Data Control Information
DATA CONTROL INFORMATION
Hunguest Hotels Zrt. Napfényfürdő Aquapolis
Hunguest Hotels Zrt. Napfényfürdő Aquapolis (Registered office: 6726 Szeged, Torontál tér. 6., corporate registration number: 01-10-140409, tax number: 12155169-2-44; hereinafter referred to as: “Napfényfürdő” or “Data Controller”) acknowledges the contents of this legal announcement as binding. It undertakes to ensure that the data control activities relating to its service comply with the requirements defined in this information and in the effective laws and regulations.
The scope of this information covers the control of personal data supplied on the online portals of the Service Provider at www.napfenyfurdoaquapolis.com and www.hotelforrasszeged.hu, and in relation to the hotel services used at HUNGUEST Hotel Forrás owned and operated by Hunguest Hotels Zrt.
This information on the control of personal data supplied in relation to the online portal at napfenyfurdoaquapolis.com (hereinafter referred to as “Website”), and the used hotel services is constantly available at www.napfenyfurdoaquapolis.com and www.hotelforrasszeged.hu.
Napfényfürdő reserves the right to change this information at any time. The modifications of this information become effective as soon as they are published on the Website.
If you have any question, the answer to which is not clear based on this information, then please contact us and our colleague will respond to you.
Although Napfényfürdő is committed to keeping the quality of its services as high as possible, it shall not be liable for any loss or damage arising from the use of the system.
Napfényfürdő is committed to the protection of the personal data of its partners and users and considers extremely important to respect the right of information self-determination of its clients. Napfényfürdő handles personal data confidentially, and will take all security, technical and organisational measures that guarantee the security of data.
Napfényfürdő presents its data control principles and the requirements it set to itself as data controller and complies with below. The data control principles of Napfényfürdő are in line with the effective legislation on data protection, including especially the following:
- Act LXIII of 1992 on the protection of personal data and the publicity of data of public interest (hereinafter referred to as the “Data Protection Act”);
- Act CXIX of 1995 on the management of names and addresses for research and the direct solicitation of new business;
- Act CVIII of 2001 on electronic trading services and certain issues concerning services in an information society;
- Act XLVII of 2008 on the Prohibition of Unfair Trade Practices against Consumers;
- Act XLVIII of 2008 on the basic conditions for and certain limits to commercial advertising.
2.1. personal data shall mean data relating to any (identified or identifiable) specific natural person as well as conclusions drawn from the data in regard to the data subject. In the course of data processing, the data in question shall be treated as personal as long as the data subject remains identifiable through it. A person is identifiable when they can be identified based on a name and identification number or one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
2.2. consent shall mean any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations;
2.3 objection shall mean a declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the deletion of the data processed;
2.4. data controller shall mean any natural or legal person, or organisation without legal personality who/which determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or contracts a data processor to execute it;
2.5. data control shall mean any operation or the totality of operations performed on the data, irrespective of the procedure applied; e.g., collecting, recording, registering, classifying, storing, modifying, using, transferring, disclosing, synchronizing or connecting, blocking, deleting and destructing the data, as well as preventing their further; Taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans) are also considered data control;
2.6. data transfer shall mean ensuring access to the data for a third party;
2.7. disclosure shall mean ensuring open access to the data;
2.8. data deletion shall mean turning of data into an unrecognisable form, from which they cannot be restored anymore;
2.9. blocking of data shall mean any action that makes the forwarding, access to, public disclosure, transformation, alteration, destruction, deletion, interconnection or coordination and use of data impossible either permanently or for a specified period;
2.10. data destruction shall mean complete physical destruction of the data carrier recording the data;
2.11. data processing shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution;
2.12. data processor shall mean any natural or legal person or organisation without legal personality processing personal data based on an order of the data controller;
2.13. third party shall mean any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor;
2.14. third country shall mean any state that is not a state of the European Economic Area.
3. PRINCIPLES OF THE DATA CONTROL ACTIVITIES OF LIGETFÜRDŐ KFT.
Personal data may be processed under the following circumstances: a) when the data subject has given consent, or b) when processing is necessary as decreed by law or by a local authority based on authorization conferred by law concerning specific data defined therein.
The consent of the legal representative is not required for the consent of a legally incapacitated person or a minor with limited legal capacity, because the purpose of the declaration is a registration, made every day on a wide scale without any special consideration.
Personal data may be processed only for specified purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of processing must be satisfied in all stages of data processing.
The personal data controlled must be essential for the purpose for which they were recorded, and must be suitable to achieve that purpose, only to the extent and for the time required for achieving the objective.
Personal data may be controlled only with consent based on adequate information.
The data subject shall be clearly, understandably and specifically informed of all aspects concerning the controlling of their personal data, such as the purpose for which his data are required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation and the persons to whom the data may be disclosed. Information shall also be provided on the data subject’s rights and remedies.
The controlled personal data must comply with the following requirements:
a) their recording and control is lawful and fair;
b) they must be accurate, complete and, if necessary, up-to-date;
c) they must be stored in a way that ensures that the data subject may be identified only for the period required for the storing of data.
It is prohibited to use any general or unique personal ID that may be used without any restriction.
Personal data can be forwarded and different controlled data may be interconnected with the consent of the data subject or when permitted by law and when the requirements of data control are fulfilled for all personal data.
Personal data (also including special data) may be transferred from the country to a data controller or data processor operating in a third country, regardless the data medium or method of data transmission when the data subject gave expressed consent to it or when permitted by law and when adequate protection is guaranteed for the transferred personal data while they are controlled and processed in the third country. Transfer of data to the Member States of the European Economic Area shall be considered as if the transmission took place within the territory of the Republic of Hungary.
4. SCOPE OF PERSONAL DATA, PURPOSE, TITLE AND DURATION OF DATA CONTROL
Within the services, all data related to the data subjects are controlled based on voluntary consent.
Napfényfürdődoes not take responsibility for the accuracy of the data provided by the users or guests.
4.1. DATA OF THE VISITORS OF THE WEBSITE
When users visit the Websites, Napfényfürdő records their IP address, the time of the visit and the title of the viewed page for technical reasons and for preparing statistics on the habits of the users. The server shall store the data for a week.
In order to provide customised services, the Service Provider places small data packages known as cookies on the user’s computer. The primary objective of the cookies is to support statistics and to distinguish between new and regular users as well as to provide assistance with the login.
The user can delete the cookies from their computer or may set up their browsers to reject cookies.
4.2. RECORDING OF DATA OF EXTERNAL SERVICE PROVIDERS ON THE WEBSITE
The html code of www.napfenyfurdoaquapolis.com and www.hotelforras.hu websites is independent from Napfényfürdő and contains references received from and pointing to an external server.
One of such external servers supports the independent audit of the visits to the Website and other web analytical data (Google Analytics). The data controllers can provide more information on the control of such data. Available at www.google.com/analytics
4.3. REGISTRATION DATABASE
Some of the services offered by Napfényfürdő require registration. Without registration, no activity can be performed on the portal. With a successful registration on the Website, the user’s data provided during registration are entered into the registration database.
The personal data supplied by the user and contained in the registration database are controlled in order to provide services available through the Websites and requiring registration to registered users. The users can find more information on the services that require registration at the Websites.
With the registration, the data subject consents to the Service Provider’s controlling the personal data provided during registration for the purposes indicated above. The Service Provider controls the personal data provided during registration, for the purpose specified herein, until the data subject withdraws in writing the consent to the control of such data for the purpose specified herein. In such a case, all data of the data subject will be deleted from the registration database.
With the registration, the data subject also expressly consents to the use of their personal data supplied to Napfényfürdő for registration as long as Napfényfürdő is entitled to control them, also in the marketing activities of Napfényfürdő Based on such consent Napfényfürdő shall be especially but not exclusively entitled to send offers and other information to the data subject by post, e-mail, or in other forms and messages.
Napfényfürdő shall have the right to use the personal data of the data subjects until they withdraw their consent to the use of their data for marketing purposes in writing. It also constitutes the withdrawal of consent to the use of data for marketing purposes when the data subject withdraws consent to the control of their personal data by the Service Provider in the registration database as indicated above.
In the registration database the Service Provider controls and manage the surname and first name, e-mail address, phone number, home address, password, date of registration and IP address at registration of the data subject.
The data subject can also provide the number of the frequent guest card (when available). Further data may also be supplied in order to learn more about the user, make the Service Provider’s activity easier and customise the newsletter and services: where did the user first hear about the Service Provider, gender, date of birth, school qualifications, occupation, family status, sector of employment, account managing bank, type of internet connection, operating system, type of browser, regularly visited websites, regularly visited e-commerce pages and scope of interest.
The database also contains whether or not the user requests a newsletter via e-mail. The user can subscribe for the newsletter during registration. Data control relating to the newsletter is covered in a separate section.
The majority of the supplied data may be modified on the Websites. The Service Provider may be requested in writing to delete some or all data through the e-mail address provided on the Websites or by using other contact information included in this information, which shall constitute the withdrawal of consent to the control of personal data in the registration database.
Each user may subscribe for the newsletter service on the Websites by providing their name, e-mail address and home address. Users can subscribe for the newsletter in a separate menu item or by using other services. The Service Provider sends regular newsletters to the users who subscribed for it informing them of the latest and current news and hotel offers. The contents of the distributed newsletters may vary according to the data supplied by the users.
By providing their name, e-mail address and home address when subscribing for the newsletter service, the user consents to the Service Provider sending them newsletters, other offers and information via e-mail messages and controlling the personal data supplied by the user for such purposes. The Service Provider is entitled to control data as specified in this section until the user provides a written declaration stating the withdrawal of their consent to the control of their data for the purpose defined herein.
In addition, the Service Provider’s system can also send other messages containing services occasionally.
Users can unsubscribe from the newsletter referred to in this section by clicking to the “Unsubscribe from the newsletter” reference, contained in each newsletter. The unsubscription constitutes the withdrawal of consent for the control of the e-mail address provided by the user for the purpose specified herein.
4.5. FREQUENT GUEST SCHEME
The members of the HUNGUEST Hotels Frequent Guest scheme expressly consent to the control of their personal data supplied to Ligetfürdő Kft. in relation to joining the Frequent Guest scheme when they apply for the Frequent Guest scheme or at any time while being a member of the scheme by Napfényfürdő to operate its Frequent Guest scheme. Based on the data subject’s consent, Napfényfürdő is entitled to control the collected personal data form the date of their supply as long as the data subject is a member of the Frequent Guest Scheme. Each member of the Frequent Guest scheme also expressly consents to the use of their personal data supplied to Napfényfürdő also for marketing activities as long as Napfényfürdő is entitled to control them. Based on such consent Napfényfürdő shall be especially but not exclusively entitled to send offers and other information to the data subject by post, or in other forms and messages.
Based on the consent of the members of the Frequent Guest scheme to the control of their personal data, Napfényfürdő is also entitled to forward the data subject’s personal data to its contractor having a contract with Napfényfürdő for the operation of the Frequent Guest scheme. That contractor shall also be entitled to control and use of the personal data provided by the data subject either to Napfényfürdő or directly to the contractor within the scope and for the period covered by the consent referred to above.
Napfényfürdő and its contractor may not forward the personal data of the data subject to any third party, but it does not exclude an option of employment of a data processor by Napfényfürdő or its contractor.
If a member of the Frequent Guest scheme withdraws the consent to the control of their personal data with an expressed written declaration addressed to Napfényfürdő to such an extent that the Frequent Guest scheme can no longer be applied to the data subject, also including cases when the data subject withdraws consent to the transfer of their personal data to the contractor of Napfényfürdő, the respective declaration of the data subject shall constitute termination of membership in the Frequent Guest scheme. In that case, the data subject’s rights relating to the Frequent Guest scheme shall cease to exist 6 months from the receipt of the declaration by Napfényfürdő, the card will be invalidated and the personal data of the data subject will be deleted from the Frequent Guest system.
4.6. ROOM RESERVATION REQUEST
Each user can send a reservation request to the selected hotel by using the form available on the Websites. The user enters the data of the requested reservation (including especially the date of arrival and departure, number of guests, etc.), and their name, telephone number, e-mail address and home address in the form used for the reservation request.
The user may subscribe for the newsletter on the form used for the reservation request. The rules pertaining to the newsletter service are summarised in a separate section.
4.7. USE OF HOTEL SERVICES
Each guest using the services of the hotel completes a registration form.
By signing the registration form, the guest consents to the control of the mandatory data specified below by the Service Provider to fulfil the obligations defined in the applicable legislation (including especially the legislation on immigration and tourism tax) and to prove the performance of such obligations as long as the competent authority may check the performance of certain obligations specified in the legislation. The mandatory data to be supplied are as follows: name, address, citizenship, place and date of birth. The supply of the mandatory data by the guest is a prerequisite of using the hotel service.
By using the registration form, the guest also consents to the control and archiving of the personal data provided on the registration form by the Service Provider to prove the establishment, performance and execution of the contract and for any claim enforcement within the statutory time limit.
The guest may also declare on the hotel registration form, giving consent to the use of the personal data provided on the registration form for the marketing activities of Napfényfürdő as long as Napfényfürdő is entitled to control those data. Based on such consent Napfényfürdő shall be especially but not exclusively entitled to send offers and other information to the data subject by post, e-mail, or in other forms and messages.
Napfényfürdő shall have the right to use the personal data of the data subjects until they withdraw their consent to the use of their data for marketing purposes in writing.
The Service Provider may be contacted by sending the name, e-mail address and home address and the message in the form available through the Website or via e-mail. The Service Provider uses the messages only for ordinary purposes and will save them once the matter has been finally settled.
4.9. OTHER DATA CONTROL
Information on data control not listed in this information will be provided when the data are recorded.
We wish to inform the user that the court, the prosecutor and the investigating authority may contact the Service Provider to request the supply or transmission of information, data or documents (Act on Criminal Procedure, Article 71.) Napfényfürdő discloses personal data to authorities, when the respective authority specifies the exact purpose and scope of data, only to such an extent that is absolutely required to fulfill the request.
5. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA CONTROL
Napfényfürdőselects and operates the IT equipment used for controlling personal data and providing services making sure that the controlled data:
a) are accessible by the authorised parties (availability);
b) are authentic and genuine (authenticity of data control),
c) remain certifiably unchanged (data integrity)
d) are protected against unauthorised access (data confidentiality).
Napfényfürdő applies technical, organisation and internal measures to ensure the security of data control and shall always provide adequate protection against risks occurring in relation to data management.
In the course of data control Napfényfürdő maintains
a) confidentiality: by protecting the information and making it accessible only to authorised parties;
b) integrity: by protecting the accuracy and completeness of the information and the processing method;
c) availability: by ensuring that when an eligible user needs it, they are actually access the required information and that the related devices are available.
The information system and network of Napfényfürdő are protected against computer supported fraud, spying activities, sabotage, vandalism, fire and flood, as well as attacks by computer viruses, intrusion and service refusal. The operator applies protection procedures on the server and in the applications to guarantee security.
We also inform our users that, irrespective of the protocol (e-mail, web, ftp, etc.) the electronic message sent online are vulnerable to network threats that may lead to unlawful activities, dispute of the contract or disclosure or modification of information. In order to protect the users from such threats, the Service Provider takes all reasonable precautionary measures. It monitors its systems to be able to record any security discrepancy and to provide evidence for each security event. In addition, the system monitoring also helps checking the efficiency of the applied precautionary measures.
6. DATA AND CONTACT INFORMATION OF THE DATA CONTROLLER
Name: Hunguest Hotels Zrt. Napfényfürdő Aquapolis
Address: 6726 Szeged, Torontál tér 6.
Company registration number: 01-10-140409
Tax number: 12155169-2-44
Data management registration IDs: NAIH-58730
Represented by: Szabó Mihály and Szabó Tamás, Executive Directors
7. DATA TRANSFERS
Even without a specific consent from the data subject, Napfényfürdő is entitled to disclose data controlled by it to the competent authorities and courts in cases defined in the legislation.
8. LEGAL REMEDY OPTIONS
The persons involved may request information on or the correction of the control of their personal data, and may request, except for cases when required so by legal provisions, the deletion of their personal data in a manner as indicated for the services available on the Website, or via electronic contact through the Website or with a written request sent to the registered office of the Service Provider.
Upon the data subject’s request Napfényfürdő as data controller shall provide information concerning the data relating to him, including those processed by a data processor on its behalf, the purpose, grounds and duration of processing, the name and address (registered office) of the data processor and on its activities relating to data processing, and the parties to whom data are/were disclosed and the purpose of the disclosure. The data controller must comply with requests for information without any delay, and provide the information requested in an intelligible form, in writing at the data subject’s request, within not more than 30 days. The information shall be provided free of charge if no information request was submitted to the data controller for the category of data in the current year. In any other case Napfényfürdő may decide to reimburse the costs.
Napfényfürdő shall delete personal data when processed unlawfully, requested by the data subject, the purpose of processing no longer exists or the legal time limit for storage has expired, so ordered by court or by the Data Protection Commissioner.
When data are rectified, blocked, or erased, the Data Subject and all recipients to whom it was transmitted for processing shall be notified by Napfényfürdő. The notification may be omitted when it does not violate the lawful interest of the data subject with a view to the purpose of data control.
The data subject shall have the right to object to the processing of data relating to them if
a) personal data are controlled (forwarded) solely for the purpose of enforcing a right or lawful interest of the controller or the recipient, unless processing is ordered by law;
b) personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research;
c) the law provides for the exercising of rights to object.
In the event of objection, Napfényfürdő shall suspend the data control and shall simultaneously investigate the cause of objection within the shortest possible time of no more than 15 days and shall notify the data subject in writing of its outcome. If, according to the findings of the controller, the data subject’s objection is justified, the controller shall terminate all processing operations (including data collection and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection. If the data subject disagrees with the decision taken by the controller, the data subject shall have the right to turn to court within 30 days of the date of delivery of the decision.
Napfényfürdő shall not delete the data of the data subject if processing has been prescribed by law. However, data may not be disclosed to the data recipient if the data manager agrees with the objection or if the court has found the objection justified.
In the event of any infringement of his rights, the data subject may turn to court action against the data controller. The court shall hear such cases in priority proceedings.
Napfényfürdő shall compensate for any damage caused to a data subject as a result of unlawful data control or by any breach of technical data security requirements. The data controller may be exempted from liability if the damage was caused by reasons beyond its control.
No compensation shall be paid when the damage was caused by intentional or serious negligent conduct on the part of the aggrieved party.
You can turn to the Data Protection Commissioner’s Office for legal remedy and with any complaint:
Name: Data Protection Commissioner’s Office
Registered office: 1051 Budapest, Nádor u. 22.
Postal address: 1387 Budapest, P.O. Box 40.
Phone: +36.1.475.7186, 475.7100