Barack Thermal Resort, Tiszakécske

Data protection and Data processing policy

Publication time: 22-05-2018
Latest time of the 1st revision: With changes in legislation
Date of entry into force of the amendments introduced by the 1st revision: 
Sections modified during the 1st revision: 
Latest time of the 2nd revision:
Created by: Éva Anikó Szabó, General manager

DATA PROCESSING POLICY [based on the GDPR]

Identification data of the Company, as data controller:

Representative of the Company, as data controller:

Our data processing principles are in accordance with applicable laws in force, in particular with the following:

Table of contents

Interpretative provisions
1 Purpose of the policy
2 Data management principles
3 Lawfulness of processing
3.1 Personal data, with the exception of sensitive data
3.2 Sensitive data
4 The Company’s duty of disclosure and its measures
4.1 Privacy notice
4.1.1 Common rules
4.1.2 Information to be provided where personal data are collected from the Data subject
4.1.3 Information to be provided where personal data have not been obtained from the Data subject
4.2 Data subject rights
4.2.1 Right of access
4.2.2 Right to rectification
4.2.3 Right to erasure (“right to be forgotten”)
4.2.4 Right to restriction of processing
4.2.5 Right to object
4.2.5.1 Right to object in case of direct marketing
4.2.5.2 Profiling
4.2.6 Right to data portability
4.2.7 Right to decide on automated decision-making in individual cases, including on profiling
4.2.8 Right to a legal remedy
4.2.8.1 Right to lodge a complaint
4.2.8.2 Judicial review of the decision of the supervisory authority and other legal remedies
4.2.8.3 Right to go to court (right to bring legal action)
4.2.8.4 Other options for bringing claims
4.2.8.5 Right to receive compensation
4.2.8.6 Administrative fines
4.2.8.7 Criminal and/or administrative penalties
4.3 Procedural rules
4.3.1 Evaluation of the request
4.3.2 Fees for information provided and action taken
4.3.3 Examination of the identity of the applicant
5 Transmission of data
6 Personal data breach
6.1 Notification to the supervisory authority
6.2 Communication to the Data subject
7 Data processing registers
7.1 Recording of processing activities
7.2 Recording of personal data breaches
8 Data protection officer
9 Data protection impact assessment
10 Training
11 Joint data processing, data management
12 Security of data processing
13 Miscellaneous
14 Scope, validity and review procedure

Interpretative provisions

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
‘controller’ means the Company, and the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status
‘Data subject’ is the natural person, whose personal data is being processed
‘consent of the Data subject’ means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
‘EU Member State’ means Member States of the European Union, including Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, United Kingdom, Estonia, Finland, France, Greece, Netherlands, Croatia, Ireland, Poland, Latvia, Lithuania, Luxembourg, Hungary, Malta, Germany, Italy, Portugal, Romania, Spain, Sweden, Slovakia and Slovenia
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR
‘GDPR’ means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
‘sensitive data’ means personal data belonging to special categories of personal data
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
‘special categories of personal data’ means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation 

Company: Tiszaparti Termálfürdő Kft. H-6060 Tiszakécske, Szabolcska u. 43., as data controller

1. Purpose of the policy

The purpose of the Data Processing Policy is the introduction and consistent application of such measures, which ensure the accurate and secure processing of the Data subjects' personal data, which processing shall be in compliance with applicable EU and national data protection rules in force and uniformly implemented at the Company level.
At the same time, the Data Processing Policy provides concise, transparent and easily accessible information to Data subjects regarding access to their personal data processed by the Company, and governs and provides information about the Company's policy for safeguarding the rights of the Data subjects.

2. Data management principles

Before beginning to process personal data, one should carefully consider in every case if such processing is truly necessary or not. The processing of personal data may only begin, if it is unequivocally justifiable that the purpose of the data processing cannot be achieved otherwise.
The Company shall process the Data subjects’ personal data in a lawful, fair and transparent manner. No one shall be adversely affected because of initiating any action, legal remedy or making a complaint to the Company or any other authority as defined in this Policy, or because of refusal or withdrawal of their consent in the case of data processing based on consent.
The collection of the Data subjects’ personal data may only be done for a specified, explicit and legitimate purpose. The Company is obliged to refrain from, or subsequently discontinue any data processing that is incompatible with the purpose in question of the personal data. The Company shall be entitled to process personal data only to the extent necessary and shall delete any personal data for which the purpose of data processing has ceased to exist or for which the legal basis of data processing cannot be justified.
The Company shall introduce control mechanisms that are capable of ensuring already in advance and subsequently, as a filter, that: 
(i)the personal data are in accordance with the purposes of the data processing already at the time of data collection and subsequently, during the whole period of data processing, and
(ii)the extent of data processing is limited to what is necessary in terms of both the scope of data and the duration of the data processing. 
The personal data processed by the Company shall be accurate and up-to-date. The Company shall take all reasonable measures to ensure that accurate personal data are processed:
(i)personal data which are not or no longer necessary for the purposes of the data processing shall be promptly deleted;
(ii)inaccurate personal information shall be corrected or deleted.
Personal data must be stored in a form, which permits identification of the Data subjects only for the time necessary to achieve the purposes of personal data processing.
The processing of personal data shall be carried out in such a way as to ensure adequate security of personal data by adequate technical or organizational measures, including any steps that serve to protect personal data against unauthorized or unlawful processing, accidental loss, destruction or damage.

3. Lawfulness of processing

The correct definition of the basis for data processing and the fulfilment of such additional conditions, which belong to the chosen legal basis, are prerequisites for lawful data processing. The requirement of lawfulness thus implies, in a narrower sense, the existence of an appropriate legal basis for data processing and, in a broader sense, implies that personal data may only be processed in accordance with legislation applicable to such legal basis.
Considering the activity it performs regarding the Data subjects’ personal data, the Company may choose from the following main legal bases, depending on the nature and circumstances of the data processing. The main legal bases referred to in the first subparagraph apply to all personal data with the exception of special categories of personal data, while the second sub-paragraph sets out specific provisions concerning the legal bases for the special categories of personal data.

3.1 Personal data, with the exception of sensitive data

The Company may process the Data subject’s personal data - not including special data - in particular on the following legal basis: 
(i)Consent: The Data subject – as long as the free nature of the consent can be proven – may give their consent for the processing of their personal data (Annexes 1A, 1B, 1C). Where the Company processes the personal information of a child under the age of 16 in connection with information society services provided directly to children under the age of 16, as a general rule, data processing shall be lawful only if, and to the extent that, the consent was given or authorized by the person having parental care over them. The Data subject gives their consent freely and shall be entitled to withdraw it at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
(ii)Contract preparation, contract performance: This legal basis may be used for data processing necessary for the performance of a contract (e.g. a service contract, employment contract, study contract) in which the Data Subject is a party or where data processing is necessary prior to the conclusion of the contract, for the execution of steps at the request of the Data subject.
(iii)Performance of a legal obligation: Data processing required by EU or Hungarian law.
(iv)Legitimate interest: This includes data processing necessary to assert the legitimate interests of the Company or of a third party. The legitimate interests of the Company or of a third party shall be set out in the privacy notice for the given data processing purpose. Data processing based on legitimate interest may only take place, if the Company does an interest balancing test, in which it records and examines whether the legitimate interest of the Company proportionately limits the Data subject’s right to the protection of their personal data and privacy and how the balance between the interests of the Company and the Data subject can be ensured. The interest balancing test is not part of the privacy notice.
(v)[Other legal bases for data processing that are specific to the given purpose of the data processing may include: the vital interest of the Data subject or another natural person, or data management related to the performance of a task in the exercise of official authority vested in the Company.] 
If the Company collects the data from the Data subject and the Data subject does not disclose data processed on the above legal bases, then the potential consequence of failing to disclose such data may be denial or impossibility of preparing or performing a given contract (e.g. failure to establish an employment relationship). If the Data subject does not disclose a part of the data to be disclosed, then it shall be judged on the basis of the data that have not been disclosed in full, if the lack of data disclosure may entail for example the impossibility of concluding or maintaining the contract. In the case of contractual data management, the Company may only apply the legal consequences of the impossibility, if it demonstrates that it would be unable to perform the contract without the disclosed data.

3.2 Sensitive data

Due to the fundamental rights and freedoms of natural persons, sensitive data are, by their nature, particularly sensitive and risky data, which merit specific protection. The Company may process the Data subject’s sensitive data – including, primarily, data concerning health – in particular for the following purpose and on the following legal basis:
(i)GDPR Article 9. Paragraph 2 a): The Data subject – as long as the free nature of the consent can be proven – may give their consent for the processing of their personal data (Annexes 1A, 1B, 1C). The Data subject gives their consent freely and shall be entitled to withdraw it at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
(ii)GDPR Article 9. Paragraph 2 b): For example when authorised by Union or Member State law or a collective agreement pursuant to Member State law, the Company may process data in order to fulfil its obligations and exercise its specific rights arising from employment, as well as social security and social protection legislation.
(iii)GDPR Article 9. Paragraph 2 f): This legal basis may be used when processing of sensitive data is necessary for the establishment, exercise or defence of legal claims.

4. The Company’s duty of disclosure and its measures

The Company shall provide certain information to the Data subject in a concise, transparent and easily accessible way, in clear and plain language, and shall inform the Data Subject of their rights. Furthermore, at the request of the Data Subject, the Company may take measures in compliance with certain procedural rules.

4.1 Privacy notice

The Company, depending on whether it collects the personal data from the Data subject or not, is obliged to provide certain information regarding data processing to the Data subject. The general and specific rules of this privacy notice are summarized in the following sub-sections.

4.1.1 Common rules
Based on the duty of disclosure the Company is obliged to inform the Data subject of the following:
(i)the identity and the contact details of the Company and, where applicable, of the Company's representative;
(ii)it does not employ a data protection officer,
(iii)the purpose of the intended processing of personal data as well as the legal basis for the processing;
(iv)in the case of data processing based on Article 6 paragraph 1 f) of the GDPR, the legitimate interests of the Company or a third party,
(v)if applicable, the recipients or categories of recipients of the personal data, if any;
(vi)where applicable, that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available,
(vii)the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(viii)the existence of the right of the Data subject to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing of such personal data, as well as the right to data portability;
(ix)where processing is based on point (a) of Article 6 paragraph 1 or point (a) of Article 9 paragraph 2 of the GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(x)the right to lodge a complaint with a supervisory authority;
(xi)the existence of automated decision-making, including profiling, referred to in Article 22 paragraph 1 and 4 of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

4.1.2 Information to be provided where personal data are collected from the data subject
In the event that the Company collects personal data from the Data Subject, it shall, in addition, inform the Data Subject, whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
It is necessary to provide the information at the time when the personal data is obtained. In the event the data subject already has the above information, it is not necessary to inform them.

4.1.3 Information to be provided where personal data have not been obtained from the data subject
In the event that the Company does not collect personal data from the Data Subject, it shall, in addition, inform the Data Subject of the categories of personal data concerned, as well as the source of the personal data and, if applicable, of whether the data come from publicly available sources.
The Company shall provide the information at the following times:
(i)having regard to the specific circumstances in which the personal data are processed, within a reasonable period after obtaining the personal data, but at the latest within one month,
(ii)if the personal data are to be used for communication with the Data subject, at the latest at the time of the first communication with that Data subject, or
(iii)if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
It is not necessary to provide the above information, if 
(i)the Data subject already has the information,
(ii)the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89 paragraph 1 of the GDPR or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests - including making the information publicly available,
(iii)obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the Data subject's legitimate interests, or 
(iv)where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

4.2 Data subject rights
The Data subject may request from the Company access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and may object to processing of such personal data. Furthermore, the Data subject is entitled to the right to data portability and to a legal remedy, as well as the right to decide on automated decision-making in individual cases, including profiling.

The Company shall provide information on certain data subject rights as part of the notice referred to in Clause 4.1.

4.2.1 Right of access by the data subject 
The Data subject shall have the right to obtain from the Company confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information: 
(i)the purposes of the processing regarding the given personal data, 
(ii) the categories of personal data concerned,
(iii)the categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations (in the case of transfers to recipients in third countries and international organizations, the Data Subject shall have the right to request information on whether the transfer is subject to appropriate safeguards),
(iv)the envisaged period for which the personal data concerned will be stored, or, if not possible, the criteria used to determine that period,
(v)the Data subject's rights (right to rectification, erasure or restriction, right to data portability and right to object against the processing of such personal data),
(vi)the right to lodge a complaint with a supervisory authority,
(vii)if the Company did not obtain the data from the Data subject, every available information concerning the source,
(viii)the existence of automated decision-making regarding the concerned personal data, including profiling too; if such data processing is occurring, then the information shall include meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 
Where the Data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 
The Company may request from the Data subject that, before the information is delivered, the Data subject specify the information or processing activities to which the request relates.
If the Data subject’s right to access pursuant to the present clause should adversely affect the rights or freedoms of others, including their trade secrets or intellectual property, the Company shall be entitled to refuse the Data Subject's request to the necessary and proportionate extent. 
In case the Data subject should request the above information in multiple copies, the Company shall be entitled to charge a fee that is proportionate and reasonable to the administrative costs of providing multiple copies.
If the Company does not process the personal data indicated by the Data subject, it shall also inform the Data subject of this in writing.

4.2.2 Right to rectification
The Data subject shall have the right to request the rectification of personal data concerning them. If the personal data concerning the Data subject is incomplete, the Data subject shall have the right to have incomplete personal data completed. 
For exercising their right to rectification/completion, the Data subject shall indicate which data are inaccurate or incomplete and shall also inform the Company of the accurate, complete data. The Company shall have the right, in justified cases, to call on the Data subject to certify the rectified data to the Company in an adequate manner - primarily with an official document (deed). 
The Company shall execute the rectification and completion of the data without undue delay. 
The Company — following the execution of the Data subject’s request to assert their right to rectification — shall inform each recipient to whom the Company disclosed the personal data of the Data subject, unless this proves impossible or involves disproportionate effort from the Company. The Company shall inform the Data subject about those recipients if the Data subject so requests.

4.2.3 Right to erasure (‘right to be forgotten’)
The Data subject shall have the right to request from the Company the erasure of personal data concerning them without undue delay, where one of the following grounds applies:
(i)the personal data indicated by the Data subject is no longer necessary in relation to the purposes for which the Company collected or otherwise processed it,
(ii)the Company processed personal data (including sensitive data) based on consent of the Data subject, the data subject withdraws consent in writing and there is no other legal ground for the processing;
(iii)the Data subject objects to the processing regarding data processing based on the Company’s legitimate interest and there are no compelling legitimate grounds for the processing for the Company, which would prevail over the Data subject’s interests, rights and freedoms, or which are related to the establishment, exercise or defence of legal claims,
(iv)the personal data have been unlawfully processed by the Company,
(v)the personal data processed by the Company have to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject,
(vi)the Data subject objects to the processing and there are no overriding legitimate grounds for the processing.
The Data Subject shall submit their request for erasure in writing and shall indicate which personal data they wish to have erased for which reason. 
In case the right to erasure is exercised, the Company shall act in consideration of the procedural rules set out in clause 4.3. 
If the Company accepts the Data subject’s request for erasure, then they shall erase the processed personal data from all records and inform the Data subject thereof in an adequate manner. 
In case the Company should be obliged to erase the personal data of the data subject, the Company should take all reasonable steps — including the use of technical measures — which are necessary to inform the controllers, who came to know the Data subject’s personal data pursuant to their disclosure. The Company shall inform the other data controllers of the fact that the Data subject requested erasure of any links to, or copies or replications of the Data subject’s personal data.
The Company — following the execution of the Data subject’s request to assert their right to erasure — shall inform each recipient to whom the Company disclosed the personal data of the Data subject, unless this proves impossible or involves disproportionate effort from the Company. The Company shall inform the Data subject about those recipients if the Data subject so requests.
The Company shall not be obliged to erase personal data in case the data processing is necessary: 
(i)for exercising the right of freedom of expression and information;
(ii)for fulfilling an obligation imposed on the Company by Hungarian or European Union law regarding the processing of personal data,
(iii)for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company,
(iv)for executing a public interest in the area of public health,
(v)for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the exercise of the Data subject’s right to be forgotten is likely to render impossible or seriously impair the processing,
(vi)for the establishment, exercise or defence of legal claims.

4.2.4 Right to restriction of processing 
The Data Subject shall have the right to request that the Company restrict the use or processing of personal data relating to the Data subject, where one of the following grounds applies:
(i)the accuracy of the personal data is contested by the Data subject, (in this case the restriction is for a period enabling the Company to verify the accuracy of the data),
(ii)the processing by the Company was unlawful, but the Data subject requests the restriction of their use instead of erasure,
(iii)the purposes of the processing have ceased to exist for the Company, but they are required by the Data subject for the establishment, exercise or defence of legal claims,
(iv)the Data subject objects to the processing regarding data processing based on the Company’s legitimate interest and there are no compelling legitimate grounds for the processing for the Company, which would prevail over the Data subject’s interests, rights and freedoms, or which are related to the establishment, exercise or defence of legal claims; in this case the restriction shall exist until it is established whether the Company’s legitimate interests prevail over the Data subject’s legitimate interests.
Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the Data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. 
The Data subject shall be informed by the Company before the restriction of processing is lifted. 
The Company — following the execution of the Data subject’s request to assert their right to restriction — shall inform each recipient to whom the Company disclosed the personal data of the Data subject, unless this proves impossible or involves disproportionate effort from the Company. The Company shall inform the Data subject about those recipients if the Data subject so requests.

4.2.5 Right to object
Considering that the Company does not do any processing for reasons of public interest, does not have any official authority vested in it, does not do any scientific or historical research and does not process data for statistical purposes, the exercise of the right to object may arise in the Company’s case for processing based on legitimate interest.
If the processing of the Data subject’s data is based on legitimate interest, it is an important guarantee provision that in relation to the data processing adequate information and the assertion of the right to object shall be provided to the Data subject. At the latest at the time of the first communication with the Data subject, the present right shall be explicitly brought to the attention of the Data subject.
Based on this the Data subject is entitled to object to the processing of their personal data and in such case the Company may no longer process the Data subject’s personal data, unless it can be proven that 
(i) there are compelling legitimate grounds for the processing from the part of the Company, which would prevail over the Data subject’s interests, rights and freedoms,
(ii) the processing relates to the establishment, exercise or defence of legal claims of the Company.

4.2.5.1 Right to object in case of direct marketing
With regard to data processing for direct marketing purposes the GDPR also acknowledges that it is possible to presume the existence of a legitimate interest in such data processing. 
Thus, in the case of direct marketing activities conducted by the Company, the Data subject is also entitled to object to the processing of their personal data for this purpose, but unlike in case of other data processing based on legitimate interest, should the Data subject object, the Company will not be able to consider whether they can continue to process the data.
If the Data subject objects to the processing of data for direct marketing purposes, the Company may no longer process the Data subject’s data for this purpose.

4.2.5.2 Profiling
During profiling personal aspects of the Data subject are evaluated by some automated method. Such evaluations can be used, for example, for analysing or predicting the Data subject’s aspects concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The right to object extends to profiling based on legitimate interest, as a specific data processing operation. If profiling was done for the purpose of direct marketing, then pursuant to Data subject’s objection, the profiling based on their personal data shall promptly cease as well.

4.2.6 Right to data portability 
The Data subject shall have the right to receive the personal data concerning them, which is processed by the Company, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Company.
The right to data portability can be exercised with regard to personal data that the Data subject provided to the Company, and
(i) the data processing is based on consent of the Data subject or on a contract, and
(ii) the processing is carried out by automated means.
Where technically feasible, the Company shall transmit the personal data, upon the request of the Data subject, directly to another data controller, designated in the Data subject’s request. The right to data portability under this clause does not create an obligation for data controllers to implement or maintain technically compatible data processing systems. 
In the scope of data portability the Company shall be obliged to provide the Data subject the medium free of charge.  
If the Company’s right to data portability should adversely affect the rights or freedoms of others, including their trade secrets or intellectual property, the Company shall be entitled to refuse the Data Subject's request to the necessary extent.
Measures taken in the field of data portability do not mean the erasure of data. The Company shall keep records of those as long as it has adequate purpose and legal basis for the processing of the data.

4.2.7 Right to decide on automated decision-making in individual cases, including on profiling
The GDPR does not define the notion of automated decision-making, but essentially it includes any process in which input data is evaluated exclusively by means of computational tools, without human intervention, by a predetermined set of criteria / algorithms, and as a result a decision is made that has significant consequences for the data subject. As an example, the GDPR cites rejection of online loan applications through automatic decision-making or online human resource selection without human intervention.
By contrast, the GDPR specifically defines the notion of profiling; as we can see from the previous clause, the point is that during profiling personal aspects of the Data subjects are evaluated by some automated method. If the Company is using automated decision-making regarding the personal data of the Data subject, including profiling, then this shall be stated in the privacy notice. In this case the privacy notice shall contain information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data subject.
The Data subject shall have the right to request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. 
The Data subject shall not have the right to request exemption from the decision based on automated data processing if that is necessary for entering into, or performance of, a contract, the decision-making is authorised by Union or Member State law or the decision is based on the Data subject's explicit consent. 
If the automated data processing is necessary for entering into, or performance of, a contract, or is based on the consent of the Data subject, the Data subject shall have the right to request human intervention on the part of the Company, to express their point of view and to contest the decision. 
The Company will use its best efforts during data processing to avoid the inclusion of special categories of personal data in automated decision making. Should that prove to be impossible though, then automated decision-making for special categories of personal data may only be done, if the data processing is based on the Data subject’s consent or processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law and appropriate measures have been taken to protect the rights of data subjects.

4.2.8 Right to a legal remedy
The Data subject may make a submission to the court with jurisdiction, as determined in the applicable law.

4.2.8.1 Right to lodge a complaint
If the Data subject considers that the processing of their personal data by the Company breaches applicable data protection legislation in effect, in particular the provisions of the GDPR, they shall have the right to lodge a complaint to the Hungarian National Authority for Data Protection and Freedom of Information.

Contact information of the Hungarian National Authority for Data Protection and Freedom of Information, “Nemzeti Adatvédelmi és Információszabadság Hatóság”: 
Website: http://naih.hu/
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: H-1530 Budapest, Pf.: 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

The Data subject shall have the right to also lodge a complaint with another supervisory authority established in a Member State of the European Union, in particular according to their habitual residence, place of work or place of the alleged infringement.

4.2.8.2 Judicial review of the decision of the supervisory authority and other legal remedies
The Data subject and the Company shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority.
Furthermore the Data subject shall have the right to an effective judicial remedy, where the supervisory authority, which is competent pursuant to Articles 55 and 56 of the GDPR, does not handle the complaint or does not inform the Data subject within three months on the progress or outcome of the complaint lodged.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4.2.8.3 Right to go to court (right to bring legal action)
Regardless of their right to lodge a complaint, the Data subject may go to court if their rights under the GDPR have been violated during the processing of their personal data. 
A legal action against the Company may be brought in Hungarian courts, as the Company is a data controller with a place of business in Hungary.
The Data subject may also bring a claim, under Art. 22(1) of Act CXII of 2011 on the Right of Informational Self-determination and Freedom of Information in force, to the courts in their domicile. The contact details of the Hungarian courts can be found on the following link: http://birosag.hu/torvenyszekek.
Considering that the Company does not qualify as a public authority exercising official authority of a Member State, the Data subject may also bring an action before the competent court that has jurisdiction in the Member State of habitual residence, if the Data Subject has their habitual residence in another Member State of the European Union.

4.2.8.4 Other options for bringing claims
The data subject shall have the right to mandate a not-for-profit body, organisation or association — which has been properly constituted in accordance with the laws of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data — to lodge the complaint on their behalf, to exercise their right of a judicial review of a supervisory authority’s decision, to bring a claim, and to exercise the right to receive compensation, on their behalf.

4.2.8.5 Right to receive compensation
The Company shall be required to compensate any material or non-material damage suffered by another person as a result of a breach of the following laws:
(i) GDPR,
(ii) delegated acts and implementing acts adopted in accordance with the GDPR,
(iii) Member State law specifying the rules of the GDPR.
The Company shall be exempt from liability, if it proves that it is not responsible in any way for the event giving rise to the damage.
The injured party may submit their claim for damages to a competent court with jurisdiction in the Member State specified in clause 4.2.8.3.

4.2.8.6 Administrative fines
Imposition of an administrative fine and determination of the amount thereof, pursuant to Article 83 of the GDPR, depending on the circumstances of each individual case, such as for example the gravity of the infringement.

4.2.8.7 Criminal and/or administrative penalties
Under the authority of the GDPR.

4.3 Procedural rules

During the execution of its duty of disclosure above and of its measures, the Company shall proceed as defined therein.  In addition to the specific rules set out above, the Company shall comply with the following provisions.

4.3.1 Evaluation of the request
The following procedural rules shall apply regarding the measures requested in relation to the data subject rights set out in clauses 4.2.1 - 4.2.7.
The Data subject can submit their request to the representative of the data controller.
The request may be submitted in writing via email or on paper. The request may also be submitted on the form called “Request”, in Annex 2 of the present policy. If the Company does not submit the claim on the form, then the request shall be evaluated based on its content.  Where the Data subject makes the request by electronic means, and unless otherwise requested by the Data subject, the information shall be provided, if possible, by electronic means.
The Data subject shall indicate in their request, regarding which personal data they request action from the Company.
The Company shall evaluate the request within one (1) month of receipt thereof. That period may be extended by the Company by two (2) further months where necessary, taking into account the complexity and number of the requests.  The Company shall inform the Data subject of any such extension within one (1) month of receipt of the request, together with the reasons for the delay.
If the request of the Data Subject is substantiated, the Company shall execute the requested action within the time limit of the proceedings and shall provide the Data Subject written information on the execution.
If the Company does not take any action pursuant to the request of the Data subject, the Company shall inform the Data subject without delay, but at the latest within one (1) month of receipt of the request of the reasons for not taking any action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

4.3.2 Fees for information provided and action taken 
The Company shall provide information defined in clauses 4.1, 4.2.1 - 4.2.7 and 6.2, information on data subject rights and the requested action free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Company, in consideration of the administrative costs of providing the information requested or of taking the action requested:
(i) may charge a reasonable fee, or
(ii) may refuse to act on the request.

4.3.3 Examination of the identity of the applicant
Where the Company has reasonable doubts concerning the identity of the person making the request referred to in clauses 4.2.1 - 4.2.6 of this policy, the Company may request the provision of additional information necessary to confirm the identity of the Data subject.

5. Transmission of data

The Company may transfer personal data of the Data subject for a specific purpose — in particular to perform a contract with a third party or to fulfil a legal obligation or to fulfil an employment obligation arising from an employment relationship.
Except in the case of statutory data transfers, the Company shall only transfer the Data subject's personal data to recipients who are domiciled in the European Union or who provide appropriate safeguards that their data processing complies with the requirements of the GDPR. 
If the Company transfers personal data to a third country, i.e. a country outside the European Union, or to an international organization (or makes it available to a data controller or international organization in a third country), the Company shall ensure that the recipient or international organization in a third country, shall grant the same level of protection to the personal data of the Data subject as the Company provides, in accordance with Chapter V. of the GDPR. 
If data is transferred to a third country or international organization that cannot provide an appropriate level of protection of personal data under Chapter V. of the GDPR (e.g. certain Asian or African countries), the transfer may only take place without the consent of the Data subject, if the transfer complies with Article 49 of the GDPR; in the absence thereof, the express consent of the Data subject is required for the transmission of personal data. 

6. Personal data breach

The Company shall proceed according to the following rules in case of a data breach.

6.1 Notification to the supervisory authority

In the case of a data breach regarding the personal data it processes, the Company shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, with the following minimum information:
(i) description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,
(ii) name and contact information of the Data Controller’s representative,
(iii) description of the likely consequences of the personal data breach,
(iv) description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The data breach shall not be reported, if the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.  The likelihood and severity of the risk should be determined by reference to the nature, scope, context and purposes of the processing. It could qualify as a risk for example if the data subjects may, pursuant to the breach, be subject to discrimination, identity theft or fraud, financial loss, damage to reputation, or any other significant economic or social disadvantage. 

6.2 Communication to the Data subject

If a Data subject, in particular a Company employee, becomes aware of a data breach, then they must promptly notify the representative of the Company. The notification fee shall be calculated in accordance with clause 4.3.2.
When the personal data breach is likely to result in a high risk to the rights and freedoms of any Data subject(s), and the Company becomes aware of such breach, then it shall communicate the personal data breach to the Data subject(s) without undue delay. The communication shall describe in clear and plain language the following:
(i) the nature of the personal data breach,
(ii) name and contact information of the Data Controller’s representative,
(iii) the likely consequences of the personal data breach,
(iv) the measures taken or proposed to be taken by the Company to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Communication to the Data subject is not necessary, if any of the following conditions are met:
(i) the Company has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption,
(ii) the Company has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise,
(iii) it would involve disproportionate effort. In such a case, there shall instead be a public communication, in a local, conventional manner or similar measure, whereby the Data subjects are informed in an equally effective manner.
If the Company has not already communicated the personal data breach to the Data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to above are met, and that in such case the communication to the Data subject is not necessary.

7. Data processing registers

7.1 Recording of processing activities

The Company and the Company’s representative shall maintain a record in writing, including digital documents as well, of processing activities under its responsibility in compliance with Article 30 of the GDPR. That record shall contain all of the following information:
(i) the name and contact details of the Company, the name and contact details of the Controller's representative,
(ii) the purposes of the data processing,
(iii) a description of the categories of Data subjects and of the categories of personal data,
(iv) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations,
(v) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards,
(vi) where possible, the envisaged time limits for erasure of the different categories of data,
(vii) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.
The Company and the Company’s representative shall make the record available to the supervisory authority on request:
- if the data processing done by the Data controller is likely to result in a risk to the rights and freedoms of Data subjects,
- if the data processing is not occasional, or
- if the processing includes special categories of data or personal data relating to criminal convictions and offences.

7.2 Recording of personal data breaches

The Company shall document the personal data breaches with the information hereunder:
(i) facts relating to the personal data breach,
(ii) its effects and
(iii) the remedial action taken.
The supervisory authority shall be able to view such documentation and verify compliance with Article 33 of the GDPR.

8. Data protection officer

The Company does not appoint or employ a data protection officer.

9. Data protection impact assessment

Where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the Company should be responsible for carrying out a data protection impact assessment. The impact assessment shall contain at least the following information:
(i) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller,
(ii) an assessment of the necessity and proportionality of the processing operations in relation to the purposes,
(iii) an assessment of the risks to the rights and freedoms of the Data subject,
(iv) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
The assessment shall contain:
(v) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person,
(va) processing on a large scale of special categories of data referred, or of personal data relating to criminal convictions and offences,
(vb) a systematic monitoring of a publicly accessible area on a large scale.
The supervisory authority may determine further data processing operations that are subject to execution of a data processing impact assessment.
No impact assessment shall be done, if the conditions hereunder exist:
(i) where processing pursuant to point (c) or (e) of Article 6(1) of the GDPR has a legal basis in Union law or in the law of the Member State to which the controller is subject, and
(ii) that law regulates the specific processing operation or set of operations in question,
(iii) and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis.
If the above conditions are met and an impact assessment ought not to be done, it shall still be necessary to do an impact assessment, if the Member States deem it to be necessary to carry out such an assessment prior to processing activities.
The Company shall consult the supervisory authority prior to processing pursuant to Article 36 of the GDPR where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk.

10. Training

The Company shall take care of the data protection awareness-raising and training of persons who participate in data processing operations at the Company.
Employees involved in data processing are trained on a regular basis, with the frequency of legislative changes.

11. Joint data processing, data management

The Company does not carry out joint data processing, and does not use an external data processor.

12. Security of data processing

Short description of IT

13. Miscellaneous

For the purposes of this Policy, “European Union law” or “European Union” shall be construed to mean the law applicable in the EEA Member States and the EEA Member States.

14. Scope, validity and review procedure

The Data processing policy enters into force on May 25, 2018 and will remain in effect until revoked. With the Data processing policy entering into force, all previous internal policies and employer instructions which were used by the Company to process the personal data falling within the scope of the Data processing policy shall be superseded.
The Data processing policy shall be reviewed at least once a year commencing on the date of entry into force of this Data processing policy, provided that the review shall be extended to the contents of all of its Annexes as well. If necessary, the representative of the Company, as the officer responsible for the review, shall take care of the adequate amendment of the Data processing policy in accordance with changes in legislation and in internal organizational changes, shall take care of the entering into force and publication of the amended Data processing policy, as well as that the persons within the personal scope of the Data processing policy take note of the contents of the amendments.
Knowledge of, and compliance with, the rules governing the Data processing policy are binding on all representatives, officers, and agents of the Company and they are required to perform their duties in full compliance with the provisions of the Data processing policy.
In case of legislative changes, and in case of the amendment of this policy for any other reason, the Notice shall be amended based on the legislative change or other reason and the Data subjects shall be made aware of the text of the amendment.

The Data processing policy includes the following Annexes:
1. Annex 1A
Annex 1B

15 May 2018, Tiszakécske

Tiszaparti Termálfürdő Kft.
H-6060 Tiszakécske, Szabolcska u. 43.
 
__________________________
Éva Anikó Szabó, General manager
 
TISZAPARTI TERMÁLFÜRDŐ KFT.
H-6060 Tiszakécske, Szabolcska M. u. 43.


Privacy notice

This Privacy notice (“Notice”) informs the data subject regarding the processing of personal data provided in connection with the use of accommodation services, pursuant to Article 13 or 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).

1 The data controller and its contact information:

Name of the data controller company: Tiszaparti Termálfürdő Kft. (hereinafter: “Data controller”)  
Registered seat: H-6060 Tiszakécske, Szabolcska u. 43.
Postal address: H-6060 Tiszakécske, Szabolcska u. 43.
Email Address: info@barack.hu
Telephone number: 76/ 541-100
Website: www.barack.hu

The Data controller does not employ a data protection officer.

Data controller’s representative:
Éva Anikó Szabó, General manager
Email Address: info@barack.hu
Telephone number: 20/4108188

2 Processing of the data subject’s data 

2.1 Scope of data subjects
The Data controller processes personal data in connection with the use of accommodation services.

2.2 Categories of the processed personal data
During the use of accommodation services, the Data controller processes the following personal data of the Data subject:
Name, address, date of birth
The Data subject provides the processed personal data to the Data controller via a contract, registration form and internet site.
The Data controller collects the processed personal data from the following source(s): personal data coming from the Data subject through the use of the contract, registration form and internet site. 

2.3 The purpose, legal basis and duration of the data processing
Personal data may only be processed for a defined purpose, for exercise of a right or fulfilment of an obligation.  The data processing shall comply with this purpose in every stage.
Only personal data that is essential for the purpose of data processing and fit for the achievement of the purpose may be processed, and only to the extent and for the time necessary for the achievement of the purpose.
The data subject shall be informed — in a clear and plain language and in detail — of all facts relating to the processing of their data, in particular of the purpose and legal basis of the data processing, the person authorized for data processing and data management, the duration of data processing and about who can access the data. The information shall extend to the rights and legal remedies of the data subject in connection with data processing.
The processed personal data shall comply with the following requirements:
a) their recording and processing shall be fair and legal;
b) they shall be accurate, complete and if necessary, timely;
c) the method of their storage is such that the data subject can only be identified for the time necessary for the purpose of storage.
The use of a generic and uniform identification number that can be used without restriction is forbidden.

2.3.1 The preparation of entering into, and the performance of, the contract for the provision of accommodation services: 
The processing of personal data is necessary for the preparation of entering into, and the performance of, a contract for the provision of accommodation services (hereinafter: “Contract”).
The detailed terms and conditions for the provision of services under the Contract are set forth in the General Terms and Conditions (hereinafter referred to as “GTC”) and the documents referred to therein.
In order to achieve the above purpose, the Data controller in particular: 
 - manages personal data related to booking required by the Contract, in order for the Data controller to verify the fulfilment of this contractual obligation; analyses personal data to determine the amount of payment; processes the contact details of the Data subject for the purpose of maintaining contact during the preparation and performance of the Contract; identifies the Data subject based on their personal data.
 - processes the personal data necessary for the performance of the Contract, monitors them in order to verify the performance of the obligations defined in the GTC.
The duration of the present data processing is equal to the duration of the preparation and, if the Contract is concluded, to the duration of the Contract.
Considering that without the provision of the above personal data the Data controller could not prepare entering into the contract, could not conclude and perform the Contract, the Data subject shall be obliged to provide the personal data to the Data controller. If no data is provided, the Data controller shall have the right to deny entering into a contract with the Data subject or deny the Contract’s performance.
In the event of a failure to enter into a contract, or in case of the termination of the Contract, the Data controller shall not delete the personal data, but shall retain it for the purpose and on the legal basis specified in clause 2.3.5.

2.3.2 Performance of a legal obligation 
The Data controller processes the Data subject’s personal data for the purpose of fulfilling the following legal obligations, for the following duration: by complying with legal obligations, e.g. Article 73 (2) of Act II of 2007 on the Admission and Right of Residence of Third-Country Nationals, which states: “The host shall keep a record (guest book) according to the prescribed form, of the data set out in paragraph (1) of the third-country national staying at a commercial accommodation or other accommodation maintained by a legal person.” A further such legal obligation is, e.g., Article 169 (2) of Act C of 2000 on Accounting, according to which “[the] accounting document (including the general ledger accounts, analytical and detailed records as well) supporting directly or indirectly the accounting records, must be preserved in a legible form for at least 8 years, in a way that they be retrievable based on the references in the accounting records.”
However, data processing based on the fulfilment of a legal obligation must not go beyond the limits of what is legally required. 
For example, in the case of data processing based on a legal obligation, the Data controller may not collect data for a purpose that is different from that set out in the law, may not store the personal data longer than what is prescribed by the law, and may not transfer them to persons or organizations which are different from the ones prescribed by law. If, for any reason, the data processing should still go beyond the statutory obligation, e.g. the Data controller collects other data beyond the scope of the law, or stores it for a longer period of time than prescribed by law, the data processing beyond this statutory scope is only lawful if there is a proper legal basis for it (e.g. legitimate interest).

2.3.3 Data subject’s consent
The processing of personal data is done on the basis of the Data subject’s consent (freely given, specific, informed and unambiguous indication of the data subject's wishes). The Data subject may consent
(i) in the contract for the provision of accommodation services, separately from other declarations,
(ii) in a separate declaration attached to the Notice,
(iii) in another way, e.g. via a certain online platform.
The consent is given freely and the Data subject shall be entitled to revoke their consent at any time, without limitation, with a notice addressed to the Data controller. The Data subject may send their notice to any address indicated in clause 1 of the Notice. 
The withdrawal of their consent shall have no consequences for the Data subject. The withdrawal of consent, however, shall not affect the lawfulness of processing — based on consent — before its withdrawal.
Where the Data controller processes the personal information of a child under the age of 16 in connection with information society services provided directly to children under the age of 16, as a general rule, such data processing shall be lawful only in the event and to such extent, if the consent was given or authorized by the person having parental care over them. 
During the compliance of legislation with the GDPR, the legislator shall have the right to set an age limit lower than 16, and to limit the processing of a special category of personal data based on the Data subject’s consent.

2.3.4 Bringing, enforcing and protecting legal claims arising from the Contract
The Data controller shall retain the personal data of the Data subject, which has not been deleted following the failure to conclude the contract or the termination of the Contract, for the five years following the failure to conclude the contract or the termination of the Contract, in accordance with the general statutes of limitation of Act V of 2013 on the Civil Code. 
The purpose of the data processing under this clause is to enable the Data controller to enforce any rights and claims arising from the Contract, or to defend itself in the event that such legal claims should be brought against it. 
The Data controller does not do any automated decision-making, including profiling.

3 Recipients of personal data

The Data controller transfers the Data subject’s personal data as stipulated in legislation.
The Data controller processes the Data subject’s personal data for the purpose of complying with the following legal obligations, in the following manner: e.g. Article 73 (2) of Act II of 2007 on the Admission and Right of Residence of Third-Country Nationals, which states: “The host shall keep and transfer a record (guest book) according to the prescribed form, of the data set out in paragraph (1) of the third-country national staying at a commercial accommodation or other accommodation maintained by a legal person.”
The Data controller does not do any joint data processing.

4 Rights of the data subject

4.1 Right of access
The Data subject shall have the right to obtain from the Data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information: 
(i) the purposes of the processing regarding the given personal data,
(ii) the categories of personal data concerned,
(iii) the categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations (in the case of transfers to recipients in third countries and international organizations, the Data Subject shall have the right to request information on whether the transfer is subject to appropriate safeguards),
(iv) the envisaged period for which the personal data concerned will be stored, or, if not possible, the criteria used to determine that period,
(v) the Data subject's rights (right to rectification, erasure or restriction, right to data portability and right to object against the processing of such personal data),
(vi) the right to lodge a complaint with a supervisory authority,
(vii) if the Data controller did not obtain the data from the Data subject, all available information concerning the source,
(viii) the existence of automated decision-making, including profiling, regarding the personal data concerned; if such data processing is occurring, the information shall include meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where the Data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 
The Data controller may request from the Data subject that, before the information is delivered, the Data subject specify the information or processing activities to which the request relates.
If the Data subject’s right to access pursuant to the present clause should adversely affect the rights or freedoms of others, including their trade secrets or intellectual property, the Data controller shall be entitled to refuse the Data Subject's request to the necessary and proportionate extent. 
In case the Data subject should request the above information in multiple copies, the Data controller shall be entitled to charge a fee that is proportionate and reasonable to the administrative costs of providing multiple copies.
If the Data controller does not process the personal data indicated by the Data subject, it shall also inform the Data subject of that fact in writing.

4.2 Right to rectification 
The Data subject shall have the right to request the rectification of personal data concerning them. If the personal data concerning the Data subject is incomplete, the Data subject shall have the right to have incomplete personal data completed. 
For exercising their right to rectification/completion, the Data subject shall indicate which data are inaccurate or incomplete and shall also inform the Data controller of the accurate, complete data. The Data controller shall have the right, in justified cases, to call on the Data subject to certify the rectified data to the Data controller in an adequate manner - primarily with an official document (deed). 
The Data subject shall execute the rectification and completion of the data without undue delay. 
The Data controller — following the execution of the Data subject’s request to assert their right to rectification — shall inform each recipient to whom the Data controller disclosed the personal data of the Data subject, unless this proves impossible or involves disproportionate effort from the Data controller. The Data controller shall inform the Data subject about those recipients if the Data subject requests it.

4.3 Right to erasure (‘right to be forgotten’)
The Data subject shall have the right to request from the Data controller the erasure of personal data concerning them without undue delay, where one of the following grounds applies:
(i) the personal data indicated by the Data subject is no longer necessary in relation to the purposes for which the Data controller collected or otherwise processed it,
(ii) the Data controller processed personal data (including sensitive data) based on consent of the Data subject, the data subject withdraws consent in writing and there is no other legal ground for the processing,
(iii) the Data subject objects to the processing regarding data processing based on the Data controller’s legitimate interest and there are no compelling legitimate grounds for the processing for the Data controller, which would prevail over the Data subject’s interests, rights and freedoms, or which are related to the establishment, exercise or defence of legal claims,
(iv) the personal data have been unlawfully processed by the Data controller,
(v) the personal data processed by the Data controller have to be erased for compliance with a legal obligation in Union or Member State law to which the Data controller is subject,
(vi) the Data subject objects to the processing and there are no overriding legitimate grounds for the processing.
The Data Subject shall submit their request for erasure in writing and shall indicate which personal data they wish to have erased for which reason. 
If the Data controller accepts the Data subject’s request for erasure, then it shall erase the processed personal data from all records and inform the Data subject thereof in an adequate manner.
In case the Data controller should be obliged to erase the personal data of the Data subject, the Data controller should take all reasonable steps — including the use of technical measures — which are necessary to inform the controllers who came to know the Data subject’s personal data pursuant to their disclosure. The Data controller shall inform the other data controllers of the fact that the Data subject requested erasure of any links to, or copies or replications of the Data subject’s personal data.
The Data controller — following the execution of the Data subject’s request to assert their right to erasure — shall inform each recipient to whom the Data controller disclosed the personal data of the Data subject, unless this proves impossible or involves disproportionate effort from the Data controller. The Data controller shall inform the Data subject about those recipients if the Data subject requests it.
The Data controller shall not be obliged to erase personal data in case the data processing is necessary: 
(i) for exercising the right of freedom of expression and information,
(ii) for fulfilling an obligation imposed on the Data controller by Hungarian or European Union law regarding the processing of personal data,
(iii) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data controller,
(iv) for executing a public interest in the area of public health,
(v) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the exercise of the Data subject’s right to be forgotten is likely to render impossible or seriously impair the processing,
(vi) for the establishment, exercise or defence of legal claims.

4.4 Right to restriction of processing
The Data Subject shall have the right to request that the Data controller restrict the use or processing of personal data relating to the Data subject, where one of the following grounds applies:
(i) the accuracy of the personal data is contested by the Data subject (in this case the restriction is for a period enabling the Data controller to verify the accuracy of the data),
(ii) the processing by the Data controller was unlawful, but the Data subject requests the restriction of their use instead of erasure,
(iii) the purposes of the processing have ceased to exist for the Data controller, but they are required by the Data subject for the establishment, exercise or defence of legal claims,
(iv) the Data subject objects to the processing regarding data processing based on the Data controller’s legitimate interest and there are no compelling legitimate grounds for the processing for the Data controller, which would prevail over the Data subject’s interests, rights and freedoms, or which are related to the establishment, exercise or defence of legal claims; in this case the restriction shall exist until it is established whether the Data controller’s legitimate interests prevail over the Data subject’s legitimate interests.
Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the Data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. 
The Data subject shall be informed by the Data controller before the restriction of processing is lifted. 
The Data controller — following the execution of the Data subject’s request to assert their right to restriction — shall inform each recipient to whom the Data controller disclosed the personal data of the Data subject, unless this proves impossible or involves disproportionate effort from the Data controller. The Data controller shall inform the Data subject about those recipients if the Data subject requests it.

4.5 Right to object
Considering that the Data controller does not do any processing for reasons of public interest, does not have any official authority vested in it, does not do any scientific or historical research and does not process data for statistical purposes, the exercise of the right to object may arise in the Company’s case for processing based on legitimate interest.
If the processing of the Data subject’s data is based on legitimate interest, it is an important guarantee provision that adequate information about the data processing and the possibility to assert the right to object shall be provided to the Data subject. At the latest at the time of the first communication with the Data subject, the present right shall be explicitly brought to the attention of the Data subject.
Based on this the Data subject is entitled to object to the processing of their personal data and in such case the Data controller may no longer process the Data subject’s personal data, unless it can be proven that 
(i) there are compelling legitimate grounds for the processing on the part of the Data controller, which would prevail over the Data subject’s interests, rights and freedoms,
(ii) the processing relates to the establishment, exercise or defence of legal claims of the Data controller.

4.5.1 Right to object in case of direct marketing
In the case of direct marketing activities conducted by the Data controller, the Data subject is entitled to object to the processing of their personal data for this purpose, but unlike in case of other data processing based on legitimate interest, should the Data subject object, the Data controller will not be able to consider whether they can continue to process the data.
If the Data subject objects to the processing of data for direct marketing purposes, the Data controller may no longer process the Data subject’s data for this purpose.

4.5.2 Profiling
During profiling, personal aspects of the Data subject are evaluated by some automated method. Such evaluations can be used, for example, for analysing or predicting the Data subject’s aspects concerning their performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
The right to object extends to profiling based on legitimate interest, as a specific data processing operation. If profiling was done for the purpose of direct marketing, then pursuant to the Data subject’s objection, the profiling based on their personal data shall promptly cease as well.

Place of data processing at the company:

Tiszaparti Termálfürdő Kft. H-6060 Tiszakécske, Szabolcska M. u. 43.

Name and address of our external providers:
Google Adwords
Dublin, Barrow street 4.

Hostware Kft.
H-1149 Budapest, Róna u. 120.

NetHotel Booking Kft.
H-8200 Veszprém, Baksa tér 1/a.

Newsletter system:
The user has the opportunity to subscribe to our newsletter service by giving their name and email address on the barack.hu website. By doing so, the user consents to the sending of newsletters and other offers and information via email, and to the processing of the personal data provided by the user.

Regulars’ card system:
Tiszaparti Termálfürdő Kft. processes the personal data of those who are part of the regulars’ card system for the operation of the Regulars’ card system. 

Booking system:
There’s the possibility of sending a booking request to the hotel with the form available on barack.hu.

Use of hotel services:
When using the hotel services, the guest fills out a registration form. By signing the registration form, the guest consents to the service provider processing the compulsory information provided, for the purpose of fulfilling its obligations under applicable law.

Contact form system:
There’s a possibility to contact the service provider by submitting a name, email address and a message, using the form on the website or by email.

4.6 Right to data portability
The Data subject shall have the right to receive the personal data concerning them, which is processed by the Data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data controller.
The right to data portability can be exercised with regard to personal data which the Data subject provided to the Data controller, and
(i) the data processing is based on consent of the Data subject or on a contract, and
(ii) the processing is carried out by automated means.
Where technically feasible, the Data controller shall transmit the personal data, upon the request of the Data subject, directly to another data controller, designated in the Data subject’s request. The right to data portability under this clause does not create an obligation for data controllers to implement or maintain technically compatible data processing systems. 
In the scope of data portability the Data controller shall be obliged to provide the Data subject the medium free of charge.  
If the Data controller’s right to data portability should adversely affect the rights or freedoms of others, including their trade secrets or intellectual property, the Data controller shall be entitled to refuse the Data subject's request to the necessary extent.
Measures taken in the field of data portability do not mean the erasure of data. The Data controller shall keep records of those as long as it has adequate purpose and legal basis for the processing of the data.

4.7 Right to decide on automated decision-making in individual cases, including on profiling
The Data subject shall have the right to request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. 
The Data subject shall not have the right to request exemption from the decision based on automated data processing if that is necessary for entering into, or performance of, a contract, the decision-making is authorised by Union or Member State law or the decision is based on the Data subject's explicit consent.
If the automated data processing is necessary for entering into, or performance of, a contract, or is based on the consent of the Data subject, the Data subject shall have the right to request human intervention on the part of the Data controller, to express their point of view and to contest the decision. 
The Data controller will use its best efforts during data processing to avoid the inclusion of special categories of personal data in automated decision making. Should that prove to be impossible though, then automated decision-making for special categories of personal data may only be done, if the data processing is based on the Data subject’s consent or processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law and appropriate measures have been taken to protect the rights of data subjects.

4.8 Right to a legal remedy

4.8.1 It is possible to submit a legal remedy or lodge a complaint with the office of the Data Protection Supervisor:

Name: Office of the Data Protection Supervisor
Registered seat: H-1051 Budapest, Nádor u. 22.
Postal address: H-1387 Budapest, Pf.: 40.
Telephone: 06.1.475.7186, 475.7100
Telefax: 06.1.269.3541
E-mail: adatved@obh.hu

4.8.2 Right to lodge a complaint
If the Data subject considers that the processing of their personal data by the Data controller breaches applicable data protection legislation in effect, in particular the provisions of the GDPR, they shall have the right to lodge a complaint to the Hungarian National Authority for Data Protection and Freedom of Information.
Contact information of the Hungarian National Authority for Data Protection and Freedom of Information, “Nemzeti Adatvédelmi és Információszabadság Hatóság”:
Website: http://naih.hu/
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: H-1530 Budapest, Pf.: 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
The Data subject shall have the right to also lodge a complaint with another supervisory authority established in a Member State of the European Union, in particular according to their habitual residence, place of work or place of the alleged infringement.

4.8.3 Right to go to court (right to bring legal action)
Regardless of their right to lodge a complaint, the Data subject may go to court if their rights under the GDPR have been violated during the processing of their personal data.
A legal action against the Data controller may be brought in Hungarian courts, as it is a data controller with a place of business in Hungary.
The Data subject may also bring a claim, under Art. 22(1) of Act CXII of 2011 on the Right of Informational Self-determination and Freedom of Information in force, to the courts in their domicile. The contact details of the Hungarian courts can be found on the following link: http://birosag.hu/torvenyszekek.
Considering that the Data controller does not qualify as a public authority exercising official authority of a Member State, the Data subject may also bring an action before the competent court that has jurisdiction in the Member State of habitual residence, if the Data subject has their habitual residence in another Member State of the European Union.

4.8.4 Other options for bringing claims
The data subject shall have the right to mandate a not-for-profit body, organisation or association — which has been properly constituted in accordance with the laws of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data — to lodge the complaint on their behalf, to exercise their right of a judicial review of a supervisory authority’s decision, to bring a claim, and to exercise the right to receive compensation, on their behalf.

5 Miscellaneous

Where the Data controller has reasonable doubts concerning the identity of the person making the request referred to in clauses 3.1 - 3.6 of this Notice, the Company may request the provision of additional information necessary to confirm the identity of the Data subject.
The Data controller reserves the right to modify the Notice at any time. The Data controller shall notify the Data subject of the amendment via a publication on the website, by mail, etc. at least 30 days prior to the entry into force of the amendment.
 
* * *
22 May 2018, Tiszakécske
 
____________________________
Tiszaparti Termálfürdő Kft.
Represented by: Éva Anikó Szabó