Privacy policy
Your data is safe with us!
Data Processing Notice
1. Identification of the data controller
Operator: Dr. Horváth Kinga
Address: 1037, Budapest, Vadóc utca 21184.
Address of accommodation: 1037, Budapest, Vadóc utca 21184
Phone: +3670/5846004
E-mail: hello@vendeghazahegyen.hu
Website: www.vendeghazahegyen.hu
(hereinafter referred to as “the Data Controller”).
The person and contact details of the Data Protection Officer are the same as those of the Operator.
2. Legislation applicable to data processing, scope of the information notice
2.1. The Data Controller provides its services from Hungary. Accordingly, Hungarian and European law shall apply to the provision of the service and to the processing of personal data of users during the course of using our services. The following laws shall apply to the activities of the Controller in relation to the processing of personal data:
– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as GDPR),
– Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Infotv.”),
– Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: Act on electronic commerce services and information society services),
– and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions on Commercial Advertising Activities (hereinafter referred to as “Act XLVIII”).
2.2. This notice applies to the processing of data during the use of the website https://vendeghazahegyen.hu/ (hereinafter referred to as the “Website”) and the services available there.
2.3. For the purposes of this Policy, User means a natural person browsing the Website or using its services. Services available on the Site:
– request for proposal,
– booking,
– subscribe to the newsletter
– purchase of gift vouchers
2.4. The dates and times indicated in the brochure are to be understood as working days within Hungary.
3. Legal basis for processing
3.1. The legal basis for the processing carried out by the Data Controller is the consent of the User pursuant to Article 6(1)(a) of the GDPR for certain processing operations and Article 6(1)(b) of the GDPR for processing operations related to a reservation, which is necessary for the performance of a contract to which the data subject is a party.
3.2. In the case of processing based on consent, the data subject gives his/her consent by ticking the box in front of the data processing statement in the relevant places. The data subject can read the privacy policy at any time by activating the link marked “Privacy Policy” at the bottom of each page of the website or the link marked “Privacy Policy” in the privacy policy referred to in this point, whereby the Data Controller ensures that the data subject is provided with clear and detailed prior information. By ticking the checkbox in front of the privacy statement, the data subject declares that he/she has read the privacy policy and, being aware of its contents, consents to the processing of his/her personal data as described in this privacy policy.
3.3. In certain cases, the Data Controller may be required by law to carry out certain processing operations or may have a legitimate interest as a legal basis for processing the data. You can read more about these below in the chapters on specific processing operations.
4. Data processing related to the request for an offer
4.1. Data subjects: persons (natural/legal) requesting an offer from the Data Controller by filling in and sending the form made available on the website for the purpose of requesting an offer.
4.2. Legal basis for processing: article 6(1)(b) of the GDPR, which states that processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. When sending the request for an offer, the data subject will be informed that the personal data provided will be processed by the Data Controller solely for the purpose of making the offer.
4.3. Definition of the scope of the data processed:
The data subject’s:
– Last name,
– First name,
– telephone number,
– e-mail address,
and details of your offer request:
– chosen accommodation,
– the content of the offer chosen
– the planned date of arrival at the accommodation,
– planned number of nights stayed,
– the number of adults staying there,
– number of children staying,
any other information that the data subject may provide as additional information.
With regard to the additional data which the data subject may provide in the request for an offer and which are not necessary for the offer, the Data Controller will only process the data when receiving the message sent but will not ask the data subject to provide any personal data which may be provided there and which are not necessary for the offer. When such unexpected personal data is provided, the Controller shall not store the unexpected personal data.
4.4. Purpose of data processing: to enable the data subject to request an offer from the Data Controller and to make an offer to the data subject.
The purpose of processing the data subject’s personal data is to identify the data subject. Your telephone number will be used by the Data Controller if clarification or further consultation is required for the offer. The offer will be sent to the data subject’s e-mail address. The data concerning your request are necessary to compile the offer.
4.5. Duration of data processing: the Data Controller processes the data contained in the offer until the date indicated in the response to the request for an offer – until the offer is valid. In case the accommodation service is not used, the Data Controller shall delete the data immediately after having established this.
4.6. Method of storage of data: in a separate processing list in the IT system of the Data Controller.
4.7. If the request results in a reservation, the legal basis, purpose and duration of the processing will be as described in section 5 (Reservation-related data processing).
5. Reservation-related data processing
5.1. Data subjects: persons (natural/legal) who make a booking request by filling in the booking form and data sheet available from the booking form on several pages of the website and submitting the booking request through the online system of the Data Controller.
5.2. Legal basis for processing: article 6(1)(b) of the GDPR, which states that processing is necessary for the performance of a contract to which the data subject is a party. The data subject will be informed when sending the reservation that the personal data provided in connection with the reservation will be processed by the Data Controller for the purposes of the performance of the accommodation service contract resulting from the reservation.
5.3. Definition of the scope of the data processed:
The data subject’s:
– Last name,
– First name,
– Phone number,
– e-mail address,
and the details of your request:
– accommodation chosen
– the planned date of arrival at the accommodation,
– planned date of departure from the accommodation,
– planned number of nights stayed,
– number of room(s) selected, capacity and type of person
– number of adults staying,
– number and age of children staying,
– the content of the offer(s) chosen
– payment method and amount payable,
any additional information that the data subject may provide as other comments.
In the case of payment by credit card or online payment, the data of the credit card used for the payment will not be known to the Data Controller but will be provided by the data subject directly to the payment service provider.
However, the Data Controller receives the following data provided by the data subject to the payment service provider during the payment transaction:
The data subject’s:
– Last name,
– First name,
– Name, surname, first name, first name, last name and address.
The source of the above data is therefore the payment service provider (for more information see Chapter 6).
5.4. Purpose of the data processing: the conclusion and performance of the contract resulting from the reservation.
The conclusion of the contract and the conclusion of the reservation:
– Provision of the booked accommodation service,
– Provision of the booked accommodation, the provision of the booked services, the provision of the requested care/additional services.
The purpose of processing the data subject’s personal data is to identify the data subject. Your telephone number will be used by the Data Controller in case of clarification or further consultation of the reservation. A confirmation of the reservation will be sent to the data subject’s e-mail address. The data concerning your request are necessary to ensure the provision of accommodation services and appropriate care.
5.5. Duration of data processing: the Data Controller shall keep the receipts containing the data required for the fulfilment of the obligation to keep the supporting documents (name, address, invoice data of the service used, price) for at least 8 years from the date of issue of the receipt, after which the data carriers shall be deleted within one year.
Further data processed in connection with the reservation, including messages with relevant content related to the reservation, shall be kept by the Data Controller until 5 years from the date of confirmation of the reservation (conclusion of the contract), the general limitation period applicable to civil law claims.
5.6. Method of storage of the data: in a separate data management list in the IT system of the Data Controller and on accounting documents necessary for the proper accounting in order to fulfil the obligation to keep records required by the Act on Accounting.
6. Data transmission in connection with online payment (in case of booking/purchase)
(Currently not available for direct bookings.)
7. Data processing related to the sending of newsletters
7.1. Data subjects: persons (natural/legal) who subscribe to the newsletter by filling in the subscription fields on the website and clicking on the “Subscribe” button, and then clicking on the link in the confirmation e-mail sent to their e-mail address.
7.2. Legal basis for processing: article 6 (1) (a) GDPR and Article 6 (1) and (2) of the GDPR. Voluntary consent is given by the data subject by clicking on the link in the confirmation e-mail sent to his/her e-mail address requesting consent to subscribe to the newsletter. By doing so, the data subject declares that he or she consents to the processing of his or her data in accordance with the provisions of the Privacy Policy and to the sending of newsletters.
In addition to sending useful information, the newsletter service also aims at direct marketing by the Data Controller. The data subject may subscribe to this service independently of the use of other services. The use of this service is voluntary and based on the data subject’s decision after having been duly informed. If the data subject does not use the newsletter service, he/she will not be disadvantaged in the use of other services of the Data Controller. The Data Controller does not make the use of its direct marketing service a condition for the use of any of its other services.
7.3. Defining the scope of the data being processed:
– Name
– e-mail address.
7.4. Purpose of processing: sending newsletters by the Data Controller to the data subject by e-mail. The sending of newsletters means sending information about the Controller’s services, news and updates, attention-grabbing offers, promotional content.
7.5. Duration of data processing: the Data Controller shall process the data processed for the purpose of sending the newsletter until the data subject’s consent is withdrawn (unsubscribe) or the data is deleted at the data subject’s request.
7.6. Method of storage of the data: in a separate processing list in the IT system of the Data Controller.
8. Data processing related to receiving and replying to a message
8.1. Data subjects: persons (natural/legal) who send messages to the Data Controller using the e-mail addresses indicated on the website.
8.2. Legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) of the GDPR.
8.3. Definition of the scope of the data processed:
The data subject sending the e-mail message:
– Last name,
– First name,
– E-mail address,
– Any additional information that the data subject may provide in the message.
The Data Controller will only process the additional data that the data subject may provide in the message if such additional data are necessary to reply to the message. Otherwise, the Data Controller shall not ask the data subject to provide any additional data other than those mentioned above, shall not store any data not necessary for replying to the message, and shall delete them from its IT system without delay.
8.4. Purpose of processing: to enable the data subject to exchange messages with the Data Controller.
8.5. Duration of processing: the Data Controller shall delete the data processed for this purpose in the event of withdrawal of consent, but no later than 30 days after the message has been answered/request has been fulfilled. If the exchange of information takes place through several messages on related subjects, in that case the Data Controller shall delete the data 30 days after the end of the exchange of information.
If the exchange of messages results in a reservation or an order and the content of the messages is relevant to the contract, the legal basis and duration of the processing is as described in section 5 (processing in connection with a reservation/online purchase).
8.6. Method of storage of data: in a separate processing list in the IT system of the Data Controller.
9. Technical processing related to the provision of an IT service
9.1. The Data Controller uses cookies for the operation of the website and to collect technical data about visitors to the website.
9.2. The Data Controller provides separate information on the data management implemented by cookies: information on the use of cookies.
10. Use of a data processor
10.1 Developers/operators of the management software used for reservations
10.1.1. The data subjects concerned by the processing of the data are the persons (natural/legal) who submit a reservation in the online system.
10.1.3. Definition of the scope of the data concerned by the processing: the processing concerns all the data specified in this notice.
10.1.4. Purpose of using a data processor: to ensure the operation of the management software in the information technology sense.
10.1.5. Duration of processing: the same as the processing periods indicated in the processing operations governed by the purposes of the processing for each of the categories of data covered by this notice.
10.1.6. Nature of the processing: processing of data means processing operations carried out solely in the course of the information technology services necessary to ensure the proper functioning and development of the management software.
10.2. Data processing related to the production of invoices
10.2.1. Data subjects concerned by the processing: persons (natural/legal) who make online purchases on the website.
10.2.2. The Data Controller uses the following service provider as a data processor in connection with the software used to generate invoices for the payment of the costs related to the order/reservation:
Abbreviated name: KBOSS.hu Kft.
Company registration number: 01-09-303201
Tax number: 13421739-2-41
Registered office: 1031 Budapest, Záhony utca 7.
Contact: https://www.szamlazz.hu/szamla/kapcsolat
Website: https://www.szamlazz.hu/
(hereinafter referred to as “Data Processor”).
10.2.3. Definition of the scope of the data processing: the data processing concerns the billing name and address (possibly tax number) of the Data Subject, as well as the indication of the product/service requested, the date of purchase and the purchase price, possibly other data concerning charges.
10.2.4. Purpose of the processing: to ensure the operation of the software used by the Data Controller for issuing invoices in the information technology sense, by means of data processing consisting of technical operations necessary for the secure operation of the software.
10.2.5. Nature of the processing: the processing of the data consists exclusively of the technical operations necessary for the operation of the software used to issue the invoice in an IT sense.
10.3. The Data Controller does not transfer data to third parties for business or marketing purposes.
10.4. In addition to the above, the Data Controller shall only transmit data to public authorities in the event of a legal obligation.
10.4. No other processing of data will take place.
10.5. Data Processors have no interest in the business activities of the Data Controller.
10.6. The Data Controller does not use any other data processors other than the Data Processors indicated above.
11. Data protection, data security
11.1. The Data Controller shall ensure the security of the data in its data management activities and shall ensure the enforcement of legal provisions and other data protection and confidentiality rules by technical and organisational measures and internal procedural rules. In particular, it shall take appropriate measures to protect the processed data against unauthorised access, alteration, disclosure, erasure or destruction, accidental destruction or accidental damage, and against inaccessibility resulting from changes in the technology used.
11.2. The data will be processed only for the legitimate purposes described in this notice and only to the extent necessary and proportionate for those purposes, in accordance with the applicable laws and recommendations, and with appropriate security measures.
11.3. To this end, the Data Controller uses the HTTPS protocol for access to the website, which allows web communication to be encrypted and uniquely identified. In addition, as described above, the Data Controller stores the processed data in encrypted data files, which are stored in separate processing lists for each processing purpose, to which access is granted to specific employees of the Data Controller, who are responsible for the protection of the data and for their responsible processing in accordance with this Policy and the applicable laws.
11.4. In the contracts concluded with the data processors, the Data Controller shall oblige the data processors to ensure a level of data security and lawful processing of data in accordance with the law.
12. Rights of the User in relation to data processing
12.1. Right to information
12.1.1. Upon reading the Privacy Policy, the data subject may at any time obtain information about the data processing. At the data subject’s request, information may also be provided orally, provided that the data subject’s identity has been verified by other means. The data subject may request information during and after the period of his/her involvement with the processing. The information shall also cover all relevant details of the processing and the way in which the data subject exercises his or her rights. Upon request, the Data Controller shall also inform the data subject of the measures taken in response to the data subject’s requests or the reasons for not taking such measures, indicating the forums available for lodging a complaint.
12.1.2. The provision of information is free of charge. If the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller shall, subject to the administrative costs of providing the requested information or taking the requested action:
(a) charge a reasonable fee; or
(b) refuse to act on the request.
12.1.3. The Data Controller shall provide the information as soon as possible (without undue delay) after the request is made, but no later than one month.
12.2. Right of access
12.2.1. The data subject has the right to access the data processed about him/her. In the event of such a request, the Controller shall inform the data subject whether or not personal data concerning the data subject are being processed and of all relevant circumstances relating to the specific processing.
12.2.2. Under the right of access, the User may request a copy of the personal data processed by the Data Controller, which the Data Controller shall provide to him/her free of charge for the first time. For subsequent copies, the Controller may charge a reasonable fee based on administrative costs.
12.2.3. The copy shall be provided by the Controller in a commonly used electronic format, unless the User requests otherwise.
12.2.4. The Data Controller shall provide access as described above as soon as possible (without undue delay) after the request is made, but no later than one month.
12.3 Right to rectification
12.3.1. The User shall have the right to have inaccurate personal data concerning him/her corrected by the Data Controller without undue delay upon his/her request.
12.3.2. Taking into account the purpose of the processing, the User has the right to request the completion of incomplete personal data, including by means of a supplementary statement.
12.3.3. At the User’s request, the Data Controller shall correct or, in justified cases, supplement inaccurate personal data concerning the User without undue delay.
12.4. Right to erasure
12.4.1. The User shall have the right to obtain from the Data Controller the erasure of personal data relating to him or her without undue delay, and the Data Controller shall be obliged to erase personal data relating to the User without undue delay, if one of the following grounds applies:
(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
(b) the User withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing (of the processing covered by this notice, only the processing based on consent as described in the following chapters):
- Data processing related to the sending of newsletters;
- processing related to receiving and replying to a message;
- technical processing based on consent, related to ensuring the functioning of an information technology service;
(c) the User objects to the processing and there are no overriding legitimate grounds for the processing (of the processing covered by this notice, only the processing based on legitimate interest as described in the following chapters):
- Transmission of data in connection with online payments;
- technical processing based on legitimate interest related to the provision of an information technology service;
(d) unlawful processing of personal data;
(e) the personal data must be erased in order to comply with a legal obligation under European Union or Member State law to which the controller is subject.
12.4.2. The Data Controller is not obliged to delete data necessary for the establishment, exercise or defence of legal claims, even if the User so requests, nor is the Data Controller obliged to delete data whose processing is necessary for the protection of the vital interests of the User or other natural persons or for the performance of an obligation under Union or Member State law applicable to the Data Controller. However, the Data Controller shall delete the data without request after the retention period has expired as a general rule.
12.5. Right to restriction of processing
12.5.1. At the User’s request, the Data Controller shall restrict the processing if one of the following conditions is met:
(a) the User contests the accuracy of the personal data, in which case the limitation shall apply for the period of time that allows the Controller to verify the accuracy of the personal data;
(b) the processing is unlawful and the User opposes the erasure of the data and requests instead the restriction of their use;
(c) the Controller no longer needs the personal data for the purposes of processing, but the User requires them for the establishment, exercise or defence of legal claims;
(d) the User has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate interests of the Controller prevail over the legitimate interests of the User (of the processing subject to this notice, only the processing based on legitimate interest as described in the following chapters):
- Transmission of data in connection with online payments;
- technical processing based on legitimate interest related to the provision of an information technology service;
12.5.2. If the processing is restricted, such personal data shall be processed by the Controller only with the consent of the User, except for storage, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or of a Member State.
12.5.3. The Data Controller shall inform in advance the User who has contested the accuracy of the personal data and on this basis the processing has been restricted, of the lifting of the restriction of processing.
12.6. Obligation to notify the rectification or erasure of personal data or the restriction of processing.
The Data Controller shall notify the User of the rectification, restriction or erasure, as well as the recipients to whom the data was previously disclosed. Notification may be omitted if it proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the User of these recipients.
12.7 Right to data portability
12.7.1 The User shall have the right to receive the personal data concerning him/her which he/she has provided to the Controller in a structured, commonly used, machine-readable format, and the right to transmit such data to another controller without hindrance from the controller to which he/she has provided the personal data, if:
(a) the processing is based on the consent of the User or on a contract entered into with the User; and
(b) the processing is carried out by automated means.
12.7.2 Of the data processing operations covered by this notice, the data processing operations described in the following chapters comply with the above conditions, and therefore the right to data portability may be exercised in relation to them:
(a) carried out on the basis of consent:
- Processing related to the sending of newsletters;
- processing related to receiving and replying to a message;
- technical processing carried out on the basis of consent and related to the provision of an information technology service;
(b) processing carried out on the legal basis of necessity for the performance of a contract with the User or for the taking of steps at the request of the User prior to the conclusion of such a contract:
- processing related to the request for a quote;
- processing related to a booking;
12.7.3. In the exercise of the right to data portability as set out above, the User shall have the right to request the direct transfer of personal data between data controllers, if technically feasible.
12.8. Right to object
12.8.1. The User may at any time object to the processing of his/her personal data on the basis of legitimate interest for reasons relating to his/her particular situation.
12.8.2. In this case, the Data Controller may continue to process the personal data only if it proves that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the User or are related to the establishment, exercise or defence of legal claims.
12.8.3. Among the data processing subject to this notice, the User may exercise his/her right to object to the processing described in the following chapters on processing based on legitimate interest:
- Transmission of data in connection with online payments;
- technical processing based on legitimate interest related to the provision of an information technology service.
13. Complying with User requests
13.1. The Controller shall provide the information and take the measures referred to in point 12 free of charge. If the request of the User concerned is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller shall, taking into account the administrative costs of providing the requested information or of taking the requested action:
(a) charge a reasonable fee; or
(b) refuse to act on the request.
13.2. The Data Controller shall inform the User of the measures taken in response to the request, including the provision of copies of the data, without undue delay, but no later than one month from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the User of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request. Where the User concerned has submitted his request by electronic means, the information shall be provided by the Data Controller by electronic means, unless the User concerned requests otherwise.
13.3. If the Data Controller fails to act on the request of the User concerned, the Data Controller shall inform the User without delay, but no later than one month from the receipt of the request, of the reasons for the failure to act and of the right of the User concerned to lodge a complaint with the supervisory authority referred to in point 14 and to exercise his/her right to judicial remedy as provided for in the same point.
13.4. The User may submit requests to the Data Controller by any means that allows the identification of the User. The identification of the User submitting the request is necessary because the Data Controller can only grant requests to those who are entitled to do so. If the Data Controller has reasonable doubts about the identity of the natural person submitting the request, it may request additional information necessary to confirm the identity of the User concerned.
13.5. If the User wishes to submit his/her request by post, he/she may send it to the Data Controller’s address at 1037, Budapest Vadóc utca 21184, or electronically by e-mail to hello@vendeghazahegyen.hu. Requests sent by e-mail shall be considered as authentic by the Data Controller only if they are sent from the e-mail address provided by the User to the Data Controller and registered there, however, the use of another e-mail address shall not constitute a disregard of the request. In the case of e-mail, the date of receipt shall be deemed to be the first working day following the sending of the request.
14. Enforcement
14.1 Any complaint regarding the processing of User’s data may be addressed to the Data Controller or its Data Protection Officer, in particular by contacting: Dr. Kinga Horváth
E-mail address: hello@vendeghazahegyen.hu
Postal address: Hungary, 1037, Budapest, Vadóc utca 21184.
14.2. The User may exercise his/her rights before a court of law and may also apply to the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information.
Address.
Postal address: 1363 Budapest, Pf. 9.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Website: http://www.naih.hu/
In the event of a court proceeding, the action may be brought before the court of the User’s domicile or residence, at the choice of the User concerned. The court shall have jurisdiction to hear the case.
1 June 2022.
Annex 1
to its privacy statement in relation to the use of the https://vendeghazahegyen.hu/ website
Interest assessment for the transfer of data related to online payment
- Reason for transfer, identification of legitimate interest
1.1. The purpose of the data transmission is to operate the so-called fraud monitoring (a fraud detection system supporting the control of electronically initiated payment transactions), to confirm transactions and to enable the performance of additional tasks that may be necessary to ensure the effectiveness of the payment.
1.2. When paying online with a debit card and OTP SZÉP Card (recipient: OTP Bank Plc.), the User provides the data of the debit card or SZÉP Card used for payment directly to the payment service provider on its online interface, to which the User is redirected at the end of the booking/ordering process. At the same time, in order to prevent and detect fraud and misuse of credit cards or SZÉP Cards, and to perform any additional tasks that may be necessary for the payment service provider (hereinafter referred to as the “Recipient”) to ensure the effectiveness of the payment, and to confirm transactions, the Data Controller shall transmit additional data to the payment service provider. Overall, the transfer of data is necessary for the secure online payment process and the operation of the fraud prevention system.
1.3. The Recipient is obliged to operate a fraud prevention and detection system in connection with the provision of the payment service and is entitled to process the personal data required for this purpose. The Recipient has established a system in accordance with its legal obligations, the operation of which requires the transfer of data by the Data Controller. Accordingly, it is in the legitimate interest of the Recipient to be able to operate the fraud prevention and detection system in order to fulfil its legal obligation. The legal provisions referred to, which apply to the Recipient, are:
– Article 165(5) of Act CCXXXVII of 2013 on Credit Institutions and Financial Undertakings,
– Article 92/A(3)(f) of Act CCXXXV of 2013 on certain payment service providers,
– Article 14(1)(v) of Act LXXXV of 2009 on the provision of payment services.
1.4. The transmission of data is necessary for the operation of the fraud prevention and detection system.
1.5. With regard to the above, the Data Controller shall indicate the legitimate interest of the Recipient as the legal basis for the processing of the data.
1.6. The main source of revenue for both organisations is linked to the proper functioning of the payment service.
- The necessity of the data processing
2.1 The operation of the fraud prevention and detection system is a legal obligation of the Recipient, but the details of the design and operation of the system are not specified in the legislation.
2.2. The Recipient has established the necessary system to comply and to achieve the purpose set out in the legislation, but the transmission of data is essential for its operation, without such transmission the Recipient would not be able to fulfil its legal obligation.
2.3. The transmission of data allows fraud to be detected and any obstacles to the payment process to be removed.
2.4. If the Data Controller does not transmit to the Recipient the data necessary for the operation of the system, the Recipient cannot fulfil its legal obligation and would therefore not be able to cooperate with the Data Controller.
2.5. Without the transmission of the data, the interests of the User are also at risk, in terms of possible misuse of the credit card or debit card data.
2.6. The transfer of data is necessary to achieve the purposes described herein and is also suitable to make the payment service more secure.
- Determining the interests of the data subject and the effects of the transfer on him or her
3.1. Scope of data to be transferred:
The following data relating to the payment transaction:
To OTP Bank Plc. in case of payment by credit card:
– Foreign currency (HUF/Euro),
– (Hungarian / English / German),
– in Hungarian, English, French and German, as the title: ‘online reservation’,
– name of the accommodation concerned by the reservation,
– unique identifier of the transaction,
– amount to be paid,
– name of the booking, name of the reservation, payment method.
3.2. Based on the unique identifier of the transaction, this data is also linked to the data provided by the User at the Recipient’s premises, so that conclusions can be drawn about the User, in particular with regard to the use of services and spending habits.
3.3. In addition, it is in the User’s interest to prevent fraud, in particular the misuse of credit card and SZÉP Card data.
3.4. The transfer of data also benefits the User in that it facilitates the confirmation of transactions in the cooperation between the Data Controller and the Recipient, which results in a faster and more flexible processing of transactions initiated by the User.
3.5. The User’s interest is the free exercise of his/her right of informational self-determination and the right to control his/her personal data, and his/her interest in respecting them.
3.6. The User also has an interest in the protection and respect of the conclusions that can be drawn from the data relating to payment transactions and payment habits.
3.7 The data processed by the User during online payment will be transmitted through an electronic channel ensuring encrypted data traffic, exclusively to the Recipient and only in the case of online payment by credit card or SZÉP Card, which will not be used by the Recipient for any other purpose. It follows from the above that the data transfer does not entail any significant risk for the Recipient, nor does it have any further appreciable effect on him.
- Safeguards built into the data processing process to protect the rights of data subjects and to ensure proportionate restriction of rights
4.1. The data transmitted will not be evaluated for purposes that would lead to conclusions about the User and his/her habits.
4.2. The data will not be disclosed to any other person.
4.3. Only the IT staff in charge of the website and the mobile application and the external Data Processor in charge of the development and maintenance of the application may access the data at the Data Controller.
4.4. The Data Controller has committed the Data Processor in a written contract to guarantee adequate data security and to process data in compliance with data protection legislation.
4.5. The Data Controller has also informed the User in advance about the data transfer by means of the data processing information provided to the User during the registration in the online system.
4.6. The Users may rely on the prior information with regard to the purpose and nature of the data processing, as it is closely related to the use of the online booking/payment system.
- Comparing interests
5.1. The legitimate interest pursued by the Data Controller is a prerequisite for the legitimate operation of the Recipient. If the Data Controller does not transmit the data to the Recipient, the latter cannot fulfil its legal obligations.
5.2. The online payment method cannot be provided without the transmission of the data for the above reasons.
5.3. The availability and secure operation of online payment as a payment option is in the interest of the User, the Data Controller and the Recipient.
5.4. Subject to the guarantees set out above, the Data Controller considers the transfer of data in connection with online payment to be justified, necessary and proportionate for the purpose of enforcing the legitimate interests of the Recipient.
NTAK’s privacy policy is available here: https://info.ntak.hu/adatkezelesi-tajekoztato-ntak
March 2024
