Privacy Policy
Privacy Policy of Mercure Tokaj Center****superior
Personal data of natural persons collected during actions in relations to Tokaj Hotel Ltd. is processed in compliance with Regulation 2016/679 (hereby referred to as GDPR) of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and with Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereby referred to as Info law).
The publisher of this Privacy Policy Manual is also the manager of data. The processing of data is done by our colleagues. Data can only be accessed by those employees of Tokaj Hotel Ltd. to whose work such access is essential. Right to access personal data is regulated by internal rules.
Identity and contact details of the controller (GDPR Article 13. 1/a):
- Name: Hotel Tokaj Kft.
- Location: 3910 Tokaj, Rákóczi út 5
- Representative: Tarnainé Dr. Ináncsy Márta
- E-mail address: hb9b1@accor.com
Protection officer (GDPR Article 13. 1/b):
- Name: Csilla Nyiri
- Postal address: 3910 Tokaj, Rákóczi út 5.
- E-mail address: hb9b1-gm@accor.com
Access to judicial remedy
If the data subject considers that the processing of personal data relating to him or her infringes this Regulation, they have the right to lodge a complaint to the Hungarian National Authority for Data Protection and Freedom of Information. Right to lodge a complaint with a supervisory authority (GDPR Article 77). Right to an effective judicial remedy against a supervisory authority (GDPR Article 78).
Contact information of the Hungarian National Authority for Data Protection and Freedom of Information:
- Location: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
- Postal address: 1530 Budapest, Pf.: 5.
- Webpage: http://naih.hu
- E-mail address: ugyfelszolgálat@naih.hu
- Phone number: +36-1-391-1400
Data of website visitors
- Data processed: from the beginning of the visit until the end of the visit, IP address and other browsing data (Cookies)
- The goal of processing data is to identify the websites visitors and learn about browsing habits
- The lawfulness of processing is based on the consent of the data subject as per GDPR Article 6, section 1 point (a)/
- The source of the data is the data subject
- Transmission of data
- The data will be deleted if the data subject revokes consent
Direct marketing (newsletter)
- Data processed: name and e-mail address
- Data is processed for marketing purposes, to promote the services of the hotel with the help of an online newsletter
- The lawfulness of processing is based on the consent of the data subject as per GDPR Article 6, section 1 point (a)/
- The source of the data is the data subject
- Transmission of data
- The data will be deleted if the data subject revokes consent
Requesting offers
- Data processed: name, e-mail address, phone number, number of persons requesting an offer, (number and age of children)
- Data is processed in order to contact the requesting party, maintain contact with the requesting party, provide the requesting party with a personal offer
- The lawfulness of processing is based on the consent of the data subject as per GDPR Article 6, section 1 point (a)/
- The source of the data is the data subject
- Transmission of data
Deadline for deleting data
- In case of a successful offer request, data is deleted in accordance with our rules regarding reservations.
- If the offer is rejected by the requesting party, data is deleted on the date of rejection.
- If no answer is received to the offer, data is deleted until the day after the request for an offer expires.
Direct reservation
- Data processed: name, e-mail address, phone number, number of persons requesting an offer, (number and age of children)
- Data is processed in order to make a reservation
- The lawfulness of processing is based on the fulfilment of contractual obligations /GDPR Article 6, section 1, point (b)/ 30-31§ act C of 1990 on processing data in relations to date of birth/ GDPR Article 6, section 1, point (c)/
- The source of the data is the data subject
- Transmission of data
Deadline for deleting data
- In case of name and address, in compliance with 169§ act C. of 2000 on accounting, 8 years
- In the case of names and ages of guests, in accordance with 78§ and 202§ of act CL of 2017, the last day of the 5th year after the reporting year
Reservation through intermediaries
- Data processed: name, e-mail address, phone number, number of persons requesting an offer, (number and age of children)
- Data is processed in order to make a reservation
- The lawfulness of processing is based on the fulfilment of contractual obligations /GDPR Article 6, section 1, point (b)/ 30-31§ act C of 1990 on processing data in relations to date of birth/ GDPR Article 6, section 1, point (c)/
- The source of the data is an online intermediary or a travel agency, who is considered an independent data controller
Deadline for deleting data
- Personal data provided during the reservation process is deleted upon the expiration of the contract with the subjects
Exceptions:
- In case of name and address, in compliance with 169§ act C. of 2000 on accounting, 8 years
- In the case of names and ages of guests, in accordance with 78§ and 202§ of act CL of 2017, the last day of the 5th year after the reporting year
Regular Guest program
- Data processed: name, number of previous stays in the hotel
- Data is processed in order to provide special offers, strengthen sales, create a group of regular guests
- The lawfulness of processing is based on the consent of the data subject as per GDPR Article 6, section 1 point (a)/
- Data is sourced from the data subject and from our own records
The data will be deleted if the data subject revokes consent
Providing an invoice
- Data processed: name, address, credit card information
- Goal of the data processing: to provide a proper invoice as a duty according to legislations, and to create a document signifying a transaction
- The lawfulness of processing is based on 169§ act C. of 2000 on accounting/ GDPR Article 6, section 1, point (c)/
- The source of the data is the data subject
Data will be deleted in compliance with 169§ act C. of 2000 on accounting, within 8 years
Newsletter
- Data processed: e-mail address, name
- Data is processed in order to establish, preserve and improve relations with guests and partners
- The lawfulness of processing is based on the consent of the data subject as per GDPR Article 6, section 1 point (a), given when beginning the use of this function
- Data will be deleted after the subject unsubscribes from the newsletter
- Data is sourced from the data subject
Data processing and registration forms
- Data processed: name, date of birth, ID/Passport number, address, billing address, e-mail address, license number of vehicle
- Goal of the processing: direct marketing, sale of services.
- The lawfulness of processing is based on GDPR Article 6, section 1, point (b), GDPR Article 6, section 1, point (c) and 169§ act C. of 2000.
- Data is sourced from the data subject
- Transmission of data
Credit card details
- Data processed: name of the card owner, card number, expiration date, CVV/CVC
- Data is processed in order to fulfil a contract in relations to hotel services
- The lawfulness of processing is based on the consent of the data subject, in accordance with GDPR Article 6, section 1, point (b)
- Data is sourced from the data subject
- Transmission of data
CCTV system
- Data processed: faces of the data subjects recorded by the CCTV system, their behavior
- Data is processed in order to preserve the life and safety of individuals on the premises of the hotel and protect their belongings and valuables
- The lawfulness of processing is based on the consent of the data subject, in accordance with GDPR Article 6, section 1 points (a) and (f). The data is stored for 30 days after its recorded.
- Data is sourced trough a CCTV system
- Transmission of data
Records of complaints
- Data processed: name of the subject, home address, detailed description of the complaint with relevant documentation, documents, photographic evidence or video recording
- Data is processed in order to preserve the life and safety of individuals on the premises of the hotel and protect their belongings and valuables.
- The lawfulness of the processing is based on 17/A. § (7) of act CLV of 1997, which makes processing data compulsory for 5 years after the complaint is recorded
- Data is sourced from the data subject
- Transmission of data
Use of the central safe
- Data processed: name of the subject, their phone number, their address
- Data is processed in order to use the central safe
- Data is sourced from the data subject
- Transmission of data
Data will be deleted upon the termination of the contract, on the use of the central safe, with the subject.
Based on Article 79 of the GDPR, on right to an effective judicial remedy against a controller or processor, the data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
Relevant court with necessary jurisdiction:
- Address: 3525 Miskolc, Dózsa György út 4
- Postal address: 3550 Miskolc, Pf. 370.
Scope of processed data of the data subjects:
- data for maintaining contact for the purposes of requesting offers and reservations (surname, first name, address, phone number, e-mail address), based on GDPR Article 6, section 1, point b) and point c).
- data for maintaining contact for marketing and online advertisement purposes (surname, first name, e-mail address), based on GDPR Article 6, section 1, point a) (consent of the data subject).
- personal data for identification for reservation purposes (ID card number, passport number, place and date of birth, nationality), based on GDPR Article 6, section 1, point b) and point c) (considering act C. of 1990).
- personal data of children for reservation purposes (surname, first name, place and date of birth), based on GDPR Article 6, section 1, point b) and point c).
- bank account details for the purposes of transaction, reservation, use of services and for paying for invoices, (account number, credit cards date of expiration, name of the card owner, CVC/CVV), based on GDPR Article 6, section 1, point c) (considering act C. of 2000).
- membership details for the purpose of participation in a loyalty program, based on based on GDPR Article 6, section 1, point a) (consent of the data subject).
- date of arrival and departure based on GDPR Article 6, section 1, point b).
- visa number, residence permit, nationality (for non-EU citizens), for the purpose of making a reservation based on GDPR Article 6, section 1, point b).
- technical and geolocation details generated by the hotel’s website while being used (beginning and end date of use, IP address, and other data for the facilitator of the website (Cookies)), based on GDPR Article 6, section 1, point a).
- The scope of data processed is recorded in the archives of the processor on paper and in digital form.
Purpose and legality of processing data
The processor processes data of the data subjects for the purposes of making reservation, both online and in person, use of the hotel’s services, maintaining contact, and for the legal duties and obligations of the processor, especially those relating to taxation and accounting.
The legality of data processing is based on the voluntary consent of a previously, and properly informed data subject.
While using the hotel and by providing personal data, the data subject declares that he or she has read the version of the hotel’s Privacy Policy which was relevant at the time when the data was provided and voluntarily agrees to the processing of the personal data provided. The data subject can only provide personal data in accordance with the relevant legislations, and must guarantee that he or she has consented to providing the data.
The processor will record the IP address of the data subject, when entering the website, in relation to providing services, with regard to the rightful needs of the processor, and for the purpose of providing a service in accordance with the law, without the expressed consent of the data subject.
Duration of data processing
Based on 169§, paragraph (1), of act C. of 2000 on accounting. In accordance with the law the business is obligated to preserve, in a readable form, the report of the business year, business reports, the inventory supporting said reports, the evaluation, the trial balance sheet, and the cash book, or any other records for at least 8 years.
(2) Financial documents, which directly or indirectly, support accounting (including general ledger accounts, both analytical and detailed accounts) must be preserved, in a readable form, for at least 8 years, based on the citation of accounting records, in a retrievable way.
In accordance with act CL. of 2017 on taxation, 78§, paragraph (1), documents mentioned in 77§, paragraph (1), must be protected by the tax payer at a place previously declared to the revenue services.
(2) For the duration of processing or accounting the documents can be moved to another location, however, upon request, they must be presented to the revenue services within three workdays.
(3) The tax payer is obligated to preserve the documents, regardless of the method of registration, until the right to determine taxes prescribe. In the case of postponed taxes, the documents must be preserved for five years after the last day of the calendar year of the due date of the postponed tax.
(4) The employer (payer) must preserves the warrants, on which the tax, determined by them, and the advance tax are based, until the deadline established in paragraph (3).
77§ (1) The warrant, book, and record – including data and information stored on data mediums - mentioned in the legislation, have to be issued and recorded in a way, which would make it possible to determine and control, the basis of the tax, the amount of the tax, the tax exemptions, tax cuts, the basis and amount of budgetary contribution, their payment and the use.
The consent of the data subject:
The personal data of the data subject is processed based on the contribution of the data subject. Consent can be given:
- By providing a declaration.
- Through a document created between the processor and the subject (e.g. online reservation, filling out a registration form, contract).
Personal data is processed with the consent of the data subject and in accordance with contract between the parties, and with the duties and obligations of the processor derived from legislation.
Consent is given on a voluntary basis, and the subject has the right to revoke his or her consent, at any time by sending a unilateral declaration addressed to the processor.
Data, which the processor must process, due to their obligations derived from legislation, will continued to be process, following the declaration of the subject, in compliance with legislations.
The addressee of personal data
The processor may transmit the personal data of the subject to government organs, and to the revenue service, in accordance with their legal obligations.
The rights of the data subject
The subject vis-à-vis his or her personal data processed by the processor, or a person processing the data based on the request of the processor, has the right to:
Receive information in regards to facts relating to data processing before the processing starts (right to preliminary orientation).
Request that his or her personal data, and information relating to its processing, be provided to them by the processor (right to access). The processor has to inform the subject of the actions taken as consequence of the request, without undue delay, within one month of receiving the request. If it is necessary, considering the complexity of the request and the number of requests, this deadline can be extended by two months. The processor has to notify the subject of the delay, and of the reasons for the delay, within one month of receiving their request. If the request was sent in a digital format, the processor should also send their response in the same manner, except if the subject request otherwise.
Request that the processor correct their personal data, or supplement it with additional information (right to correction). This also applies to cases mentioned later in this chapter. In order to validate the right to correction, the processor, or a person processing the data based on the request of the processor, has to – without delay – correct, specify or if compatible with the goal of processing data, supplements processed data, with additional personal data provided to them by the data subject or with a declaration of the subject connected to personal data, if the data processed is inaccurate or imperfect.
Request, that the processor, limit the processing of their personal data (right to limit processing data). This also applies to cases mentioned later in this chapter.
Request that their personal data be deleted by the processor (right to delete data). This can also happen in specified cases.
The processor will delete the information of the subject without delay if:
- data processing is illicit,
- the subject revokes their consent or request that their data be deleted, except, if data is processed based on Info law 5§ paragraph (1) point a), point b) point c) or paragraph (2) point b),
- a legislation, a legal act of the EU, the Authority or, a court orders that the data be deleted, or
- there is no more need for the data, for the purpose it was collected or processed for in any other way.
The processor will not delete the data if it is needed for one of the following reasons:
- reasons connected to the right of freedom of speech or collection of information
- in order to complete a legal obligation connected to processing personal data
- for pleading, proving and protecting legal claims.
The subject has the right to request the processor to limit the processing of data if one of the following cases occur:
- the subject questions the accuracy of personal data, in this case the processing of the data will be limited to a time period, that will allow the processor to evaluate the accuracy of the personal data concerned.
- the processing of data is illicit, however the subject is against deleting the data and instead request the limitation of the processing of the data.
- the processor no longer needs the data for the purposes of processing it, however the subject requires the data for pleading, protecting or proving legal claims, or
- the subject protests against the processing of their data; in this case a limitation comes into place until it is determined whether the legal claims of the processors take precedence over the legal claims of the subject. Until the limitation is in place, the limited personal data of the subject can only be processed with the consent of the subject, or for the reason of pleading, protecting or proving legal claims, or to protect the legal rights of another natural or legal person, or if it can be processed because of an important public interest of the European Union or one of its member states. The processer will notify the subject prior to the lifting of the limitations.
The subject has the right to protest against the processing of their personal data based on GDPR Article 6, section 1, points e) and f), including profiling based on said regulations, at any time based on reasons derived from his or her personal situation. In this case the processor cannot continue the processing of the data, except when the processing of data is supported by such coercive legitimate reasons which take precedence over the interests, rights and liberties of the subject, or reasons that are connected to the pleading, proving or protecting of legal claims. (right to protest)
Extent of the Privacy Policy
This Privacy Policy on April 1st 2022. The processor has the right to independently modify this privacy policy, at any time.