INTRODUCTION
This data privacy information concerns the processing of data by the Host as Controller on the websites www.godirect.website www.appartman.hu and appartman.io. The Data privacy information on the processing of data by the Controller besides the system of appartman.io see the contacts provided by the controller.
Appartman PMS Technologies Kft. as the operator of the site (tax number: 27441792-2-05, seat: H-3557 Bükkszentkereszt, Dózsa utca 2.) acts as data processor in the activity.
CONTROLLER
The data of the Controller are included in the following chart:
| Name of the Controller: | |
| Contacts to exercise the rights of data subjects based on GDPR: |
PROCESSING OF DATA OF GUESTS FOR THE PURPOSE OF BOOKING ACCOMODATION
PURPOSES OF THE PROCESSING OF DATA
| The purpose of processing of data: | Online submitting of the request for accommodation service to the host |
THE DATA SUBJECTS AND THE PERSONAL DATA PROCESSED
| Natural persons subject to the processing of data: | Guest |
| During the processing of data, the following data are processed by the Controller: | Name, e-mail address, phone number, country, postal code, city, extra services, number of guests, date of check-in and check-out demanded, type of room, total of booking, remarks |
LEGAL BASES OF PROCESSING OF DATA
| The legal basis of the processing of data: | Performance of contract – point (b) og Article 6(1) – the processing is necessary for the performance of contract, or taking the steps before conducting the agreement to the request of the data subject |
| Justification of the legal basis, i.e. in case of processing of data based on legitimate interest with respect to laws on processing of data or point (f) of Article 6(1) GDPR: the legitimate reason constituting the processing of data. In case of point (b): the contract justifying the processing of data | Processing of booking data necessary for preparing the accommodation service contract. |
| The special category of personal data in case of processing special categories of personal data: | Data not sensitive |
| Further condition(s) ont he processing of sensitive data based on 9(2) GDPR: | Irrelevant |
STORAGE PERIOD
| Regarding this processing of data, the storage period data, and the aspects defining the storage period: | 5 years of the breach or the termination of the contract, in accordance with the general terms regarding limitation of Act Nr V of 2013 on the Hungarian Civil Code. |
OTHER CONDITIONS
| Possible consequences of omission of data provisions | Previous booking of the accommodation is not possible. |
| Other conditions based on point (e) 13(2) | The provision of data is obligatory. |
| In case of the legal basis in accordance with points (b) and (c) 6(1) GDPR, is the provision of personal data a statutory or contractual requirement necessary to conclude a contract? | The provision of data is a requirement necessary to conclude a contract. |
THE RECIPIENTS OF TRANSFER OF PERSONAL DATA
| Other processors within the processing of data: | Appartman PMS Technologies Kft. (tax number: 27441792-2-05, seat: H-3557 Bükkszentkereszt, Dózsa utca 2.; website: www.appartman.hu ) |
| Categories of processing of data by the processor to the order or request of the controller | Operation of the application www.godirect.website that stores personal data specified in this information. |
| The processing of data includes joint processing of data with the following organizations: | Irrelevant |
| The processing of data may include regular data transfer to the following recipients: | During the use of Hotjar web analytics service, the usage data collected by the application (IP address, client technical data, user behavior) are transferred to Hotjar Ltd. (Level 2 St. Julians Business Centre, 3, Elia Zammit Street, St. Julians STJ 1000, Malta). |
AUTOMATED DECISION-MAKING INCLUDING PROFILING FOR THAT PURPOSE
The processing of data does not include automated decision-making and/or profiling.
Protection of data subjects’ rights
The Controller provides the data subject with exercising the right to information based on Section 13 and 14 GDPR by electronically publishing this Data Privacy Information.
The Controller shall provide the electronic availability or a printed copy of the Data Privacy Information at the time of acquiring the personal data, or first contact with the data subject.
Furthermore, data subjects may ask for inquiry concerning the processing of their personal data contacting on the details given, or they may submit their request related to exercising their right as data subjects.
Data subjects possess the following rights concerning processing of data – besides the right to information based on Section 13 GDPR. The Controller shall comply with the requests within one month the latest after the receipt of the request – providing the deadline is not extended because of the complexity or the number of requests.
a) a) Right of access
Based on the right of data subject in accordance with Article 15 GDPR, the data subject may obtain information, confirmation from the Controller on the conditions and circumstances of processing of their personal data, especially:
- the purposes and legal bases of the processing of the data subjects personal data,
- the categories of the personal data concerned,
- the recipients of the personal data or categories of recipients,
- the period of data retention and the aspects of establishing the retention period in connection with the processing of data subjects personal data.
- the possibilities of the data subject to exercise their rights and right to remedy.
- the fact whether the processing of data includes automated decision-making including profiling, if yes, in what circumstances.
Within the scope of exercising their rights - based on 15(4) GDPR - data subjects may request the Controller, one time free of charge, the electronic copy of their personal data processed.
b) Right to rectification
Based on Article 16 GDPR the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject shall also have the right to have incomplete personal data completed.
c) Right to erasure
Based on Article 17 GDPR data subjects may request the Controller to erase their rights in case of withdrawal of their consent, unlawful processing of data, in compliance with a legal obligation in Union or Member State law to which the controller is subject, the revoke of the purpose of processing of data, in case of no lawful reason existing for processing of data, and objection to the processing of data collected for direct marketing purposes.
The request to erase personal data is not complied with by the Controller in case he/she is obliged by law to store the personal data and the period for processing (storage) defined by law has still not lapsed.
d) Right to restriction of processing
Based on Article 18 GDPR, the data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject,
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing of data.
e) Right to data portability
Based on Article 20 GDPR, the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller either based on based on consent pursuant to point (a) of Article 6(1) or based on a contract pursuant to point (b) of Article 6(1), in a structured, commonly used and machine-readable format.
The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The right to data portability does not create any obligation for controllers to introduce of maintain processing systems technically compatible with each other.
In case the data subject’s right to data portability hinders others’ rights or freedom, especially confidential business information or intellectual property, the Controller may deny the performance of the data subject’s request in the necessary extent.
That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f) Automatizált döntéshozatal, profilalkotás
Based on 22 (3) GDPR, to the request of the data subject – in case an automated processing including profiling concerning processing of data occurs in accordance with the data privacy information of sensitive data – the data controller shall implement suitable measures to safeguard the data subjects rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. At this moment, the controller does not perform automated processing including profiling.
h) Right to object
Based on Article 21 GDPR, the data subject shall have the right to object any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is based on point (e) concerning the exercise of public power by the Controller or (f) of Article 6(1) concerning legitimate interests. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
RIGHT TO REMEDY
a) ) Data protection officer (DPO)
The data subject may contact the DPO of the Controller in case of questions or complaints regarding processing and protection of their personal data or exercising their rights as data subject.
b) Right to complaint before the supervisory authorities of data protection
Besides other remedies before the public administrative authorities and courts, data subjects are authorized – if data subjects find that the Controller or their Processor has violated the law by acting or neglecting their duty or inducing their possibility – to file a complaint to the National Authority for Data Protection and Freedom of Information.
Contacts of the National Authority for Data Protection and Freedom of Information:
Seat: H-1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf. 9,
Tel.: 06 1/391-1400, +36 (30) 683-5969, +36 (30) 549-6838,
E-mail:ugyfelszolgalat@naih.hu,
website: http://naih.hu/
c) The right to effective judicial remedy against the Controller or Processor
Data subjects may go to court besides the possibility of public administrative or non-judicial remedies at disposal – including the right to complaint before the supervisory authorities of data protection – in case of any possibility of breach of data subjects’ rights of personal data protection by the Controller or their Processor.
The actions shall be filed to the tribunal situated at the Controller’s seat, i.e. Fővárosi Törvényszék (High Court of Budapest) of competence. Data subjects may decide to file the action to the high court at their address or place of habitation. The list of high courts of Hungary see: http://birosag.hu/torvenyszekek.