Data Protection INFORMATION SHEET
[Bük, Bükfürdő Közhasznú Turisztikai Egyesület]
1. Purpose and Scope of the Information Sheet
- The purpose of this Data Processing Information Sheet (hereinafter referred to as "Information Sheet") is to determine the legal order for the use of the records / databases kept by [Bük, Bükfürdő Közhasznú Turisztikai Egyesület] (hereinafter "Data Controller") and to ensure that the constitutional principles of data protection and the requirements of the right to self-determination and data security are met, and that everyone has their own personal data at their disposal within the framework of legislation and knows the circumstances of the processing thereof, and that unauthorized access, data modification and unauthorized disclosure are prevented. In addition, this Information Sheet provides information to Data Subjects about the data processing practices of Data Controller.
- The scope of this Information Sheet covers processing personal and special data at all organizational units of Data Controller.
2. Applicable Legislation
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR")
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter referred to as "Info Act")
- Act V of 2013 on the Civil Code (hereinafter referred to as the "Civil Code")
- Act CXXX of 2016 on the Code of Civil Procedure (hereinafter referred to as "CCP")
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities
3. Details of Data Controller
The current details of Data Controller are as follows:
- Name: Bük, Bükfürdő Közhasznú Turisztikai Egyesület (Tourism Association of Bükfürdő)
- Headquarters: 9737 Bük, Eötvös u. 11.
- Registration Number: 18-02-0200231
- Tax Number: 18899874-2-18
- Court of Registration: Regional Court of Szombathely
- Phone: +36 94 558 419
- E-mail address: info@visitbuk.hu
4. Scope of Personal Data Processed, Purpose, Duration and Title of Data Processing
- Data processing by Data Controller is carried out on the basis of voluntary consent from Data Subjects or pursuant to law. In the case of voluntary consent, Data Subject may at any time request information on the scope of the data being processed and the manner in which they are used and may withdraw their consent, except in specific cases where data processing continues on the basis of statutory obligation (in such cases Data Controller shall provide information on further processing of the data to Data Subject).
- Data Subjects are required to provide data accurately, to the best of their knowledge.
- If Data Subject fails to provide their own personal data, Data Supplier shall be obliged to obtain the consent of the person concerned.
- If Data Controller transfers the data to data processors or other third parties, Data Controller shall keep records thereof. Records on transferring data shall include the recipient, the method, the date and the scope of the data transferred.
- Data processing for each activity of Data Controller:
  - Guest Management, Questionnaires
  - Complaint Handling
  - Tourist Card
  - Logging on the Website of Data Controller
  - Cookie Management on the Website of Data Controller
  - Sports equipment rental
Guest Management, Questionnaires:
Legal grounds for data processing: Consent of Data Subject
Scope of the data processed: Age group, e-mail address, accommodation used, purpose of travelling, source of tourist information, regular guest, booking method, means of travelling, services used in the spa
Purpose of data processing: To collect statistical data and to further develop services
Deadline for erasing the data: Anonymised data shall be retained for an unlimited period of time; name, e-mail address and the sheets containing these data shall be destroyed after 5 years.
Possible consequences of lack of communication of data: Hindrance to the development of services provided by Bükfürdő.
Complaint Handling:
Legal grounds for data processing: Consent of Data Subject
Scope of the data processed: Name, e-mail address, content of complaint
Purpose of data processing: To foster efficiency of handling complaints
Data transfer: To the service provider complained about
Legal grounds for data transfer: Consent of Data Subject
Data processors: Service provider complained about
Deadline for erasing the data: 5 years
Possible consequences of lack of communication of data: Failure of complaint handling
Tourist Card:
Legal grounds for data processing: Consent of Data Subject
Scope of the data processed: Name, e-mail address, accommodation, length of stay, date of birth, home address
Purpose of data processing: To use a discount card, collect statistical data
Data transfer: Website operator
Legal grounds for data transfer: Performance of the contract
Data processors: Qilaq Solution Kft. (address, mail)
Deadline for erasing the data: 5 years in case of data enabling personal identification; anonymised data shall be retained for an unlimited duration for statistical purposes
Possible consequences of lack of communication of data: Failure of service
Logging on the Website of Data Controller:
Legal grounds for data processing: Consent of Data Subject
Scope of the data processed: IP address, visitor's language, IT device and software used
Purpose of data processing: To collect statistical data
Data transfer: Website operator
Legal grounds for data transfer: Performance of the contract
Data processors: Qilaq Solution Kft. ( )
Deadline for erasing the data: 2 years
Possible consequences of lack of communication of data: Deterioration of user experience on the website
Logging-related data processing of external service providers: IP address, visitor's language, IT device and software used
Cookie Management on the Website of Data Controller:
Legal grounds for data processing: Consent of Data Subject
Cookies used: PHP Session cookie - does not expire; only responsible for operation of the website. No personal data is saved into it by the system. Google Analytics cookies send data to Google Inc. through an anonymised IP address containing the visitor's tracker ID only.
Scope of the data processed: PHP Session cookie: -; Google Analytics cookies: IP address.
Purpose of data processing: PHP Session cookie: Basic operation of the website of the Data Controller; Google Analytics cookies: Improving the operation of the data processing website.
Data transfer: Google Inc.
Legal grounds for data transfer: Consent of Data Subject
Data processors: Google Inc. (Mountain View, California, United States)
Deadline for erasing the data and other detailed information: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
Possible consequences of lack of communication of data: Jeopardising the proper operation of the data processing website
Sports equipment rental:
Legal grounds for data processing: Consent of Data Subject, Lease Agreement
Scope of the data processed: Name, identity card, address of accommodation used, telephone number, e-mail address
Purpose of data processing: To rent sports equipment
Deadline for erasing the data: 6 years, 9 years for invoice
Possible consequences of lack of communication of data: Failure of service
5. Rights of Data Subjects, Legal Remedies
- Data Subjects may at any time request information from Data Controller in writing about the manner in which their personal data are handled, submit their request for erasure or modification, and withdraw their consent, using the contact details specified in point 3 above.
- Data Subject shall not be able to exercise their right of erasure in the case of data processing stipulated by law.
- Content of the right to information: Based on the request of Data Subject, Data Controller shall provide Data Subject with the information on processing personal data listed in Articles 13 and 14 of GDPR, and provide the information in Articles 15 to 22 and 34 in a concise, comprehensible form.
- Content of the right to access: Upon the request of Data Subject, Data Controller shall provide information on whether data processing of Data Subject is in progress with Data Controller. If data processing concerning Data Subject is in progress with Data Controller, Data Subject shall have access to the following:
  - Personal data concerning Data Subject;
  - Purpose(s) of data processing;
  - Categories of personal data concerned;
  - Persons to whom data of Data Subject have been or will be disclosed;
  - Length of storing the data;
  - Right to rectification, erasure and restriction of data processing;
  - Right of access to a court or supervisory authority;
  - Source of data processed;
  - Details and practical effects of profiling and / or automated decision-making and the application thereof;
  - Transferring the data processed to a third country or an international organization.
- In the case of data requests as described above, Data Controller shall issue a copy of the corresponding data processed to Data Subject. A separate request may be submitted to Data Controller to deliver the requested data by electronic means.
- For each additional copy, Data Controller asks for a 500 HUF administration fee per page.
- The deadline for issuing the requested data is 30 days from receipt of the request.
- Right to rectification: Data Subject may request rectification of inaccurate data relating to them processed by Data Controller.
- Right to erasure: If any of the following reasons exist, Data Controller shall, at the request of Data Subject, erase data concerning Data Subject as soon as possible and in any event within 5 working days:
  - Data were illegally processed (without statutory authorization or personal consent);
  - Data processing is unnecessary to achieve the original purpose;
  - Data Subject withdraws their consent to data processing and Data Controller has no other legal grounds for data processing;
  - Collection of the data concerned has been made in connection with information society service provision;
  - Personal data have to be erased to comply with statutory obligations of Data Controller.
- Erasure of data may not be performed by Data Controller if data processing is required for any of the following:
  - complying with statutory provisions applicable to Data Controller;
  - exercising the right to freedom of expression and information;
  - public interest;
  - archiving, scientific, research or statistical purposes;
  - enforcing or protecting legal claims.
- Right to restriction of data processing: If any of the following reasons exist, Data Controller shall restrict data processing at the request of Data Subject:
  - The accuracy of the personal data relating to Data Subject is contested by them, in which case the restriction applies until the accuracy and correctness of the data in question are duly verified;
  - Data processing is illegal but at the same time Data Subject requests non-erasure and only requests restriction of data processing;
  - Data are no longer needed for data processing, but Data Subject requests that they be stored further to enforce or protect their legal claims.
- If Data Controller introduces a restriction to any data processed, they shall only process the data concerned during the time of the restriction if:
  - Data Subject has given their consent to this;
  - it is necessary to enforce or protect legal claims;
  - it is necessary to enforce or protect the rights of another person;
  - it is necessary to enforce public interest.
- Right to withdraw: Data Subject shall be entitled to withdraw their consent given to Data Controller at any time, in writing. Upon such request, Data Controller shall immediately and permanently erase any data that have been processed relating to Data Subject and whose further storage is not required by law or necessary for the enforcement or protection of rights related to legitimate interests. The lawfulness of data processing until the consent is withdrawn shall not be affected by the withdrawal.
- The right to data portability: Data Subject is entitled to request Data Controller to forward data relating to them to another data controller in a generally used, electronically readable form. The request shall be complied with by Data Controller as soon as possible and in any event within 30 days.
- Automated decision making and profiling: Data Subject is entitled not to be subject to a decision solely based on automated data processing (e.g. profiling) that would have legal effect on them or would adversely affect them otherwise. Such right shall not apply if:
  - data processing is essential for the conclusion or performance of a contract between Data Subject and Data Controller;
  - Data Subject expressly consents to the application of such a procedure;
  - application is authorized by law;
  - it is necessary to enforce or protect legal claims.
6. Contact
When Data Subject contacts Data Controller, the e-mail received and its contents (especially the sender's name, address, date and attachments) will be stored for 5 years and then erased by Data Controller.
7. Means of Storing and Securing Data
- Data Controller stores the data processed, both in paper and in electronic form, at their headquarters.
- Exceptions to (1) are the data stored at data processors of Data Controller, which are held at the headquarters of the data processors.
- Data Controller operates an IT system that ensures that:
  - integrity of the data can be verified (data integrity);
  - authenticity of the data is secured (authenticity of data processing);
  - the data are accessible to those entitled (availability);
  - the data are protected against unauthorised access (confidentiality of data).
- The data shall be protected in particular against:
  - unauthorised access;
  - modification;
  - transferring;
  - erasure;
  - disclosure;
  - accidental breach;
  - accidental destruction;
  - or unavailability due to change in the technology used.
- In order to protect the electronically processed data, Data Controller shall use state-of-the-art security measures. When examining compliance, the risk of data processing at Data Controller is especially emphasised. IT protection ensures that the data stored are not directly attributed or linked to Data Subjects (unless permitted by law).
- While processing the data, Data Controller ensures that:
  - those entitled have access to the data when they need it;
  - only those entitled have access to the information;
  - the accuracy and completeness of the information and the method of processing are protected.
- Data Controller and its potential data processors shall always protect their IT systems against fraud, espionage, viruses, burglaries, damage and natural disasters. Data Controller (and the data processor) uses server-level and application-level security measures.
- Messages transferred to Data Controller over the Internet, in any form, are increasingly exposed to network threats that may result in modification of information, access by unauthorized persons or other illegal activities. To safeguard against such hazards, Data Controller shall make every reasonable effort expected from them according to the state of the art. To this end, the systems used are monitored to record security breaches, to obtain evidence in the event of security incidents and to investigate the effectiveness of the security measures.
8. Procedural Rules
- If Data Controller receives a request based on Articles 15 to 22 of GDPR, Data Controller shall inform Data Subject in writing of the measures taken on request as soon as possible and in any event within 30 days.
- If the complexity of the request or other objective circumstance justifies it, the above deadline may be extended once, up to 60 days. Data Controller shall inform Data Subject in writing about the extension of the deadline, together with an appropriate justification for the extension.
- Data Controller provides the information free of charge, unless:
  - Data Subject requests information / measures repeatedly about essentially unchanged content;
  - the request is manifestly unfounded;
  - the request is manifestly excessive.
- In cases referred to in (3), Data Controller shall be entitled to:
  - refuse the request;
  - complete the request upon charging a reasonable fee related to it.
- If the applicant requests the transfer of data in paper format or on electronic media (CD or DVD), Data Controller shall provide a copy of the data concerned free of charge as requested (unless the platform chosen is technically disproportionate). For each additional copy requested, Data Controller asks for an administration fee of 500 HUF per page / CD / DVD.
- Data Controller shall inform the persons to whom they previously communicated the data concerned about the rectification, erasure or restriction performed by Data Controller, unless provision of information is impossible or requires disproportionate efforts.
- If requested by Data Subject, Data Controller provides information about the persons to whom the data was transferred.
- Data Controller shall reply to the request in electronic form unless:
  - Data Subject expressly requests the reply in a different way and it does not cause unreasonably high extra cost to Data Controller;
  - Data Controller does not know the electronic contact details of Data Subject.
9. Compensation
- In the event of any party suffering material or non-material damage as a result of an infringement of the data protection legislation, they shall be entitled to claim compensation from Data Controller and / or the data processor. If Data Controller and data processor(s) are also affected by the infringement, they shall be jointly and severally liable for the damage.
- The data processor shall only be liable for the damage if they have violated the specific provisions of the applicable data protection law for data processors or if the damage has been caused by the failure to observe the instructions of Data Controller.
- Data Controller and any data processors shall only be liable if they cannot prove that they are not liable for the incident or circumstance causing the damage.
10. Remedy
- If Data Subject considers that their rights have been infringed by Data Controller and / or the data processors, they shall be entitled to access a court having jurisdiction according to CCP. The court shall give such cases priority.
- If Data Subject wishes to make a complaint about data processing, they can do so at the Nemzeti Adatvédelmi és Információszabadság Hatósága (National Authority for Data Protection and Freedom of Information) at the following address: Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C; mailing address: 1530 Budapest, Pf.: 5.; Telephone: +36 1 391 1400; fax: +36 1 391 1410; e-mail address: ugyfelszolgalat@naih.hu; website: www.naih.hu
11. Administrative Cooperation
- Data Controller, upon receiving a formal request from the competent authorities, shall transfer the specified personal data.
- Data Controller shall only transfer data in the cases referred to in (1) which are strictly necessary to achieve the purpose indicated by the applicant authority.
Done in Bük, on 24th May 2018