2 are necessary to comply with legal requirements (to protect the rights, safety and property of the data subject and of others, and to monitor compliance with the provisions on the residence of third-country nationals and persons having the right of free movement and residence)
• Data in Section 3.3 (vehicle registration number) is required for parking
• The purpose of data in Section 3.4 (telephone number) is to ensure that the guest can be reached during their stay
• Data in Section 3.5 (e-mail address) is requested for marketing purposes
• The purpose of processing data in Section 3.6 (number of stays to date) is to ensure the guest’s participation in the loyalty programme
• Data in Section 3.7, i.e. the hotel key card usage data, is required for asset protection purposes
  Information on food allergies in Section 3.8 is required to ensure meals that are appropriate for the guest’s state of health

5. Legal basis for processing

• as regards name and address, the fulfilment of legal obligations laid down in Article 169 of Act C of 2000 on Accounting - point (c) of Article 6(1) of the GDPR
• as regards the name and age of service users, the fulfilment of legal obligations laid down in Articles 30 and 31 of Act C of 1990 on Local Taxes - point (c) of Article 6(1) of the GDPR
• In the case of data in Sections 3.1 and 3.2, compliance with the legal obligation under the provisions of Article 9/H of Act CLVI of 2016 on State Functions Pertaining to the Development of Tourism Regions – Article 6 (1) (c) of the GDPR
• as regards the e-mail address and phone number as well as the identity card No. and nationality, the data subject’s consent - point (a) of Article 6(1) of the GDPR
• as regards the registration number, the performance of the contract - point (b) of Article 6(1) of the GDPR
• the data subject’s consent in respect of regular customer data – Article 6 (1) (a) of the GDPR
• as regards the data of the room key card, the legitimate interest of the controller - point (f) of Article 6(1) of the GDPR

6. Legal consequences of failure to provide data

- the data subject cannot use the controller’s service, thus the processing will not take place.

7. Transfer of personal data

7.1.
Data pursuant to Sections 3.1. and 3.2 are transferred to the Hungarian Tourism Agency, the operator of the Closed Guest Information Database system (Vendég Információs Zárt Adatbázis, VIZA), i.e. the tourism hosting service provider, who is the data processor of the accommodation provider with regard to the data received in the system.
In this capacity, the Hungarian Tourism Agency, as the data processor

1. shall manage the guest data solely on the basis of the instructions of the accommodation provider, and may only carry out operations in relation to them in accordance with the Tourism Act and Article 14 of Government Decree No. 235/2019 (X. 15) on the Implementation of the Act on the State’s Responsibilities Regarding the Development of Tourism Regions;

2. shall ensure that its employees performing duties related to its functions as tourism hosting service provider are bound by confidentiality obligations in relation to guest data;

3. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk by encrypting data and therefore preventing its employees from accessing guest data;

4. shall not engage another data processor without prior specific or general written authorisation of the accommodation provider;

5. taking into account the nature of the processing, shall assist the accommodation provider by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of its obligations in relation to the exercise of the rights of the data subject;

6. shall assist the accommodation provider in compliance with its obligations regarding security of processing and handling of possible incidents, taking into account the nature of processing and the information available to the processor;

7. after the termination of the data processing relationship, act in accordance with the accommodation provider’s instructions on guest data and copies thereof, unless the data processor is required by law or by a binding legal act of the European Union to continue to store the guest data;

8. shall provide the accommodation provider with all the information necessary to verify compliance with the obligations set out in the data processing relationship and to enable and assist any checks, including on-site inspections, carried out by the accommodation provider or by a person authorised by the accommodation provider;

9. shall inform the accommodation provider without delay if the data processor believes that any of their instructions infringe the provisions on the protection of personal data.

Pursuant to statutory authorisation, only the police may carry out targeted searches of encrypted data stored in the VIZA system by electronic means. Searches may be initiated for the purposes of law enforcement, crime prevention, the protection of public order, public safety, the order of state borders, the rights, safety and property of the person concerned and others, and the conduct of search under wanted notice. As a result of the search, the police will only be able to obtain certain information about the person who meets their search criteria, such as the accommodation provider where the person is registered as a user, when the person arrived and when the person is expected to leave or has left. Subsequently, the police may request – by stating the purpose of the request – the transfer of other data processed by the accommodation provider, who shall provide the requested data free of charge.

7.2.
the data will only be transferred to data-processing company operating the online quotation and booking systems; the name of that processor: Flexys Kft. seat: 1037 Budapest, Máramaros utca 23/a

7.3. 
the e-mail address will be transferred within the European Union in encrypted (SHA-256 hash algorithm), non-reversible form for statistical and analytical purposes and for personalised advertising to the following company:
– Google Ireland Limited (address: Google Building Gordon House, Barrow St, Dublin 4, Ireland)

7.4. 
the e-mail address will be transferred to a third country, to the following company in encrypted (SHA-256 hash algorithm), non-reversible form for statistical and analytical purposes and for personalised advertising:
– META Inc (1601 WILLOW ROAD MENLO PARK, CA 94025-USA)
– Microsoft Inc (One Microsoft Way. Redmond, Washington 98052-6399-USA)

8. Data transfer and its legal basis

- Fulfilment of legal obligation in respect of Section 7.1
- In respect of Section 7.2: performance of contract (operation of hotel management system)
- In respect of Sections 7.3 and 7.4: the data subject’s consent

9. Duration of the processing of personal data

• billing name, address – 8 years
• data in Sections 3.1 and 3.2, except for the name and address on the invoice – by the last day of the first year following the date on which data were made available
• e-mail address – until unsubscription, until the withdrawal of processing
• registration number, phone number and the data of the room key card until departure
• data of earlier stay – until withdrawal

10. Information about the rights of the data subject

The data subject shall have the right:

• to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
• to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
• to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay if certain other conditions are met.
• to obtain from the controller restriction of processing if
  • the accuracy of the personal data is contested by the data subject /the restriction lasts until the controller verifies the accuracy of the personal data,/
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the controller no longer needs the personal data, but they are required by the data subject for the establishment, exercise or defence of legal claims.
  • the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
• to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract, and it is carried out by automated means.
• where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
• not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

11. Information about profiling, automated decision-making

- profiling and automated decision-making do not take place

12. Data storage, data security

The controller and the organisation involved as a processor store the data on their own computing devices which are held at the registered seat, and in the case of the processor, they can be found in a server farm. The controller and processor choose and operate their IT devices so that the data processed could be accessed by the authorised persons, their credibility and validation remain assured, it could be verified that they had not been modified and they are protected against unauthorised access. Data are protected against unauthorised access, modification, transfer, disclosure, erasure or destruction as well as accidental destruction, damage and unavailability due to the change of the applied technology in such a way that, by having regard to the current technological development, the controller takes care of the protection of processing security with technological, organisational and structural measures that provide an adequate level of protection against the risks associated with processing.

13. Right of access to the competent authority

In the event of any breach of their rights, the data subject may have recourse to court against the controller. The reconsideration of the legal action falls within the competence of the regional court (Contact detail of Zalaegerszeg Regional Court: 8900 Zalaegerszeg Várkör u 2.). At the data subject’s option, the action can be brought to the regional court in whose jurisdiction the data subject’s home address or temporary residence is located. Such cases will be given priority by the court.

You may lodge an appeal or a complaint to the Hungarian National Authority for Data Protection and Freedom of Information. Name: Hungarian National Authority for Data Protection and Freedom of Information Seat: 1055 Budapest, Falk Miksa utca 9-11. Postal address: 1363 Budapest, Pf.: 5. Phone: 06.1.391.1400 Fax: 06.1.391.1410 E-mail: ugyfelszolgalat@naih.hu Website: http://www.naih.hu

14. How to access the Privacy Policy

The Privacy Policy of the controller is available at https://kolping.hotel.hu/en/privacy-policy.