Boutique Residence Budapest
Privacy Policy – Data Protection Guide
Table of contents
1. Preamble... 3
2. Data Controller... 3
3. The aim of the Data Protection Guide... 3
4. Definitions... 4
5. The scope of the DPG... 6
6. Rights... 6
a) Right to information... 6
b) Corrections... 7
c) Right to erasure... 7
d) Right to restriction of processing... 7
e) Right to data portability... 7
f) Right to object... 8
g) Automated individual decision-making, including profiling... 8
4. Remedy... 8
5. Compensation and injury claims... 9
6. Principles... 9
7. Legal basis... 10
8. The period of data management... 11
9. Data management - Using hotel services... 11
a) Data management – Request for information... 11
b) Data management – Request for quotation... 12
c) Data management - Room reservation and specialoffer... 12
d) Data management - Hotel registration cards... 13
e) Data management - Surveillance cameras... 13
f) Data management – Vouchers, coupons... 14
g) Data management - Guest questionnaire,evaluation system... 14
h) Data management – Newsletter... 15
i) Data management – Guestbook... 15
j) Data management - Table reservation... 16
k) Data management – Credit/Bank card data... 16
l) Data management – Social media... 16
m) Data management - Website traffic data... 17
10. Data safety... 17
11. Data processor... 18
12. Data transfer... 18
13. Miscellaneous rules, governing law, jurisdiction... 18
1. Preamble
1. The
operator of Canelones Kft., the Boutique Residence Budapest (hereinafter
referred to as Hotel) as Data Controller hereby draws the attention of its all
customers, Guests, as well as visitors (hereinafter referred to collectively as
Guest(s) or Data Subject(s)) of the website that if you want to be the user of
the website above, or wishes to be the customer of the Data Controller, then
carefully read the General Terms and Conditions and the Data Protection Guide.
2. Boutique
Residence Budapest is dedicated to protecting the privacy of the Data Subject.
This Data Protection Guide explains the Data Controllers’ policies and
practices regarding the personal information it manages.
2. Data Controller
1. According
to the present Data Protection Guide, the Data Controller is:
a) Canelones
Kft., Boutique Residence Budapest
b) Site:
1051. Budapest, Hercegprímás u. 11. 1. floor.
c) Address
of the Hotel: 1051. Budapest, Hercegprímás u. 11. 1. floor.
d) Company
reg. number: 01-09-883067
e) Tax nr: 13981635-2-41
f) Phone:
+36 (31) 789-4216
g) E-mail:
operation@brbudapest.com
h) General
manager: Nyolcas Nikolett
i) Website:
http://www.boutiqueresidencebudapest.com/
j) Social networking websites:
i. https://www.facebook.com/boutiqueresidencebudapest
k) every
employee of the Canelones Kft.
3. The aim of the Data Protection Guide
1. The Data
Controller respects the personal rights of its Guests, hence it prepared this
DPG which is available in electronic format at the Data Controller's website as
well as in print format in the Hotel.
2. Therefore
the aim of the DPG is to regulate the data management procedures, methods to
protect the privacy of the Data Subjects.
3. The
Data Controller hereby states that it observes the provisions of
a) the
Regulation (EU) 2016/679 of the European Parliament and of the Council,
b) the Act
112 of 2011 (hereinafter: "Data Protection Act") on the rights for
information management and freedom of information and and
c) other
Hungarian acts and rules.
4. Definitions
1. Data
Subject: any specific natural person identified or identifiable (directly or
indirectly) based on the personal data, primarily Data Subject is the Guest or Contracting
Party.
2. Guest
means an individual that uses accommodation. Guests also include those persons
that are accommodated together with such Party (e.g. family members, friends
etc.).
3. Contracting
party means the Guest in the Accommodation Contract (see GTC).
4. Hotel
means the Boutique Residence Budapest operated by the Data Controller (as Data
Controller, see GTC).
5. GTC means
the General Terms and Conditions of Accommodation Contract, available on the
website and at the reception desk.
6. DPG means
the present Data Protection Guide, available on the website and at the reception
desk.
7. Personal
data: any data that can relate to the Data Subject - especially the Data
Subject's name, identification number, as well as one or more pieces of
information characteristic of their physical, physiological, mental,
economical, cultural or social attributes - and any such conclusions regarding
the Data Subject that can be drawn from such data;
8. Consent:
voluntary and specific expression of the Data Subject's intention, which is
based on proper information and by which the Data
Subjects
provide a clear and unambiguous consent to managing their personal data
comprehensively or for particular operations;
9. Objection:
a statement by the Data Subjects in which they object to the management of
their personal data and request the termination of data management and/or the
deletion of the data managed;
10. Data
Controller: the natural or legal persons or organizations not having a legal
personality, who or which determine the purpose of data management on its own
or together with others, and make and carry out the decision regarding data
management (including the equipment used), or have the data processor entrusted
by them to carry out such decisions; Data Controller is the Data Controller.
11. Data
management: regardless of the procedure applied; any operation or the whole of
operations performed on data, specifically including the collection, recording,
systematization, storage, modification, application, query, transfer,
publication, harmonisation or linking, blockage, deletion and destruction of
data, as well as the prevention of the further usage of such data,
photographing, audio or visual recording, as well as the recording of physical
attributes suitable for the identification of a person (e.g.: finger- or palm
prints, DNA samples, iris scans);
12. Data transfer: rendering data
accessible for certain third parties;
13. Publication: rendering data
accessible for the general public;
14. Data
deletion: rendering data unrecognisable in such a manner that their restoration
is no longer possible;
15. Tagging
data: applying an identifying mark to the data in order to distinguish them;
16. Data
blocking: applying an identifying mark to the data in order to block their
management for a defined period of time or for good;
17. Data
processing: performing any technical tasks related to data management
operations, regardless of the method and equipment applied for the performance
of such operations as well as of the place of application, provided that the
tasks are performed in terms of data;
18. Data
processor: natural or legal persons and/or organizations not having a legal
personality, who or which perform data processing activities based on their
contract with the Data Controller - including contracts concluded pursuant to
legal provisions;
19. Third
party: natural or legal persons and/or organizations without a legal
personality, who or which are not identical with the Data Subject, the Data
Controller or the data processor.
5. The scope of the DPG
1. The DPG
applies for all data managements in the Hotel executed by the Data Controller.
2. According
to the section 1, the present DPG regulates the methods of the data
managements.
3. The
personal scope of the DPG is the Data Controller and the Data Subject.
4. The
present DPG valid from 1st November, 2016.
5. Special,
unique conditions do not constitute part of the indicated GTC, but do not
exclude the drawing up of special agreements with tour operators and organisers
from time to time with conditions adjusted according to the type of business.
6. Rights
1. Data
Subjects have rights related to the data and data management.
2. Data
Subjects may enforce their rights by sending request(s) to the Data Controller’s
postal (1051 Budapest, Hercegprímás u. 11. 1. floor.) or e-mail address (operation@brbudapest.com),
by phone, or personally, or any available contact form.
3. Upon
requests, the Data Controller shall immediately take the necessary steps based
on the request and inform the Data Subjects about the taken steps within 15
days.
a) Right to information
1. Upon
requests sent by the Data Subjects to the e-mail addresses in each chapter or
addressed to the Data Controller, the Data Controller shall provide information
regarding the particular subject's data managed by the Data Controller; the
source of such data; the purpose, legal basis and duration of the data management;
the names and addresses of data processors as well as their activities related
to data management; and (in the case of a transfer of the Data Subject's
personal data) the legal basis and recipient of data transfer. Such
information
shall be provided within 15 days, free of charge once a year for identical
data, and for a fee for all additional requests.
2. If the
provision of information is denied, the Data Controller shall inform the Data
Subject in writing as to which provision of which law was the legal basis to
deny the information, and also inform the Data Subject regarding options for
legal remedy.
b) Corrections
1. If the
personal data are incorrect, and the correct data are available to the Data
Controller, it shall correct such personal data.
2. The Data
Controller shall inform the Data Subject regarding the correction as well as
all parties that may potentially have received the data from the Data
Controller for data management purposes. Such notice is omissible if the
rightful interest of the Data Subject is not violated in terms of the purpose
of data management.
3. Corrections
upon request, deadline for administration and legal remedy are governed by the
present DPG
c) Right to erasure
1. The Data
Subject shall have the right to obtain from the Data Controller the erasure of
personal data concerning him or her without undue delay.
2. Where the
Data Controller has made the personal data public and is obliged pursuant to
paragraph 1 to erase the personal data, the Data Controller, taking account of
available technology and the cost of implementation, shall take reasonable
steps, including technical measures, to inform controllers which are processing
the personal data that the Data Subject has requested the erasure by such
controllers of any links to, or copy or replication of, those personal data.
d) Right to restriction of processing
1. The Data
Subject shall have the right to obtain from the Data Controller restriction of
data processing.
e) Right to data portability
1. The Data
Subject shall have the right to receive the personal data concerning him or
her, which he or she has provided to a Data
Controller,
in a structured, commonly used and machine-readable format and have the right
to transmit those data to another Data Controller without hindrance from the
controller to which the personal data have been provided, where:
a) the
processing is based on consent/contract pursuant and
b) the
processing is carried out by automated means.
f) Right to object
1. The Data
Subject shall have the right to object, on grounds relating to his or her
particular situation, at any time to processing of personal data concerning him
or her, including profiling.
g) Automated individual decision-making, including profiling
1. The Data
Subject shall have the right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects
concerning him or her or similarly significantly affects him or her.
2. Data
Subject has the right to request the deletion or blocking of the personal data,
or object against the data managements.
3. Cases of
deletion and blocking of personal data and objections against data management
are governed by the relevant provisions of the Data Protection Act in Sections
17 - 21.
4. The Data
Controller shall provide information on the legal regulations laid out in this paragraph upon requests sent to
4. Remedy
1. If their
privacy rights are probably breached or breached, Data Subjects may request an
investigation from the Hungarian National Authority for Data Protection and
Freedom of Information. The contact details:
a) H-1125
Budapest, Szilágyi Erzsébet fasor 22/C.
b) Phone:
+36 -1-391-1400
c) Fax:
+36-1-391-1410
d) E-mail: privacy@naih.hu
2. If their
privacy rights are breached, Data Subjects may file a lawsuit against the Data
Controller. The court procedure shall be governed by provisions in Section 22
of the Data Protection Act, and the First Book, Chapter Three, Title XII
(Sections 2:51 - 2:54) of Act V of 2013 concerning the Civil Code, and other
relevant legal provisions.
3. The Data controller
shall provide information on the legal regulations laid out
in this paragraph upon requests sent to operation@brbudapest.hu
5. Compensation and injury claims
1. If the
Data Controller causes injury or violates the subject's privacy rights through
handling the subject's data in an unlawful manner or through violating its data
security requirements, then the affected party may demand an injury claim from
the Data Controller.
2. The Data
Controller shall be exempt from liability for the damage caused and from its
obligation to compensate an injury claim, if it can prove that the damage or
violation of the privacy rights of the affected party was caused by an
unavoidable force falling outside the scope of data management.
3. The Data
Controller shall be exempted from liability and its obligation to compensate an
injury claim, if it can prove that the damage or violation of the privacy
rights of the affected party was caused by an unavoidable force outside the
scope of data management. The damage may not be compensated and an injury claim
may not be demanded, if it was due to the willful or grossly negligent
misconduct of the damaged party.
6. Principles
1. Personal
data shall be:
a) processed
lawfully, fairly and in a transparent manner in
relation to the Data Subject (‘lawfulness, fairness and transparency’);
b) collected
for specified, explicit and legitimate purposes and not further processed in a
manner that is incompatible with those purposes; further processing for
archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes shall not be considered to be incompatible
with the initial purposes (‘purpose limitation’);
c) adequate,
relevant and limited to what is necessary in relation to the purposes for which
they are processed (‘data minimisation’);
d) accurate
and, where necessary, kept up to date; every reasonable step must be taken to
ensure that personal data that are inaccurate, having regard to the purposes
for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a
form which permits identification of Data Subjects for no longer than is
necessary for the purposes for which the
personal
data are processed; personal data may be stored for longer periods insofar as
the personal data will be processed solely for archiving purposes in the public
interest, scientific or historical research purposes or statistical purposes (‘storage
limitation’);
f) processed in a manner that ensures appropriate security of
the personal data, including protection against unauthorised or unlawful
processing and against accidental loss, destruction or damage, using
appropriate technical or organisational measures (‘integrity and
confidentiality’).
2. The Data
Controller shall be responsible for, and be able to demonstrate compliance with
section 1 (‘accountability’).
7. Legal basis
1. The
legal basis of the personal data management is:
a) the
consent of the Data Subject or
b) compulsory
requirement by (the Hungarian or EU) law
2. Consent
should be given by a clear affirmative act establishing a freely given,
specific, informed and unambiguous indication of the Data Subject's agreement
to the processing of personal data relating to him or her, such as by a written
statement, including by electronic means.
3. Guest
shall expressly consent to this DPG by
a) accepting
the DPG or
b) using
the services of the website or of the Data Controller.
4. If the
management or processing of personal data based on mandatory by law, then the
relevant rules are determining the purpose, the period of time, the handled
data, the rights and obligations.
5. The Data
Controller shall only manage personal data for pre-determined purposes, for the necessary period of time and in order to exercise its rights
and fulfill obligations. The Data Controller shall only manage such personal
data that are indispensable and suitable for fulfilling the objective of the
particular data management activity.
6. If the
Data Controller uses the received data for any other purpose than the original
purpose of data collection, the Data Controller shall inform the Data Subjects
in each case and ask for their specific, prior consent and/or shall provide an
opportunity for them to disallow such usage.
7. Personal
data communicated to the Data Controller during the data management process shall
only be disclosed to such persons
contracted
or employed by the Data Controller entrusted with duties in relation to the
given data management process.
8. The period of data management
1. Data
Controller shall manage the data until
a) the
purpose of the data management is fulfilled;
b) the
withdrawal of the voluntary consent;
c) erasing
the personal data.
9. Data management - Using hotel services
1. The
management of any personal data related to the Data Subject and the provision
of services are based on voluntary consent, with the purpose of such data
management to provide services and/or maintain contact.
2. The term
of the management of the data shall terminate upon the withdrawal of the
consent of the relevant Data Subject. Such declaration on the withdrawal of the
consent to data management shall be sent via mail to the registered seat (1051
Budapest, Hercegprímás u. 11. 1. floor.) or electronically to operation@brbudapest.com.
3. Providing
the required data by the Guests is a precondition for using hotel services.
4. In the
case of particular services, additional data can be provided in the comments
section, which allows for a complete assessment of the Guests' needs. Making
room reservations and using other services, however, shall not depend upon the
provision of such additional data.
5. Guests
consent to the Data Controller managing and/or archiving the personal data in
order to
a) verify
that the contract was concluded and/or performed, possibly enforce a claim
and/or;
b) contact
Guest in the term of the management of the data.
6. If you
have any further questions regarding the management of data related to room
reservations, please send your enquiry to: operation@brbudapest.com.
a) Data management – Request
for information
1. In the
case of information request, the Data Controller requests/may request that the
Guest makes the following data available:
a) name
b) e-mail
address
c) question
2. Purpose
of the data management: to provide relevant information to the Data Subject.
3. Period of
data management: the purpose of the data management is fulfilled.
b) Data management – Request
for quotation
1. In the
case of quotation request, the Data Controller requests/may request that the
Guest makes the following data available:
a) name
b) e-mail
address
c) phone
nr.
d) requested
services
2. Purpose
of the data management: to provide relevant quotation to the Data Subject.
3. Period of
data management: the purpose of the data management is fulfilled.
c) Data management - Room
reservation and special offer
1. In the
case of room reservations and special offers, the Data Controller requests/may
request that the Guest makes the following data available:
a) first
name
b) last name
c) e-mail
address
d) payment
method
e) aim
of the visit
f) room
type
g) bed type
h) date
of arrival
i) date of departure
j) subscribing
to newsletter
k) number
of nights
l) number of adult Guests
m) number
of minors
n) smoking/non
smoking room
o) phone
number
p) promo
code
2. Purpose
of the data management: to provide the room reservation to the Data Subjects,
and to contact Data Subjects.
3. Period of
data management: the withdrawal of the voluntary consent; and/or erasing the
personal data.
d) Data management - Hotel
registration cards
1. Upon
using hotel services, Guests shall fill in a hotel registration card, in which
they give their consent to the Data Controller managing the data they are
obliged to provide.
a) place
and date of birth
b) citizenship
c) passport
number
d) country
e) street
f) town/city
g) zip
code
h) e-mail
address
i) license plate number
j) parking
fee
k) aim of
traveling
l) date
of departure
m) payment
method
2. Purpose of
the data management: The Data Controller shall manage such data in order to
fulfill its obligations prescribed in the relevant legal regulations
(particularly regarding the laws related to immigration control and tourism
tax) as well as to verify the completion of services and/or to identify the
Guests for as long as required by the competent authority to manage the
fulfillment of obligations as defined in the given laws.
3. Period of
data management: the withdrawal of the voluntary consent; and/or erasing the
personal data.
e) Data management - Surveillance
cameras
1. The Data
Controller operates surveillance cameras in the area of the Hotel in order to
ensure the security of Guests and their property. Camera surveillance is
indicated by a pictogram and a warning sign with text.
2. The
purpose of camera surveillance is the protection of property. More
specifically, the purpose is to protect equipment with significant value as
well as the personal valuables of Guests regarding detecting breaches of the
law and catching perpetrators in the act, and the prevention of such criminal
acts cannot be done in any other way, and/or there is no other method of
presenting evidence.
3. The floor
map and the locations of the cameras marked on it are available at the front
office desk.
f) Data management – Vouchers, coupons
1. In the
case of filling out voucher and/or coupon, the Data Controller requests/may
request that the Guest makes the following data available:
a) name
b) e-mail
address
c) value
of the voucher/coupon
d) phone nr.
e) name
of consignee
f) payment
method
g) address
2. Purpose
of the data management: to provide vouchers and/or coupons to the Data Subject.
3. Period of
data management: the purpose of the data management is fulfilled.
g) Data management - Guest
questionnaire, evaluation system
1. As part
of the quality assurance process applied by the Data Controller, Guests may
provide feedback on the services via an online or paper-based Guest
questionnaire and/or evaluation system.
2. When
filling out the questionnaire, Guests may provide the following personal data:
a) name;
b) date
of visit;
c) room
number;
d) note.
3. Providing
these data are not obligatory, and merely serve the purpose of an accurate
investigation of possible complaints and/or enable the Data Controller to
respond to the Guest.
4. The feedback
received in this manner and the data potentially provided by the Guest may not
be traced back to the Guest or linked to the name of the Guest, but may be used
by the Data Controller for statistical purposes.
5. Period of
data management: the purpose of the data management is fulfilled.
h) Data management – Newsletter
1. In the
case of newsletter, the Data Controller requests/may request that the Guest
makes the following data available:
a) name
b) e-mail
address
2. Newsletter
is sent by email to those who explicitly request it.
3. The
provision of personal data is facultative. The eventual refusal to provide such
data will make it impossible to utilize the newsletter service.
4. Data
Subject can unsubscribe from the newsletter by clicking on the unsubscribe link
on the end of the newsletter, or by sending request to the Data Controller’s
postal (1051 Budapest, Hercegprímás u. 11. 1. floor.) address.
5. Period
of data management: the withdrawal of the voluntary consent.
i) Data management – Guestbook
1. If the
Data Subject would like to write in the guestbook, then the Data Subject can
make the following data available for everyone who can read the guestbook:
a) name
b) e-mail
address
c) other
personal data
d) comment
2. Purpose
of the data management: to provide the guestbook for the the Data Subject.
3. Period of
data management: the withdrawal of the voluntary consent; and/or erasing the
personal data.
j) Data management - Table reservation
1. In the
case of table reservations, the Data Controller requests/may request that the
Data Subject makes the following data available:
a) first
name
b) last
name
c) time
of arrival
d) number of
adults
e) number
of minors
f) phone number
2. Purpose
of the data management: to provide the table reservation to the Data Subjects,
and to contact Data Subjects.
3. Period of
data management: the withdrawal of the voluntary consent; and/or erasing the
personal data.
k) Data management – Credit/Bank card data
1. The Data
Controller requests/may request that the Guest makes the following data
available:
a) type
of credit/debit card;
b) number
of credit/debit card,
c) name
of bank holder;
d) expiry
date of credit/debit card;
e) CVC/CVV
code on credit/debit card
2. For room
reservations, the Data Controller can only use the given debit card, credit
card and bank account data to such an extent and period of time as necessary
for the exercise of rights and fulfillment of obligations. Data is handled by
the Data Controller's contractual bank partners. Information about their data
handling policies can be found on the websites of the competent banks.
l) Data management – Social media
1. The
Data Controller can also be contacted via social networking sites.
2. The
purpose of data management is to share the contents of the website. Guests may
request information, quotation, reserve rooms or tables, and learn about the
latest special offers.
3. By following
the Data Controller's pages, the Data Subjects consent to the Data Controller
posting its news and offers on the Data Subjects' news wall.
4. You can
find further information about the data management in the data protection guidelines and rules of the relevant social networking
page.
m) Data management - Website traffic data
1. References
and link: The Data Controller's website may contain links that are not operated
by the Data Controller, and are only there to inform visitors. The Data Controller
has no influence whatsoever on the content and security of the websites
operated by partner companies, and therefore it is not responsible for them
either. Before providing your data in any form at the given site, please review
the data protection statements and data management guidelines of the websites
you visit.
2. Analytics,
cookies: In order to monitor its websites, the Data Controller uses an
analytical tool which prepares a data string and tracks how the visitors use
the Internet pages. When a page is viewed, the system generates a cookie in
order to record the information related to the visit (pages visited, time spent
on our pages, browsing data, exits, etc) but these data cannot be linked to the
visitor's person. This tool is instrumental in improving the ergonomic design
of the website, creating a user-friendly website and enhancing the online
experience for visitors. The Data Controller does not use the analytical
systems to collect personal information. Most Internet browsers accept cookies,
but visitors have the option of deleting or automatically rejecting them. Since
all browsers are different, visitors can set their cookie preferences
individually with the help of the browser toolbar. You might not be able to use
certain features on our website if you decide not to accept cookies.
10. Data safety
1. The Data
Controller takes all the measures that can be expected from it for the safety
of the stored data, it provides for their guarding at an appropriate level with
particular regard to unauthorized access, alteration, forwarding, disclosing,
cancellation of destruction as well as to accidental destruction and damaging.
2. The Data
Controller provides for appropriate technical and organizational measures in
order to maintain safety of the stored data.
11. Data processor
1. The accountant is the sole Data
processor of the Data Controller.
12. Data transfer
1. The Data
Controller has the right to transfer personal data handed over to business
partners (compliance assistants) fulfilling the Data Controller’s obligation
related to the Data Subjects. Such data transfer may only take place if the
Data Subjects have been informed in advance accordingly, upon using the
service(s).
2. The Data
Controller may transfer the following data to its compliance assistants
regarding to the previous section:
a) name
b) phone
number
c) room
number
3. In order
to verify the legality of data transfer and inform the Data Subjects, the Data
Controller shall keep a data transfer log containing the time of transfer of
the managed personal data, the legal basis and addressee of data transfer as
well as the definition of the scope of the transferred personal data, and any
data defined in the rule of law prescribing data management.
13. Miscellaneous rules, governing law, jurisdiction
1. The
applicable version of the DPG is continuously available on the website and at
the reception desk.
Closed: 01st January, 2019, Budapest
Canelones Kft.
Ms. Nyolcas
Nikolett