7Seasons Apartments
Book direct Get the BEST DEAL and more DIRECT BOOKER BENEFITS

PRIVACY POLICY

7SEASONS APARTMENTS

valid from 01/07/2024

 

INTRODUCTION

This Privacy Notice provides information on the data processing carried out by the DATA CONTROLLER (7Seasons Apartments Service Provider Ltd. in accordance with the provisions of the General Data Protection Regulation (hereinafter referred to as “GDPR”).

 

CONTENTS

I. NAME AND CONTACT DETAILS OF THE DATA CONTROLLER

II. USE OF PERSONAL DATA

II.1. CONTACT, INFORMATION

II.2. REQUEST AN OFFER – ONLINE

II.3. RESERVATION – ONLINE

II.4. PERSONAL DATA PROCESSED FOR THE PAYMENT OF THE RESERVATION FEE

II.5. PERSONAL DATA PROCESSED FOR ACCOUNTING OBLIGATIONS

II.6. DATA PROCESSING IN CONNECTION WITH THE PROVISION OF DATA TO THE VIZA (CLOSED GUEST INFORMATION DATABASE) SYSTEM

II.7. ADDITIONAL, TYPICALLY PAPER-BASED, PROCESSING IN CONNECTION WITH THE LOG-IN

II.8. DATA PROCESSING ON SOCIAL NETWORKING SITES

II.9. DATA PROCESSING IN RELATION TO CUSTOMER BOOKS

II.10. JOINT CONTROLLERS

II.11. WEB ANALYTICS IN GENERAL

III. DATA SUBJECT’S RIGHTS

IV. DATA SECURITY

V. THE LEGAL REMEDIES

ANNEX NO 1.

ANNEX NO 2.

 

I. NAME AND CONTACT DETAILS OF THE DATA CONTROLLER

 

Data controller

 

7Seasons Apartments Service Provider Ltd.

 

Representative

 

Edina Szabo-Varga

 

Company’s registered office

 

1061 Budapest, Paulay Ede utca 3. D. ép. VI. em. 2.

 

Tax identification number

 

14659126-2-42

 

Company register number

 

01 09 913980

 

E-mail

 

info@7seasonapartments.com

 

Website

 

https://www.7seasonsapartments.com

 

Data Privacy Officer contact info

 

info@adatokvedelme.hu and info@7seasonapartments.com

 

 

II. USE OF PERSONAL DATA

 

II.1. CONTACT, INFORMATION

 

Purpose of data processing

 

Data Subjects may contact the Data Controller with questions and requests for information. By storing the data provided, the Data Controller is able to identify the requester and provide the answer or the information required by the data subject.

 

Personal data processed

 

Full name, e-mail address, telephone number, questions, information and any other personal data you may have provided

 

Source of personal data

 

Data subject

 

Legal basis for data processing

 

The legal basis for processing is the data subject’s consent (Article 6(1)(a) GDPR.

 

Data retention time

 

Withdrawal of consent or execution of a request for cancellation

 

Addressees

 

Hosting Service

 

Data Subject’s rights

 

 

Right of access, withdrawal of consent, rectification, erasure and restriction of processing.
WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

 

II.2. REQUEST AN OFFER – ONLINE

 

Purpose of data processing

 

Find out in advance about prices, availability, services and special offers

 

Personal data processed

 

Name; surname and first name; telephone number; e-mail address; expected check-in and check-out times, number of adults, number of children, date of acceptance of the privacy notice, comment on the place of accommodation

 

Source of personal data

 

Data Subject

 

Legal basis for data processing

 

Legal basis for processing for the performance of a contract /Article 6(1)(b) GDPR

 

Data retention time

 

 

In the case of a successful bid, according to the rules for reservations,

– in case of rejection of the offer, until the date of rejection,

– if no reply to the offer is received, until the day following the expiry of the time limit for the submission of tenders

Addressees

 

Hosting Service

 

Data Subject’s rights

 

Right of access, rectification, erasure and restriction of processing.
WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

II.3. RESERVATION – ONLINE

 

Purpose of data processing

 

To make booking accommodation easier, cheaper and more efficient by contacting the guest booking the accommodation.

 

Personal data processed

 

Address; surname and first name; address (country, postal code, city, street, house number;) telephone number; e-mail address; details of the message sent to the accommodation, room type, number of adults, check-in and check-out times, price, voucher number, if any, Term and conditions, date of acceptance of the privacy notice, payment information

 

Source of personal data

 

Data Subject

 

Legal basis for data processing

 

The legal basis for the processing is the performance of a contract (Article 6 (1) (b) GDPR), processing of data based on law (Articles 30-31 of Act C of 1990) with regard to date of birth /Article 6 (1) (c) GDPR/

 

Data retention time

 

The personal data obtained during the booking will be processed for a period of 5 years after the contractual relationship with the data subject has ended,

Except:

– name address: for 8 years pursuant to Article 169 of Act C of 2000 on Accounting

– age of the guests’ names: until the last day of the 5th year following the year in question, pursuant to Articles 78(3) and 202(1) of Act CL of 2017 Coll. on the Rules of Taxation

 

Addressees

 

Web and hosting service

 

Data Subject’s rights

Purpose of data processing

Right of access, rectification, erasure and restriction of processing.
WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

 

 

II.4. PERSONAL DATA PROCESSED FOR THE PAYMENT OF THE RESERVATION FEE

 

Purpose of data processing

 

You can pay for your reservation in person where to stay, or you can choose between the following payment methods: bank transfer, payment through other accommodation websites using their own payment system, or through the payment page provided by Teya.com

 

Personal data processed

 

Bank transfer: surname and first name, bank account number, order ID, value of the product ordered, time of transfer, address.

 

Source of personal data

 

Data subject

 

Legal basis for data processing

 

The legal basis for processing is the performance of the contract (Article 6(1)(b) GDPR).

 

Data retention time

 

In order to comply with the obligation to keep accounting documents (Section 169 (2) of the Accounting Act), 8 years.

 

Addressees

 

Accountant, Payment Service, Controller’s Account Holding Bank, Billing system

 

Data Subject’s rights

Purpose of data processing

Right of access, rectification, erasure and restriction of processing.
WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

 

 

II. 5. PERSONAL DATA PROCESSED FOR ACCOUNTING OBLIGATIONS

 

Purpose of data processing

 

Pursuant to Paragraph (2) of Article 169 of the Act on Accounting, the obligation to preserve accounting documents directly and indirectly supporting the accounting statements, as defined in the Act on Accounting.

The Data Controller shall keep for 8 years in a legible and retrievable form the accounting documents, including general ledger accounts, analytical and detailed records, which directly and indirectly support the accounting.

 

Personal data processed

 

Surname and first name, address, product ordered, order ID, place of personal receipt, method of payment, service ordered, price of reservation (categories of data as defined in § 169-170 and § 176 of Act CXXVII of 2007)

 

Source of personal data

 

Data subject, any natural person, including a self-employed person, whose data can be identified on the basis of an invoice (or accounting document treated as such) issued by the Data Controller

 

Legal basis for data processing

 

Compliance with a legal obligation on the controller (Article 6(1)(c) GDPR)

 

Data retention time

 

In order to comply with the obligation to keep accounting documents (Section 169 (2) of the Accounting Act), 8 years.

 

Addressees

 

 Accountant, Payment Service, Controller’s Account Holding Bank, Billing system

 

Data Subject’s rights

Purpose of data processing

 

Right of access, rectification, erasure and restriction of processing.
WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

 

 

II.6. DATA PROCESSING IN CONNECTION WITH THE PROVISION OF DATA TO THE VIZA (CLOSED GUEST INFORMATION DATABASE) SYSTEM

 

Purpose of data processing

 

The rights, safety and property of the data subject and others

and the protection of the rights of third-country nationals and the free movement of persons with the right of free movement and residence the provisions on the residence of persons.

 

Personal data processed

 

1. the user of the accommodation service

– the surname and first name of the person staying,

– surname and given name at birth,

– place and date of birth, sex, nationality

– mother’s name and surname at birth,

– the identification data of his/her identity document or travel document and, in the case of third-country nationals, the visa or residence permit number, date and place of entry,

2. the address of the accommodation service, the start and expected end date of the accommodation

 

Source of personal data

 

Data subject

 

Legal basis for data processing

 

Article 6(1)(c) of the GDPR, compliance with a legal obligation under the 2016. CLVI Act 2016, § 9/H – 9/I.

 

The primary objective of the VIZA system is the protection of public order, public safety, public security and the public security and public order, the rights and safety of the data subject and others and property. This means that no circumstances may prevent the provision of data circumstances and is mandatory by law.

 

Pursuant to Act CLVI of 2016, the customer of the accommodation service must present his/her identification document to the Data Controller for the purpose of data recording.

 

Data retention time

 

The Data Controller shall process the data of the data subjects (guests) until the last day of the first year following the date on which the data becomes known to the Data Controller, and the VIZA system shall keep the data submitted to it for a maximum of two years.

 

Addressees

 

1.      Magyar Turisztikai Ügynökség Zrt.

(1027 Budapest, Kacsa u. 15-23.,

web: https://vizainfo.hu,

E-mail: info@mtu.gov.hu

GDPR: https://vizainfo.hu/adatkezelesi-tajekoztato

2.      Webhosting service

 

Other information

 

The Data Controller may, pursuant to Act CLVI of 2016, keep the register of guests and the local government’s regulation determining the tourist tax electronically using the accommodation management software, but it uses a paper registration form to record the following data:

vehicle registration number, in order to identify the vehicle

vehicle can be identified.

room number

–          – To identify the vehicle type

 

Data Subject’s rights

 

Right of access, rectification, erasure and restriction of processing.
WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

 

 

II.7. ADDITIONAL, TYPICALLY PAPER-BASED, PROCESSING IN CONNECTION WITH THE Check-IN

 

Purpose of data processing

 

 

Providing hotel services, including liaison and service development.

 

The purpose of the recording and storage of the data specified in the Tourism Act, the Accounting Act and the Local Government Ordinance is to ensure legal compliance.

 

After your departure, the data will be retained for the purposes of claims and complaints handling within the limitation period of civil law

 

Personal data processed

 

Data recorded in the reservation system, signature, date

 

Source of personal data

 

Data subject

 

Legal basis for data processing

 

In accordance with the provisions of the Tourism Act, in order to comply with the legal obligation, we record and store for each of our guests: first and last name; first and last name at birth; place and date of birth; sex; mother’s first and last name at birth; identification data of the identity document or travel document, nationality, visa or permit number, place and date of entry. [Article 6(1)(c) GDPR]

A municipal regulation may also require the retention of additional data. [Article 6(1)(c) GDPR]

For the purpose of providing the requested service (based on a contract), we also process e.g.: contact details, frequent guest programme number, payment method, credit card details, room number, number of guests, [GDPR Article 6 (1) (b)]

After your departure, we will retain the data on the basis of our legitimate interest to pursue claims and complaints. [Article 6(1)(f) GDPR]

 

Data retention time

 

If the data is needed for invoicing or other tax records, we are legally obliged to keep the data for 8 years from the end of the calendar year.

 

The hotel has a legal obligation to report to the local authority all guests checking in with the data set out in the local government decree, and must also report to the police all guests arriving from outside the EU.

 

We have a legal obligation to keep the data contained in these reports for 5 years from the date of registration to the end of the year in question.

 

After your departure, we will keep the data for the period of the statute of limitations for civil law, which is 5 years after the end of the year in question.

 

Personal data recorded under the provisions of the Tourism Act will be stored in the designated central repository until the end of the following year.

 

Addressees

 

Other information

 

Right of access, rectification, erasure and restriction of processing.
WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

 

 

II.8. DATA PROCESSING ON SOCIAL NETWORKING SITES

 

Purpose of data processing

 

The accommodation operated by the Company and the restaurant operated by the Company are also separately available on Facebook.

The Facebook user can subscribe to the news feed posted on the message board by clicking on the “like” link on the page, unsubscribe by clicking on the “dislike” link on the same page or delete unwanted news on the message board by using the message board settings.

The Company has access to the profile of “followers”, but does not record it or manage it in its own internal system.

 

Personal data processed

 

Sharing content, other news, promotions and contact information on the hotel/restaurant websites operated by the Company.

 

Facebook pages allow you to book rooms, participate in competitions and find out about the latest promotions.

 

Source of personal data

 

Data recorded in the reservation system, signature, date

 

Legal basis for data processing

 

Data Subject

 

Data retention time

 

Your consent, which you can withdraw at any time by unsubscribing. [Article 6(1)(a) GDPR]

Withdrawal does not affect the lawful processing that preceded it.

In case of withdrawal, you will not be notified of our news feed, our news will not appear in your news feed, but you will still have access to the news feed, as the site is public

 

Addressees

 

At the data subject’s request, until deletion or termination of the profile, but please refer to the provisions of the relevant social networking site’s own privacy policy for details.

Facebook is an independent, separate data controller for its own data processing.

 

Other information

 

META Ireland Limited (4 Grand Canal Square, Grand Canal, Harbour, Dublin 2 Ireland) is a joint controller with the Data Controller in relation to facebook.com and Facebook-related pages.

 

Purpose of data processing

 

Public data of the data subject, interaction data, content of messages sent

You can read the Facebook Privacy Policy for page analytics data here here

 

Personal data processed

Source of personal data

 

Right of access, rectification, erasure and restriction of processing.

 

WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

 

 

II. 9. DATA PROCESSING IN RELATION TO CUSTOMER BOOKS

 

Purpose of data processing

 

The recording and reassuring resolution of complaints and suggestions about the operation of the accommodation and the services provided there, i.e. the formal recording of the views, often complaints, of the person concerned

 

Personal data processed

 

Data recorded by the data subject when registering in the customer directory, name, address, e-mail address, service definition, comment, opinion, date, signature. Response data to the registration

 

Source of personal data

 

Data subject

 

Legal basis for data processing

 

Performance of a legal obligation under Act CLXIV of 2005 on Trade

 

Data retention time

 

5 years in the case of a complaint, or

in the case of no complaint, the customers’ book (removed pages)

destruction of the removed books.

 

Addressees
Other information

 

The Data Controller draws your attention to the fact that the guestbook may be persons can also freely access the guestbook, so the data subjects must be aware of this and act with care when making entries in the guestbook!

 

Purpose of data processing

Personal data processed

 

Right of access, rectification, erasure and restriction of processing.

 

WARNING! The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data at any of the contact details indicated above.

 

 

II.10. JOINT CONTROLLERS

Reservations made on booking sites transmit the following data to the accommodation providers in order to fulfil the contract: name, e-mail address, phone number, address reservation details, information in the comment, special comments, requests and its details.

 

Joint data controllers Activity
Booking.com Online Travel Agency
Expedia.com Online Travel Agency
Hotels.com Online Travel Agency
Hotwire.com Online Travel Agency
Lastminute.com Online Travel Agency
Agoda.com Online Travel Agency
Hotelbeds.com Online Travel Agency
AirBNB.com Online Travel Agency
Hoteltonight.com Online Travel Agency
hrs.com Online Travel Agency
Tripadvisor.com Online Travel Agency
Google Hotel Search Online Travel Agency
Szállás.hu Online Travel Agency
Trivago.com Online Travel Agency
Ctrip.com Online Travel Agency

 

 

II.11. WEB ANALYTICS IN GENERAL

 

  • Google (Google Analytics, Google Tag Manager)

Google Analytics by Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, uses cookies, which are text files placed on your computer, to help Google Analytics analyze how you use our online services. In general, the information collected by the cookie about your usage behaviour is transmitted to a Google server in the USA and stored there. In the event that IP anonymisation is activated for online services, Google will already shorten the IP address in the Member States of the European Union and the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of the online services to evaluate your use of the online services, compile reports on these activities and provide other services relating to the use of the online services and internet usage for the website operator.

The IP address transmitted by your browser in the context of Google Analytics will not be merged with other data held by Google. The saving of cookies can be prevented by setting your browser software accordingly. However, in this case you will not be able to take full advantage of all the features of the online services. The collection of data generated by cookies and their use by Google can be prevented by downloading and installing the browser plugin at the following link (https://tools.google.com/dlpage/gaoptout?hl=en).

Our website also makes use of the Google Tag Manager, which allows you to quickly and easily update tracking codes and related code snippets (known collectively as tags) on the website and in the mobile application.

Detailed information: https://support.google.com/tagmanager/answer/6102821?hl=hu

Detailed information on Google’s terms of use and privacy policy can be found here: www.google.com/analytics/terms/gb.html ; https://policies.google.com/privacy?hl=en

 

III. Data subject’s rights

 

The data subjects may exercise the rights listed below – as provided by the GDPR – at any time against the accommodation, orally, in writing or electronically. ATTENTION! Certain data subjects’ rights may only be exercised in relation to personal data processed on the basis of the relevant legal basis. For more information on the rights that may be exercised in relation to each of the purposes of processing, please refer to the tables above.

Individuals located in the European Economic Area only, whose Personal Data Stanford processes (“Data Subjects”), have the following rights with regard to their Personal Data.

“Personal Information” is any information that we can reasonably use to identify you. If you are located in the European Economic Area (EEA), Personal Information includes all Personal Data as defined under EEA laws.

 

Right to withdraw consent

 

A Data Subject who has provided the Data Controller with consent to process their Personal Information has the right to withdraw any consent previously provided to the Data Controller at any time. If a Data Subject withdraws their consent, this will not affect the lawfulness of the Data Controller’s collecting, using and sharing of their Personal Information up to the point in time that consent was withdrawn. Even if a Data Subject withdrawstheir consent, the Data Controller may still use the information that has been anonymized and does not personally identify the Data Subject.

 

Right of access

 

Data Subjects may request details of their Personal Information that the accomodations holds. The accomodations will confirm whether it is processing the individual’s Personal Information and will disclose supplementary information including the categories of Personal Information, the sources from which it originated, the purpose and legal basis for the processing, the expected retention period, and the safeguards regarding Personal Information transfers to non-EEA countries, subject to the limitations set out in applicable statutes, regulations and other laws.

 

 Right of correction

 

The accomodations will comply with a Data Subject’s request to edit and update incorrect Personal Information promptly and in most cases within 30 days from the receipt of the request for correction.

In the event that correction is not possible or cannot occur within 30 days, the accomodations will document its reasons, specify the time frame in which correction will occur (to the extent knowable), and respond to the requestor with this information within 30 days from the receipt of request for correction.

 

Right to be forgotten

 

At a Data Subject’s request, the accomodations will delete their Personal Information promptly if:

 

–          it is no longer necessary to retain the Personal Information;

–          the Data Subject withdraws the consent which formed the basis of the Personal Information processing;

–          the Data Subject objects to the processing of their Personal Information and there are no overriding legitimate grounds for such processing;

–          the Personal Information was processed illegally; or,

–          the Personal Information must be deleted for the Data Controller to comply with its legal obligations.

The accomodations will inform any third parties with whom it might have shared the Data Subject’s Personal Information of the deletion request.

 

The Data Controller may decline a Data Subject’s request for deletion if processing of their Personal Information is necessary:

  • to comply with a Data Controller legal obligation;
  • in pursuit of a legal action;
  • to detect and monitor fraud; or,
  • for the performance of a task in the public interest.

 

Right to restrict processing of Personal Information

 

Right to restrict processing of Personal Information At a Data Subject’srequest, the Data Controller will limit the processing of their Personal Information if:

  • the Data Subject disputes the accuracy of their Personal Information;
  • the Data Subject’s Personal Information was processed unlawfully and they request a limitation on processing, rather than the deletion of their Personal Information;
  • the Data Controller no longer needs to process the Data Subject’s Personal Information, but the individual requires their Personal Information in connection with a legal claim; or,
  • the Data Subject objects to the processing pending verification as to whether an overriding legitimate ground for such processing exists.

 

Right to data portability

 

At a Data Subject’s request, the Data Controller will provide them a copy of their Personal Information in a structured, commonly used and machine-readable format, if:

(i)                  the Data Subject provided the Data Controller with Personal Information;

(ii)                (ii) the processing of the Data Subject’s Personal Information is based on consent or required for the performance of a contract ; or,

(iii)              (iii) the processing is carried out by automated means.

 

Right to object

 

Where the Data Controller processes a Data Subject’s Personal Information based upon the lawful basis of legitimate interest, then the individual has the right to object to this processing.

 

Right not to be subject to decisions based solely on automated processing

 

Data Subjects will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of their Personal Information, unless the Data Controller has received explicit consent or where the automatic processing is necessary for a contract with the Data Controller.

 

 

 

IV. DATA SECURITY

 

The Data Controller shall ensure, in particular, in the context of its IT security responsibilities:

1. to deny unauthorised persons access to the means used for data processing (hereinafter referred to as the ‘data management system’),

2. preventing the unauthorised reading, copying, modification or removal of data media,

3. to prevent the unauthorised input of personal data into the data management system and the unauthorised access to, modification or deletion of personal data stored in the data management system,

4. preventing unauthorised persons from using the processing systems by means of data transmission equipment,

5. that persons authorised to use the system have access only to the personal data specified in the access authorisation,

6. that it is possible to verify and establish to which recipients the personal data have been or may be transmitted or made available or made available by means of a data transmission installation that it is possible to verify and establish a posteriori which personal data have been entered into the system by whom, at what time

7. to prevent the unauthorised disclosure, copying, modification or deletion of personal data during transmission or transport of the data medium

8. to ensure that the data processing system can be restored in the event of a malfunction.

9. that the data management system is operational, that any errors in its operation are reported and that the personal data stored cannot be altered by the malfunctioning of the system.

 

 

V. THE LEGAL REMEDIES

ANNEX NO 1

 

Right to complain to a supervisory authority If a Data Subject is not satisfied with the Data Controller’s response, they have the right to complain to or seek advice from a supervisory authority and/or bring a claim against the Data Controller in any court of competent jurisdiction. Any person, that receives a request from a Data Subject seeking to exercise their rights under GDPR should contact the Data Controller to assist in the review of and response to the Data Subject’s request.

Requests will be responded to within 30 days of receipt. Under certain circumstances, the Data Controller may inform the requesting Data Subject that additional time is needed to fully comply with the request. Such notification shall occur within 30 days of receipt of the request.

 

Contact details of the National Authority for Data Protection and Freedom of Information

 

Headquarters

 

1055 Budapest, Falk Miksa utca 9-11.

 

Postal address

 

1363 Budapest, Pf.: 9.

 

Phone

 

+36-1-391-1400

 

Fax

 

+36-1-391-1410

 

E-mail

 

ugyfelszolgalat@naih.hu

 

Website

 

http://www.naih.hu

 

Online start a case

 

http://wwwnaih.hu/online-uegyinditas.html

 

 

 

Data processors

 

Name of data processor Name of data processing
D-edge.com Website booking engine
Google Business Suite Daily operation
WordPress.com Website operation
K&H Bank Zrt, CSOB Account-holding financial institution
Bluehost.com Hosting services
Kulcs-Soft Accounting services
Teya.com Payment service
Szamlazz.hu Billing system
Magyar Turisztikai Ügynökség Zrt. Guest Information Closed Database (VIZA) system, National Turism Datacenter (NTAK)

 

ANNEX NO 2

 

Cookie management

 

The data controller uses the services of Cookiebot on the website.

 

Please kindly acknowledge the processing of your data in accordance with this privacy notice.

 


 

CCTV Privacy Policy

 

Please be informed that our Company has a CCTV surveillance system in place at its premises (e.g. at the reception of the 7Seasons Apartments). You can access our privacy policy on the system here.