Privacy Policy
Relating to hotel management and guests
This Privacy Policy (“Policy”) is to inform data subjects in compliance with Article 13 AND 14 of Regulation (EU) 2016/679 (General Data Protection Regulation) of the EU Parliament and Commission in relation to the processing of personal data during the course of providing and preparing hotel services.
1. Data Controller’s contact details
- Company name of data controller: Birgés Wellness Hotel Kft. (hereinafter referred to as: “Controller”)
- Official Seat: 1061 Budapest, Király utca 30-32./ A. lház. I. emelet 108.
- Mailing address: 8230 Balatonfüred, Mikes Kelemen utca 21
- Tax ID number: 14332766-2-42
- Registration Number: 01 09 199921
- Hotel: Hotel Vinifera Wine & Spa *****
- Email address: hello@vinifera.hu
- Phone number: +36 87 866 000
- Website: hello@vinifera.hu
2. Processing of data subjects’ personal data
2.1 Scope of data subjects
During the pursuit of its hotel management activities the Controller shall process the personal data of the following natural persons (hereinafter referred to as: Data Subjects): guests
2.2 Categories of personal data processed
The Controller shall process the following personal data relating to the Data Subject:
- family name and first name
- address
- nationality
- date and place of birth
- mother’s maiden name
- sex
- email address (personal or created by OTA)
- phone number
- date of arrival
- date of departure
- number of rooms
- number of adults
- number of children
- codes (promotion, group)
- passport / personal identification document number
- visa number
- date and place of entering Hungary
- preferences
- payment information, type of card, card number, expiration date, CVV code
- purpose of travel
- data related to dietary sensitivities
- name, phone number, email address of contact person (in case of events)
- flight number
- room number
- description of lost and found items with guest name and room number
- guest feedback information
- bar consumption details
- health issues (separate document to be filled out before a massage upon the masseur’s request)
- date of invoicing
- length of stay
- method of payment
- amount paid, date of crediting payment
- car registration number, value of possible fines
The Data Subject shall disclose the data to be processed to the Controller by the following channels:
- hotel website upon making a reservation or direct reservation (email address, phone number)
- check-in document
- third country guest registration form
- credit card authorization form
- consumption form
- guest satisfaction survey
The Controller shall obtain personal data for processing from the following source(s):
- Re-seller booking system
- Off-line and on-line travel agencies
Please note that the Controller shall be considered to be a separate data controller and it is only responsible for the data controlling it performed. Controller is not responsible for the data processing and data transfer performed by any third party, in case the personal data have been sent by a third party to the Controller – includingany re-seller and travel agent.
2.3 Legal grounds, purpose and duration of data processing
2.3.1 Preparation and performance of a contract for the provision of hotel services
Personal data processing is necessary for the purpose of preparing and performing a contract for the provision of hotel services (hereinafter referred to as: the “Contract”).
Purpose of personal data processing:
- performance of obligations related to room reservations and other services ordered
- during his or her stay the Data Subject is identified (information is transferred between divisions) by his or her personal data for the purposes of performing contractual obligations (eg. housekeeping, breakfast, bar consumption),
- record of pre-purchased and pre-paid gift certificates
- pricing a room as part of an offer
- the Data Subject’s contact details are processed for communication purposes; eg. managing issues arising during the guest’s stay, pre-stay emails etc.
- invoice data are recorded for receivables management purposes
- to ensure smooth check-out operations in case of IT problems
The duration of data processing shall be the same as the preparation and in case of concluding a contract the performance thereof, except for the following cases:
- check-in card, invoices - paper version 8 years
- massage information - 1 month
- housekeeping list, emergency shift - 3 days
- bar consumption slip - 1 month
With regard to the fact that the Controller is unable to prepare and perform the contract without disclosure of the above personal data the Data Subject shall be obliged to provide them to the Controller. Failure to do so may result in the Controller refusing to prepare or perform the contract with the Data Subject.
In the event of failure to conclude a contract or the termination of a contract the Controller shall not erase the personal data from its database. Data entered into Hostware shall be anonymized after 1 year.
The Controller processes the following data from the list detailed in Section 2.2 in accordance with Article 6. Section 1 b) of the GDPR:
- family name and first name
- address
- nationality
- date and place of birth
- mother’s maiden name
- sex
- email address (personal or created by OTA)
- phone number
- date of arrival
- date of departure
- number of rooms
- number of adults
- number of children
- codes (promotion, group)
- passport / personal identification document number
- visa number
- date and place of entering Hungary
- payment information, type of card, card number, expiration date, CVV code
- name, phone number, email address of contact person (in case of events)
- room number
- description of lost and found items with guest name and room number
- bar consumption details
- date of invoicing
- length of stay
- method of payment
- amount paid, date of crediting payment
- car registration number
2.3.2 Performance of legal obligations:
The Controller shall control the Data Subject’s personal data defined in the applicable legistlation for the purpose of compliance with the following legal regulations for the following lengths of time:
- Filing of tourist tax returns (Municipality Regulation No. 57/2010.(XII.30.) of City of Budapest VI. Terézváros Municipality and Municipality Regulation No. 38/2010. (XII. , KSH [Central Statistics Bureau] statistics (Act No. CLV of 2016 on Official Statistics) and other mandatory reports, eg.: PTGSZLA (Act No. CXXVII of 2007 on VAT, Act No. CL of 2017 on Taxes and Regulations)– 8 years
- Administration of guest register for the personal data relating to nationals of third countries (Article 2 of § 73 of Act No. II of 2007 on the entry and residence of third-country nationals ) – 8 years
- Obligation to issue an invoice, correction of invoices in case of any errors upon issuing (Article 2 of § 169 of Act No. C of 2000 on accounting ) – 8 years
With consideration to the fact that the data processing described in this section is the Controller’s legal obligation, the provision of such personal data is mandatory and refusal to provide the data may result in refusal to conclude the Contract or execute the Contract.
2.3.3 Legitimate interests of the Controller AND/OR a third party
The Controller shall control the Data Subject’s personal data detailed above on the grounds of legitimate interests for the following purposes and for the following lengths of time:
- Problem management (family name and first name, address, email address (personal or created by OTA), phone number, information on the stay, name, phone number, email address of contact person) in case of a problem occurred after departure, it is the lawful interest of the Controller to act in the possession of sufficient information, therefore for the time period allowed by law, the personal data collected for the performance of a Contract may be controlled in accordance with the legitimate interest of the Controller too.
- Guest satisfaction development (preferences, purpose of travel, data related to dietary sensitivities guest feedback information, health issues) it is the lawful interest of the Controller to develop its services in order to increase the guest satisfaction, therefore several data collected upon the consent of the Data Subjects may be processed in accordance with the legitimate interest of the Controller as well
- Informing guests
- Verification of information provided by guests (eg. room number given at the bar), codes (promotion, group), bar consumption details, information on the stay) it is the lawful interest of the Controller to control the data collected upon the performance of the Contract and the consent of the Data Subject in accordance with the legitimate interest of the Controller in order to issue its invoice.
The purpose of data processing under this section is to enable the Controller to exercise his legitimate interests.
The duration of data processing shall be the same as the preparation and in case of concluding a contract the validity thereof, furthermore in case of data controlling for compliance with a legal obligation, the time period defined by law.
With consideration to the fact that the data processing described in this section is the Controller’s or third party’s legitimate interest, the provision of such personal data is mandatory and refusal to provide the data may result in refusal to conclude the Contract or execute the Contract.
2.3.4 Consent of the Data Subject
Personal data shall be processed in certain cases on the basis of the Data Subject’s consent (voluntary expression of explicit will, based on specific and proper information). The Data Subject shall give his or her consent to the Controller on the Controller’s website, the check-in card or the guest satisfaction questionnaire.
Consent shall be voluntary and the Data Subject shall have the right to revoke his or her consent at any time without restrictions via a written notification to the Controller. The Data Subject may send his or her written notification to either of the contact details contained in section 1 of the Privacy Policy.
Revoking his or her consent shall result in no consequences to the Data Subject. However, revoking his or her consent shall not affect the lawfulness of data processing on the grounds of consent prior to revoking it.
The Controller processes the following data upon consent:
- preferences
- purpose of travel
- data related to dietary sensitivities
- name, phone number, email address of contact person (in case of events
- guest feedback information
- health issues (separate document to be filled out before a massage upon the masseur’s request)
- car registration number, value of possible fines
- e-mail address for purpose of direct marketing
2.4 Right to decide on automated individual decision-making, including profiling
The Controller does not pursue automated decision-making, including profiling.
3. Recipients of personal data
The Controller shall transmit the Data Subject’s personal data to the following persons and organizations (data processors):
- External IT companies (Comp-dock Kft.) for the purposes of systems operation, see guest data in 2.2
- Hostware (have access with the hotel’s consent for the purposes of error correction) guest data contained in the invoicing software, see 2.2
- Massage company Bamboo Kft. for the purpose of rendering services, see guest data in 2.2
- Taxi companies for the purpose of rendering services, see guest data in 2.2
- Police, upon request (camera recordings)
4. Data Subject rights
The Controller examines any request of the Data Subjects within 72 hours from its receipt and answers it within 30 days.
4.1 Right of access
The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and if so, access to the personal data and the following information:
- the purposes of the processing of the specific personal data,
- the categories of personal data concerned,
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations (if personal data are transferred to a third country or to an international organization, the Data Subject shall have the right to be informed of whether the data transfer is done with the appropriate safeguards and guarantees),
- the planned period for which the personal data will be stored, or if not possible, the criteria used to determine that period,
- the rights of the Data Subject (rectification, erasure or restriction of processing, portability and the right to object to the processing of such personal data),
- the right to lodge a complaint with a supervisory authority,
- where the personal data were not collected from the Data Subject, all available information as to their source,
- the existence of automated decision-making, including profiling; and, at least in cases where such processing is done, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.
The Controller shall have the right to request clarification or specification of the requested information or data processing activities from the Data Subject prior to responding to the Data Subject’s request.
In the event that the Data Subject’s right of access set forth in this section adversely affects the rights and freedoms of other persons, especially their business secrets or intellectual properties, the Controller shall have the right to refuse the Data Subject’s request to the extent that is necessary and proportionate.
Where the Data Subject requests several copies of the above information, the Controller may charge a reasonable and proportionate fee based on administrative costs.
If the Controller does not process the personal data specified by the Data Subject, the former shall also inform the Data Subject of this fact in writing.
4.2 Right to rectification
The Data Subject shall have the right to request the rectification of inaccurate personal data concerning him or her. The Data Subject shall have the right to have incomplete personal data completed.
Upon exercising his or her right of rectification/completion the Data Subject shall indicate exactly which data are inaccurate or incomplete and shall also communicate to the Controller the correct and complete data. The Controller has the right to request that the Data Subject provide proper proof of the rectified data, primarily with proper documentation.
The Controller shall perform the rectification of inaccurate personal data without undue delay the.
Following rectification of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.
4.3 Right to erasure (“right to be forgotten”)
The Data Subject shall have the right to request that the Controller erase his or her personal data without undue delay where one of the following grounds applies:
- the personal data specified by the Data Subject are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Controller,
- the Data Subject withdraws consent on which the processing of his or her personal data (including special categories of personal data) was based and there is no other legal ground for the processing,
- the Data Subject objects to the Controller processing his or her data on the grounds of its legitimate interests and the Controller has no legitimate grounds for the processing that override the Data Subject’s interests, rights or freedoms or that are relevant to the establishment, exercise or defense of legal claims,
- the personal data was unlawfully processed by the Controller,
- the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the Controller is subject,
- the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing.
The Data Subject shall submit his or her request relating to erasure in writing and shall specify the reason for requesting the erasure of each personal data.
In the event that the Controller grants the Data Subject his or her request of erasure, the former shall erase the specified personal data from all databases and duly inform the Data Subject of it.
Where the Controller is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. In its communication the Controller is obliged to inform the other controllers that the Data Subject had requested the erasure of all links to or copies of his or her personal data, as well as any copies thereof.
Following erasure of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.
The Controller is not obliged to erase the personal data in cases where the processing is necessary:
- for exercising the right of freedom of expression and information,
- for compliance with a legal obligation arising from a Hungarian or EU legal regulation which requires processing by the Controller,
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
- for reasons of public interest in the area of public health,
- for archiving purposes in the public interest, scientific or historical research purposes, in so far as the Data Subject’s exercising his or her right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing,for the establishment, exercise or defense of legal claims.
4.4 Right to restriction of processing
The Data Subject shall have the right to request that the Controller restrict the processing or use of his or her personal data without undue delay where one of the following grounds applies:
- the accuracy of the personal data is contested by the Data Subject (in which cases the restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data),
- The data was unlawfully processed by the Controller, but the Data Subject requests restriction instead of erasure,
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims,
- the Data Subject objects to the Controller processing his or her data on the grounds of its legitimate interests and the Controller has no legitimate grounds for the processing that override the Data Subject’s interests, rights or freedoms or that are relevant to the establishment, exercise or defense of legal claims; in such cases the restriction shall apply until it is established whether the legitimate interests of the Controller override the legitimate interests of the Data Subject.
Where processing has been restricted, such personal data shall, with the exception of storage, shall only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State.
A Data Subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.
Following restriction of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.
4.5 Right to object
Considering that the Controller does not perform any data processing carried out in the public interest and has no official authority, does not pursue scientific or historical research and does not process data for statistics purposes, the right to object may be exercised on the grounds of data processing on the grounds of legitimate interests.
In the event that the the personal data of the Data Subjects are processed on the grounds of legitimate interests it is an imperative guarantee that the Data Subject shall be ensured proper information regarding the data processing of his or her data and his or her right to object. The Data Subject shall be expressly informed of this right latest at the time of initial contact.
The Data Subject is entitled to object to the processing of his or her personal data on the above grounds and in such cases the Controller shall no longer have grounds to lawfully process the Data Subject’s personal data, except in cases where it can be demonstrated that:
- the Controller has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or
- the processing of the data is related to the establishment, exercise or defense of legal claims by the Controller.
4.5.1 Right to object to direct marketing
The Data Subject is entitled to object to the processing of his or her personal data for direct market purposes.
Where the Data Subject objects to processing for direct marketing purposes, the Controller shall no longer process the Data Subject’s personal data for such purposes.
4.6 Right to data portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller.
The right to data portability may only be exercised in relation to the personal data provided by the Data Subject to the Controller and
- where data processing is based on the legal grounds of a contract and
- data processing is performed by automated means.
Otherwise, in cases where it is technically possible, the Controller shall directly transmit the Data Subject’s personal data to another controller designated in the Data Subject’s written request. The right to portability as defined in this section does not give rise to an obligation for the controllers to introduce or maintain technically compatible data processing systems.
With regard to data portability the Controller shall provide the data media required to transfer the data to the Data Subject free of charge.
In the event that the Data Subject’s right to data portability adversely affects the rights and freedoms of other persons, especially their business secrets or intellectual properties, the Controller shall have the right to refuse the Data Subject’s request to the extent that is necessary and proportionate.
Measures taken in relation to data portability do not mean the erasure of the data. The Controller shall store the data up to the point that the Controller has relevant purposes and sufficient legal grounds to do so.
4.7 Right to legal remedies
In case of any question regarding data controlling the employees of the Data Controller may be contacted via the following e-mail address: hotel@hotelvision.hu.
4.7.1 Right to lodge a complaint
The Data Subject shall have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information if he or she considers that the processing of his or her personal data by the Controller infringes on the effective data protection legislation, especially the GDPR.
The contact details for the National Authority for Data Protection and Freedom of Information:
- Website: http://naih.hu/
- Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
- Mailing address: 1530 Budapest, Pf.: 5.
- Phone: +36-1-391-1400
- Fax: +36-1-391-1410
- Email address: ugyfelszolgalat@naih.hu
The Data Subject shall have the right to lodge a complaint with other supervisory authorities, in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement.
4.7.2 Right of access to the courts (Right of legal action)
Without prejudice to his or her right to lodge a complaint, the Data Subject shall have the right of access to the courts where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data.
Proceedings against the Controller shall be brought before the courts of Hungary, as its activities are based in Hungary.
Pursuant to § 22. (1) of the effective Information Act, the Data Subject may also bring proceedings before the courts where the Data Subject has his or her place of habitual residence. The contact details of the Hungarian courts are available at: http://birosag.hu/torvenyszekek.
Since the Controller does not qualify as a public authority acting as an official authority of any member state, the Data Subject may bring proceedings before the courts with jurisdiction and authority at the place of the Data Subject’s place of residence in the event that his or her habitual residence is in another EU member state.
4.7.3 Other recourse options
The Data Subject shall have the right to mandate a not-for-profit body, organization or association which has been properly established in accordance with the law of an EU Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise on his or her behalf the right to receive compensation, the right to an effective judicial remedy against a supervisory authority or to bring a legal suit in front of the courts.
5. The principles of data provessing
The Controller processes the personal data lawfully, fairly and in a transparent manner, in accordance with the applicable legislation and the regulations of this Privacy Policy.
Personal data is processed by the Controller only for a specific purpose.
The Controller processes the personal data only in accordance with the purposes specified in the Privacy Policy and the applicable legislation. The scope of the personal data processed is adequate to the purposes for which they are processed. Where the Controller intends to process the personal data for a purpose other than that for which they were collected, the Controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information, should collect its express consent and provide the opportunity to prohibit the further process.
The Controller does not verify the given personal data. The accuracy of the given personal data is the sole responsibility of the person providing it, nevertheless the Controller makes reasonable efforts to delete or correct the inaccurate personal data essential with regards to the purpose of the processing.
This Privacy Policy does not apply to the use of data in a statistically aggregated form, which may not contain any other data suitable for the identification of the Data Subject, therefore it shall not be considered as data processing or data transfer
The Controller shall ensure the security of the personal data and to ensure the protection of the collected, stored and processed personal data and to prevent their accidental loss, unauthorized destruction, unauthorized access, unauthorized use and alteration, unauthorized disclosure it shall implement appropriate technical and organisational measures and appropriate procedures. To comply with this obligation, the Controller shall oblige any third party to whom it transfers personal data.
Subject to the relevant provisions of the GDPR, the Controller is not obliged to nominate a data protection officer.
6. Miscellaneous
Where the Controller has reasonable doubts regarding the identity of the person making the request relating to sections 4.1 – 4.6 of this Policy, the Controller may request that the Data Subject provide access to additional information needed to verify his or her identity.
The Controller reserves the right to modify this Policy at any time. The Controller shall notify the Data Subject of such modifications at least 8 days prior to their entering into force via publishing on its website.
7. Record identification documents
According to the amendment of the 2016 CLVI. law , from 1st September 2021, all accommodation service providers are obliged to record identification documents (e.g. ID cards, passports) of all guests using the document reader upon check-in. The system is protect the rights, security and property of the data subject and others. In the absence of presenting the document, the accommodation provider will refuse the accommodation service.