Privacy Policy

PRIVACY NOTICE

Hotel OTP Balatonszemes

Data processing is done in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR or General Data Protection Regulation) and Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Info Act).

As the operator of OTP Hotel Balatonszemes, OTP Ingatlanüzemeltető Kft. (seat: 1138 Budapest, Váci street 141-143., hereinafter: ‘Company’) always ensures the lawfulness and legitimate purpose of data processing with regard to the personal data processed by it. The purpose of this Notice is to provide guests, who book a room and provide their personal data, with adequate information on the conditions and guarantees subject to which their data will be processed by us and the duration of data processing. Our company adheres to the contents of this Notice whenever processing of personal data occurs, and we consider the information described here to be binding on us.

This Notice shall remain in force until withdrawal. The Company reserves the right to amend this Notice, and publishing the amended Notice on its website shall be deemed proper notification of such amendment.

1. THE FOLLOWING TABLE SUMMARISES THE FEATURES OF DATA PROCESSING ACCORDING TO THIS PRIVACY NOTICE

1.1. DATA PROCESSING RELATED TO REQUESTS FOR QUOTATION AND ONLINE ROOM BOOKING

Our company provides an opportunity for our guests to request a quotation electronically for the prices of rooms and services. The quotation will be provided via an electronic system, taking into account the available capacities.

We also provide our guests with the opportunity to book accommodation online in order to book a room quickly, conveniently and free of charge.

In addition to the above, with the consent of the data subject, we try to assist our guests by sending a pre-arrival e-mail so that they can prepare for their trip and spend less time with checking in at the hotel upon arrival. The pre-arrival e-mail is used for checking in online and, on the other hand, it contains useful information including among others the current weather forecast and programme offers.

PURPOSE OF DATA PROCESSING
LEGAL BASIS FOR DATA PROCESSING
SCOPE OF THE PROCESSED DATA
DURATION OF DATA PROCESSING
Prior information about hotel prices by sending offers electronically (providing an exact quotation, preparing reservation)
Data processing is necessary in order to take the steps requested by the data subject pursuant to point a) of Article 6(1) of the GDPR

title; last name and first name; telephone; e-mail address; number of hotel guests (number of adults, number of children)
- in the case of a successful offer, two years after the last day of the stay according to the reservation

- in the case of a rejected offer, until the date of the rejection,

- if no reply to the offer is received, by the day following the expiry of the time limit of the offer.

Sending a pre-arrival e-mail with information about the room, travelling and programme options. The purpose is to help guests prepare for their trip and reduce the time spent on checking in with practical and relevant information, weather forecasts, programme offers and enabling online check-in.
Consent of a data subject, pursuant to point a) of Article 6(1) of the GDPR

title; last name and first name; telephone; e-mail address;

Until the purpose is achieved or until the withdrawal of consent at the latest.
Filling in an online application form in order to speed up the check-in at the hotel, as well as for providing services and book reservation.
Data processing is necessary in order to take the steps requested by the data subject pursuant to point b) of Article 6(1) of the GDPR

last name, first name, firm name, motor vehicle plate no., home address, nationality, place and date of birth, day of arrival, day of departure, ID card no., e-mail address

Personal data received during the booking process will be processed for the duration of the contractual relationship with the data subject, with the exception of: data to be retained for 8 years pursuant to Act C of 2000 on Accounting; and data to be retained until the last day of the 5th year following the current year pursuant to Act XCL of 2017 on the Rules of Taxation;
Providing electronic booking of accommodation
Necessary for performing the contract pursuant to point b) of Article 6(1) of the GDPR

title; surname and first name; address (country, postcode, city, street, house number;) telephone number; e-mail address, date of arrival, date of departure, number of adults, number of children, room type, method of payment, data on possible food allergies; in the case of a business company, company name and registered office, bank card number

1.2. DATA PROCESSING RELATING TO SUBSCRIPTION FOR NEWSLETTERS

We keep in touch with our guests through newsletters in which we offer our services, inform them about news related to our operation and promotion campaigns.

PURPOSE OF DATA PROCESSING
LEGAL BASIS FOR DATA PROCESSING
SCOPE OF THE PROCESSED DATA
DURATION OF DATA PROCESSING
Keeping contact via newsletters, offering services, providing information about the operation of the hotel and promotion campaigns.
The data subject’s consent pursuant to point a) of Article 6(1) of the GDPR

name, e-mail address

Until unsubscription from the newsletter (withdrawal of consent).

1.3. SATISFACTION RATING

As a hotel operator, our goal is to provide our guests with a high standard of service, so we constantly ask for feedback from our guests about their experience during their stay at our hotel.

During satisfaction rating, we do not aim to identify the data subject; it is not necessary to provide any personal data for the completion so the data subject will not be identifiable from the answers.

PURPOSE OF DATA PROCESSING
LEGAL BASIS FOR DATA PROCESSING
SCOPE OF THE PROCESSED DATA
DURATION OF DATA PROCESSING
Requesting feedback from hotel guests in order to further develop and improve our services.

The data subject’s consent pursuant to point f) of Article 6(1) of the GDPR

name, e-mail address

Two years after the last day of the booked stay.

1.4. MANAGING COOKIES

Cookies are small programs that help the functional operation of the website you are visiting, collect data for traffic analysis purposes, or possibly for marketing purposes.

When cookies are used, these small programs or data packets are sent to the user's computer and stored there for a certain period of time. When using cookies, the website “requests” the user’s computer or other smart device, for the user’s browser to store information about the use of their computer. Cookies may come either from the website you are visiting or from a third party. Cookies allow a website to “remember” certain actions or preferences of the user. Cookies help to identify users, record users' individual settings related to the use of the website, and allow users to use the websites without having to re-enter data (e.g., memorising passwords).

Some cookies are handled by an external web server, these cookies are called http headers. Another way to store cookies is to use JavaScript code stored on or linked from that page. In practice, the process can be described so that every time the user wants to visit the website again, the web server can receive the data of the previously set cookies, thus making it easier and more convenient to load and use the previously visited page.

Cookies and other similar technologies may be suitable for identifying specific individuals, and their use therefore qualifies as processing of personal data for the purposes of the General Data Protection Regulation.

Cookies and other similar technologies can be encountered when you visit any website today. The questions asked in relation to cookie management are there to inform users or request their consent.

Cookies used by the website:

a) Basic cookies

Cookies that provide basic functionality help us make our website usable by enabling basic features such as navigating on the site and access to secure areas of the website. The website cannot function properly without these cookies.

PURPOSE OF DATA PROCESSING
LEGAL BASIS FOR DATA PROCESSING
Expiry
To ensure the proper functioning of the website.
The controller's legitimate interest pursuant to point f) of Article 6(1) of the GDPR).

12 months

b) Statistics cookies

Through the collection and reporting of data in an anonymous form, statistics cookies help the website owner to understand how visitors interact with the website.

They provide information about the number of users, the number of visits to each page, the duration of staying on the website, the device through which the website was visited (mobile phone, desktop, tablet, display size, type of operating system), geographical location of the visiting user at city level only, frequency of the visit (the proportion of returning and new visits).

PURPOSE OF DATA PROCESSING
LEGAL BASIS FOR DATA PROCESSING
Expiry
To ensure the proper functioning of the website.
The data subject’s consent pursuant to point a) of Article 6(1) of the GDPR

_ga 2year

_gid 24hour

_gat_gtag_<property-id> session

Removing cookies from your device:

You can remove all cookies from your device by clearing your browsing history. This allows you to delete all cookies associated with the websites you visit.

Keep in mind, however, that deleting your history may result in the loss of some of the saved information (e.g., login information, search settings).

Managing site-specific cookies:

To further specify your options related to the use of site-specific cookies, check and change the privacy and cookie settings of your browser as you see fit.

Disabling cookies:

Most browsers currently in use allow users to disable all cookies on their device. In this case, however, the necessary settings must be made for each website separately. Some services and features (e.g., creating a user profile, logging in) may not work properly or at all.

1.5. DATA PROCESSING RELATED TO CAMERA SURVEILLANCE

The hotel has CCTV cameras for the protection of guests and their property as well as for the protection of other hotel property. The cameras provide continuous surveillance (live image) on the one hand, and record images on the other.

PURPOSE OF DATA PROCESSING
LEGAL BASIS FOR DATA PROCESSING
SCOPE OF THE PROCESSED DATA
DURATION OF DATA PROCESSING
The purpose of data processing is to protect people and property effectively

and to enable and make it easier to detect or prove any misconduct.

The controller's legitimate interest pursuant to point f) of Article 6(1) of the GDPR).

the image and conduct of persons staying in the area monitored by the surveillance system

The recorded image is kept for 3 working days from the time of recording.

1.6. SOCIAL MEDIA

We maintain a Facebook and Instagram page in order to present and promote the services of our hotel.

The personal data provided by visitors on the hotel's Facebook/Instagram page is not managed by the hotel. Visitors are subject to the Facebook/Instagram Privacy and Service Terms. If any illegal or offensive content is posted, the Company may block the person concerned from the page or delete their post without prior notice. The hotel is not responsible for any data content or comments that violate the law published by Facebook/Instagram users. Furthermore, the hotel is not responsible for any errors, malfunctions or problems caused by, or changes in, the operation of Facebook/Instagram.

1.7. DATA PROCESSING RELATED TO TOURIST TAX DECLARATION AND INVOICING

Any private person who spends at least one guest night in the area of jurisdiction of the local government as a non-permanent resident and persons who own a building suitable for holiday or recreation in the area of jurisdiction of the local government that does not qualify as a home are liable to tourist tax (‘IFA’).

PURPOSE OF DATA PROCESSING
LEGAL BASIS FOR DATA PROCESSING
SCOPE OF THE PROCESSED DATA
DURATION OF DATA PROCESSING
To perform the tax payment obligation necessary for providing an accommodation service.
To comply with a legal obligation pursuant to point c) of Article 6(1) of the GDPR,

name, place of birth, date of birth, address, identity card number, start and end dates of stay

Until the date specified by law for the specific data processing purpose or for two years after the last day of the booked stay

Issuing invoices
To comply with a legal obligation pursuant to point c) of Article 6(1) of the GDPR,

name, address, price, IFA amount, chosen payment method, date of using the service

8 years from the issuance of the invoice pursuant to the Accounting Act

2. DATA OF THE DATA CONTROLLER AND THE DATA PROTECTION OFFICER

Name of Controller: OTP Ingatlanüzemeltető Kft. (seat: 1139 Budapest, Frangepán utca 8-10; postal address: 8200 Veszprém, Ádám Iván u. 1; Reg. No. 19-09-512827; Tel: +36 84 560 911; E-mail: recepcio@otphotel. hu)

Name of data protection officer: dr. Attila Turi (postal address: 1139 Budapest, mailbox: 66; e-mail address: adatvedelem@otpfm.hu; Phone number: +36 (70) 6578782)

3. THE RECIPIENTS OF PERSONAL DATA

Recipient means a natural or legal person, public authority, agency or another body, to which personal data is disclosed, whether or not it is a third party.

We always treat the personal data of the data subjects confidentially, and transmit data only to the recipients in the table below only in order to comply with a legal obligation. No data is transferred to any other third parties.

3.1. DATA TRANSFERS

RECIPIENTS OF DATA TRANSFER
LEGAL GROUND OF DATA TRANSFER

SCOPE OF DATA TRANSFER
PURPOSE OF DATA TRANSFER
National Tourism Agency
Compliance with a legal obligation pursuant to point c) of Article 6(1) of the GDPR,

Anonymous statistical data
The Company provides daily anonymous statistical data on guest traffic at the hotel through the hotel management software.
Balatonszemes Municipality
Compliance with a legal obligation pursuant to point c) of Article 6(1) of the GDPR,

name, telephone number, gender, e-mail address, home address, date of arrival and departure, time of booking, nationality
To meet the tax (IFA) liability required for the provision of accommodation services.

3.2. DATA PROCESSOR

In connection with the data processing referred to in point 2, we use the services of the IT service provider of the online hotel reservation system (RESnWEB) as a data processor as follows:

Name of processor
Registered office
Description of the data processor’s task
NetHotelBooking Kft.
8200 Veszprém, Boksa tér 1/A
Through the RESnWEB system:

- providing the possibility to book accommodation online;

- operation of the pre-arrival e-mail module;

- management of the newsletter database;

- operation of a satisfaction rating module

- Cookie management, including identification of users and their current browsing session, storage of data provided, prevention of data loss, web analytics measurements, personalised service

3.3. USE OF SUB-PROCESSORS

In order to make the service more convenient and customised, the Data Processor uses the following sub-processors:

Name of sub-processor
Registered office
Description of the sub-processor’s task
Wildbit, LLC*
225 Chestnut St, Philadelphia, PA 19106, USA
Owner of software integrated into the reservation system. This software sends automatic e-mails containing confirmations and notifications when booking, requesting and providing quotes, sending pre-arrival e-mails, selling gift vouchers and doing satisfaction surveys.
Hostware Kft.
1149 Budapest, Róna utca 120-122.
Performs customer management tasks when using the Hostware Front Office hotel management system.
BIG FISH Payment Services Kft.
1066 Budapest, Nyugati tér 1-2.
To ensure data communication between the trader and the payment service provider necessary for the transaction, to provide retrievability of transactions for sales partners.
OTP Mobil Kft.
1093 Budapest, Közraktár u. 30-32.
To ensure data communication between the trader and the payment service provider necessary for the transaction, to provide customer service assistance to users, confirm transactions and perform fraud-monitoring aimed at protecting users.
D-Edge SAS
14/16 Boulevard Poissonnière, 75009 Paris, France
D-Edge Channel Manager to manage prices and free room capacity in one place when using multiple sales channels.
Creative Management Kft.
8200 Veszprém, Boksa tér 1/A
To perform server hosting tasks

In addition to the above, other authorities, public bodies and courts may contact us for disclosing personal data. In these cases, we may disclose personal data to the authorities only to such extent which is absolutely necessary for achieving the purpose of the data request, provided that the relevant authority has specified the exact purpose and the scope of data requested, and that the request must be satisfied due to the law.

4. DATA SECURITY

Our company's computer systems and other data storage facilities are located at the headquarters and on the servers rented by the data processor. We choose and operate the information technology equipment used for providing our services related to the processing of personal data so as to make sure that the data being processed:

- Is accessible to those authorised to access the same (availability);

- its authenticity and authentication is secured (authenticity of data processing);

- its integrity can be verified (data integrity);

- it is protected against unauthorised access (confidentiality of data).

We pay particular attention to data security, take appropriate technical and organisational measures and develop internal procedures that are necessary to enforce the guarantees required in the General Data Protection Regulation. We take appropriate measures to protect data in particular against unauthorised access, modification, transmission, publication, deletion or destruction, and incidental loss or corruption, or becoming inaccessible due to a change in the applied technology.

Both the Company’s and our partners’ information systems and networks are protected against computer fraud, computer viruses, hacking and denial-of-service attacks. The operator ensures security through server-level and application-level protection procedures. Data backups are created on a daily basis. In order to avoid any data breaches, we take all possible measures and, in the event of such an incident, we take immediate action to minimise the risks and eliminate any damage in accordance with our incident management policy.

5. THE DATA SUBJECT’S RIGHTS RELATING TO DATA PROCESSING

Pursuant to Articles 12 to 21 of the General Data Protection Regulation, the data subject has the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and the withdrawal of their consent.

In the event of a breach of their rights under the General Data Protection Regulation, the data subject may lodge a complaint with the data controller at the contact details set out in point 2.

In the case of consent-based data processing, the consent is always voluntary and can be revoked at any time during the data processing. You may indicate your intention to withdraw your consent to the Company at any of the contact details provided in point 2. The withdrawal does not affect the lawfulness of previous data processing operations.

In accordance with Article 12(3) of the General Data Protection Regulation, the Company shall comply with the request of the data subject exercising their rights without undue delay, but not later than within one month from the receipt thereof. This period may be extended by two months where necessary, taking into account the complexity and number of the requests received. The Company shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where the data subject makes the request electronically, the information shall also be provided by electronic means where possible, unless the data subject specifically requests a different form of communication.

5.1. RIGHT OF ACCESS

The data subject has the right to obtain from the Company information through the contact details provided in this Notice as to whether or not personal data concerning him or her are being processed, and, where such data processing is in progress, to be informed about the following:

− Which of their personal data is processed by the Company; on what legal basis; for what data processing purpose; for how long;

− which of their personal data is made available for access or transmitted by the controller to whom, when, under what law; what sources their personal data comes from; and

− whether the Company uses automated decision-making and, if it does, the data subject is entitled to know its logics including profiling.

At the data subject’s request, the Company shall provide the data subject with a copy of the personal data undergoing processing free of charge for the first time and then, pursuant to Paragraph (5) of Article 12 of the GDPR, if the request of the data subject is manifestly unfounded or excessive, in particular because of its repetitive character, the Company may charge a reasonable fee based on the administrative costs or refuse to act on the request.

In order to comply with data security requirements and protect the rights of the data subject, the Company is obliged to make sure that the data subject and the person wishing to exercise the right of access are identical; therefore, the data subject must be identified before providing any information or giving access to the data or issuing a copy of the same.

5.2. RIGHT TO RECTIFICATION

The data subject may request in writing, through the contact details provided in this Notice, that the Company modify or correct any of their personal data if they can credibly prove the accuracy of such corrected data. If the request is sent electronically to the Company, the Company will also send its response electronically. If you request a reply in a different way, please indicate this in your request.

5.3. RIGHT TO RESTRICT PROCESSING (BLOCKING)

The data subject may request, through the contact details provided in this Notice, that the processing of their personal data be restricted by the Company (clearly indicating the limited nature of the processing and ensuring separate processing from other data) if the data subject

− disputes the accuracy of their personal data (in which case the Company shall restrict data processing for such time as is needed for checking the accuracy of the personal data);

− considers the processing unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

− the controller no longer needs the personal data for the purposes of the processing, but the data subject requests the same for the assertion, exercise or defence of legal claims; or

− the data subject has objected to processing (in this case such restriction shall be valid until it is determined whether the legitimate grounds of the controller override those of the data subject).

5.4. DATA PORTABILITY

You have the right to receive the personal data concerning you, which you have provided to the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindering the Controller if:

- The processing is based on consent or a contract; and

- the processing is carried out by automated means.

5.5. RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’)

The data subject may request from the Company the erasure of their personal data in writing through the contact details provided in this Notice.

The Company is obliged to delete personal data concerning you without undue delay if, inter alia, any of the following reasons applies:

- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

- you withdraw your consent and there is no other legal ground for data processing;

- you object to the processing based on a legitimate interest, public interest or under a public authority and there are no overriding legitimate grounds for the processing; or

- where personal data is processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing;

- the personal data have been unlawfully processed;

The Company will reject the request for erasure only if it is required by law to continue to store personal data.

5.6. OBJECTION TO PROCESSING

You have the right to object to the processing of data based on a legitimate interest through any of the contact details provided in point 2.

5.7. RIGHT TO WITHDRAW CONSENT

The data subject may withdraw their consent to the data processing at any time during the data processing period through the contact details provided in this Notice. The withdrawal of consent does not affect the lawfulness of prior processing by the Company.

6. RIGHT TO LEGAL REMEDY

If the data subject considers that the Company has violated the applicable data protection requirements during the processing of their personal data, they may submit a complaint to the Authority (National Authority for Data Protection and Freedom of Information, address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9.; telephone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu). The data subject may also submit a complaint to another supervisory authority, particularly the one established in the EU Member State of their permanent residence.

The data controller can also be sued in court for violating the rules on the processing of personal data. The data subject may start the lawsuit at the Budapest Metropolitan Court or the court competent according to their permanent residence. The contact details of Hungarian courts can be found through the following link: http://birosag.hu/torvenyszekek. If the data subject’s normal place of residence is in another member state of the EU, the lawsuit may also be started at the court that has power and competence in the member state of the normal place of residence.