Introduction

Borbora Kft. (hereinafter: Service Provider) is the operator of the website www.borbora.hu (hereinafter: Website) and the Borbora Borház Villa accommodation (hereinafter: Accommodation), and manages the data of Website visitors, those who place orders or reservations, users who register on the Website, and those who subscribe to the Newsletter, and customers of their products and services (hereinafter collectively: Data Subject or Data Subjects) .

CXII of 2011 on the right to information self-determination and freedom of information. law – hereinafter: Infotv – in accordance with paragraph (4) of § 20, as well as the data protection regulation No. 2016/679 of the European Union (General Data Protection Regulation, GDPR, hereinafter: “Regulation” or “GDPR”), the Service Provider provides Data Subjects with data management before starting, hereby informs you about the personal data it handles on the Website and during business transactions, the principles, purpose and practice of handling personal data, the organizational and technical measures it has taken to protect data, as well as the way and possibilities for exercising the rights of the Data Subjects.

By using the Website, accepting the use of cookies (see Cookie Policy), submitting an order or a reservation, registering, or subscribing to the Newsletter, the Data Subject accepts the provisions of the Privacy Policy and consents to the data management specified in this Privacy Policy. The service available on the website can only be used by persons over the age of 18.

  1. Service Provider as Data Controller

Company name: Borbora Kereskedelmi és Szolgáltató Kft.
Company short name: Borbora Kft.
Headquarters: 2030 Érd, Csanád u. 93.
Tax number: 14417179-2-13
Company registration number: 13-09-122010
Registration court: Budapest District Court Company Office
E-mail address: info@borbora.hu
Phone number: +36-30/914-1675

The Data Controller is a business service provider registered in Hungary.

The Data Controller operates the Website, which was created for the purpose of presenting and purchasing products produced or services provided and distributed by the Service Provider online, has a commercial relationship with merchants, caterers and customers, and occasionally organizes or participates in the organization of wine-related programs and forums. The Data Controller also operates the Accommodation, which is suitable for guests to stay on site for several days.

  1. Concept definitions

The terms appearing in the Data Protection Policy have the following meaning:

Data management: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as the collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, limiting, deleting or destroying.

Data controller: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others.

Personal information or data: any information relating to an identified or identifiable natural person (“data subject”); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person can be identified.

Data processor: the natural or legal person, public authority, agency or service provider who processes personal data on behalf of the Data Controller.

Data subject: the natural person who provides his or her personal data or whose personal data is provided to the Service Provider.

External service provider: third-party service partners used by the Data Controller or the Website operator, either directly or indirectly, in connection with the provision of individual services, to whom personal data is or may be transmitted in order to provide their services, or who provide personal data to the Service Provider can be forwarded. External service providers are also service providers that do not collaborate with the Service Provider or the operators of the services, but by accessing the Website, they collect data about the data subjects, which, either independently or combined with other data, may be suitable for the identification of the data subject. When providing hosting services, the Service Provider also considers the data subject to be an external service provider in terms of the data management activities carried out on the hosting used by him.

Data protection incident : a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.

Policy: this Privacy Policy of the Service Provider.

  1. Principles of data management

In order to protect and respect the privacy of the Data Subjects, the Service Provider handles the data management in accordance with the applicable legislation, and in particular in accordance with Infotv and the Regulation. The Service Provider only manages the Data Subject’s personal data specified in this Policy and the Cookie Policy in full accordance with the detailed normative text and basic principles of the relevant legislation.

The Service Provider takes all necessary and sufficient technical and organizational measures in order to ensure the security of the provided personal data during the entire data management phase. The Service Provider does not transfer the personal data managed by it to third parties other than those specified in these Regulations.

The data must be handled in such a way that adequate security of personal data is ensured by applying appropriate technical and/or organizational measures. An exception to the provisions contained in this point is the use of data in a statistically aggregated form, which may not contain any other data capable of identifying the Data Subject in any form.

In certain cases, the Service Provider may, due to an official court or police inquiry, legal proceedings, copyright, property or other infringements, or due to reasonable suspicion of such infringements, harm the interests of the Service Provider, jeopardize the provision of the service, etc. – makes available personal data of the data subject accessible to third parties.

Terms used in these Regulations must be interpreted primarily according to the terms defined in the interpretation provisions of the Regulation and other data protection legislation.

Basic principles of data management

“Legality, fair procedure, transparency”

The data must be handled legally and fairly, as well as in a transparent manner for the data subject.

“Destiny”

Personal data may only be collected for specific, clear and legitimate purposes, they may not be handled in a manner incompatible with these purposes; in accordance with Article 89 (1) of the GDPR, further data processing for the purpose of archiving in the public interest, for scientific and historical research purposes or for statistical purposes is not considered incompatible with the original purpose.

In all cases where the Service Provider intends to use the personal data for a purpose other than the purpose of the original data collection, it shall inform the data subject thereof and shall obtain his/her express prior consent, or provide him/her with the opportunity to prohibit the use.

“Data saving, data minimization”

The processed personal data must be appropriate and relevant for the purposes of data management and must be limited to what is necessary.

The Service Provider only handles the data provided by the data subjects or their employers/contractors/customers, defined in the law, for the purposes defined in these regulations. The range of personal data handled is proportional to the purpose of the data management, it cannot expand beyond that.

“Accuracy”

The data must be necessary and relevant for the purpose of data management, and must also be accurate and, if necessary, up-to-date. The Service Provider will take all reasonable measures to ensure that inaccurate personal data is deleted or corrected immediately.

The Service Provider does not check the personal data provided to it. The person providing it is solely responsible for the adequacy of the provided personal data. When entering the e-mail address of any user, as well as the data provided during registration (e.g. user name, ID, password, etc.), the user assumes responsibility for ensuring that the e-mail address provided or using the data provided by him, only he uses the service. In view of this responsibility, any responsibility related to access to a specified e-mail address and/or data is the sole responsibility of the user who registered the e-mail address and provided the data.

“Limited shelf life”

The data must be stored in a form that allows the identification of the data subjects only for the time necessary to achieve the goals of personal data management.

“Integrity and Confidentiality”

The processing of personal data must be carried out in such a way that the appropriate security of personal data is ensured by applying appropriate technical or organizational measures, including protection against unauthorized or illegal processing, accidental loss, destruction or damage of data.

“Appointment of a Data Protection Officer (DPO)”

After the preliminary analysis carried out by the Service Provider, it can be established that, based on the Regulation, the Service Provider is not obliged to appoint a data protection officer, as the Service Provider is not a public authority or a body performing a public task, the Service Provider’s activities do not include any operation that the affected parties regularly and systematically, they require extensive monitoring, and the Service Provider does not manage special data or personal data related to decisions regarding the establishment of criminal liability and crimes.

  1. Purpose of data management

The overall purpose of the Service Provider’s data management is to operate the Website and the Accommodation, provide its services, and establish and fulfill commercial and contractual relationships.

The detailed purposes of data management based on the above:

  • identification of the Data Subject, contact with the Data Subject

  • Preparation of the contract created during the purchase on the Website or the reservation of the Accommodation, fulfillment of the contractual obligations by the Data Controller, enforcement of its rights;

  • providing concise, transparent, understandable and easily accessible information to the Data Subject

  • creation and performance of legal transactions between the Service Provider and the Data Subject within the scope of the Service Provider’s activities

  • in the case of using a fee-based service, fee collection and invoicing

  • fulfilling the obligations of the Data Controller, exercising the Data Controller’s rights

  • making analyses, statistics, development of services – for this purpose, the Data Controller only uses anonymized data and aggregations that are not suitable for personal identification

  • Advertising and research with the Data Subject’s separate consent

  • protection of the Data Subject’s rights

The data must be handled legally and fairly, as well as in a transparent manner for the Data Subject. The Service Provider strives to ensure that only such personal data is processed that is essential for the realization of the purpose of data management and suitable for achieving the purpose. Personal data can only be processed to the extent and for the time necessary to achieve the purpose.

  1. Legal basis for data management

Based on Article 6 of the Regulation, personal data can be processed if

  1. the Data Subject has given his consent to the processing of his personal data for one or more specific purposes;

  2. data processing is necessary for the performance of a contract in which the Data Subject is one of the parties, or it is necessary for taking steps at the Data Subject’s request prior to the conclusion of the contract;

  3. data management is necessary to fulfill the legal obligation of the Data Controller;

  4. data processing is necessary to protect the vital interests of the Data Subject or another natural person;

  5. data processing is in the public interest or is necessary for the execution of a task performed in the context of the exercise of public authority granted to the data controller;

  6. data processing is necessary to enforce the legitimate interests of the Data Controller or a third party, unless these interests are overridden by the interests or fundamental rights and freedoms of the Data Subject that require the protection of personal data, especially if the data subject is a child.”

The legal basis for data management by the Service Provider – taking into account the nature of the Service Provider’s activities – is primarily the Data Subject’s voluntary, express consent based on adequate information.

In addition, CVIII of 2001 on certain issues of electronic commercial services and services related to the information society applies to data management. It takes place on the basis of law – Ekertv.

The Service Provider may manage it for the purposes of creating the contract, defining its content, amending it, monitoring its performance, invoicing the fees arising from it, and asserting related claims

  • natural personal identification data and address necessary to identify the Data Subject.

The Service Provider can process the fees from the contract for the purpose of invoicing

  • natural personal identification data related to the use of the service, address, as well as data on the time, duration and location of the use of the service.

In addition to the above, the Service Provider may process it for the purpose of providing the service

  • the personal data that are technically essential for the provision of the service.

The processing of personal data necessary for ordering and fulfilling contracts is governed by Art. CVIII of 2001. are based on the authorization specified in §§ 13/A.(1)-(3) of the Act.

The Data Subject voluntarily contacts the Service Provider, or voluntarily registers, or voluntarily uses the Service Provider’s service, either during the performance of a task for his employer/client/customer. In the absence of the Data Subjects’ consent, the Service Provider only handles data if it is clearly authorized by law.

If the data management is based on consent, the Data Controller must be able to prove that the Data Subject has consented to the processing of his personal data. The Data Subject has the right to withdraw his consent at any time with regard to all data processing, the legal basis of which is the Regulation in point 5.1.a) of the Regulation above. Withdrawal of consent does not affect the legality of data processing based on consent and before withdrawal.

Data transmission to the Data Processors defined in these Regulations can be carried out without the Data Subject’s separate consent.

When the user accesses individual websites, the Service Provider collects the IP address of the user in connection with the provision of the service, in view of the legitimate interest of the Service Provider and for the reason of the legal provision of the service (e.g. to filter out illegal use or illegal content), even without the user’s separate consent. records.

  1. Duration of data management

The processing of personal data mandatorily provided during registration begins with registration and lasts until it is deleted upon request. The registration can be canceled at any time, after the cancellation request has been sent, within 5 working days of receiving the cancellation request. Deletion can only be refused if the law authorizes the processing of the data. In all cases, the Service Provider provides information on the refusal of the deletion request and on the law enabling data management.

In the case of non-mandatory data related to the order (contract), the data will be processed until the order is fulfilled.

In the case of a newsletter, the Service Provider manages the data provided by the Data Subject during the subscription to the newsletter until the Data Subject unsubscribes from the newsletter by clicking on the “Unsubscribe” button at the bottom of the Newsletter, or requests to be removed from the list of subscribers to the newsletter by e-mail or by post. In case of unsubscribing, the Service Provider will delete the Data Subject’s data from its system within 5 working days after receiving the request (by e-mail, post or by clicking on the “Unsubscribe” button).

The logged data is stored by the system for 6 months from the date of logging, with the exception of the date of the last visit, which is automatically overwritten.

The Service Provider also deletes the Personal Data,

  • If it turns out that the data is being handled illegally, the Service Provider will delete it immediately.

  • If requested by the Data Subject (with the exception of data processing based on legislation).

  • If it becomes known that the data is incomplete or incorrect – and this state cannot legally be rectified – provided that deletion is not precluded by law.

  • If the purpose of data management has ceased or the statutory period for data storage has expired; Deletion can be refused (i) if the Personal Data is authorized by law; and (ii) necessary for legal protection and enforcement.

  • It was ordered by the court or the National Data Protection and Freedom of Information Authority

If a court or the National Authority for Data Protection and Freedom of Information legally orders the deletion of the data, the deletion will be carried out by the Data Controller.

Instead of deletion, the Service Provider – after informing the Data Subject – locks the personal data, if the Data Subject requests this, or if, based on the information available, it can be assumed that the deletion would harm the legitimate interests of the Data Subject. The personal data locked in this way can only be processed as long as the data management purpose that precluded the deletion of the personal data exists. The Service Provider indicates the personal data it manages if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established.

In the case of data management ordered by law, the deletion of data is governed by the provisions of the law.

In case of deletion, the Service Provider renders the data unsuitable for personal identification. If required by law, the Service Provider destroys the data carrier containing personal data.

In all cases, the Service Provider informs the Data Subject of the refusal of the deletion request, specifying the reason for the refusal of the deletion. After fulfilling the request to delete personal data, the previous (deleted) data can no longer be restored.

Newsletters sent by the Service Provider can be unsubscribed via the unsubscribe link in them. In case of unsubscribing, the Service Provider deletes the Personal Data of the Data Subject in the newsletter database.

Exceptions to data erasure are also all data that must be handled for a specified period of time based on various legal provisions, and are to be guarded, especially the 8-year document retention obligation prescribed in Section 169 (2) of Act C of 2000 on accounting.

The above provisions also do not affect data processing based on additional consents given during registration on the Website or in any other way.

  1. Scope of processed personal data

Order

To place an order on the Websiteor to reserve the Accommodation for a specific period, the Data Subjects (Customer) must provide the following data in order for the Service Provider to fulfill the order:

  • Last name,

  • first name,

  • E-mail address

In order to send and fulfill the order, it is mandatory to enter additional data:

  • Delivery Address:

  • Billing address:

  • Customer phone number:

(Entering the phone number is not mandatory, but it helps to complete it.)

The legal basis for data management is partly the Data Subject’s consent, partly the legislation on taxation and accounting. The purpose of data management is invoicing, collecting fees, fulfilling orders, and handling reservations.

Registration

To register on the Website, the following data must be provided:

  • Username

  • Password,

  • Last name,

  • first name,

  • E-mail address

The legal basis for data management is the Data Subject’s consent, the primary purpose of data management is communication and information for marketing purposes.

Newsletter

on the Website, the following data must be entered:

  • Last name,

  • first name,

  • E-mail address

The legal basis for data management is the Data Subject’s consent, the primary purpose of data management is marketing contact, information, newsletter or XLVIII of 2008. TV. – Grtv. – Sending a direct inquiry according to Section 6 (1).

  1. The source of the data

The Service Provider only handles the personal data provided by the Data Subjects or legal entities that use the service (work) of the Data Subjects for the purpose of preparing/fulfilling the transaction, and does not collect data from other sources.

The data is entered during the Data Subject’s registration. The Data Subject provides his name, e-mail address and password during registration.

  1. Description of the data management process

The source of the data is the Data Subject, or a legal entity with an employment/contract/enterprise legal relationship with him, who uses the data (i) during the possible registration and/or (ii) during the preparation, creation or performance of the legal transaction and/or (iii) the newsletter or the Grtv. Enter it when making a statement related to a direct inquiry according to Section 6 (1). Entering the data on the registration form is mandatory, unless the contrary is expressly stated.

The Data Subject provides the data independently, the Service Provider does not provide any mandatory guidelines in this regard, and does not impose any content expectations. The Data Subject expressly consents to the processing of the data provided by him. In addition to the data requested by the Service Provider, the Data Subject is entitled to provide other data in his profile, the legal basis for data management in this case is also the Data Subject’s voluntary consent.

If the Data Subject registers at any event or forum organized by the Service Provider (e.g. on Facebook, X, etc.) and provides the data requested there, he accepts the Data Protection Policy related to the given event or forum. In this case, by entering the data, the Data Subject does not register on the website, but consents to the processing of the data provided in accordance with the Regulations of the given event or forum.

  1. Technical data

The data of the data subject’s logged-in computer, which are generated during the use of the service and which are recorded by the Service Provider’s system as an automatic result of the technical processes. These are, in particular, the date and time of the visit, the IP address of the Data Subject’s computer, the type of browser, characteristics of the operating system of the device used for browsing (e.g. set language), the address of the viewed and previously visited website. The data that is automatically recorded is automatically logged by the system upon entry or exit without a separate declaration or action by the Data Subject. These data cannot be combined with other personal user data, except in cases made mandatory by law. Only the Service Provider has access to the data.

The Service Provider’s system may collect data on the activities of the Data Subjects, which cannot be linked to other data provided by the Website at the time of registration or to the User/Visitor when connecting, nor to data generated when using other websites or services.

The html code of the Website may contain links to and from an external server independent of the Service Provider. The providers of these links are able to collect user data due to the direct connection to their server.

External servers support the independent measurement and auditing of the Website’s visitor and other web analytics data (Google Analytics). The data controllers can provide the Data Subject with detailed information on the management of the measurement data. Their availability: www.google.com/analytics/

  1. Detailed information about cookies is contained in the Service Provider’s separate Cookie Policy

  2. The range of persons familiar with the data, data transmission, data processing, external service providers

The Service Provider is primarily entitled to know the data, it will not be published or passed on to third parties, with the following exceptions:

The service provider may use a data processor (e.g.: system operator, delivery/shipper, accountant, intermediary) for the fulfillment of orders and settlement of accounts. The service provider is not responsible for the data management practices of those used in this way.

The Service Provider is entitled to use a data processor to carry out its activities. The data processors do not make independent decisions, they are only entitled to act according to the contract concluded with the Service Provider and the instructions received. The Service Provider checks the work of the data processors. Data processors are entitled to use additional data processors only with the consent of the Service Provider. The Service Provider may only use data processors who provide adequate guarantees for the implementation of appropriate technical and organizational measures to ensure the compliance of data management and the protection of the rights of the data subjects.

The data processor may not use additional data processors without the prior written authorization of the Service Provider on a case-by-case or general basis. In the case of a general written authorization, the data processor informs the Service Provider of any planned changes that involve the use of additional data processors or their replacement, thus providing the Service Provider with the opportunity to object to these changes.

The Service Provider indicates the data processors used in the Regulations.

Data processors used by the Service Provider:

In case of payment by bank card:

If the Consumer chooses the payment method by Bank card, then the Consumer consents and accepts that the personal data stored by Borbora Kft. in the user database https://www.borbora.hu will be transferred to the given service provider. Scope of transmitted data: username (in case of registration), last name, first name, country, e-mail address, telephone number.

Purpose of data transmission: customer service assistance for the Consumer, confirmation of transactions, management of online payments and fraud monitoring for the protection of users.

Data processors in this context:

  • OTP Bank Plc. (1051 Budapest, Nádor utca 16.)

  • OTP Mobil Szolgáltató Kft. (1138 Budapest, Váci u. 135-139. B. ép. 5. em.)

  • Raiffeisen Bank Zrt. (1133 Budapest, Váci út 116-118.)

  • Mastercard Magyarország Kft. (1052 Budapest, Deák Ferenc utca 5.)

  • Borgun hf. (Ármúli 30, 108 Reykjavik, Izland)

External service providers:

The Service Provider uses external service providers, which the Service Provider cooperates with.

Regarding the Personal Data managed in the systems of External Service Providers, the guidelines are contained in the External Service Providers’ own data protection regulations. The Service Provider will do its best to ensure that the External Service Provider handles the Personal Data transmitted to it in accordance with the law and uses them exclusively for the purpose specified by the Data Subject or specified below in the Regulations.

The Service Provider informs the Data Subjects about the External Service Providers used for the fulfillment of the orders and the transfer of data to them during the order, before finalizing it.

Data processors in this context:

  • EasyLot Kft. (1222 Budapest, Borkő utca 12., e-mail: info@easylot.hu )

  • Booking.com B.V. (Oosterdokskade 163, 1011 DL, Hollandia

Additional external service providers used by the service provider:

Logistics:

  • Magyar Posta Zrt. (1138 Budapest, Dunavirág utca 2-6.)

  • DPD Hungária Courier and Parcel Service Kft. (1158 Budapest, Késmárk utca 14. B.ép.)

  • GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. (2351 Alsónémedi, GLS Európa u. 2., e-mail: info@gls-hungary.com )

  • SPRINTER Futárszolgált Kft. (1097 Budapest, Táblás utca 39., e-mail: info@sprinter.hu )

Community sites:

  • Facebook (Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

  • Google LLC (1600 Amphitheater Parkway, Mountain View, CA 94043, USA)

IT:

  • Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-7329, USA)

Hosting provider:

  • JUMPER.HU Engineering Consulting, Trading and Service Kft. (1114 Budapest, Orlay u. 2/b., e-mail: info@jumper.hu)

Invoicing and Booking:

  • VIKIT Codex Kft. (1149 Budapest, Pillangó utca 16-20.)

  • KBOSS.hu Kft. (1031 Budapest, Záhony utca 7.)

  • Qsoft Kft. (1119 Budapest, Fehérvári út 85.)

In addition to the above, personal data relating to the Data Subject may only be forwarded in the case required by law or based on the Data Subject’s consent.

  1. Your rights and remedies

The Data Subject may initiate the enforcement of his rights listed in this section to the Service Provider at the following contact details:

  1. Rights of Data Subjects related to data management

The Service Provider informs the Data Subject at the same time as the contact is made about the handling of the data. The Data Subject is also entitled to request information about data management at any time.

The Data Subject has the right to receive feedback from the Service Provider as to whether his personal data is being processed, and if such data processing is in progress, he is entitled to receive access to the personal data and information about the purpose of the data processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data has been or will be communicated, the planned period of storage of the personal data, or, if this is not possible, the criteria for determining this period. The Data Subject has the right to request from the data controller the correction, deletion or restriction of the processing of personal data concerning him and to object to the processing of such personal data. You also have the right to submit a complaint to a supervisory authority, and if the data were not collected from the data subject, all available information about their source.

The data subject has the right to have the data controller correct inaccurate personal data concerning him without undue delay upon request. Taking into account the purpose of the data management, the data subject is entitled to request the completion of incomplete personal data, including by means of a supplementary statement.

With the exception of data processing mandated by law, the Data Subject may request the Service Provider to delete the personal data relating to him without undue delay. The Service Provider informs the Data Subject of the deletion.

The Data Subject may object to the processing of his personal data as specified in Infotv.

a letter addressed to the Service Provider’s headquarters or location, or in an e-mail sent to the Service Provider at the address info@borbora.hu .

The Data Subject may request that the Service Provider restricts the processing of his/her Personal Data if the Data Subject disputes the accuracy of the processed Personal Data. In this case, the limitation applies to the period that allows the Service Provider to check the accuracy of the Personal Data. The Service Provider marks the Personal data it manages if the Data Subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established.

The Data Subject may request that the processing of his Personal Data be restricted by the Service Provider even if the Data Processing is illegal, but the Data Subject opposes the deletion of the processed Personal Data and instead requests a limitation of its use.

The Data Subject may request the restriction of the processing of his Personal Data by the Service Provider even if the purpose of the Data Management has been achieved, but the Data Subject requires their processing by the Service Provider for the presentation, enforcement or defense of legal claims.

The Data Subject has the right to receive the personal data concerning him/her provided to a data controller in a segmented, widely used, machine-readable format, and is also entitled to transmit this data to another data controller without being hindered by the data controller whose made the personal data available to you.

If the Service Provider does not comply with the Data Subject’s request for correction, blocking or deletion, within 30 days of receiving the request, the Service Provider will notify the reasons for rejecting the request for correction, blocking or deletion in writing. In the case of rejection of the request for correction, deletion or blocking, the data controller informs the Data Subject of the possibility of a judicial remedy, as well as the possibility of turning to the National Data Protection and Freedom of Information Authority.

The Data Subject can make the above declarations regarding the exercise of his rights at the contact details of the Data Controller.

The Data Subject can file a complaint directly with the National Data Protection and Freedom of Information Authority (address: 1055 Budapest, Falk Miksa utca 9-11; telephone: +36-(30) 683-5969, +36 (30) 549-6838; electronic submission: https://www.naih.hu/online-ugyinditas) too.

In the event of a violation of the Data Subject’s rights, without prejudice to the right to file a complaint, the Data Subject shall be entitled to an effective judicial remedy if, in his judgment, his rights under the GDPR have been violated as a result of inappropriate handling of his personal data.

The procedure must be initiated before the competent court according to the registered office of the Data Controller.

If the Data Subject wishes to use a judicial remedy, the courts in Hungary have jurisdiction. You can find out about the jurisdiction and contact details of the courts on the following website: www.birosag.hu .

  1. Data security

The service provider undertakes to ensure the security of the data, and to take the technical measures to ensure that the recorded, stored and managed data are protected, and to do everything possible to prevent their destruction, unauthorized use and unauthorized change. You also undertake to call on all third parties to whom you may forward or transfer the data to fulfill their obligations in this regard.

implement appropriate technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management, as well as the varying probability and severity of the risk to the rights and freedoms of natural persons. , to guarantee a level of data security appropriate to the degree of risk.

In the context of the above, the Service Provider:

  • takes care of measures to ensure protection against unauthorized access, including the protection of software and hardware devices, as well as physical protection (access protection, network protection);

  • takes measures to ensure the possibility of restoring data files, about regular backups;

  • takes care of virus protection.

  1. Incident management as a Data Controller

The Data Controller shall report the data protection incident to the National Data Protection and Freedom of Information Authority without undue delay, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is likely to pose no risk to the natural regarding the rights and freedoms of persons.

The Data Controller keeps records of data protection incidents, indicating the facts related to the data protection incident, its effects, and the measures taken to remedy it.

The Data Controller shall inform the data subject of the data protection incident without undue delay if the data protection incident is likely to involve a high risk for the rights and freedoms of natural persons.

An exception to the notification of the data subject if

  • The Data Controller has implemented appropriate technical and organizational protection measures and applied these measures to the data affected by the data protection incident, in particular those measures – such as the use of encryption – that make the personal data unintelligible to persons not authorized to access the personal data. data; obsession

  • Following the data protection incident, the Data Controller has taken additional measures to ensure that the high risk to the rights and freedoms of the data subject is unlikely to materialize in the future; obsession

  • Information would require a disproportionate effort, in which case the data subjects must be informed through publicly published information, or a similar measure must be taken that ensures similarly effective information to the data subjects.

  1. Other provisions

If the Data Subject provided third-party data during registration to use the service or caused damage in any way while using the Website or booking the Accommodation, the Service Provider is entitled to claim compensation from the Data Subject. In such a case, the Service Provider will provide all possible assistance to the acting authorities in order to establish the identity of the person violating the law.

In matters not covered by these Regulations, the GDPR and Infotv. its provisions shall govern

The Service Provider reserves the right to unilaterally amend this Privacy Policy after notifying the Data Subjects in advance via the Website interface. Following the entry into force of the amendment, the Data Subject accepts the provisions of the amended Data Protection Regulations by using the Website.

This Privacy Policy is effective from 25.03.2024