1. PURPOSE, SCOPE AND APPLICABLE LAW OF THE PRIVACY NOTICE
The purpose of this Privacy Notice is to set out the data protection and data management principles and the data protection and data management policy applied by the Watercolour Apartment House website, which Ferenczy Ernő Ervin, as the data controller, acknowledges as binding. When drafting the provisions of this Notice, we have taken particular account of the provisions of Regulation 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation" or "GDPR"), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information ("Infotv."), Act V of 2013 on the Civil Code ("Civil Code") and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities ("Grtv.").
The scope of this Privacy Notice is limited to the https://akvarellzebegeny.hu website (hereinafter referred to as the "Website"). Unless otherwise stated, this Policy does not cover services and processing related to promotions, sweepstakes, services, other campaigns and content published by third parties advertising or otherwise appearing on the Website. Unless otherwise stated, the scope of this Policy does not extend to the services and data processing of websites and service providers to which the Website contains links. The scope of this Notice does not cover the processing of data by persons (organisations, companies) whose information, newsletters, advertising mailings or promotional material the User has received from the Website.
2. DEFINITIONS
Data management: any operation or set of operations which is performed on Personal Data, regardless of the procedure used, in particular the collection, recording, organisation, structuring, storage, adaptation, alteration, use, consultation, disclosure, transmission, dissemination or otherwise making available, alignment or combination (including profiling), restriction, erasure and destruction of Personal Data.
Data Controller: the person, as defined in point 3, who, alone or jointly with others, determines the purposes and means of the processing.
Personal data or information: any data or information that allows a natural person User to be identified, directly or indirectly.
Data Processor: the service provider who processes personal data on behalf of the Data Controller.
User: the natural person who provides on the Website the data listed in points 8 and 9 below.
External service provider: third party service partners used by the Data Controller or the Website Operator, either directly or indirectly, in connection with the provision of certain services, to whom Personal Data are or may be transferred or who may transfer Personal Data to the Data Controller for the provision of their services. Third party service providers are also those service providers that are not in cooperation with the Controller or the operators of the services, but by accessing the Website, collect data about Users, which may be used to identify the User, either individually or in combination with other data. Furthermore, in providing the hosting service, the Data Controller also considers the User as an External Service Provider for the purposes of the data management activities carried out on the hosting service it uses.
Factsheet: this Privacy Notice of the Data Controller.
3. THE IDENTITY AND ACTIVITIES OF THE CONTROLLER
name: Ernő Ervin Ferenczy
seat: 2627 Zebegény, Csalogány út 1.
phone: +36-70-380-6528
e-mail: foglalas@akvarellzebegeny.hu
Data protection officer: Ernő Ervin Ferenczy
Title of data protection officer: self-employed
Tax number: 75652960-2-33
The Data Controller is an individual entrepreneur based in Hungary.
The Data Controller operates the Website.
4. THE PRINCIPLES, METHODS OF DATA PROCESSING AND APPLICABLE LAW
4.1 The Data Controller shall act in good faith, fairness and transparency, in cooperation with the Users in the course of data processing. The Data Controller processes only the data specified by law or provided by Users for the purposes set out below. The scope of the Personal Data processed shall be proportionate to the purposes of the processing and shall not go beyond those purposes.
4.2 In all cases where the Data Controller intends to use the Personal Data for a purpose other than that for which it was originally collected, the Data Controller shall inform the User thereof and obtain his or her prior explicit consent or provide the User with the opportunity to prohibit such use.
4.3 The Controller does not verify the Personal Data provided to it. The person providing the Personal Data is solely responsible for the correctness of the Personal Data provided.
4.4 The Personal Data of a person under the age of 16 may be processed only with the consent of the person who is the legal guardian of the person concerned. The Data Controller is not in a position to verify the eligibility of the person giving consent or the content of the consent, so the User or the person who is the legal guardian of the person concerned guarantees that the consent is in accordance with the law. In the absence of a declaration of consent, the Data Controller shall not collect Personal Data relating to a data subject under the age of 16.
4.5 The Data Controller shall not transfer the Personal Data it processes to third parties other than the Data Processors specified in this Notice and, in certain cases referred to in this Notice, to External Service Providers.
An exception to the provisions of this point is the use of data in aggregate statistical form, which may not contain any other data that can identify the User concerned, and therefore does not constitute Data Processing or data transfer.
In certain cases, the Data Controller may make available to third parties the available Personal Data of the User concerned, in response to a formal judicial or police request, legal proceedings, or due to a reasonable suspicion of infringement of copyright, property rights or other rights, or due to a threat to the interests of the Data Controller, or to the provision of the service, etc.
The Data Processors of the Data Controller listed in this Privacy Notice and the External Service Providers shall, after 25 May 2018, record and process the Personal Data transferred to them by the Data Controller and processed by them in accordance with the provisions of the GDPR and shall make a declaration to the Data Controller to that effect.
4.6 The Data Controller shall notify the User concerned of the rectification, restriction or deletion of the Personal Data processed by it, as well as all those to whom the Personal Data was previously transmitted for the purpose of processing. The notification may be omitted if this does not prejudice the legitimate interests of the User with regard to the purpose of the Processing.
4.7 In view of the relevant provisions of the GDPR, the Data Controller is not obliged to appoint a Data Protection Officer, as the Data Controller is not a public authority or a body with public responsibilities, the activities of the Data Controller do not involve operations that require regular and systematic large-scale monitoring of Users, and the Data Controller does not process sensitive data or personal data relating to criminal convictions and offences.
4.8 The Data Controller shall process personal data in accordance with applicable law. The legislation governing the processing of personal data includes in particular:
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as "the Infotv.");
- Act XLVIII of 2008 on the Fundamental Conditions and Certain Restrictions of Economic Advertising Activities (hereinafter referred to as "Grtv.");
- Regulation 2016/679 of the European Parliament and of the Council;
- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services;
- Article 169 of Act C of 2000 on Accounting (concerning the retention of supporting documents).
5. LEGAL BASIS FOR PROCESSING
5.1. Taking into account the nature of the Data Controller's activities, the legal basis for data processing is the voluntary, explicit consent of Users based on appropriate information (Infotv. 5 (1) (a)), the fulfilment of the legal conditions applicable to the accommodation service and, in the case of profiling, the appropriate information of the User in accordance with the provisions of the GDPR, as well as Article 6 (1) (f) of the GDPR. The Users voluntarily contact the Data Controller, voluntarily book accommodation, voluntarily register, voluntarily use the services of the Data Controller. In the absence of the Users' consent, the Data Controller shall process data only if expressly authorised to do so by law.
5.2 The User has the right to withdraw his/her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.
5.3. The Data Controller records the IP address of the User when the User accesses certain websites in connection with the provision of the service, with regard to the legitimate interest of the Data Controller and for the lawful provision of the service (e.g. to filter unlawful use or unlawful content), even without the User's consent.
5.4. Transfers of Data to Processors as set out in this Policy may be made without the User's specific consent. Unless otherwise provided by law, the disclosure of personal data to third parties or public authorities is only possible on the basis of a final decision by a public authority or with the prior express consent of the User.
5.5. When providing any User's e-mail address and the data provided when requesting an offer or ordering accommodation services (e.g. name, telephone number, etc.), the User also assumes responsibility for the fact that only the User will use the e-mail address and the data provided by the User to order services. With regard to this assumption of responsibility, any liability in connection with a request for an offer or service made from the e-mail address and/or data provided shall be borne solely by the User who provided the e-mail address and the additional data.
5.6 The legal basis for processing is in certain cases a legal provision. The main legislation that also provides for data processing is the legislation set out in section 4.8. The data contained in the receipt issued by the Data Controller shall be processed by the Data Controller in accordance with the Accounting Act.
5.7 The legal basis for the processing may be the substantial legitimate interests of the Controller, in which case, in accordance with the relevant provisions of the GDPR, the Controller has carried out and may continue to carry out an interest test demonstrating that the processing is necessary for the purposes of the legitimate interests pursued by the Controller and that those interests are not overridden by the rights and freedoms of the data subject which require the protection of personal data. The Controller shall, upon request, provide the data subject with the information referred to in this paragraph as set out in this Notice.
6. THE PURPOSE OF THE PROCESSING
The Data Controller processes personal data only for specific purposes, for the exercise of rights and the performance of obligations. At all stages of the processing, it shall comply with the purpose of the processing. The data are collected and processed fairly and lawfully. The Data Controller shall endeavour to process only personal data that is necessary for the purpose of the processing and is adequate for the purpose. Personal data shall only be processed to the extent and for the duration necessary to achieve the purpose.
The purpose of data processing is primarily the operation of the Website and the provision of the Controller's services.
The purpose of the processing based on the above:
- identifying the User, contacting the User;
- to fulfil the obligations incumbent on the Data Controller, to exercise the rights of the Data Controller;
- advertising, research, if the User has given his/her specific consent;
- analyses, statistics, development of services - for these purposes, the data controller uses only anonymised data, aggregated data that cannot be personally identified;
- protect the rights of Users.
7. SOURCE OF DATA
The Data Controller processes only the personal data provided by the Users and does not collect data from other sources.
The data is provided when the User subscribes. The User fills in the form during the booking process, where he/she provides his/her name, e-mail address and telephone number.
8. SCOPE OF THE DATA PROCESSED
The Data Controller processes only the personal data provided by Users. The data processed are the following:
surnames, first names, nicknames, e-mail address, mobile phone number, contact name, contact email address, contact phone number.
In addition to the above, the Data Controller processes technical data, including the IP address, as described in point 12.
9. DESCRIPTION OF THE DATA MANAGEMENT PROCESS
The source of the data is the User, who provides the data when requesting an offer or ordering (booking) an accommodation service. The provision of the data on the request for quotation and service order forms is mandatory, unless expressly indicated otherwise.
The User provides the data independently, the Data Controller does not give any mandatory guidelines or content requirements. The User expressly consents to the processing of the data provided by him. In addition to the data requested by the Data Controller, the User is entitled to provide other data in his/her profile, the legal basis for the processing of the data in this case is also the voluntary consent of the User.
If the User registers for a promotion organised by the Data Controller (e.g. on Facebook) and provides the data requested there, the User accepts the data management information related to the promotion. In this case, by providing the data, the User does not register on the Website, but consents to the processing of the data provided as set out in the promotion's prospectus.
10. TECHNICAL DATA AND COOKIE MANAGEMENT
The Data Controller's system automatically records the IP address of the user's computer, the starting time of the visit and, in some cases, depending on the computer's settings, the type of browser and operating system. The data thus recorded cannot be linked to other personal data. The data are processed for statistical purposes only. The User acknowledges that the Watercolour Apartment House website operated by us uses cookies, including but not limited to browser cookies, tracking cookies and computer cookies.
Cookies allow the Website to recognise previous visitors. Cookies help the Data Controller, as the operator of the Website, to optimise the Website and to tailor the services of the Website to the users' habits. Cookies can also be used to:
- remember the settings so that the user does not have to re-enter them when they go to a new page,
- remember previously entered data, so that the user does not have to re-enter it,
- analyse the use of the website in order to make improvements using this information to ensure that it works as well as possible for the user,
- help the user easily find the information they are looking for.
If the Data Controller displays various content on the Website through external web services, this may result in the storage of some cookies that are not under the control of the Data Controller, and therefore it has no control over the data collected by these websites or external domains. Information about these cookies is provided in the policies for the relevant service.
The Data Controller uses cookies to serve advertisements to Users through Google and Facebook. The processing is carried out without human intervention.
COOKIES FOR MARKETING PURPOSES
Name | Description | Classification | Expiry time |
_ga | Google Analytics cookie | Cookies for marketing | 2 years |
_gid | Google Analytics cookie | Cookies for marketing | 24 hours |
_dc_gtm_UA-#* | Google Tag Manager cookies | Cookies for marketing | 1 minute |
_fbp | Facebook Pixel cookies | Cookies for marketing | 30 days |
The user can set their web browser to accept all cookies, reject all cookies, or notify the user when a cookie is received. The setting options are usually found in the "Options" or "Settings" menu of the browser. By disabling the use of cookies, the User acknowledges that without cookies the Website will not be fully functional.
The English-language website www.aboutcookies.org also provides detailed information on how to manage cookie settings in different browsers.
11. DATA TRANSMISSION
The Data Controller shall only transfer personal data to third parties if the User has given his/her unambiguous consent - knowing the scope of the data transferred and the recipient of the data transfer - or if the transfer is authorised by law.
The Data Controller is entitled and obliged to transmit to the competent authorities any Personal Data at its disposal and stored by it in accordance with the law, which Personal Data it is required to transmit by law or by a final and binding obligation of a public authority. The Data Controller shall not be held liable for such transfers and the consequences thereof.
In all cases, the Data Controller shall document the transfers and keep records of the transfers.
12. DATA PROCESSING
The Data Controller is entitled to use a data processor for the performance of its activities. Processors do not take decisions on their own, they are only entitled to act in accordance with the contract concluded with the Data Controller and the instructions received. The Controller shall monitor the work of the processors. Processors shall be entitled to engage an additional processor only with the consent of the Controller.
The Data Controller shall identify the data processors used in this Notice.
The data processors used by the Data Controller:
Hosting provider: Websupport Hungary Ltd.
Head office: 1132 Budapest, Victor Hugo u. 18-22.
13. EXTERNAL SERVICE PROVIDERS
In the course of operating the Website, the Data Controller uses External Service Providers, with which the Data Controller cooperates.
Personal Data processed in the systems of Third Party Service Providers is governed by the Third Party Service Providers' own privacy policies. The Data Controller shall use its best efforts to ensure that the External Service Provider processes the Personal Data transferred to it in accordance with the law and uses it only for the purposes specified by the User or set out in this Policy.
The Data Controller will inform Users about the data transfers to External Service Providers in the context of this Notice.
14. DATA SECURITY, ACCESS TO DATA
The Data Controller shall ensure the security of the data, take the technical and organisational measures and establish the procedural rules necessary to enforce the applicable laws, data protection and confidentiality rules. The Data Controller shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, erasure or destruction, accidental destruction or damage and against inaccessibility resulting from changes in the technology used.
The Data Controller shall keep records of the data processed by it in accordance with the applicable laws, ensuring that the data may only be accessed by employees and other persons acting in the interests of the Data Controller (data processors) who need to know the data in order to perform their job or task. The data may only be accessed within the employee's organisation if they are logged. The employees of the data controller shall only carry out individual searches and operations on the data at the request of the User or if this is necessary for the provision of the service.
The Data Controller shall take into account the state of the art when defining and applying measures for data security. The Data Controller shall choose among several possible data processing solutions the one which ensures a higher level of protection of personal data, unless this would involve a disproportionate effort.
The Data Controller shall ensure, in particular, in the context of its IT security responsibilities:
- measures to protect against unauthorised access, including the protection of software and hardware devices and physical protection (access protection, network protection);
- measures to ensure that data files can be recovered, including regular backups and separate secure management of copies (mirroring, backups);
- protecting data against viruses (virus protection);
- the physical protection of data files and the media on which they are stored, including protection against fire, water, lightning and other natural hazards, and the recoverability of damage caused by such events (archiving, fire protection).
Employees and other persons acting on behalf of the Data Controller shall keep secure the data media containing personal data which they use or have in their possession, regardless of the means of recording the data, and shall protect them against unauthorised access, alteration, disclosure, erasure or destruction, accidental destruction or damage.
The Data Controller shall operate the electronic register by means of an IT program that meets the requirements of data security. The programme shall ensure that access to the data is limited to the persons who need it for the performance of their tasks, and only for the purposes for which it is intended and under controlled conditions.
15. DURATION OF DATA PROCESSING
The Controller shall delete personal data if:
- (a) the processing is unlawful;
If it is found that the data is being processed unlawfully, the Data Controller will delete it without delay.
- (b) at the request of the User (except for processing based on law);
The User may request the deletion of data processed on the basis of the User's voluntary consent. In this case the Data Controller will delete the data. Deletion may only be refused if the processing of the data is authorised by law. The Data Controller shall in any case provide information on the refusal of the request for erasure and on the law authorising the processing.
- (c) the data is incomplete or inaccurate, and this situation cannot be lawfully remedied, provided that erasure is not excluded by law;
- (d) the purpose of the processing has ceased or the statutory time limit for the storage of the data has expired;
Erasure may be refused (i) for the exercise of the right to freedom of expression and information, or (ii) where the processing of Personal Data is authorised by law; and (iii) for the establishment, exercise or defence of legal claims.
The Data Controller shall inform the User of the refusal of the request for erasure in each case, indicating the reasons for the refusal. Once the request for erasure of personal data has been complied with, the previous (erased) data can no longer be restored.
As the Data Controller provides a continuous service to the User, the relationship between the parties is not time-limited. Therefore, unless the User requests otherwise, the Data Controller shall process the data for as long as the relationship between the Data Controller and the User exists and for as long as the Data Controller is able to provide the User with the service.
All other data will be deleted by the Controller if it is clear that the data will no longer be used, i.e. the purpose of the processing has ceased.
- (e) the deletion is ordered by a court or the National Authority for Data Protection and Freedom of Information.
If a court or the National Authority for Data Protection and Freedom of Information issues a final order for the deletion of the data, the Data Controller will carry out the deletion.
Instead of deletion, the Data Controller shall block the personal data - after informing the User - if the User so requests or if the information available to the Data Controller suggests that deletion would harm the legitimate interests of the User. The personal data blocked in this way may be processed only for as long as the processing purpose which precluded the deletion of the personal data persists. The Controller shall mark the personal data it processes if the User contests its accuracy or correctness but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.
In the case of processing required by law, the erasure of data shall be governed by the law.
In the event of deletion, the Data Controller shall render the data unidentifiable. Where required by law, the Controller shall destroy the storage medium containing the personal data.
16. RIGHTS OF USERS AND THEIR VALIDATION
16.1 The Data Controller shall inform the User about the processing of the data at the time of contacting the User. The User shall also have the right to request information about the processing at any time.
Upon the User's request, the Data Controller shall provide information about the User's data processed by the Data Controller or by a data processor appointed by the Data Controller or under its instructions, the source of the data, the purpose, legal basis and duration of the data processing, the name and address of the data processor and its activities related to the data processing, the circumstances and effects of the data breach and the measures taken to remedy the data breach, and, in the event of the transfer of the User's personal data, the legal basis and the recipient of the data transfer. The Data Controller shall provide the information in writing in an intelligible form within the shortest possible time from the date of the request, but not later than 25 days from the date of the request, upon the User's request. The information shall be provided free of charge if the person requesting the information has not yet submitted a request for information in the current year for the same set of data. In other cases, a fee may be charged. The fee already paid shall be refunded if the data have been unlawfully processed or if the request for information has led to a correction.
16.2 The User may request the Controller to correct the personal data incorrectly provided. In the event that the data to be corrected are regularly provided, the Controller shall, if necessary, inform the recipient of the data of the correction and shall draw the User's attention to the fact that the correction must be initiated with another controller.
16.3 The User may request the deletion of his/her personal data, except for data processing required by law. The Controller shall inform the User of the erasure.
16.4. The User may object to the processing of his/her personal data in accordance with the provisions of the Information Act.
16.5. The User may submit a request for information, rectification or deletion in writing, by letter addressed to the registered office or place of business of the Data Controller or by e-mail to the Data Controller at zoltan@fotografus.com.
16.6 The User may request the Controller to restrict the processing of his/her Personal Data if the User disputes the accuracy of the Personal Data processed. In such a case, the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the Personal Data. The Controller shall mark the Personal Data it processes if the User contests its accuracy or correctness but the incorrectness or inaccuracy of the contested Personal Data cannot be clearly established.
The User may request that the Controller restrict the processing of his/her Personal Data even if the processing is unlawful, but the User opposes the erasure of the processed Personal Data and instead requests the restriction of their use.
The User may also request the restriction of the processing of his/her Personal Data by the Controller if the purpose of the processing has been achieved, but the User requires the processing of his/her Personal Data by the Controller for the establishment, exercise or defence of legal claims.
16.7 The User may request that the Personal Data provided by the User to the Controller and processed in an automated manner be made available in a structured, commonly used, machine-readable format and/or transferred to another controller.
16.8 If the Data Controller does not comply with the User's request for rectification, blocking or erasure, the Data Controller shall inform the User in writing within 25 days of receipt of the request of the reasons for refusal of the request for rectification, blocking or erasure. In the event of refusal of a request for rectification, erasure or blocking, the controller shall inform the User of the possibility of judicial remedy and of recourse to the National Authority for Data Protection and Freedom of Information.
16.9. The User may make the above declarations related to the exercise of his/her rights at the contact details of the Data Controller provided in Section 2.
16.10. The User may lodge a complaint directly with the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu). In case of violation of his/her rights, the User shall be entitled to take legal action pursuant to Article 22 (1) of the Information Act. The court of law shall have jurisdiction to decide on the action. At the User's option, the lawsuit may be brought before the court of the User's domicile or residence. Upon request, the Controller shall inform the User in detail of the possibilities and means of legal remedy.
17. CHANGES TO THE PRIVACY NOTICE
17.1 The Data Controller reserves the right to amend this Policy at any time by unilateral decision. The Data Controller may (but is not obliged to) inform Users of any modification of this Policy by sending a system message. On the basis of the information contained in the notification, the User shall be entitled to exercise his/her rights in relation to data management as set out in this Policy and in the applicable legislation.
17.2. The User accepts the current provisions of the Terms and Conditions by entering the Website, and the consent of the individual User is not required.