Effective from 25th May 2018
The name and contact details of the data processor and the representative thereof:
IHG Szálloda Budapest Szolgáltató Korlátolt Felelősségű Társaság (hereinafter: Data controller), 1052 Budapest, Apáczai Csere J. u. 12-14, +36 1 327 6333, firstname.lastname@example.org, e-mail address: email@example.com
The purpose and legal grounds of data handling
The purpose of data handling is to send newsletters as well as information of Data controller’s current offers, programs and discounts.
The legal ground of data handling is your consent, which is a freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to you. Such consent can be withdrawn at any time; the withdrawal does not affect the lawfulness of data handling carried out prior to the withdrawal.
The scope of data being handled
Your first name, surname, e-mail address.
The duration of handling data
Until your withdrawal of consent.
Using a data processor
Data controller uses the services of ComLab Korlátolt Felelősségű Társaság as data processor for executing data processing activity. Contact details of the data processor are: 1037 Budapest, Seregély utca 3-5., +36 1 880 3000, firstname.lastname@example.org.
The contracted partner acts as data processor as regards the sending of newsletters. Their rights and duties in relation to processing data are defined by Data controller. Data processor has no right to make any decision regarding the controlling and handling of data. They shall not process data for their own purposes. They are to store and maintain the personal data as Data controller regulates and orders.
Personal data related to children or third persons
As per the regulations of GDPR children under 16 may not provide any personal data of themselves, unless consent and authorisation thereto has been granted by the person holding the parental responsibility over the child.
By providing your personal data to Data controller you acknowledge that you are acting in view of the above, and that your ability to act freely in providing your personal data is not in any way restricted. Should you not be entitled to provide your personal data to Data controller on your own, you shall be liable to obtain the permission of the relevant persons (the person holding parental responsibility, e.g. parent, legal representative) prior to giving your personal data. In the course of providing services Data controller does not become aware of whether the person using the services requires the permission of a third party thereto; therefore compliance with the present regulation is to be ensured by you, and Data controller is exempt from any liability or responsibility thereof.
Data controller reserves the right to examine whether the legal grounds of handling personal data, or the conditions of lawful data processing are provided for. For example, in the event you are acting on behalf of a third person, Data controller is entitled to request proof of your being assigned by the said person and/or the consent of the third person in question regarding the given case.
Subject’s rights and the possibilities of exercising such rights
As of 25th May 2018 your data protection rights and the possibilities for seeking legal resolution shall be regulated in detail by GDPR. In the following we are providing you with the key requirements of GDPR regarding your rights and possibilities of exercising such rights.
Access or rights to obtaining information as per GDPR
Based upon these regulations you are entitled to receive notification and information on whether the handling or processing of your personal data is in progress at Data controller. If such activity is in progress, you have the right to be granted access to your personal data being handled, as well as to receive information as follows:
- purpose of data handling;
- the categories of the relevant person’s personal data,
- details of addressees or the category of such addressees with whom Data controller has shared the personal details, specifically including addressees located in a third country and international organisations,
- the duration of maintaining the personal data, or if this is not possible, the factors such duration is defined by,
- your further rights include that you may request Data controller to correct, erase or restrict the handling of personal data relating to you, as well as you may object to your personal data being handled,
- you are entitled to submit complaint to the supervisory authority,
- in the event Data controller did not receive your personal data from you, you are entitled to seek notification of all relevant information available,
- as regards automated decision making, including profiling, in the event Data controller handles your personal data in such a way: the fact thereof, as well as clear, unambiguous information on the method and logic applied therein, and on the extent of the impact and the possible consequences such data handling may have on you.
- In the event personal data is transferred to a third country, you have the right to receive information on the guarantees of compliance of such transfer.
- You may request a copy of the personal data being under data processing, and provided there is no legal barrier, we will provide you with it. In the event you submitted your request electronically, GDPR requires us to do so in a format most commonly used, unless you request it differently.
- Data controller shall, without undue delay but within one month of the request being received, inform you of the measures taken upon receipt of your request. If necessary, in view of the complexity of the request and the number of requests received, the above deadline may be extended by a further two months. Data controller shall provide information on the extension of the deadline and the reasons for the delay within one month of receiving the request. In the event the subject submitted their request electronically, information shall be given electronically, unless subject requests otherwise.
- Should Data controller take no measures following the request received, they shall inform the person submitting the request of the reasons for not taking measures without undue delay or within one month of receiving the request, as well as of subject’s right to submit a complaint at one of the supervisory authorities and that they have the right to seek legal advice and resolution.
Right to obtain correction
As per GDPR you have the right to request Data controller to correct, without undue delay, your personal data that might be incorrect or in need of modification. Furthermore, you have the right to request the completion of deficient personal data.
The right to be erased or forgotten
Based upon this right, you are entitled to request your personal data to be erased or deleted – without undue delay as per GDPR – provided that one of the following reasons apply:
- personal data stored in relation to you are no longer needed for the purpose for which Data controller has collected or otherwise handled them;
- You withdraw your consent to your personal data being handled, and no other legal grounds exist for handling your data;
- You object to the handling of your data and in the given case there is no legitimate reason enjoying priority for handling the data;
- personal data were handled illegitimately;
- personal data are to be deleted if an EU or member state legal regulation makes Data controller liable to erase such data; or
- personal data were collected in relation to providing services connected to the information society.
If data handling is necessary due to reasons included in GDPR, erasure of the data or the exercising of the right to be forgotten is not possible, specifically if data handling is necessary:
- for exercising the right of expressing an opinion or the rights of obtaining information;
- for complying with an EU or member state regulation that prescribes the handling of personal data binding to Data controller;
- for archiving for public interest, for scientific or historic research or for statistics, provided that the erasure or the right to be forgotten would most probably make it impossible or would seriously endanger such data handling; or
- for putting forward, exercising and protecting legal claims.
We make all reasonable efforts in the interest of erasing all information that has come into our possession unlawfully, and we ensure that such information will not be transferred to any third party, neither will it be used by ourselves (neither for marketing nor for any other purposes). Please inform us without delay should you learn that a child has unlawfully transferred personal information about themselves, or a third person about you. You can contact us at any of the above contact details.
The right to restrict data handling
As per the regulations of GDPR you have the right to restrict the handling and processing of your personal data if any of the following apply:
- You dispute the correctness of the personal data handled about you, in which case restriction will apply to the period that makes it possible for us to check the personal data you consider incorrect or deficient,
- data handling is illegitimate, however you object to your personal data being erased, and instead request a restriction on the scope of their use,
- Data controller no longer needs your personal data for data handling, but you request your personal data for the purpose of putting forward, exercising or protecting legal claims; or
- You have objected to the handling of your data, in which case such restriction applies to the period until it is unambiguously stated that Data controller’s legitimate interests enjoy priority over your legitimate interests.
If, based upon the above, data handling comes under restriction, such personal data – other than being stored – may only be handled and processed with your consent, or for putting forward, exercising or protecting legal claims, or in order to protect another person’s or entity’s rights, or in the important public interest of the EU or a member state. Data controller will inform you of the lifting of data handling restrictions.
Notification liabilities relating to correcting, erasing personal data, or regarding the restriction on handling personal data
Data controller shall inform all relevant addressees to whom they have transferred any data of all corrections, erasure or restriction on data handling, unless such notification proves impossible or would require efforts out of proportion with the aim. Upon your request we shall inform you of such addressees.
Rights to transfer data
In compliance with GDPR you have the right to receive from Data controller the personal data you have provided Data controller with, in a commonly used and machine-readable format; furthermore, you have the right to transfer such data to a different data controller without being restricted or hindered in doing so in any way by Data controller.
You have the right to transfer data in the following events:
- if data handling and processing is based upon consent or contract, and
- data handling and processing is done in an automated way.
While exercising the right to transfer your data you have the right – if it is technically feasible – to request Data controller to transfer your personal data to another data controller indicated by you.
The right to object
In compliance with GDPR, for reasons relating to your situation, you have the right to object to your personal data being handled for legitimate reasons, including profiling. In this case Data controller shall cease to handle or process your personal data, except where it is proven beyond doubt that the handling of the personal data is compelled by legitimate reasons which enjoy priority over your interests, rights and freedoms, or which are related to putting forward, exercising or protecting legitimate claims.
Should personal data be obtained for business purposes, you have the right to object at any time to your personal data being collected and handled for such reason including profiling as well, in the event such activity is also connected to business interests.
In the event you object to your personal data being collected for business purposes, your personal data may not be handled for such purposes.
In relation to the use of services connected to the information society, and notwithstanding Directive 2002/58/EC, you may exercise the right to object via automated means that are based upon technical specifications.
In the event personal data are handled for scientific, historic research or for statistics, you have the right, for reasons relating to your situation, to object to your personal data being handled, unless the handling of data is necessary for executing tasks of public interest.
Right to submit claims to the Supervisory authority
You have the right to place a complaint with the supervisory authority – especially in the member state relevant to your regular place of presence, work place or the place where the breach has supposedly occurred – if in your judgement the handling of your personal data breaches the regulations of GDPR.
In Hungary the relevant supervisory authority is: Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information) (http://naih.hu/; 1530 Budapest, Pf.: 5.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: email@example.com).
You are entitled to an effective judicial remedy against a decision of the authority that is legally binding on you.
You are entitled to an effective judicial remedy if the relevant supervisory authority does not deal with the claim, or fails to inform you about the process launched in relation to your claim and its results within three months of submitting your claim.
Any proceedings against the supervisory authority may be launched at the court of the member state where the supervisory authority in question is located.