Adatkezelési tájékoztató

1.1 Török-Mezei Beatrix private individual with tax number (hereinafter referred to as the "Data Controller") complies with its obligation to provide information pursuant to the General Data Protection Regulation of the European Union (Regulation 2016/679 of the European Parliament and of the Council) (hereinafter referred to as the "GDPR") with regard to the processing of data in the context of its accommodation services.

1.2 The purpose of this Privacy Notice is to provide the Data Controller with clear, detailed, comprehensible and easily accessible information to the guests and persons interested in the accommodation service (hereinafter referred to as the "Data Subject") about all facts related to the processing of their personal data, rights and remedies related to the processing, ensuring the lawfulness and expediency of the processing, before the processing starts. The Data Controller declares that it does not engage in any activity that would justify the employment of a Data Protection Officer.

1.3 The Data Controller publishes this Privacy Notice on its website - the amikishazunk.hu website and at the accommodation facility operated by the Data Subject - at 2896 Szomód, Tatai utca 6., and will send it to the Data Subject in the first e-mail upon contact.

1.4 The submission of a reservation by the Data Subjects constitutes acceptance of this Privacy Notice, confirms their knowledge of it and constitutes their voluntary consent to the processing.

1.5 In line with the requirements of simplicity and transparency, the basic concepts of data management, legislative background, principles, and the rights of access are listed at the end of this leaflet, but are available through the links.

THE CONTROLLER AND CONTACT DETAILS

Name: Török-Mezei Beatrix private individual with tax number
Tax number: 56869198-1-31
Registered office: 2896 Szomód, Erdősor utca 14.
Address: 2896 Szomód, Erdősor utca 14.
Phone: +36 20 389 8381
E-mail: info@amikishazunk.hu

Accommodation operated by the Data Controller

Name: The Guest House OUR KISHÁZUNK SOMOD
Type: private accommodation
Address: 2896 Szomód, Tatai utca 6.
Registration number: 5/2021
NTAK registration number: MA21000426

Phone: +36 20 389 8381
E-mail: info@amikishazunk.hu

LEGAL BASIS FOR PROCESSING

6.1 The Data Controller processes personal data if it meets one of the following legal bases:

3.1.1. Contribution: The data subject has given his or her freely given, specific, informed, unambiguous and verifiable consent to the processing of his or her personal data for a specific purpose,

3.1.2. Contract performance: The processing is necessary for the performance of a contract where the data subject is one of the parties or initiates the conclusion of the contract,

3.1.3. Legal obligation: Necessary for the controller to comply with its legal obligations,

3.1.4 Vital interest: processing is necessary to protect vital interests;

3.1.5 Public authority: processing is necessary for the performance of a task carried out in the public interest;

3.1.6 Legitimate interest: Necessary for the purposes of the legitimate interests pursued by the controller or a third party, provided that those interests can be demonstrated by means of a balancing test.

ADATKEZÉSEK

Operated by the Data Controller The Guest House OUR KISHÁZUNK SOMOD Government Decree 239/2009 (X.20.) on the detailed conditions for the provision of accommodation services and the procedure for issuing accommodation operating licences is a private accommodation registered by the Municipality of Szomód on 5/2021.

Below is a description of the data processed by each data management group in the following system:

Below we set out in more detail how, in each case:

- which personal data are processed (1)

- the purpose of the processing (2)

- what is the legal basis for processing (3) What legal bases does the Data Controller use?

- how long the controller will store the personal data (4)

- who has access to the personal data: recipients (5)

- who is affected (6)

- whether the data subject is obliged to provide the personal data (7)

- the consequences of not providing the personal data(7)

4.1 CONTACT, CONTACT, REQUEST FOR PROPOSAL

Category of interest: AIR CONTROL

Type of personal data (1)	Purpose of processing (2)	Legal basis for processing (3)	Duration of processing (4)	Transmission (list of recipients) (5)
Name	Contact, information, offers via the form on the website	Consent of the data subject - Article 6 (1) a) GDPR	The Data Controller will delete the data of those interested in the accommodation service within 14 days after sending the offer.	Data Controller and the spouse of the Data Controller (Norbert Mezei).
E-mail address	Contacts, information, offers	Data subject's consent - Article 6 (1) a) GDPR	The Data Controller will delete the data of those interested in the accommodation service within 14 days after sending the offer.	Data Controller and the spouse of the Data Controller (Norbert Mezei).
Phone number	Contacts, information, offers	Data subject's consent - Article 6 (1) a) GDPR	The Data Controller will delete the data of those interested in the accommodation service within 14 days after sending the offer.	Data Controller and the spouse of the Data Controller (Norbert Mezei).

(6) Data subjects: persons who contact the data controller via the website or via e-mail, social media platforms, who do not use accommodation services.

(7) The person concerned obliged to provide the data, as future identification, reservations and other information cannot be carried out without the data listed. If the data subject does not provide the personal data, the contact cannot be made, but the data subject may continue to view the public parts of the website without restriction.

(8) Description of data subjects' rights in relation to data processing. Accesst, they correctionfood, erasure or restriction of processing, as well as the withdraw consent at any time.

4.2 BOOKING

Category of interest: patient

Type of personal data (1)	Purpose of processing (2)	Legal basis for processing (3)	Duration of processing (4)	Transmission (list of recipients) (5)
Name	provision of accommodation services	Contract performance [Article 6 (1) b) GDRP]	8 years after the last day of the year in which the invoice is issued.	Data Controller and the spouse of the Data Controller (Norbert Mezei), NAV, accountant
E-mail address	provision of accommodation services	Contract performance [Article 6 (1) b) GDRP]	3 years from the date of the last service used	Data Controller and the spouse of the Data Controller (Norbert Mezei).
Phone number	provision of accommodation services	Contract performance [Article 6 (1) b) GDRP]	3 years from the date of the last service used	Data Controller and the spouse of the Data Controller (Norbert Mezei).
Address	provision of accommodation services	Legal obligation: Act C of 2000, § 169 (2)	8 years after the last day of the year of issue of the invoice	Data Controller and the spouse of the Data Controller (Norbert Mezei), NAV, accountant
Information on catering	ensuring the provision and quality of accommodation services	Contract performance [Article 6 (1) b) GDRP]	3 years from the date of the last service used	Data Controller and the spouse of the Data Controller (Norbert Mezei).
Other information voluntarily provided by the customer*	ensuring the provision and quality of accommodation services	Contract performance [Article 6 (1) b) GDRP]	3 years from the date of the last service used	Data Controller and the spouse of the Data Controller (Norbert Mezei).

(6) Data subjects: anyone who submits a booking request for accommodation services by phone, email, our website, Facebook, Instagram or through an accommodation portal.

(7) The person concerned obliged to provide the data, as the reservation of the accommodation cannot be made without the provision of the listed data, except for the information voluntarily provided by the customer. If the data subject does not provide the personal data, the reservation cannot be sent.

(8) Description of data subjects' rights in relation to data processing. Accesst, they correctionfood, erasure or restriction of processing.

(9) The lawfulness of the processing of the data shall not be affected for 3 years after the reservation has been sent, even if the Data Subject has cancelled the service.

4.3 BOOKING

Category of interest: patient

Type of personal data (1)	Purpose of processing (2)	Legal basis for processing (3)	Duration of processing (4)	Transmission (list of recipients) (5)
Name	provision of accommodation services	Contract performance [Article 6 (1) b) GDRP]	8 years after the last day of the year in which the invoice is issued.	Data Controller and the spouse of the Data Controller (Norbert Mezei), NAV, accountant
E-mail address	provision of accommodation services	Contract performance [Article 6 (1) b) GDRP]	3 years from the date of the last service used	Data Controller and the spouse of the Data Controller (Norbert Mezei).
Phone number	provision of accommodation services	Contract performance [Article 6 (1) b) GDRP]	3 years from the date of the last service used	Data Controller and the spouse of the Data Controller (Norbert Mezei).
Address	provision of accommodation services	Legal obligation: Act C of 2000, § 169 (2)	8 years after the last day of the year of issue of the invoice	Data Controller and the spouse of the Data Controller (Norbert Mezei), NAV, accountant
Information on catering	ensuring the provision and quality of accommodation services	Contract performance [Article 6 (1) b) GDRP]	3 years from the date of the last service used	Data Controller and the spouse of the Data Controller (Norbert Mezei).
Other information voluntarily provided by the customer*	ensuring the provision and quality of accommodation services	Contract performance [Article 6 (1) b) GDRP]	3 years from the date of the last service used	Data Controller and the spouse of the Data Controller (Norbert Mezei).

(6) Data subjects: anyone who submits a booking request for accommodation services by phone, email, our website, Facebook, Instagram or through an accommodation portal.

(8) Description of data subjects' rights in relation to data processing. Accesst, they correctionfood, erasure or restriction of processing.

(9) The Data Controller will also advertise the accommodation on the Booking portal and on Facebook and Instagram.

When booking through Booking, our guests can find out about the processing of their personal data by following the links below: https://www.booking.com/content/privacy.hu.html

The accommodation operated by the Data Controller is available on the Facebook community portal. Information on the data management of the Facebook page is available at the following link: https://www.facebook.com/about/privacy/update

The accommodation operated by the Data Controller is available on the Instagram community portal. Information about the data management on the Instagram page is available at the following link: https://help.instagram.com/519522125107875

4.4 GUEST REGISTRY

Category of interest: patient

Guest registration is carried out by means of a simplified guest registration application (accommodation management software) called "My Guest", which is operated by the Hungarian Tourism Agency under the supervision of the Tourism Data Service Centre (hereinafter referred to as NTAK) for the purpose of national statistical data collection. NTAK receives only statistical data via the "My Guest" accommodation management software and does not receive, record or store any personal data. The incoming data does not identify the guest and therefore no personal data is entered into NTAK.

Notwithstanding the above, I inform the Data Subject below about the rules of data processing:

Type of personal data (1)	Purpose of processing (2)	Legal basis for processing (3)	Duration of processing (4)	Transmission (list of recipients) (5)
Guest (client) gender	real and up-to-date measurement of the traffic statistics of all domestic accommodation establishments, preparation of statements, summaries and analyses for the tourism sector based on the statistical data received.	Legal obligation: Act CLVI of 2016, 239/2009 (X. 20.) Government Decree*	Data shall be available for 1 year after the provision of the statistical service	"My Guest" (accommodation management software), Data Controller and his agent (Norbert Mezei), NAV, accountant
Guest (customer) your nationality	real and up-to-date measurement of the traffic statistics of all domestic accommodation establishments, preparation of statements, summaries and analyses for the tourism sector based on the statistical data received.	Legal obligation: Act CLVI of 2016, 239/2009 (X. 20.) Government Decree*	Data shall be available for 1 year after the provision of the statistical service	"My Guest" (accommodation management software), Data Controller and its nominee
Customer's place and date of birth,	real and up-to-date measurement of the traffic statistics of all domestic accommodation establishments, preparation of statements, summaries and analyses for the tourism sector based on the statistical data received.	Legal obligation: Act CLVI of 2016, 239/2009 (X. 20.) Government Decree*	Data shall be available for 1 year after the provision of the statistical service	"My Guest" (accommodation management software), Data Controller and its nominee
Client's country of residence	real and up-to-date measurement of the traffic statistics of all domestic accommodation establishments, preparation of statements, summaries and analyses for the tourism sector based on the statistical data received.	Legal obligation: Act CLVI of 2016, 239/2009 (X. 20.) Government Decree*	Data shall be available for 1 year after the provision of the statistical service	"My Guest" (accommodation management software), Data Controller and its nominee
The municipality and postcode of the customer's permanent address	real and up-to-date measurement of the traffic statistics of all domestic accommodation establishments, preparation of statements, summaries and analyses for the tourism sector based on the statistical data received.	Legal obligation: Act CLVI of 2016, 239/2009 (X. 20.) Government Decree*	Data shall be available for 1 year after the provision of the statistical service	"My Guest" (accommodation management software), Data Controller and its nominee

(6) Data subjects: customers who have already used accommodation services

(7) The person concerned obliged to provide the data, as the controller is subject to the following legal obligations:

(8) Description of data subjects' rights in relation to data processing. Accesst, they correctionfood, erasure or restriction of processing, if the conditions are met.

* Legal basis for data processing:Act CLVI of 2016 on State Tasks for the Development of Tourist Areas and Government Decree 235/2019 (X. 15.) on its implementation, and the details of the provision of accommodation servicesand the procedure for issuing the accommodation management licence pursuant to Government Decree 239/2009 (X. 20.). According to Article 5(3) of Government Decree No 239/2009 (X. 20.), the provision of accommodation services is can be conducted in accommodation that has accommodation management software. The software sends the accommodation service data electronically to NTAK as required by law, ensuring the Data Controller's compliance with the law. The obligation to provide the data can only be fulfilled electronically by means of software. The data reporting obligation for accommodation operators shall apply from 01 January 2020.

(9) Possible consequences of non-delivery: impossibility to use the service.

(10) The Data Controller does not keep a paper-based guest register. The register to be submitted annually to the Municipality of Szomód, concerning the number of guests received, shall only contain the number of nights spent in the accommodation, no personal data.

4.5 NEWSLETTER SUBSCRIPTION

Category of interest: AIR CONTROL

Type of personal data (1)	Purpose of processing (2)	Legal basis for processing (3)	Duration of processing (4)	Transmission (list of recipients) (5)
Name	To send newsletters, promotional material and useful information to data subjects.	Consent of the data subject - Article 6 (1) a) GDPR	Until cancellation or termination of the newsletter service	Data Controller and the spouse of the Data Controller (Norbert Mezei).
E-mail address	To send newsletters, promotional material and useful information to data subjects	Data subject's consent - Article 6 (1) a) GDPR	Until cancellation or termination of the newsletter service	Data Controller and the spouse of the Data Controller (Norbert Mezei).

(6) Data subjects: subscribers to the newsletter service of the data controller.

(7) The data subject is under no obligation to provide the data, as subscribing to the newsletter is a voluntary decision free of any influence. If the data subject does not provide the personal data, the subscription will not be established.

(8) Description of the data subjects' rights in relation to data processing: the data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her. The data subject shall have the right to data portability and the right to obtain consent at any time.

(9) The data subject may unsubscribe from the newsletter at any time and free of charge.

4.6. FINANCIAL PERFORMANCE

Category of interest: patient

Type of personal data (1)	Purpose of processing (2)	Legal basis for processing (3)	Duration of processing (4)	Transmission (list of recipients) (5)
Name	Data required to identify the financial execution	Legal obligation: Act C of 2000, § 169 (2)	8 years after the last day of the year of issue of the invoice	Bank, Billing software
E-mail address	Data required to identify the financial execution	Legal obligation: Act C of 2000, § 169 (2)	8 years after the last day of the year of issue of the invoice	Invoicing software
Bank card details	Providing the data subject with the possibility to pay online by credit card	Legal obligation: Act C of 2000, § 169 (2)	Payment Service Provider as a Data Controller according to the Data Processing Policy	Bank, Billing software, Payment service provider
Account number	If the person concerned makes a transfer, the account number will appear in the accounts	Legal obligation: Act C of 2000, § 169 (2)	8 years after the last day of the year of issue of the invoice	Accountant, Bank

The financial performance of the paid services used by the data subject is a condition for the proper performance of the contract. Although civil law claims are subject to a limitation period of 5 years, the invoice directly linked to the financial performance must be kept by the controller for 8 years after the last day of the year in which it was issued.

(6) Data subjects: data subjects who have entered into a contract with the data controller and are subject to a financial performance obligation.

(7) The data subject is obliged to provide the data, as the issuing of an invoice is not possible without financial settlement (bank transfer or payment by credit card).

(8) Description of the data subjects' rights in relation to data processing: the data subject may request the controller to access and rectify personal data relating to him or her and has the right to data portability.

4.7 COOKIE MANAGEMENT (COOKIES)

a.) A amikishazunk.hu uses cookies, about which you can read the Cookie policy find out more. A cookie is a small file that is created when you visit a website. Cookies are used to improve the user experience of websites.

DATA TRANSMISSION/IDENTIFICATION OF DATA PROCESSORS

Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller; (Article 4 GDPR) point 8)

The use of a processor does not require the prior consent of the data subject, but the data subject must be informed. Accordingly, the following information is provided:

5.1 Data Controller's billing service provider

5.1.1 For the performance of its billing obligations, the Data Controller shall contract an external service provider, which shall also process personal data of natural persons who have a contractual or paying relationship with the Data Controller, for the purpose of the performance of the Data Controller's billing obligations.

5.1.2 The name of this processor is:

Name: KBOSS.hu Kft.

Registered office: 1031 Budapest, Záhony utca 7.
Representative name: Ángyán Balázs managing director
Company registration number: 01-09-303201
Tax number: 13421739-2-41
E-mail: info@szamlazz.hu
Data Protection Officer: dr. Éva Istvánovics, lawyer
Contact: dpo@kboss.hu
WEB: https://www.szamlazz.hu/
Data protection information: https://www.szamlazz.hu/adatvedelem/

5.1.3. The purpose of the processing: fulfilment of invoicing obligations.

5.2. National Tax and Customs Administration (NAV):

5.2.1 As of 01 January, the data content of all invoices issued by the Data Controller will be forwarded to the NAV.

5.2.2. The purpose of the processing: fulfilment of the obligation to provide invoice data.

5.3 The recipients of the statistical data recorded in the My Guest application:

The Governor of Szomód Municipality
Hungarian Tourism Agency
National Tax and Customs Office
Central Statistical Office

5.3.1. The purpose of the processing: statistical reporting.

TRANSFER/COMMUNICATION TO AN INDEPENDENT CONTROLLER

6.1 "Standalone controller": a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.

From independent controllers process the personal data we disclose or transfer on their own behalf and in accordance with their own privacy policy, and the controller has no control over their activities. There is a contractual obligation between the independent controller and the data controller.

Type of standalone controller	Name of the recipient of the standalone controller	Address of the independent controller	Privacy notice	Data processed
Bank	MHB Bank Plc.	1056 Budapest, Váci utca 38.	https://www.mbhbank.hu/adatvedelem	Name, Account number, Nice card details
Invoicing software	KBOSS.hu Kft (szamlazz.hu)	1031 Budapest, Záhony utca 7.	https://www.szamlazz.hu/adatvedelem/	Name, billing address, e-mail address, service purchased
Social media	Meta Platforms Inc	1601 Willow Road, Menlo Park, CA 94025, USA	https://www.facebook.com/privacy/center/	Marketing information, contact details
Repository	Websupport Hungary Ltd.	1119 Budapest, Fehérvári út 97-99.	https://www.mhosting.hu/	name, e-mail address, telephone number, address, billing address, nationality, name, quantity, size, price of the service ordered, the method of providing the service and the method of payment, and the dates related thereto
Correspondence	Google HQ	1600 Amphitheatre Parkway Mountain View, CA 94043, USA	https://policies.google.com/privacy/embedded?hl=en-US	Data provided in an e-mail exchange

6.2 Data processing on social networking sites

The fact of data collection and the scope of data processed: The public name and profile picture of users registered on social networking sites such as Twitter, Pinterest, YouTube, Facebook, Instagram, TikTok, LinkedIn, etc.

Who is affected: All users who have registered on the above-mentioned social networking sites, "liked" the Service Provider's page or contacted the data controller via the social networking platform.

The purpose of the data collection: Share, "like", follow and promote the website's content, products, promotions and the website itself.on social networking sites.

Duration of processing and your rights: Information on the source, processing, transfer and legal basis of the data can be found on the relevant Community site. The processing of data is governed by the policy of the relevant community site, and therefore the duration, modification and deletion of data are also governed by this policy.

Legal basis for processing: Voluntary consent of the data subject to the processing of personal data on social networking sites.

6.3 . meta-common data management

The Data Controller has a Meta (Facebook and/or Instagram) profile for the activity. Meta HQ and the Data Controller are considered joint controllers for the processing of data on these social networking sites. Details of the joint data management agreement are set out in the Data Controller Appendix of the Facebook Page Analytics function. The Addendum is available at the following link: https://www.facebook.com/legal/terms/page_controller_addendum

The controller communicates by private message on the social networking site only if the data subject contacts the controller.

Type of personal data (1)	Purpose of processing (2)	Legal basis for processing (3)	Duration of processing (4)
Registered name of the person concerned	The purpose of data processing on Facebook is to share and promote the activities and services of the data controller. The data provided by the data subject in a private message may be used by the Data Controller to reply to the message, otherwise the Data Controller does not collect data through the social networking sites, nor does it extract data from them.	Consent of the data subject - Article 6 (1) a) GDPR	6 months until withdrawal, if messages are exchanged
E-mail address of the user concerned		Consent of the data subject - Article 6 (1) a) GDPR	6 months until withdrawal, if messages are exchanged
Public data shared by the data subject on the Community site		Consent of the data subject - Article 6 (1) a) GDPR	6 months until withdrawal, if an exchange of messages takes place.

(6) Stakeholders: the data subject who has registered on the social networking site and has "liked" the profile page of the Data Controller and the data subject who contacts the Data Controller by private message on the social networking site

(7) The person concerned not obliged to provide the data, in which case, in case of failure to provide the data, the data subject cannot find out about the activities and services of the Data Controller via the Facebook community page, or send a message to the Data Controller via Facebook Messenger.

(8) Data subjects' rights in relation to data processing: The data subject may withdraw his or her consent to data processing and delete his or her post or comment at any time. The processing takes place on social networking sites operated by a "Data Controller". If the data subject withdraws his/her consent, the Data Controller will delete the conversation with him/her. The withdrawal does not affect the lawfulness of the processing carried out before the withdrawal.

(9) Source of the data processed: The source of the data is the data subject.

(10) Transfers of personal data and recipients: The Data Controller shall only transfer personal data of the data subject to public authorities, such as courts, prosecutors' offices, investigative authorities or the National Authority for Data Protection and Freedom of Information, on the basis of a legal obligation and in exceptional cases.

(11) Joint data controller agreement with Meta HQ: The Page Analytics feature provides aggregated data to help you understand how users use your Facebook page. Meta HQ and the Data Controller are jointly responsible for managing the analytics data. Meta takes primary responsibility for data management in compliance with the GDPR and ensures that it complies with its obligations under the GDPR. The Data Controller will provide the appropriate legal basis for processing the data and for identifying the data controller of the site. Meta is solely responsible for the personal data processed within the Site Analytics function, except for the data specified in the Site Analytics Appendix. The Data Controller shall not have access to the personal data of Facebook users and shall not act on behalf of Meta in relation to data protection requests.

(12) Customer relations and other data management: If a question or problem arises in relation to the services of the data controller, the data subject may contact the data controller by the means indicated on the website (telephone, e-mail, social networking sites, etc.). The Data Controller will store the e-mails, messages received, the data provided by telephone or on Meta, the name and e-mail address of the interested party and other data voluntarily provided for a maximum period of 6 months and will then delete them. Information on data processing not covered by this notice will be provided at the time of collection. The Service Provider is obliged to provide data in response to a request from a public authority or on the basis of a legal mandate, provided that the request contains a precise purpose and scope of the data, only to the extent necessary.

DATA SECURITY MEASURES

7.1 Your personal data will be stored electronically. The place of storage of the personal data is the registered office of the Controller, as indicated in this Notice.

7.2 The Data Controller shall make every reasonable effort to ensure the security of personal data for all purposes and in relation to the processing of data, both in the network system and in the storage and retention of data.

7.3 The Data Controller shall take appropriate measures to protect the data against accidental or unlawful destruction, loss, alteration, damage, unauthorised disclosure or access.

7.4 The Data Controller shall protect the IT systems, electronic data processing and records with firewalls, virus protection and passwords that meet the requirements of data security.

7.5 Only the Data Controller and the Data Controller's spouse (Balázs Török) authorised to handle the data may access the data.

THE BASIS FOR DATA PROCESSING

8.1. BASIC CONCEPTS OF DATA MANAGEMENT

The definitions in this Privacy Notice are the same as the interpretative definitions set out in Article 4 of the GDPR.

8.1.1. Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

8.1.2.Data management: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction by any means, including by

8.1.3. Registration system: a set of personal data, disaggregated by any means, centralised, decentralised or by functional or geographical criteria, which is accessible on the basis of specific criteria

8.1.4. Data Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law

8.1.5. Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller

8.1.6. Addressee: the natural or legal person, public authority, agency or any other body with whom or to which the personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing

8.1.7. Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process the personal data

8.1.8. Consent of the data subject: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her

8.8.9. Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

8.2. PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA

Personal data:

8.2.1. be processed lawfully and fairly and in a transparent manner for the Data Subject ("lawfulness, fairness and transparency");

8.2.2. collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes ("purpose limitation");

8.2.3. be adequate, relevant and limited to what is necessary for the purposes for which the data are processed ("data minimisation");

8.2.4. be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes of the processing are erased or rectified without undue delay ("accuracy");

8.2.5. be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ("limited storage");

8.2.6. be handled in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage ("integrity and confidentiality"), by implementing appropriate technical or organisational measures;

8.2.7 The controller is responsible for and able to demonstrate compliance with the above ("accountability").

8.3. THE RIGHTS OF DATA SUBJECTS

8.3.1.Right to prior information: The data subject is entitled to be informed of the facts and information relating to the processing before the processing starts.

8.3.2. Right of access: The data subject has the right to request information about the processing of his or her personal data, in particular from the Data Controller. The Data Subject shall have the right to obtain from the Controller feedback as to whether or not his or her personal data are being processed and, if such processing is ongoing, the right to access the personal data and to be informed of the purposes and legal basis of the processing, the personal data processed, the identity of the processor, the duration of the processing, his or her rights and the right to lodge a complaint. The Data Controller shall provide the Data Subject with a copy of the personal data processed.

8.3.3. Right to rectification: The data subject shall have the right to obtain from the Data Controller, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data.

8.3.4. Right to erasure: At the data subject's request, the Data Controller shall delete personal data concerning him or her without undue delay if one of the following grounds applies:

the purpose of the processing has ceased, or
the Data Subject withdraws his or her consent to the processing of personal data and there is no other legal basis for the processing, or
the Data Subject exercises his or her right to object, or
the processing is unlawful, or
the erasure of the data concerned is required by law.
8.3.5. Erasure requested by the data subject only for the deletion of data processed on the basis of his or her consent and therefore does not affect the scope of data subject to mandatory processing for the performance of a contract and the fulfilment of a legal obligation.

8.3.6. Right to restriction of processing: At the request of the data subject, the Data Controller shall restrict the processing of data in the following cases:

the data subject contests the accuracy of the personal data, in which case the restriction applies for the period of time necessary to allow the Controller to verify the accuracy of the personal data; or
the processing is unlawful, but the Data Subject does not request the erasure of the data, but instead requests the restriction of their use; or
the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
The Data Subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the Data Controller prevail over the legitimate grounds of the Data Subject.

8.3.7. the Data Controller shall inform the Data Subject at whose request the processing has been restricted in advance of the lifting of the restriction of processing.

8.3.8. The obligation to notify the rectification or erasure of personal data or the restriction of processing: The Controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. Upon request, the controller shall inform the Data Subject of these recipients.

8.3.9. Right to data portability: Subject to the conditions set out in the GDPR, the Data Subject has the right to receive personal data provided to the Data Controller in machine-readable format and the right to transmit such data to another Data Controller.

8.3.10. Right to object:_The Data Subject may object to the processing of his or her personal data if the processing or transfer of the personal data is necessary solely for the purposes of the legitimate interests pursued by the Controller or a third party (except in the case of mandatory processing). If the Controller finds the Data Subject's objection to be justified, the Data Subject shall delete the personal data without undue delay.

8.3.11. Right to withdraw consent: You have the right to withdraw your consent to the processing of your personal data at any time. However, the right of withdrawal shall not affect the lawfulness of the processing carried out on the basis of the consent prior to the withdrawal.

LEGAL REMEDIES

9.3. Right to lodge a complaint with a supervisory authority (right to official redress)

Data subjects have the right to lodge a complaint with the supervisory authority if they consider that the processing of personal data relating to them infringes the GDPR.

In Hungary, the data subject may lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) regarding the data processing procedures of the Data Controller.

Postal address: 1363 Budapest, Pf.: 9.
Address: 1055 Budapest, Falk Miksa utca 9-11.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
URL: http://naih.hu

9.4. Right to judicial remedy

You can also choose to pursue your claim in court. The tribunal has jurisdiction to hear the case. The action may also be brought, at the option of the person concerned, before the courts for the place where he or she resides or is domiciled.

THE RULES CONCERNING THE REQUEST SENT BY THE DATA SUBJECT TO THE CONTROLLER

10.3. The data subject shall send the requests indicated in this Notice and the withdrawal of consent to data processing in writing to the following address:

Address: 2896 Szomód, Erdősor utca 14.

E-mail: info@amikishazunk.hu

10.4 The Data Controller shall examine the requests received without delay and shall comply with the request no later than 30 days after receipt of the request. If the Data Controller finds the Data Subject's request unfounded and refuses to comply with it, it shall notify the Data Subject in writing of the refusal and the reasons for the refusal, together with information on the remedies available, within 30 days of receipt of the request.

PROCEDURE IN THE EVENT OF A DATA PROTECTION INCIDENT

11.3 The Data Controller shall protect the personal data of the Data Subject to the best of its ability, provide a modern and reliable IT environment, and carry out its internal processes in a controlled manner in order to prevent, avoid or, if the slightest error, problem or incident occurs in connection with the processing of personal data, to detect, investigate and handle the case.

11.4.Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

11.5 If the Data Subject becomes aware of a personal data breach as defined above in connection with personal data processed by the Data Controller, please notify us immediately using the contact details indicated in section 12.1. The Data Controller shall investigate the data breach without delay and notify the National Authority for Data Protection and Freedom of Information of the data breach within 72 hours of becoming aware of it, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons, and take measures to remedy the incident. The Data Controller shall keep records of the data breaches.

ACCEPTANCE OF, AMENDMENTS TO THE PRIVACY NOTICE

12.3 The Data Controller publishes this Privacy Notice on its website - on amikishazunk.hu website and at the accommodation facility operated by the Data Subject - at 2896 Szomód, Tatai utca 6., and will send it to the Data Subject in the first e-mail upon contact.

12.4.The submission of a reservation by the Data Subjects shall constitute acceptance of this Privacy Notice, confirms their knowledge of it and constitutes their voluntary consent to the processing.

12.5 The Data Controller is entitled to amend this Privacy Notice unilaterally. The amended Privacy Notice shall be published in the accommodation it operates.

THE MAIN LEGISLATION ON DATA PROCESSING AND THEIR ABBREVIATIONS

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, GDPR);
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.);
Act V of 2013 on the Civil Code (Civil Code);
Act C of 2000 on Accounting;
Act CL of 2017 on the Rules of Taxation;
Act CLVI of 2016 on State Tasks for the Development of Tourist Areas;
Government Decree No 235/2019 (X. 15.) on the implementation of Act CLVI of 2016 on the implementation of the State Tasks of the Development of Tourist Areas;
Government Decree No 239/2009 (X. 20.) on the detailed conditions for the provision of accommodation services and the procedure for issuing accommodation operating licences;
Act C of 1990 on local taxes;