The company Kristály ’95 Idegenforgalmi Kft (Cristal’95 Touristic LLC, registered office: H-8360 Keszthely, Lovassy S. u. 8, Hungary, company registration number: 20-09-062161, tax number: 11351427-2-20, phone number: 0036 83 318 999, email: sales@kristalyhotel.hu, represented with sole powers by: Mária Dr. Domonkosné Nádasi Managing Director) as the data controller considers it important to honour and enforce the rights of its clients and all other affected natural persons (hereinafter: data subjects) pertaining to data processing, and therefore hereby informs the data subjects that it respects the personality rights of data subjects and, while processing data, it always acts in conformity with the substantial and procedural rules of Hungarian law in force, the Data Protection and Data Security Policy in force from time to time as well as other internal policies.
This short Data Protection Notice is a short excerpt from the Data Controller’s Data Protection and Data Security Policy (hereinafter: Policy), and is designed to concisely inform data subjects about the Data Controller’s most important rules pertaining to data protection. This Notice shall be considered an annex to the Policy. Any issues or topics not regulated herein shall be governed by the Policy as well as the provisions of applicable laws, and the Notice shall be construed in conjunction with these. The Notice and the unabridged Policy are continuously available at the actual location of data processing, that is, under the address H-8360 Keszthely, Lovassy S. u 20, Hungary.
Who are the data subjects?
Categories of data subjects: Data subjects shall include any and all specific natural persons identified or directly or indirectly identifiable by reference to personal data whose data are processed by the Data Controller, as well as the persons whose rights or legitimate interests are affected by the data processing operations. Consequently, data subjects shall primarily include those requesting to use the Data Controller’s services, Employees, guests, those enquiring about the Data Controller’s services, the Data Controller’s Partners who are natural persons, as well as the representatives, contact persons and, in some cases, other employees of the Partners that are not natural persons.
What data processing activities does the Data Controller perform, and for what purpose and for how long does it process my data?
Requesting information:
Requesting information is based on voluntary consent.
Categories of data subjects:
All natural persons contacting the Data Controller and requesting information from the Data Controller by providing their personal data.
Categories and purpose of the data processed:
| name* | identification |
| phone number | communication |
| email address* | communication |
| content of the question* | response |
The data processing serves the purpose of providing the data subject with appropriate information, and to keep contact.
Duration of processing: until realisation of the purpose.
Requesting an offer
Requesting an offer is based on voluntary consent.
Categories of data subjects: All natural persons requesting an offer from the Data Controller regarding a given service and/or product by providing their personal data.
Categories and purpose of the data processed:
| name* | identification |
| phone number | communication |
| email address* | communication |
| content of the question/request* | response |
| date of arrival* | necessary for giving an offer |
| date of departure* | necessary for giving an offer |
| number of adults* | necessary for giving an offer |
| number of children | necessary for giving an offer |
| age of children | necessary for giving an offer |
| message | necessary for giving an offer |
| indication of subscription to newsletter | subscription to newsletter |
The data processing serves the purpose of providing an appropriate offer to the data subject, and to keep contact.
Duration of processing: until the expiry of the offer’s validity.
Data processing in connection with room booking and/or packages Room booking is based on voluntary consent.
Categories of data subjects: All natural persons booking a room in the Hotel operated by the Data Controller by providing their personal data.
Categories and purpose of the data processed:
| name* | identification |
| phone number | communication |
| email address* | communication |
| content of the question/request* | response |
| date of arrival* | necessary for giving an offer |
| date of departure* | necessary for giving an offer |
| number of adults* | necessary for giving an offer |
| number of children | necessary for giving an offer |
| age of children | necessary for giving an offer |
| message | necessary for giving an offer |
| indication of subscription to newsletter | subscription to newsletter |
Data processing serves the purpose of processing the room booking request, booking the room by linking the given room to the data subject, as well as keeping contact with the data subject.
Duration of processing:shall last until the end of the limitation period of the enforceability of the rights and obligations resulting from that legal relationship in connection with which the Data Controller processes the personal data. In the case of data recorded in documents supporting accounting records, the duration of processing shall be at least 8 years according to Section 169 (2) of Act C of 2000.
Check-in and check-in form/guest and touristic records
Check-in and the completion of the check-in form is based on voluntary consent, however, it is a prerequisite of using the services and, as regards the data determined in Clause 6, data processing is mandatory once the data subject has voluntarily provided such data.
Categories of data subjects: All natural persons checking in and completing a check-in form in the Hotel operated by the Data Controller by providing their personal data.
Categories and purpose of the data processed:
| name* | mandatory under law, identification |
| place and date of birth* | mandatory under law, identification |
| address* | mandatory under law, communication, assessment of touristic tax |
| nationality* | mandatory under law, assessment of touristic tax, alien control |
| phone number | communication |
| email address* | communication |
| vehicle registration number | vehicle identification |
| date of arrival and departure* | mandatory under law, assessment of touristic tax |
| indication of subscription to newsletter | sending information materials |
The purpose of data processing is to ensure full compliance with the laws (in particular those relating to alien control and the tourist tax), to conclude the contract on accommodation services, to prove the performance of that contract, the enforcement of claims (if necessary), and keeping contact with the data subject.
Duration of processing: in the case of data mandatory under law, for 5 years from recording; in the case of the newsletter, until erasure at the data subject’s request; and in case of other data, processing shall last until the end of the limitation period of the enforceability of the rights and obligations resulting from that legal relationship in connection with which the Data Controller processes the personal data. In the case of data recorded in documents supporting accounting records, the duration of processing shall be at least 8 years according to Section 169 (2) of Act C of 2000.
Video surveillance system
Data processing is based on the data subject’s voluntary consent on the basis of the information provided by the Data Controller in the form of signs as well as the video surveillance policy available at the reception. Consent may also be provided by conduct. Such conduct shall include in particular if the data subject enters units covered by the video surveillance system and stays there.
Categories of data subjects: All natural persons entering and/or staying in an area monitored by a video surveillance system.
Categories and purpose of the data processed:
| likeness | identification |
| voice | identification |
| other personal data | identification |
The data processing serves the purpose of property protection regarding the assets, devices and equipment located at the monitored area; the protection of persons and the identification of data subjects; the prevention of accidents in the area; to investigate the circumstances of any accidents occurring; quality assurance purposes; the clarification, investigation and evidencing of the (legal) dispute in the case of quality complaints; investigating guest complaints, etc. The purpose of data processing is separately determined for each video camera in the annex of the applicable camera policy.
Records are stored at: the office operated by the Data Controller under the address H-8360 Keszthely, Lovassy S. u. 20, Hungary.
Duration of processing: Section 31 (2) of Act CXXXIII of 2005 (in lack of use, 3 working days from the making of the record).
Loyalty programme
Participation in the loyalty programme is subject to the condition laid down in a policy formally separated from this Policy, and is based on the data subject’s voluntary consent.
Categories of data subjects: All natural persons who have used the Data Controller’s services earlier, have fulfilled the conditions of becoming a regular customer/guest and wish to become regular customers/guests by providing their personal data.
Categories and purpose of the data processed:
| name | identification |
| address | communication |
| phone number | communication |
| email address | communication |
| dates of staying at the hotel | assessing eligibility |
| indication of subscription to newsletter | sending newsletter |
The purpose of data processing is to identify data subjects, provide them with authorisations and to verify their eligibility, to inform data subjects of the discounts, promotions and other news targeted exclusively at regular customers/guests, communication.
Duration of data processing: until erasure at the data subject’s request/until expiry of a fixed period (3 years).
Data processing in connection with a gift voucher/coupon
Ordering and using the gift voucher/coupon is based on voluntary consent.
Categories of data subjects: All natural persons wishing to purchase or redeem gift vouchers/coupons in connection with one of the Data Controller’s services/products.
Categories and purpose of the data processed:
| name of the data subject as the purchaser* | identification |
| name of the beneficiary of the gift voucher, or the indication that the gift voucher may be used by its holder (anonym beneficiary)* | identification |
| phone number* | communication |
| email address* | communication |
| value of the voucher* | data necessary for performance and invoicing |
| determination of payment method | data necessary for invoicing |
| delivery address | data necessary for delivery |
Data processing serves the purpose that the data subject can be provided with a unique offer for a gift voucher/coupon by supplying their data, they can order and/or redeem a gift voucher/coupon, and communication.
Duration of processing: shall last until the end of the limitation period of the enforceability of the rights and obligations resulting from that legal relationship in connection with which the Data Controller processes the personal data. In the case of data recorded in documents supporting accounting records, the duration of processing shall be at least 8 years according to Section 169 (2) of Act C of 2000.
Questionnaire, evaluation system
Completing the questionnaire is based on voluntary consent.
Categories of data subjects: All natural persons who have used the Data Controller’s services and evaluate them to improve quality and/or give feedback.
Categories and purpose of the data processed:
| name | identification |
| room number | identification |
| date of arrival | identification |
| email address | communication |
| evaluation in text form | quality assurance |
| Multiple-level evaluation in connection with the services provided by the Data Controller | quality assurance |
| reason of the visit | statistics, quality assurance |
| reason of hotel selection | statistics, quality assurance |
The purpose of data processing is to improve the quality of services, to investigate complaints, if any, and communication.
The Data Controller will use the opinions received with the help of the questionnaires and evaluation system as well as the data that cannot be traced back to the given data subject and cannot be linked to the name of the data subject also for statistical purposes.
Duration of processing: until realisation of the purpose.
Sending newsletter
Subscription to newsletter is based on voluntary consent.
Categories of data subjects: All natural persons wishing to receive regular notification about the Data Controller’s news, promotions and discounts, and therefore subscribing to the newsletter service by providing their personal data.
Categories and purpose of the data processed:
| name | identification (data mandatory under law) |
| email address | sending newsletter (data mandatory under law) |
The purpose of data processing in connection with the sending of newsletters is to provide comprehensive general or customised information to the addressee about the Data Controller’s latest promotions, events, news, or changes in or cancellation of services.
The data subject can unsubscribe from the newsletter any time at the bottom of the electronic mail, as well as by sending a cancellation request to sales@kristalyhotel.hu.
Cancelling your subscription is also possible by sending a postal mail to: Kristály’95 Idegenforgalmi Kft., H-8360 Keszthely, Lovassy S. u. 20, Hungary.
Duration of data processing: until erasure upon the data subject’s request, or if the data subject does not give further consent.
Duration of data processing: until erasure upon the data subject’s request, or if the data subject does not give further consent.
Electronic guestbook
Use of the guestbook is based on voluntary consent.
Categories of data subjects: All natural persons who have used the Data Controller’s services and want to share their experience and opinion with the Data Controller and others by using the guestbook.
Categories and purpose of the data processed:
| address | communication |
| email address | communication |
| comment, opinion | quality assurance |
The purpose of data processing is to enable data subjects to express their opinion on the Data Controller’s services to improve the quality thereof, and furthermore, on the Data Controller’s part, to keep contact with the data subject if case of any complaint.
The data subject acknowledges that the guestbook is available to other data subjects and third parties as well, therefore, by using the guestbook, data subjects expressly consent to their data specified in the guestbook being accessed by other data subjects and third parties as well. Having regard to the fact that the Data Controller will not examine the data provided in the guestbook but will make the guestbook available, the Data Controller assumes no liability for the use of the guestbook. Accordingly, the guestbook must be used carefully.
Duration of data processing: until erasure upon the data subject’s request.
Data processing concerning bank card details
Bank card details shall be provided based on voluntary consent.
Categories of data subjects: All natural persons wishing to pay by bank card.
Categories and purpose of the data processed:
| bank card number | identification for financial transaction |
| CVV code | identification for financial transaction |
| date of expiry | identification for financial transaction |
| card holder’s name | identification for financial transaction |
The purpose of data processing is to facilitate financial performance by bank card.
Duration of processing: until realisation of the purpose. In the case of data recorded in documents supporting accounting records, the duration of processing shall be at least 8 years according to Section 169 (2) of Act C of 2000.
Data processing concerning bank details
Transfer by bank, and thus the disclosure of the relating data to the Data Controller as well are based on voluntary consent.
Categories of data subjects: All natural persons wishing to pay by bank transfer.
Categories and purpose of the data processed:
| account holder’s name | identification |
| bank account number | identification |
| comment | identification |
| amount | identification |
The purpose of data processing is to facilitate financial performance by the data subject, and to verify the same.
To secure bank and business secrets, the Data Controller shall do its best to ensure that the above data are only obtained by the Employees for whom these are indispensable for performing their tasks and who have the proper authorisations.
To secure bank and business secrets, the Data Controller shall do its best to ensure that the above data are only obtained by the Employees for whom these are indispensable for performing their tasks and who have the proper authorisations.
Organising prize games
Participation in a prize game is based on voluntary consent.
Categories of data subjects: All natural persons who wish to participate in the prize game organised by the Data Controller and provide their data.
Categories and purposes of the data processed:
| name* | identification |
| phone number | communication |
| email address | communication |
The purpose of data processing is to identify the data subjects after the draw, as well as keeping contact.
Duration of processing: as regards identification and contact data, shall last until the end of the limitation period of the enforceability of the rights and obligations resulting from that legal relationship in connection with which the Data Controller processes the personal data. In the case of data recorded in documents supporting accounting records, the duration of processing shall be at least 8 years according to Section 169 (2) of Act C of 2000.
Keeping records of staff members’ data
The purpose of data processing is to identify the data subjects, to establish a legal relationship, keeping contact, and to perform obligations under law.
Categories of data processed
- first name and surname
- place of birth
- date of birth
- mother’s name
- address
- tax identification number
- social security number
- qualification, professional and vocational qualifications, the name of the institution that issued the relevant certificate, number of the certificate,
- FEOR (Hungarian Standard Classification of Occupations) number
- starting date, code and termination of insurance relationship
- duration of suspension of insurance
- weekly working hours
- gross salary
- net salary
- bank account number
The establishment of the legal relationship is based on voluntary consent, however, keeping records of the employees’ data and transferring these to the tax authority is mandatory under Section 16 (4) of Act XCII of 2003 on the Rules of Taxation as well as under Sections 3 and 11 of Act LXXV of 2010 on Simplified Employment.
The Data Controller keeps records of the data for 5 years from the end of the calendar year of the staff member’s exit, on the proviso that it is prohibited to scrap labour, wage and social security records.
Presence and marketing on social media sites
The use of social media sites, including in particular Facebook, and making contact and communication with the Data Controller through these sites, as well as performing other operations allowed by the social media site is based on voluntary consent.
Categories of data subjects: All natural persons voluntarily following, sharing and liking the Data Controller’s social media pages, in particular its page on facebook.com, and the contents displayed there.
Categories and purpose of the data processed:
| the data subject’s public name | identification |
| public photo | identification |
| public email address | communication |
| message sent by the data subject via the social media site | keeping contact, base for response |
| evaluation by the data subject, result of other operation | quality improvement, purpose of other operation |
The Data Controller shall communicate with the data subjects via the social media site, and so the purpose of the categories of data shall only become important if the data subject contacts the Data Controller via the social media site.
The purpose of presence on social media portals, including in particular Facebook and the relating data processing is to share, publish and market the website’s content on the social media site. The social media site also allows data subjects to receive information on our latest promotions.
Duration of data processing: until erasure upon the data subject’s request.
Complaint handling
Categories of data subjects: All natural persons wishing to communicate their complaint orally or in writing regarding the ordered service/product and/or the Data Controller’s conduct, activity or omission.
The purpose of data processing is to identify the data subject and the complaint, and to record the data to be mandatorily registered under law.
Categories and purpose of the data processed:
| complaint identifier | identification |
| name | identification |
| date of receipt of complaint | identification |
| phone number | communication |
| time of call | identification |
| personal data supplied during the conversation | identification |
| invoicing/mailing address | communication |
| product/service complained about | investigation of complaint |
| documents attached | investigation of complaint |
| reason of the complaint | investigation of complaint |
| the complaint itself | investigation of complaint |
The purpose of data processing is to enable communication of the complaint, as well as to keep contact.
Duration of processing: The Data Controller shall mandatorily process the minutes taken of the complaint as well as a copy of the reply for 5 years of recording the same under Section 17/A (7) of the applicable Act CLV of 1997 as in force from time to time.
Who processes my data?
The data may be processed by the Data Controller’s Employees, only to the extent that is indispensable for their work, provided that the Data Controller has Employees.
If it has no Employees, data shall be processed by the Data Controller’s representative.
Does the Data Controller transmit or transfer data to anyone else?
The personal data are basically processed by the Data Controller. If it outsources this task, then it is performed by the data processor(s) specified in Annex I of the Policy. In such case the Data Controller transmits data to the data processors, and it is liable for the data processors’ activity.
The Data Controller may transfer the data subject’s data to the Data Controller’s contractual Partners if the Data Controller has named the given Partner to the data subject before the data transfer, has determined the expected duration of data processing as well as its purpose, and the data subject has consented to the data transfer. The Data Controller may name the Partners also by way of an announcement or notice, thus including Annex I of the Policy, provided that it makes the same available to the data subjects. The Data Controller may transfer data to a requesting authority in the case of such request, under authorisation by law.
If the data processing activity performed by the Data Controller for its Partners so require, the Data Controller may transfer data to authorities and to persons specified in law or data processing contracts. In such case data subjects shall be notified by the Partner as the data controller.
What rights do I have?
According to the Privacy Act and Regulation (EU) 2016/679 of the European Parliament and of the Council, the data subject has the following rights: right to information, rectification, erasure, the right to be forgotten, the right to the blocking/restriction of data, the right to object, the right to turn to court or the authority.
For the detailed description and limitations of each of the above rights please consult the Policy.
Where and how can I request detailed information about the processing and transfer of the data, and where and how can I exercise my rights?
The Data Controller draws the attention of the data subjects that data subjects can request information and exercise their other rights – provided that this is not excluded by law – by sending a declaration to thesales@kristalyhotel.hu email address or to other contact points of the Data Controller.
The Data Controller shall examine and answer the declaration within the shortest time possible after its receipt but within no more than 25 days, and shall take the necessary steps in accordance with the contents of the declaration as well as the provisions of the Policy and the law.
Where can I turn if my right of self-determination has been violated?
Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www: http://www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
If your rights relating to contents violating minors, or inflammatory or discriminatory contents, rectification, the rights of deceased persons, or your rights relating to the violation of good reputation have been infringed on:
National Media and Infocommunications Authority (Nemzeti Média- és Hírközlési Hatóság)
H-1015 Budapest, Ostrom u. 23-25, Hungary
Postal address: 1525. Pf. 75
Phone: (+36 1) 457 7100
Fax: (06 1) 356 5520
E-mail: info@nmhh.hu
If the data subject’s rights have been violated, he or she may turn to court. The court shall hear such cases in priority proceedings. The burden of proof to show compliance with the law lies with the Data Controller.
If the Data Controller, by unlawful processing of the data subject’s data or by breaching data security rules, violates the personality rights of the data subject, the latter may claim a grievance award from the Data Controller.
How does the Data Controller ensure the security of my data?
The Data Controller provides for the security of data. To this end, it shall take the technical and organisational measures and have procedures in place that are necessary for the enforcement of the applicable laws and other rules concerning the protection of data and secrets.
The Data Controller protects the data with appropriate measures against unauthorised access, alteration, transfer, disclosure to the public, erasure or destruction, accidental destruction and compromise, and against becoming inaccessible due to changes in the technology applied.
The Data Controller (also) uses internal policies, instructions and procedures – the content and form of which differ from the Data Protection and Data Security Policy and this Notice – to enforce data security rules.
When determining and applying the measures designed to secure the data, the Data Controller takes into account the state of the art and, from among several possible data processing solutions, chooses the one ensuring a higher level of protection for the data, except if that would mean a disproportionate burden.
In the framework of its tasks relating to IT protection, the Data Controller shall ensure in particular:
- Measures ensuring protection against unauthorised access, including the protection of software and hardware tools, as well as physical protection (access protection, network protection);
- Measures ensuring the possibility to restore files, including regular security backups and the separate, secure handling of copies (mirroring, security backups);
- The antivirus protection of files (antivirus protection);
- Physical protection of the files and/or their carriers, including protection against fire, water, lightning, other natural forces, and the restorability of any damage occurring as a result of such evets (archiving, fire protection).
Other information
The Data Controller represents that
- in the case of data processing operations subject to registration, it has taken care of their registration with the Hungarian National Authority for Data Protection and Freedom of Information, and the numbers of the relevant authority decisions can be found on https://kristalyhotel.hu/.
- it reserves the right to amend the Notice as necessary so that it is in line with the legal background, the Policy and other internal policies as they may change from time to time.
Dated: 1 November 2017
Kristály’95 Idegenforgalmi Kft.