DATA PROCESSING INFORMATION
Valid from: 12/3/2025 until revoked
Lázár-OK Hotel, Hospitality and Trade Services Ltd. (registered office: 1042 Budapest, Árpád út 41-43. 3rd floor, 1st floor; branch office: 3400 Mezőkövesd, Hajnal utca 2.; company registration number: 01-09-462665; tax number: 12068061-2-41; represented by: Sándor Lázár, CEO; email: info@hajnalhotel.hu) fulfills its obligations related to data processing within the framework of this data processing information.
Introductory provisions, purpose of the information
In this Data Protection Notice, the Data Controller sets out the governing rules and procedures related to data protection in order to implement the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation 95/46/EC (hereinafter referred to as the GDPR) and Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter referred to as the Infotv.), expressing respect for and protection of the basic principles set out in the regulation.
The data controller acknowledges the content of this information as binding on itself. The purpose of the Data Management Information is to inform the Data Controller’s customers, partners and clients regarding the processing of their personal data. The data controller only processes personal data in accordance with the legal provisions in force at all times and in strict compliance with their requirements, taking into account the principles set out in Article 5 of the GDPR:
- the principles of lawfulness, fairness and transparency,
- the principle of purpose limitation,
- the principle of data minimisation,
- the principle of accuracy,
- the principle of storage limitation.
The Data Controller is committed to protecting the personal data of the data subjects and considers it particularly important to respect the right of self-determination of the data subjects. The recorded personal data is treated confidentially and in accordance with data protection legislation. In addition, it takes all technical and organizational measures to guarantee the secure storage of the data. It protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, and against inaccessibility resulting from changes in the technology used.
The personal, material and temporal scope of the Data Management Notice:
The personal scope of this Data Processing Notice extends to the Data Controller, as well as to those natural persons whose data is included in the data processing operations covered by this Notice, as well as to those persons whose rights or legitimate interests are affected by the data processing.
Definitions of terms:
Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data for the purpose of uniquely identifying natural persons, data concerning health and personal data concerning the sex life or sexual orientation of natural persons.
Data processing: any operation or set of operations which is performed on personal data or data files, whether or not by automated means, regardless of the procedure used, including in particular the collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
Data transfer: making data available to a specific third party.
Disclosure: making data available to anyone.
Data erasure: making data unrecognizable in such a way that its recovery is no longer possible.
Filing system: a file of personal data structured in any way – centralized, decentralized, or according to functional or geographical aspects – which is accessible based on specific criteria.
Data controller: the person who determines the purposes and means of data processing, either independently or together with others.
Data processor: the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the data controller.
Data subject: any natural person identified or identifiable, directly or indirectly, on the basis of specific personal data.
Recipient: the natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether a third party or not.
Third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct control of the controller or processor, are authorised to process personal data.
Consent of the data subject: any freely given, specific, adequately informed and unambiguous indication of the data subject’s wishes by which the data subject, by a clear and unambiguous statement or affirmation, signifies agreement to the processing of personal data concerning him or her.
Data security incident: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed.
E-mail: (Electronic mail) electronic mail. The name refers to the method of writing and transmitting, which takes place entirely electronically using computer networks.
Internet: the Internet (Internetworking System) is a global network of computer networks (so-called metanetwork) that spans the entire Earth, connecting government, military, commercial, business, educational, research, and other institutions, as well as individual users.
Web page, Website, Web portal, Home page: an electronic interface suitable for presentation and information dissemination, which is typically located on servers (Webserver) connected to the Internet. These pages, tabs, have a unique address (link), which can be entered into a browser application to navigate to the given page. The technology of Websites allows for forward and backward jumps between individual content elements and links (hypertext).
Cookies: a program component used to create convenience functions on websites. There are two basic types. One is stored on your own computer, the other is stored on the server side, so-called session cookies. From a data management perspective, the handling of session cookies must be regulated. Websites must inform and declare to visitors about the use of cookies.
Electronic newsletter: electronic mail sent to the email address of persons subscribed to a mailing list, typically automatically generated and sent by an application set up for this purpose, for transactional, advertising or other campaign purposes.
Legal bases and purposes of data processing
Personal data may only be lawfully processed in the following cases and to the extent that at least one of the following is met according to Article 6 of the GDPR:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject’s request prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the controller is subject;
- the processing is necessary to protect the vital interests of the data subject or another natural person;
- the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The Data Controller must examine the lawfulness of data processing at every stage of its activity and may only process data for as long as it can justify its purpose and legal basis. If the condition of the legal basis ceases, data processing is only lawful in the future if it can justify another legal basis, failing which the data must be deleted.
Website operation
The server and hosting provider: Previo.hu Kft.
Address: 1119 Budapest, Petzval József Street 4.a.
The server and hosting provider stores the personal data it has received and is not authorized to use it.
Information about cookies used on the website
Cookies are files that are created by websites you visit. They make your online navigation easier by saving your browsing data. Cookies allow websites to:
- keep you logged in;
- remember your website settings;
- offer you locally relevant content.
However, some cookies expire when you close the website, and some have a longer expiration date.
Legal background of cookies:
The legal background of data management is provided by the provisions of the GDPR, the Information Act and Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society.
Legal basis for cookies:
The legal basis for data processing is Article 6(1)(f) of the GDPR in the case of session cookies, and your consent in the case of other cookies (e.g. security, analytical) in accordance with Article 6(1)(a) of the GDPR and Section 5(1)(a) of the Privacy Act.
We inform you that the data subject declares that he/she is over 16 years of age when accepting the use of cookies on the Data Controller’s website. A person under the age of 16 may not declare his/her acceptance or rejection of cookies used by the website. Pursuant to Article 8(1) of the GDPR, the consent of his/her legal representative is required for the validity of his/her legal declaration containing his/her consent to data processing. The data controller is not able to verify the age and entitlement of the person giving his/her consent, so the data subject guarantees that the data provided is true.
The website uses the following cookies:
Session cookies: These cookies are temporarily activated while browsing. That is, from the moment the user opens the browser window until the moment they close it. As soon as the browser is closed, all session cookies are deleted. We do not store any personal data in session cookies.
Google Analytics cookie: Google Analytics is Google’s analytics tool that helps website and app owners get a better understanding of their visitors’ activities. The service may use cookies to collect information and report on website usage statistics without personally identifying visitors to Google. The main cookies used by Google Analytics are the “__ga”, “_gat” and “_gid” cookies. In addition to reporting on website usage statistics, Google Analytics – together with some of the advertising cookies described above – may also be used to show more relevant ads in Google products (such as Google Search) and across the web. (Data processor: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.)
poptin_user_id: This period shows the period during which a service may store and/or read certain data from your computer using cookies, pixels, APIs, cookieless tracking, or other resources.
poptin_old_user: This period shows the period during which a service may store and/or read certain data from your computer using cookies, pixels, APIs, cookieless tracking, or other resources.
poptin_referrer: This period indicates the period during which a service may store and/or read certain data from your computer using cookies, pixels, APIs, cookieless tracking, or other resources.
Deleting cookies
You can delete cookies placed by the website from your device at any time using your browser. You can find detailed instructions on how to delete or manage cookies in the help of your browser. You can also block cookies using your browser or request a notification each time the browser receives a new cookie. Blocking cookies may technically prevent you from using our website.
If you do not accept the use of cookies, certain features will not be available to you.
Contact, inquire, request a quote via the website
The Data Controller allows the interested party to contact it at any of the contact details provided on the website or to send it a message via the contact form on the website. The data provided will be used exclusively for the purpose of maintaining contact with the interested party.
When contacting us, the following personal data must be provided, depending on the method of contact:
- name
- message
The purpose of data management is for the website operator to establish contact with interested parties and provide them with a quote.
Legal basis for data processing:
In the case of an inquiry or request for information, data processing is based on voluntary consent pursuant to Article 6(1)(a) of the GDPR. In the case of a quotation, data processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the data subject’s request prior to entering into a contract, pursuant to Article 6(1)(b) of the GDPR.
Duration of data processing:
The personal data provided will be processed for different periods of time depending on the nature of the contact.
In the event of an inquiry or contact, the Data Controller will no longer retain the data after the necessary information has been provided, unless a legitimate claim can be asserted regarding the subject of the ad hoc contact, in which case it will be retained for a maximum of 5 years for the purpose of its verification.
In the case of providing a price quote, the data retention period is the existence of the binding nature of the offer, which is governed by Sections 6:64-69 of the Civil Code.
In the event of a business relationship, the data must be retained for 8 years pursuant to Section 169 (2) of the Accounting Act.
Data processing related to Facebook page
The website operator also promotes and describes the service it provides through its social media page, and provides the opportunity to contact it via Messenger. The Data Controller treats the personal data obtained through its Facebook page confidentially and uses it exclusively to maintain contact with the data subject, answer questions, and provide quotes. The Data Controller shares advertising photos of the services it provides on its Facebook page. The photos also include natural persons; however, the Data Controller always ensures that the use of the photos does not violate the dignity or personal rights of others, and that the data subject has given voluntary and uninfluenced consent to the taking and publication of the photo. In all cases, the photos show a paid model.
The purpose of data processing is to promote and advertise services and provide information to interested parties.
Legal basis for data processing:
Pursuant to Article 6(1)(a) of the GDPR, it is based on voluntary consent, which shall be deemed to have been given by the data subject liking, following the page, commenting on posts, or contacting the page operator in the form of a message.
The legal basis for data processing regarding the taking and publication of photographs is Article 6(1)(a) of the GDPR, with regard to the provisions of Sections 2:42 and 2:48 of the Civil Code.
Joint data controller: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
The operator of the site does not assume responsibility for previous pages that have already been deleted but have nevertheless been archived by Internet search engines. The operator of the search engine must ensure their removal.
You can read more about Facebook’s data management by clicking on the following link: https://www.facebook.com/privacy/explanation
Photos of the accommodation
The Data Controller presents the accommodation and the services available there with photographs on its website, thus facilitating the choices of interested parties. The photographs also include natural persons.
The scope of the data processed:
the image of the person concerned
The purpose of data management is to introduce the data controller’s employees.
Legal basis for data processing
GDPR Article 6 (1) (f) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Duration of data processing:
The photos will be deleted immediately after the employment relationship ends.
The operator of the site does not assume responsibility for previous pages that have already been deleted but have nevertheless been archived by Internet search engines. The operator of the search engine must ensure their removal.
Data management related to accommodation reservations (VIZA system)
The Data Controller provides interested parties with the opportunity to book accommodation on its website during available dates.
Based on legal obligations, the data must be sent to the National Tourism Data Service Center and, in the case of tourism tax, to the Municipality of the City of Esztergom with County Rights. The invoices issued will be forwarded to the National Tax and Customs Office.
Purpose of data processing:
Fulfillment of the ordered service, issuance of an invoice, preservation of the invoice, fulfillment of tax obligations, contact, contractual information obligation, data provision to bodies specified in law.
Legal basis for data processing:
In the case of providing a price quote and booking accommodation, the performance of a contract pursuant to Article 6(1)(b) of the GDPR, and in the case of adding guest data to an invoice: compliance with the cooperation and information obligation set out in Section 165 of Act C of 2000 on Accounting, Section 196 of Act CXXVII of 2007 on Value Added Tax, and Section 6:62 of the Civil Code. With regard to the data required for tourism tax and tourism data provision, compliance with the legal obligation set out in Article 6(1)(c) of the GDPR, with regard to the provisions of Section 9/H of Act CLVI of 2016.
Scope of data processed when booking a room:
- arrival and departure date
- number of rooms
- name of the person concerned
- email address
- phone number
- comment
- would like to be informed about offers
Scope of processed data for the VIZA system:
- name of the person concerned,
- birth name,
- place and date of birth,
- sex,
- citizenship,
- mother’s birth name,
- ID card number/passport,
- in the case of third-country nationals, the visa/residence permit number,
- place and date of entry,
- bank card/credit card/SZÉP card details in case of card payment,
- the address of the accommodation service,
- start, expected and actual end date of accommodation use
- room with terrace
- family accommodation
- promotional code
- extra services (e.g. dietary requirements according to food sensitivities, massage services, body treatments, pets)
Duration of data processing:
Accounting documentation must be kept for 8 years pursuant to Section 169(1) of the Accounting Act. Contact details will be kept until the contract is fulfilled, but no later than December 31 of the year following the contract.
Data processors:
- National Tax and Customs Administration
- National Tourism Data Service Center
- Municipality of the City of Esztergom with County Rights
- accountant
Scope of data transferred:
- name of the person concerned,
- birth name,
- place and date of birth,
- sex,
- citizenship,
- mother’s birth name,
- ID card number/passport,
- in the case of third-country nationals, the visa/residence permit number,
- place and date of entry,
- bank card/credit card/SZÉP card details in case of card payment,
- the address of the accommodation service,
- start, expected and actual end date of accommodation use
Legal basis for data transfer:
Fulfillment of a legal obligation pursuant to Article 6(1)(c) of the GDPR, with regard to the provisions of Section 9/H of Act CLVI of 2016.
Gift certificate
The Data Controller allows interested parties to purchase a wellness gift voucher for their loved ones as a vacation and relaxation opportunity through its website, which they can redeem at any time within the validity period for accommodation services and other wellness treatments (e.g. massage, rheumatism treatment, spa admission).
Purpose of data processing: to provide the opportunity to purchase gift certificates.
Legal basis for data processing: performance of a contract pursuant to Article 6(1)(b) of the GDPR, and in the event that guest data is added to the account: compliance with the cooperation and information obligation set out in Section 165 of Act C of 2000 on Accounting, Section 196 of Act CXXVII of 2007 on Value Added Tax, and Section 6:62 of the Civil Code.
Data processed:
- donor’s name
- gift recipient’s name
- buyer’s email address
- personal message on the gift certificate
- delivery email address
- delivery date
- billing name
- billing address
- phone number
- I would like to be informed about offers
Duration of data management: Accounting documentation must be kept for 8 years pursuant to Section 169 (1) of the Accounting Act. Contact details will be kept until the contract is fulfilled, but no later than December 31 of the year following the performance of the contract.
Newsletter subscription
The Data Controller offers the opportunity for interested parties to subscribe to its newsletters on its website. Subscription to the newsletter is done with the voluntary, uninfluenced consent of the data subject. The data subject can subscribe to the newsletter by providing their email address. If the data subject does not wish to receive further newsletters in the future, they can unsubscribe at any time.
The purpose of data processing is to provide the possibility of subscribing to the newsletter.
Legal basis for data processing: consent of the data subject (Article 6(1)(a) of the GDPR).
Data processed:
- name
- email address
- package offers that the data subject would like to be informed about
- at the reception, in case of paper-based subscription, it is possible to request the newsletter by post based on the decision of the data subject
Duration of data processing: until consent is withdrawn.
Request a frequent guest card
The Data Controller provides the opportunity for its guests to register for the Frequent Guest program, within the framework of which, after every third stay, they automatically receive a free night with breakfast and free services on the fourth stay. The frequent guest card is valid for 2 years from the first night. After the specified period, the recorded and unused free nights are lost. The frequent guest card can only be obtained by an adult individual. The card is for personal use and is not transferable. The frequent guest card can be requested in person at the reception. In connection with the frequent guest card program, the participating guests also receive notifications about the latest opportunities for using the card and the related package offers, where they can use the opportunity favorably. The frequent guest card program therefore includes both the possibility of a discount and notifications about related offers.
Data processed:
- name
- email address
Duration of data processing: until consent is withdrawn.
Data protection incident
In the absence of appropriate and timely action, a data breach may cause physical, material or non-material damage to natural persons, including loss of control over their personal data or restriction of their rights, discrimination, identity theft or misuse, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, breach of the confidentiality of personal data protected by professional secrecy, or other significant economic or social disadvantage to the natural persons concerned.
It shall be ensured that all appropriate technological and organisational measures are implemented, on the one hand, to detect a personal data breach without delay, and on the other hand, to notify the supervisory authority and to notify the data subject without undue delay. Whether notification was made without undue delay shall be determined in particular having regard to the nature and severity of the personal data breach and its consequences or adverse effects on the data subject. Notification to the supervisory authority may result in its intervention in accordance with its tasks and powers as set out in this Regulation.
Reporting a data breach to the supervisory authority
The controller shall notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by reasons justifying the delay.
The data processor shall notify the data controller of the data protection incident without undue delay after becoming aware of it.
The notification shall include at least:
a.) the nature of the data breach must be described, including – if possible – the categories and approximate number of data subjects, as well as the categories and approximate number of data affected by the breach;
b.) the name and contact details of the data protection officer or other contact person who can provide further information must be provided;
c.) the likely consequences of the data protection incident must be described;
d.) the measures taken or planned by the data controller to remedy the data protection incident must be described, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.
If and to the extent that it is not possible to provide the information simultaneously, it may be provided in parts at a later date without further undue delay.
The controller shall keep records of data breaches, indicating the facts relating to the data breach, its effects and the measures taken to remedy it. This record shall enable the supervisory authority to verify compliance with the requirements of this Article.
Obligation to inform the data subject according to Article 34 of the GDPR
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe the nature of the personal data breach in a clear and intelligible manner and shall include at least the information and measures referred to in points (b), (c) and (d) of Article 33(3) of the GDPR.
The data subject does not need to be informed if any of the following conditions are met:
a.) the controller has implemented appropriate technical and organizational security measures and these measures have been applied to the data affected by the data breach, in particular measures – such as the use of encryption – that make the data unintelligible to persons not authorised to access the personal data;
b.) the controller has taken further measures following the data protection incident to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph (1) is no longer likely to materialise;
c.) providing information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly published information or a similar measure shall be taken which ensures that the data subjects are informed in a similarly effective manner.
If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to involve a high risk, order the data subject to be informed or determine that one of the above-mentioned conditions is met.
The rights of the data subject according to the GDPR:
In connection with data processing, the data subject may, through the Data Controller:
- request information about data processing and access to the data processed concerning him/her,
- request correction of inaccurate data or completion of incomplete data,
- request the deletion of data processed based on his/her consent,
- object to the processing of his/her personal data,
- exercise his/her right to data portability,
- request restriction of data processing.
Upon request for information, the data subject may – unless restricted by law due to legitimate interests – find out whether the data controller is processing their personal data and is entitled to receive information about the data processed concerning them, including:
- the purpose for which the data is processed,
- what authorizes the processing of the data (legal basis),
- when and for how long the data is processed (duration),
- what data is processed, a copy of which is made available to the data subject,
- the recipients and categories of recipients of the personal data,
- the transfer to a third country or international organization,
- the data subject’s rights in relation to data processing,
- the possibilities for legal remedies.
The employer, as the data controller, shall respond to requests for information and access within 30 days at the latest. The data controller may charge a reasonable fee based on administrative costs for additional copies of the personal data requested by the data subject. In some cases, the data controller may refuse to provide information based on legal authorization – for example, in order to prevent or prosecute crimes – in which case the response will include information on the legal provision that grounds the refusal to provide information and on the possibility of legal remedies.
In the event of a request for correction (amendment) of data, the data subject must substantiate the truth of the data requested to be amended and must also prove that the person entitled to do so is indeed requesting the amendment of the data. If it is not clear whether the processed data is correct or accurate, the data controller shall not correct the data, but shall only mark it, i.e. indicate that the data subject has objected to it, but it may not be incorrect. After confirming the authenticity of the request, the data controller shall correct the inaccurate personal data or supplement the data affected by the request without undue delay. The data controller shall notify the data subject of the correction or marking.
The data controller will comply with your request to restrict data processing if one of the following is met:
- the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period of time enabling the controller to verify the accuracy of the personal data,
- the data processing is unlawful and the data subject opposes the deletion of the data and instead requests the restriction of their use,
- the data controller no longer needs the personal data for the purposes of data processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the data processing relating to him or her.
If the data is subject to restriction, then personal data, with the exception of storage, will only be processed:
- with the consent of the person concerned,
- to assert, exercise or defend legal claims,
- to protect the rights of another natural or legal person, or
- in the important public interest of the European Union or a Member State.
The data controller shall inform the data subject in advance of the lifting of the restriction on data processing.
Legal remedy
If the data subject considers that the data processing violates the provisions of the GDPR or considers the way in which the data controller handles his or her personal data to be offensive, it is advisable to contact the data protection officer, or if the data controller does not employ a data protection officer, the company representative with the complaint. The complaint will be investigated in all cases. If, despite the response to your complaint, you continue to be dissatisfied with the way the police data processing body handles your data, or you wish to contact the data protection authority directly, you may file a complaint with the National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa u. 9-11., 1363 Budapest. Pf. 9.)
You have the option of filing a lawsuit in court to protect your data, which will handle the case on an urgent basis. In this case, you can decide whether to file your claim with the court of your place of residence (permanent address) or your place of stay (temporary address) (https://birosag.hu/torvenyszekek). You can find the court of your place of residence or place of stay at https://birosag.hu/birosag-kereso
If the Data Controller experiences a breach of the legal provisions on data processing or a request has not been fulfilled in relation to its Facebook or Instagram page, your personal data is processed by Meta Platforms Ireland Ltd., (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). For this reason, the Irish data protection authority is entitled to act in the matter, so you should contact the Irish Data Protection Commission (21 Fitzwilliam Square, South Dublin 2, D02 RD28, Ireland) with your complaint.
This text was translated automatically. In case of any discrepancies, the Hungarian version shall prevail.