Datenschutz-Bestimmungen

 

Data manager: Debreceni Gyógyfürdő Kft.

Company registration number of data manager: Cg.09-09-002758

Registered seat of data manager: 4032 Debrecen, Nagyerdei park 1.

Contact details of data manager: informacio@aquaticum.hu

Representative of data manager: Palotai Péter

 

We hereby inform you that your personal data related to the hotel services you use are handled according to the followings:

Rules of data management

Since information self-determination is a fundamental right as laid down in the Fundamental Law of Hungary, the company may manage data exclusively during its procedures and pursuant to the provisions of the current legislation.

Personal data may be managed exclusively to exercise a right or fulfil an obligation. Using the personal data managed by the company for private purposes is prohibited. Data management must meet the principle of purpose limitation at all times.

The Company may manage personal data exclusively for a specific purpose, to exercise a right or fulfil an obligation, to the extent it is necessary and for a minimum defined duration. Data management shall be performed in line with the aim at all stages - and if the aim becomes irrelevant, or data management is against the law, data are deleted. Deletion of data shall be arranged by the employee of the Company responsible for data management pursuant to the Company’s Policy on document management. Deletion may be supervised by the persons who act as the employer of the employee as well as the employee responsible for privacy policy.

The company may manage personal data only upon prior - in case of special personal data written - approval of the person concerned or pursuant to the law or an authorization prescribed by the law.

The Company shall inform the person concerned about the purpose and legal grounds of data management.

 

Terms

The terminology is in line with the glossary of Section 3 of the Infotv. (Act on the Right of Informational Self-Determination and on Freedom of Information):

  • person concerned: any defined natural person, identified or identifiable - either directly or indirectly - based on personal data.
  • personal data: any data related to the person concerned - particularly the name, ID number of the person concerned, or details about one or more physical, physiological, mental, economic, cultural or social characteristics - or consequences to be drawn from the above about the person concerned;
  • special data:
    1. any personal data related to race, nationality, political opinion or party affiliation, religious or other philosophical conviction, membership in any representative body, sexual orientation;
    2. personal data related to health status, addiction or criminal record;
  • personal criminal record: personal data related to the person concerned generated during or prior to criminal proceedings, in connection with criminal offence at competent bodies carrying out criminal proceedings or investigating criminal activity, and personal data generated at penal institutions related to or in connection with criminal records or the person concerned;
  • contribution: the voluntary and firm declaration of the person concerned, based on appropriate information, with which he/she gives his/her explicit consent to handle his/her personal data either in a comprehensive way or limited to specific procedures.
  • objection: the declaration of the person concerned, with which he/she objects to the management of his/her personal data, therefore asks for the cancellation of the data management or for the deletion of his/her data;
  • data manager: the natural person or legal entity or organisation without legal entity, defining the purpose of the data management individually or together with others, deciding on and executing the process of data management (including the devices used), or having it executed by assigned data processors.
  • data management: irrespective of the procedures applied it means the processes performed on the data, such as collecting, recording, logging, organizing, storing, modifying, using, retrieving, transmitting, publishing, coordinating, attaching, locking, deleting, eliminating or preventing any further use of the data. Taking photos, video-recording or recording any kind of physical characteristics (finger or palm print, DNA-sample, iris recognition) that makes the identification of a person possible.
  • transmission of data: making the data accessible to third parties;
  • publication: making the data accessible to third parties;
  • deletion of data: making the data undetectable without the possibility of restoration;
  • designation of data: adding an identification mark to the data to differentiate them;
  • locking of dataadding an identification mark to the data to make it impossible to be used permanently or for a certain period of time;
  • elimination of data: the complete physical destruction of the data carrier storing the data;
  • data processing: performing the technical tasks related to data management processes, irrespective of the method and device used for the implementation of the tasks, or of the place of the application, provided that the technical task is carried out on the data;
  • data processor: the natural person or legal entity or organisation without legal entity, who or which performs the data processing based on a contract, including contracts concluded pursuant to the provisions of the law;
  • data owner: a public sector body generating the data of public interest to be published electronically, or generating data during its normal operation;
  • data publisher: a public sector body that - if data owner does not publish the data - publishes the data received by the data owner on a website.
  • data set: all the data handled in the same registry;
  • third party: the natural person or legal entity or organisation without legal entity, who is not identical with the person concerned, the data manager or the data processor;
  • EGT-state:  member state of the European Union or a state being contracting party to the Agreement on the European Economic Area, furthermore, a state, the citizen of which enjoys a status equivalent to the status of a citizen of a state being a contracting party to the Agreement on the European Economic Area based on a contract concluded between the member states of the European Union and a state that is not part of the Agreement on the European Economic Area;
  • third country: any other state which is not an EGT-state;
  • privacy incident unlawful management or process of personal data, in particular unauthorised access, modification, forwarding, disclose, deletion or destruction, or incidental damage or destruction.

 

Enforcement of the rights of the persons concerned

The persons concerned may request information about the management and correction of their personal data, or - except the data management required by the law - may request deletion of the data via the contact details of the Company.

The company shall forward the request, or the objection to manager of the relevant organisational unit authorized to and responsible for and data management within three days following receipt.

The manager of organisational unit authorized to and responsible for data management shall reply to the request no later than 15 days - in case of objection within 5 days - following receipt in writing and in a comprehensible way.

The information to be provided shall include information specified in paragraph (1) of Section 15 of the Infotv., if the information provision may not be withheld under the law.

The information is provided free of charge, as a matter of principle, the Company may charge any fee exclusively in cases set out in paragraph (5) of Section 15 of Infotv.

Company may reject requests exclusively based on reasons set out in paragraph (1) of Section 9 or Section 19 of the Infotv. The request may only be rejected in writing as set out in paragraph (2) of Section 16 of the Infotv.

Incorrect data shall be corrected by the manager of the relevant organisational unit - if the necessary data and the public records are available - and on the grounds of paragraph (2) of Section 17 of Infotv. he/she makes arrangements to delete the personal data.

For the period until a decision is made about the objection - but not more than 5 days - data management is suspended by the manager of the organisational unit responsible for data management, examines the justification of the objection and makes a decision, and informs the person who submitted the objection pursuant to paragraph (2) of Section 21 of the Infotv.

If the objection is justified, the manager of the organisational unit responsible for data management shall act according to paragraph (3) of Section 21 of the Infotv.

If the case is not considered evident during the process when the person concerned is exercising his/her rights, the manager of the organisational unit managing the data may ask the employee responsible for data management to express his/her standpoint, who shall provide it within three days.

Company shall pay any damages arising out of unlawful management of the data of the person concerned or damage caused to a third party by breaching data security requirements or general damages in case of infringement of personality rights caused by data processors employed by the Company. Data manager is exempted from the liability for the damages and the payment of general damages, if it can prove that the damage and the infringement of personality rights were caused by unavoidable reasons outside the control of data manager. Data manager is exempted from the liability if the damage was caused intentionally or due to grave negligence of the damaged party.

The person concerned may turn to NAIH (National Data Protection and Freedom of Information Authority) regarding any complaints about the data management procedures of the Company.

name: National Data Protection and Freedom of Information Authority

seat: 1024 Budapest, Szilágyi Erzsébet fasor 22/C.

website: www.naih.hu

 

Data management in connection with hotel services

During the provision of hotel services the company manages personal data.

The persons concerned fill in a registration form when checking in the hotel. The company asks the following data on the registration form:

  • name
  • date of birth
  • citizenship
  • ID card number
  • children’s name
  • address
  • e-mail address
  • if the guest arrives by car, the registration number of the car

 

data management registration number: Pursuant to paragraph (a) a) of Section 65 of the Infotv. (Act on the Right of Informational Self-Determination and on Freedom of Information) the National Data Protection and Freedom of Information Authority does not keep records on data management, because it refers to the data of the clients of data manager.

aim of data management: ensuring check in at the hotel, allocating rooms to clients

range of data managed: name, date of birth, citizenship, ID card number, children’s name, address, e-mail address, if the quest arrives by car, the registration number of the car

legal ground of data management: consent of the subject pursuant to paragraph (1) a) of Section 5 of the Infotv.

term of data storage: until the aim of the data management is fulfilled (data are deleted when the guest checks out from the hotel and does not declare, that he/she requests the hotel to keep his/her data to arrange the next check-in more smoothly)

mode of data controlling: on paper or electronically