Rights of the person concerned: the person concerned (whose personal information is handled by our company)
a) may request information on the processing of his/her personal data or to access these personal data,
b) may request the rectification of the data,
c) may request the deletion thereof,
d) in case the conditions of GDPR Article 18. are met, he/she may request the limitation of the processing of the personal data (which means that our company does not delete or destroy the data until a court or official order, but only for maximum 30 days, and beyond this the company shall not process the data for any other reasons).
e) may object to the processing of personal data,
f) exercise his/her right for data transmission. Under the latter law, the concerned person is entitled to receive his/her personal data in a word or excel format, and he/she is further entitled to ask the data to be forwarded by our company to another data processor.
Other information about data processing: Our company will take all necessary technical and organizational measures to avoid any possible privacy incidents (e.g. damage, loss of files containing personal information and to prevent unauthorized access).
In the event of an incident occurring, we keep a record of the necessary measures and in order to be able to inform the concerned persons, which includes the circle of the given personal data, the circle and number of the people affected by the data protection incident, the time of the data protection incident, its circumstances, effects and the measures taken to remedy the data protection incident, and all other data specified in the law governing the data management.
Our company has not concluded a data processing contract for data processing, therefore our company undertakes that in case we use further data processors, we will obligatorily use the data protection and data processing guarantees that are required from us by the data processing agreement, taking this into consideration we provide the legal processing of the personal data even in case of the use of data processors.
10. OTHER DATA MANAGEMENT
In case of data management not listed in this information material, we provide information when the data is recorded. We inform our customers that some authorities, public service bodies, courts may approach our company to provide personal information. For these bodies, our company – in case the body has indicated the exact purpose and the scope of the information – provides information only to the extent that is necessary for the achievement of the purpose of the request, and in case the accomplishment of the approach is legally required.
III. STORAGE OF PERSONAL DATA, SAFETY OF THE DATA MANAGEMENT
The computing systems and other data retention locations of our company are located at the headquarters and on the servers rented by the data processor. Our company selects and manages the IT tools used to manage personal data for the provision of the service in a way that:
a) it is accessible for the authorized persons (availability);
b) its authenticity and certification is provided (credibility of data management);
c) its unchanged nature can be verified (data integrity);
d) it is protected from unauthorized access (confidentiality of data).
We pay particular attention to the security of the data, and we also take the technical and organizational measures and develop the procedures necessary to enforce the GDPR guarantees. We protect the data by appropriate measures, particularly against unauthorized access, modification, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and the unavailability due to the applied technology.
The IT system and network of our company and our partners is protected against computer-aided fraud, computer viruses, computer intrusions, and against attacks leading to a service denial. The operator also provides for the security through server-level and application-level security measures. The daily data backup is provided for. In order to avoid data protection incidents, our company will take all possible measures, in case such an incident occurs – according to our internal rules – we take immediate actions to minimize the risks and to remedy the damages.
IV. THE RIGHTS OF THE PARTIES CONCERNED, LEGAL REMEDY OPPORTUNITIES
The Party concerned may request information about the handling of his/her personal data, may request the rectification of his/her personal data or – with the exception of the mandatory data handling – may request the deletion, cancellation of his/her data, he/she may use his/her right to transfer his/her data, to protest as indicated at the time of the recording of the data, and at the above contact details of data manager.At the request of the person concerned, we provide the information in electronic format without delay, but no later than 30 days, in accordance with our applicable regulations. Requests for the fulfilment of the below rights are provided free of charge to the concerned persons.
Right to receive information:
Our company takes appropriate actions to ensure that we provide all the information as regards the handling of personal data to persons concerned as mentioned in Article 13. and 14. of the GDPR according to articles 15-22. and 34. in a concise, transparent, comprehensible and easily accessible form, in a clear and straightforward, but at the same time in a precise manner.
The right to receive information can be exercised in writing through the contact details given in point 1. At the request of the person concerned – after the verification of his/her identity – oral information may also be given. We inform our customers that in case the co-workers of our company have concerns about the identity of a concerned person, we may request information from him/her that is needed for the verification of his/her identity.
The right to access of the concerned person:
The person concerned has the right to be informed by the data manager about whether his/her personal data is being processed, or not. In case his/her personal data is being managed, the concerned person has the right to have access to his/her personal information and to the information listed below.
• The purposes of the data management;
• the categories of the personal data involved;
• recipients or recipient categories to whom the personal data has been or will be communicated, including in particular third (non-EU) country recipients or the international organizations;
• the intended duration of the storage of personal data;
• the right to correct or delete the data or to limit the data management;
• the right to file a complaint addressed to the supervisory authority;
• information about data sources; the fact of automated decision making, including the creation of a profile, as well as information about the logic applied and information about the significance of such data management, and about the consequences it may have for the person concerned.
In addition to the above, in case personal data is transferred to third countries or to an international organization the concerned person has the right to receive information about the guarantees of the data transfer.
The right for correction:
Under this law, anyone may request the correction of his/her inaccurate personal data processed by our company and the completion of incomplete data.
Right to delete:
The person concerned has the right, on any of the following grounds, to request from us the deletion of his/her personal data without undue delay:
a) personal data are no longer required for the purpose for which they have been collected or otherwise managed;
b) the party concerned withdraws his/her consent for the data management and the data management has no other legal basis;
c) the party concerned is objecting the processing of his/her data and there is no primary legal basis for the data management;
d) the unlawful handling of personal data is the case;
e) personal data is to be deleted in order to comply with the legal obligation imposed on the data manager by the Union or by the Member State law;
f) the collection of the personal data is done in connection with the provision of information society services.
Deletion of the data cannot be requested if the management of the data is required for the following purposes
a) to exercise the right to freedom of expression and information gathering;
b) to meet the obligation to manage personal data under the law of the Union or of the Member States applicable to the data manager, or for the purpose of processing data for public interest or for the purpose of doing a task within the framework of public authority permit issued for the data controller;
c) on the basis of public interest relating to public health or archiving, scientific and historical research purposes or for statistical purpose;
d) or for the submission, validation or protection of legal claims.
Right to restrict data management:
At the request of the person concerned, we restrict the processing of data in the cases mentioned in Article 18. of the GDPR, that is:
a) if the person concerned disputes the accuracy of the personal data, the restriction concerns the period of time which allows for checking the accuracy of the personal data;
b) if the data management is unlawful and the person concerned opposes the deletion of the data and, instead, he/she requests the restriction of the data management;
c) the data manager no longer needs the personal data for data processing, but the person concerned requires them to submit, enforce or protect legal claims; or
d) the person concerned objected the data management; in this case, the restriction applies to the period of time that is needed to verify whether the legitimate reasons of the data manger prevail over the legitimate grounds of the person concerned.
If the data management is restricted, personal data with the exception of storage may be managed only with the consent of the person concerned or for the submission, validation or protection of legal claims or for the protection of the rights of other natural or legal persons, or for the public interest of the European Union or of a Member State. The concerned person must be informed of the discontinuation of the limitation of data handling in advance.
Right to data transfer:
The concerned person shall have the right to receive the personal data that he/she has provided to the data manger in a sectioned, widely used machine-readable format and to transfer such data to another data manager. Our company can execute such a request of the concerned party in word or excel format.
Right to object:
If the management of the personal data is done for direct business acquisition, the person concerned is entitled to object at any time the management of personal data relating to that purpose, including the creation of a profile, if such is related to direct business acquisition. In the event of the objection of the handling of personal data for direct business acquisition, the data cannot be managed for this purpose.
The affected person is entitled to object against the managing of his/her personal datas, if the legal basis of the data management is the legitimate interest of the Data Manager. In this case, the Data Manager is not entitled to manage the given personal datas further, unless it can proof that management is justified by such compulsive legitimate reasons, which take precedence against the interests, rights and freedoms of the affected person, or which is related to presentation, vindication or protection of legal claims.
Right of withdrawal:
The person concerned has the right to withdraw his/her consent at any time. The withdrawal of the consent does not affect the lawfulness of the data management based on consent prior to the withdrawal.
Data manager informs the concerned person without undue delay, but in any case within one month from the receipt of the request, on the measures taken on the basis of Articles 15-22. of the GDPR. If necessary, this deadline may be extended by two additional months taking into account the complexity of the application and the number of applications. Data manager shall inform the person concerned about the extension of the deadline by indicating the reasons for the delay within one month counted form the receipt of the application.
If the person concerned has submitted the request electronically, the information will be provided electronically, unless the person concerned requests it otherwise.
In case the data manager fails to take action upon the request of the concerned person, he shall inform the person concerned without delay but not later than one month after the receipt of the request about the reasons for not complying with the request, and about the fact the concerned party may submit a complaint at the supervisory authority and may exercise his/her right to seek legal remedy at the court.
Data manager shall inform all recipients about all corrections, cancellations, or restrictions of the data management to whom he/she communicated personal data unless this proves impossible or would require disproportionate efforts. At the request of the concerned person, the data manager shall inform him/her about the recipients thereof.
Compensation and damages:
Any person who has suffered material or non-material damage as a result of the violation of the data protection regulation is entitled to receive compensation for the damage sustained from the data manager or the data processor. The data processor shall only be held liable for damages caused by the data management if he/she has failed to comply with the statutory obligations specifically imposed on the data processors or if he/she has disregarded the legitimate instructions of the data manager or acted contrary to it. If several data managers or several data processors or both the data manager and the data processor are involved in the same data handling, and are liable for the damage caused by the data handling, each data manager or data processor is jointly liable for the total damage.
The data manager or the data processor shall be exempt from the liability if he/she is able to prove that he/she is not liable in any way for the act giving rise to the damage.
Right to turn to court and the data protection authority procedure:
If the person concerned thinks that the data manager has violated his right to protect his/her personal data during his/her data management, he/she may seek legal remedy on the basis of the respective legal regulations from the competent authorities, as follows:
– may file a complaint to the Hungarian National Authority for Data Protection and Freedom of Information
address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.;
e-mail address: firstname.lastname@example.org;
– may turn to the competent court.
The court proceeds with the case out of turn.
Data manager undertakes to fully cooperate with the concerned court or the HNADPFI in all these proceedings, and to provide the information needed about the data management to the HNADPFI or to the court concerned..
V. MISCELLANEOUS PROVISIONS
The data manager undertakes to ensure that all data management related to his activity is in accordance with the requirements set out in this declaration, as well as in accordance with his internal regulations – making requirements that are similar to the contents of this very declaration – and in accordance with the respective legal regulations.
Data manager reserves the right to change this declaration at any time, provided that after the implementation of the changes, he informs the concerned person by means of a notice published on the website of the Tisza Balneum Hotel.
Should you have any questions about the contents of this declaration, please send us an e-mail.
Last updated: 13.07.2018.