Introduction
Zatech Kereskedelmi Kft. (hereinafter referred to as: Service Provider, Data controller) submits to the following policy:
Regarding the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46 (General Data Protection Regulation) by the EUROPEAN PARLIAMENT AND THE COUNCIL (EU) 2016/679 REGULATION (April 27, 2016), we provide the following information.
This privacy policy governs the processing of data on the following pages: www.motelnext.hu
The privacy policy is available at the following page: http://motelnext/privacy-policy/
The amendments to the rules will enter into force upon publication at the above address.
The data controller and its contact details:
Name: Zatech Kereskedelmi Kft.
Registered office: 1114 Budapest, Ulászló utca 21. 4/401
Email address: adam@motelnext.hu
Phone number: +36 30 478 8246
Contact details of the Data Protection Officer:
Name: Ádám Zatik
Email address: adam@motelnext.hu
Phone number: +36 30 478 8246
Definitions
“Personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Data processing”: any operation or set of operations performed on personal data or data sets, whether automated or non-automated, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
“Data controller”: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Data processor”: a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the controller;
“Recipient”: a natural or legal person, public authority, agency or other body to whom or which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“Consent of the data subject”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Data breach”: the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Principles for the processing of personal data
Personal data:
The processing must be lawful, fair, and transparent to the data subject (“lawfulness, fairness, and transparency”).
The collection shall be for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the initial purposes (“purpose limitation”), in accordance with Article 89(1).
The purposes of data processing must be adequate and relevant from the viewpoint of the purposes and shall be limited to what is necessary (“data minimization”);
They must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
The storage shall be in a form that permits identification of data subjects only as long as it is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of appropriate technical and organizational measures required to safeguard the rights and freedoms of the data subject under this Regulation (“storage limitation”);
The processing shall be carried out in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
The data controller is responsible for ensuring compliance with the above, and must be capable of demonstrating such compliance (“accountability”).
The data controller declares that data processing is carried out in accordance with the principles set forth in this section.
Data processing
Contact
The fact of data collection, the scope of processed data, and the purpose of data processing:
Purpose of data processing
Identification
Keeping in touch, sending response messages
Keeping in touch
Required to reply
Executing technical operation.
Executing technical operation.
In the case of an email address, it is not necessary to include personal data.
Data subjects: All individuals sending messages via the contact form.
The duration of data processing, deadline for data deletion: If any of the conditions set out in GDPR Article 17(1) are met, the data shall be kept until the request for deletion by the data subject.
The possible data processors authorized to access the data, recipients of personal data: The personal data may be processed by the authorized employees of the data controller.
Description of data subjects’ rights related to data processing:
The data subject may request from the data controller access to their personal data, correction, deletion, or restriction of processing, and
the data subject has the right to data portability and the right to withdraw consent at any time.
The data subject may request access to, deletion, modification, restriction of processing or portability of personal data in the following ways:
by postal mail at 1114 Budapest, Ulászló Street 21, 4th floor, room 401,
by sending an e-mail to adam@motelnext.hu,
by phone on +36 30 478 8246.
Legal basis of data processing: consent of the data subject, Article 6(1)(b) and (c). By contacting us, you consent to the processing of your personal data (name, phone number, email address) in accordance with this policy.
We hereby inform you that
the present data processing is based on your consent, or it is necessary for providing a quotation or based on a legal obligation in case of contractual relationship (cooperation).
you are required to provide personal data in order to contact us.
failure to provide data will result in your inability to contact the Service Provider.
The data processors used
Booking
Activity performed by data processor: Room reservation
Name and contact details of the data processor:
Name: Digital Arbitrage, Inc.
Address: United States San Diego, CA 92103 2655 4th Avenue
Contact: 888-392-9478
Privacy Policy: https://www.cloudbeds.com/privacy-policy/
The fact of data processing, scope of processed personal data: First name, Last name, Email, Phone number, Country, Postal code, City, Street, County, Date of birth, ID number, and billing information.
The circle of data subjects: Persons making the reservation
Purpose of data processing: Processing room reservations, confirming transactions, and conducting fraud monitoring to protect users.
The duration of data processing, deadline for data deletion: Until the accommodation is used.
The legal basis for data processing: Article 6(1)(b) of the GDPR. The legal basis is necessary for the performance of a contract at the request of the data subject.
The rights of the data subject:
You can inform yourself about the circumstances of data processing,
You have the right to receive confirmation from the data controller as to whether your personal data is being processed, and you have the right to access all information related to such processing.
You have the right to receive your personal data concerning you in a structured, commonly used, and machine-readable format.
You have the right to request the data controller to rectify inaccurate personal data concerning you without undue delay.
Additional information: Online bookings are processed through the Cloudbeds system. The personal data provided when placing a booking is transferred to Cloudbeds’ servers in the United States. The transferred personal data is handled in accordance with the Cloudbeds Privacy Policy available at cloudbeds.com.
Hosting Provider
Activity performed by the processor: Hosting services
Processor name and contact details:
Name: Sybell Informatika Kft.
Address: 1158 Budapest, Késmárk utca 7/B, 2nd floor, 206.
Phone: +36 1 707 6726
Processed data: All personal data provided by the data subject.
Data subjects: All users of the website.
Purpose of processing: Ensuring availability and proper operation of the website.
Retention period: Until the agreement between the data controller and the hosting provider is terminated, or until the data subject requests deletion from the hosting provider.
Legal basis of processing: GDPR Article 6(1)(f), and Section 13/A (3) of Act CVIII of 2001 on electronic commercial services.
Rights of the data subject:
You may obtain information regarding the circumstances of data processing.
You have the right to receive confirmation from the data controller as to whether your personal data is being processed, and you may access all information related to the processing.
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
You have the right to request the data controller to rectify inaccurate personal data without undue delay.
You may object to the processing of your personal data.
Website Operation
Activity performed by the processor: Website operation (monitoring, technical updates, security development, further improvements, maintenance)
Processor name and contact details:
Name: Sybell Informatika Kft.
Address: 1158 Budapest, Késmárk utca 7/B, 2nd floor, 206.
Phone: +36 1 707 6726
E-mail: info@sybell.hu
Processed data: All personal data provided by the data subject.
Data subjects: All individuals using the website’s services or those registered/placing orders on the website.
Purpose of processing: Operation of the website (development, monitoring, troubleshooting).
Retention period: Until the agreement between the Service Provider and the website operator is terminated, or until the data subject requests deletion.
Legal basis: GDPR Article 6(1)(f), and Section 13/A (3) of Act CVIII of 2001.
Rights of the data subject:
You may obtain information regarding the circumstances of data processing.
You have the right to receive confirmation as to whether your personal data is being processed and to access all relevant information.
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
You have the right to request rectification of inaccurate personal data without undue delay.
You may object to the processing of your personal data.
Accounting and Invoicing
Activity performed by the processor: Accounting and invoicing
Processor name and contact details:
Name: ZaTech Kft
Company registration number: 01-09-192373
Address: 1114 Budapest, Ulászló utca 21. 4th floor, 401
Tax number: 24971829-2-43
E-mail: adam@motelnext.hu
Scope of data processing and types of data processed:
Name, billing name, billing address.
Categories of data subjects:
All individuals placing an order on the website.
Purpose of data processing:
Issuing electronic invoices / performing accounting tasks.
Duration of data processing / deadline for deletion:
8 years, in accordance with Section 169 (2) of Act C of 2000 on Accounting.
Legal basis of processing:
GDPR Article 6(1)(c), and Section 13/A (3) of Act CVIII of 2001 on electronic commerce and information society services.
Rights of the data subject:
You may obtain information regarding the circumstances of data processing.
You have the right to receive confirmation from the data controller as to whether your personal data is being processed, and you may access all information related to such processing.
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
You have the right to request the data controller to rectify inaccurate personal data concerning you without undue delay.
Online Marketing Services
Activity performed by the processor:
Online marketing
Processor name and contact details:
Name: ReachMedia Kft.
Registered office: 1036 Budapest, Lajos utca 118–120.
Website: https://www.reachmedia.hu/
Customer service: +36 1 373 0953
Scope of data processed:
Name, email address, visitor data.
Categories of data subjects:
All users of the website and all newsletter subscribers.
Purpose of data processing:
Promoting and advertising products available on the website, increasing website traffic.
Duration of data processing:
Until the agreement between the Service Provider and the processor specified in this section is terminated, or until the data subject submits a deletion request to the processor.
Legal basis:
User consent; Section 5(1) of the Infotv.; GDPR Article 6(1)(a); and Section 13/A(3) of Act CVIII of 2001.
Rights of the data subject:
You may obtain information regarding the circumstances of data processing.
You have the right to receive confirmation from the data controller as to whether your personal data is being processed, and to access all related information.
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
You have the right to request the controller to rectify inaccurate personal data concerning you without undue delay.
Recipients with whom personal data may be shared (Data Transfers)
Online Payment
Activity performed by the Recipient:
Online payment processing
Recipient name and contact details:
Name: PayPal (Europe) S.a.r.l. et Cie, S.C.A.
Address: 22–24 Boulevard Royal, L-2449 Luxembourg
Website: www.paypal.com
Privacy Policy: https://www.paypal.com/hu/webapps/mpp/ua/privacy-prev
Scope of data processed:
Booking data, billing data, name, email address.
Categories of data subjects:
All individuals who choose PayPal as the payment method on the website.
Purpose of data processing:
Processing online payments, confirming transactions, and fraud monitoring for user protection.
Duration of data processing:
Until the online payment process is completed.
Legal basis:
GDPR Article 6(1)(b) – necessary to perform an online payment requested by the data subject.
Rights of the data subject:
You may obtain information regarding the circumstances of data processing.
You have the right to receive confirmation from the controller as to whether your personal data is being processed, and to access all relevant information.
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
You have the right to request the controller to rectify inaccurate personal data without undue delay.
Additional information:
Online purchases are processed through the PayPal system.
The personal and payment data provided during checkout are transferred to PayPal’s servers in the United States.
PayPal handles these personal data in accordance with its Privacy Policy available at paypal.com.
Cookie Management
Typical cookies used by online shops include:
“password-protected session cookies,” “shopping cart cookies,” “security cookies,” “necessary cookies,” “functional cookies,” and “analytics cookies,”
all of which may be used without requiring prior consent from the data subject.
Scope of data processed:
Unique identifier, dates, times.
Categories of data subjects:
All visitors to the website.
Purpose of processing:
Identifying users, maintaining the shopping cart, and tracking visitor behaviour.
Duration of data processing:
Cookie Type
Retention
Session cookies
session duration
Persistent/saved cookies
until expiry
Statistical cookies
according to analytics settings
Persons authorised to access data:
The controller does not process personal data directly through cookies.
Rights of the data subject:
Data subjects may delete cookies in their browser settings under Tools/Settings → Privacy.
Legal basis:
No consent is required if the sole purpose of using cookies is to perform the transmission of communications over an electronic communications network or if the service provider strictly needs them to provide an information society service explicitly requested by the user.
Use of Google Ads Conversion Tracking
The controller uses the “Google AdWords” online advertising program and its conversion tracking service. Google Conversion Tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
When a user arrives at the website through a Google ad, a cookie required for conversion tracking is placed on their device. These cookies are valid only for a limited time and do not contain personal data, thus they cannot identify the user.
When the user visits certain pages and the cookie has not expired, both Google and the controller can see that the user clicked on the advertisement.
Each Google Ads customer receives a different cookie, making cross-website tracking impossible.
The information collected through conversion cookies is used to generate conversion statistics for Ads customers.
These statistics show the number of users who clicked on the ad and reached a page tagged with a conversion pixel.
However, no personal information is provided that would allow user identification.
If you do not wish to participate in conversion tracking, you can disable the installation of cookies in your browser settings.
After doing so, you will not be included in conversion statistics.
More information and Google’s privacy policy are available at:
google.de/policies/privacy/
Use of Google Analytics
This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses cookies—text files stored on the user’s device—to analyse website usage.
Information generated by the cookie is typically transmitted to and stored on Google servers in the USA.
With IP anonymisation enabled, Google shortens the user’s IP address within EU/EEA countries before transmission.
Only in exceptional cases is the full IP address transferred to Google’s US servers and shortened there.
Google uses this information to evaluate how the user interacts with the website, compile reports for the operator, and provide additional services related to website and internet usage.
Google does not associate the user’s transmitted IP address with any other data held by Google.
Users may prevent cookie storage by adjusting their browser settings; however, some website features may become unavailable.
Users can also prevent Google from collecting and processing data generated by cookies (including IP address) by installing the browser plugin available at:
https://tools.google.com/dlpage/gaoptout?hl=hu
Facebook Pixel
The Facebook Pixel is a piece of code that enables conversion tracking, audience building, and detailed analytics regarding visitor activity.
With the Facebook remarketing pixel, personalised offers and ads may be displayed to website visitors on the Facebook platform.
The remarketing list cannot be used to identify individuals.
More information on Facebook Pixel is available at:
https://www.facebook.com/business/help/651294705016616
Newsletter and Direct Marketing (DM) Activities
In accordance with Section 6 of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities, the User may give their prior and explicit consent to the Service Provider contacting them at the contact details provided at registration with marketing offers and other communications.
Furthermore, in view of the provisions of this notice, the Customer may consent to the Service Provider processing their personal data necessary for sending marketing offers.
The Service Provider does not send unsolicited marketing messages, and the User may unsubscribe from receiving offers at any time, free of charge, without restriction or justification. In this case, the Service Provider deletes all personal data necessary for sending marketing messages from its records and will no longer contact the User with further marketing offers. The User may unsubscribe from the marketing messages by clicking on the link included in the message.
Facts of data collection, scope of data processed and purpose of processing
Personal data processed:
Name, email address
Time of subscription
IP address at the time of subscription
Categories of data subjects:
All individuals subscribing to the newsletter.
Purpose of data processing:
To send electronic messages containing advertising (email, SMS, push notifications) to the data subject, and to provide information on current news, products, promotions, new features, etc.
Duration of processing / deadline for deletion:
Processing continues until the consent statement is withdrawn, i.e. until unsubscription.
Persons authorised to access the data, recipients of personal data:
Personal data may be processed by the controller’s sales and marketing staff, in compliance with the above principles.
Rights of the data subject
The data subject may request from the controller:
access to personal data concerning them,
rectification, erasure, or restriction of processing of such data, and
may object to the processing of their personal data, and
has the right to data portability, as well as the right to withdraw their consent at any time.
The data subject may initiate access, erasure, modification, restriction of processing, data portability or objection in the following ways:
by post: 1114 Budapest, Ulászló utca 21. 4. em. 401.
by email: adam@motelnext.hu
by phone: +36 30 478 8246
The data subject may unsubscribe from the newsletter at any time, free of charge.
Legal basis for processing:
The data subject’s consent, GDPR Article 6(1)(a) and (f), and Section 6(5) of Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities:
The advertiser, the advertising service provider and the publisher of the advertisement shall keep records of the personal data of those persons who have given their consent, within the scope defined in the consent. The data recorded in these records regarding the recipient of the advertisement may be processed only in accordance with the content of the consent, until it is withdrawn, and may be transferred to a third party only with the prior consent of the data subject.
We inform you that:
data processing is based on your consent and on the legitimate interest of the Service Provider,
providing personal data is necessary if you wish to receive our newsletter,
failure to provide data results in our inability to send you newsletters.
Complaint Handling
Facts of data collection, scope of data processed and purpose of processing
Personal data:
Surname and first name
Email address
Phone number
Billing name and address
Categories of data subjects:
All data subjects who purchase via the website and submit a complaint regarding quality issues.
Duration of processing / deadline for deletion:
Records of complaints, transcripts and copies of the responses must be retained for 5 years in accordance with Section 17/A(7) of Act CLV of 1997 on Consumer Protection.
Persons authorised to access the data, recipients of personal data:
Personal data may be processed by the controller’s sales and marketing employees, in compliance with the above principles.
Rights of the data subject
The data subject may request from the controller:
access to personal data concerning them,
rectification, erasure, or restriction of processing, and
has the right to data portability, as well as the right to withdraw their consent at any time.
The data subject may initiate access, erasure, modification, restriction of processing or data portability in the following ways:
by post: 1114 Budapest, Ulászló utca 21. 4. em. 401.
by email: adam@motelnext.hu
by phone: +36 30 478 8246
Legal basis for processing:
The data subject’s consent, GDPR Article 6(1)(c), and Section 17/A(7) of Act CLV of 1997 on Consumer Protection.
We inform you that:
providing personal data is a legal obligation,
the processing of personal data is a precondition for concluding the contract,
you are required to provide your personal data so that we can handle your complaint,
failure to provide data results in our inability to handle your complaint.
Social Media Pages
Facts of data collection, scope of processed data
Name registered on social media platforms such as Facebook / Google+ / Twitter / Pinterest / YouTube / Instagram, etc., and the user’s public profile picture.
Categories of data subjects
All data subjects who are registered on the above social media platforms and who have “liked” the website.
Purpose of data collection
To share and promote certain content elements, products, promotions, or the website itself on social media platforms (e.g. via “like” or share).
Duration of data processing, authorised persons, rights
Information on the source of the data, the processing, method of transfer, and its legal basis can be found in the privacy policies of the respective social media platforms. Data processing is carried out on these platforms, therefore the duration, method of processing and the options for deletion and modification of data are governed by the rules of the relevant social media site.
Legal basis for processing:
The data subject’s voluntary consent to the processing of their personal data on social media platforms.
Customer Relations and Other Processing
If, in connection with the use of our services, the data subject has any questions or issues, they may contact the controller via the contact options provided on the website (phone, email, social media, etc.).
The controller stores incoming emails and messages, and data provided by phone, Facebook, etc. together with the inquirer’s name, email address and any other voluntarily provided personal data, for a maximum period of 2 years from the time of data provision, after which they are deleted.
For processing activities not listed in this notice, we provide information at the time the data is collected.
In the case of exceptional requests from authorities, or if required by law for other bodies, the Service Provider is obliged to provide information, hand over data, or make documents available.
In such cases, the Service Provider will disclose personal data to the requesting party only to the extent strictly necessary to achieve the purpose of the request, provided that the request precisely specifies the purpose and the scope of the data.
Rights of Data Subjects
Right of Access
You have the right to obtain confirmation from the controller as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and to the information listed in the Regulation.
Right to Rectification
You have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to Erasure (“Right to be Forgotten”)
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase personal data without undue delay where certain grounds apply.
Right to be Forgotten
Where the controller has made the personal data public and is obliged to erase it, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure of any links to, or copy or replication of, those personal data.
Right to Restriction of Processing
You have the right to obtain from the controller restriction of processing where one of the following applies:
you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims;
you have objected to processing; in this case, restriction applies for the period until it is verified whether the legitimate grounds of the controller override your legitimate grounds.
Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (…).
Right to Object
In the case of processing based on legitimate interests or the exercise of official authority, you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions.
Right to Object to Direct Marketing
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The above shall not apply if the decision:
is necessary for entering into, or performance of, a contract between you and the controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
is based on your explicit consent.
Time Limits for Action
The controller shall provide information on action taken on your request without undue delay and in any event within 1 month of receipt of the request.
That period may be extended by 2 further months where necessary. The controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.
If the controller does not act on your request, they shall inform you without delay and at the latest within 1 month of receipt of the request of the reasons for not taking action and of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
Security of Processing
Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate:
pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Informing the Data Subject about a Personal Data Breach
Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and shall contain at least the name and contact details of the data protection officer or other contact point, a description of the likely consequences of the personal data breach, and a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Communication to the data subject shall not be required if any of the following conditions are met:
the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those measures such as encryption which render the data unintelligible to any person who is not authorised to access it;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby data subjects are informed in an equally effective manner.
If the data subject has not already been informed of the personal data breach, the supervisory authority may, after considering the likelihood of high risk, require the controller to communicate the breach to the data subject.
Notification of a Personal Data Breach to the Supervisory Authority
The controller shall notify the personal data breach to the competent supervisory authority pursuant to Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.
Right to Lodge a Complaint
In the event of an infringement by the controller, you may lodge a complaint with the National Authority for Data Protection and Freedom of Information:
Nemzeti Adatvédelmi és Információszabadság Hatóság
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf. 5.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
Email: ugyfelszolgalat@naih.hu
Closing Provisions
In drafting this notice, we have taken into account the following legislation, among others:
Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.)
Act CVIII of 2001 on certain issues of electronic commerce services and information society services (in particular Section 13/A)
Act XLVII of 2008 on the prohibition of unfair commercial practices against consumers
Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (particularly Section 6)
Act XC of 2005 on Freedom of Electronic Information
Act C of 2003 on Electronic Communications (in particular Section 155)
Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising
Recommendation of the National Authority for Data Protection and Freedom of Information on the data protection requirements of prior information
Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
2018.05.17
Motel Next
Zatech Kereskedelmi Kft.
