General Provisions

Bánhida Hotelservice Ltd. (registered office: 1031 Budapest, Péter St. 4., company registration number: 01-09-464397, hereinafter referred to as the Data Controller), as the operator of Residence Hotel Balaton, always ensures the legality and purposefulness of data processing concerning the personal data it manages. The purpose of this privacy notice is to provide our guests, who book accommodation and provide their personal data, with adequate information before the booking or before providing their personal data about the conditions, guarantees, and duration under which our company processes their personal data. Our company adheres to the provisions of this privacy notice in all cases of personal data processing, and considers these provisions binding upon itself.

However, we reserve the right to modify this unilateral legal statement, in which case we will inform the affected parties in advance. If you have any questions regarding the contents of this privacy notice, please contact us by letter or e-mail. Our company’s data processing activities are based on voluntary consent, or in some cases, data processing is necessary to take steps at the request of the data subject before concluding a contract.

Our data processing complies with the applicable laws, in particular the following:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”), as well as Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act).

Data Controller’s details and contact information are as follows:

  • Name: Bánhida Hotelservice Ltd.
  • Registered Office: 1031 Budapest, Péter St. 4.
  • Mailing Address: 8600 Siófok, Erkel Ferenc St. 49.
  • Company Registration Number: 01-09-464397
  • Tax Number: 10411810-2-41
  • Phone Number: +36 30 200 1282
  • E-mail: info@rhb.hu
  • Data Controller’s Representative: Csaba Tikos-Nagy, CEO

Data Controller details for online booking system:

  • Name: NetHotelBooking Ltd.
  • Tasks: Online booking system
  • Registered Office: 8200 Veszprém, Boksa Square 1/A
  • Mailing Address: 8200 Veszprém, Iván Ádám St. 1.
  • Tax Number: 22710776-2-19
  • Phone Number: +36 30 650 0055
  • E-mail: szilagyi.zsuzsa@resnweb.com
  • Website: resnweb.com
  • The Data Processor stores personal data under a written agreement with the Data Controller.

Data Controller details for hotel PMS system:

  • Name: MT-HostWare IT Ltd.
  • Tasks: Hotel PMS system
  • Registered Office and Mailing Address: 1149 Budapest, Róna St. 120.
  • Tax Number: 10426917-2-42
  • Phone Number: +36 1 469 9000
  • E-mail: hostware@hostware.hu
  • Website: www.hostware.hu
  • The Data Processor stores personal data under a written agreement with the Data Controller.

Data Processor details for sales, marketing, communication, consultancy:

  • Name: Hilaris Hotel Management Ltd.
  • Tasks: Sales, marketing, communication, consultancy
  • Registered Office and Mailing Address: 1031 Budapest, Péter St. 4.
  • Tax Number: 32237557-2-41
  • Phone Number: +36 30 448 4679
  • E-mail: hello@hilarishotels.hu
  • Website: hilarishotels.hu
  • The Data Processor stores personal data under a written agreement with the Data Controller.

Data Processor details for IT services and consulting:

  • Name: ICT Solutions Ltd.
  • Tasks: IT services / IT consulting and operation of IT equipment and systems
  • Registered Office and Mailing Address: 1119 Budapest, Nándorfejérvári St. 42-44.
  • Tax Number: 25013322-2-43
  • Phone Number: +36 20 933 2866
  • E-mail: info@ict.hu
  • Website: ICT Megoldások
  • The Data Processor stores personal data under a written agreement with the Data Controller. They are not authorized to access personal data.

Data Processor details for accounting and payroll:

  • Name: Mill-Co. Ltd. (Bt.)
  • Tasks: Accounting and payroll
  • Registered Office and Mailing Address: 1158 Budapest, Jolán St. 18
  • Tax Number: 28715188-2-42
  • Phone Number: +36 30 201 7668
  • E-mail: konyveles@millco.hu
  • Website: N/A
  • The Data Processor stores personal data under a written agreement with the Data Controller.

Definitions:

    Data Protection Terms in Our Policy:

  • Data Subject: any natural person identified or identifiable on the basis of any information.
  • Identifiable Natural Person: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal Data: any information relating to the data subject.
  • Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
  • Objection: a declaration by the data subject by which they object to the processing of their personal data and request the termination of data processing or deletion of the processed data.
  • Data Controller: the natural or legal person, or organization without legal personality, who or which alone or jointly with others determines the purposes and means of the processing of personal data (including the means used), makes and implements decisions related to data processing, or has them implemented by the Data Processor, within the framework defined by law or binding acts of the European Union.
  • Data Processing: any operation or set of operations performed on data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data, as well as preventing further use of data, taking photographs, sound or image recordings, and recording physical characteristics suitable for identifying a person.
  • Data Transfer: making data accessible to a specified third party.
  • Disclosure to the Public: making data accessible to anyone.
  • Data Erasure: rendering data unrecognizable so that restoration is no longer possible.
  • Data Marking: labeling data with an identifier for the purpose of distinction.
  • Data Blocking: labeling data with an identifier for the purpose of restricting its further processing permanently or for a defined period.
  • Data Destruction: complete physical destruction of the data carrier containing the data.
  • Data Processing: the entirety of data processing operations performed by the Data Processor on behalf of or under the instructions of the Data Controller.
  • Data Processor: the natural or legal person, or organization without legal personality, who or which processes data based on a contract — including contracts concluded under statutory provisions — with the Data Controller.
  • Data Set: the entirety of data managed in a single register.
  • Third Party: a natural or legal person, or organization without legal personality, who or which is not identical with the data subject, the Data Controller, the Data Processor, or those persons under the direct authority of the Data Controller or the Data Processor performing operations related to personal data processing.

Principles of Personal Data Processing:

  1. Lawfulness, Fairness, and Transparency: Personal data collection and processing must be fair and lawful and carried out transparently for the data subject. [Info Act, Section 4 (1)]
  2. Purpose Limitation: Personal data may only be processed for specified, explicit and legitimate purposes. [Info Act, Section 4 (1)]
  3. Data Minimization: Only personal data necessary and appropriate for achieving the purpose of processing may be processed. [Info Act, Section 4 (2)]
  4. Accuracy or Data Quality: Beyond fairness and lawfulness, the Data Controller is obliged to process data that are accurate, complete, and up to date. [Info Act, Section 4 (2)]
  5. Storage Limitation: Personal data must be erased when the purpose of processing has ceased. [Info Act, Section 17 (2)]
  6. Integrity and Confidentiality: Personal data — except for mandatory processing — may only be processed based on consent or on other legal grounds specified in Section 6 of the Info Act. [Info Act, Sections 5-6, 14-21]
  7. Accountability: The Data Controller is responsible for compliance with the above principles and must be able to demonstrate it.

Data Security Measures:

The Data Controller and the Data Processor shall take all necessary technical and organizational measures to ensure an appropriate level of security for the personal data processed, in order to avoid any potential data protection incident (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, a register is maintained for the purpose of monitoring necessary measures and informing the data subject. This register includes the scope of personal data involved, the number and category of data subjects affected, the date, circumstances, and impact of the incident, the measures taken to mitigate it, as well as any other data required by applicable data protection legislation.

Data Processing Related to Hotel Services:

Our hotel, Residence Hotel Balaton (8600 Siófok, Erkel Ferenc u. 49.), operated by the Data Controller, offers guests hotel services, restaurant services, and other related services (spa usage, recreational and beauty services, etc.).

Purpose of Data Processing:

To carry out administration related to hotel services, invoicing, and handling individual guest requests.

Legal Basis for Processing:

Performance of a contract and compliance with legal obligations of the Data Controller.

Categories of Personal Data Processed:

Salutation; last name and first name; address (country, postal code, city, street, house number); phone number; email address; company name and registered office (if a legal entity); bank card number; data from identity documents; vehicle license plate number.

Data Retention Period:

    Seven years from issuing the invoice.

    Three years after the guest’s departure to comply with immigration and law enforcement regulations.

    Two years after the last day of stay for maintaining contact and ensuring quality service.

Possible Consequences of Not Providing Data:

No contract for hotel services will be concluded.

Data Processing Related to Wellness Services:

Guests at Residence Hotel Balaton may also use related services such as wellness treatments.

Purpose of Data Processing:

To perform administration related to hotel services, invoicing, handling individual needs, and assessing health status to determine eligibility for the service.

Legal Basis for Processing:

Prior consent of the person booking the supplementary hotel service and legitimate interest.

Categories of Personal Data Processed:

Last name and first name; health status.

Data Retention Period:

30 calendar days from the date of service use.

Possible Consequences of Not Providing Data:

The hotel cannot provide the service.

Data Processing Related to Requests for Offers:

Our company provides guests the opportunity to request offers electronically. Offers are provided automatically, taking into account available capacities.

Purpose of Data Processing:

Preliminary inquiry regarding hotel prices.

Legal Basis for Processing:

Prior consent of the person making the booking or processing necessary to take steps at the request of the data subject before entering into a contract.

Categories of Personal Data Processed:

  1. Salutation;
  2. Last name and first name;
  3. Phone number;
  4. Email address;
  5. Number of guests.

Data Retention Period:

Two years after the last day of the stay according to the booking.

Possible Consequences of Not Providing Data:

The hotel cannot provide an offer.

Data Processing Related to Newsletter Subscription:

Our company maintains contact with guests via newsletter, informing them about our services, updates, and promotions.

Data Controller:

Bánhida Hotelservice Kft (registered office: 1031 Budapest, Péter u. 4.) and Hilaris Hotel Management Kft as Data Processor.

Purpose of Data Processing:

Communication with potential hotel guests.

Legal Basis for Processing:

Consent of the data subject.

Scope of Processed Personal Data:

Name, e-mail address.

Duration of Data Processing:

Our company processes names and e-mail addresses until the subscriber unsubscribes from the newsletter.

Possible Consequences of Not Providing Data: The data subject will not receive newsletters from our company.

Unsubscription from the Newsletter:

Subscribers can unsubscribe at any time using the link provided in the newsletter or by sending a message to our company at info@rhb.hu. The e-mail address will be deleted from our database immediately in case of online unsubscription, or within 2 business days upon receiving the request by e-mail.

Personal Data Processing Related to Satisfaction Surveys:

As a hotel, our goal is to provide high-quality services to our guests; therefore, we continuously request feedback from guests regarding their experiences during their stay.

Data Controller:

Bánhida Hotelservice Kft (registered office: 1031 Budapest, Péter u. 4.) and Hilaris Hotel Management Kft as Data Processor.

Purpose of Data Processing:

To request feedback from hotel guests to further develop and improve our services.

Legal Basis for Processing:

Consent of the data subject.

Legitimate Interest:

Our company has an interest in receiving information based on feedback to improve our services.

Categories of Personal Data Processed:

  1. Name,
  2. Gender,
  3. E-mail address.

Duration of Data Processing:

Two years after the last day of stay according to the booking.

Possible Consequences of Not Providing Data:

The data subject will not receive satisfaction survey questionnaires from our company.

Cookie Management:

The Data Controller places small data packages called cookies on the user’s computer to provide personalized service, which are read back on subsequent visits. When the browser sends back a previously saved cookie, the service provider managing the cookie can link the user’s current visit to previous ones, but only with respect to their own content.

Purpose of Data Processing:

Identification, tracking, differentiation of users, identification of the current user session, storage of data provided during the session, prevention of data loss, web analytics, and personalized service.

Legal Basis for Processing:

Consent of the data subject.

Categories of Data Processed:

Identifier, date, time, and previously visited page.

Duration of Data Processing:

Maximum 90 days.

Additional Information:

Users can delete cookies from their own computers or disable cookies in their browser. Usually, this can be managed in the browser’s Tools / Settings menu under Privacy / History / Custom settings, under cookies or tracking settings.

Possible Consequences of Not Providing Data:

Inability to use the service.

Website Server Logging:

When visiting the nethotelbooking.net website, the web server automatically logs user activity.

Purpose of Data Processing:

To monitor the operation of services and prevent abuses during website visits.

Legal Basis for Processing:

Legitimate interest for the secure operation of the website.

Categories of Personal Data Processed:

Identifier, date, time, and the URL of the visited page.

Duration of Data Processing:

Maximum 90 days.

Additional Information:

Our company does not link the data collected in log files with any other information and does not attempt to identify users personally. The visited page URLs, date, and time data alone are insufficient for identifying the data subject, but combined with other information (e.g., data provided during registration), they may enable conclusions about the user.

Data Processing Related to Logging by External Service Providers:

The portal’s HTML code contains links from and to external servers independent of our company. The external service provider’s server communicates directly with the user’s computer. Visitors are hereby informed that the providers of these links may collect user data (e.g., IP address, browser type, operating system data, mouse movements, visited page URL, and time of visit) due to direct connection to their servers and communication with the user’s browser.

The IP address is a numerical sequence uniquely identifying computers or mobile devices accessing the internet. Using IP addresses, the visitor’s geographical location can also be determined.

Visited page URLs, date, and time data alone are insufficient for identifying the data subject, but combined with other information (e.g., data provided during registration), they may enable conclusions about the user.

Other Data Processing:

Photography:

Purpose of data processing:

The hotel takes photos during various hotel programs (e.g., children’s animation and activities during peak periods), exclusively in a way that participants are either not visible or their faces are obscured.

Legal basis of data processing: Consent

Scope of processed personal data: photos (non-identifiable and/or with obscured faces)

Camera usage information: https://rhb.hu/adatkezeles

Additional data processing not listed in this privacy notice will be communicated at the time of data collection.

We inform our clients that certain authorities, public bodies, or courts may request personal data from our company for specific purposes. We provide personal data to these bodies only to the extent necessary and as required by law, strictly for the purpose specified in the request.

Storage and Security of Personal Data:

Our company’s IT systems and other data storage locations are situated at the headquarters and on servers rented by our data processor. We select and operate IT tools used in data management to ensure that:

a) data is accessible to authorized persons (availability);

b) data authenticity and verification are ensured (authenticity);

c) data integrity can be verified (integrity);

d) data is protected against unauthorized access (confidentiality).

We pay special attention to data security and implement technical and organizational measures and procedures to enforce GDPR guarantees. We protect data against unauthorized access, alteration, transmission, disclosure, deletion, destruction, accidental loss, damage, or becoming inaccessible due to technological changes.

Our IT systems and networks are protected against computer fraud, viruses, intrusions, and denial-of-service attacks. The operator ensures security with server- and application-level protective measures. Daily data backups are performed. In case of data breaches, we take immediate action to minimize risks and damages according to our incident response policy.

Data Subject Rights and Remedies:

Data subjects have the right to request information about the processing of their personal data, request correction, deletion, withdrawal of consent (except for mandatory data processing), data portability, and objection to data processing as specified at the time of data collection or via the contact details below.

We provide requested information electronically without delay, at the latest within 30 days, following our internal procedures. Requests are fulfilled free of charge.

Right to Information:

We ensure that data subjects receive clear, transparent, concise, understandable, and easily accessible information about personal data processing. Information can be requested in writing via the contact details in section 1. Upon identity verification, information may also be provided orally.

If there is doubt about the data subject’s identity, we may request additional information to confirm it.

Right of Access:

Data subjects have the right to obtain confirmation about whether their personal data is being processed and, if so, to access:

  • the purposes of data processing;
  • categories of personal data processed;
  • recipients or categories of recipients of the data, including third countries or international organizations;
  • the planned storage period;
  • the right to correction, deletion, restriction of processing, and objection;
  • the right to lodge a complaint with a supervisory authority;
  • the source of the data;
  • information about automated decision-making, including profiling, and its consequences.

In case of data transfer to third countries or international organizations, data subjects have the right to information about appropriate safeguards.

Right to Rectification:

Data subjects can request correction of inaccurate or incomplete personal data.

Right to Erasure:

Data subjects can request deletion of their personal data without undue delay if:

a) data is no longer necessary for the purpose collected;

b) consent is withdrawn and no other legal basis for processing exists;

c) objection to processing and no overriding lawful reason exists;

d) unlawful processing is established;

e) data must be deleted under EU or national law;

f) data was collected in relation to information society services offered to a child.

Data deletion cannot be requested if processing is necessary for:

a) freedom of expression and information;

b) compliance with legal obligations or public interest tasks;

c) public health, archiving, research, or statistics in the public interest;

d) legal claims enforcement or defense

Right to Restriction of Processing:

Data subjects can request restriction of processing if:

a) accuracy of data is contested;

b) processing is unlawful but erasure is opposed and restriction requested;

c) data is no longer needed but required for legal claims;

d) objection to processing is lodged pending verification of overriding grounds.

Restricted data may only be processed with consent, for legal claims, protection of others’ rights, or important public interest. Data subjects must be notified when restriction is lifted.

Right to Data Portability:

Data subjects have the right to receive their personal data in a structured, commonly used, machine-readable format and transfer it to another controller. Our company provides data in Word or Excel format upon request.

Right to Object:

If data is processed for direct marketing, data subjects can object at any time, including profiling related to direct marketing. Upon objection, data cannot be processed for these purposes.

Automated Decision-Making in Individual Cases, Including Profiling:

a) The data subject has the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning them or similarly significantly affects them. The above right does not apply if the automated processing

a) is necessary for the conclusion or performance of a contract between the data subject and the data controller;

b) is authorized by Union or Member State law applicable to the data controller, which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests; or

c) is based on the explicit consent of the data subject.

Right to Withdraw Consent:

The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Procedural Rules:

The data controller shall inform the data subject without undue delay, but at the latest within one month of receipt of the request pursuant to Articles 15–22 of the GDPR, about the measures taken. This period may be extended by a further two months, taking into account the complexity and number of requests. The data controller shall inform the data subject about the extension within one month of receipt of the request, stating the reasons for the delay.

If the data subject submitted the request electronically, the information shall be provided by electronic means unless otherwise requested by the data subject.

If the data controller does not take action on the data subject’s request, they shall inform the data subject without delay and at the latest within one month of receipt of the request about the reasons for not taking action and the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The data controller shall communicate any rectification, erasure, or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the data controller shall inform the data subject about these recipients.

Compensation and Damages:

Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall be entitled to receive compensation from the data controller or processor for the damage suffered. The processor shall only be liable for the damage caused by processing if it has not complied with obligations specifically directed to processors or if it has acted contrary to the lawful instructions of the controller.

Where there are multiple controllers or processors involved in the same processing and they are liable for the damage caused, each controller or processor shall be jointly and severally liable for the entire damage. The data controller or processor shall be exempt from liability if it proves that it is not responsible for the event giving rise to the damage.

Legal Remedies:

Requests, questions, or comments related to data processing may be sent by email to info@rhb.hu.

Complaints regarding possible violations by the data controller can be lodged with the National Authority for Data Protection and Freedom of Information (NAIH):

National Authority for Data Protection and Freedom of Information

Mailing address: 1530 Budapest, Pf.: 5.

Office address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

Website: https://naih.hu

In case of violation of the data subject’s rights, they may also take the data controller to court. The lawsuit may be filed before the court competent according to the data subject’s choice, either the court of their place of residence or habitual residence.