Privacy statement

1.INTRODUCTION:

The operator of the hotelarpad.hu website is Árpád Kft. (headquarters: 2800, Tatabánya, Fő Tér 20. company registration number: 11 09 002730, hereinafter: as Data Controller or Árpád Kft.) informs Users about data processing related to the website and the services it provides in accordance with Act CXII of 2011 on the right to informational self-determination and freedom of information, as well as Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR).

The Data Controller recognizes the content of this data processing information as binding. The Data Controller considers it particularly important to respect the right to informational self-determination of users and all other Data Subjects, therefore handles personal data confidentially and takes all measures to ensure data security.

During its data processing activities, the Data Controller complies with the guidelines of the National Authority for Data Protection and Freedom of Information, as well as the applicable laws related to data processing, particularly the following:

Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (Eker. Act),
Act C of 2003 on electronic communications (Eht),
Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv),
Act XLVIII of 2008 on the basic conditions and certain restrictions of economic advertising activities (Grt)

Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR),
Act C of 2000 on accounting (Számv. Act)

DEFINITIONS:

2.1. Website: the totality of content and services available under the hotelarpad.hu domain, where Users can obtain information about the activities of the Data Controller.

2.2. Data Subject: a natural person identified or identifiable during data processing. Users visiting the Website and all those whose personal data is processed by the Data Controller.

2.3. User: a person using the internet interface. Persons under the age of 16 may only register with the consent of a parent or guardian.

2.4. Personal data: any information relating to the Data Subject. A natural person who can be identified directly or indirectly, particularly by an identifier such as: name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2.5. Data processing: any operation or set of operations performed on data, regardless of the applied procedure, including collection, recording, organization, storage, alteration, use, transmission, disclosure, alignment or combination, restriction, deletion, and destruction of data, as well as preventing further use of the data.

2.6. Data Controller:

Árpád Kft. (headquarters: 2800, Tatabánya, Fő Tér 20. company registration number: 11 09 002730, hereinafter: as Data Controller or Árpád Kft.)

, who determines the purpose of data processing, makes and executes decisions regarding data processing, or has it executed by a data processor appointed by them.

2.7. Data processing: performing technical tasks related to data management operations, regardless of the methods and tools used for the execution of the operations, as well as the location of the application.

2.8. Data processor: the natural or legal person, or organization without legal personality, who or which processes personal data on behalf of the Data Controller.

2.9. Consent: the voluntary, specific, informed, and unambiguous indication of the data subject's wishes, by which the data subject signifies agreement to the processing of personal data concerning them, through a statement or a clear affirmative action.

2.10. Data transfer: when the data is made accessible to a specific third party.

2.11. Disclosure: when the data is made accessible to anyone.

2.12. Data deletion: rendering the data unrecognizable in such a way that its restoration is no longer possible.

2.13. Data destruction: the complete physical destruction of the data or the data carrier containing it.

2.14. Objection: the statement of the data subject in which they object to the processing of their personal data and request the termination of the data processing and the deletion of the processed data. In this case, the Data Controller may no longer process the personal data, unless it demonstrates that the processing is justified by compelling legitimate grounds which override the interests, rights, and freedoms of the data subject, or which relate to the establishment, exercise, or defense of legal claims.

2.15. Data storage: making it permanently or for a specified period impossible to transfer, access, disclose, transform, alter, destroy, delete, link, or coordinate and use the data.

2.16. Third party: the natural or legal person, or organization without legal personality, who or which is not the data subject, the Data Controller, or the Data Processor.

2.17. Profiling: the automated processing of personal data, which is used to evaluate, analyze, or predict certain characteristics related to a natural person.

2.18. Data processing information: considering that a contract is established between the data subjects and the Data Controller through the use of the Data Controller's services, the purchase of its products, the visit to the Website, and the contact made on the Website, the Data Controller informs the data subjects about the personal data processing related to this contract with this data processing information. The Data Controller reserves the right to modify this data processing information within 15 days and publish it on the Website if there is a substantial change in the data processing.

The Data Controller informs the data subjects that by entering into a contract with the Data Controller, accessing the Website, registering, or using its functions, they acknowledge the contents of this Data Processing Information without any further legal declaration.

OUR DATA PROCESSING

The data processing of Árpád Kft. can take place on the legal bases provided by Article 6(1) of the GDPR as follows:

according to point a), the data subject has given their consent after being informed (hereinafter: Consent) to the processing of their personal data for one or more purposes.

according to point b), the data processing is necessary for the performance of a contract (hereinafter: Performance of the Contract) in which the data subject is one of the parties or for taking steps at the request of the data subject prior to entering into the contract.

according to point c), the data processing is necessary for compliance with a legal obligation to which the Data Controller is subject (hereinafter: Legal Obligation).

according to point d), the data processing is necessary for the protection of vital interests of the data subject or another person (hereinafter: Vital Interest).

according to point e), the data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (hereinafter: Public Interest).

According to point f), data processing is necessary for the legitimate interests of the Data Controller or a third party (hereinafter: Legitimate Interest).

3.1. Data processing of natural persons contacting the Website

If the Data Subject contacts Árpád Kft. for information regarding the product or any complaint, we will record their name, contact details, and request.

Scope of Data Subjects: private individuals initiating contact with Árpád Kft.

Purpose of data processing: information request, notification, communication

Scope of processed data: name, phone number, email address, and other voluntarily provided data

Legal basis for data processing: consent of the Data Subject according to GDPR Article 6(1)(a).

Source of data: the Data Subjects

Data deletion date: messages and personal data will be deleted after responding to the information request or complaint. If justified for tax, civil law, or accounting reasons, or for the protection of Árpád Kft.'s rights, the data will be retained for 5 years.

Data transfer: none occurs.

3.7. Contact data processing

Scope of Data Subjects: private contacts of the Data Controller's legal entity partners

Purpose of data processing: necessary communication for contract preparation, fulfillment, and legal obligation compliance

Scope of processed data: name, phone number, email address, and other voluntarily provided data

Legal basis for data processing: performance of the contract according to GDPR Article 6(1)(b), and compliance with legal obligations applicable to the Data Controller according to GDPR Article 6(1)(c).

Source of data: the Data Subjects

Data deletion date: 5 years after the termination of the contract; billing data will be deleted 8 years after the termination of the contract.

Data transfer: to the data processor performing accounting and delivery.

RIGHTS OF DATA SUBJECTS, REMEDIES:

They may request information about the processing of their personal data, request correction, and in the case of consent-based data processing, request deletion, restriction, withdrawal, and in certain cases, object to the processing of their personal data.

Right to information:

The Data Controller provides the Data Subject with all information and notifications regarding the processing of personal data in a concise, transparent, clear, and understandable manner. The right to information can be exercised in writing.

Right of access:

The Data Subject has the right to receive feedback from the Data Controller regarding whether their personal data is being processed, what personal data is being processed, for what purpose, for how long, to whom it is disclosed, where it comes from, and what rights they have in this regard.

The Data Controller shall provide the information within 30 days from the submission of the request.

Right to rectification:

The Data Subject may request the rectification of inaccurate personal data concerning them and the completion of incomplete data processed by the Data Controller.

Right to erasure:

The Data Subject is entitled to request the Data Controller to erase personal data concerning them without undue delay if the following grounds apply:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed
the Data Subject withdraws the consent on which the processing is based and there is no other legal ground for the processing,

the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing,
the personal data have been unlawfully processed,
the personal data must be erased for compliance with a legal obligation to which the Data Controller is subject under Union or Member State law.
the collection of personal data was related to the offering of information society services.

Erasure of data cannot be initiated if the processing is necessary for compliance with a legal obligation to which the Data Controller is subject under Union or Member State law or for the establishment, exercise, or defense of legal claims.

Right to object:

The Data Subject has the right to object to the processing of their personal data if it is

necessary for the purposes of legitimate interests pursued by the Data Controller or a third party, including profiling. In this case, the Data Controller may no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or which relate to the establishment, exercise, or defense of legal claims.
if the processing of personal data is for scientific and historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The Data Controller shall examine the objection as soon as possible and inform the Data Subject within 30 days.

Right to restriction of processing:

At the request of the Data Subject, the Data Controller restricts the processing of data if any of the following conditions are met:

the Data Subject disputes the accuracy of the personal data, in this case, the restriction applies for the duration that allows for the verification of the accuracy of the personal data,
the processing is unlawful, and the Data Subject opposes the deletion of the data and instead requests the restriction of its use,
the Data Controller no longer needs the personal data for processing purposes, but the Data Subject requires it for the establishment, exercise, or defense of legal claims, or
the Data Subject has objected to the processing, in this case, the restriction applies for the duration until it is determined whether the legitimate grounds of the Data Controller override those of the Data Subject.

If the processing of data is restricted, the personal data may be processed only with the consent of the Data Subject, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or another Member State, except for storage.

The Data Controller informs all recipients of the personal data about its rectification, deletion, or restriction of processing, with whom the personal data has been shared, unless this proves impossible or requires a disproportionate effort. At the request of the Data Subject, the Data Controller informs them about these recipients.

Right to data portability:

The Data Subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, machine-readable format, and has the right to transmit those data to another data controller without hindrance from the data controller to whom the personal data has been provided, if the processing is based on the consent of the Data Subject or is necessary for the performance of a contract and the processing is carried out by automated means. The Data Subject has the right to request the direct transfer of personal data between data controllers if technically feasible. The right to data portability shall not adversely affect the right to erasure. The right to data portability shall not adversely affect the Data Subject's right to erasure. The right to data portability shall not adversely affect the rights and freedoms of others.

Right to lodge a complaint:

You may assert your claims regarding the above rights or if you have been harmed during the processing of data, by sending an email to [email protected] or by sending a letter to the registered office of Árpád Kft. The Data Controller undertakes to inform the Data Subject of the measures taken within 30 days from the request.

If the Data Controller does not inform you about the handling of your complaint or does not investigate it, you have the right to lodge a complaint with the competent supervisory authority: National Authority for Data Protection and Freedom of Information (head office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, mailing address: 1530 Budapest, Pf.: 5., phone: +3613911400, fax: +3613911410, email: [email protected]). A judicial review of the NAIH's decision can be initiated.

In addition to the above, you may file a lawsuit against the Data Controller. The court shall proceed with the case as a matter of priority.

DATA OF THE DATA CONTROLLER:

Company name: Árpád Kft. Limited liability company

(registered office: 2800, Tatabánya, Fő Tér 20. company registration number: 11 09 002730)

Represented by: Zoltán Szalay

The Data Controller is not obliged to appoint a data protection officer.

DATA PROCESSORS:

In order to carry out its activities, the Data Controller engages the following Data Processors:

AMG Solution Kft (registered office: 2800 Tatabánya, Aradi Vértanúk tere 8. 4th floor 14., email: [email protected]

purpose of data processing: hosting service, IT support

The Data Controller reserves the right to involve additional data processors in the data processing in the future, which will be communicated to the Data Subjects by modifying this Data Processing Information.

DATA PROTECTION:

We process personal data solely for the purposes and duration specified in this data processing information. We only process personal data that is essential for achieving the purpose of data processing and suitable for reaching the goal.

We protect personal data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage, and inaccessibility due to changes in the applied technology, ensuring the integrity of personal data and that only those who are authorized or have a task related to the specific data processing can access the personal data.

We store personal data encrypted with MD5 hashing (pseudo-anonymized).

We urge all third parties to whom we transmit or transfer data based on the consent of the Data Subject to comply with data protection requirements. We also impose this obligation on our employees and data processors involved in the data processing activity. Our employees are regularly trained on data and information security requirements, and we comply with data security requirements during document handling.

Our computers are protected by antivirus software and passwords, the use of external data carriers is restricted and only allowed under secure conditions, after verification. We create backups of the data on external data carriers, for which we ensure security guarding.

We store personal data on the hard drives of our computers and on our own servers, which are reliably secured and protected by antivirus applications, in a location that is accessible only to a limited number of authorized personnel based on strict access control rules. We use rate limiting to access the server.

In the event of a data protection incident – in accordance with our incident management policy – we will report it to the supervisory authority within 72 hours and maintain a record of it.

Tatabánya, July 23, 2022.