Privacy policy


  1.  

    PRIVACY POLICY

    1. General provisions

    Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.), as the operator of Ferrata Guesthouse, always ensures the lawfulness and expediency of data processing in relation to the personal data it processes. The purpose of this information is to ensure that, before making a reservation or providing their personal data, our guests can receive adequate information about the conditions and guarantees under which our company processes their data and for how long. Our company adheres to the contents of this information in all cases involving personal data processing, and we consider the contents of this information to be binding on us.

    However, we reserve the right to change the terms of this unilateral legal declaration, in which case we will inform the data subjects in advance. If you have any questions about the contents of this information, please contact us at the info@ferratavendeghaz.hu e-mail address or by post at Ferrata Guesthouse (8419 Csesznek, Wathay Ferenc Str. 55-57.). The data processing of our company’s activities is based on voluntary consent, and in some cases the data processing is necessary to take steps at the request of the data subject prior to entering into a contract.

    Our data processing complies with applicable laws, in particular the following:

    • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”)
    • Act CXII of 2011 on informational self-determination and freedom of information (“Info. tv.”).

    Contact details of the data controller:

    Name: Cheblon Kft. (hereinafter referred to as “Data Controller”)

    Headquarters and postal address: 8419 Csesznek, Wathay Ferenc Str. 55.

    Company registration number: 19 09 520820

    Tax number: 26302168-2-19

    E-mail address: info@ferratavendeghaz.hu

    Telephone number: +36 (30) 607 7905

    Home page: www.ferrataapartman.hu

    Represented by: Nagy Ádám, manager

    We provide the following information in connection with each of our data processing activities.

    1. Range of data subjects

    The data subject is any natural person identified or – directly or indirectly – identifiable on the basis of any specific personal data, whose data are processed by the Data Controller. Therefore, the data subjects are primarily the guests, the natural-person Partners of the Data Controller, and the representatives, contact persons and possibly other employees of its non-natural-person Partners.

    1. Scope of personal data processed, purpose, legal basis and duration of data processing
      1. Data processing related to online hotel booking

    Our company provides the opportunity to book accommodation online so that a room at Ferrata Guesthouse can be booked quickly, conveniently and free of charge.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    The purpose of data processing: to facilitate the reservation of accommodation, to make it free of charge and more efficient, to contact the guest who has booked the accommodation. 

    Legal basis for data processing: prior consent of the person making the reservation. By accepting this notice, the data subject gives his or her express consent to the processing of his or her personal data in accordance with this section.

    Scope of personal data processed: title; surname and first name; address (country, postal code, city, street, house number); phone number; e-mail address; in the case of a business company, company name and registered office; bank card number; CVC code; SZÉP card data (ID, name on the card). If you fill in the online application form, the hotel will also process the following data: ID document (ID card, passport or driver’s license) number, nationality, place and date of birth, vehicle registration number.

    Duration of data processing: two years after the last day of the reservation date of stay.

    Engagement of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows. 

    | Name of data processor | Headquarters | Description of the data processing task |
    |---|---|---|
    | NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Providing the possibility of online hotel reservation through the RESnWEB system, operation of a pre-arrival e-mail module |

    By accepting this Privacy Policy, the data subject expressly consents to the Data Processor using additional data processors in order to make the service more convenient and customized, as follows:

    | Name of sub-processor | Headquarters | Description of the data processing task |
    |---|---|---|
    | The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automated emails displaying confirmations and notifications in case of booking, requesting an offer, making an offer, sending pre-arrival emails, selling gift vouchers and measuring satisfaction. |
    | Triptease Limited | WeWork 3 Waterhouse Square 138-142 Holborn London EC1N 2SW United Kingdom | Online chat function, which allows guests to keep in touch with the hotel and manage their bookings in a fast and efficient way. |
    | BIG FISH Payment Services Kft. | 1066 Budapest, Nyugati tér 1-2 | To carry out the data communication necessary for payment transactions between the merchant and the payment service provider’s system, to ensure the retrieval of transactions for the merchant partners. |
    | OTP Mobil Kft. | 1093 Budapest, Közraktár u. 30-32. | Processing of data communication necessary for payment transactions between the merchant and the payment service provider’s system, customer service assistance to users, confirmation of transactions and fraud monitoring to protect users. |
    | Barion Payment Zrt. | 1117 Budapest, Infopark sétány 1. I. épület | Processing of data communication necessary for payment transactions between the merchant and the payment service provider’s system, customer service assistance to users, confirmation of transactions and fraud monitoring to protect users. |
    | Creative Management Kft. | 8200 Veszprém, Boksa tér 1. A ép. | Performing server hosting tasks |
    | Wildbit, LLC* | 225 Chestnut St, Philadelphia, PA 19106, USA | Owner of software integrated into the booking system. This software is responsible for sending automated emails displaying confirmations and notifications in case of booking, requesting an offer, making an offer, sending pre-arrival emails, selling gift vouchers and measuring satisfaction. |

    *The Data Processor is based in the United States, so the transfer of data to it is considered a transfer to a third country. At the same time, The Rocket Science Group and Wildbit have voluntarily acceded to the EU-US Privacy Shield Agreement, assuming a high level of personal data protection, so there are no further legal obstacles to the transfer.

    Possible consequences of failure to provide data: The provision of data is voluntary. An important circumstance is that the fields marked with * are mandatory, and if they are not completed, no booking can be finalized. Leaving additional fields blank has no such consequences.

    Rights of the data subject: the data subject (the person whose personal data is processed by our company) may

    a) request access to personal data concerning him or her,

    b) request their rectification,

    c) request their deletion,

    d) withdraw his or her consent to data processing: in this case, the lawfulness of the processing before the withdrawal of consent will not be affected by the withdrawal,

    e) request the restriction of the processing of personal data under the conditions set out in Article 18 of the GDPR (i.e. that our company does not delete or destroy the data until a court or authority has requested it, but for a maximum of thirty days, and that, in addition, it does not process the data for any other purpose),

    f) object to the processing of personal data,

    g) exercise his or her right to data portability. According to the latter right, the data subject has the right to receive the personal data concerning him or her in Word or Excel format and has the right to have this data transmitted to another data controller at his or her request.

    Other information related to data processing:

    • By making a booking, the data subject also declares that the data provided is correct and that he or she is over 16 years of age.

    • We try to help guests prepare their trip with practical and relevant information, weather forecasts, program offers, online check-in and shorten the time spent checking in upon arrival, so we send them a so-called pre-arrival email with information about accommodation, travel and program opportunities before their arrival. Based on the pre-arrival letter, the guest can fill out an online registration form to expedite their check-in to the accommodation upon arrival.

    • Our company takes all necessary technical and organizational measures to avoid a possible data breach (e.g. damage, disappearance, unauthorized access to files containing personal data). In the event of an incident that does occur, we keep records to control the necessary measures and to inform the data subject, which includes the scope of the personal data concerned, the scope and number of those affected by the personal data breach, the date, circumstances, effects of the personal data breach and the measures taken to eliminate it, as well as other data specified in the law requiring data processing.

    Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to apply the data protection and data processing guarantees required by the data processing contract in case of the use of further data processors, therefore we ensure the lawful processing of personal data even in the case of the data processor.

      1. Data processing related to requests for quotations

    Our company provides an opportunity for our guests to request an offer electronically. The offer is provided by our company by means of an automated system, taking into account the available capacities. 

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    Purpose of data processing: to be informed in advance about the prices of the guest house

    Legal basis for data processing: prior consent of the person making the reservation, Article 6 (1) (a) of the GDPR, or the processing is necessary to take steps at the request of the data subject prior to entering into a contract – Article 6 (1) (b) of the GDPR

    Scope of personal data processed: title; surname and first name; telephone number; e-mail address; number of hotel guests.

    Duration of data processing: two years after the last day of the reservation date of stay.

    Engagement of a data processor: our company uses the help of an IT service provider to operate the online contracting system as follows. 

    | Name of data processor | Headquarters | Description of the data processing task |
    |---|---|---|
    | NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Operation of the contracting module |

    By accepting this Privacy Policy, the data subject expressly consents to the Data Processor using additional data processors in order to make the service more convenient and customized, as follows:

    | Name of sub-processor | Headquarters | Description of the data processing task |
    |---|---|---|
    | The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automated emails displaying confirmations and notifications in case of booking, requesting an offer, making an offer, sending pre-arrival emails, selling gift vouchers and measuring satisfaction. |
    | Creative Management Kft. | 8200 Veszprém, Boksa tér 1. A ép. | Performing server hosting tasks |
    | Wildbit, LLC* | 225 Chestnut St, Philadelphia, PA 19106, USA | Owner of software integrated into the booking system. This software is responsible for sending automated emails displaying confirmations and notifications in case of booking, requesting an offer, making an offer, sending pre-arrival emails, selling gift vouchers and measuring satisfaction. |

    *The Data Processor is based in the United States, so the transfer of data to it is considered a transfer to a third country. At the same time, The Rocket Science Group and Wildbit have voluntarily acceded to the EU-US Privacy Shield Agreement, assuming a high level of personal data protection, so there are no further legal obstacles to the transfer.

    Possible consequences of failure to provide data: The provision of data is voluntary. An important circumstance is that the fields marked with * are mandatory; if they are not filled in, the guesthouse will not be able to provide an offer. Leaving additional fields blank has no such consequences.

    Rights of the data subject: the data subject (the person whose personal data is processed by our company) may

    a) request access to personal data concerning him or her,

    b) request their rectification,

    c) request their deletion,

    d) withdraw consent to processing: in this case, the lawfulness of the processing before its withdrawal shall not be affected by the withdrawal,

    e) request the restriction of the processing of personal data under the conditions set out in Article 18 of the GDPR (i.e. that our company does not delete or destroy the data until a court or authority requests it, but for a maximum of thirty days, and that, in addition, it does not process the data for any other purpose),

    f) object to the processing of personal data,

    g) exercise his or her right to data portability. According to the latter right, the data subject has the right to receive the personal data concerning him or her in Word or Excel format and has the right to have this data transmitted to another data controller at his or her request.

    Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data breach (e.g. damage, disappearance, unauthorized access to files containing personal data). In the event of an incident that does occur, we keep records to control the necessary measures and to inform the data subject, which includes the scope of the personal data concerned, the scope and number of those affected by the personal data breach, the date, circumstances, effects of the personal data breach and the measures taken to eliminate it, as well as other data specified in the law requiring data processing.

    Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to apply the data protection and data processing guarantees required by the data processing contract in case of the use of further data processors, therefore we ensure the lawful processing of personal data even in the case of the data processor.

      1. Mandatory registration and provision of data related to the check-in of accommodation users

    When checking in at the accommodation, the Data Controller records the required data in the IT system called VIZA, protected by multiple, asymmetric encryption, i.e. in the storage space provided by the hosting service provider designated by the Government decree. The purpose of the register of data is to protect the rights, safety and property of the Data Subject and others, as well as to verify compliance with the provisions on the residence of third-country nationals and persons enjoying the right of free movement and residence. The primary objective of VIZA is therefore to promote public order, public security, the order of the state border, the protection of the rights, safety and property of the data subject and others.    

    Purpose of data processing: Supporting the purposes designated by the Government and implementing the legal obligation requires the processing of personal data.

    Scope of processed data:

    The Data Subject using the accommodation service:

      • surname and first name
      • surname and first name at birth
      • place and date of birth
      • sex
      • nationality
      • mother’s birth name

    The Data Subject using the accommodation service:

      • identification details of your personally identifiable document or travel document,
      • scanned image of your identification document
      • in the case of a third-country national, the number of the visa or residence permit,
      • the date and place of entry.

    Information related to the accommodation service:

      • the exact address of the accommodation,
      • the start and expected and actual end date of the use of the accommodation.

    Legal basis for data processing: The legal basis for data processing is compliance with a legal obligation (GDPR Article 6(1)(c)). The process of data provision is prescribed and regulated by Act CLVI of 2016 on state tasks for the development of tourist areas.

    Duration of data processing: It is necessary to store the data processed for the purpose of data provision until the last day of the first year after becoming aware of it. The data controller then deletes the personal data in the register. The VIZA system retains the data submitted to it for a maximum of two years.

    Data transfer: The activity of the hosting service provider, as a data processor of the accommodation service provider, covers only the storage of data in encrypted form by the provider of the encryption procedure designated by the Government decree and the provision of access to the data to the accommodation service provider and to a person or body authorized to do so by law through the accommodation service provider. The recorded guest data is encrypted and accessed only by the competent bodies; the hosting service provider or the operator of the document reading software enabling the upload cannot access the data stored in the storage space.

      1. Personal data processing related to satisfaction measurement

    As a guest house, our goal is to provide our services to our guests at a high level, so we constantly ask for feedback from our guests about their experiences during their stay in the guesthouse.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    The purpose of data processing: to request feedback from hotel guests in order to further develop and improve our services.

    Legal basis for data processing: legitimate interest of the guesthouse operator – Article 6 (1) (f) of the GDPR.

    Indication of legitimate interest: our company has a legitimate interest in receiving information based on feedback to improve our services.

    Scope of personal data processed: name, gender, e-mail address.

    Duration of data processing: two years after the last day of the reservation date of stay.

    Engagement of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows. 

    | Name of data processor | Headquarters | Description of the data processing task |
    |---|---|---|
    | NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Operation of a satisfaction measurement module |

    By accepting this Privacy Policy, the data subject expressly consents to the Data Processor using additional data processors in order to make the service more convenient and customized, as follows:

    | Name of sub-processor | Headquarters | Description of the data processing task |
    |---|---|---|
    | The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automated emails displaying confirmations and notifications in case of booking, requesting an offer, making an offer, sending pre-arrival emails, selling gift vouchers and measuring satisfaction. |
    | Creative Management Kft. | 8200 Veszprém, Boksa tér 1. A ép. | Performing server hosting tasks |
    | Wildbit, LLC* | 225 Chestnut St, Philadelphia, PA 19106, USA | Owner of software integrated into the booking system. This software is responsible for sending automated emails displaying confirmations and notifications in case of booking, requesting an offer, making an offer, sending pre-arrival emails, selling gift vouchers and measuring satisfaction. |

    *The Data Processor is based in the United States, so the transfer of data to it is considered a transfer to a third country. At the same time, The Rocket Science Group and Wildbit have voluntarily acceded to the EU-US Privacy Shield Agreement, assuming a high level of personal data protection, so there are no further legal obstacles to the transfer.

    Possible consequences of failure to provide data: The data subject does not receive a satisfaction survey from our company.

    Rights of the data subject: the data subject (the person whose personal data is processed by our company) may

    a) request access to personal data concerning him or her,

    b) request their rectification,

    c) request their deletion,

    d) withdraw consent to processing: in this case, the lawfulness of the processing before its withdrawal shall not be affected by the withdrawal,

    e) request the restriction of the processing of personal data under the conditions set out in Article 18 of the GDPR (i.e. that our company does not delete or destroy the data until a court or authority requests it, but for a maximum of thirty days, and that, in addition, it does not process the data for any other purpose),

    f) object to the processing of personal data,

    g) exercise his or her right to data portability. According to the latter right, the data subject has the right to receive the personal data concerning him or her in Word or Excel format and has the right to have this data transmitted to another data controller at his or her request.

    Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data breach (e.g. damage, disappearance, unauthorized access to files containing personal data). In the event of an incident that does occur, we keep records to control the necessary measures and to inform the data subject, which includes the scope of the personal data concerned, the scope and number of those affected by the personal data breach, the date, circumstances, effects of the personal data breach and the measures taken to eliminate it, as well as other data specified in the law requiring data processing.

    Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to apply the data protection and data processing guarantees required by the data processing contract in case of the use of further data processors, therefore we ensure the lawful processing of personal data even in the case of the data processor.

      1. Cookie management

    In order to provide customized service, the Data Controller places a small data package, a so-called cookie, on the user’s computer and reads it back during a subsequent visit. If the browser returns a previously saved cookie, the service provider that manages the cookie has the option to link the user’s current visit to previous ones, but only with respect to its own content.

    The purpose of data processing: identification, tracking, differentiation of users, identification of the current session of users, storage of the data provided during it, prevention of data loss, web analytics measurements, personalized service.

    Legal basis for data processing: consent of the data subject.

    The scope of the processed data: identification number, date, time, as well as the previously visited page.

    Duration of data processing: maximum 90 days 

    | Name of data processor | Headquarters | Description of the data processing task |
    |---|---|---|
    | NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Identification of users and their current session, storage of the data provided during it, prevention of data loss, web analytics measurements, personalized service. |

    Further information on data processing: The user can delete the cookie from his/her own computer or disable the use of cookies in his/her browser. Cookies can usually be managed in the browser’s Tools/Settings menu under the Privacy/History/Custom Settings menu, under the name cookie or tracking.

    Possible consequences of failure to provide data: impossibility of using the service in respect of the services described in points 2-5 above.

      1. Website server logging

    When visiting the nethotelbooking.net web page, the web server automatically logs the user’s activity.

    The purpose of data processing: during the visit to the website, the service provider records the visitor data in order to monitor the operation of the services and to prevent abuse.

    Legal basis for data processing: Article 6 (1) (f) GDPR. Our company has a legitimate interest in the safe operation of the website.

    Type of personal data processed: identification number, date, time, address of the visited page.

    Duration of data processing: maximum 90 days.

    | Name of data processor | Headquarters | Description of the data processing task |
    |---|---|---|
    | NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Recording of visitor data and information necessary for the operation of the server |

    Further information: our company does not link the data generated during the analysis of log files with other information and does not seek to identify the user. The addresses of the pages visited, as well as the date and time data alone, are not suitable for identifying the data subject; however, when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

    Data processing related to logging by external service providers: The HTML code of the portal contains links from and to an external server independent of our company. The external provider’s server is directly connected to the user’s computer. We would like to draw the attention of our visitors to the fact that the providers of these links are able to collect user data (e.g. IP address, browser, operating system data, mouse pointer movement, address of the visited page and time of visit) due to the direct connection to their server and direct communication with the user’s browser. An IP address is a series of numbers by which the computers and mobile devices of users accessing the Internet can be clearly identified.

    With the help of IP addresses, the visitor using a given computer can even be geographically localized. The addresses of the pages visited, as well as the date and time data alone, are not suitable for identifying the data subject; however, when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

      1. Data processed during a one-time request for information / continuous regular contact

    The Data Controller enables the data subject to be in constant or regular contact with it in various ways and forums, for example through electronic communications: exchanging e-mails with the data subject, contacting them by post or telephone, etc.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    Purpose of data processing: to provide appropriate information and to keep in touch with the data subject.

    Legal basis for data processing: consent of the data subject – Article 6 (1) (a) of the GDPR. In the event that the Data Controller and the data subject enter into an agreement with each other, for example, on the use of a service of the Data Controller, such as accommodation services, the legal basis for the processing may also be the conclusion of the contract. Contact, and thus the processing of the relevant data, may also be based on the legitimate interest of the data subject, a third party or the Data Controller, as well as on other legal bases defined by law; for example, it may be mandatory by law.

    Scope of personal data processed: first and last name; phone number; e-mail address; content of the question.

    Duration of data processing: until the realization of the purpose, or if the interest of the data subject or a third party or the Data Controller or the fulfillment of an obligation requires it, then after the realization of the purpose, until the termination of the interest or the fulfillment of an obligation. If the duration of data processing is mandatory by law on the basis of the method of data processing or otherwise, the Data Controller shall process the data for the period specified in the relevant legislation.

      1. Check-in and notification form/guest and tourist register

    Upon arrival, before occupying the booked and confirmed room, the Data Subject shall fill in a report form in which he/she consents to the Data Controller processing the data provided below for the purpose of fulfilling its obligations under the relevant legislation (in particular the legislation related to aliens police and tourist tax) and for the purpose of proving compliance and identifying the data subject, for as long as the competent authority may verify the fulfilment of the obligations specified in the relevant legislation.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    The purpose of data processing: to ensure full compliance with the legislation (in particular the legislation related to aliens police and tourist tax), to conclude the accommodation service contract, to prove its fulfillment and performance, and to allow possible enforcement of claims and contact with the data subject.

    Based on the authorization of Act C of 1990 on Local Taxes and on the local government’s decree on the establishment of tourist tax, data processing is mandatory in relation to name, place and date of birth, address and nationality, so they are legal conditions for using the services provided by the Data Controller.

    The Data Controller draws the attention of the data subjects to the fact that, having regard to the provisions of Section 6(5) of Act CXII of 2011, it may process the data voluntarily provided by the data subject for the purpose of fulfilling its obligations under the legislation related to the tax (in particular tourist tax) and for the purpose of enforcing its legitimate interests, without further special consent of the data subject and after the withdrawal of the consent of the data subject.

    With regard to the safekeeping, storage and destruction of paper-based login sheets and other paper-based documents containing data, the Data Controller acts in accordance with this policy and the Document Management Policy.

    Legal basis for data processing: The registration and filling in the application form are based on voluntary consent, but it is a condition for using the services, and in relation to the data specified by Act C of 1990 on Local Taxes, if provided voluntarily by the data subject, data processing is mandatory.

    The scope of personal data processed: first and last name; place and date of birth; address; telephone number; e-mail address; identity card number; car registration number; nationality; method of payment; date of arrival and departure. In a case related to the establishment of a tourist tax exemption, the following data may be transmitted to the municipal tax authority: first and last name; place and date of birth; dates of arrival and departure. The provision of an e-mail address on the notification form is optional. By providing the e-mail address, the data subject voluntarily subscribes to the newsletter service operated by the Data Controller. This information has been included in the notification form. The newsletter is otherwise governed by the provisions of this policy.

    Duration of data processing: in the case of data that are mandatory by law, 5 years from the date of recording; in the case of a newsletter, until deletion at the request of the data subject; in relation to other data, until the validity of the rights and obligations arising from the legal relationship in connection with which the Data Controller processes personal data expires; in relation to data that are placed on supporting documents where the document supports the accounting, the duration of data processing is at least 8 years under Section 169(2) of Act C of 2000.

    Possible consequences of failure to provide data: no contract is concluded for the guest house room or no tourist tax exemption can be established.

      1. Camera system

    Surveillance cameras are operated on the territory of the guesthouse for the personal and property safety of those affected and for other purposes. An information board at the entrance draws the attention of those concerned to the operation of these cameras.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    Purpose of data processing: protection of property owned by the data controller, prevention and proof of unlawful acts.

    Legal basis for data processing: legitimate interest of the data controller. The data controller has a legitimate interest in protecting the property owned by it, preventing and proving violations at its registered office.

    Scope of processed data: Facial images and other personal data of persons entering the territory of the Ferrata Guesthouse visible in the image recordings. Data provision is automatic upon entering the property.

    Duration of data processing: 3 working days in the absence of use.

    Further information related to data processing: The place of storage of the recording: the office operated by the Data Controller, located at 8419 Csesznek, Wathay Ferenc Str. 55-57. The recordings are stored with enhanced data security measures, ensuring that unauthorized persons cannot view and copy the recordings. Only the designated employee of the Data Controller is entitled to view the current image of the cameras and record them on a data carrier.

    Use of a data processor: for maintenance work and technical assistance during the operation of the camera system, our company uses the help of a service partner, as follows.

    Name of data processor: SynerinSoft Kft.

    Headquarters: 1035 Budapest, Szentendrei út 28. 5. emelet 28.

    Description of the data processing task: Providing the technical tasks necessary for the operation of the camera system.

      1. Guestbook

    The data subject can write an opinion and a comment in the guestbook available on paper at the reception of the Ferrata Guesthouse in parallel with entering his data.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    The purpose of data processing: to enable the data subject to express his or her opinion on the services of the Data Controller in order to improve the quality of the Data Controller’s services, and to communicate with the data subject due to a possible guest complaint.

    Legal basis for data processing: consent of the data subject – Article 6 (1) (a) of the GDPR.

    Scope of processed data: data provided by the data subject, typically: first and last name, address, e-mail address, comment / opinion.

    Duration of data processing: at the request of the data subject, the identification can be terminated by anonymization.

    Further information related to data management: The Data Subject acknowledges that the guestbook may be accessed by other data subjects and third parties, therefore, by using the guestbook, he expressly consents to the access of other data subjects as well as third parties to the data specified in the guestbook. Due to the fact that the Data Controller does not examine the data provided in the guestbook, but makes the guestbook available, the Data Controller does not take responsibility for the use of the guestbook. Accordingly, you should use the guestbook with caution.

      1. Make an appointment

    The Data Controller allows the data subjects to request an appointment from the Data Controller by providing their data detailed below, during which they can personally consult with the Data Controller about its services and other issues.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    Purpose of data processing: to provide an appointment for the data subject and to keep in touch.

    The legal basis for data processing is the consent of the data subject – Article 6 (1) (a) of the GDPR.

    Scope of managed data: first and last name, phone number, e-mail address, time

    Duration of data processing: until the purpose is achieved.

      1. Data processing related to the conclusion of an agreement

    The Data Controller makes the provision of certain of its services subject to the prior conclusion of an agreement as a condition.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    The purpose of data processing: identification of the data subject, provision of an appropriate service to the data subject in accordance with the provisions of the agreement, contact.

    Legal basis for data processing: the processing is necessary for the performance of a contract to which the data subject is a party, or it is necessary to take steps at the request of the data subject prior to entering into a contract – Article 6 (1) (b) of the GDPR.

    Scope of processed data: first and last name, phone number, e-mail address, address, additional data necessary for the conclusion of the agreement, falling within the scope of the content of the contract, subject and content of the service, remuneration, rights and obligations

    Duration of data processing: it lasts until the validity of the rights and obligations arising from the legal relationship in connection with which the Data Controller processes personal data expires, in relation to data that are documented and the document supports the accounting, the duration of data processing is at least 8 years based on Section 169 (2) of Act C of 2000.

      1. Data processing related to bank data

    The Data Controller allows the data subject to pay the price of the products / services by transferring money through the bank, or to provide a bank card guarantee by providing bank card details as security for the services he wants to use.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    The purpose of data processing: to facilitate and control the financial performance on the part of the data subject.

    Legal basis for data processing: the transfer through the bank, and thus the disclosure of the related data to the Data Controller, is based on the consent of the data subject – Article 6 (1) (a) of the GDPR.

    Scope of processed data: name of the account holder, bank account number of the account holder, announcement of transfer, amount of transfer, bank card data (bank card number, name on the card, expiry date)

    Duration of data processing: in relation to identification and contact data, it lasts until the limitation of the rights and obligations arising from the legal relationship in connection with which the Data Controller processes personal data expires, in relation to data that are placed on supporting documents and the document supports the accounting, the duration of data processing is at least 8 years pursuant to Section 169 (2) of Act C of 2000. In the case of bank card data, until the contractual performance has taken place, until the consideration for the services used has been paid.

    Further information related to data processing: In order to preserve bank and business secrets, the Data Controller shall make every effort to ensure that the above data are disclosed only to those Employees for whom this is strictly necessary for the performance of their tasks and who have the appropriate authority to do so. As a bank card guarantee, we only receive and process bank card data through online interfaces that have an appropriate security protocol.

    The activity and process involved in data processing is as follows:

    1. The data subject makes the bank transfer through the channel of his choice and accessible to him, or provides a bank card guarantee by providing his bank card details as security for the services he wants to use.
    2. By making a bank transfer or providing bank card details, the data subject makes the above data available to the Data Controller.
    3. In the case of bank transfers, the Data Controller checks in particular the name, amount and communication data. In the case of a bank card guarantee, the provided data will only be processed if the Data Controller is entitled to charge the card due to a violation of the cancellation conditions set out in the respective GTC, or if the contractual performance or the payment of the services used is made with the prior consent of the data subject on the basis of the card data provided.
    4. The Data Controller may transfer the data of the bank transfer or the bank card payment to the data processor entrusted with the performance of bookkeeping and accounting tasks.

    Engagement of a data processor: our company uses the help of an external service provider to perform bookkeeping and other accounting tasks, as follows.

    Name of data processor: Sárhegyi és Társa Ügyvédi Iroda

    Headquarters: 1022 Budapest, Árvácska u. 6.

    Description of the data processing task: Performing bookkeeping and accounting duties.

      1. Data processing related to events

    The Data Controller organizes numerous events, on its own behalf and on behalf of its partners, and actively participates in the organization of events. We also process personal data within the scope of organizing and holding events.

    Controller of personal data: Cheblon Kft. (8419 Csesznek, Wathay Ferenc Str. 55.)

    The purpose of processing personal data: to transmit information about events, in some cases to document the conduct of the event.

    Legal basis for data processing: prior consent of the data subject – Article 6 (1) (a) of the GDPR

    Scope of processed data: name, delegating business organization, if applicable, portraits of those present at the event and other personal data recorded by the photo or video recording. The processing of this data is necessary, on the one hand, in order to properly identify the registrants and, if necessary, to document the conduct of the event visually.

    Duration of data processing: 5 years from the date of data collection.

    Further information related to data processing: By registering for the event, the data subject expressly consents to the processing of his or her personal data by the Data Controller in accordance with the provisions of this information, and, if necessary, to the production of images and videos of him or her, which the Data Controller may use within the retention period without compensation or restriction, exclusively for the purpose of informing about the event.

    Possible consequences of failure to provide data: Data provision is voluntary, in case of non-consent, the data subject will not be able to register for the event.

      1. Other data processing

    We provide information on data processing not listed in this prospectus at the time of data collection. We inform our clients that certain authorities, bodies with a public service mission and courts may contact our company for the purpose of disclosing personal data. Our company will only disclose personal data to these bodies – if the body concerned has indicated the exact purpose and scope of the data – to the extent that is strictly necessary for the purpose of the request and if the fulfillment of the request is required by law.

    1. Method of storing personal data, security of data management

    Our company’s computer systems and other data retention locations can be found at the registered office and on servers rented by the data processor. Our company selects and operates the IT tools used to process personal data in the provision of the service in such a way that the processed data:

    1. are accessible to authorised persons (availability);
    2. have their authenticity and authentication ensured (authenticity of data management);
    3. can be verified as unchanged (data integrity);
    4. are protected against unauthorized access (confidentiality of data).

    We pay special attention to the security of the data, and we also take the technical and organizational measures and establish the procedural rules necessary to enforce the guarantees under the GDPR. In particular, we protect the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage and inaccessibility due to changes in the technology used.

    Both our company’s and our partners’ IT systems and networks are protected against computer-aided fraud, computer viruses, computer intrusions, and denial-of-service attacks. The operator ensures security with both server-level and application-level protection procedures. Data is backed up daily. Our company takes all possible measures to avoid data breaches; in the event of such an incident, we take immediate action, in accordance with our incident management policy, to minimize the risks and repair the damage.

    1. Rights of data subjects, legal remedies

    The data subject may request information about the processing of his or her personal data, as well as the rectification of his or her personal data, or – with the exception of mandatory data processing – its erasure or revocation, and may exercise its right to data portability and objection in the manner indicated at the time of data collection or at the above contact details of the data controller.

    At the request of the data subject, the information will be provided in electronic form without delay, but no later than within 30 days, in accordance with our relevant regulations. Requests by data subjects to fulfil the rights set out below will be fulfilled free of charge.

      1. Right to information:

    Our company takes appropriate measures to provide the data subjects with all the information referred to in Articles 13 and 14 of the GDPR and each information pursuant to Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, in clear and plain language, but at the same time in a precise manner.

    The right to information can be exercised in writing through the contact details provided in point 1. Information may also be provided orally to the data subject upon his or her request, after verifying his or her identity. We would like to inform our clients that if the employees of our company have doubts about the identity of the data subject, we may ask for the information necessary to confirm the identity of the data subject.

      1. Right of access by the data subject:

    The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. Where personal data are being processed, the data subject shall have the right to have access to the personal data and the following information:

      • the purposes of processing;
      • the categories of personal data concerned;
      • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries (outside the European Union) or international organisations;
      • the envisaged period for which the personal data will be stored;
      • the right to rectification, erasure or restriction of processing and the right to object;
      • the right to lodge a complaint with a supervisory authority;
      • information on data sources; the fact of automated decision-making, including profiling, as well as meaningful information about the logic involved, the significance and the envisaged consequences of such processing for the data subject.

    In addition, in the case of a transfer of personal data to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer.

      1. Right to rectification:

    Under this right, anyone may request the rectification of inaccurate personal data processed by our company and the completion of incomplete data.

      1. Right to erasure:

    The data subject shall have the right to obtain from us the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

      • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
      • the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
      • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
      • unlawful processing of personal data can be established;
      • the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
      • the personal data have been collected in relation to the offer of information society services.

    The deletion of data cannot be initiated if the processing is necessary for the following purposes:

    • for the purpose of exercising the right to freedom of expression and information;
    • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for public health or archival, scientific or historical research purposes or statistical purposes in the public interest;
    • or for the establishment, exercise or defence of legal claims.

      1. Right to restriction of processing:

    At the request of the data subject, we restrict the processing under the conditions of Article 18 of the GDPR, i.e. if:

    • the accuracy of the personal data is contested by the data subject, in which case the restriction shall apply for a period enabling the accuracy of the personal data to be verified;
    • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
    • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
    • the data subject has objected to the processing; in this case, the restriction applies to the period until it is established whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

    Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. The data subject shall be informed in advance of the lifting of the restriction of processing.

      1. Right to data portability:

    The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. Our company can fulfill such a request of the data subject in Word or Excel format.

      1. Right to object:

    Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for this purpose.

      1. Automated individual decision-making, including profiling:

    The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right does not apply if the data processing:

          1. is necessary for entering into, or performance of, a contract between the data subject and the controller;
          2. is authorised by Union or Member State law to which the controller is subject and which also lays down appropriate measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
          3. is based on the explicit consent of the data subject.

      1. Right of withdrawal:

    The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

      5.10. Procedural rules:

    The controller shall inform the data subject without undue delay and in any event within one month of receipt of the request of the data subject of the action taken in response to the request pursuant to Articles 15 to 22 of the GDPR. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months. The data controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receipt of the request.

    Where the data subject has made the request by electronic means, the information shall be provided by electronic means, unless otherwise requested by the data subject.

    If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and in any event within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.

    The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the controller shall inform him or her of those recipients.

      5.11. Damages and grievance fees:

    Any person who has suffered material or non-material damage as a result of a breach of the Data Protection Regulation shall be entitled to compensation from the controller or processor for the damage suffered. The data processor shall only be liable for the damage caused by the data processing if it has not complied with the obligations laid down by law, specifically imposed on the processors, or if it has ignored or acted contrary to the lawful instructions of the data controller. Where several controllers or processors, or both the controller and the processor, are involved in the same processing and are liable for the damage caused by the processing, each controller or processor shall be jointly and severally liable for the entire damage.

    The controller or processor shall be exempt from liability if it proves that it is not in any way liable for the event giving rise to the damage.

      5.12. Right to go to court and data protection authority procedure:

    In the event of a violation of his or her rights, the data subject may turn to the court against the data controller. The court shall deal with the case as a matter of priority.

    Complaints can be lodged with the National Authority for Data Protection and Freedom of Information:

    National Authority for Data Protection and Freedom of Information

    Address of the authority: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

    Mailing address: 1530 Budapest, Pf.: 5.

    Phone: +36 (1) 391 1400

    Email: ugyfelszolgalat@naih.hu

    Web: www.naih.hu

    The Data Subject shall also have the right to lodge a complaint with another supervisory authority established in the Member State of the European Union of his or her habitual residence, place of work or place of the alleged infringement.

    In the event of a violation of the rights of minors in relation to offensive, hateful, exclusionary content, correction, rights of a deceased person, reputational damage:

    National Media and Infocommunications Authority

    1015 Budapest, Ostrom u. 23-25.

    Mailing address: 1525. Pf. 75

    Phone: +36 (1) 457 7100

    Fax: +36 (1) 356 5520

    Email: info@nmhh.hu

    1. Other information

    The Data Controller declares that:

    • it reserves the right to change the Prospectus in order to align it with the legal background, the Regulations and other internal regulations that are amended in the meantime.

    Dated: Csesznek, 01.10.2022.

    Nagy Ádám
    manager
    Cheblon Kft.
