Somogyi Korona Szálloda és Étterem Zártkörűen Működő Részvénytársaság
(for the safeguarding of your personal data)
The Somogyi Korona Szálloda és Étterem Zártkörűen Működő Részvénytársaság (we, us), as data controller defines the purposes and tools for personal data management, and as data processor, manages personal data.
Data Controller contact information
Name: Somogyi Korona Szálloda és Étterem Zártkörűen Működő Részvénytársaság
Seat: 7400 Kaposvár, Ady Endre utca 2.
Telephone/ Fax: +36 82 510 279
Email address: email@example.com
You may also visit us at: http://www.kaposhotel.hu
The company registration number, if applicable: 14-10-000210
National tax number: 10354788-2-14
Representative: Franz Maier, General Manager
The General Manager of Somogyi Korona Zrt., as well as the employees, ensure through continuous control that the company's departments and employees comply with the provisions regarding data controlling and data security.
I. Definitions and basic principles:
Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person — as well as any deduction from the data to the data subject concerned
Data Controlling: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction as well as preventing the further use of given data, the making of photo, sound or picture recordings, and the capturing of physical characteristics adequate for personal identification (e.g. finger or palm prints, DNA-samples, retinal image).
Data Processing: performing technical tasks related to data processing operations, irrespective of the method and device used to perform the operations and the location of the application.
Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
With regard to the provisions of (3) of the Hungarian Privacy Act (Act CXII of 2011) and Article 4 of GDPR.
II. Personal Data Protection
Somogyi Korona Zrt. keeps records of the personal data regarding natural persons in compliance with the following principles:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity and confidentiality
Only personal data that is essential and suitable for achieving the purpose of processing may be processed by Somogyi Korona Zrt. and its organisation, and only for a clearly specified and legitimate time and measure. Somogyi Korona Zrt. ensures the separation of data processing operations.
Somogyi Korona Zrt. and its employees may use personal data only for performing tasks, in compliance with the relevant legislation.
Somogyi Korona Zrt. may use personal data only for the purpose of exercising its functions and powers, and to exercise its rights or to fulfil its obligations. The use for private purposes of personal data processed by Somogyi Korona Zrt., or provided by other controllers for the performance of the controller’s tasks, is prohibited.
The employee at Somogyi Korona Zrt. performing data processing operations has disciplinary, liability, punitive and criminal responsibility for the lawful processing of the personal data obtained in the exercise of his or her duties and powers and for the lawful exercise of access to the records of Somogyi Korona Zrt. Employees performing data processing operations must keep the personal data they have accessed as a professional secret.
III. Legal basis for data processing:
Somogyi Korona Zrt. keeps records of the personal data regarding natural persons in compliance with the following principles:
- data subject’s consent;
- fulfilment of the legal obligation
- vital interest
- data processing for public interest
- right, legitimate interest, interest assessment test
If data processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their data
In case of the processing of the personal data of the data subject based on a legitimate interest, Somogyi Korona Zrt. conducts an interest assessment test, during which:
- it identifies and records the legitimate interest
- identifies and records the interests and rights of the data subject based on the principles of necessity and proportionality, purpose limitation, data minimisation and storage limitation
- conducts an assessment
- informs the data subject of the interest assessment.
Personal data may be processed even if the consent of the data subject cannot be obtained or would entail disproportionate expenses, and the processing of the personal data
a) is necessary in order for the controller to fulfil its legal obligations, or b) is necessary for the pursuit of the legitimate interest of the controller or third party, and the pursuit of interest is proportionate to the restriction of the right to the protection of personal data.
IV. Purpose for data processing:
Somogyi Korona Zrt. conducts data processing in compliance with the law for the following purposes:
- we process the data of the customers of our service in connection with productive and sales activity with the aim to maintain a customer relationship;
- marketing activity for potential customers;
- data management of employees and applicants; personnel and payroll records
- handling contact details of contractual partners for the purpose of performance of the contract;
- meeting customers’ orders;
- property protection, personal security;
- fulfilling obligations under the law.
V. Duration of data processing:
Somogyi Korona Zrt. informs the data subjects about the retention period for data storage.
- Retention period of invoices: at least 8 years due to legal obligations.
- Retention period of the documents serving as the basis for invoices is 8 years.
- Retention period of the documents serving as the basis for employment relationship: 50 years.
- The retention period of data obtained for communication purposes is 5 years following the termination of contact.
- Retention of data related to the performance of the contract: 5 years.
- Retention period of data related to tenders is as defined in the grant agreement.
VI. Rights of data subjects
(1) Somogyi Korona Zrt. ensures that the data subject has access to, or may request information about, his or her data processed by the company.
(2) The data subject may require information from Somogyi Korona Zrt. concerning the processing of his or her personal data, may require the correction, as well as the erasure or blocking — except for mandatory data processing — of his or her personal data, or — if authorised by law — may object to such processing.
(3) The data subject shall have the right to obtain information from Somogyi Korona Zrt. about his or her personal data being processed by the controller or authorized data processor, and to access the following information: source of the data, the purpose of the data processing, its legal basis and duration, the name and contact information of the data processor, its activities regarding data processing, the circumstances, effects and mitigating measures in case of data breach, as well as the legal basis and addressees in case of data transmission. Somogyi Korona Zrt. must provide easily understandable information to the data subject within 25 days after his or her written request. Providing the information is free of charge if the claimant has not requested such information regarding the same data within the given year. In all other cases, a reimbursement may be established. The paid reimbursement shall be repaid if the data were handled unlawfully, or the request leads to a correction.
(4) The controller may refuse to provide information to the data subject in the cases defined in (1) § 9 and § 19 of the Privacy Act. If the request of the data subject is rejected, he or she must be informed of the reasons for it, as well as of the possible legal remedies at court and of the option of turning to the Hungarian data protection supervisory authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, hereinafter: Authority). A senior official at Somogyi Korona Zrt. keeps a record of the denied requests, and informs the Authority about the record by 31 January of the following year.
(5) Somogyi Korona Zrt. must correct all inaccurate information if the necessary data is provided.
(6) The data handled must be erased if:
- the managing of the data is unlawful
- on the data subject’s request — unless the data processing is required under law or is necessary
- the data is incomplete or inaccurate, and this cannot be corrected lawfully, and if the erasure is not ruled out by the legislation
- the purpose of the data processing has ceased, or the statutory data retention period has expired
- it was ordered by court or the Authority.
(7) The request for erasure may be denied if the data processing is necessary
- for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for the establishment, exercise or defence of legal claims, and
- if the data processing was ordered by law.
(8) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. If the request of the data subject is rejected, he or she must be informed of the reasons for it, as well as of the possible legal remedies at court and of the option of turning to the Authority.
(9) Somogyi Korona Zrt. provides, in compliance with the data security requirements, access to its records for third parties who are involved in the data processing and who provide services to Somogyi Korona Zrt. that are connected to data management, such as accounting, legal services, etc.
(10) Regular data transmission is only carried out on the basis of contract for data processing, to certain organs at certain periods and with certain content defined by law.
VII. Personal Data Protection
(1) Somogyi Korona Zrt. shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the regulations concerned.
(2) In a specific case, only personal data absolutely necessary for the case may be recorded, without unjustified copying or record-keeping of presented identity cards and other personal documents. The recorded data may only be used for the given case, and may not be connected to further procedures or data.
(3) To ensure data quality, personal data may only be obtained from a valid official identifying document (e.g. identification card, driver’s licence, passport, etc.), whereas sensitive data may be collected only based on a written consent.
(4) Documents or other media containing personal data may only be taken from Somogyi Korona Zrt.’s offices — with an exception for fulfilling tasks of the job description — in justified cases, and with the consent of the supervisor. The data controller must protect the document from loss, damage or destruction, and from being obtained by an unauthorized person.
(5) Other than the controller, only persons with a legal authorization or authorized by this document may view the data at the controller or in the archives. The right to access must be exercised in such a way that the rights of others to the protection of personal data or personal rights are not infringed. The provisions of this section shall also be applied when copying or extracting.
(6) Employees must take special measures to protect their equipment used to store documents and data during working hours. The employee must handle and store his or her computer and data carriers in such a way that data requiring protection cannot be accessed by an unauthorized person.
(7) Somogyi Korona Zrt. may record activities on their premises, including captures of persons appearing in these premises for the protection of persons and property, with a closed-circuit camera system installed at its headquarters and premises continuously, without direct personal surveillance. The recordings shall be used by Somogyi Korona Zrt. only for the purpose of subsequent investigations regarding the circumstances of crime or other extraordinary event taken place in the observed area.
All premises with cameras shall carry signs informing entrants that certain areas of the premises are being observed, or an ‘under CCTV surveillance’ sign shall be installed in the vicinity of each camera.
(8) There shall be no camera installed in a resting area, buffet, toilet, restroom or changing room, nor at the entrance of those. The installed cameras may not record footage of working sites or working processes unless it is recorded for occupational safety and health purposes. The camera at the counters shall be installed so as to show the payer as well as the counter. The recorded image, sound and footage shall be erased and deleted within 3, in case of external premises within 30 days after recording, if not used.
(9) If justified, the recordings may be viewed by: the authorized personnel of the security company, the management of the Company and the supervisor of the given premises, and in case of accidents at work, the staff of the labour inspectorate, the representative in charge of occupational safety and health, as well as anyone authorized by the executive.
(10) The data subject has specific rights connected to their personal data being processed, provided to him or her by the law.
- right of access
- right of rectification
- right of erasure
- right to restrict processing data
- notification obligation regarding rectification or erasure of personal data or restriction of processing
- right to data portability
- right to object
(11) Company website:
(a) The information provided during the registration or data uploads when visiting the website is handled by the Company and the website operator (name: Instantweb Portálszolgáltató és Webfejlesztő Kft.) for the purpose of informing guests about:
- accommodation opportunities at Hotel Kapos,
- weekly offers of Karos Restaurant,
- getting quotes for events, business and private gatherings, and weddings organized by the Company.
People interested — based on the information they provide and their inquiries — will be sent offers and confirmations regarding accommodation, restaurant and café menus, events or other services of the Company’s activities, as well as future opportunities.
(b) Principles of data collection: Users register and provide their information on www.kaposhotel.hu voluntarily, and receiving messages and providing information by email or fax is also optional for the user.
Interested parties are to provide the information which is necessary for and applicable to the required service, special offer, subscription, booking or order. All marked fields must be filled out; without this information, the data of voluntary registrants is not adequate for its given purpose.
(c) Place and duration of the data processing:
Data processing takes place on the servers of the operator.
Besides the employees of the Company, information found on the server or the admin page may be seen only by the web programmer (Instantweb Kft.) and the server subcontractor.
During a visit to our website, the service provider may place so-called cookies on the user’s computer. You can delete these from your computer or disable them in your browser. The HTML code of the websites operated by the Company may contain links to and from independent, external servers for web analytical purposes. The web analysis service provider processes data connected to browsing, which is not personal and is not suitable for identifying individuals.
VIII. The process of informing the data subject
Somogyi Korona Zrt., as controller shall take appropriate measures to provide any information and any communication relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
Collecting personal data directly from the data subject:
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all the following information:
- the identity and the contact details of the controller;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation.
The controller shall also provide the data subject with the following further information necessary to ensure fair and transparent processing:
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
- the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information.
Retention of personal data from other sources
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
- the categories of personal data concerned
- from which source the personal data originate, and if applicable, whether it came from publicly accessible sources.
IX. Data processing
Within the organisational system of Somogyi Korona Zrt., the personal data of the users of services provided by the Kft. may be transferred – to the extent and for the time necessary to perform the task – to organisational units which fulfil administrative, control or authority tasks connected to clients.
Customer data may be transferred for data processing or made available to:
- The performance of accounting, payroll accounting, work and fire protection or other tasks incumbent on the company based on a written assignment contract,
- The local municipality, its notary, mayor’s office, as well as the Hungarian Tax and Customs Administration (NAV).
- To recover civil non-litigious (order for payment) and other debts through litigation, as well as in proceedings for the settlement of legal disputes, to the legal representative and to the bodies entitled by law.
- For the protection of national security, national defence and public security, in the event of a lawful request to the competent national security bodies, investigative authorities, courts and other judicial and investigative bodies for the purpose of prosecuting criminal offenses.
- in the case of a legal obligation, in the case of a lawful request to fulfil it.
X. Data Protection Policies
(1) During the data processing, Somogyi Korona Zrt. implements appropriate IT measures, so that:
- The IT system is suitable for restricting access to the data processed, as such, protecting the data against unauthorised third parties (as such, from unauthorised access, alteration, transfer, public disclosure, erasure, destruction).
- Unauthorised data entry during the automated processing of personal data, use of the data processing system by unauthorised persons and use via a data transfer device are prevented; to ensure verification and accountability, all changes to data are made together with the information relating to data entry (such as who and when) and data transfer, specifying the time the changes were made.
- To protect the data against accidental destruction and damage, and against becoming inaccessible due to changes in the technology used, it can be backed up in the event of a breakdown.
(2) Both the IT system and the network of the Kft. are protected against computer-related crimes. The operator provides security with password protection, firewall, and server security procedures. The IT system of Somogyi Korona Zrt. is operated by Instantweb Kft. under an agency contract.
(3) In order to ensure the security of personal data processed manually, the following measures must be taken:
- Fire and property protection: documents placed in the archives are to be stored in a well-sealed, dry, fire-proof and property protected facility.
- Access control: Continuously active files may only be accessed by the competent administrators. The administrator must ensure that the document containing personal data does not remain unattended and accessible by unauthorized persons. Records must be kept in lockable filing cabinets and secure archive rooms.
- Archiving: Data processing records must be archived once a year. Somogyi Korona Zrt. must handle archived records in accordance with the records management and disposal regulations.
XI. Managing personal data incidents
Somogyi Korona Zrt. – by means of an internal data protection officer – with the purpose of controlling the measures relating to data incidents and to inform data subjects – shall keep records containing the affected personal data, the persons affected by the data incident, the time, circumstances and effects thereof, and the measures taken to eliminate them, as well as further information determined by law. Employees must make a note of the data protection incident they become aware of, and inform their superior with the note. Somogyi Korona Zrt or its representative must report the data protection incident to the supervisory authority without undue delay, within 72 hours of becoming aware of it, and inform the data subject as well, unless the data protection incident probably did not involve a risk to the rights and freedoms of natural persons.
Somogyi Korona Zrt. shall take the necessary security measures without delay after the data protection incident has been brought to its attention, with the aim of eliminating or remedying the injury arising from the data protection incident.
The data subject shall be notified about the measures taken and their effect.
XII. Information on legal remedies:
The Hungarian data protection supervisory authority is: Nemzeti Adatvédelmi és Információszabadság Hatóság (hereinafter: NAIH, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, email address: firstname.lastname@example.org). The data subject may submit a complaint to NAIH if he or she considers that the personal data relating to him or her does not comply with the legal obligations. A review may be initiated against the NAIH decision.
XIII. Information regarding records:
Somogyi Korona Zrt. carries out the handling and processing of data in a lawful, transparent and verifiable manner, with the following records to achieve the objectives:
- Data inventory
- Records of processing activities
- Records of terminating activities
- Records of incidents
- Records of data subject and authority inquiries and the responses thereto
- Records of the activities of the data protection officer
- Records of lost data and searching
- Records of preliminary data protection impact assessment
XIV. Entry into force:
This Data Management and Data Protection Code is established by Act CXII of 2011 on Informational Self-Determination and Freedom of Information of Hungary, Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and repealing Directive 95/46/EC (GDPR), which will enter into force with a corporate signature on 25 May 2018.
Pécs, 25 May 2018
Somogyi Korona Zrt.
Represented by: Franz Maier, General Manager