Privacy notice

GTC available on this page

Vénu Ltd.
Privacy notice

www.vendeghaz.krisnavolgy.hu
Date of acceptance: 2023.11.23.

---

Vénu Ltd., as the data controller, hereby informs you, as the data subject, about the processing activities concerning personal data carried out in connection with the services (booking of accommodation and package offers) available on the website www.vendeghaz.krisnavolgy.hu operated by the data controller.

This Privacy Policy also governs the processing of data on the www.vendeghaz.krisnavolgy.hu website.

1. Data Controller

VÉNU Trade and Service Company Limited Liability Company
Registered office: 8699 Somogyvámos, Bhaktivedanta Swami promenade 6.
Address for correspondence: 8699 Somogyvámos, Bhaktivedanta Swami promenade 6.
Registering authority: Cégbírósága Cégbírósága Kaposvári Törvényszék
Company registration number: 14-09-304851
Tax number: 12778564-2-14
Representative: Krisztina Etelka Papp
Email: [email protected]
Website: www.vendeghaz.krisnavolgy.hu

2. Hosting provider

Name: Lál Ltd.
Postal address: 8699 Somogyvámos, Fő utca 38.
E-mail address: [email protected]
Phone number: 06 30 505 1266

3. Concepts

Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Data Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the controller’s designation may also be determined by Union or Member State law

Data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller

Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Recipient: the natural or legal person, public authority, agency or any other body, whether or not a third party, with whom or to which the personal data are disclosed. Public authorities that may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of such data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing

Consent of the data subject: a voluntary, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies his or her agreement to the processing of personal data concerning him or her by means of a statement or an unambiguous act of affirmation.

4. Description of the data processing activities carried out in the operation of the accommodation and the related website

This document contains all relevant information on data processing in relation to the operation of the website and the booking of accommodation through it, the services of the Data Controller in accordance with the General Data Protection Regulation of the European Union 2016/679 (hereinafter: Regulation, GDPR) and the 2011. CXII. tv. (hereinafter: Infotv.).

4.1. Data processed for the purposes of contracting and performance

There may be more than one processing operation for the purposes of contracting and performance.

4.1.1. Data processing related to contacting

If you contact us by email or telephone with a question about a service. Contacting us in advance is not compulsory, you can book the service at any time without contacting us.

• Data processed: the data you provide when you contact us.
• Duration of processing: your data will be processed only until the contact is completed.
• Legal basis for processing: your voluntary consent, which you provide to the Data Controller by contacting us. [Processing under Article 6(1)(a) of the Regulation]

4.1.2. Data processing in connection with the reservation of accommodation

The processing and the provision of data are essential for the performance of the contract, i.e. the reservation, without the data the contract cannot be concluded and the Data Controller cannot perform the accommodation service. Reservation of accommodation by electronic mail (e-mail), by telephone, through the Data Controller’s own website shall also be considered as conclusion of a contract.

• The data processed: the Data Controller processes as personal data the surname, first name, e-mail address, address, telephone number of the person making the reservation, any other personal data entered in the “Comments” field, the number of accommodation units, the type of accommodation, the number of adults, the number of children, the additional service chosen and the date of the reservation.
• Duration of processing: data are processed for 5 years according to the statute of limitations in civil law. If the reservation is cancelled and the service is not provided, we will keep it until the reservation is cancelled, but no later than 30 (thirty) days after the cancellation.
• Legal basis for processing: performance of the contract. [Processing under Article 6(1)(b) of the Regulation]

4.1.3 Data processing related to the notification form

The Data Controller records the personal data of the Guest using the accommodation service through the accommodation management software at check-in. Upon check-in, the Guest is obliged to present his/her identity card or travel documents to the competent employee of the Data Controller (reception) for the purpose of recording the data. The Data Controller shall refuse to provide accommodation services in the absence of the presentation of identification or travel documents.

When you check in at the accommodation, the Data Controller records the data in the VIZA computer system in accordance with the legal requirements. Accommodation providers are required to provide data on the registration of accommodation users in accordance with the 2016. CLVI. Act (hereinafter: Turtv.)7 and the Turtv. 235/2019 on the implementation of the (X. 15.) Korm. Regulation (hereinafter referred to as the “Vhr.”). The Turtv. 9/H. § (1) paragraph (1) point b) of the the accommodation provider – in order to protect the rights, safety and property of the data subject and others, and to verify compliance with the provisions on the stay of third-country nationals and persons enjoying the right of free movement and residence – records, at the time of check-in, through the accommodation management software, on the hosting provider designated by Government Decree, in the VIZA system, the identification data of the accommodation user’s identity document or travel document, among others.

Information required by law:

The personal data that must be provided and that the guest must provide as a condition of using the accommodation service.

• Data processed: name and surname, name and surname at birth, place and date of birth, sex of the person concerned, mother’s name and surname at birth, identification data of the identity document or passport document, scanned image of the identification document, nationality of the person concerned, exact address of the accommodation, starting and expected ending dates of the accommodation, visa or residence permit number, date and place of entry in the case of third-country nationals.
• Duration of data processing: the Data Controller keeps the data after the departure of the guest for the general limitation period of civil law, i.e. 5 years after the end of the year in question. The Data Controller shall store the personal data recorded in accordance with the provisions of the Tourism Act in the central storage space designated for this purpose until the end of the following year.
• Legal basis for processing: processing is necessary for compliance with a legal obligation to which the Data Controller is subject. [Article 6 (1) (c) of GDPR, § 9/H of Act CLVI of 2016 and § 7, § 14, § 14/C of Government Decree 235/2019 (15.X.)]

4.1.4 Gift card

The Data Controller allows the data subject to purchase gift vouchers, which can be used for the services of the Data Controller in the respective coin.

• Processed data: surname and first name of the donor and donee, email address, telephone number, billing name and address,
• Data processing period: the Accounting Act 2000. Pursuant to Article 169 (2) of Act C of 2006 C., the data must be kept for 8 years [data processing pursuant to Article 6 (1) (c) of the Regulation].
• Legal basis for processing: performance of the contract. [Processing under Article 6(1)(b) of the Regulation]

4.1.5. Issue of the invoice

The data processing is carried out in order to issue invoices in accordance with the law and to comply with the obligation to keep accounting records. Pursuant to Article 169 (1)-(2) of the State Act, companies must keep accounting documents that directly and indirectly support the accounting.

• Data processed: billing name, address, e-mail address, telephone number
• Duration of data processing: the invoices issued in accordance with the Sztv. 169. § (2), must be kept for 8 years from the date of issue of the invoice.
• Legal basis for data processing: the General Sales Tax Act 2007. CXXVII. Act 159. § (1) of the Act on Accounting 2000. Pursuant to Article 169 (2) of Act C of 2006 C., the data must be kept for 8 years [data processing pursuant to Article 6 (1) (c) of the Regulation].

4.1.6. Processing of banking data

In connection with the payment of the Service by bank transfer, the Data Controller processes the following data of the data subject:

• Data processed: account holder name, bank account number, amount transferred, communication.
• Purpose of processing: to check the payment of the amount due for the service.
• Duration of data processing: accounting tv. 169. § (1) 8 years
• Legal basis for processing: performance of the contract. [Processing under Article 6(1)(b) of the Regulation]

4.1.7. Data processed in relation to the justifiability of consent

During the ordering process, the IT system stores the IT data relating to the consent for later evidence.

• Data processed: date of consent and IP address of the data subject.
• Duration of data processing: due to legal requirements, consent must be verifiable at a later date, therefore the duration of data storage is stored for a period of limitation after the termination of data processing.
• Legal basis for processing: the Regulation Article 7(1) imposes this obligation. [Processing under Article 6(1)(c) of the Regulation]

4.1.8. Guest ratings, reviews

They can comment on the quality of the services provided by the accommodation and the satisfaction of the guests online via the website. The purpose of the data processing is to get to know the opinions of the guests. Statistical targets, market research.

• Data processed: name of the data subject, email address. When filling in the review, the guest can provide additional personal information, but can also fill it in anonymously.
• Legal basis for processing: your voluntary consent, which you provide to the Data Controller by submitting the evaluation. [Processing under Article 6(1)(a) of the Regulation]
• Duration of data processing: at the request of the Data Subject, the Data Controller deletes the ratings from all the interfaces displayed.

5. Processing of consumer complaints

If you have lodged a complaint with us, the processing of the data and the provision of the data are essential. The data management process is used to handle consumer complaints.

• Data processed: name, address, telephone number, email address of the data subject, content of the complaint.
• Duration of data processing: warranty complaints are kept for 5 years under the Consumer Protection Act.
• Legal basis for processing: Whether or not you contact us with a complaint is a voluntary decision, but if you do contact us, we will be able to process your complaint in accordance with the Consumer Protection Act 1997. CLV. Act 17/A. § (7) we are obliged to keep the complaint for 3 years [data processing under Article 6(1)(c) of the Regulation].

6. Data management related to the handling of warranty claims

Warranty claims must be dealt with in accordance with the rules of Decree 19/2014 (IV.29.) NGM, which also defines how your claim must be handled.

Data processed:

When dealing with warranty claims, the 19/2014. (29.IV.) We must follow the rules of the NGM Regulation. Under the Regulation, we are obliged to keep a record of the warranty claim notified to us:

1. your name, address and a declaration that you consent to the processing of your data recorded in the minutes in accordance with the Regulation,
2. the name and purchase price of the movable property sold under the contract between you and us,
3. the date of performance of the contract,
4. the date of the error report,
5. a description of the error,
6. the right you wish to exercise under a warranty or guarantee claim; and
7. how the warranty or guarantee claim is to be settled or the grounds for rejecting the claim or the right to enforce it.

Duration of processing

The business must keep the record of the consumer’s warranty claim for three years from the date of its recording and produce it at the request of the supervisory authority.

Legal basis for data processing: compliance with legal obligations pursuant to Regulation 19/2014 (IV.29.) NGM [Article 4(1) paragraph and Article 6(1) paragraph] [processing pursuant to Article 6 (1) c) of the Regulation].

7. Other data processing

7.1.Data processors, recipients of personal data

7.1.1. Processing for the purpose of storing personal data

Name of the data processor: Lál kft.

Registered office: 8699 Somogyvámos, Fő u. 38
Phone number: 06 30 505 1266
E-mail address: [email protected]

The Processor stores personal data on the basis of a contract with the Data Controller. You are not entitled to access personal data.

7.1.2. Accounting-related data management

Name of data processor: Lál kft.

Registered office: 8699 Somogyvámos, Fő u. 38
Phone number: 06 30 505 1266
Email: [email protected]

The Processor shall assist in the accounting of supporting documents on the basis of a written contract with the Controller. In doing so, the Data Processor shall disclose the name and address of the data subject to the extent necessary for accounting purposes, in accordance with the provisions of the Act. 169. § (2) for a period of time, after which it shall delete it without delay.

7.1.3. Data processing related to the operation of accommodation management software

Name of the data processor: FelhőMatrac Informatikai Kft.

The data processor is located at 35 Damjanich utca, 1071 Budapest, Hungary. 3. em. 17.
Telephone number of the data processor: +36 30 49 33 627 E-mail address of the data processor: [email protected]
The website of the data processor: felhomatrac.hu

The Data Processor contributes to the registration of orders on the basis of a contract with the Data Controller. In doing so, the Data Processor will process the name, address, telephone number, number and date of orders of the data subject within the limitation period of civil law.

7.1.4. Processing of data related to check-in to the accommodation

The data processor is the National Tourist Information Centre (NTAK), operated by the Hungarian Tourist Agency Zrt.

The data processor is located at 1027 Budapest, Kacsa u. 15-23.;

The Hungarian Tourism Agency Zrt. is available at the following link: https://info.ntak.hu/adatkezelesi-tajekoztato.

The terms and conditions of the data processing relationship between NTAK and the Data Controller are set out in the Data Processing Contract instead of the Data Processing Contract in the Data Processing Contract 235/2019. (X. 15.) Korm. Regulation 14. §.

7.1.5. Invoicing software connection data processing

The name of the data processor is Billingo Technologies Zrt.

The data processor is located at 1133 Budapest, Árbóc u. 6.
Telephone number of the data processor: (06 1) 500 9491
E-mail address of the data processor: [email protected]
The website of the data processor: billingo.hu

7.1.6. Processing of data related to online payments

Name of the data processor: OTP Mobil Kft.

The data processor is located at 1138 Budapest, Váci út 135-139. B. intact. 5. em.
Telephone number of the data processor: (06 1) 366 6611
E-mail address of the data processor: [email protected]
Website: https://otpmobil.hu/

In the case of online payment by credit card, the Guest acknowledges and agrees that the following personal data stored by the Data Controller in the user database of www.vendeghaz.krisnavolgy.hu will be transferred to OTP Mobil Kft. as data processor. The following data are transmitted by the Data Controller: name, e-mail address, telephone numbers, billing address data.

The nature and purpose of the data processing activities carried out by the processor can be found in the SimplePay Privacy Notice at the following link: http://simplepay.hu/vasarlo-aff”

7.1.7. Data processing activities related to payments via PayPal (credit card payments)

The name of the data processor is PayPal (Europe) S.a.r.l.et Cie, S.C.A.
The data processor is established at 22-24 Boulevard Royal L-2449, Luxembourg, foreign registration number: B118349)
Phone number of the data processor: 00 1 402-935-2050
As a financial service provider, PayPal complies with the laws that apply to it, the Privacy Notice published on its website
( https://www.paypal.com/hu/webapps/mpp/ua/legalhubfull?locale.x=hu_HU)
carries out its data management activities properly.

8. Information about the use of cookies

What is a cookie?

The Data Controller uses so-called cookies when you visit the website. A cookie is a bundle of letters and numbers that our website sends to your browser to save certain settings, facilitate the use of our website and help us to collect some relevant statistical information about our visitors.

Some of the cookies do not contain any personal information and cannot be used to identify an individual user, but some of them contain a unique identifier – a secret, randomly generated sequence of numbers – that is stored on your device, thus ensuring your identification. The duration of each cookie is described in the relevant description of each cookie.

Legal background and legal basis for cookies:

There are three basic types of cookies:

1. a cookie that is essential for the proper functioning of the Website,
2. for statistical purposes and
3. cookies for marketing purposes.

The legal basis for the processing of the data is 6. Article 6(1)(a) of the Regulation, your consent is required your consent for statistical and marketing cookies and Article 6. legitimate interest necessary for the functioning of the Website, in the case of cookies necessary for the functioning of the Website.

Main features of the cookies used by the website

8.1.1. Cookies that are essential for the operation

If you do not accept the use of these cookies, certain features may not be available to you.

Strictly necessary cookies: these cookies are essential for the use of the website and allow you to use its basic functions. In their absence, many of the site’s features will not be available to you. The lifetime of these types of cookies is limited to the duration of the session.

Session cookie: these cookies store the visitor’s location, browser language, payment currency, and their lifetime is until the browser is closed or for a maximum of 2 hours.

Recommended products cookie: the “recommend to a friend” function records the list of products you wish to recommend. It has a lifespan of 60 days.

Mobile version, design cookie: detects the device the visitor is using and switches to full view on mobile. It has a lifespan of 365 days.

Cookie acceptance cookie: when you arrive at the site, you will be prompted to accept the cookie statement in the warning window. It has a lifespan of 365 days.

employee_login_last_email: when logged in, the email address is stored until the browser is closed.

Ealrm, ealem, ealpw: Provides permanent access. It has a lifespan of 180 days.

come_from Performs an entry redirect. Lifetime 10 minutes.

currency Stores the currency of the customer. It has a lifespan of 30 days.

8.1.2. Cookies for statistical purposes:

Google Analytics cookie: Google Analytics is Google’s analytics tool that helps website and application owners to get a more accurate picture of their visitors’ activities. The service may use cookies to collect information and compile reports on website usage statistics without individually identifying visitors to Google. The main cookie used by Google Analytics is the “__ga” cookie. In addition to reporting on site usage statistics, Google Analytics, along with some of the advertising cookies described above, can also be used to display more relevant ads in Google products (such as Google Search) and across the web.

_gid: This cookie is set by Google Analytics. Each page visited stores and updates a unique value and is used to count and track page views.

_ga_G7LFQSLNQR: This cookie is used by Google Analytics to keep track of session status.

Cookies to improve your user experience: these cookies collect information about your use of the website, such as which pages you visit most often or what error messages you receive from the website. These cookies do not collect any information that identifies the visitor, i.e. they work with completely generic, anonymous information. We use the data from this to improve the performance of the website. The lifetime of these types of cookies is limited to the duration of the session.

Referrer cookies: they record from which external page the visitor came to the site. Their lifetime lasts until the browser is closed.

Last viewed product cookie: records the products last viewed by the visitor. Their lifespan is 60 days.

Last visited category cookie: records the last visited category. It has a lifespan of 60 days.

Shopping cart cookie: records the products placed in your shopping cart. It has a lifespan of 365 days.

Smart offer cookie: records the conditions under which smart offers are displayed (e.g. whether the visitor has been on the site before, whether they have placed an order). It has a lifespan of 30 days.

_fbp: Meta is used to deliver a range of advertising products, such as real-time bidding from third-party advertisers.

_gat_gtag_UA_194226315_1: This cookie is part of Google Analytics and is used to limit requests (to control the speed of requests).

wp-wpml_current_language: Stores the current language. By default, this cookie is only set for logged in users. If you enable the language cookie to support AJAX filtering, this cookie will be set for users who are not logged in.

pbid: unclassified cookies, cookies that are still under classification, including individual cookie providers. Expiry date: 180 days.

pys_first_visit, pys_start_session, pysTrafficSource, pys_pys_landing_page, pys_landing_page, pys_pysTrafficSource: register statistical data about the behaviour of users on the website. The website operator uses it for internal analysis. Their lifespan: 7 days.

pys_session_limit: An anonymous cookie used to facilitate the “PixelYourSite” plug-in that manages our analytics services.

8.1.3. Cookies for marketing purposes:

Google Adwords cookie: when someone visits our site, the visitor’s cookie ID is added to our remarketing list. Google uses cookies – such as NID and SID cookies – to personalise the ads you see in Google products, such as Google Search. It uses such cookies, for example, to remember your recent searches, your previous interactions with certain advertisers’ ads or search results, and your visits to advertisers’ websites. The AdWords conversion tracking feature uses cookies. Cookies are saved on the user’s computer when they click on an ad to track ad sales and other conversions. Some common uses of cookies include: selecting ads based on what is relevant to a particular user, improving campaign performance reporting, and avoiding displaying ads that the user has already viewed.

Remarketing cookies: may appear to previous visitors or users when browsing other sites on the Google Display Network or searching for terms related to your products or services.

predictionio: user ID cookie for recommending personalised ads. Lifespan 3 months.

Facebook pixel (Facebook cookie): a Facebook pixel is code that allows the website to report conversions, create audiences and provide the site owner with detailed analytics on how visitors use the site. Facebook pixel allows you to display personalised offers and ads to your website visitors on Facebook. You can read the Facebook Privacy Policy here: https://www.facebook.com/privacy/explanation

For more information on how to delete cookies, please follow the links below:

• Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/delete-manage-cookies#ie=ie-11
• Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
• Mozilla: https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito
• Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
• Chrome: https://support.google.com/chrome/answer/95647
• Edge: https://support.microsoft.com/hu-hu/help/4027947/microsoft-edge-delete-cookies

9. Your rights in relation to data processing

You have the following rights under the Regulation during the period of processing.

• the right to withdraw consent
• access to personal data and information on data management
• right to rectification
• restriction of processing,
• right to erasure
• right to protest
• the right to portability.

If you wish to exercise these rights, this will involve your identification and the Data Controller will need to communicate with you. Therefore, personal data will be required for identification purposes (but identification will only be based on data that the Data Controller already processes about you) and your complaints about the processing will be available on the Data Controller’s email account for the period of time specified in this notice in relation to complaints. If you are a former customer and would like to be identified for complaint or warranty purposes, please include your order ID for identification purposes. We can also use this to identify you as a customer.

You may make a request to the Data Controller regarding the processing of your personal data orally in person or in writing in person or by post or email using the following contact details:
Address for correspondence: 8699 Somogyvámos, Fő u. 15.
Phone number: +36 (30) 239 9265
Email address: vendeghaz@vhComplaints regarding data management shall be answered by the Data Controller within 30 days at the latest.

9.1 Right to withdraw consent

You have the right to withdraw your consent to data processing at any time, in which case the data will be deleted from our systems. However, please note that cancellation of an outstanding order may result in our inability to complete delivery of the product to you. In addition, if the purchase has already been made, we cannot delete billing data from our systems under accounting rules and, if you have a debt to us, we may process your data even if you withdraw your consent on the basis of a legitimate interest in the recovery of the debt.

9.2. Access to personal data

You have the right to receive feedback from the Data Controller as to whether or not your personal data is being processed and, if it is being processed, you have the right to:

• have access to the personal data processed; and
• the following information to be provided by the Data Controller:
  • the purposes of the processing;
  • the categories of personal data processed about you;
  • information about the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed by the Controller;
  • the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period;
  • your right to request the Controller to rectify, erase or restrict the processing of personal data concerning you and to object to the processing of such personal data where the processing is based on legitimate interests;
  • the right to lodge a complaint with a supervisory authority;
  • if the data was not collected from you, any available information about its source;
  • the fact of automated decision-making (where such a process is used), including profiling, and, at least in these cases, clear information about the logic used and the significance and likely consequences for you of such processing.

The purpose of exercising the right may be to ascertain and verify the lawfulness of the processing, and therefore, in the event of repeated requests for information, the Data Controller may charge reasonable compensation for the provision of information.

Access to personal data is provided by the Data Controller by sending you, by email, the personal data and information processed after you have identified yourself. If you are registered, we will provide access so that you can view and control the personal data we process about you by logging into your account.

Please indicate in your request whether you want access to your personal data or information about data management.

9.3. Right to rectification

You have the right to have inaccurate personal data relating to you corrected by the Data Controller without delay upon your request.

9.4. Right to restriction of processing

You have the right to have the Controller restrict processing at your request if one of the following conditions is met:

• You contest the accuracy of the personal data, in which case the restriction applies for the period of time that allows the Controller to verify the accuracy of the personal data, if the accuracy can be established immediately, no restriction will be imposed;
• the processing is unlawful, but you object to the deletion of the data for any reason (for example, because the data are important to you for the purposes of pursuing a legal claim) and you do not request the deletion of the data but instead request the restriction of their use;
• the Controller no longer needs the personal data for the purposes for which they are processed, but you require them for the establishment, exercise or defence of legal claims; or
• You have objected to the processing, but the Data Controller may also have a legitimate interest in the processing, in which case, until it is established whether the legitimate grounds of the Data Controller prevail over your legitimate grounds, the processing shall be restricted.

If the processing is restricted, such personal data, except for storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

The Data Controller will inform you in advance (at least 3 working days before the lifting of the restriction) about the lifting of the restriction.

9.5. Right to erasure – right to be forgotten

You have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay where one of the following grounds applies:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Controller;
• You withdraw your consent and there is no other legal basis for the processing;
• You object to processing based on legitimate interest and there is no overriding legitimate ground (i.e. legitimate interest) for processing,
• the personal data were unlawfully processed by the Controller and this has been established on the basis of the complaint,
• the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the Data Controller.

If the Data Controller has disclosed personal data about you for any lawful reason and is required to delete it for any of the reasons set out above, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform other data controllers that you have requested the deletion of the links to or copies of the personal data in question.

Erasure does not apply where the processing is necessary:

• to exercise the right to freedom of expression and information;
• to comply with an obligation under Union or Member State law that requires the controller to process personal data (such as processing in the context of invoicing, where the storage of the invoice is required by law) or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
• to lodge, enforce or defend legal claims (e.g. if the Data Controller has a claim against you and has not yet settled it, or if a consumer or data management complaint is pending).

9.6. Right to object

You have the right to object to the processing of your personal data based on legitimate interests at any time on grounds relating to your particular situation. In such a case, the Controller may no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, where it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data will no longer be processed for these purposes.

9.7. Right to portability

If the processing is automated or if the processing is based on your voluntary consent, you have the right to request the Data Controller to receive the data you have provided to the Data Controller, which the Data Controller will make available to you in xml, JSON or csv format, and if technically feasible, you may request that the Data Controller transfer the data in this format to another data controller.

9.8. Automated decision-making

You have the right not to be subject to a decision based solely on automated processing (including profiling) which would have legal effects concerning you or

you would also be significantly affected. In such cases, the controller shall take appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention by the controller, to express his or her point of view and to object to the decision.

The above does not apply if the decision:

• necessary for the conclusion or performance of a contract between you and the Data Controller;
• is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect your rights and freedoms and legitimate interests; or
• is based on your explicit consent.

10. Data security measures

The Data Controller declares that it has implemented appropriate security measures to protect personal data against unauthorised access, alteration, disclosure, transmission, disclosure, erasure or destruction, accidental destruction or accidental damage and inaccessibility resulting from changes in the technology used.

The Data Controller will make every effort to ensure that its Data Processors also take appropriate data security measures when working with your personal data, as far as organisational and technical possibilities allow.

11. Remedies

If you believe that the Data Controller has violated a legal provision on data processing or has failed to comply with a request, you may initiate an investigation procedure with the National Authority for Data Protection and Freedom of Information (postal address: 1363 Budapest, Pf. 9., e-mail: [email protected], telephone +36 (30) 683-5969 +36 (30) 549-6838; +36 (1) 391 1400).

You are also informed that you may bring a civil action against the Data Controller before a court in the event of a breach of the legal provisions on data processing or if the Data Controller has not complied with a request.

12. Amendments to the Privacy Notice

The Data Controller reserves the right to amend this Privacy Notice in a way that does not affect the purpose and legal basis of the processing. By using the website after the amendment comes into force, you accept the amended privacy policy.

If the Data Controller intends to carry out further processing of the collected data for purposes other than those for which they were collected, the Data Controller will inform you of the purposes of the processing and the following information prior to the further processing:

• the duration of the storage of personal data or, where this is not possible, the criteria for determining that duration;
• your right to request from the Controller access to, rectification, erasure or restriction of processing of personal data concerning you and, in the case of processing based on legitimate interest, to object to the processing of personal data and, in the case of processing based on consent or a contractual relationship, to request the right to data portability;
• in the case of processing based on consent, that you may withdraw your consent at any time,
• the right to lodge a complaint with a supervisory authority;
• whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract, whether you are under an obligation to provide the personal data and the possible consequences of not providing the data;
• the fact of automated decision-making (where such a process is used), including profiling, and, at least in these cases, clear information about the logic used and the significance and likely consequences for you of such processing.

Processing can only start after this, if the legal basis for the processing is consent, and you must give your consent in addition to the information.