Privacy policy

Data of controller:

Name: Gyenesdiás Tourism Association

Address: 2 Hunyadi u., Gyenesdiás, H-8315

Mailing address, handling of complaints: 2 Hunyadi u., Gyenesdiás, H-8315

Email: gyenesdias@t-online.hu

Telephone: +36 83 511 790

Website: www.gyenesdias.info.hu

Registry court: Zalaegerszeg Regional Court

Tax number: 18966527-1-20

The purpose and validity of this privacy policy:

The purpose of this privacy policy is to identify the data controlling activities of Gyenesdiás Tourism Association, as a Controller, regarding personal data. These activities are:

– validating the constitutional principles of data protection

– complying with the rules of use and the lawful order of processing records and databases

– ensuring the requirements of the rights to informational self-determination and data protection

The validity of this privacy policy covers the handling of personal and special information processed by the co-workers of the Controller or by contracted third party data processors.

Applicable law:

Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Law CXII of 2011 on the right to informational self-determination and freedom of information

Law V of 2013 on the Civil Code, and Law XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity

Law CXXX of 2016 on Code of Civil Procedure

When drawing up this Privacy Policy, we also took into account the recommendation of the National Authority for Data Protection and Freedom of Information on the privacy requirements of prior notification. The content of this Privacy Policy also covers the information control connected to the following website: www.gyenesdias.info.hu

We reserve the right to amend our Privacy Policy by unilateral decision at any time. Thus, as a Controller entity, we are authorised but not obliged to inform the persons concerned by sending a system notification in case this Privacy Policy is amended. The persons concerned are authorised to exercise their rights related to the processing of data as described in this Privacy Policy and the existing legislation.

The scope of the data processed, the aim and the title of information control:

The Controller handles personal information based on voluntary submission or on legal authorisation. In case of voluntary submission, the person concerned can request information about the scope of the data processed and the manner of processing, and can withdraw their submission at any time. In case of processing required by legislation, the Controller will inform the persons concerned about the further processing of data and about their possibilities to exercise their rights.

The personal information can only be handled by our co-workers and by those data processors who have signed a data processing contract with us (as a Controller entity). The above-mentioned data controllers are authorised to handle the data only to the extent necessary to achieve the purpose and for the time granted by the legislation. These controllers are not authorised to make their own decisions; they are obliged to process data only according to the contract signed with us and to the instructions given by us (as a Controller entity). As a Controller entity, we monitor the processing of our partner data controllers. These partners are authorised to work with other data controllers only with our permission.

Data processing related to certain activities of the Controller:

Guest inquiries

Legal basis of data processing: the submission of the person concerned

Scope of data: name, email address, telephone number, address

Aim of data processing: providing information

Data transmission: none

Data processors: not relevant

Deadline for deleting data: 6 months

Possible consequences of the absence of data: non-commencement of the service

Handling of complaints

Legal basis of data processing: the submission of the person concerned

Scope of data: name, email address, telephone number, address

Aim of data processing: handling of complaints

Data transmission: none

Data processors: not relevant

Deadline for deleting data: 5 years

Possible consequences of the absence of data: non-commencement of the service

Job applications

Legal basis of data processing: the submission of the person concerned

Scope of data: name, email address, telephone number, address

Aim of data processing: participating in a job interview

Data transmission: none

Data processors: not relevant

Deadline for deleting data: 2 months after the job interview

Possible consequences of the absence of data: refusal of the application

Registering for touristic cards – West-Balaton Card/Gyenesdiás Plus Card

Legal basis of data processing: contractual obligation

Scope of data: name, date of birth, accommodation, email address, telephone number, address

Aim of data processing: ensuring the use of the discount card

Data transmission: through IT system – West-Balaton Tourism Card System V 1.1, GYTE

Legal basis of data transmission: contractual obligation

Data processors: Sárkány Informatikai Zrt.

Deadline for deleting data: 2 years

Possible consequences of the absence of data: non-commencement of the service

Bicycle rental agreement

Legal basis of data processing: contractual obligation

Scope of data: name, address, ID card number, telephone number

Aim of data processing: ensuring the service

Data transmission: none

Legal basis of data transmission: not relevant

Data processors: not relevant

Deadline for deleting data: 2 years

Possible consequences of the absence of data: non-commencement of the service

Subscribing to newsletters (private correspondence)

Legal basis of data processing: the submission of the person concerned

Scope of data: name, email address, telephone number, address

Aim of data processing: providing information

Data transmission: through IT system

Legal basis of data transmission: contractual obligation

Data processors: Chrome Soft Kft., MailChimp Marketing Platform

Deadline for deleting data: 24 hours after the persons concerned withdraw their consent

Possible consequences of the absence of data: non-commencement of the service

Webshop purchasing and online ordering of brochures

Legal basis of data processing: contractual obligation

Scope of data: name, email address, telephone number, address

Aim of data processing: shipping the ordered items

Data transmission: through IT system

Legal basis of data transmission: contractual obligation

Data processors: Chrome Soft Kft., GYTE

Deadline for deleting data: 2 years

Possible consequences of the absence of data: non-commencement of the service

Requesting accommodation quotations

Legal basis of data processing: the submission of the person concerned

Scope of data: name, email address, telephone number, address

Aim of data processing: sending quotations

Data transmission: through IT system

Legal basis of data transmission: contractual obligation

Data processors: Chrome Soft Kft., GYTE

Deadline for deleting data: 6 months

Possible consequences of the absence of data: non-commencement of the service

Booking accommodation

Legal basis of data processing: contractual obligation

Scope of data: name, email address, telephone number, address

Aim of data processing: arranging accommodation

Data transmission: through IT system

Legal basis of data transmission: contractual obligation

Data processors: Chrome Soft Kft., GYTE

Deadline for deleting data: 5 years

Possible consequences of the absence of data: non-commencement of the service

Uploading the data of accommodations and services in a personal capacity to the portal

Legal basis of data processing: contractual obligation

Scope of data: name, email address, telephone number, address

Aim of data processing: arranging accommodation

Data transmission: through IT system

Legal basis of data transmission: contractual obligation

Data processors: Chrome Soft Kft., GYTE

Deadline for deleting data: 24 hours after the persons concerned withdraw their consent

Possible consequences of the absence of data: non-commencement of the service

Filling in the questionnaire related to Gyenesdiás Tourism

Legal basis of data processing: the submission of the person concerned

Scope of data: name, email address, telephone number

Aim of data processing: guest-polling, compiling statistics

Data transmission: through IT system

Legal basis of data transmission: contractual obligation

Data processors: GYTE, MailChimp Marketing Platform

Deadline for deleting data: 2 years

Possible consequences of the absence of data: not relevant

Employment contracts

Legal basis of data processing: legal obligation

Scope of data: name, mother’s name, birthplace and date, address, telephone number, social security number, bank account number

Aim of data processing: paying wages and contributions

Data transmission: Könyvel-Velem Kft.

Legal basis of data transmission: contractual obligation

Data processors: Könyvel-Velem Kft. – Klára Varga

Deadline for deleting data: 5 years after the termination of the contract

Possible consequences of the absence of data: non-payment of wages and contributions

Logging of the website of the Controller

Legal basis of data processing: the submission of the person concerned

Scope of data: anonymised IP address

Aim of data processing: making statistics

Data transmission: Chrome Soft Kft.

Legal basis of data transmission: the submission of the person concerned, contractual obligation

Data processors: Chrome Soft Kft.

Data processors during the booking/request process:

All of the data you give during the booking process will be stored on the servers of Chrome-Soft Kft., as it provides us with the TCM booking system. Data transmission occurs through a secure HTTPS connection.

The chosen accommodation receives your request and your data given during the booking process so that it can send you a specific quotation and ensure the accommodation or the service that you have chosen. Our partner accommodation providers handle the personal data involved in the booking and request process as individual controllers.

List of accommodation providers: Accommodations

Social media

The information control happens through social media sites, so the duration and the manner of data control, as well as the possibilities for deleting or modifying data, are subject to the regulations of the social media sites.

Rights of the persons concerned

The persons concerned are authorised to ask for information about, or for the correction or deletion of, their personal data (except data regulated by the law) by clicking on the link at the end of our newsletters, or by contacting us at any of our contact details. If requested, we provide information on the data of the persons concerned controlled by us, the aim, the legal basis and the duration of data processing, the name, the address (seat) and the activity of the data processor connected to the data processing, as well as on the details of the persons who received the data and on the purpose for which they receive or have received the data.

We are obliged to provide information as soon as possible, but at most within one month from the date of the request, in clear written form and free of charge.

We are also obliged to correct all incorrect personal data. We will delete personal data if

  • its handling is against the law,
  • or the person concerned asks for it,
  • or it is incomplete or incorrect – and we are legally not allowed to correct it – provided that the law does not exclude its deletion,
  • or the purpose of data control no longer exists,
  • or the period for data storage defined by the law has elapsed,
  • or it is ordered by the court or by the data protection supervision.

We will inform the person concerned – and all those parties who have received the data from us for the data control – about the amendment or the deletion of the data. We will skip this step if it does not harm the legitimate interest of the person concerned with regard to the purpose of the data control.

The person concerned may object to the control of his/her personal data if

  • this control (transmission) is exclusively required for enforcement of the rights or the legitimate interests of the Controller, except where the data control is required by the law;
  • the aim of the data control or transmission is direct marketing, survey or scientific research;
  • the exercise of the right to object is supported by the law.

When receiving the claim, as Controllers we are obliged to examine the objection and to inform the claimant of the results in writing as soon as possible, but within not more than 15 days, while simultaneously suspending the data control. If the objection is justified, we will cease data control, including further data collection and transmission, block the data, and we will also give information about the objection and the following actions to all the parties to whom we have transmitted the data involved in the objection. These parties are obliged to take measures to ensure the exercise of the right of objection.

Means for data storing

The Controller stores controlled data archived in paper form at its head office and the data of the actual year at the office of its accountant (Könyvel-Velem Kft.), while data in electronic form will be stored on the computers in the head office, on the servers of Chrome-Soft Kft. (partner company) and by the MailChimp Marketing Platform. The data transmitted to the partners (data processors) of the Controller are stored at the head offices of those partners.

During the data control process, the Controller ensures for the person concerned that

  • they can access their data when they need them;
  • only parties who are entitled to do so can access the data;
  • the information, and the accuracy and the completeness of the methods of data processing, are protected.

Compensation

If any of the persons concerned suffers material or non-material damage due to a breach of the data protection legislation, they are entitled to claim damages from the Controller and/or from the data processor. If both the Controller and the data processor(s) are involved in the infringement, they will be severally liable for damage.

The data processor is liable for damage only if they have breached the special regulations for data processors in the relevant data protection laws, or if the damage is due to not considering the instructions of the Controller.

The Controller or the data processors are liable for damage only if they cannot prove that they are not responsible for the event or circumstances that caused the damage.

Legal remedy

If the person concerned states that the Controller or any of the data processors have breached their rights, they are entitled to contact the competent court appointed by the Civil Procedure Code (Pp.). The court will give priority to the case.

If the person concerned wants to file a complaint regarding the data control, they are entitled to contact the Hungarian National Authority for Data Protection and Freedom of Information. Contact information:

Address: 22/C, Szilágyi Erzsébet fasor, 1125 Budapest

Tel.: +36 1 391 1400 Fax: +36 1 391 1410

E-mail: ugyfelszolgalat@naih.hu

Website: www.naih.hu

Cooperation with the authorities

If the Controller receives a formal request from the competent authorities, it will compulsorily deliver the related personal data. The Controller will deliver only those data which are necessarily required for achieving the objectives defined by the authority.

Gyenesdiás, 22nd May 2018

Updated 1st March 2022