Data Protection and Data Management Regulations

PARÁD PARK Hotel Gyógy-idegenforgalmi és Szolgáltató Kft.
Erzsébet Park Hotel***, Parádfürdő

I. Data of the service provider as data controller

Name: PARÁD PARK Hotel Gyógy-idegenforgalmi és Szolgáltató Kft.
registered office: 3244 Parád (Parádfürdő), Kossuth Lajos út 372.
company registration number: Cg.10-09-025820
tax number: 13195364-2-10
telephone number: +36 (36) 444-044
e-mail: info@erzsebetparkhotel.hu
web: www.erzsebetparkhotel.hu

(hereinafter referred to as the “Data Controller”)

company profile: TEÁOR 5510 Hotel services

The Data Controller, as the operator of Erzsébet Park Hotel***, Parádfürdő (hereinafter: Hotel), hereby informs its customers, guests and visitors to its website (hereinafter collectively: data subjects, user(s) or guest(s)) that it respects the personal rights of its Guests, and therefore acts in accordance with the following data management regulations (hereinafter: Regulations) when processing its data.

The current version of the Privacy Policy is available on the website www.erzsebetparkhotel.hu and is also available on paper at the Hotel reception. The Data Controller reserves the right to change the Policy due to the coordination of the Policy with the legal background and other internal regulations that may be amended in the meantime. The date of the last amendment is indicated at the end of the Policy. This policy regulates the data processing activities related to the services provided by Erzsébet Park Hotel***, Parádfürdő and accessible via the website.

II. PURPOSE OF THE POLICY

1. The primary purpose of this policy is to define and comply with the basic principles and provisions regarding the processing of data of natural persons and Guests who come into contact with the Hotel, in order to ensure that the privacy of natural persons is protected in accordance with the relevant legal provisions.

2. With reference to the provisions set out in point II.1, the purpose of these regulations is to ensure that the Hotel complies in all respects with the provisions of the applicable European Union and Hungarian legislation on data protection, in particular, but not exclusively, with

• Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society
• Act XLVII of 2008 on the prohibition of unfair commercial practices towards consumers,
• Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity,
• Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter referred to as "Info. Act", and
• Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter referred to as "GDPR")

3. The Data Controller therefore considers it of utmost importance and is committed to protecting the data provided by the data subject via the website or other forum or in any other way, as defined by the GDPR, and to respecting the data subjects' right to informational self-determination. In this context, it contributes to creating safe internet access opportunities for the data subjects by fully complying with the relevant applicable laws.

III. SCOPE OF REGULATIONS

III.1. Temporal scope: This Regulation is effective from November 25, 2015 until further notice or withdrawal.
III.2. Personal scope: The scope of this Regulation extends to the Hotel, to those persons whose data is included in the data processing covered by this Regulation, and to those persons whose rights or legitimate interests are affected by the data processing.
III.3. Subject matter scope: The scope of this Regulation extends to all data processing involving personal data carried out in all organizational units of the Hotel.

IV. DEFINITION OF THE TERMS

Data Subject or User or Guest: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal data: any information relating to the data subject;
Hotel: Erzsébet Park Hotel***, Parádfürdő hotel located at 3244 Parád (Parádfürdő), Kossuth Lajos út 372, operated by the Data Controller;
Consent: a voluntary, specific, adequately informed and unambiguous indication of the data subject’s will, by which the data subject, by a statement or by an unequivocal affirmative action, signifies agreement to the processing of personal data concerning him or her;

Data controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this policy and the Hotel, the data controller is: PARÁD PARK Hotel Gyógy-tígenforgalmi és Szolgáltató Kft.
registered office: 3244 Parád (Parádfürdő), Kossuth Lajos út 372.

Data processing: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, such as collection, recording, organization, structuring, storage, transformation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or persons who, under the direct authority of the controller or the processor, are authorised to process personal data;
Recipient: the natural or legal person, public authority, agency or any other body to whom or with whom the personal data are disclosed, whether or not a third party;
Data breach: any breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Website: www.erzsebetparkhotel.hu portal, the www.mofetta.com portal and all its subpages, operated by the Data Controller;
Facebook page: the page located on the https://www.facebook.com/Erzsebetparkhotel portal, maintained by the Data Controller.
Instagram page: https://www.instagram.com/erzsebetparkhotel/ is maintained by the Data Controller.

V. PRINCIPLES OF DATA PROCESSING

V.1. Lawfulness, fairness and transparency: Personal data must be processed lawfully and fairly and in a manner that is transparent to the data subject.

V.2. Purpose limitation: Personal data must be collected only for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

V.3. Data economy: Personal data must be adequate and relevant in relation to the purposes for which they are processed and limited to what is necessary.

V.4. Accuracy: Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay.

V.5. Storage limitation: Personal data must be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

V.6. Integrity and confidentiality: Personal data shall be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by applying appropriate technical or organisational measures.

V.7. Accountability: The controller shall be responsible for compliance with the above principles and shall be able to demonstrate such compliance.
The data controller shall also comply with the principles of data protection by design and by default in relation to the data processing carried out by it, which include the following:
Data protection by design: The data controller shall, taking into account the state of the art and technology and the costs of implementation, the nature, scope, circumstances and purposes of the data processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons, implement appropriate technical and organisational measures, such as pseudonymisation, both when determining the method of data processing and during data processing, with the aim of, on the one hand, effectively implementing data protection principles, such as data economy, and, on the other hand, incorporating the necessary safeguards into the data processing process to meet the requirements of the GDPR and to protect the rights of data subjects.
Data protection by default: The controller must implement appropriate technical and organizational measures to ensure that, by default, only personal data are processed that are necessary for the specific purpose of the processing. This obligation applies to the amount of personal data collected, the extent of their processing, the duration of their storage and their accessibility. In particular, these measures must ensure that, by default, personal data cannot be made accessible to an indefinite number of persons without the intervention of the natural person.

VI. DATA CONTROLLER STATEMENTS

VI.1. The Data Controller declares that
VI.1.1. during data processing, it acts in accordance with the provisions of the GDPR and the Info. Law.
VI.1.2. during data processing, the personal data that the Data Controller has come to know may only be accessed by those persons employed by the Data Controller who have tasks related to the given data processing.
VI.1.3. ensures that the regulations in force at all times are continuously accessible to the data subject, thereby enforcing the principle of transparency.
VI.1.4. the website handles the personal data of visitors confidentially, in accordance with the applicable legal provisions, ensures their security, takes technical and organizational measures, and develops procedural rules in order to fully comply with the principles of data protection.
VI.1.5. the personal data of Guests staying at the Hotel is handled confidentially, in accordance with the applicable legal provisions, ensures their security, takes technical and organizational measures, and develops procedural rules in order to fully comply with the principles of data protection.

VI.1.6. in order to preserve the data it manages, it takes and ensures all measures to facilitate IT and other secure data management related to data storage, data management and data transmission.

VI.1.7. does everything that can be expected of it to ensure the protection of the personal data it processes against unauthorized access, alteration, disclosure, deletion, damage, destruction, and to guarantee the technical conditions necessary for this.

VI.1.8. does not check the personal data provided to it, and excludes liability for their accuracy.

VI.1.9. transmits personal data to third parties only exceptionally and in such cases, and connects the database it processes with another data controller only if the data subject expressly consents to it or if the law permits it, and if the conditions for data processing are met for each individual piece of personal data.

VI.1.10. operates exclusively in Hungary, does not belong to a multinational hotel chain, therefore it is not required to introduce and operate mandatory organizational regulations.

VI.1.11. does not transfer personal data to a data controller or data processor located in a third country (outside the European Economic Area).

VI.1.12. maintains a data management register in accordance with the provisions of the GDPR, which includes, among other things, the purpose of data management, the scope of data subjects and personal data processed, the deadlines for the deletion of individual data categories, and other information required by the GDPR.

VI.2. By applying appropriate security measures to protect personal data stored in automated data files, the Data Controller ensures the prevention of accidental or unlawful destruction or accidental loss, as well as unlawful access, alteration or dissemination.

VII. SCOPE OF ACTIVITIES AND DATA AFFECTED BY DATA PROCESSING

1. Use of Hotel Services

1.1. In the context of the provision of hotel services, the processing of all data relating to the data subject is based on voluntary consent and is intended to ensure the provision of the service and to maintain contact. The personal data contained in this Section VII., with the exceptions set out in the individual sub-sections, shall be retained by the Data Controller for a period in accordance with the applicable tax and accounting regulations and shall be deleted after the expiry of the deadline.

1.2. For certain services, it is possible to provide additional data that helps to fully understand the Guest's needs, but these are not conditions for using the hotel services.

2. Request for quotation

2.1. In the event of a request for an offer via the website http://www.erzsebetparkhotel.hu/online-inquiry the Data Controller requests the following data from the Guest:

Date of arrival*

Date of departure*

Number of rooms*

Number of adults per room*

Number of children per room*

Title*

Last name*

First name*

E-mail address*

Telephone number*

Comment (optional)

The data marked with * are mandatory. If this data is refused, the Data Controller will not be able to prepare an offer in accordance with the request of the data subject.

2.2. The request for an offer is voluntary. The legal basis for data processing is the consent of the data subject.

2.3. The purpose of data processing is to prepare an offer for the use of hotel services for the data subject based on the parameters provided by the data subject and to send it to the data subject, and to send information messages necessary for the performance of the contract.

2.4. The activity and process affected by data processing are the following:

2.4.1. The data subject can access the website interface by clicking on the “Request a quote” menu/button located on the HOME PAGE of the website, in the submenus of the “OFFERS” menu, and in the “BOOKING” menu, where he/she has the opportunity to provide the data specified in point VII.2.2.1. After providing the data, the data subject can send the named data to the Data Controller by clicking on the “Continue” button.

2.4.2.The data sent to the Data Controller are processed by the Data Controller’s employees working in authorized positions using the RESNWEB booking program and an offer is developed for the data subject, which is sent to him/her via the RESNWEB booking system or by e-mail.

2.5. Data processors:

Company name: NetHotelBooking Kft.

Address: 8200 Veszprém, Boksa tér 1/A

Purpose of data processing: Operation of the request for quotation module

Company name: ActiveCampaign, LLC

Address: 1 North Dearborn Street, 5th floor, Chicago, IL 60602

More information: www.activecampaign.com

Purpose of data processing: Providing an electronic mail sending function via ActiveCampaign, LLC’s Postmark mail servers to send informational messages necessary for the performance of the contract.

3. Room reservation

3.1. During the room reservation on the website http://www.erzsebetparkhotel.hu/online-booking the Data Controller requests/may request the following data from the Guest:

Arrival date*

Departure date*

Number of rooms*

Number of adults per room*

Number of children per room*

Age of children*

Selected room type*

Selected price type/package*

Selected additional service
Title*
Last name*
First name*
Company/office name
Street, house number*
City*
Postal code*
Country*
Telephone number*
E-mail address*
Message to the hotel (optional)
Payment information in case of credit card payment:
Cardholder name*
Card type*
Card number*
Expiration date*
CVC*
Payment information in case of SZÉP card payment:
Cardholder name*
Card type*
Card number*
Cardholder phone number*
Expiration*

Data marked with * are mandatory. If you refuse to provide this data, the Data Controller will not be able to reserve a room according to the data subject's request.

3.2. The room reservation is voluntary. The legal basis for data processing is the consent of the data subject.
3.3. The purpose of data processing is to reserve the appropriate room type for the data subject based on the parameters provided by the data subject and to confirm the room reservation to the data subject.
3.4. The activity and process affected by data processing are as follows:
3.4.1. If the data subject reserves the selected room and additional services by providing the data, and accepts the General Terms and Conditions and the Data Processing Information, the room reservation is created.
3.4.2. The data subject immediately receives automatic confirmation of the room reservation from the RESNWEB reservation system.

3.3. Data processors:

Company name: NetHotelBooking Kft.

Address: 8200 Veszprém, Boksa tér 1/A

Purpose of data processing: Providing the possibility of online accommodation booking through the RESnWEB system, operating the pre-arrival e-mail module.

Company name: Hostware Kft.

Address: 1149 Budapest, Róna utca 120-122.

Purpose of data processing: Performing customer management tasks through the Hostware Front Office hotel system. The service provider's data management information can be found at the following link: https://www.hostware.hu/sites/pdf/Adatkezelesi_tajekoztato.pdf

Company name: BIG FISH Payment Services Kft.

Address: 1066 Budapest, Nyugati tér 1-2.

Purpose of data processing: Carrying out the data communication necessary for payment transactions between the merchant and the payment service provider's system, ensuring the traceability of transactions for merchant partners. The service provider's data processing information is available at the following link: https://bigfish.hu/adatvedelmi-tajekoztato

Company name: OTP Mobil Kft.

Address: 1138 Budapest, Váci út 135-139. B. ép. 5. em.

Purpose of data processing: Carrying out data communication between the merchant and the payment service provider's system required for payment transactions, providing customer service assistance to users, confirming transactions and fraud monitoring for the protection of users. The service provider's data processing information is available at the following link: https://otpmobil.hu/adatkezelesi-tajekoztato/

Company name: Barion Payment Zrt.

Address: 1117 Budapest, Infopark sétány 1. I. épület

Purpose of data processing: To carry out data communication between the merchant and the payment service provider's system for payment transactions, to provide customer service assistance to users, to confirm transactions and to carry out fraud monitoring to protect users. The service provider's data processing information is available at the following link: https://www.barion.com/hu/adatvedelmi-tajekoztato/

Company name: Wildbit, LLC*

Address: 225 Chestnut St, Philadelphia, PA 19106, USA

Purpose of data processing: Owner of the software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations and notifications in the case of booking, request for quotation, quotation, pre-arrival emailing, gift certificate sales and satisfaction measurement. The service provider's data processing information is available at the following link: https://wildbit.com/eu-privacy

Company name: D-Edge SAS

Address: 14/16 Boulevard Poissonnière, 75009 Paris, France

Purpose of data processing: D-Edge Channel Manager for managing prices and availability in one place when using multiple sales channels. The provider's data protection information is available at the following link: https://www.d-edge.com/privacy-policy/

Company name: ActiveCampaign, LLC

Address: 1 North Dearborn St 5th Floor Chicago, IL 60602

Purpose of data processing: Providing the electronic mail function via ActiveCampaign, LLC's Postmark mail servers to send information messages necessary for the performance of the contract.

4. Check-in and Registration Form

4.1. After September 1, 2021, in accordance with the applicable laws, the accommodation provider shall record the legally defined personal data of those using accommodation services in Hungary in its accommodation management software via a document reader and forward it to a storage location, the Guest Information Closed Database (VIZA). The accommodation provider shall record the following data of the user in its accommodation management software upon check-in – in order to protect the rights, safety and property of the data subject and others, and to verify compliance with the provisions on the stay of third-country nationals and persons with the right of free movement and residence. (*third-country national: persons pursuant to Act II of 2007 on the entry and stay of third-country nationals.) The user of the accommodation service shall present the identification document to the accommodation provider for the purpose of recording the data. Data that is not contained in the document shall not be recorded. In the absence of presentation of the document, the accommodation provider shall refuse to provide the accommodation service. Based on legal regulations, the accommodation provider is entitled to request the guest's identity document, and the guest is obliged to present it. The accommodation provider processes the data of the users until the last day of the year following the date of its receipt for the purpose specified in the law. The police may search the data stored in the VIZA system, i.e. the storage location specified by law, with asymmetric encryption, for the purpose of crime prevention, public order, public security, state border order, the protection of the rights, safety and property of the data subject and others, and the conduct of the search procedure. The Data Controller processes the data for the purpose of fulfilling its obligations specified in the relevant laws (in particular, in the laws related to alien policing and tourism tax), or proving such fulfillment, and for the purpose of identifying the Guest, as long as the competent authority can verify the fulfillment of the obligations specified in the given laws:

Family name and first name*

Family name and first name at birth*

Telephone number*

Address*

Date of arrival*

Date of departure*

Identification data of personal identification document or travel document*

Serial number

Citizenship*

Place of birth*

Date of birth*

Gender*

Mother's family name and first name at birth*

Signature*

E-mail address, Newsletter subscription option

Data marked with * are mandatory.

4.2. The provision of mandatory data by the Guest is a condition for using the hotel services. The legal basis for the processing of these data is the fulfillment of the legal obligation applicable to the Data Controller. The legal basis for the processing of other, non-mandatory data is the consent of the data subject.

4.3. The purpose of the processing of the data to be provided is to ensure compliance with the legal obligations applicable to the Data Controller, as specified in Section VII.4.4.1 above, to prove the conclusion or fulfillment of the contract concluded with the Data Controller, and to enforce any claims.

4.4. The purpose of the processing of other data not to be provided is to ensure the use of other hotel services, to improve the quality of the services, and to monitor the popularity of the hotel. By providing the email address on the registration form, the guest has the opportunity to subscribe to the Data Controller's newsletter. The other provisions regarding the newsletter are set out in Section VII.5.

4.5. The data provided by the Guest on the registration form are also applicable to all hotel services and rentals used by the Guest (bicycle rental).

5. Newsletter

5.1. The data subject may subscribe to the newsletter via the website, by e-mail or on paper during the use of certain services at the Hotel with the data specified below..

5.2. Scope of the processed data:

Surname*

First name*

E-mail address*

Booking, request for quotation data

Source

User activity

Website visit data (visited websites, time of visit)

Consent to marketing inquiries

Statistical data of the messages sent (delivery, opening, clicks)

Data marked with * are mandatory. In case of refusal to provide this data, the Data Controller is not able to provide the newsletter service to the data subject.

5.3. Subscription to the newsletter is voluntary. The legal basis for data processing is the data subject's consent.

5.4. The Data Controller sends the newsletter only with the consent of the data subject.

5.5. The purpose of data processing related to sending the newsletter is to maintain contact, provide information, and create and send personalized offers based on user behaviour.

5.6. The Data Controller analyses the data and user habits of those who subscribe to the newsletter in order to later communicate its advertisements to its users in a personalized manner at the contact details they have provided. Segmented data collection for marketing purposes is considered profiling pursuant to Article 4, Section 4 of the GDPR.

5.7. Data collection in accordance with the above is considered profiling, during which personalized marketing messages may be sent to the data subjects as a result of the data voluntarily provided by the data subject, as well as the opening and clicking data measured on the website and in emails.

5.8 The impact of profiling on the data subject: sending personalized marketing messages based on the activities of the data subjects.

5.9. The Data Controller stores the personal data provided in a separate list, separate from data provided to the Data Controller for other purposes; this list may only be accessed by the Data Controller's authorized employees and data processors.

5.10. The Data Controller shall not forward the list or data to a third party or an unauthorized person, and shall take all security measures to ensure that they are not accessed by an unauthorized person.

5.11. The Data Controller shall only process personal data collected for e-purposes until the data subject unsubscribes from the newsletter list.

5.12. The data subject may unsubscribe from the newsletter at any time, at the bottom of the electronic mail, info@erzsebetparkhotel.hu and by sending a cancellation request to the e-mail address.

5.13. You may unsubscribe from the newsletter by post at the following address: PARÁD PARK Hotel Gyógy-idegenforgalmi és Szolgáltató Kft. registered office: 3244 Parád (Parádfürdő), Kossuth Lajos út 372.

5.14. The Data Controller shall keep statistics on the reading of the sent newsletters, using clicks on the links in the newsletters.

5.15. Data Processor:

Company name: ActiveCampaign, LLC

Address: 1 North Dearborn Street, 5th floor, Chicago, IL 60602

More information: www.activecampaign.com

Purpose of Data Processing: To provide electronic mail sending functionality via ActiveCampaign, LLC's Postmark mail servers for the purpose of sending newsletters.

5.16. The Guest can subscribe to the news feed published on the message board on the Facebook page by clicking on the "like" link on the page, and can unsubscribe by clicking on the "dislike" link on the same page, or delete unwanted news feeds appearing on the message board using the message board settings.

6. Wellness-Medical – Mofetta (carbon dioxide medicinal gas bath treatment) – swimming pool

6.1. Only the treating physician has access to the health data necessary for the health service. Other persons performing activities related to the treatment of the data subject (e.g. assistant, masseur) may process health data in accordance with the instructions of the treating physician and to the extent necessary for the performance of their duties.

6.2. The recording of health data is part of the treatment. The treating physician decides which health data needs to be recorded in accordance with professional rules. The data subject may give his/her written consent to the processing of his/her health and personal identification data related to his/her treatment in accordance with the relevant legislation. For this purpose, the data subject must complete a written consent declaration before starting the treatment. In the event of refusal of written consent, the Data Controller is unable to provide the data subject with the treatment.

6.3. The purpose of data processing is to ensure safe and professional treatment.

6.4. Health data may only be forwarded to another doctor or a third party at the Guest's request, and the Guest's consent must be requested before the data recorded in this way can be accessed by a doctor who has not previously treated the Guest, with the proviso that health data may not be forwarded to the Guest's family doctor unless the Guest expressly objects.

6.5. The data controller and the person acting on their behalf, as well as the data processor, are obliged to keep the medical information they have learned confidential.

6.6. The data controller or its authorized representative is exempt from the confidentiality obligation if

6.6.1. the data subject or their legal representative has consented in writing to the transmission of health and personal identification data, within the limitations set forth therein, and
6.6.2. the transmission of health and personal identification data is a legal obligation.

6.7. The data subject has the right to receive information about data processing in connection with medical treatment, to learn about the health and personal identification data relating to them, to inspect the health documentation, and to receive a copy of them – at their own expense.

6.8. The data subject has the right to receive information about data processing in connection with medical treatment, to learn about the health and personal identification data relating to them, to inspect the health documentation, and to receive a copy of them – at their own expense.

6.9. The Data Controller handles the processing of health data in accordance with the Data Protection Act and Act XLVII of 1997 on the processing and protection of health and related personal data.

6.10. The Data Controller has a contractual relationship with the following business entity regarding health services
Company name: VAT-VÍZ Egészségügyi, Kereskedelmi és Szolgáltató Kft.
Registered office: 3996 Füzér, Rákóczi u. 20.
Company registration number: 05-09-017391
Represented by: Dr. Suskó Eszter managing diretor
Telephone number: +36309959404
E-mail address: vatvizkft@gmail.com

6.11.The Guest using the spa service is entitled to use a swimming pool pass, during which the Data Controller processes the following data:
Name
Address
Validity period of the swimming pool pass.

7. Bank card details

7.1. The Data Controller uses and may use the bank, credit card/bank account data provided by the data subject to the Data Controller only to the extent and for the period necessary for the exercise of the data subject's rights and the fulfillment of its obligations. The data is processed by the Data Controller's contractual banking partners. You can find out more about this data processing on the websites of the competent Bank

7.2. The hotel operated by the Data Controller accepts beauty cards and health cards, to which the same data protection as bank card processing applies.

7.3. The Hotel is entitled to use bank card pre-authorization and authorization to ensure the future payment of service fees.

8. Loyalty Program

8.1. The Data Controller’s Loyalty Program is an exclusive service provided to the hotel’s Guests – natural persons – with the aim of providing discounts to returning guests.

8.2. Participants in the given program expressly consent to the Data Controller processing their personal data provided for this purpose for the purpose of operating the Loyalty system and for the purpose of sending a newsletter specifically designed for regular guests. In the event of refusal of consent, the Data Controller is not able to provide the data subject with the discounts and services that are part of the Loyalty Program.

8.3. The Data Controller is entitled to forward the data provided in this way to its agents, subcontractors and data processors who are in a contractual relationship for the purpose of operating the given program, provided that they may not forward the personal data received in this way to third parties other than their data processors. If the recipients of the data transfer differ from those set out in this point, the Data Controller shall provide information about their identity prior to data processing and consent to it.

8.4. If the data subject objects to the data transfer, this will make it impossible for them to participate in the given program, thus entailing their deletion from the program.

8.5. The Loyal Guest program membership status becomes inactive after 5 (five) years from the last use of the hotel service.

8.6. The personal data processed in the programs serve to maintain contact. The personal data processed in the programs are the same as the data on the Guest login form listed in Section VII.4.1.

8.7. The Data Controller stores the provided data in a separate data file, separated from other provided data. This data file may only be accessed by the Data Controller’s authorized employees.

8.8. The Data Controller takes all security measures to ensure that the data is not accessed by unauthorized persons.

8.9. It may be necessary to provide additional personal data in order to participate in the programs; in such cases, the Data Controller will inform the data subject about the purpose, method and duration of data processing at the same time as the data request.

8.10. Data Processor:

Company name: ActiveCampaign, LLC

Address: 1 North Dearborn Street, 5th floor, Chicago, IL 60602

More information: www.activecampaign.com

Purpose of Data Processing: To provide email sending functionality via ActiveCampaign, LLC's Postmark mail servers for the purpose of sending promotional and notification emails.

9. Gift voucher

9.1. The Hotel allows the Guest to purchase various gift vouchers, which can be used for the Hotel's services in the given value.

9.2. Ordering and using the gift voucher is voluntary. The legal basis for data processing is the consent of the data subject.

9.3. Ordering the gift voucher and the scope of data subject to data processing:
9.3.1. The data subject may order the voucher of the amount specified by him/her at the Hotel in person or by telephone or by e-mail sent to info@erzsebetparkhotel.hu, by providing the following data:

name*

e-mail address*

telephone number*

billing name and address*

delivery name and address*

The data marked with * are mandatory. In case of refusal to provide this data, the Data Controller is unable to provide the requested gift voucher to the data subject

9.3.2.After receiving the amount, the Data Controller issues an advance invoice and a serially numbered voucher for the amount of the agreed and ordered voucher and sends it in PDF format to the provided email address.

9.3.3.The purpose of data processing is to prepare a gift voucher requested by the data subject and send it to the data subject.

9.3.4.The Data Controller stores the personal data provided in a separate data file, separated from other data provided. This data file may only be accessed by the Data Controller's authorized employees.

9.3.5.The Data Controller does not forward individual data or the entire data file to a third party and takes all security measures to prevent unauthorized persons from accessing them.

10. Guest questionnaire, complaint management, evaluation system

10.1. As part of the quality assurance process applied by the Data Controller, data subjects can provide their opinion online, via e-mail and paper-based guest questionnaires, through complaint management, or through the evaluation system.

10.2. When filling out the questionnaire or complaint, the Guest provides the following personal data:

name
stay date
room number
contact details (address, e-mail address, telephone number)
other personal data provided by the data subject in the complaint/evaluation

10.3. Providing the data is not mandatory, it only serves to accurately investigate any complaints and to ensure that the Data Controller responds to the guest. The legal basis for data processing is the data subject's consent.

10.4. The purpose of data processing is to receive and process feedback on hotel services, to improve the quality of hotel services and to monitor customer satisfaction, to investigate any complaints and to take appropriate measures.

10.5. The Data Controller may also use the opinions thus obtained and any data provided related to them that cannot be traced back to the given Guest and cannot be linked to the Guest's name for statistical purposes.

10.6. The Data Controller stores the personal data provided in a separate data file, separated from other data provided. This data file may only be accessed by the Data Controller’s authorized employees.

10.7. The Data Controller does not forward individual data or the entire data file to third parties and takes all security measures to prevent unauthorized persons from accessing them.

10.8. The Data Controller processes the data for 5 years from the date of receipt of the complaint.

11. Security camera system

11.1. Cameras are operated in the area of the Hotel operated by the Data Controller for the personal and property safety of the Guests. Information signs are posted to draw the attention of the data subjects to their operation. Regarding the lawful operation of the surveillance system, the Data Controller shall act in accordance with the provisions of this regulation and the camera regulations and shall make them available to the data subjects.

11.2. Scope of the processed data: The image and/or voice of the data subject recorded by the operated camera system.

11.3. Special rules regarding the operation of the camera surveillance system:
11.3.1. In accordance with the provisions of this regulation, the camera surveillance system is governed by a separate regulation, the current version of which is available at the Hotel reception.
11.3.2. The camera system records images.
11.3.3. Purpose of data processing: protection of persons and property.
11.3.4. The place of storage of the recording: Erzsébet Park Hotel***, Parádfürdő 3244 Parád (Parádfürdő), a hotel located at Kossuth Lajos út 372, operated by the Data Controller
11.3.5. The legal basis for data processing: the voluntary consent of the data subject based on the information posted by the Operator in the form of signs. Consent can also be given in the form of suggestive behavior. Suggestive behavior is especially if the data subject enters or remains in the units affected by the camera surveillance system despite the warning information.
11.3.6. The Operator must ensure that the personal data of the data subject, in particular his/her private secrets and the circumstances of his/her private life, are protected from being disclosed to unauthorized persons.
11.3.7. An electronic surveillance system may not be used in a place where surveillance may violate human dignity, in particular in changing rooms, showers and washrooms, toilets, and rest areas. Surveillance with cameras is proportionate to its purpose, and the Data Controller does not conduct unlimited and direct surveillance.
11.3.8. Duration of storage of the recording: If the recorded image is not used, it must be destroyed or deleted no later than 3 working days after it was recorded. Use is considered to be used if the recorded image and other personal data are used as evidence in court or other official proceedings.
11.3.9. A person whose rights or legitimate interests are affected by the recording of the image or other personal data may, within 3 working days of its recording, request that the data controller not destroy or delete it by proving his or her rights or legitimate interests.
11.3.10. Upon request by a court or other authority, the recorded image and other personal data must be sent to the court or authority without delay. If no request is made within thirty days of the request not to destroy it, the recorded image and other personal data must be destroyed or deleted, unless the deadline set out in the regulations has not yet expired.

11.4. The Data Controller has a contractual relationship with the following business entity performing security and protection tasks:

Company name: Key4you Zrt.

Registered office: 2235 Mende, Gárdonyi Géza u.70.

Company registration number: 13-10-041809

Manager: Tányéros Tamás Managing Director

12. Facebook site

12.1. The Data Controller and the hotel operated by the Data Controller and their service units are also available separately on the Facebook community portal.

12.2. The purpose of data management is to share the content on the website. With the help of the Facebook page, the Guest can find out about the latest promotions..

12.3. By clicking on the “like” link on the Data Controller’s Facebook page, the data subject consents to the publication of the Data Controller’s news and offers on his/her own message board..

12.4. The Data Controller also publishes pictures/videos of various current events on his/her Facebook page. If it is not a mass recording, the Data Controller requests the data subject’s written consent before publishing the pictures.

13. Website visit data

13.1. References and links: The Data Controller's website may contain links that are not operated by the Data Controller, but are only intended to inform visitors. The Data Controller has no influence on the content and security of websites operated by partner companies, and is therefore not responsible for them.

13.2. Analytics, cookies: The Data Controller uses an analytical tool to monitor its websites, which creates a data series and monitors how visitors use the websites. The system creates a cookie when the page is viewed, with the aim of recording information related to the visit (pages visited, time spent on our pages, browsing data, exits, etc.), which, however, cannot be linked to the visitor's person. This tool helps to improve the ergonomics of the website, to create a user-friendly website, and to enhance the online experience of visitors. The Data Controller does not use analytical systems to collect personal information. Most web browsers automatically accept cookies, but visitors have the option to delete or automatically decline them. Since each browser is different, visitors can set their cookie preferences individually using the browser toolbar. You may not be able to use certain features of the hotel's website if you choose not to accept cookies. More information about cookies can be found at www.allaboutcookies.org www.allaboutcookies.org.

VIII. INFORMATION SECURITY

VIII.1. Personal data may only be processed in accordance with the activities set out in Chapter VII, in accordance with the purpose of the data processing

VIII.2. The Data Controller shall ensure the IT environment used for the processing of personal data during the provision of the service in such a way that
VIII.2.1. the personal data provided by the data subject is linked only and exclusively with the data and in the manner specified in this regulation,
VIII.2.2. it shall ensure that only employees of the Data Controller who absolutely need it to perform their duties arising from their job obligations have access to the personal data,
VIII.2.3. all modifications to the data shall be made with the date of the modification indicated.
VIII.3. The data is backed up.
VIII.4. Other data of the data subject that cannot be directly or indirectly linked to him/her, that is unidentifiable – hereinafter referred to as anonymous – does not qualify as personal data.

IX. DATA PROCESSOR

IX.1. The operator of the Data Controller's IT system, based on the contract concluded with it, is
Company name: HostWare Kft. /MT-HostWare Számítástechnikai Kft./
Registered office: 1149 Budapest, Róna utca 120.
Telephone: (+36-1) 469-9000
E-mail address: hostware@hostware.hu
which qualifies as a data processor for the purposes of processing personal data.

IX.2. The operation of the Data Controller's website, the recording of visitor data and the information necessary for the operation of the website, based on the contract concluded with it, is
Company name: MORGENS Design Kft./
Registered office: 8800 Nagykanizsa, Magyar utca 79.

which qualifies as a data processor for the purposes of processing personal data. Data processing is necessary for the performance of the contract.

X. LEGAL REMEDIES

In accordance with the applicable data protection legislation, the data subject has the right to: (i) request access to his/her personal data; (ii) request rectification of his/her personal data; (iii) request erasure of his/her personal data; (iv) request restriction of processing of his/her personal data; (v) exercise data portability with regard to his/her personal data; and (vi) object to the processing of his/her personal data.

(i) Right of access: The data subject has the right to receive feedback on whether his/her personal data is being processed and, if such processing is taking place, to have access to his/her personal data and to certain information relating to the processing.

The right of access covers, among others, the following information: the purpose of the processing, the categories of data processed, and the designation of the recipients to whom the data have been transmitted.

The data subject shall also have the right to request a copy of his/her personal data processed by the controller.
(ii) Right to rectification: In certain cases, the data subject shall have the right to have inaccurate personal data concerning him/her rectified or incomplete personal data completed.
(iii) Right to erasure: In certain cases, the data subject shall have the right to have personal data concerning him/her erased, and the controller may be obliged to erase such data.
(iv) Right to restriction of processing: In certain cases, the data subject shall have the right to have the processing of personal data concerning him/her restricted. In such cases, the data concerned may be processed only for specified purposes.
(v) Data portability: In certain cases, the data subject shall have the right to receive the personal data concerning him/her in a structured, commonly used and machine-readable format and shall have the right to transmit such data to another controller.

The data subject may also have the right to request, where technically feasible, the direct transmission of personal data between data controllers.
(vi) Right to object: In certain cases, the data subject has the right to object to the processing of his or her personal data, in which case the Data Controller may no longer process such data.

In relation to the above rights, please note that in some cases the fulfilment of the given request may not be possible or may only be possible to a limited extent due to the nature of the data, and that the above rights are not unlimited and their exercise may be subject to conditions under the applicable data protection rules.

In addition to the above rights, the data subject has the right to withdraw his or her consent to data processing at any time. The withdrawal of consent does not affect the lawfulness of data processing carried out before its withdrawal.

The data subject may exercise the above rights at the email address info@erzsebetparkhotel.hu or in the context of certain activities related to data processing as set out therein. The Data Controller will respond to requests as soon as possible, but no later than 1 (one) month.
The data subject is also entitled to file a complaint with the National Authority for Data Protection and Freedom of Information (seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., tel.: +36 (1) 391-1400, e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu), or, if necessary, to the court of his/her place of residence or stay due to unlawful data processing.