Privacy policy
Privacy policy
INTRODUCTION
This Privacy Notice provides information on the data processing carried out by the DATA CONTROLLER (7Seasons Apartments Service Provider Ltd. in accordance with the provisions of the General Data Protection Regulation (hereinafter referred to as “GDPR”).
CONTENTS
I. NAME AND CONTACT DETAILS OF THE DATA CONTROLLER
II.2. REQUEST AN OFFER – ONLINE
II.4. PERSONAL DATA PROCESSED FOR THE PAYMENT OF THE RESERVATION FEE
II.5. PERSONAL DATA PROCESSED FOR ACCOUNTING OBLIGATIONS
II.7. ADDITIONAL, TYPICALLY PAPER-BASED, PROCESSING IN CONNECTION WITH THE LOG-IN
II.8. DATA PROCESSING ON SOCIAL NETWORKING SITES
II.9. DATA PROCESSING IN RELATION TO CUSTOMER BOOKS
II.11. WEB ANALYTICS IN GENERAL
I. NAME AND CONTACT DETAILS OF THE DATA CONTROLLER
| Data controller
|
7Seasons Apartments Service Provider Ltd.
|
| Representative
|
Edina Szabo-Varga
|
| Company’s registered office
|
1061 Budapest, Paulay Ede utca 3. D. ép. VI. em. 2.
|
| Tax identification number
|
14659126242
|
| Company register number
|
01 09 913980
|
| E-mail
|
info@7seasonapartments.com
|
| Website
|
https://www.7seasonsapartments.com
|
II. USE OF PERSONAL DATA
| Purpose of data processing
|
Data Subjects may contact the Data Controller with questions and requests for information. By storing the data provided, the Data Controller is able to identify the requester and provide the answer or the information required by the data subject.
|
| Personal data processed
|
Full name, e-mail address, telephone number, questions, information and any other personal data you may have provided
|
| Source of personal data
|
Data subject
|
| Legal basis for data processing
|
The legal basis for processing is the data subject’s consent (Article 6(1)(a) GDPR.
|
| Data retention time
|
Withdrawal of consent or execution of a request for cancellation
|
| Addressees
|
Hosting Service
|
| Data Subject’s rights
|
Right of access, withdrawal of consent, rectification, erasure and restriction of processing. |
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.
|
II.2. REQUEST AN OFFER – ONLINE
| Purpose of data processing
|
Find out in advance about prices, availability, services and special offers
|
| Personal data processed
|
Name; surname and first name; telephone number; e-mail address; expected check-in and check-out times, number of adults, number of children, date of acceptance of the privacy notice, comment on the place of accommodation
|
| Source of personal data
|
Data Subject
|
| Legal basis for data processing
|
Legal basis for processing for the performance of a contract /Article 6(1)(b) GDPR
|
| Data retention time
|
In the case of a successful bid, according to the rules for reservations,
– in case of rejection of the offer, until the date of rejection, – if no reply to the offer is received, until the day following the expiry of the time limit for the submission of tenders
|
| Addressees
|
Hosting Service
|
| Data Subject’s rights
|
Right of access, rectification, erasure and restriction of processing. |
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above. |
| Purpose of data processing
|
To make booking accommodation easier, cheaper and more efficient by contacting the guest booking the accommodation.
|
| Personal data processed
|
Address; surname and first name; address (country, postal code, city, street, house number;) telephone number; e-mail address; details of the message sent to the accommodation, room type, number of adults, check-in and check-out times, price, voucher number, if any, Term and conditions, date of acceptance of the privacy notice, payment information
|
| Source of personal data
|
Data Subject
|
| Legal basis for data processing
|
The legal basis for the processing is the performance of a contract (Article 6 (1) (b) GDPR), processing of data based on law (Articles 30-31 of Act C of 1990) with regard to date of birth /Article 6 (1) (c) GDPR/
|
| Data retention time
|
The personal data obtained during the booking will be processed for a period of 5 years after the contractual relationship with the data subject has ended,
Except: – name address: for 8 years pursuant to Article 169 of Act C of 2000 on Accounting – age of the guests’ names: until the last day of the 5th year following the year in question, pursuant to Articles 78(3) and 202(1) of Act CL of 2017 Coll. on the Rules of Taxation
|
| Addressees
|
Web and hosting service
|
| Data Subject’s rights
Purpose of data processing |
Right of access, rectification, erasure and restriction of processing. |
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.
|
II.4. PERSONAL DATA PROCESSED FOR THE PAYMENT OF THE RESERVATION FEE
| Purpose of data processing
|
You can pay for your reservation in person where to stay, or you can choose between the following payment methods: bank transfer, payment through other accommodation websites using their own payment system, or through the payment page provided by Teya.com
|
| Personal data processed
|
Bank transfer: surname and first name, bank account number, order ID, value of the product ordered, time of transfer, address.
|
| Source of personal data
|
Data subject
|
| Legal basis for data processing
|
The legal basis for processing is the performance of the contract (Article 6(1)(b) GDPR).
|
| Data retention time
|
In order to comply with the obligation to keep accounting documents (Section 169 (2) of the Accounting Act), 8 years.
|
| Addressees
|
Accountant, Payment Service, Controller’s Account Holding Bank, Billing system
|
| Data Subject’s rights
Purpose of data processing |
Right of access, rectification, erasure and restriction of processing. |
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.
|
II. 5. PERSONAL DATA PROCESSED FOR ACCOUNTING OBLIGATIONS
| Purpose of data processing
|
Pursuant to Paragraph (2) of Article 169 of the Act on Accounting, the obligation to preserve accounting documents directly and indirectly supporting the accounting statements, as defined in the Act on Accounting.
The Data Controller shall keep for 8 years in a legible and retrievable form the accounting documents, including general ledger accounts, analytical and detailed records, which directly and indirectly support the accounting.
|
| Personal data processed
|
Surname and first name, address, product ordered, order ID, place of personal receipt, method of payment, service ordered, price of reservation (categories of data as defined in § 169-170 and § 176 of Act CXXVII of 2007)
|
| Source of personal data
|
Data subject, any natural person, including a self-employed person, whose data can be identified on the basis of an invoice (or accounting document treated as such) issued by the Data Controller
|
| Legal basis for data processing
|
Compliance with a legal obligation on the controller (Article 6(1)(c) GDPR)
|
| Data retention time
|
In order to comply with the obligation to keep accounting documents (Section 169 (2) of the Accounting Act), 8 years.
|
| Addressees
|
Accountant, Payment Service, Controller’s Account Holding Bank, Billing system
|
| Data Subject’s rights
Purpose of data processing
|
Right of access, rectification, erasure and restriction of processing. |
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.
|
II.6. DATA PROCESSING IN CONNECTION WITH THE PROVISION OF DATA TO THE VIZA (CLOSED GUEST INFORMATION DATABASE) SYSTEM
| Purpose of data processing
|
The rights, safety and property of the data subject and others
and the protection of the rights of third-country nationals and the free movement of persons with the right of free movement and residence the provisions on the residence of persons.
|
| Personal data processed
|
1. the user of the accommodation service
– the surname and first name of the person staying, – surname and given name at birth, – place and date of birth, sex, nationality – mother’s name and surname at birth, – the identification data of his/her identity document or travel document and, in the case of third-country nationals, the visa or residence permit number, date and place of entry, 2. the address of the accommodation service, the start and expected end date of the accommodation
|
| Source of personal data
|
Data subject
|
| Legal basis for data processing
|
Article 6(1)(c) of the GDPR, compliance with a legal obligation under the 2016. CLVI Act 2016, § 9/H – 9/I.
The primary objective of the VIZA system is the protection of public order, public safety, public security and the public security and public order, the rights and safety of the data subject and others and property. This means that no circumstances may prevent the provision of data circumstances and is mandatory by law.
Pursuant to Act CLVI of 2016, the customer of the accommodation service must present his/her identification document to the Data Controller for the purpose of data recording.
|
| Data retention time
|
The Data Controller shall process the data of the data subjects (guests) until the last day of the first year following the date on which the data becomes known to the Data Controller, and the VIZA system shall keep the data submitted to it for a maximum of two years.
|
| Addressees
|
1. Magyar Turisztikai Ügynökség Zrt.
(1027 Budapest, Kacsa u. 15-23., web: https://vizainfo.hu, E-mail: info@mtu.gov.hu GDPR: https://vizainfo.hu/adatkezelesi-tajekoztato 2. Webhosting service
|
| Other information
|
The Data Controller may, pursuant to Act CLVI of 2016, keep the register of guests and the local government’s regulation determining the tourist tax electronically using the accommodation management software, but it uses a paper registration form to record the following data:
– vehicle registration number, in order to identify the vehicle vehicle can be identified. – room number – – To identify the vehicle type
|
| Data Subject’s rights
|
Right of access, rectification, erasure and restriction of processing. |
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.
|
II.7. ADDITIONAL, TYPICALLY PAPER-BASED, PROCESSING IN CONNECTION WITH THE Check-IN
| Purpose of data processing
|
Providing hotel services, including liaison and service development.
The purpose of the recording and storage of the data specified in the Tourism Act, the Accounting Act and the Local Government Ordinance is to ensure legal compliance.
After your departure, the data will be retained for the purposes of claims and complaints handling within the limitation period of civil law
|
| Personal data processed
|
Data recorded in the reservation system, signature, date
|
| Source of personal data
|
Data subject
|
| Legal basis for data processing
|
In accordance with the provisions of the Tourism Act, in order to comply with the legal obligation, we record and store for each of our guests: first and last name; first and last name at birth; place and date of birth; sex; mother’s first and last name at birth; identification data of the identity document or travel document, nationality, visa or permit number, place and date of entry. [Article 6(1)(c) GDPR]
A municipal regulation may also require the retention of additional data. [Article 6(1)(c) GDPR] For the purpose of providing the requested service (based on a contract), we also process e.g.: contact details, frequent guest programme number, payment method, credit card details, room number, number of guests, [GDPR Article 6 (1) (b)] After your departure, we will retain the data on the basis of our legitimate interest to pursue claims and complaints. [Article 6(1)(f) GDPR]
|
| Data retention time
|
If the data is needed for invoicing or other tax records, we are legally obliged to keep the data for 8 years from the end of the calendar year.
The hotel has a legal obligation to report to the local authority all guests checking in with the data set out in the local government decree, and must also report to the police all guests arriving from outside the EU.
We have a legal obligation to keep the data contained in these reports for 5 years from the date of registration to the end of the year in question.
After your departure, we will keep the data for the period of the statute of limitations for civil law, which is 5 years after the end of the year in question.
Personal data recorded under the provisions of the Tourism Act will be stored in the designated central repository until the end of the following year.
|
| Addressees
|
|
| Other information
|
Right of access, rectification, erasure and restriction of processing. |
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.
|
II.8. DATA PROCESSING ON SOCIAL NETWORKING SITES
| Purpose of data processing
|
The accommodation operated by the Company and the restaurant operated by the Company are also separately available on Facebook.
The Facebook user can subscribe to the news feed posted on the message board by clicking on the “like” link on the page, unsubscribe by clicking on the “dislike” link on the same page or delete unwanted news on the message board by using the message board settings. The Company has access to the profile of “followers”, but does not record it or manage it in its own internal system.
|
| Personal data processed
|
Sharing content, other news, promotions and contact information on the hotel/restaurant websites operated by the Company.
Facebook pages allow you to book rooms, participate in competitions and find out about the latest promotions.
|
| Source of personal data
|
Data recorded in the reservation system, signature, date
|
| Legal basis for data processing
|
Data Subject
|
| Data retention time
|
Your consent, which you can withdraw at any time by unsubscribing. [Article 6(1)(a) GDPR]
Withdrawal does not affect the lawful processing that preceded it. In case of withdrawal, you will not be notified of our news feed, our news will not appear in your news feed, but you will still have access to the news feed, as the site is public
|
| Addressees
|
At the data subject’s request, until deletion or termination of the profile, but please refer to the provisions of the relevant social networking site’s own privacy policy for details.
Facebook is an independent, separate data controller for its own data processing.
|
| Other information
|
META Ireland Limited (4 Grand Canal Square, Grand Canal, Harbour, Dublin 2 Ireland) is a joint controller with the Data Controller in relation to facebook.com and Facebook-related pages.
|
| Purpose of data processing
|
Public data of the data subject, interaction data, content of messages sent
You can read the Facebook Privacy Policy for page analytics data here here
|
| Personal data processed
Source of personal data
|
Right of access, rectification, erasure and restriction of processing.
|
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.
|
II. 9. DATA PROCESSING IN RELATION TO CUSTOMER BOOKS
| Purpose of data processing
|
The recording and reassuring resolution of complaints and suggestions about the operation of the accommodation and the services provided there, i.e. the formal recording of the views, often complaints, of the person concerned
|
| Personal data processed
|
Data recorded by the data subject when registering in the customer directory, name, address, e-mail address, service definition, comment, opinion, date, signature. Response data to the registration
|
| Source of personal data
|
Data subject
|
| Legal basis for data processing
|
Performance of a legal obligation under Act CLXIV of 2005 on Trade
|
| Data retention time
|
5 years in the case of a complaint, or
in the case of no complaint, the customers’ book (removed pages) destruction of the removed books.
|
| Addressees | |
| Other information
|
The Data Controller draws your attention to the fact that the guestbook may be persons can also freely access the guestbook, so the data subjects must be aware of this and act with care when making entries in the guestbook!
|
| Purpose of data processing
Personal data processed
|
Right of access, rectification, erasure and restriction of processing.
|
| WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.
|
Reservations made on booking sites transmit the following data to the accommodation providers in order to fulfil the contract: name, e-mail address, phone number, address reservation details, information in the comment, special comments, requests and its details.
| Joint data controllers | Activity |
| Booking.com | Online Travel Agency |
| Expedia.com | Online Travel Agency |
| Hotels.com | Online Travel Agency |
| Hotwire.com | Online Travel Agency |
| Lastminute.com | Online Travel Agency |
| Agoda.com | Online Travel Agency |
| Hotelbeds.com | Online Travel Agency |
| AirBNB.com | Online Travel Agency |
| Hoteltonight.com | Online Travel Agency |
| hrs.com | Online Travel Agency |
| Tripadvisor.com | Online Travel Agency |
| Google Hotel Search | Online Travel Agency |
| Szállás.hu | Online Travel Agency |
| Trivago.com | Online Travel Agency |
| Ctrip.com | Online Travel Agency |
II.11. WEB ANALYTICS IN GENERAL
- Google (Google Analytics, Google Tag Manager)
Google Analytics by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, uses cookies, which are text files placed on your computer, to help Google Analytics analyze how you use our online services. In general, the information collected by the cookie about your usage behaviour is transmitted to a Google server in the USA and stored there. In the event that IP anonymisation is activated for online services, Google will already shorten the IP address in the Member States of the European Union and the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of the online services to evaluate your use of the online services, compile reports on these activities and provide other services relating to the use of the online services and internet usage for the website operator.
The IP address transmitted by your browser in the context of Google Analytics will not be merged with other data held by Google. The saving of cookies can be prevented by setting your browser software accordingly. However, in this case you will not be able to take full advantage of all the features of the online services. The collection of data generated by cookies and their use by Google can be prevented by downloading and installing the browser plugin at the following link (https://tools.google.com/dlpage/gaoptout?hl=en).
Our website also makes use of the Google Tag Manager, which allows you to quickly and easily update tracking codes and related code snippets (known collectively as tags) on the website and in the mobile application.
Detailed information: https://support.google.com/tagmanager/answer/6102821?hl=hu
Detailed information on Google’s terms of use and privacy policy can be found here: www.google.com/analytics/terms/gb.html ; https://policies.google.com/privacy?hl=en
The data subjects may exercise the rights listed below – as provided by the GDPR – at any time against the accommodation, orally, in writing or electronically. ATTENTION! Certain data subjects’ rights may only be exercised in relation to personal data processed on the basis of the relevant legal basis. For more information on the rights that may be exercised in relation to each of the purposes of processing, please refer to the tables above.
Individuals located in the European Economic Area only, whose Personal Data Stanford processes (“Data Subjects”), have the following rights with regard to their Personal Data.
“Personal Information” is any information that we can reasonably use to identify you. If you are located in the European Economic Area (EEA), Personal Information includes all Personal Data as defined under EEA laws.
| Right to withdraw consent
|
A Data Subject who has provided the Data Controller with consent to process their Personal Information has the right to withdraw any consent previously provided to the Data Controller at any time. If a Data Subject withdraws their consent, this will not affect the lawfulness of the Data Controller’s collecting, using and sharing of their Personal Information up to the point in time that consent was withdrawn. Even if a Data Subject withdrawstheir consent, the Data Controller may still use the information that has been anonymized and does not personally identify the Data Subject.
|
| Right of access
|
Data Subjects may request details of their Personal Information that the accomodations holds. The accomodations will confirm whether it is processing the individual’s Personal Information and will disclose supplementary information including the categories of Personal Information, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding Personal Information transfers to non-EEA countries, subject to the limitations set out in applicable statutes, regulations and other laws.
|
| Right of correction
|
The accomodations will comply with a Data Subject’s request to edit and update incorrect Personal Information promptly and in most cases within 30 days from the receipt of the request for correction.
In the event that correction is not possible or cannot occur within 30 days, the accomodations will document its reasons, specify the time frame in which correction will occur (to the extent knowable), and respond to the requestor with this information within 30 days from the receipt of request for correction.
|
| Right to be forgotten
|
At a Data Subject’s request, the accomodations will delete their Personal Information promptly if:
– it is no longer necessary to retain the Personal Information; – the Data Subject withdraws the consent which formed the basis of the Personal Information processing; – the Data Subject objects to the processing of their Personal Information and there are no overriding legitimate grounds for such processing; – the Personal Information was processed illegally; or, – the Personal Information must be deleted for the Data Controller to comply with its legal obligations. The accomodations will inform any third parties with whom it might have shared the Data Subject’s Personal Information of the deletion request.
The Data Controller may decline a Data Subject’s request for deletion if processing of their Personal Information is necessary:
|
| Right to restrict processing of Personal Information
|
Right to restrict processing of Personal Information At a Data Subject’srequest, the Data Controller will limit the processing of their Personal Information if:
|
| Right to data portability
|
At a Data Subject’s request, the Data Controller will provide them a copy of their Personal Information in a structured, commonly used and machine-readable format, if:
(i) the Data Subject provided the Data Controller with Personal Information; (ii) (ii) the processing of the Data Subject’s Personal Information is based on consent or required for the performance of a contract ; or, (iii) (iii) the processing is carried out by automated means.
|
| Right to object
|
Where the Data Controller processes a Data Subject’s Personal Information based upon the lawful basis of legitimate interest, then the individual has the right to object to this processing.
|
| Right not to be subject to decisions based solely on automated processing
|
Data Subjects will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of their Personal Information, unless the Data Controller has received explicit consent or where the automatic processing is necessary for a contract with the Data Controller.
|
The Data Controller shall ensure, in particular, in the context of its IT security responsibilities:
1. to deny unauthorised persons access to the means used for data processing (hereinafter referred to as the ‘data management system’),
2. preventing the unauthorised reading, copying, modification or removal of data media,
3. to prevent the unauthorised input of personal data into the data management system and the unauthorised access to, modification or deletion of personal data stored in the data management system,
4. preventing unauthorised persons from using the processing systems by means of data transmission equipment,
5. that persons authorised to use the system have access only to the personal data specified in the access authorisation,
6. that it is possible to verify and establish to which recipients the personal data have been or may be transmitted or made available or made available by means of a data transmission installation that it is possible to verify and establish a posteriori which personal data have been entered into the system by whom, at what time
7. to prevent the unauthorised disclosure, copying, modification or deletion of personal data during transmission or transport of the data medium
8. to ensure that the data processing system can be restored in the event of a malfunction.
9. that the data management system is operational, that any errors in its operation are reported and that the personal data stored cannot be altered by the malfunctioning of the system.
Right to complain to a supervisory authority If a Data Subject is not satisfied with the Data Controller’s response, they have the right to complain to or seek advice from a supervisory authority and/or bring a claim against the Data Controller in any court of competent jurisdiction. Any person, that receives a request from a Data Subject seeking to exercise their rights under GDPR should contact the Data Controller to assist in the review of and response to the Data Subject’s request.
Requests will be responded to within 30 days of receipt. Under certain circumstances, the Data Controller may inform the requesting Data Subject that additional time is needed to fully comply with the request. Such notification shall occur within 30 days of receipt of the request.
| Contact details of the National Authority for Data Protection and Freedom of Information
|
|
| Headquarters
|
1055 Budapest, Falk Miksa utca 9-11.
|
| Postal address
|
1363 Budapest, Pf.: 9.
|
| Phone
|
+36-1-391-1400
|
| Fax
|
+36-1-391-1410
|
| E-mail
|
ugyfelszolgalat@naih.hu
|
| Website
|
http://www.naih.hu
|
| Online start a case
|
http://wwwnaih.hu/online-uegyinditas.html
|
Data processors
| Name of data processor | Name of data processing |
| D-edge.com | Website booking engine |
| Google Business Suite | Daily operation |
| WordPress.com | Website operation |
| K&H Bank Zrt, CSOB | Account-holding financial institution |
| Bluehost.com | Hosting services |
| Kulcs-Soft | Accounting services |
| Teya.com | Payment service |
| Szamlazz.hu | Billing system |
| Magyar Turisztikai Ügynökség Zrt. | Guest Information Closed Database (VIZA) system, National Turism Datacenter (NTAK) |
Cookie management
The data controller uses the services of Cookiebot on the website.
Please kindly acknowledge the processing of your data in accordance with this privacy notice.