Privacy Notice

Dear Guests!

An online booking system is available at www.randevupanzio.hu, through which you have the opportunity to book accommodation at the Randevú Guesthouse.

Please be informed that providing certain personal data, detailed below, is necessary for a successful booking.

In connection with the processing of your data, the data controller hereby informs you about the personal data processed on the website, the principles and practices followed in processing personal data, the organisational and technical measures taken to protect personal data, as well as the ways and possibilities for exercising your rights as data subjects. Please be advised that the recorded personal data will be handled confidentially, in accordance with data protection legislation and international recommendations, and in compliance with this notice.

You are further informed that the legal regulation of personal data processing will fundamentally change as of 25 May 2018, as from that date the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR) becomes mandatorily applicable.

By completing an online booking through the website, you as a user accept the provisions of this Privacy Notice (hereinafter: Privacy Notice).

I. Basic Definitions

• Personal data: any information relating to an identified or identifiable natural person (data subject) that can be associated with them — in particular the data subject’s name, identification number, or one or more characteristics specific to their physical, physiological, mental, economic, cultural, or social identity — as well as any conclusion drawn from such data relating to the data subject.
• Data set: the totality of data managed in a single register.
• Data subject: any natural person who is identified or — directly or indirectly — identifiable on the basis of any information.
• Data processing: the performance of technical tasks related to data management operations, regardless of the method and means used to carry out the operations or the location of application, provided that the technical task is performed on the data.
• Third party: a natural or legal person, or an organisation without legal personality, other than the data subject, the data controller, or the data processor.
• Data protection: the totality of technologies and organisational methods that ensure the integrity, inviolability, usability, and confidentiality of the collected data assets.
• Data protection incident: a breach of data security resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored, or otherwise processed.
• Data management/processing: any operation or set of operations performed on data, regardless of the procedure applied — in particular collection, recording, registration, organisation, structuring, storage, transformation or alteration, use, retrieval, disclosure, transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure and destruction, as well as preventing further use of data, making photo, audio, or video recordings, and recording physical characteristics suitable for identifying a person (e.g. fingerprint, palm print, DNA sample, iris image).
• Data controller: a natural or legal person, or an organisation without legal personality, who or which, independently or jointly with others, determines the purposes of data processing, makes and implements decisions regarding data management (including the means used), or has them implemented by a data processor.
• Data transfer: making data accessible to a specified third party.
• Data erasure: rendering data unrecognisable in such a way that their restoration is no longer possible.
• Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.
• Consent: a freely given, specific, and unambiguous expression of the data subject’s will, based on adequate information, by which the data subject gives their agreement — through a statement or an act expressing confirmation without any doubt — to the processing of personal data relating to them, either in full or for specific operations.

Consent shall also be deemed to have been given if the data subject, while browsing the website or finalising a booking, ticks a checkbox provided for this purpose, makes relevant technical settings, or takes any other statement or action which, in the given context, clearly indicates their consent to the intended processing of their personal data.

• Mandatory data processing: where data processing is ordered by law or — based on authorisation by law, within the scope defined therein — by local government decree, for a purpose based on public interest.
• Publication: making data accessible to anyone.
• Profiling: any form of automated processing of personal data consisting of using such data to evaluate certain personal aspects relating to a natural person — in particular to analyse or predict aspects relating to job performance, financial situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

II. Name and Contact Details of the Data Controller

Name of data controller: Nagy Ferenc EV. Address: 9400 Sopron, Vitnyédi u. 21. Phone number: 06 20 931 3891 Email address: randevu@randevupanzio.hu

III. Purpose of Data Processing

The data controller processes Guests’ personal data for the following purposes:

• Primarily, certain personal data detailed below are required in order to make a booking at the Guesthouse.
• Your personal data are also needed for issuing an invoice for the accommodation.
• Providing your personal data is also important for communication related to your booking, so that we can inform you should any significant circumstances arise that you need to be aware of.

IV. Legal Basis for Data Processing

The data controller processes guests’ personal data on the following legal bases:

• For the purpose set out in Section III(a): Article 6(1)(b) of the GDPR, namely the performance of a contract to which the Guest, as the data subject, is a party.
• For the purpose set out in Section III(b): Article 6(1)(c) of the GDPR, namely compliance with a legal obligation applicable to the data controller — specifically the obligation to prepare records and issue invoices.
• For the purpose set out in Section III(c): Article 6(1)(a) of the GDPR, in order to be able to properly inform the Guest about significant circumstances arising from the contractual relationship.

Should the need arise to process data for any purpose or on any legal basis other than those listed above, the data controller is obliged to inform the data subject individually, prior to the commencement of such processing, of all relevant information and of their related rights.

V. Categories of Data Processed

Use of the online booking interface on the data controller’s website does not require separate registration; however, the following personal data must be provided to complete a booking:

• Name (surname and given name)
• Phone number
• Email address
• Billing address

VI. Duration of Data Processing

With regard to the Guest’s phone number and email address, data processing begins at the time the booking date is provided and the data will be deleted following the Guest’s departure from the Guesthouse.

With regard to the Guest’s name and billing address, data will be processed for the period prescribed by the Accounting Act — 8 (eight) years — after which the data controller will destroy them.

VII. Data Security

The data controller takes all necessary steps to ensure the security of the personal data provided by Guests, both within the network system and during storage and safekeeping.

The booking system operating through the data controller’s website is hosted on an external, protected hosting service, and the hosting provider has no access to the data stored therein. The data controller carries out all work processes on a password-protected and antivirus-protected computer.

VIII. Guests’ Rights and Legal Remedies

1. The Guest is entitled to receive confirmation from the data controller as to whether their personal data are being processed, and if so, to receive information about the data being processed and all relevant information related to the processing.
2. The Guest may request that the data controller correct any inaccurate personal data relating to them without undue delay. Taking into account the purposes of processing, the Guest may also request the completion of incomplete personal data.
3. You may request the erasure of your personal data, unless the processing is necessary for compliance with a legal obligation of the data controller or for the establishment, exercise, or defence of legal claims. The data controller shall erase personal data without undue delay if the processing is unlawful, the data are incomplete or inaccurate, the purpose of processing has ceased or the storage period has expired, a court or authority has ordered their deletion, or erasure is necessary to fulfil a legal obligation applicable to the data controller.
4. Where the data controller processes personal data based on the data subject’s consent, the data subject may withdraw that consent. If there is no other legal basis for the processing, the data controller shall erase the personal data affected by the withdrawn consent.
5. The Guest is entitled to request that the data controller restrict processing where:
   • the Guest disputes the accuracy of the personal data — for the period necessary to verify accuracy;
   • the processing is unlawful but the Guest opposes erasure and requests restriction of use instead;
   • the data controller no longer needs the personal data for processing purposes but the data subject requires them for the establishment, exercise, or defence of legal claims; or
   • the data subject has objected to processing carried out on grounds of public interest or the legitimate interests of the data controller or a third party.
   During the period of restriction, the data controller may not use personal data for any purpose other than storage.
6. When the Guest exercises their rights, the data controller shall examine the request, take the necessary measures, and inform the Guest of these measures — or the reasons for not taking them — within one month of receiving the request.
7. Legal Remedies:

The Guest may submit a request relating to data processing to the data controller at the address or email address provided in Section II.

In the event of an infringement of their rights, the data subject may apply to the court having jurisdiction over the data controller’s address, or — at their choice — over their place of residence or, in the absence thereof, their place of stay, and may bring legal proceedings.

The Guest may also lodge a complaint with the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, address: 1125 Budapest, Szilágyi Erzsébet Fasor 22/c.; hereinafter: NAIH) and initiate an investigation on the grounds that a violation has occurred, or that there is an imminent risk of a violation, in connection with the processing of their personal data.