Privacy Policy
Hotel Golden Palace Kft. processes personal data collected in connection with its activities in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) 95/46/EC (hereinafter: GDPR) and Act CXII of 2011 on the Right of Information Self-Determination and Freedom of Information (hereinafter: Info Act).
The publisher of this Privacy Policy is also the Controller. The data processing is carried out by the staff of our organisation. Only employees of Hotel Golden Palace who have the necessary access to your data for the performance of their work are authorised to access your data. Access rights to personal data are regulated by internal policies.
Name and contact details of Controller’s representative (Article 13.1/a GDPR):
- Name: Hotel Golden Palace Kft.
- Head office: H-2132, Göd, Kádár str. 49
- Represented by: Krisztina Esztergályosné Hamar
- Contact: krisztina.hamar@hotelgoldenpalace.hu
Data Protection Officer (GDPR Article 13.1/b)
Name: Krisztina Esztergályosné Hamar
Postal contact: H H-2132, Göd, Kádár str. 49..
Electronic contact: info@hotelgoldenpalace.hu
Legal remedies:
If the Data Subject considers that the processing does not comply with the legal requirements, he or she has the right to lodge a complaint with the supervisory authority, the National Authority for Data Protection and Freedom of Information. Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR), right to judicial remedy against a decision of a supervisory authority (Article 78 of the GDPR)
Contact details of the National Authority for Data Protection and Freedom of Information:
- Registered office: 1125 Budapest, Szilágyi Erzsébet alley 22/C.
- Postal address: 1530 Budapest, PO. 5.
- Website: http://naih.hu
- E-mail: ugyfelszolgálat@naih.hu
- Phone: +36-1-391-1400
| Website visitor data processing | ||
|---|---|---|
| Scope of data processed | the start and end time of the website user's visit, IP address and other recorded browsing data (cookie) | |
| Purpose of data processing | identify visitors to the website, learn about their browsing habits | |
| Legal basis for processing | the data subject’s consent /Article 6(1) a) of the GDPR/ | |
| Source of data | from the data subject | |
| Data transfer | ||
| Deadline for the erasure of data | until the withdrawal of the data subject's consent | |
| Direct marketing (sending newsletters) | ||
|---|---|---|
| Scope of data processed | name and e-mail address | |
| Purpose of data processing | for marketing purposes, to promote the hotel service by sending an on-line newsletter | |
| Legal basis for data processing | Data Subject’s consent /Article 6(1) a) of the GDPR/ | |
| Source of data | from the data subject | |
| Data transfer | ||
| Deadline for the erasure of data | until the withdrawal of the data subject's consent | |
| Request for quotation | ||
|---|---|---|
| Scope of data processed | name, e-mail address, phone number, number of persons willing to use the service, (number of children, age) | |
| Purpose of data processing | contacting, maintaining contacts, sending customized quotations | |
| Legal basis for processing | performance of a contract /Article 6(1) b) of the GDPR/ | |
| Source of data | from the data subject | |
| Data transfer | ||
| Deadline for the erasure of data | - in case of a successful quotation, until the date of the rejection, - in case of a rejected quotation, until the date following the expiry of the deadline for submission of quotations, - in case of no response, until the date following the expiry of the deadline for submission of quotations |
|
| Direct booking | ||
|---|---|---|
| Scope of data processed | name, e-mail address, phone number, address, number of persons to be served, (number of children, age) | |
| Purpose of data processing | making room reservations | |
| Legal basis for data processing | performance of a contract /Article 6(1) b) of the GDPR/, processing of data based on law (Articles 30-31 of Act C of 1990) in respect of date of birth /Article 6(1) c) of the GDPR/ | |
| Source of data | from the data subject | |
| Data transfer | ||
| Deadline for the erasure of data | - name address: for 8 years pursuant to Article 169 of Act C of 2000 on Accounting - age of guests: until the last day of the 5th year following the year under review pursuant to Sec. 78 (3) and 202 (1) of Act CL of 2017 on the Provisions on Taxation |
|
| Booking through intermediaries | ||
|---|---|---|
| Scope of data processed | name, e-mail address, phone number, number of persons wishing to use the service (number of children, age) and in some cases bank card details | |
| Purpose of data processing | making room reservations | |
| Legal basis for data processing | performance of a contract /Article 6(1) b) of the GDPR/, processing of data based on law (Sec. 30-31 of Act C of 1990) in respect of date of birth /Article 6(1) c) of the GDPR/ | |
| Source of data | on-line intermediaries, travel agencies that are independent Controllers | |
| Deadline for the erasure of data | - the personal data obtained during the reservation will be processed for the duration of the contractual relationship with the data subject Except: - name address: for 8 years pursuant to Section 169 of Act C of 1990 on age of guests: until the last day of the 5th year following the year under review pursuant to Section 78 (3) and Section 202 (1) of Act CL of 2017 on the Rules of Taxation |
|
| Regular guest programme | ||
|---|---|---|
| Scope of data processed | name, number of previous hotel stays | |
| Purpose of data processing | offering discounts, increasing sales, building a loyal customer base | |
| Legal basis for data processing | data subject’s consent /Article 6(1) a) of the GDPR/ | |
| Source of data | from the data subject, from their own records | |
| Deadline for the erasure of data | until the withdrawal of the data subject's consent | |
| Billing | ||
|---|---|---|
| Scope of data processed | name, address, bank card details | |
| Purpose of data processing | accounting for services rendered for consideration, invoicing | |
| Legal basis for data processing | Compliance with the legal obligation under Sec. 169 of Act C of 2000 on Accounting (Article 6(1) c) of the GDPR) | |
| Source of data | from the data subject | |
| Deadline for the erasure of data | under Sec. 169 of Act C of 2000 on Accounting for 8 years | |
| Newsletter | ||
|---|---|---|
| Scope of data processed | email address, name | |
| Purpose of data processing | maintaining and developing relations with guests and partners | |
| Legal basis for processing | the data subject's consent - Article 6(1) a) of the GDPR, given by the data subject when starting to use the specific function. It lasts until the unsubscription from the newsletter. |
|
| Source of data | from the data subject | |
| Data Processor | ||
| Notification sheet | ||
|---|---|---|
| Scope of data processed | name, date of birth, ID/passport number, address, billing address, email address, vehicle registration number | |
| Purpose of data processing | - direct marketing objective, selling a service | |
| Legal basis for processing | data subject’s consent - Article 6(1) b) of the GDPR, Article 6(1) c) of the GDPR. Fulfilment of the legal obligation under Sec. 169 of Act C of 2000 | |
| Source of data | from the data subjectl | |
| Data transfer | ||
| Bank card details | ||
|---|---|---|
| Scope of data processed | card holder name, card number, expiry date, CVV/CVC | |
| Purpose of data processing | performance of a contract for hotel services | |
| Legal basis for data processing | Data Subject’s consent - Article 6(1) b) of the GDPR | |
| Source of data | from the data subject | |
| Data transfer | ||
| Camera system | ||
|---|---|---|
| Scope of data processed | the facial features, behaviour and conduct of the persons concerned as shown in the photograph | |
| Purpose of data processing | to protect the life and limb of persons on the Hotel premises, to protect the safety of persons and property | |
| Legal basis for processing | the data subject's consent - Article 6(1) a) and f) of the GDPR, duration 30 days after recording | |
| Source of data | electronic surveillance system (camera system) | |
| Data transfer | ||
| Record of the complaint | ||
|---|---|---|
| Data managed around | the name and address of the data subject, a detailed description of the complaint and the documents, photographic evidence and photographs produced in connection with the complaint | |
| Purpose of data processing | to protect the life and limb of persons on the Hotel premises, to protect the safety of persons and property | |
| Legal basis for data processing | Sec. 17/A (7) of Act CLV of 1997 on Consumer Protection, which makes data processing mandatory for 5 years from the date of the recording of the report | |
| Source of data | from the data subject | |
| Data transfer | ||
| Use of a central safe | |||
|---|---|---|---|
| Scope of data processed | Name, phone number, address of the data subject | ||
| Purpose of data processing | use of a central safe | ||
| Legal basis for processing | performance of a contract /Article 6(1) a) and b) of the GDPR | ||
| Source of data | from the data subject | ||
| Data transfer | |||
| Deadline for the erasure of data | - the personal data received are processed for the duration of the contractual relationship with the data subject for the use of the central safe | ||
| National Tourist Information Centre | ||
|---|---|---|
| Scope of data processed | the given and family name, given and family name at birth, place and date of birth, sex, nationality and mother's given and family name at birth of the data subject; the identification data of the data subject's identity document or travel document, in the case of a third-country national, the visa or residence permit number, date and place of entry; the address of the accommodation service, the starting and expected date and time of the use of the accommodation and the actual date and time of the end of the use of the accommodation | |
| Purpose of data processing | Providing data to the National Tourist Information Centre | |
| Legal basis for processing | Sec. 9/H of Act CLVI of 2016 on the State Tasks of the Development of Tourist Areas; Sec. 14/C of Government Decree 235/2019 (X. 15.) on the implementation of the Act on the State Tasks of the Development of Tourist Areas | |
| Source of data | from the data subject | |
| Data transfer | National Tourist Information Centre | |
| Deadline for the erasure of data | ||
The right to an effective judicial remedy against the controller (Article 79 of the GDPR) allows the data subject to bring an action before the competent court in case of a breach of the rules on the processing of personal data.
Competent Regional Court:
- Budapest Regional Court, 1146, Budapest, Hungária krt. 179-187
Scope of data processed for data subjects:
- contact data for the purpose of requesting an offer or reservation (name, surname, first name, address, phone number, e-mail address) pursuant to Article 6(1) b) and c) of the GDPR,
- contact data for marketing and online advertising purposes (surname, first name, e-mail address) pursuant to Article 6(1) a) of the GDPR (Data Subject’s consent)
- personal identification data for booking purposes (ID card number, passport number, date and place of birth, nationality) pursuant to Article 6(1) b) and c) of the GDPR (taking into account Act C of 1990);
- children's personal data for the purposes of reservation (surname, first name, place of birth, date of birth) pursuant to Article 6(1) b) and (c) of the GDPR,
- bank account data for the purposes of transaction and booking, use of services or payment of bills (bank account number, card expiry date, cardholder, CVC/CVV) pursuant to Article 6(1) c) of the GDPR (taking into account Act C of 2000);
- membership data for the purpose of participating in the Loyalty Programme pursuant to Article 6(1) a) of the GDPR (consent);
- arrival and departure dates pursuant to Article 6(1) b) of the GDPR;
- visa number, residence permit number, nationality (in relation to non-EU nationals) for the purposes of reservation under Article 6(1) b) of the GDPR;
- technical and location data generated by the hotel's website during use (start and end time of use, IP address, and other browsing data (cookies) recorded by the website operator pursuant to Article 6(1) a) of the GDPR .
The scope of the data processed is contained in the Controller's paper and computer database.
Purposes and legal basis for processing:
The Controller processes the personal data of the Data Subjects for the purposes of personal, online and phone bookings, the use of hotel services, contact and the fulfilment of the Controller's statutory obligations, in particular tax and accounting obligations.
The legal basis for the processing of personal data is the voluntary, prior and informed Data Subject’s consent.
By providing Personal Data through the use of the Hotel's website, the Data Subject declares that (s)he has read the version of the Privacy Policy in force at the time of providing the data and voluntarily and expressly consents to the use of the Personal Data provided by the Data Subject. The Data Subject may disclose Personal Data in accordance with applicable data protection laws and warrants that he or she has consented to the disclosure of the information.
The Controller records the IP address of the Data Subject when accessing the Website in connection with the provision of the Service, in the legitimate interest of the Controller and for the lawful provision of the Service, without the Data Subject's separate consent.
Duration of data processing:
Pursuant to Sec. 169 (1) of Act C of 2000 on Accounting. The business entity shall keep the annual accounts, the annual report and the supporting inventories, valuations, general ledger extracts and the logbook or other records complying with the requirements of the Act in a legible form for at least 8 years.
(2) The accounting documents (including general ledger accounts, analytical or detailed records) directly and indirectly supporting the accounting accounts shall be kept for at least 8 years in a legible form, retrievable by reference to the accounting records.
Pursuant to Sec. 78 (1) of Act CL of 2017 on the Rules of Taxation: The taxpayer required to keep the documents specified in Sec. 77 (1) shall keep them at the place registered with the tax authority.
(2) The documents may be transferred to another place for the duration of the accounting and processing, but must be presented within three working days upon request of the tax authority.
(3) The taxpayer shall keep the documents, regardless of the method of record-keeping, until the right to assess the tax has expired or, in the case of deferred tax, until five years after the last day of the calendar year in which the deferred tax is due.
(4) The employer (paying agent) shall retain the supporting documents on which the tax and tax advances assessed by him are based until the date referred to in paragraph (3). Sec. 77 (1) The supporting documents, books and records required by law, including electronic data and information recorded on a computer medium, shall be drawn up and kept in such a way as to be suitable for the determination and verification of the taxable amount, the amount of tax, the exemption, the benefit, the basis and amount of the budget support, and the payment and use thereof.
Data Subject’s consent:
The processing of personal data is based on the Data Subject’s consent. Consent may be given
- on a separate declaration
- A document establishing a legal relationship between the Controller and the Data Subject (e.g. online booking, filling in a notification form, contract)
The processing of personal data is carried out with the Data Subject’s consent, on the basis of the performance of a contract between the parties and the fulfilment of legal obligations applicable to the Controller.
Consent is voluntary and the data subject has the right to withdraw his or her consent at any time without restriction by unilateral declaration addressed to the Controller.
Those personal data that the Controller is obliged to process in compliance with legal obligations will continue to be processed in accordance with the law even if the Data Subject withdraws his or her consent.
Recipient of personal data:
The Controller may transfer the Data Subject's personal data to public authorities and tax authorities for the purpose of fulfilling its obligations under the law.
Data Subject’s rights:
The Data Subject has the right to obtain, in relation to his or her personal data processed by the controller and by a data processor acting on his or her behalf or at his or her instructions:
- be informed of the facts relating to the processing before the processing starts (right to prior information),
- at his or her request, to have his or her personal data and information relating to the processing thereof made available to him or her by the controller (right of access). The controller shall inform the data subject of the action taken on his or her request without undue delay and at the latest within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Controller shall inform the Data Subject of the extension, stating the reasons for the delay, within one month of receipt of the request. Where the data subject has made the request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject requests otherwise.
- at his or her request, and in the other cases set out in this Chapter, to rectify or complete his or her personal data (right of rectification). In order to exercise the right of rectification, where personal data processed by the controller or by a processor acting on its behalf or under its instructions are inaccurate, incorrect or incomplete, the Controller shall, without delay, in particular at the request of the data subject, rectify or correct them or, where compatible with the purposes of the processing, supplement them with additional personal data provided by the data subject or a declaration by the data subject on the personal data processed
- at his or her request and in the other cases set out in this Chapter, the controller restricts the processing of his or her personal data (right to restriction of processing),
- at his or her request or, in certain cases, to have his or her personal data erased by the controller (right to erasure).
Controller shall promptly erase the data subject’s personal data where:
- the processing is unlawful,
- the data subject withdraws his or her consent to the processing or requests the erasure of his or her personal data, unless the processing of the data is in accordance with the provisions of the Sec. 5(1) a) or c) or (2) b) of the Info Act,
- the erasure of the personal data has been ordered by law, an EU act, the Authority or a court; or
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
The Controller shall not erase the data if the processing is necessary for one of the following reasons:
- to exercise the right to freedom of expression and information;
- to comply with an obligation under the law that requires the processing of personal data;
- necessary for the establishment, exercise or defence of legal claims.
- The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller where one of the following conditions is met (right to restriction of processing):
- the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the controller to verify the accuracy of the personal data;
- the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
- the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the controller override those of the data subject. Where processing is restricted, the personal data concerned by the restriction may be processed, except for storage, only with the Data Subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State. The controller shall inform the data subject in advance of the lifting of the restriction.
- The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6(1) e) or f) of the GDPR, including profiling based on those provisions. In this case, the controller may no longer process the personal data unless he or she can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims (right to object).
Scope of the Privacy Notice
This notice is effective from 1st February 2024. The Controller is entitled to amend this Privacy Policy at any time..