
Privacy Policy

Privacy Policy of Klebelsberg Castle Budapest.

I. GENERAL PROVISIONS



Pro Cultura Kft., as the operator of Klebelsberg Castle Budapest (address: 1028 Budapest, Templom utca 12; website: www.klebelsbergkastelybudapest.hu), ensures the lawfulness and appropriateness of data processing in all cases regarding the personal data it manages. The purpose of this notice is to ensure that our guests who book accommodation and provide their personal data receive adequate information, prior to making a reservation or providing their personal data, regarding the conditions and guarantees under which our company processes their data, as well as the duration of such processing. Our company adheres to the provisions of this notice in all cases involving the processing of personal data, and we consider the information described here to be binding upon us.

Our company’s details and contact information are as follows:
Name: Pro Cultura Kft.
Registered office: 1028 Budapest, Templom u. 12.
Company registration number: 01-09-397036
Tax ID: 27764134-2-41
Phone number: +36 30 399 2143
Email: info@klebelsbergkastelybudapest.hu
Website: www.klebelsbergkastelybudapest.hu
(hereinafter also referred to as: “Data Controller”)

Our data processing activities comply with applicable laws, in particular the following:
➢ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”);
➢ Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Infotv.”);
➢ Act V of 2013 on the Civil Code;
➢ Act C of 2000 on Accounting;
➢ Act CL of 2017 on the Rules of Taxation;
➢ Act CXXXIII of 2005 on the Rules Governing Personal and Property Protection and Private Investigation Activities (hereinafter: “Szvtv.”);
➢ Act XLVIII of 2008 on the Fundamental Conditions and Certain Restrictions of Commercial Advertising Activities;
➢ Act CVIII of 2001 on Certain Issues Concerning Electronic Commerce Services and Information Society Services.
We provide the following information regarding our specific data processing activities.

II. SPECIFIC DATA PROCESSING ACTIVITIES



1. DATA PROCESSING RELATED TO ONLINE ACCOMMODATION BOOKINGS



Our company offers the option of online accommodation booking so that you can book a room at Klebelsberg Castle Budapest quickly, conveniently, and free of charge.

Purpose of data processing: to facilitate the accommodation booking process, making it free of charge and more efficient.

Legal basis for data processing: the prior consent of the person making the reservation [GDPR Article 6(1)(a)], the necessity to take steps at the request of the data subject prior to entering into a contract between the Data Controller and the data subject [GDPR Article 6(1)(b)].

Scope of personal data processed: title; last name and first name; address (country, postal code, city, street, house number); phone number; email address; in the case of a business entity, company name and registered office, credit card number, SZÉP card details (ID, name on the card), representative’s name, contact person’s name, email address, and phone number.

Duration of data processing: two years following the last day of the stay specified in the reservation.

Use of a data processor: our company uses the services of an IT service provider for the online accommodation system as follows.

| Name of data processor | Registered office | Description of data processing tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Providing online accommodation booking through the Hotelizátor system |
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Operation of the website |

By accepting this notice, the data subject expressly consents to the Data Processor engaging additional data processors—in order to make the service more convenient and personalized—as follows:

| Name of Data Processor | Registered Office | Description of Data Processing Tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály utca 13. | Owner of the software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations and notifications in the event of a reservation, quote, or satisfaction survey |
| Hostware Kft. | 1149 Budapest, Róna utca 120-122 | Performing customer management tasks when using the Hostware Front Office hotel system |
| K&H Bank Zrt. | 1095 Budapest, Lechner Ödön fasor 9. | Handling data communication required for payment transactions between the merchant and the payment service provider’s system, ensuring transaction traceability for merchant partners |
| K&H Bank Zrt. | 1095 Budapest, Lechner Ödön fasor 9. | Handling the data communication required for payment transactions between the merchant and the payment service provider’s system, providing customer service support to users, confirming transactions, and conducting fraud monitoring to protect users. |
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály utca 13. | Providing server hosting services |


Possible consequences of failure to provide data: no contract will be concluded for the hotel room.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)
a) may request information regarding the processing of personal data concerning them, as well as access to such personal data,
b) may request the rectification of such data,
c) may request the erasure of such data,
d) may request the restriction of the processing of personal data if the conditions set forth in Article 18 of the GDPR are met (i.e., that our company not delete or destroy the data until a court or authority issues a request, but for no longer than thirty days, and that it not process the data for any other purpose beyond that),
e) may object to the processing of personal data,
f) may exercise the right to data portability. Under this right, the data subject is entitled to receive personal data concerning them in Word or Excel format, and is also entitled to have our company transfer this data to another data controller upon request.

Additional information regarding data processing: Our company takes all necessary technical and organizational measures to prevent any data protection incidents (e.g., damage to, loss of, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record for the purpose of verifying the necessary measures and informing the data subject, which includes the scope of the personal data concerned, the scope and number of individuals affected by the data breach, the date of the data breach, circumstances, effects, and the measures taken to address it, as well as other data specified in the legislation governing data processing.

Our company has entered into a data processing agreement for data processing tasks, in which Igor Corner Kft. undertakes to apply, in the event of engaging additional data processors, the data protection and data processing safeguards required of it by the data processing agreement; in this regard, we ensure the lawful processing of personal data even in the case of the data processor.


2. DATA PROCESSING RELATED TO REQUESTS FOR QUOTES



Our company provides our guests with the option to request a quote electronically. Our company provides the quote via an automated system, taking into account available capacity.

Purpose of data processing: preliminary information about hotel rates

Legal basis for data processing: prior consent of the person booking the accommodation [GDPR Article 6(1)(a)], or data processing is necessary for taking steps at the request of the data subject prior to entering into a contract [GDPR Article 6(1)(b)]

Scope of personal data processed: title; last name and first name; phone number; email address; number of guests, billing name and address, number of children and their ages.

Duration of data processing: two years following the last day of the stay specified in the reservation.

Use of a data processor: our company uses the services of an IT service provider to operate the online quote request system as follows.

| Name of data processor | Registered office | Description of data processing tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Operation of the Request for Proposal module |
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Operation of the website |

By accepting this notice, the data subject expressly consents to the Data Processor engaging additional data processors—in order to make the service more convenient and personalized—as follows:

| Name of Data Processor | Registered Office | Description of Data Processing Tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Owner of the Hotelizátor software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations and notifications in the event of bookings, offers, and satisfaction surveys |
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Providing server hosting services |


Possible consequences of failure to provide data: The hotel will be unable to provide a quote.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)
a) may request information regarding the processing of personal data concerning them, as well as access to such personal data,
b) may request the rectification of such data,
c) may request the erasure of such data,
d) may request the restriction of the processing of personal data if the conditions set forth in Article 18 of the GDPR are met (i.e., that our company not delete or destroy the data until a court or authority issues a request, but for no longer than thirty days, and that it not process the data for any other purpose beyond that),
e) may object to the processing of personal data,
f) may exercise the right to data portability. Under this right, the data subject is entitled to receive personal data concerning them in Word or Excel format, and is also entitled to have our company transfer this data to another data controller upon request.

Additional information regarding data processing: Our company takes all necessary technical and organizational measures to prevent any data protection incidents (e.g., damage to, loss of, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record for the purpose of verifying the necessary measures and informing the data subject, which includes the scope of the personal data concerned, the scope and number of individuals affected by the data breach, the date of the data breach, circumstances, effects, and the measures taken to address it, as well as other data specified in the legislation governing data processing.

Our company has entered into a data processing agreement for data processing tasks, in which Igor Corner Kft. undertakes to strictly apply the data protection and data processing safeguards prescribed by the data processing agreement should it engage additional data processors; in this regard, we ensure the lawful processing of personal data even in the case of the data processor.

3. DATA PROCESSING RELATED TO SERVICE PROVISION AND BILLING



Our company processes guests’ personal data for the purpose of fulfilling the contract entered into with guests of Klebelsberg Castle Budapest—including the payment of fees related to the use of the hotel’s services.
Purpose of data processing: the use of services provided by Klebelsberg Castle Budapest by the data subject, the determination of the consideration, and invoicing.

Legal basis for data processing: the necessity to fulfill a contract to which the data subject is a party [GDPR Article 6(1)(b)], as well as compliance with a legal obligation under the provisions of Sections 69(1) and (2) of Act C of 2000 on Accounting [GDPR Article 6(1)(c)]

Scope of personal data processed: first and last name, address.

Duration of data processing: from the date the personal data is provided by the data subject until 5 years after the performance of the contract (statute of limitations). In the case of issuing an invoice, the duration of data processing is 8 years from the date the personal data is provided by the data subject until the preparation of the financial statements, business report, or accounting records for the given fiscal year.

Use of a data processor: Our company uses the services of an accountant for invoicing as follows.

| Name of data processor | Registered office | Description of data processing tasks |
|---|---|---|
| Keller Consult KFT | 1015 Budapest, Ostrom utca 27. 1/1 | Performing accounting tasks |


Possible consequences of failure to provide data: The data subject will not be able to use the services of Klebelsberg Castle Budapest.

Rights of the data subject: The data subject (the person whose personal data is processed by our company)
a) may request information regarding the processing of personal data concerning them, as well as access to such personal data,
b) may request the rectification of such data,
c) may request the erasure of such data,
d) may request the restriction of the processing of personal data if the conditions set forth in Article 18 of the GDPR are met (i.e., that our company not delete or destroy the data until a court or authority issues a request, but for no longer than thirty days, and that it not process the data for any other purpose beyond that),
e) may object to the processing of personal data,
f) may exercise the right to data portability. Under this right, the data subject is entitled to receive personal data concerning them in Word or Excel format, and is also entitled to have our company transfer this data to another data controller upon request.

Additional information regarding data processing: Our company takes all necessary technical and organizational measures to prevent any data protection incidents (e.g., damage to, loss of, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record for the purpose of verifying the necessary measures and informing the data subject, which includes the scope of the personal data concerned, the scope and number of individuals affected by the data breach, the date of the data breach, circumstances, effects, and the measures taken to address it, as well as other data specified in the legislation governing data processing.

Our company has entered into a data processing agreement for data processing tasks, in which MT Szignál Kft. undertakes to apply, in the event of engaging additional data processors, the data protection and data processing safeguards required of it by the data processing agreement, thereby ensuring the lawful processing of personal data even in the case of the data processor.

4. DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTION



Our company maintains contact with its guests via a newsletter, through which it promotes its services and informs them about news and promotions related to its operations.

Purpose of data processing: maintaining contact with potential hotel guests and partners, and maintaining and developing business relationships with hotel guests.

Legal basis for data processing: the data subject’s consent [GDPR Article 6(1)(a)].

Scope of personal data processed: first and last name, email address

Duration of data processing: until unsubscribing from the newsletter.

Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.

| Name of data processor | Registered office | Description of data processing tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Operation of the Request for Proposal module |
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Operation of the website |

By accepting this notice, the data subject expressly consents to the Data Processor engaging additional data processors—in order to make the service more convenient and personalized—as follows:

| Name of Data Processor | Registered Office | Description of Data Processing Tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of the newsletter distribution system |


Possible consequences of failing to provide data: The data subject will not receive newsletters from our company.

The data subject’s rights: The data subject (the person whose personal data is processed by our company)
a) may request information regarding the processing of personal data concerning them, as well as access to such personal data,
b) may request the rectification of such data,
c) may request the erasure of such data,
d) may request the restriction of the processing of personal data if the conditions set forth in Article 18 of the GDPR are met (i.e., that our company not delete or destroy the data until a court or authority requests it, but for no longer than thirty days, and that it not process the data for any other purpose beyond that),
e) may object to the processing of personal data,
f) may exercise the right to data portability. Under this right, the data subject is entitled to receive personal data concerning them in Word or Excel format, and is also entitled to have our company transfer this data to another data controller upon request.

You may unsubscribe from the newsletter at any time by sending an email to our company at info@klebelsbergkastelybudapest.hu or info@hotelandmore.hu, or by clicking the unsubscribe icon in the newsletter. In this case, we will immediately delete your personal data related to the newsletter from our database.

Additional information regarding data processing: Our company takes all necessary technical and organizational measures to prevent any data protection incidents (e.g., damage to, loss of, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record for the purpose of verifying the necessary measures and informing the data subject, which includes the scope of the personal data concerned, the scope and number of individuals affected by the data breach, the date of the data breach, circumstances, effects, and the measures taken to address it, as well as other data specified in the legislation governing data processing.

Our company has entered into a data processing agreement for data processing tasks, in which Igor Corner Kft. undertakes to apply, in the event of engaging additional data processors, the data protection and data processing safeguards required of it by the data processing agreement; in this regard, we ensure the lawful processing of personal data even in the case of the data processor.

5. PROCESSING OF PERSONAL DATA IN CONNECTION WITH SATISFACTION SURVEYS



Our goal is to provide high-quality services to guests of Klebelsberg Castle Budapest; therefore, we continuously request feedback from our guests regarding their experiences during their stay at our hotel.

Purpose of data processing: to request feedback from hotel guests in order to further develop and improve our services.

Legal basis for data processing: Legitimate interest of the data controller [GDPR Article 6(1)(f)], consent of the data subject [GDPR Article 6(1)(a)].

Specification of the legitimate interest: Our company has a legitimate interest in receiving information based on feedback to improve our services.

Scope of personal data processed: first and last name, gender, email address, arrival and departure dates.

Duration of data processing: two years following the last day of the stay specified in the reservation.

Use of a data processor: our company uses an IT service provider for its online accommodation system as follows.

| Name of data processor | Registered office | Description of data processing tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Operation of the satisfaction survey module |
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Operation of the website |

By accepting this notice, the data subject expressly consents to the Data Processor engaging additional data processors—in order to make the service more convenient and personalized—as follows:

| Name of Data Processor | Registered Office | Description of Data Processing Tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály utca 13. | Owner of the Hotelizátor software integrated into the booking system. This software is responsible for sending automatic emails containing confirmations and notifications in the event of a booking, quote, or satisfaction survey |


Possible consequences of failure to provide data: The data subject will not receive a satisfaction survey from our company.

The data subject’s rights: the data subject (the person whose personal data is processed by our company)
a) may request information regarding the processing of personal data concerning them, as well as access to such personal data,
b) may request the rectification of such data,
c) may request the erasure of such data,
d) may request the restriction of the processing of personal data if the conditions set forth in Article 18 of the GDPR are met (i.e., that our company not delete or destroy the data until a court or authority issues a request, but for no longer than thirty days, and that it not process the data for any other purpose beyond that),
e) may object to the processing of personal data,
f) may exercise the right to data portability. Under this right, the data subject is entitled to receive personal data concerning them in Word or Excel format, and is also entitled to have our company transfer this data to another data controller upon request.

Additional information regarding data processing: Our company takes all necessary technical and organizational measures to prevent any data protection incidents (e.g., damage to, loss of, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record for the purpose of verifying the necessary measures and informing the data subject, which includes the scope of the personal data concerned, the scope and number of individuals affected by the data breach, the date of the data breach, circumstances, effects, and the measures taken to address it, as well as other data specified in the legislation governing data processing.

Our company has entered into a data processing agreement for data processing tasks, in which Igor Corner Kft. undertakes to strictly apply the data protection and data processing safeguards prescribed by the data processing agreement should it engage additional data processors; in this regard, we ensure the lawful processing of personal data even in the case of the data processor.


6. COOKIE MANAGEMENT



To provide a personalized service, the Data Controller places a small data package, known as a cookie, on the user’s computer and reads it back during subsequent visits. If the browser sends back a previously saved cookie, the service provider managing the cookie can link the user’s current visit to previous ones, but only with respect to its own content.

Purpose of data processing: identifying users, tracking them, distinguishing them from one another, identifying the user’s current session, storing data provided during that session, preventing data loss, web analytics, and personalized service.

Legal basis for data processing: the data subject’s consent [GDPR Article 6(1)(a)].

Scope of processed data: date, time, and the previously visited page.

Duration of data processing: a maximum of 30 days from the date of visiting the website
Use of a data processor: our company uses the services of an IT provider for the online booking system as follows.

| Name of data processor | Registered office | Description of data processing tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Recording of visitor data |
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Website operation |


Further information regarding data processing: Users can delete cookies from their own computers or disable cookies in their browsers.

For more information on configuring cookie preferences within your browser, please refer to the following guides:

• Internet Explorer
• Firefox
• Chrome
• Safari

Possible consequences of failure to provide data: inability to use the services described in sections II.1–5 above.


7. WEBSITE SERVER LOGGING



When you visit the www.klebelsbergkastelybudapest.hu website, the web server automatically logs your activity.
Purpose of data processing: During a visit to the website, the service provider records visitor data to monitor the operation of the services and prevent abuse.

Legal basis for data processing: Legitimate interest of the data controller [GDPR Article 6(1)(f)]

Specification of the legitimate interest: Our company has a legitimate interest in the secure operation of the website.

Types of personal data processed: IP address, identification number, date, time, and the URL of the page visited.

Duration of data processing: a maximum of 90 days from the date of visiting the website.
Use of a data processor: our company uses the services of an IT provider for the online booking system as follows.

| Name of data processor | Registered office | Description of data processing tasks |
|---|---|---|
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Recording visitor data and information necessary for server operation |
| Igor Corner Internet Kft. | 9730 Kőszeg, Táncsics Mihály Street 13. | Website operation |


Further information: Our company does not link the data obtained during the analysis of log files to any other information and does not seek to identify individual users. The addresses of the pages visited, as well as the date and time data, are not sufficient on their own to identify the data subject; however, when combined with other data (e.g., provided during registration), they can be used to draw conclusions about the user.

Data processing by third-party providers related to logging:

The portal’s HTML code contains links originating from and pointing to external servers independent of our company. The third-party provider’s server communicates directly with the user’s computer. We would like to draw our visitors’ attention to the fact that the providers of these links are able to collect user data (e.g., IP address, browser, operating system information, mouse cursor movements, the address of the page visited, and the time of the visit) due to the direct connection to their server and direct communication with the user’s browser. An IP address is a sequence of numbers that uniquely identifies the computers and mobile devices of users accessing the internet.
IP addresses can even be used to geolocate the visitor using the computer in question. The addresses of the pages visited, as well as the date and time data, are not sufficient on their own to identify the data subject; however, when combined with other data (e.g., provided during registration), they can be used to draw conclusions about the user.

8. CAMERA SURVEILLANCE



Our company uses an electronic surveillance system on the premises of Klebelsberg Castle Budapest.

Purpose of data processing: To protect the life and physical safety of persons on the premises of Klebelsberg Castle Budapest, and to maintain personal and property security through the use of the electronic surveillance system (camera system).
Camera surveillance by the data controller is not intended for employer monitoring as defined in Section 11(1) of the Labor Code.
Legal basis for data processing: the data subject’s explicit voluntary consent [Article 6(1)(a) of the GDPR] and the enforcement of the Data Controller’s legitimate interests pursuant to Section 26(1)(e) and Sections 31(1)-(4) of the Szvtv. [Article 6(1)(f) of the GDPR].

Scope of personal data processed: the data subjects’ likeness, voice, and behavior as seen in the video and audio recordings.

Duration of data processing: 3 business days from the data subject’s entry onto the premises of Klebelsberg Castle Budapest; 30 days in the case of public events.

Use of a data processor: our company uses the following data processor to operate the electronic surveillance system (camera system).

| Name of data processor | Registered office | Description of data processing tasks |
|---|---|---|
| Optimum Füred Kft. | 1022 Budapest, Fillér u 84/a | Operation of the electronic surveillance system (camera system) |


Rights of the data subject: the data subject (the person whose personal data is processed by our company)
a) may request information about the processing of personal data concerning him or her, as well as access to such personal data,
b) may request their rectification,
c) may request their deletion,
d) may request the restriction of the processing of personal data, if the conditions set out in Article 18 of the GDPR are met (i.e. that our company does not delete or destroy the data until requested by a court or authority, but for no longer than thirty days, and that the data is not processed for any other purpose beyond that),
e) may object to the processing of personal data,
f) may exercise his or her right to data portability. Under this latter right, the data subject is entitled to receive the personal data concerning him or her in Word or Excel format, and is also entitled to have our company transmit these data to another data controller upon request.

Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage to, loss of, or unauthorized access to files containing personal data). In the event of an incident that nevertheless occurs, we keep a record in order to monitor the necessary measures and inform the data subject, which contains the scope of the personal data concerned, the scope and number of those affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to remedy it, as well as other data specified in the law prescribing data processing.

Our company has concluded a data processing agreement for data processing tasks, in which Optimum Füred Kft. undertakes to apply the data protection and data processing guarantees required by the data processing agreement in the event of the use of an additional data processor, and in this regard, we also ensure the lawful processing of personal data in the case of the data processor.

9. OTHER DATA PROCESSING PROCEDURES



We provide information on data processing not listed in this notice at the time the data is collected. We inform our customers that certain authorities, public bodies and courts may contact our company requesting the disclosure of personal data. Our company will provide personal data to these bodies only if the body concerned has specified the precise purpose and scope of the data, only to the extent absolutely necessary to achieve the purpose of the request, and only if fulfillment of the request is required by law.

III. METHOD OF STORAGE OF PERSONAL DATA, SECURITY OF DATA PROCESSING



Our company's IT systems and other data storage locations are located at the registered office and on servers rented by the data processor. Our company selects and operates the IT tools used to process personal data during the provision of the service in such a way that the processed data:

a) is accessible to those authorized to do so (availability);

b) its authenticity and authentication are ensured (authenticity of data processing);
c) its unchangeability can be verified (data integrity);
d) is protected against unauthorized access (data confidentiality).

We pay particular attention to data security, and we also take the technical and organizational measures and develop the procedural rules that are necessary to enforce the guarantees under the GDPR. We protect the data with appropriate measures, in particular against unauthorized access, modification, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and inaccessibility resulting from changes in the technology used.

The IT system and network of our company and our partners are both protected against computer-aided fraud, computer viruses, computer intrusions and denial-of-service attacks. The operator also ensures security with server-level and application-level protection procedures. Daily backup of data is provided. In order to avoid data protection incidents, our company takes all possible measures, and in the event of such an incident, we take immediate action – according to our internal regulations – to minimize risks and prevent damage.

IV. RIGHTS OF THE DATA SUBJECTS, LEGAL REMEDIES



The data subject may request information about the processing of his/her personal data, may request the correction of his/her personal data or, with the exception of mandatory data processing, its deletion, may withdraw consent, and may exercise his/her right to data portability and objection in the manner indicated when the data was recorded, or via the above contact details of the data controller.

Upon the request of the data subject, we will provide the information in electronic form without delay, but no later than within 30 days, in accordance with our relevant regulations. We will fulfill the requests of the data subjects to exercise the rights below free of charge.

Right to information:

Our company will take appropriate measures to provide data subjects with all information regarding the processing of personal data referred to in Articles 13 and 14 of the GDPR, and with each communication pursuant to Articles 15–22 and Article 34, in a concise, transparent, intelligible and easily accessible form, in clear and plain language, but at the same time in a precise manner.

The right to information may be exercised in writing, through the contact details provided in point 1. Upon request, the data subject may also be provided with information orally, after verification of his/her identity. We inform our customers that if our company's employees have doubts about the identity of the data subject, we may request the provision of information necessary to confirm the identity of the data subject.

The data subject's right to access:

The data subject has the right to receive feedback from the data controller as to whether his/her personal data is being processed. If personal data is being processed, the data subject has the right to access the personal data and the following information:
• the purposes of data processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries (outside the European Union) or international organisations;
• the planned period for which the personal data will be stored;
• the right to rectification, erasure or restriction of processing and to object;
• the right to lodge a complaint with a supervisory authority;
• information on the sources of the data;
• the fact of automated decision-making, including profiling, as well as intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

In addition, in the event of a transfer of personal data to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards for the transfer.

Right to rectification:

According to this right, anyone may request that inaccurate personal data concerning them processed by our company be corrected and incomplete data completed.

Right to erasure:

The data subject has the right to obtain from us the erasure of personal data concerning them without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
b) the data subject withdraws his or her consent on which the processing is based and there is no other legal basis for the processing;
c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
d) unlawful processing of the personal data can be established;
e) the personal data must be erased for compliance with a legal obligation to which the controller is subject under Union or Member State law;
f) the personal data were collected in connection with the provision of information society services.

The erasure of data may not be requested if the processing is necessary for the following purposes:
a) to exercise the right to freedom of expression and information;
b) to comply with an obligation to process personal data to which the controller is subject under Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for public health purposes, or for archiving, scientific and historical research purposes or statistical purposes, in the public interest; or
d) for the establishment, exercise or defence of legal claims.

Right to restriction of processing:

At the request of the data subject, we shall restrict the processing of the personal data in accordance with the conditions set out in Article 18 of the GDPR, i.e. where:
a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the accuracy of the personal data to be verified;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
d) the data subject has objected to the processing, in which case the restriction shall apply until it is determined whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, the personal data may, with the exception of storage, only be processed with the data subject's consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State. The data subject must be informed in advance of the lifting of the restriction of processing.

Right to data portability:

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and to transmit these data to another controller. Our company can fulfill such a request of the data subject in Word or Excel format.

Right to object:

If the personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, if it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for such purposes.

Automated decision-making in individual cases, including profiling:

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply if the processing is:
a) necessary for entering into, or the performance of, a contract between the data subject and the data controller;
b) permitted by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
c) based on the data subject's explicit consent.

Right to withdrawal:

The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Procedural rules:

The data controller shall inform the data subject without undue delay and in any event not later than one month from the date of receipt of the request of the data subject of the action taken in response to the request pursuant to Articles 15 to 22 of the GDPR. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.

If the data subject submitted the request electronically, the information shall be provided electronically, unless the data subject requests otherwise.

If the data controller does not take action on the data subject's request, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action and of the fact that the data subject may lodge a complaint with the supervisory authority and exercise his or her right to a judicial remedy.

The data controller shall inform all recipients to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing carried out by the controller, unless this proves impossible or involves a disproportionate effort. Upon request, the data subject shall be informed of these recipients.

Compensation and damages:

Any person who has suffered material or non-material damage as a result of a breach of the Data Protection Regulation shall be entitled to compensation from the controller or processor for the damage suffered. The processor shall only be liable for damage caused by the processing of data if it has failed to comply with the obligations laid down in law expressly incumbent on the processor or if it has disregarded or acted contrary to the lawful instructions of the controller. If several controllers or processors or both controllers and processors are involved in the same processing of data and are liable for damage caused by the processing of data, each controller or processor shall be jointly and severally liable for the entire damage.

The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to appeal to court and data protection authority procedure:

If the data subject believes that the Data Controller has violated his/her right to the protection of personal data during the processing of data, he/she may seek legal redress with the competent authorities in accordance with the applicable laws as follows:

- may file a complaint with the National Authority for Data Protection and Freedom of Information
address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.;
website: www.naih.hu;
e-mail address: ugyfelszolgalat@naih.hu;
telephone: +36-1-391-1400
(hereinafter referred to as “NAIH”)

- may appeal to the competent court.
The court shall proceed with the case ex officio.
The Data Controller undertakes to cooperate with the relevant court or the NAIH in all respects during these procedures and to disclose the data relating to data processing to the NAIH or the relevant court.

V. MISCELLANEOUS PROVISIONS



The Data Controller undertakes to ensure that all data processing related to its activities complies with the requirements set out in this notice, the Data Controller’s internal regulations – which impose the same requirements as this notice – and the applicable laws.

The Data Controller reserves the right to change this notice at any time, provided that the data subjects are informed of any changes by means of a notice published on the Klebelsberg Kastély Budapest website after the changes have been implemented.

Please send us an e-mail if you have any questions regarding the contents of this notice.

Last updated: 2018.05.23.