Privacy policy

PRIVACY POLICY OF HOTEL BALNEO KFT.

1. GENERAL PROVISIONS

Hotel Balneo Kft., HU-3400 Mezőkövesd, Fülemüle u. 2., as the operator of Balneo Hotel Zsori Thermal & Wellness, is committed to ensuring the lawfulness and appropriateness of the processing of personal data. The purpose of this information is to provide our guests who book accommodation and provide their personal data with adequate information about the conditions and guarantees under which our company processes their data and for how long, before they make a reservation or provide their personal data. We apply this information in all cases involving the processing of personal data and we consider ourselves bound by the information contained herein.

However, we reserve the right to change what is described in this unilateral declaration, in which case we will inform the data subjects in advance. Please email us if you have any questions about the contents of this policy. The processing of data relating to the activities of our company is based on voluntary consent and, in some cases, is necessary to take steps at the request of the data subject prior to the conclusion of the contract.

Our data management practices comply with the relevant legislation, in particular:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "GDPR")
  • Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information ("Privacy Act").

Our company data and contact details are as follows:
Name: Hotel Balneo Kft.
Registered office: HU-3400 Mezőkövesd, Fülemüle st. 2.
Company registration number: 05 09 030055
Tax number: 24145246-2-05
Telephone number: +36 49 505 030
E-mail: info@balneohotel.hu

We hereby provide the following information about each of our data processing activities.

2. DATA PROCESSING RELATED TO ONLINE BOOKING

We offer online booking in order to provide you with a fast, convenient and cost-free way to book your accommodation at Balneo Hotel Zsori Thermal & Wellness.

Controller of the personal data: Hotel Balneo Kft., HU-3400 Mezőkövesd, Fülemüle u. 2.

Purposes of the processing: to make the booking of accommodation easier, cheaper and more efficient, to contact the guest booking the accommodation.
Legal basis for the processing: the prior consent of the person booking the accommodation. By accepting this information, the data subject gives his/her explicit consent to the processing of his/her personal data in accordance with this point.
Scope of personal data processed: preferred name; surname and first name; address (country, postcode, city, street, house number); telephone number; e-mail address; in the case of a company, company name and registered office, bank card number, CVC code, SZÉP card details (ID, name on card). If you fill in the online registration form, the following data will also be processed by the accommodation provider: number of identity document (identity card, passport or driving licence), nationality, place and date of birth, number plate of the vehicle.
Duration of data processing: two years after the last day of the booked stay.
Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.

| Name of Data Processor | Registered office | Description of data processing tasks |
| --- | --- | --- |
| NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Providing the possibility of online reservation of accommodation through RESnWEB system, operating a pre-arrival e-mail module |

By accepting this Privacy Policy, the data subject gives his or her explicit consent to the use of additional data processors by the Processor, in order to make the service more convenient and customized, as follows

| Name of additional Data Processor | Registered office | Description of data processing tasks |
| --- | --- | --- |
| The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | Owner of the Mandrill software integrated into the reservation system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, requests, offers, pre-arrival emails, gift voucher sales and customer satisfaction surveys. |
| Hostware Kft. | 1149 Budapest, Róna utca 120-122 | Performing customer management tasks for the Hostware Front Office hotel system. |
| Triptease Limited | WeWork 3 Waterhouse Square 138-142 Holborn London EC1N 2SW United Kingdom | Online chat function, which allows guests to keep in touch with the hotel and manage their reservations quickly and efficiently. |
| BIG FISH Payment Services Kft. | 1066 Budapest, Nyugati tér 1-2 | Managing data communication between the merchant and the payment service provider's system for payment transactions, ensuring the traceability of transactions for merchant partners. |
| OTP Mobil Kft. | 1093 Budapest, Közraktár u. 30-32. | Managing data communication between the merchant and the payment service provider's system for payment transactions, providing customer service assistance to users, confirming transactions and fraud monitoring to protect users. |
| Barion Payment Zrt. | 1117 Budapest, Infopark sétány 1. I. épület | Managing data communication between the merchant and the payment service provider's system for payment transactions, providing customer service assistance to users, confirming transactions and fraud monitoring to protect users. |
| Creative Management Kft. | 8200 Veszprém, Boksa tér 1. A ép. | Performing server hosting tasks |
| Wildbit, LLC* | 225 Chestnut St, Philadelphia, PA 19106, USA | Owner of the software integrated into the reservation system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, requests for quotations, offers, pre-arrival emails, gift voucher sales and customer satisfaction surveys. |

*The Data Processor has its registered office in the United States, so any transfer of data to it is considered a transfer to a third country. At the same time, The Rocket Science Group and Wildbit have voluntarily entered into the EU-US Privacy Shield Agreement between the European Union and the United States government, committing to a high level of protection of personal data, so there is no further legal barrier to the transfer.

Possible consequences of non-disclosure: The provision of data is voluntary. It is important to note that the fields marked with * are mandatory, failing which the reservation cannot be finalised. Leaving other fields blank will not have this consequence.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

  1. may request access to personal data concerning him or her,
  2. may request the rectification of such data,
  3. may request their deletion,
  4. may withdraw his or her consent to the processing: in this case, the lawfulness of the processing prior to the withdrawal is not affected by the withdrawal.
  5. may request the restriction of the processing of personal data (i.e., that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of 30 days, and that the data are not processed for any other purpose beyond that period), if the conditions set out in Article 18 of the GDPR are met,
  6. may object to the processing of personal data,
  7. may exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information relating to data processing:

  • By making a reservation, the data subject also declares that the information provided is true and correct and that he/she is over 16 years of age.
  • In order to help our guests to prepare for their trip and to shorten the check-in time on arrival, we provide them with practical and relevant information, weather forecasts, suggested activities, online check-in and a pre-arrival email with information about accommodation, travel and activities before their arrival. Based on the pre-arrival email, the guest can fill in an online check-in form to speed up their check-in to the accommodation on arrival.
  • Our company will take all necessary technical and organisational measures to avoid a possible data protection incident (e.g., damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep records to verify the necessary measures and to inform the data subject, including the scope of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.
  • Our company has entered into a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and to this end, we also ensure the lawful processing of personal data in the case of the data processor.
4. DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTIONS

Our company keeps in touch with its guests by means of a newsletter, recommending its services, informing them about news and promotions related to its operations.

Controller of the personal data: Hotel Balneo Kft., HU-3400 Mezőkövesd, Fülemüle u. 2.

Purposes of the processing: keeping in touch with potential hotel guests
Legal basis for the processing: consent of the data subject - Article 6(1)(a) of GDPR.
Indication of legitimate interest: maintaining and developing business relations with partners and hotel guests
Scope of personal data processed: name, e-mail address
Duration of data processing: our company processes e-mail addresses until you unsubscribe from the newsletter.
Use of a data processor: our company uses an IT service provider for the online reservation system as follows.

| Name of Data Processor | Registered office | Description of data processing tasks |
| --- | --- | --- |
| NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Newsletter database storage |

By accepting this Privacy Policy, the data subject gives his or her explicit consent to the use of additional data processors by the Processor, in order to make the service more convenient and customized, as follows:

| Name of additional Data Processor | Registered office | Description of data processing tasks |
| --- | --- | --- |
| Creative Management Kft. | 8200 Veszprém, Boksa tér 1/A | Operation of a newsletter sending system |
| MailerLite | 11341 Lithuania, Vilnius, Paupio g. 46 | Operation of a newsletter sending system |

Possible consequences of non-disclosure: The data subject does not receive a newsletter from our company.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

  1. may request access to personal data concerning him or her,
  2. may request the rectification of such data,
  3. may request their deletion,
  4. may withdraw his or her consent to the processing: in this case, the lawfulness of the processing prior to the withdrawal is not affected by the withdrawal.
  5. may request the restriction of the processing of personal data (i.e., that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of 30 days, and that the data are not processed for any other purpose beyond that period), if the conditions set out in Article 18 of the GDPR are met,
  6. may object to the processing of personal data,
  7. may exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

You can unsubscribe at any time by sending an email to info@balneohotel.hu or by clicking on the unsubscribe icon in the newsletter. In this case, your e-mail address will be immediately deleted from our database.

Other information relating to data processing: Our company will take all necessary technical and organisational measures to avoid a possible data protection incident (e.g., damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep records to verify the necessary measures and to inform the data subject, including the scope of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and to this end, we also ensure the lawful processing of personal data in the case of the data processor.

5. PERSONAL DATA PROCESSING RELATED TO CUSTOMER SATISFACTION SURVEYS

As a hotel, our aim is to provide our guests with a high quality of service, so we constantly ask for feedback from our guests about their experience of staying at our hotel.

Controller of the personal data: Hotel Balneo Kft., HU-3400 Mezőkövesd, Fülemüle u. 2.

Purposes of the processing: asking for feedback from our guests to further develop and improve our services.
Legal basis for the processing: legitimate interest of the hotel operator - Article 6(1)(f) GDPR.
Indication of legitimate interest: our company has a legitimate interest in receiving feedback that provides us with information to improve our services.
Scope of personal data processed: name, gender, e-mail address.
Duration of data processing: two years after the last day of the booked stay.
Use of a data processor: our company uses an IT service provider for the online reservation system as follows.

| Name of Data Processor | Registered office | Description of data processing tasks |
| --- | --- | --- |
| NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Operation of the customer satisfaction module |

By accepting this Privacy Policy, the data subject gives his or her explicit consent to the use of additional data processors by the Processor, in order to make the service more convenient and customized, as follows:

| Name of additional Data Processor | Registered office | Description of data processing tasks |
| --- | --- | --- |
| The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | Owner of the Mandrill software integrated into the reservation system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, requests, offers, pre-arrival emails, gift voucher sales and customer satisfaction surveys. |
| Creative Management Kft. | 8200 Veszprém, Boksa tér 1. A ép. | Performing server hosting tasks |
| Wildbit, LLC* | 225 Chestnut St, Philadelphia, PA 19106, USA | Owner of the software integrated into the reservation system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, requests for quotations, offers, pre-arrival emails, gift voucher sales and customer satisfaction surveys. |

*The Data Processor has its registered office in the United States, so any transfer of data to it is considered a transfer to a third country. At the same time, The Rocket Science Group and Wildbit have voluntarily entered into the EU-US Privacy Shield Agreement between the European Union and the United States government, committing to a high level of protection of personal data, so there is no further legal barrier to the transfer.

Possible consequences of non-disclosure: The person concerned does not receive a satisfaction questionnaire from our company.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

  1. may request access to personal data concerning him or her,
  2. may request the rectification of such data,
  3. may request their deletion,
  4. may withdraw his or her consent to the processing: in this case, the lawfulness of the processing prior to the withdrawal is not affected by the withdrawal.
  5. may request the restriction of the processing of personal data (i.e., that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of 30 days, and that the data are not processed for any other purpose beyond that period), if the conditions set out in Article 18 of the GDPR are met,
  6. may object to the processing of personal data,
  7. may exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information relating to data processing: Our company will take all necessary technical and organisational measures to avoid a possible data protection incident (e.g., damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep records to verify the necessary measures and to inform the data subject, including the scope of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and to this end, we also ensure the lawful processing of personal data in the case of the data processor.

6. PROCESSING OF DATA RELATED TO THE PURCHASE OF GIFT VOUCHERS

We offer the possibility to buy gift vouchers electronically. The gift voucher is provided by our company via an automated system on our website.

Controller of the personal data: Hotel Balneo Kft., HU-3400 Mezőkövesd, Fülemüle u. 2.

Purposes of the processing: purchase and delivery of gift vouchers
Legal basis for the processing: the prior consent of the person purchasing the gift voucher: by accepting this Privacy Policy, the data subject consents to the processing of the data in accordance with this point.
Scope of personal data processed: preferred name; surname and first name; address (country, postcode, city, street, house number); telephone number; e-mail address (both the sender's and the recipient's)
Duration of data processing: two years after the expiry date of the gift voucher.
Use of a data processor: our company uses the assistance of an IT service provider to operate the online gift voucher system as follows.

| Name of Data Processor | Registered office | Description of data processing tasks |
| --- | --- | --- |
| NetHotelBooking Kft. | 8200 Veszprém, Boksa tér 1/A | Operating the gift voucher module |

By accepting this Privacy Policy, the data subject gives his or her explicit consent to the use of additional data processors by the Processor, in order to make the service more convenient and customized, as follows:

| Name of additional Data Processor | Registered office | Description of data processing tasks |
| --- | --- | --- |
| The Rocket Science Group, LLC* | 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | Owner of the Mandrill software integrated into the reservation system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, requests, offers, pre-arrival emails, gift voucher sales and customer satisfaction surveys. |
| Creative Management Kft. | 8200 Veszprém, Boksa tér 1. A ép. | Performing server hosting tasks |
| BIG FISH Payment Services Kft. | 1066 Budapest, Nyugati tér 1-2 | Managing data communication between the merchant and the payment service provider's system for payment transactions, ensuring the traceability of transactions for merchant partners. |
| OTP Mobil Kft. | 1093 Budapest, Közraktár u. 30-32. | Managing data communication between the merchant and the payment service provider's system for payment transactions, providing customer service assistance to users, confirming transactions and fraud monitoring to protect users. |
| Barion Payment Zrt. | 1117 Budapest, Infopark sétány 1. I. épület | Managing data communication between the merchant and the payment service provider's system for payment transactions, providing customer service assistance to users, confirming transactions and fraud monitoring to protect users. |
| Wildbit, LLC* | 225 Chestnut St, Philadelphia, PA 19106, USA | Owner of the software integrated into the reservation system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, requests for quotations, offers, pre-arrival emails, gift voucher sales and customer satisfaction surveys. |

*The Data Processor has its registered office in the United States, so any transfer of data to it is considered a transfer to a third country. At the same time, The Rocket Science Group and Wildbit have voluntarily entered into the EU-US Privacy Shield Agreement between the European Union and the United States government, committing to a high level of protection of personal data, so there is no further legal barrier to the transfer.

Possible consequences of non-disclosure: The provision of data is voluntary. It is important to note that the fields marked with * are mandatory; if these are not provided, the person cannot purchase a gift voucher. Leaving other fields blank will not have this consequence.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

  1. may request access to personal data concerning him or her,
  2. may request the rectification of such data,
  3. may request their deletion,
  4. may withdraw his or her consent to the processing: in this case, the lawfulness of the processing prior to the withdrawal is not affected by the withdrawal.
  5. may request the restriction of the processing of personal data (i.e., that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of 30 days, and that the data are not processed for any other purpose beyond that period), if the conditions set out in Article 18 of the GDPR are met,
  6. may object to the processing of personal data,
  7. may exercise his or her right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information relating to data processing: Our company will take all necessary technical and organisational measures to avoid a possible data protection incident (e.g., damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep records to verify the necessary measures and to inform the data subject, including the scope of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and to this end, we also ensure the lawful processing of personal data in the case of the data processor.

7. COOKIE MANAGEMENT

In order to provide a more personalised service, the Data Controller places a small data package, a so-called cookie, on the user's computer and reads it back during a subsequent visit. When the browser returns a previously saved cookie, the cookie management service provider has the possibility to link the user's current visit to previous visits, but only in relation to its own content.

Purposes of the processing: identifying, tracking and distinguishing users, identifying users' current sessions, storing the data they provide, preventing data loss, web analytics measurements, personalised service.

Legal basis for the processing: consent of the data subject.
Scope of personal data processed: ID number, date, time and the page previously visited.
Duration of data processing: maximum 90 days

Name of Data Processor: NetHotelBooking Kft.
Registered office: 8200 Veszprém, Boksa tér 1/A
Description of data processing tasks: Identification of users and their current session, storage of their data, data loss prevention, web analytics measurements, personalised service.

Other information relating to data processing: You can delete the cookie from your computer or disable the use of cookies in your browser. You can usually manage cookies by going to the Tools/Preferences menu of your browser and selecting Privacy/Preferences/Custom Settings, and then selecting the cookie or tracking option.

Possible consequences of non-disclosure: it will not be possible to use the services described in points 2 to 5 above.

8. WEBSITE SERVER LOGGING

When a user visits the balneohotel.hu website, the web server automatically logs the user's activity.

Purposes of the processing: during the visit of the website, the service provider records the visitor's data in order to monitor the operation of the services and to prevent abuse.
Legal basis for the processing: Article 6(1)(f) of the GDPR. We have a legitimate interest in the secure operation of the website.
Scope of personal data processed: ID number, date, time, address of the page visited.
Duration of data processing: maximum 90 days.

Name of Data Processor: NetHotelBooking Kft.
Registered office: 8200 Veszprém, Boksa tér 1/A
Description of data processing tasks: Recording visitor data and information necessary for the operation of the server.

More information: our company does not link the data obtained from the analysis of log files with other information and does not seek to identify the user. The address of the pages visited, as well as the date and time of the visit, are not in themselves suitable for identifying the data subject, but when combined with other data (e.g., data provided during registration) they can be used to draw conclusions about the user.

Logging-related data management by external service providers: The HTML code of the portal contains links from and to an external server that is independent of our company. The server of the external provider is directly connected to the user's computer. Please be aware that the providers of these links may collect user data (e.g., IP address, browser, operating system data, mouse cursor movement, visited page title and time of visit) due to the direct connection to their server and the direct communication with the user's browser. An IP address is a sequence of numbers that uniquely identifies the computers or mobile devices of users accessing the Internet.

IP addresses can even be used to geographically locate a visitor using a particular computer. The address of the pages visited, as well as the date and time of the visit, are not in themselves suitable for identifying the data subject, but when combined with other data (e.g., data provided during registration) they can be used to draw conclusions about the user.

9. OTHER DATA PROCESSING

Information about data processing not listed in this notice is provided at the time of collection. We inform our customers that certain authorities, public bodies and courts may contact our company for the purpose of disclosing personal data. We will disclose personal data to such bodies only to the degree and to the extent strictly necessary for the purpose of the request, provided that the body concerned has indicated the exact purpose and scope of the data, and provided that the execution of the request is required by law.

10. HOW THE PERSONAL DATA ARE STORED, THE SECURITY OF THE PROCESSING

Our computer systems and other data storage locations are located at our headquarters and on servers leased by the data processor. Our company selects and operates the IT tools used to process personal data in the course of providing the service in such a way that the data processed is:

  1. accessible to authorised persons (availability);
  2. its authenticity is assured (authenticity of processing);
  3. its integrity can be verified (data integrity);
  4. protected against unauthorised access (data confidentiality).

We take particular care to ensure data security, and we take the technical and organisational measures and establish the procedural rules necessary to enforce the guarantees under the GDPR. In particular, we take appropriate measures to protect the data against unauthorised access, alteration, disclosure, publication, deletion or destruction, accidental destruction or accidental damage, and against inaccessibility resulting from changes in the technology used.

Our IT systems and networks and those of our partners are protected against computer fraud, computer viruses, computer intrusions and denial of service attacks. The operator ensures security through both server-level and application-level protection procedures. Daily data backup is provided. We take all possible measures to avoid data breaches and, in the event of such an incident, we take immediate action to minimise the risks and remedy the damage, in accordance with our incident management policy.

11. RIGHTS AND LEGAL REMEDIES FOR DATA SUBJECTS

The data subject may request information about the processing of his or her personal data, and may request the rectification, erasure or withdrawal of his or her personal data, except for mandatory data processing, and may exercise his or her right to data portability and objection in the manner indicated when the data were collected, or by contacting the controller at the above contact details.

At the request of the data subject, information will be provided in electronic form without delay and within 30 days at the latest, in accordance with our applicable policies. Requests by data subjects to exercise the rights set out below will be granted free of charge.

Right to information:

We will take appropriate measures to provide data subjects with all the information on the processing of personal data referred to in Articles 13 and 14 of the GDPR and each of the disclosures referred to in Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, but also in a precise manner.

The right to information may be exercised in writing, using the contact details provided in point 1. The data subject may also be provided with information verbally at his or her request and after verification of his or her identity. We inform our customers that, in case of doubt as to the identity of the data subject, our staff may request the information necessary to confirm the identity of the data subject.

Right of access of the data subject:

The data subject has the right to receive confirmation from the controller as to whether his or her personal data are being processed. Where personal data are being processed, the data subject shall have the right to obtain access to the personal data and to the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries (outside the European Union) and international organisations;
  • the envisaged duration of the storage of the personal data;
  • the right to rectification, erasure or restriction of processing and the right to object;
  • the right to lodge a complaint with a supervisory authority;
  • information on the sources of the data; the fact of automated decision-making, including profiling, and clear information on the logic used and the significance of such processing and its likely consequences for the data subject.

In addition to the above, where personal data are transferred to a third country or an international organisation, the data subject has the right to be informed of the appropriate safeguards for the transfer.

Right of rectification:

Under this right, any person may request the rectification of inaccurate personal data relating to him or her processed by our company and the completion of incomplete data.

Right to erasure:

The data subject has the right to have personal data relating to him or her erased without undue delay at his or her request for one of the following reasons:

  1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
  3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  4. unlawful processing of personal data can be established;
  5. the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
  6. the personal data have been collected in connection with the provision of information society services.

The erasure of data cannot be initiated if the processing is necessary for the following purposes:

  1. to exercise the right to freedom of expression and information;
  2. for the purposes of complying with an obligation under Union or Member State law to which the controller is subject and which requires the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for archiving purposes, scientific and historical research purposes or statistical purposes in the public interest in the field of public health;
  4. or for the establishment, exercise or defence of legal claims.

Right to restriction of processing:

We restrict processing at the request of the data subject in the circumstances set out in Article 18 of the GDPR, that is, where:

  1. the data subject contests the accuracy of the personal data, in which case the restriction applies for a period of time which allows the accuracy of the personal data to be verified;
  2. the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;
  3. the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
  4. the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.

Where processing is restricted, personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the European Union or of a Member State. The data subject shall be informed in advance of the lifting of the restriction on processing.

Right to data portability:

The data subject has the right to receive personal data relating to him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and to transmit these data to another controller. We can comply with such a request in Word or Excel format.

Right to object:

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for those purposes.

Automated decision-making on individual cases, including profiling:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply where the processing:

  1. is necessary for the conclusion or performance of a contract between the data subject and the controller;
  2. is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
  3. is based on the explicit consent of the data subject.

Right of withdrawal:

The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

Procedural rules:

Without undue delay and in any event within one month of receipt of the request, the controller shall inform the data subject of the action taken in response to the request pursuant to Articles 15 to 22 of the GDPR. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The controller shall inform the data subject of the extension, stating the reasons for the delay, within one month of receipt of the request.

Where the data subject has made the request by electronic means, the information shall be provided by electronic means, unless the data subject requests otherwise.

If the controller does not act on the data subject's request, the data subject shall be informed without delay and at the latest within one month of receipt of the request of the reasons for the non-action and of the right to lodge a complaint with the supervisory authority and to seek judicial remedy.

The controller shall inform all recipients to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. The controller shall, at the request of the data subject, inform the data subject of those recipients.

Damages and compensation:

Any person who has suffered material or non-material damage as a result of an infringement of the Data Protection Regulation is entitled to receive compensation from the controller or processor for the damage suffered. A processor shall be liable for damage caused by processing only if it has failed to comply with the obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the controller. Where more than one controller or more than one processor, or both controller and processor, are involved in the same processing and are liable for the damage caused by the processing, each controller or processor shall be jointly and severally liable for the total damage.

The controller or processor shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to apply to the courts and data protection authority proceedings:

The data subject may take the controller to court if his or her rights are infringed. The court shall rule on the case out of turn.

You may lodge a complaint with the National Authority for Data Protection and Freedom of Information.
Address of the authority: 1125 Budapest, Szilágyi Erzsébet fasor 22/C., mailing address: 1530 Budapest, Pf.: 5., Telephone: +36-1-391.1400, E-mail: ugyfelszolgalat@naih.hu