Privacy Policy
I.) INTRODUCTION
The purpose of this document (hereinafter referred to as the “Notice”) is to provide appropriate information regarding the processing of personal data of natural persons by Horváth Mihály Tér Kft., registered address: 1204 Budapest, Mártírok útja 290., operator of the Marone Suites accommodations (hereinafter referred to as the data controller/company).
The provisions of this Notice are based in particular on the relevant provisions of the following national and European Union legislation:
· Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, i.e. the General Data Protection Regulation (GDPR) of the European Union;
· Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.);
· Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (Ekertv.);
· Act C of 2003 on Electronic Communications (Eht.);
· Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (Grt.);
· Act C of 2000 on Accounting (Sztv.);
· Act CL of 2017 on the Rules of Taxation (Art.);
· Act C of 1990 on Local Taxes (Htv.);
· Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (Szvmtv.);
· Act CXIX of 1995 on the Processing of Name and Address Data for the Purpose of Research and Direct Marketing (Nlktv.);
· Act V of 2013 on the Civil Code (Ptk.);
· Act XIX of 1998 on Criminal Procedure (Be.);
· Act II of 2012 on Misdemeanors, Misdemeanor Procedure, and the Misdemeanor Registry System (Szabstv.);
· Act CLV of 2016 on Official Statistics (Stattv.);
· Government Decree 388/2017 (XII.13.) on the Mandatory Data Reporting of the National Statistical Data Collection Program (OSTAPr.);
· Act II of 2007 on the Entry and Stay of Third-Country Nationals (Hmtv.);
· Government Decree 114/2007 (V.24.) on the Implementation of Act II of 2007 on the Entry and Stay of Third-Country Nationals (Hmtv. Implementing Decree);
· Act CLV of 1997 on Consumer Protection (Fgytv.).
The Hungarian text of this Notice is continuously available and can be accessed and reviewed on the website maronesuites.com, as well as in printed form at the registered office of the Data Controller and at the actual location of data processing: 1082 Budapest, Horváth Mihály tér 15.
Please read this Notice carefully!
II.) THE DATA CONTROLLER
Name: Horváth Mihály Tér Kft.
Registered seat: 1204 Budapest, Mártírok útja 290.
Company registration number: 01 09 273357
Tax number: 25406836-2-43
Telephone: +36 1 784 0404
Email: anita@marone.hu
Actual data processing location: 1082 Budapest, Horváth Mihály tér 15.
Data Protection Officer:
The Data Controller is not obliged to appoint a data protection officer pursuant to Article 37 of the GDPR.
III.) DEFINITIONS
“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future.
“profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
“controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
“processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
“third party”: a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
“the data subject’s consent”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
“personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
“main establishment”:
a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented; in that case, the establishment having taken such decisions shall be considered to be the main establishment;
b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place, insofar as the processor is subject to specific obligations under this Regulation.
“representative”: a natural or legal person established in the Union who, designated in writing by the controller or processor pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this Regulation.
“supervisory authority”: an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
“concerned supervisory authority”: a supervisory authority which is concerned by the processing of personal data because:
a) the controller or processor is established on the territory of the Member State of that supervisory authority;
b) the data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
c) a complaint has been lodged with that supervisory authority.
“cross-border processing of personal data”:
a) processing of personal data which takes place in the context of the activities of establishments of a controller or a processor in more than one Member State of the Union where the controller or processor is established in more than one Member State; or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
“relevant and reasoned objection”: an objection to a draft decision as to whether there is an infringement of this Regulation, or whether the envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision with regard to the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.
“international organisation”: an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
“third country”: any state that is not an EEA member state.
IV.) DATA PROCESSING
A) Data Processing Related to Online Accommodation Booking
The Data Controller provides the possibility of online booking in order to allow guests to book rooms operated by Horváth Mihály Tér Kft. quickly, conveniently, and free of charge.
Purpose of data processing:
To facilitate, simplify, and make the accommodation booking process more efficient and cost-free.
Legal basis for data processing:
· The prior consent of the person making the booking [Article 6(1)(a) GDPR];
· The necessity of taking steps at the request of the data subject prior to entering into a contract [Article 6(1)(b) GDPR].
Scope of personal data processed:
Form of address; surname and first name; address (country, postal code, city, street, house number); telephone number; e-mail address; in the case of a business entity: company name and registered seat; bank card number; SZÉP card details (identifier, name on card); name, e-mail address, and telephone number of representative/contact person.
Duration of data processing:
Two (2) years following the last day of the stay according to the booking.
Use of data processors:
The Data Controller uses the assistance of IT service providers for the online accommodation booking system as detailed below:
| Data Processor | Registered Seat | Description of Data Processing Activities |
| --- | --- | --- |
| Guesty, Inc. | 440 N Barranca Ave PMB 9720, Covina, CA 91723-1722, United States | Processing of data related to accommodation bookings within the Guesty software |
| GAP Solutions Kft. | 2162 Őrbottyán, Fekete István út 75/2 | Processing of data related to accommodation bookings within the RoomSoft software |
| Alphabet Inc. | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | Processing of data arising from website usage within Google Analytics |
Possible consequences of failure to provide data:
The contract for the accommodation room cannot be concluded.
Rights of the data subject:
The data subject (the person whose personal data are processed by Horváth Mihály Tér Kft.) may:
a) request information and access regarding the processing of their personal data,
b) request rectification,
c) request erasure,
d) request restriction of processing under the conditions of Article 18 GDPR (i.e. that the controller shall not erase or destroy the data until the request of a court or authority, but for no longer than thirty days, and shall not process it for any other purpose),
e) object to the processing of personal data,
f) exercise the right to data portability — meaning that the data subject has the right to receive their personal data in Word or Excel format and to request the transfer of such data to another controller.
Additional information:
The Data Controller takes all necessary technical and organisational measures to prevent any possible personal data breach (e.g. damage, loss, or unauthorised access to files containing personal data).
B) Data Processing Related to Requests for Quotation
The Data Controller provides the possibility for guests to request a quotation electronically.
Purpose of data processing:
To provide preliminary information on the accommodation’s prices.
Legal basis for data processing:
· The prior consent of the person requesting the quotation [Article 6(1)(a) GDPR];
· The necessity of taking steps at the request of the data subject prior to entering into a contract [Article 6(1)(b) GDPR].
Scope of personal data processed:
Form of address; surname and first name; telephone number; e-mail address; number of guests; billing name and address; number and age of children.
Duration of data processing:
Two (2) years following the last day of the booked stay.
Use of data processors:
The Data Controller uses IT service providers for operating the online quotation request system as follows:
| Data Processor | Registered Seat | Description of Data Processing Activities |
| --- | --- | --- |
| Guesty, Inc. | 440 N Barranca Ave PMB 9720, Covina, CA 91723-1722, United States | Processing of data related to accommodation bookings within the Guesty software |
| GAP Solutions Kft. | 2162 Őrbottyán, Fekete István út 75/2 | Processing of data related to accommodation bookings within the RoomSoft software |
| Alphabet Inc. | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | Processing of data arising from website usage within Google Analytics |
Possible consequences of failure to provide data:
The accommodation cannot provide a quotation.
Rights of the data subject:
The data subject (the person whose personal data are processed by the Data Controller) may:
a) request information and access regarding the processing of their personal data,
b) request rectification,
c) request erasure,
d) request restriction of processing under the conditions of Article 18 GDPR (meaning that the company shall not erase or destroy the data until the request of a court or authority, but for no longer than thirty days, and shall not process it for any other purpose),
e) object to the processing of personal data,
f) exercise the right to data portability — meaning that the data subject has the right to receive their personal data in Word or Excel format and to request the transfer of such data to another controller.
Additional information:
The Data Controller takes all necessary technical and organisational measures to prevent any possible data protection incident (e.g. damage, loss, or unauthorised access to files containing personal data).
C) Data Processing Related to the Provision of Services and Billing
The Data Controller processes the personal data of its guests for the performance of contracts concluded with them — including the payment of fees related to the use of accommodation services.
Purpose of data processing:
Use of the provided services by the data subject, determination and invoicing of the consideration.
Legal basis for data processing:
· The necessity for the performance of a contract to which the data subject is a party [Article 6(1)(b) GDPR];
· Compliance with a legal obligation under Section 69 (1)-(2) of Act C of 2000 on Accounting [Article 6(1)(c) GDPR].
Scope of personal data processed:
Surname and first name, residential address.
Duration of data processing:
Five (5) years from the date of provision of the personal data by the data subject (statutory limitation period).
In case of invoice issuance: eight (8) years from the date of provision of the personal data by the data subject and the preparation of the annual report, business report, or accounting records for the given financial year.
Use of data processors:
The Data Controller uses accounting services for invoicing as follows:
| Data Processor | Registered Seat | Description of Data Processing Activities |
| --- | --- | --- |
| Qsoft Kft. | 1119 Budapest, Fehérvári út 85. | Provision of accounting services |
Possible consequences of failure to provide data:
The data subject cannot use the accommodation services.
Rights of the data subject:
The data subject may request information, rectification, erasure, restriction, object to processing, and exercise the right to data portability under the same terms as above.
Additional information:
The Data Controller takes all necessary technical and organisational measures to prevent any possible data protection incident.
D) Data Processing Related to Newsletter Subscription
The Data Controller maintains contact with its guests via newsletters, through which it recommends its services and informs them about updates, promotions, and news related to its operations.
Purpose of data processing:
To maintain contact with potential hotel guests and partners, and to preserve and develop business relationships established with guests.
Legal basis for data processing:
The data subject’s consent [Article 6(1)(a) GDPR].
Scope of personal data processed:
Surname and first name, e-mail address.
Duration of data processing:
Until the data subject unsubscribes from the newsletter.
Use of data processors:
The Data Controller uses IT service providers for its online accommodation system as follows:
| Data Processor | Registered Seat | Description of Data Processing Activities |
| --- | --- | --- |
| Guesty, Inc. | 440 N Barranca Ave PMB 9720, Covina, CA 91723-1722, United States | Processing of data related to accommodation bookings within the Guesty software |
| GAP Solutions Kft. | 2162 Őrbottyán, Fekete István út 75/2 | Processing of data related to accommodation bookings within the RoomSoft software |
| Alphabet Inc. | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | Processing of data arising from website usage within Google Analytics |
| The Rocket Science Group LLC | 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308 | Processing of data provided by users on the website within the Mailchimp newsletter management software |
Possible consequences of failure to provide data:
The data subject will not receive newsletters from the Data Controller.
Rights of the data subject:
The data subject may exercise the same rights as described in previous sections.
Unsubscribing from the newsletter is possible at any time by sending an e-mail to anita@marone.hu. In such cases, the Data Controller will immediately delete the personal data related to the newsletter from its database.
Additional information:
The Data Controller takes all necessary technical and organisational measures to prevent any possible data protection incident (e.g. damage, loss, or unauthorised access to files containing personal data).
E) Data Processing Related to Guest Registration and Registration Forms
Upon arrival at the accommodation, before occupying the booked and confirmed room, the guest fills out a hotel registration form, which includes the guest’s personal data. The data on the registration form are stored by the Data Controller both in the hotel software and on paper.
Purpose of data processing:
To contact the guest, maintain communication, identify the guest, distinguish guests from each other, process room reservation requests, link the specific room with the guest, manage room bookings, provide targeted service, issue invoices, fulfil accounting obligations, create, define, modify, and monitor the performance of the contract, invoice fees arising therefrom, enforce related claims, fulfil data reporting and record-keeping obligations, and meet tax declaration requirements.
Legal basis for data processing:
The data subject’s consent [Article 6(1)(a) GDPR].
Scope of personal data processed:
Surname and first name, e-mail address, residential address, mother’s maiden name, place and date of birth, telephone number, nationality, vehicle registration number.
Duration of data processing:
In case of cancellation without legal consequences, data are deleted immediately.
In case of failure or termination of contract: five (5) years following such failure or termination.
If an accounting document is issued: eight (8) years from the date of its issuance.
Until the expiry of the right to determine tax liability; until the withdrawal of the guest’s consent.
Possible consequences of failure to provide data:
The booking/contract for the given room cannot be established.
F) Data Processing Related to Payment
The Data Controller ensures that, in addition to cash, the guest may pay for products/services by bank transfer or with a bank card (including credit cards).
Purpose of data processing:
Execution of payment transactions, fulfilment of accommodation bookings and contracts.
Legal basis for data processing:
Consent and performance of contract.
Scope of personal data processed:
Bank account number, cardholder’s name, card number, expiration date, CVV code.
Legal basis for data processing:
· Consent – the data subject has given consent to the processing of their personal data for one or more specific purposes [Article 6(1)(a) GDPR];
· Performance of contract – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the data subject’s request prior to entering into a contract [Article 6(1)(b) GDPR].
Duration of data processing:
If the booking is cancelled without legal consequences, data are deleted immediately; in case of failure or termination of contract: five (5) years following such failure or termination; until withdrawal of consent by the guest.
Possible consequences of failure to provide data:
The booking/contract for the given room cannot be established.
Data transfer:
The data are processed by the Data Controller’s contractual payment partners and contractual banking partners as follows:
| Name | Registered Seat | Role | Description of Data Processing | Legal Basis |
| --- | --- | --- | --- | --- |
| CIB Bank Zrt. | 1024 Budapest, Petrezselyem utca 2–8. | Independent data controller | – | Processing necessary for contract performance |
| Guesty, Inc. | 440 N Barranca Ave PMB 9720, Covina, CA 91723-1722, United States | Independent data controller | Processing of data arising from payments in the Guesty Pay system | Processing necessary for contract performance |
G) Electronic Surveillance System
An electronic surveillance system (CCTV) operates on the premises of the accommodation operated by the Data Controller. The installed cameras are located in the following areas:
· Corridors
· Reception
· Parking area
· Common areas
Purpose of data processing:
To protect human life, physical integrity, and property by preventing and detecting unlawful acts, apprehending perpetrators, and providing evidence of infringements; to identify persons entering the accommodation premises without authorisation; to record entries; to document the activities of unauthorised persons; and to investigate circumstances of workplace or other accidents.
Legal basis for data processing:
Legitimate interest – the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party [Article 6(1)(f) GDPR]. The Data Controller has a legitimate interest in ensuring personal and property protection.
Scope of personal data processed:
Image of persons entering the accommodation premises as recorded by the surveillance system, and any other personal data captured by the system.
Duration of data processing:
Three (3) working days, or a longer period established and justified by the legitimate interest assessment carried out by the Data Controller.
Persons authorised to view live images:
Employees of the Data Controller with appropriate authorisation.
Persons authorised to view recorded footage:
Employees of the Data Controller with appropriate authorisation.
Persons authorised to copy recordings onto data carriers:
Employees of the Data Controller with appropriate authorisation.
Further details:
Recordings stored by the surveillance system may only be viewed by authorised persons for the purpose of proving infringements of human life, physical integrity, or property, and for identifying the perpetrator. A data subject whose right or legitimate interest is affected by the recording may, by verifying such right or interest, request that the Data Controller not delete or destroy the recording until the request of a court or authority, but for no longer than 30 days. The person appearing in the recording may request information regarding footage recorded about them, request a copy, or, if the recording contains images of others, may inspect the recording. The data subject may request deletion or rectification of the footage, or object to its processing.
The Data Controller keeps a record of access to the stored recordings, the name of the person viewing them, the reason and time of access.
Data transfer:
In case of misdemeanor or criminal proceedings, to the competent authorities or courts.
Scope of data transferred:
Recordings made by the camera system containing relevant information.
Legal basis for transfer:
· Act XIX of 1998 on Criminal Procedure (Be.) §§ 71(1), 151(2)(a), 171(2);
· Act II of 2012 on Misdemeanors (Szabstv.) §§ 75(1)(a), 78(3).
H) Other Data Processing: Server Logging of the Website www.maronesuites.com
When visiting the website www.maronesuites.com, the web server automatically logs user activity.
Legal basis for data processing:
· Consent – the data subject has given consent to the processing of their personal data for one or more specific purposes [Article 6(1)(a) GDPR];
· Legitimate interest – processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party [Article 6(1)(f) GDPR]; the Data Controller has a legitimate interest in the secure operation of the website.
Duration of data processing:
Ninety (90) days from the date of visiting the website.
Use of data processors:
| Data Processor | Registered Seat | Description of Data Processing Activities |
| --- | --- | --- |
| Guesty, Inc. | 440 N Barranca Ave PMB 9720, Covina, CA 91723-1722, United States | Processing of data related to accommodation bookings within the Guesty software |
| GAP Solutions Kft. | 2162 Őrbottyán, Fekete István út 75/2 | Processing of data related to accommodation bookings within the RoomSoft software |
| Alphabet Inc. | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | Processing of data arising from website usage within Google Analytics |
I) Cookie Management
To ensure personalised service, the Data Controller places small data packages called “cookies” on the user’s computer and reads them back during later visits. If the browser sends back a previously saved cookie, the service provider handling the cookie can connect the user’s current visit to the previous ones, but only with regard to its own content.
Purpose of data processing:
Identification, tracking, and differentiation of users; identification of the current session; storage of data provided during the session; prevention of data loss; web analytics; personalised service.
Legal basis for data processing:
The data subject’s consent [Article 6(1)(a) GDPR].
Scope of data processed:
Date, time, and the previously visited page.
Duration of data processing:
A maximum of thirty (30) days from the date of visiting the website.
Use of data processors:
| Data Processor | Registered Seat | Description of Data Processing Activities |
| --- | --- | --- |
| Guesty, Inc. | 440 N Barranca Ave PMB 9720, Covina, CA 91723-1722, United States | Processing of data related to accommodation bookings within the Guesty software |
| GAP Solutions Kft. | 2162 Őrbottyán, Fekete István út 75/2 | Processing of data related to accommodation bookings within the RoomSoft software |
| Alphabet Inc. | 1600 Amphitheatre Parkway, Mountain View, CA 94043 | Processing of data arising from website usage within Google Analytics |
Further information:
The cookie can be deleted by the user from their own computer, or the use of cookies can be disabled in the browser.
Detailed information on cookie preferences in browsers can be found at:
· Internet Explorer
· Firefox
· Chrome
· Safari
V.) STORAGE OF PERSONAL DATA AND SECURITY OF DATA PROCESSING
The IT systems and other data storage locations of the Data Processor are located at the Data Controller’s registered office and on servers rented by the Data Processor.
The Data Processor selects and operates the IT tools used for processing personal data in the course of providing the service in such a way that the processed data shall be:
a) accessible to those authorised to access them (availability);
b) authentic and verifiable (authenticity of data processing);
c) proven to be unchanged (data integrity);
d) protected against unauthorised access (confidentiality of data).
The Data Controller pays special attention to data security, and takes the technical and organisational measures and establishes the procedural rules necessary to enforce the guarantees under the GDPR. The data are protected in particular against unauthorised access, alteration, transmission, disclosure, deletion or destruction, accidental destruction, damage, and loss, as well as becoming inaccessible due to changes in the applied technology.
The IT systems and networks of the Data Controller and its partners are protected against computer-assisted fraud, computer viruses, hacking, and attacks leading to denial of service. The operator ensures security by server-level and application-level protection procedures. Daily data backups are in place.
To prevent data protection incidents, the Data Controller takes all possible measures; in the event of such an incident, it acts immediately — in accordance with its internal regulations — to minimise risks and eliminate damage.
VI.) RIGHTS OF THE DATA SUBJECT AND POSSIBILITIES FOR LEGAL REMEDY
The data subject may exercise the rights listed below by means of a verbal or written request addressed to the Data Controller. The Data Controller’s contact details are provided in Chapter II of this Notice.
1. Right to Information Regarding the Processing of Personal Data
Upon request, the Data Controller shall provide the data subject with information on the data processed by it or by a data processor acting on its behalf or under its instructions, the source of the data, the purpose, legal basis, and duration of processing, the name and address of the data processor and its activities related to data processing, the circumstances and effects of any personal data breach, the measures taken to remedy it, and—in case of transfer of the data subject’s personal data—the legal basis and recipient of the transfer.
The Data Controller shall provide the information in an intelligible form in writing, upon request, within the shortest possible time but no later than within 25 days from submission of the request.
2. Right of Access to Personal Data
The data subject has the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:
a) the purposes of processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the existence of the right to request rectification, erasure or restriction of processing, or to object to such processing;
f) the right to lodge a complaint with a supervisory authority;
g) where the data were not collected from the data subject, any available information as to their source;
h) the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and possible consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.
The Data Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Data Controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic format unless otherwise requested.
The right to obtain a copy must not adversely affect the rights and freedoms of others.
3. Right to Rectification
The data subject has the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
4. Right to Erasure (“Right to be Forgotten”)
The data subject has the right to obtain from the Data Controller the erasure of personal data concerning them without undue delay, and the Data Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject;
f) the personal data have been collected in relation to the offer of information society services.
Where the Data Controller has made the personal data public and is obliged to erase them, the Data Controller, taking account of available technology and implementation cost, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.
Erasure shall not be initiated where processing is necessary for exercising the right of freedom of expression and information; compliance with a legal obligation; reasons of public interest; purposes of public health, archiving, scientific or historical research or statistical purposes; or the establishment, exercise, or defence of legal claims.
5. Right to Restriction of Processing
The data subject has the right to obtain restriction of processing from the Data Controller where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the data and requests restriction of their use instead;
c) the Data Controller no longer needs the personal data for processing purposes, but the data are required by the data subject for the establishment, exercise, or defence of legal claims; or
d) the data subject has objected to processing; in this case, restriction applies until it is verified whether the legitimate grounds of the Data Controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
The Data Controller shall inform the data subject who requested restriction before the restriction is lifted.
The Data Controller shall communicate any rectification, erasure, or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about those recipients if requested.
6. Right to Data Portability
The data subject has the right to receive the personal data concerning them, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where:
a) the processing is based on consent or on a contract; and
b) the processing is carried out by automated means.
In exercising this right, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.
This right shall not adversely affect the right to erasure and shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, nor shall it adversely affect the rights and freedoms of others.
7. Right to Withdraw Consent
The data subject has the right to withdraw their consent to the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
8. Right to Lodge a Complaint with a Supervisory Authority
To ensure the enforcement of the right to the protection of personal data, a report may be submitted to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság – NAIH), upon which a data protection authority procedure may be or will be initiated.
If the procedure was preceded by an investigation initiated based on a report, the notifier must be informed of the commencement and conclusion of the authority procedure.
9. Right to Judicial Remedy
The data subject has the right to seek judicial remedy if their rights have been violated. The court shall act in the case without delay.
The Data Controller bears the burden of proving that its data processing complies with legal requirements.
The action may be brought before the competent court of the data subject’s place of residence or habitual residence.
A person without legal capacity may also be a party to such proceedings. The National Authority for Data Protection and Freedom of Information may intervene in the proceedings in support of the data subject.
If the court grants the application, it may order the Data Controller to provide information, rectify, restrict, or delete data, annul a decision made by automated data processing, or take into account the data subject’s objection.
The court may order publication of its judgment – including the identification details of the Data Controller – if required by the interests of data protection or the rights of a large number of data subjects.
VII.) MISCELLANEOUS PROVISIONS
The Data Controller undertakes that all data processing related to its activities shall comply with the provisions of this Notice, its internal regulations imposing identical requirements, and the expectations set forth in the applicable legislation.
The Data Controller reserves the right to amend this Notice at any time; in such case, data subjects shall be informed of the changes via a notice published on the website after the amendments have been incorporated.
If you have any questions regarding the contents of this Notice, please send an e-mail to the address provided in Section II of this document.
Budapest, September 2025


