
Kolping Hotel**** Spa & Family Resort

PRIVACY POLICY
OF KOLPING HOTEL KFT.

1. The purpose of the policy

The aim of the policy is to provide information for the data subject, taking into consideration the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: Info Act) and the provisions of Regulation 2016/679/EU of the European Parliament and the Council [GDPR], about the personal data processed by the controller defined in point 2, about the aim of data processing, its method, and about any other fact about the processing of data, especially but not limited to the rights regarding the processing of personal data, and about the possibilities for legal remedy.

2. Name, registered office, representative of the controller

3. Name, contact information and legal status of the data protection officer

Legal status of the data protection officer:
The controller shall ensure that the data protection officer takes part properly and in a timely manner in any and all issues that are in connection with the protection of personal data. Resources have to be provided for keeping the data protection officer professionally well-informed regarding data protection.
The data protection officer may not accept any instruction from anyone regarding its duties. Neither the controller, nor the processor may dismiss the data protection officer, nor may they penalize him or her for performing his or her tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights.
The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks.
The data protection officer may fulfil other tasks and duties, but any such task and duty shall not result in a conflict of interests.

Tasks of the data protection officer:

4. Legal acts regarding data processing

- Article VI of the Fundamental Law of Hungary;

- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as: “Info Act”);

- Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

5. Definitions used in the present policy

6. Data protection impact assessment

The controller shall be responsible for performing the data protection impact assessment regarding the rights and freedoms of natural persons, by assessing the source, nature, specifications and gravity of the risk. When deciding what measures are suitable for substantiating that the processing of personal data is in line with the GDPR, the findings of the impact assessment shall be taken into account. The controller shall consult the National Authority for Data Protection and Freedom of Information (NAIH) prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of suitable measures in terms of the available technology and the costs of execution taken by the controller to mitigate the risk. In case it shall be necessary in the future to perform data protection impact assessment regarding high risk data processing, it shall be performed by using the open source software (original name: “PIA” software, hereinafter referred to as: impact assessment software) published by the French data protection authority (Commission Nationale de l'Informatique et des Libertés, hereinafter referred to as: CNIL), which is also recommended by NAIH.

The controller shall prepare a separate policy regarding the data protection impact assessment.

7. Test of weighting interests - in case of data processing based on legitimate interest

In case of data processing based on legitimate interest (point (f) of Article 6(1) of the GDPR), the weighting of interests shall be concluded based on the opinion NAIH/2015/3731/2/V. According to this, the test of weighting of interests is a process consisting of several steps, during which the legitimate interest of the data processor and, as the counterpoint of weighting, the interest of the data subject and the given fundamental right have to be identified, and finally, based on the weighting, it has to be established whether the personal data may be processed or not.

Steps to be applied when performing the test of weighting interests:

The controller shall prepare a separate policy regarding the test of weighting interests.

8. Processing and protecting personal data

8.1. Tasks and competence, responsibilities of the controller

The primary controller shall compensate any damage which a person may suffer as a result of processing the personal data of the data subject unlawfully, or as a result of breaching the requirements regarding technical data protection. The controller shall be held liable towards the data subject for the damage caused by the processor as well. The controller shall be exempt from liability for damages if he or she proves that the damage was caused by unavertable reasons beyond the processing of data. No compensation shall be paid where the damage was caused by intentional or severely negligent conduct on the part of the person whose rights had been violated.

8.2. Tasks and competence, responsibilities of the processor

The rights and responsibilities of the processor regarding the processing of personal data shall be laid down by the controller in line with the present policy and with the applicable legal regulations. The processor shall be liable for the processing, modification, deletion, forwarding and disclosing of the personal data within the sphere of its activities and the boundaries laid down by the controller. It has to be included in the agreement concluded with the processor that based on the provisions of the controller, the processor may use another processor according to the provisions of the controller when performing its processing activities, and that it is possible to immediately terminate the agreement if the provisions relating to data processing are breached.

9. Principles and fundamental provisions

10. Rights of the data subjects

The controller shall not erase the data if data processing is necessary based on one of the reasons below:

11. Detailed rules regarding data processing

11.1 Providing information regarding data processing

Data subjects shall have the right to obtain information about the processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information.

The information that is provided has to contain the following:

11.2 The lawfulness of data processing

Processing shall be lawful if the controller has at least one of the following legal bases that applies for data processing:

11.3 The scope of personal data processed by the controller, the purpose of data processing, the duration of data processing shall be found in the register of data processing activities that form Annex 1 of the present policy, which shall be disclosed by the controller on its homepage.

The register of data processing activities shall contain:

Regarding the data processing activities indicated in the data processing register, separate privacy policies have been prepared, which form Annexes 1-21 of the register.

11.4 Duration of data processing

Data shall be stored for the shortest possible time. When establishing this time limit, the controller’s data processing purpose, as well as legal regulations applicable for the storing of data have to be taken into consideration.

11.5 Internal transmission of data

Personal data may only be transmitted within the controller’s organization in line with the principle of purpose limitation, and right to access may only be given if there is a proper purpose.

11.6 Data transmission to third persons

Personal data may only be transmitted to any third person based on law, or under the consent of the data subject, provided that the conditions regarding data processing are fulfilled regarding all personal data. The controller has to examine before transmitting the data whether the legal conditions are met, and that the conditions for data processing are met regarding any and all personal data following the transmission. Before transmitting data to the same controllers, regarding the same data subject, with the same purpose, the data protection officer shall be involved in the examination whether the transmission is lawful or not. No separate examinations are needed regarding transmissions subsequent to this. The data protection officer shall keep a data transmission register regarding transmissions, and shall store it in line with the regulations. The data transmission register has to be stored until the end of the fifth year following the year when the data communication or transmission was made (in special cases, for twenty years).

The register of data transmission shall contain:

11.7 Transmitting data abroad or to third countries

Before the transmission of data, the controller - together with the data protection officer - has to examine whether the legal conditions are met, and that the conditions for data processing are kept regarding any and all personal data following the transmission.

11.8 Special data, including biometric data, are not processed by the data controller.

12. Personal data breach

According to GDPR, personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

12.1 Reporting personal data breach

As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the competent supervisory authority (NAIH) about the personal data breach without undue delay and, where feasible, not later than 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If reporting is not performed within 72 hours, the reasons that justify the delay have to be attached as well.

12.2 Investigating and handling personal data breach

The data protection officer inspects the report and requests data from the person making the report, who shall fulfil this request within 2 working days.

The provision of data has to include:

The data protection officer shall make a suggestion regarding the necessary measure. The person responsible for the processing of data shall inform the data protection officer, within two days following the performance of the given measures, about the specific measures taken regarding averting the personal data breach.

12.3 Register of personal data breach

The controller shall keep a register on breaches of personal data. According to GDPR, the controller shall provide suitable technical and organizational measures in order to be able to explore and evaluate vulnerabilities and security breaches. Thus the controller, in addition to documenting personal data breaches, shall use suitable processes and measures to explore and handle security breaches in time.

13. Modification of the present policy

The present policy shall enter into force on 30 November 2018. The controller is entitled to modify the policy unilaterally - provided it is not against the law. The policy is available at the registered office of the controller.

Alsópáhok, 30 November 2018

Processing of website user’s data
Scope of personal data processed: the start and end time of the visit of website user, its IP address and other recorded browsing data (cookie)
Purpose of processing: identification of website visitors, understanding the browsing habits, increasing the user experience
Legal basis for processing: the data subject’s consent /point (a) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data:
1. To Morgens Design Kft. (8800 Nagykanizsa, Csányi László u 2) for the operation of the website
2. To Webshop Marketing Kft. (4028 Debrecen, Kassai út 129) for managing cookie settings
Deadline for data erasure: until the withdrawal of the data subject’s consent
Related document:
Document number: 001
Document name: Privacy notice - cookie

Direct marketing (sending newsletters)
Scope of personal data processed: name and e-mail address
Purpose of processing: marketing and remarketing purposes, promotion of the controller’s service by sending on-line newsletters
Legal basis for processing: the data subject’s consent /point (a) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data:
1. fps webügynökség kft. (3526 Miskolc, Arany J. tér 1.) for the purpose of providing newsletter sending service
Deadline for data erasure: until the withdrawal of the data subject’s consent
Related document:
Document number: 002
Document name: Privacy Notice - subscription for newsletters

Quotation request
Scope of personal data processed: name, e-mail, phone number, address, number of persons who wish to use the service, (number of children, their age)
Purpose of processing: contact, communication, sending personalised offers
Legal basis for processing: performance of the contract /point (b) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data:
1. To Morgens Design Kft. (8800 Nagykanizsa, Csányi László u 2) for the purpose of operating on-line quotation request system
Deadline for data erasure:
- in case of successful quotation request, according to the rule of booking,
- if the offer is rejected, until the day of rejection,
- if no answer arrives to the offer, until the day after the offer validity expires
Related document:
Document number: 003
Document name: Privacy Notice - quotation request

Direct booking
Scope of personal data processed: name, e-mail, phone number, address, number of persons who wish to use the service, (number of children, their age)
Purpose of processing: arranging booking
Legal basis for processing:
- performance of the contract /point (b) of Article 6(1) of the GDPR/
- data processing with regard to the date of birth on the basis of legislation (Articles 30 and 31 of Act C of 1990) /point (c) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data:
1. To Morgens Design Kft. (8800 Nagykanizsa, Csányi László u 2) for the purpose of operating online booking system
2. OTP Bank Nyrt, OTP Mobil Kft. and CIB Bank Zrt. for the operation of the payment system needed for online payment transactions
Deadline for data erasure:
- the personal data acquired during the booking will be processed as long as the contractual relationship with the data subject exists
Excluding:
- name, address: under Article 169 of Act C of 2000 on Accounting, for 8 years
- name and age of guests: until the last day of the 5th year following the current year as set out in Article 78 (3) and Article 202 (1) of Act CL of 2017 on the Rules of Taxation
Related document:
Document number: 004
Document name: Privacy Notice - booking

Booking through intermediaries
Scope of personal data processed: name, e-mail, phone number, number of persons who wish to use the service, (number of children, their age) and in some cases, credit card information
Purpose of processing: arranging booking
Legal basis for processing:
- performance of the contract /point (b) of Article 6(1) of the GDPR/
- data processing with regard to the date of birth on the basis of legislation (Articles 30 and 31 of Act C of 1990) /point (c) of Article 6(1) of the GDPR/
Source of data: from online intermediary companies, travel agencies considered as independent data controllers
Transfer of personal data: online booking sites and travel agencies are considered as independent data controllers; in this process, data processor will not be required
Deadline for data erasure:
- the personal data acquired during the booking will be processed as long as the contractual relationship with the data subject exists
Excluding:
- name, address: under Article 169 of Act C of 1990 on Accounting, for 8 years
- name and age of guests: until the last day of the 5th year following the current year as set out in Article 78 (3) and Article 202 (1) of Act CL of 2017 on the Rules of Taxation
Related document:
Document number: 004
Document name: Privacy Notice - booking

Gift voucher order
Scope of personal data processed:
- customer’s name, e-mail address, phone number, postal address, billing address
- name of the recipient(s), number of their children and their age
Purpose of processing: provision of gift voucher service
Legal basis for processing: performance of the contract /point (b) of Article 6(1) of the GDPR/
Source of data: the customer’s data from the data subject, the recipient’s data from the customer
Transfer of personal data:
1. To Morgens Design Kft. (8800 Nagykanizsa, Csányi László u 2) for the purpose of operating online booking system
2. OTP Bank Nyrt, OTP Mobil Kft. and CIB Bank Zrt. for the operation of the payment system needed for online payment transactions
Deadline for data erasure: Data that is not necessary for billing will be processed for 1 year or until the redemption of the voucher, whichever occurs earlier.
Related document:
Document number: 005
Document name: Privacy Notice - gift voucher

Regulars’ Programme
Scope of personal data processed: name, number of previous hotel stays
Purpose of processing: providing discounts, increasing sales, building clientele
Legal basis for processing: the data subject’s consent /point (a) of Article 6(1) of the GDPR/
Source of data: from data subject, from own records
Transfer of personal data: does not take place
Deadline for data erasure: until the withdrawal of the data subject’s consent
Related document:
Document number: 008
Document name: Privacy Notice - check in

Billing
Scope of personal data processed: name, address, credit card information
Purpose of processing: providing discounts, increasing sales, building clientele
Legal basis for processing: fulfillment of legal obligations laid down in Article 169 of Act C of 2000 on Accounting /point (c) of Article 6(1) of the GDPR/
Source of data: from the data subject
Transfer of personal data: OTP Bank Nyrt, OTP Mobil Kft. and CIB Bank Zrt. for the purpose of conducting payment transactions
Deadline for data erasure: under Article 169 of Act C of 2000 on Accounting, for 8 years
Related document:
Document number: 008
Document name: Privacy Notice - check in

Photo shoot, video recording
Scope of personal data processed: image of the guest and his child
Purpose of processing: promotion of the hotel through social network sites
Legal basis for processing: the data subject’s consent /point (a) of Article 6(1) of the GDPR/
Source of data: from the assigned photographer
Transfer of personal data: does not take place
Deadline for data erasure: until the withdrawal of the data subject’s consent
Related document:
Document number: 016
Document name: Privacy Notice - photo and video

Kolping Hotel**** Spa & Family Resort Tel.: +36 83 344 143 sales@kolping.hotel.hu