Privacy policy

  • INTRODUCTION 

NOER apartman (Adsress of the apartman: H-2220 Vecsés, Ady Endre utca 99.); Dornyák Péter ev. (H-2220 Vecsés, Ady Endre utca 97); VAT number: 28756116-2-42, registration no.: ……………………) (hereinafter: Service Provider, data controller) accepts the following policy. 

By virtue of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) we provide the following information. This data processing policy regulates data processing at the http://www.noerapartman.hu website and the NOER apartman. This data processing policy is accessible at the following site: http://www.noerapartman.hu/privacy-policy. Amendments to this policy enter into force through publication at the above address. 

The data controller and its contacts: 

Name: Dornyák Péter ev. Registered office: 2220 Vecsés, Ady Endre utca 97. E-mail: hello@noerapartman.hu, Telephone: +36 20 350 5007

  • DEFINITION OF TERMS
  • “Personal data”: means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • “Data processing”: means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 
  • “Data controller”: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; 
  • “Data processor”: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; 
  • “Recipient”: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • “Consent by the data subject”: means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her; 
  • “Data protection incident”: a violation of security that results in incidental or unlawful annihilation, loss, change, authorized publication of, and unauthorized access to transferred, stored data or data processed in another manner.
  • PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA 

Personal data shall be: 

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); 

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); 

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); 

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); 

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); 

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’). 4 14 May 2018 [DATA PROCESSING POLICY – RESIDENCEBUDAPEST.COM

  • DATA PROCESSING RESERVATION, REQUEST FOR QUOTE 

1. The fact of data collection, the circle of processed data and the purpose of data processing: The e-mail address does not have to contain personal data. 

2. Persons involved: All data subjects who make a reservation / request a quote at the website. 

3. Period of data processing, deadline of data deletion: The data are deleted immediately after responding to the user’s request for quote (in this case the data controller is not even entitled to send a newsletter to the user) if no room was reserved. If the User reserved a room in the service provider’s system, a contract is established, thus the deadline for deleting personal data is different for accounting vouchers as such data shall be stored for 8 years based on Article 169 (2) of Act C of 2000 on Accounting. Personal data Purpose of data processing: First name and surname Required for making contact, requesting a quote and issuing a regular invoice. E-mail address Keeping contact. Telephone number Keeping contact, efficiently managing issues concerning reservations, requests for quote and invoicing. Invoicing name and address Issuing regular invoices, concluding contracts, specifying and modifying their contents, monitoring their fulfilment, invoicing contractual fees and enforcing related claims. Reservation-related data (date and time, date of arrival and departure, number of adults and children, age of children, type of service, room type, gender, mother’s name, visa number, bank card related data) Enabling reservation. Date of reservation/request for quote Implementing technical operations. IP address upon reservation/request for quote Implementing technical operations

Accounting documents (including general ledger accounts, analytic records and detailed records) of direct and indirect support to the book-keeping accounts are to be retained in a readable form for at least 8 years in a retrievable manner based on the references of accounting records. 

Possible data controllers entitled to access the data, recipients of the personal data: Personal data can be processed by the data controller’s sales and marketing associates, by respecting the above basic principles. 

Information about the rights of data subjects concerning data processing: 

• Data subjects may request the data controller to provide access to the relevant personal data as well as correction, deletion or limited processing of their data, 

• They may protest against processing such personal data as well as 

• They have the right to data portability and to withdraw their consent at any time. 

Access to personal data, deletion, modification, the limitation of processing, data portability and protest against data processing can be initiated by the data subjects in the following manners: 

– by mail, at the address: H-2220 Vecsés, Ady Endre utca 97.

– Via e-mail, at the hello@noerapartman.hu e-mail address,

– On the telephone: +36 20 350 5007

Legal ground of data processing: the data subject’s consent, article 6 (1) a) and b), article 5 (1) of the Information Act, article 169 (2) of Act C of 2000 on accounting as well as article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commercial services as well as services related to the IT society.

The service provider shall have the right, in view of providing the service, to manage those personal data that are technically indispensable for the provision of the service. 

Please be advised that 

• Data processing is based on your consent. 

• You are obliged to provide your personal data in order for us to process the reservation. 

• The consequence of not providing personal data is that we cannot process your reservation and request for quote.

  • THE EMPLOYED DATA PROCESSORS

Storage space provider 

1. Activities carried out by the data processor: Storage space provision 

2. Name and contact of the data processor: MikroVPS Kft., 7150 Bonyhád, Jókai u 3. Phone: +36307564514

3. The fact of data processing, circle of the processed data: All personal data provided by the data subjects. 

4. Persons involved: All data subjects using the website. 

5. Purpose of data processing: Making the website accessible and ensuring its proper operation. 

6. Period of data processing, deadline of data deletion: Immediately upon deleting the registration. 

7. Legal basis of data processing: the User’s consent, article 5 (1), article 

6 (1) a) of the Information Act, as well as article 13/A (3) of Act CVIII of 2001 on certain issues of electronic commercial services as well as services related to the IT society.

  • MANAGING COOKIES

1. The fact of data processing, circle of the processed data: Individual ID number, dates, times 

2. Persons involved: All data subjects visiting the website. 

3. Purpose of data processing: Identifying the users and tracking the visitors. 

4. Period of data processing, deadline of data deletion: 

5. Possible data controllers entitled to access the data: The data controller processes no personal data by using cookies. 

6. Information about the rights of data subjects concerning data processing: The data subjects have the opportunity to delete cookies in the Tools/Settings menu of the browsers, generally under the Data Protection menu point. 

7. Legal ground of data processing: No consent is needed from the data subject if the exclusive purpose of using cookies is to transfer messages through the electronic infocommunication network or the service provider unconditionally needs it in order to provide the service – related to the information society – expressly requested by the subscriber or the user. Type of cookie Legal basis of data processing Period of data processing Processed data Work process cookies (session) Article 13/A (3) of Act CVIII of 2001 on the electronic commercial services, and on certain legal aspects of information society services Period until closing the relevant visitor work process connect.sid Permanent or saved cookies Article 13/A (3) of Act CVIII of 2001 on the electronic commercial services, and on certain legal aspects of information society services Until deleting the data subject, maximum 90 days.

  • CUSTOMER CONTACTS 

1. The fact of data collection, the circle of personal data and the purpose of data processing: 

2. Persons involved: All data subjects keeping contact with the data controller on the telephone / in e-mail / personally or maintaining a contractual relationships with it. 

3. Period of data processing, deadline of data deletion: Data processing lasts until termination of the legal relationship between the data controller and the data subject and for 5 years after the contract in the case of claims. 

4. Possible data subjects entitled to access the data, recipients of the personal data: Personal data can be processed by the data controller’s authorized associates, by respecting the above basic principles. 

5. Information about the rights of data subjects concerning data processing: 

• Data subjects may request the data controller to provide access to the relevant personal data as well as correction, deletion or limited processing of their data, 

• Data subjects have the right to data portability and to withdraw their consent at any time. 6. Access to personal data, deletion, modification, the limitation of processing and data portability can be initiated by the data subjects in the following manners:

– By mail, at the address H-2220 Vecsés, Ady Endre utca 97. 

– Via e-mail, at the hello@noerapartman.hu e-mail address, 

– On the telephone: +36 20 350 5007

Legal ground of data processing: 7.1. Article 6 (1) clauses b)-c) of the GDPR. 7.2. 5 years in line with the provisions of article 6:21 of Act V of 2013 on the Civil Code in case of enforcing claims arising from the contract. Section 6:22 [Statute of limitations] (1) Unless otherwise provided for in this Act, claims shall lapse after five years. (2) The period of limitation commences upon the due date of the claim. 

Personal data: Name, e-mail address, phone number. 

Purpose of data processing: keeping contacts, identification, fulfilling contracts, business purpose.

  • An agreement for changing the limitation period shall be executed in writing.
  • Any agreement excluding prescription shall be null and void. 
  • Please be advised that 

• Data processing is needed for fulfilling the contract and giving a quote. 

• You are obliged to give your personal data in order for us to process your order / other request. 

• The consequence of not providing personal data is that we cannot process your order / request.

  • FIRST CONTACT 

1. The fact of data collection, the circle of personal data and the purpose of data processing:

Personal data Purpose of data processing: Name Identification E-mail address Keeping contacts, sending reply messages Telephone number Contacts Content of the message Needed for reply Date of establishing contact: Implementing technical operations IP address upon establishing contact Implementing technical operations

The e-mail address does not have to contain personal data. 

2. Persons involved: All data subjects sending messages through the contact form. 

3. Period of data processing, deadline of data deletion: Until the data subject requests to delete them. 

4. Possible data subjects entitled to access the data, recipients of the personal data: Personal data may be processed by the authorized associates of the data controller. 

5. Information about the rights of data subjects concerning data processing: 

• Data subjects may request the data controller to provide access to the relevant personal data as well as correction, deletion or limited processing of their data, 

• Data subjects have the right to data portability and to withdraw their consent at any time.

6. Access to personal data, deletion, modification, the limitation of processing and data portability can be initiated by the data subjects in the following manners: 

– By mail, at the address H-2220 Vecsés, Ady Endre utca 97.

– Via e-mail, at the hello@noerapartman.hu e-mail address, 

– On the telephone: +36 20 350 5007

7. Legal ground of data processing: the data subject’s consent, article 6 (1) clauses a)-b).

8. Please be advised that 

• This data processing is based on your consent and is needed for giving a quote. 

• You are obliged to give your personal data in order to contact us. 

• The consequence of not providing personal data is that you cannot contact the service provider.

  • COMPLAINT MANAGEMENT 

1. The fact of data collection, the circle of personal data and the purpose of data processing:

Personal data: First name and surname

Purpose of data processing: Identification, keeping contact 

E-mail address: Keeping contact 

Telephone number: Keeping contact 

Invoicing name and address: Identification, managing quality complaints, questions and problems arising in connection with the services

2. Persons involved: All data subjects making a complaint about the hotel services. 

3. Period of data processing, deadline of data deletion: The copies of the minutes drawn up about the received complaint, the transcription and the response given to it shall be stored for five years based on article 17/A (7) of Act CLV of 1997 on consumer protection. 

4. Possible data subjects entitled to access the data, recipients of the personal data: Personal data can be processed by the data controller’s sales and marketing associates, by respecting the above basic principles. 

5. Information about the rights of data subjects concerning data processing: 

• Data subjects may request the data controller to provide access to the relevant personal data as well as correction, deletion or limited processing of their data, 

• Data subjects have the right to data portability and to withdraw their consent at any time. 6. Access to personal data, deletion, modification, the limitation of processing and data portability can be initiated by the data subjects in the following manners: 

– By mail, at the address H-2220 Vecsés, Ady Endre utca 97.

– Via e-mail, at the hello@noerapartman.hu e-mail address, 

– On the telephone: +36 20 350 5007

7. Legal ground of data processing: The data subject’s consent, article 6 (1) c) and article 17/A (7) of Act CLV of 1997 on consumer protection. 

8. Please be advised that

• Providing personal data is based on a legal obligation. 

• Processing personal data is the pre-condition of concluding the co. 

• You are obliged to give your personal data in order for us to manage your complaint. 

• The consequence of not providing personal data is that we cannot manage your complaint.

  • INTERNAL DATA PROCESSING (DATASHEET) 

1. Legal ground of data processing: Article 6 (1) c) of the GDPR. 

2. Purpose of data processing: Compliance with the legal regulations concerning tourism tax. 

3. Period of data processing, deadline of data deletion: Until the competent authority can check the fulfilment of the obligations specified in the relevant legal regulations, and the deadline – in case of a contract – is 31 December of the seventh year following the given year, under article 169 (2) of Act C of 2000 on accounting. 

4. Scope of the processed data: name, e-mail, telephone number, address, identity card number, citizenship, place and date of birth, mother’s name, gender, visa number, registration plate, as well as the name, place and date of birth and other personal data of further guests staying in the room. 

5. Data controllers that may be entitled to access the data: Personal data can be processed by the data controller’s associates, by respecting the above basic principles. 

6. Information about the rights of data subjects concerning data processing: 

• Data subjects may request the data controller to provide access to the relevant personal data as well as correction, deletion or limited processing of their data, 

• Data subjects have the right to data portability and to withdraw their consent at any time. 

9. Access to personal data, deletion, modification, the limitation of processing and data portability can be initiated by the data subjects in the following manners: 

– By mail, at the address H-2220 Vecsés, Ady Endre utca 97.

– Via e-mail, at the hello@noerapartman.hu e-mail address, 

– On the telephone: +36 20 350 5007

  • SOCIAL NETWORKING WEBSITES 

1. The fact of data collection, circle of the processed data: Name and public profile picture of the user registered at the Facebook/Google+/Twitter/Pinterest/Youtube/Instagram etc. social sites. 

2. Persons involved: All data subjects who registered at the Facebook/Google+/Twitter/ Pinterest/Youtube/Instagram etc. social sites and liked the website. 

3. Purpose of data collection: sharing, liking and promoting various content elements, products, promotions of the website, or the website itself at social networking sites. 

4. Information on the period of data processing, deadline for deleting the data, data controllers that may be entitled to access the data, and the data subjects’ rights concerning data processing: The data subjects can find information about the data source, data processing, the manner and the legal basis of delivery at the given social networking site. The data are processed at the social networking sites, therefore, the period and manner of data processing as well as the option to delete and modify the data are governed by the rules of the given social site. 

5. Legal ground of data processing: The data subjects’ voluntary consent to processing their personal data at the social networking sites.

  • CUSTOMER CONTACTS AND OTHER DATA PROCESSING 

1. Should the data subjects have a question or a problem when using the data controller’s services, they can contact the data controller in the manner indicated at the website (telephone, e-mail, social networking sites etc.). 

2. The data controller deletes the incoming e-mails, messages, data provided on the telephone, on Facebook etc. – together with the enquiring person’s name and e-mail address as well as other voluntarily provided personal data – upon the expiry of two years calculated from the data disclosure. 

3. Information about data processing not listed here is provided when the data are collected. 

4. The Service Provider shall provide information as well as shall disclose and deliver data and provide documents if exceptionally requested by the authorities or by other organizations by virtue of the legal regulations. 

5. In such cases, the Service Provider delivers to the enquiring party personal data 

– if the exact purpose and the circle of data was indicated 

– only in the amount and to the extent that is indispensable for fulfilling the purpose of the enquiry. 

  • RIGHTS OF THE DATA SUBJECTS 
  1. Right to access 

You are entitled to receive feedback from the data controller as to whether your personal data are being processed, if yes, you are entitled to access your personal data and the information listed in the legal regulation. 

  1. Right to correction 

You are entitled to request the data controller to modify your incorrect personal data without any unjustified delay. With regard to the purpose of data processing, you are entitled to request extension of deficient personal data, among other things, by way of a supplementary declaration. 

  1. Right to delete 

You may request the data controller to delete your personal data without any unjustified delay, and the data controller is obliged to delete your personal data without any unjustified delay if certain conditions prevail. 

  1. Right to be forgotten 

If the data controller disclosed the personal data and is obliged to delete them, it shall take all reasonably expected actions, also including technical actions, in consideration of the accessible technology and the costs of implementation, in order to notify the data controllers processing the data that you requested deletion of the links directing to the personal data or the copy or counterpart of these personal data. 

  1. Right to limit data processing 

You are entitled to request the data controller to limit the data processing if any of the following conditions are fulfilled: 

• You dispute the accuracy of the personal data, in this case the limitation shall refer to the period that enables the data controller to verify the accuracy of the personal data; 

• Data processing is illegitimate and you protest against deleting the data and, instead, you request limitation of their use; 

• The data controller no longer needs the personal data for data processing but you need them to submit, enforce or protect legal claims; 

• You protested against the data processing; in this case the limitation refers to the period until it is established whether the data controller’s legitimate reasons are given priority over your legitimate reasons. 

  1. Right to data portability 

You are entitled to receive your personal data, delivered to a data controller, in an articulated, widely used, typed, readable format, furthermore, you are entitled to transfer these data to another data controller, and the data controller to whom you provided these data may not prevent such transfer (…) 

  1. Right to protest 

You are entitled to protest at any time against (…) processing your personal data for reasons related to your own situation, also including profiling, which is based on the above-mentioned provisions. 

  1. Protest in the case of direct marketing 

If personal data are processed for direct marketing, you may protest at any time against processing your personal data for such a purpose, also including profiling, if it is attached to direct marketing. If you protest against processing your personal data for direct marketing, in that case the personal data may no longer be processed for such a purpose. 9. Automated decision-making in individual cases, including profiling You have the right not to be affected by the scope of the decision exclusively based on automated data processing, also including profiling, that would impose a legal impact on you or would affect you in a similarly significant manner. The previous paragraph shall not apply in the event where:

The decision is needed for concluding or fulfilling the contract between you and the data controller; 

• Decision-making is enabled by an EU or Member State law – applicable for the data controller – that also establishes appropriate actions serving the protection of your rights and freedoms and legitimate interests; or 

• The decision is based on your express consent. 

  • DEADLINE FOR ACTIONS 

The data controller notifies you about the actions taken as a result of the above requests without any unjustified delay, but by all means within one month from receipt of the request. If needed, this may be extended with two months. The data controller notifies you about the deadline extension, by indicating the reasons for delay, within one month from receiving the request. Should the data controller fail to take actions upon your request, it shall notify you about the reasons for failing the actions without delay but at the latest within one month from receiving the request, and about the fact that you may submit a complaint to a supervisory authority and may make use of your right to legal remedy.

  • THE SECURITY OF DATA PROCESSING 

The data controller and the data processor carry out appropriate technical and organizational actions – in consideration of the scientific and technological standing, the implementation costs as well as the nature, the scope, the circumstances and the purposes of data processing, as well as the risks of various probability and weight impending on the rights and freedoms of natural persons – in order to guarantee data security at a level equalling the rate of risk, in the given case: 

a) Pseudonymizing and encrypting the personal data; 

b) Guaranteeing the confidential nature of the systems and services used for processing personal data, as well as their integrity, availability and resistance; 

c) In the case of physical or technical incident, the ability to restore access to the personal data and the availability of data in due course; 

d) Procedure for regularly testing, surveying and assessing the efficiency of technical and organizational actions taken to guarantee secure data processing

  • NOTIFYING THE DATA SUBJECTS ABOUT DATA PROCESSING INCIDENTS 

If the data processing incident presumably involves a high risk for the rights and freedoms of natural persons, the data controller shall notify the data subject about the data processing incident without unreasonable delay. The information provided to the data subject shall clearly specify the nature of the data processing incident, the name and contact of the data protection officer as well as the name and contact of another contact person providing further information; the consequences that presumably arise from the data processing incident, the actions made or planned by the data controller to remedy the data processing incident, including in the given case actions aimed at mitigating eventual adverse consequences arising from the data processing incident. 

The data subject does not have to be informed if any of the following conditions take place: 

• The data controller took appropriate technical and organizational actions and these actions were applied for data affected by the data processing incident, especially actions – e.g. applying encryption – that make the data uninterpretable by persons not authorized to access the personal data; 

• After the data processing incident the data controller took further actions to guarantee that the high risk affecting the data subject’s rights and freedoms will presumably not take place in the future; • The information would require disproportionate efforts. In such cases, the data subjects shall be notified through publicly disclosed information, or similar actions shall be taken to ensure that the data subjects are informed in a similarly effective manner. If the data controller has not notified yet the data subject about the data processing incident, the supervisory authority may order the notification of the data subject after considering whether the data processing incident involves a high risk. 

  • REPORTING DATA PROTECTION INCIDENTS TO THE AUTHORITY 

The data controller reports to the competent supervisory authority the data processing incident without unjustified delay, and if possible at the latest 72 hours after learning about the data processing incident, based on article 55, except where the data processing incident presumably does not involve any risk for the rights and freedoms of natural persons. Should the report not be made within 72 hours, the reasons verifying the delay shall also be attached to it.

  • COMPLAINTS 

Complaints against the eventual violation of law by the data controller can be made to the National Authority for Data Protection and Freedom of Information:

Hungarian National Authority for Data Protection and Freedom of Information 

1125 Budapest, Szilágyi Erzsébet fasor 22/C. 

Mailing address: 1530 Budapest, P.O. Box: 5. 

Telephone: +36 -1-391-1400; Fax: +36-1-391-1410 

E-mail: ugyfelszolgalat@naih.hu

  • CONCLUDING REMARKS 

This policy is based on the following legal regulations: 

– REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 

– Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information 

– Act CVIII of 2001 on the electronic commercial services, and on certain legal aspects of information society services (especially article 13/A) 

– Act XLVII of 2008 on prohibiting unfair commercial conduct towards consumers 

– Act XLVIII of 2008 on the Essential Conditions of, and Certain Limitations to Business Advertising (especially article 6) 

– Act XC of 2005 on the Freedom of Information by Electronic Means 

– Act C of 2003 on Electronic Communications (especially article 155) 

– Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising 

– Recommendation of the Hungarian National Authority for Data Protection and Freedom of Information about the data processing requirements of preliminary information