Privacy Policy

1. GENERAL PROVISIONS

Bükkös Hotel Kft., as the operator of Bükkös Hotel**** & Spa, always ensures the legality and expediency of data management with regard to the personal data it manages. The purpose of this information is that our guests who book accommodation and provide their personal data can receive adequate information about the conditions and guarantees and for how long their data will be processed by our company before making the reservation or providing their personal data. Our company adheres to the contents of this information sheet in all cases involving personal data management, and we consider what is described here mandatory for us.

At the same time, we reserve the right to change what is described in this unilateral legal declaration, in which case we will inform the affected parties in advance. Please write to us if you have any questions about the contents of this information sheet. The data management of our company’s activities is based on voluntary consent, and in some cases, data management is necessary to take steps at the request of the data subject prior to the conclusion of the contract.

Our data management complies with the relevant legislation, in particular the following:

➢ Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) – on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR“)

➢ CXII of 2011 on the right to information self-determination and freedom of information. Act (“Info. tv.“).

The details and contact details of our company are as follows:

Bükkös Hotel Kft.

2000 Szentendre

Bükkös beach 16.

Tax number: 14001365-2-13

Company register number: Cg.13-09-114063

Phone number: +36-26-501-360

E-mail: info@bukkoshotel.hu

We provide the following information regarding our individual data management.

2. DATA MANAGEMENT IN CONNECTION WITH ONLINE ACCOMMODATION BOOKINGS

Our company offers the possibility of online hotel reservations so that you can book a room at the Bükkös Hotel & Spa quickly, conveniently and at no cost.

Controller of personal data: Bükkös Hotel Kft.

The purpose of data management is to: make accommodation booking easier, cost-free and more efficient,

The legal basis for data management: the prior consent of the person booking the accommodation.

Scope of processed personal data: address; surname and first name; residential address (country, postal code, city, street, house number; telephone number; e-mail address; in the case of a business company, company name and seat, bank card number, SZÉP card data (identification, name on the card).

Duration of data management: two years after the last day of the stay date according to the reservation

Use of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

Data processor: NetHotelBooking Kft. (Address: 8200 Veszprém, Boksa tér 1/A)
- Data processing task description: Providing the possibility of online accommodation booking through the RESnWEB system

By accepting this data management information, the data subject gives his express consent to the Data Processor using additional data processors in order to make the service more convenient and customized as follows.

Additional data processors:

The Rocket Science Group, LLC (Address: 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA)
- Data processing task description: Owner of the Mandrill software integrated into the reservation system. This software is responsible for sending automatic emails displaying confirmations and notifications in the case of bookings, offers and satisfaction measurements.
Hostware Kft. (Address: 1149 Budapest, Róna utca 120-122.)
- Data processing task description: Performing customer management tasks when using the Hostware Front Office hotel system.
Triptease Limited (Address: WeWork 3 Waterhouse Square 138-142 Holborn London EC1N 2SW United Kingdom)
- Data processing task description: Online chat function, with the help of which the guest can keep in touch with the hotel and manage their reservations quickly and efficiently.
BIG FISH Internet-technológiai Kft. (Address: 1066 Budapest, Nyugati tér 1-2.)
- Data processing task description: Conducting the data communication required for payment transactions between the merchant and the payment service provider’s system, ensuring the traceability of transactions for trading partners.
OTP Mobil Kft. (Address: 1093 Budapest, Közraktár u. 30-32.)
- Data processing task description: Conducting the data communication required for payment transactions between the merchant and the payment service provider’s system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.

Barion Payment Zrt. (Address: 1117 Budapest, Infopark sétány 1. I. épület)
- Data processing task description: Conducting the data communication required for payment transactions between the merchant and the payment service provider’s system, customer service assistance for users, confirmation of transactions and fraud monitoring for the protection of users.
Creative Management Kft. (Address: 8200 Veszprém, Boksa tér 1. A ép.)
- Data processing task description: Performing server hosting tasks.

Possible consequences of not providing data: no booking contract will be created for the hotel room.

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

a) may request access to personal data concerning him,

b) may request their correction,

c) may request their deletion,

d) you can apply to limit the processing of personal data if the conditions set out in Article 18 of the GDPR exist (that is, that our company does not delete or destroy the data until a court or authority requests it, but for a maximum of thirty days, and beyond that, the data is not used for any other purpose handle),

e) can object to the processing of personal data,

f) exercise your right to data portability. Pursuant to the latter right, the data subject is entitled to receive his/her personal data in word or excel format, and is also entitled to have this data forwarded to another data controller by our company upon request.

Other information related to data management: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, access to unauthorized persons). In the event of an incident that still occurs, we keep a register for the purpose of checking the necessary measures and informing the person concerned, which includes the range of personal data concerned, the range and number of people affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the other data specified in the legislation requiring data management.

In the case of online bookings, our company has entered into a data processing contract for the data processing tasks, in which NetHotelBooking Kft. undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the event of the use of an additional data processor, taking into account the legal handling of personal data by the data processor we also provide.

3. DATA MANAGEMENT IN CONNECTION WITH REQUEST FOR OFFERS

Our company provides the opportunity for our guests to request an offer electronically or by filling out a form.

Controller of personal data: Bükkös Hotel Kft.

The purpose of data management: preliminary information on hotel prices

Legal basis for data processing: prior consent of the person booking accommodation, Article 6 (1) point a) GDPR, and data processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract – GDPR Article 6 (1) point b)

Scope of processed personal data: address; surname and first name; telephone number; e-mail address; number of hotel guests.

Duration of data management: two years after the last day of the stay date according to the reservation.

Use of a data processor: our company uses the help of an IT service provider to operate the online quotation system as follows.

Data processor: NetHotelBooking Kft. (Address: 8200 Veszprém, Boksa tér 1/A)
- Data processing task description: Operation of the Request for Offer module

By accepting this data management information, the data subject gives his/her express consent to the Data Processor using additional data processors in order to make the service more convenient and customized as follows.

Additional data processors:

The Rocket Science Group, LLC (Address: 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA)
- Data processing task description: Owner of the Mandrill software integrated into the reservation system. This software is responsible for sending automatic emails displaying confirmations and notifications in the case of bookings, offers and satisfaction measurements.
Creative Management Kft. (Address: 8200 Veszprém, Boksa tér 1. A ép.)
- Data processing task description: Performing server hosting tasks.
Profit Solutions Kft. (Address: 1117 Budapest, Október Huszonharmadika utca 8-10.)
- Data processing task description: Operating the chat customer service module, receiving offers via chat.

Possible consequences of not providing data: The hotel cannot make an offer.

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

a) may request access to personal data concerning him,

b) may request their correction,

c) may request their deletion,

e) can object to the processing of personal data,

Our company has entered into a data processing contract for the data processing tasks, in which NetHotelBooking Kft. undertakes to obligatorily apply the data protection and data management guarantees required by the data processing contract in the event of the use of an additional data processor. In view of this, we also ensure the legal handling of personal data in the case of the data processor.

4. DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTION
Our company keeps in touch with its guests by means of a newsletter, to whom it recommends its services, and informs about news and special offers related to its operation.

Controller of personal data: Bükkös Hotel Kft.

Purpose of data management: maintaining contact with potential hotel guests

Legal basis for data management: the consent of the data subject – Article 6 (1) point a) GDPR.

Designation of legitimate interest: maintenance and development of business relationships with partners and hotel guests

Scope of processed personal data: name, e-mail address

Duration of data management: our company manages e-mail addresses until you unsubscribe from the newsletter.

Use of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

Data processor: NetHotelBooking Kft. (Address: 8200 Veszprém, Boksa tér 1/A)
- Data processing task description: Newsletter database storage

Additional data processors:

Creative Management Kft. (Address: 8200 Veszprém, Boksa tér 1. A ép.)
- Data processing task description: Operation of the newsletter system
Online Marketing Stratégia Kft.(Address: 1039 Budapest, Hatvany Lajos u.14. 8/71.)
- Data processing task description: Website popup operation.

Possible consequences of not providing data: The person concerned will not receive a newsletter from our company.

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

a) may request access to personal data concerning him,

b) may request their correction,

c) may request their deletion,

e) can object to the processing of personal data,

You can unsubscribe from the newsletter at any time by sending a letter to our company at info@bukkoshotel.hu or by clicking on the unsubscribe link in the newsletter. In this case, we will immediately delete your e-mail address from our database.

5. PERSONAL DATA MANAGEMENT RELATED TO SATISFACTION MEASUREMENT

As a hotel, our goal is to provide our guests with high-quality services, which is why we constantly ask for feedback from our guests about their experiences during their stay at our hotel.

Controller of personal data: Bükkös Hotel Kft.

The purpose of data management is to request feedback from hotel guests in order to further develop and improve our services.

The legal basis for data management: the legitimate interest of the hotel operator – Article 6 (1) point f) GDPR.

Indication of legitimate interest: our company has a legitimate interest in receiving information for the development of our services based on feedback.

Scope of processed personal data: name, gender, e-mail address.

Duration of data management: two years after the last day of the stay date according to the reservation.

Use of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

Data processor: NetHotelBooking Kft. (Address: 8200 Veszprém, Boksa tér 1/A)
- Data processing task description:Operation of the satisfaction measurement module.

Additional data processor:

The Rocket Science Group, LLC (Address: 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA)
- Data processing task description: Owner of the Mandrill software integrated into the reservation system. This software is responsible for sending automatic emails displaying confirmations and notifications in the case of bookings, offers and satisfaction measurements.

Possible consequences of not providing data: The person concerned will not receive a satisfaction questionnaire from our company.

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

a) may request access to personal data concerning him,

b) may request their correction,

c) may request their deletion,

e) can object to the processing of personal data,

6. PERSONAL DATA MANAGEMENT RELATED TO HOTEL ACCOMMODATION

As a hotel, we manage the data of the arriving guests during the reception

Controller of personal data: Bükkös Hotel Kft.

Purpose of data management: Identification of guests staying here, acquisition of data for IFA declaration, acquisition of data necessary from the point of view of immigration enforcement

The legal basis for data management: the legitimate interest of the hotel operator – Article 6 (1) point f) GDPR.
Indication of the legitimate interest: our company has a legitimate interest in being able to identify the guests staying here

Scope of processed personal data: name, gender, e-mail address, residential address, citizenship, identification document number, date of birth, telephone number

Duration of data management: two years after the last day of the stay date according to the reservation.

Use of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

Data processor: Hostware Kft. (Address: 1149 Budapest, Róna utca 120-122.)
- Data processing task description: Performing customer management tasks when using the Hostware Front Office hotel system.

The rights of the data subject: the data subject (the person whose personal data is managed by our company)

a) may request access to personal data concerning him,

b) may request their correction,

c) may request their deletion,

e) can object to the processing of personal data,

7. COOKIE MANAGEMENT
In order to provide customized service, the Data Controller stores a small data package on the user’s computer, the so-called it places a cookie and reads it back during the next visit. If the browser returns a previously saved cookie, the cookie management service provider has the opportunity to connect the user’s current visit with previous ones, but only with regard to its own content.

The purpose of data management is to: identify, track, and distinguish users from one another, identify the current user session, store the data entered during that session, prevent data loss, web analytics measurements, personalized service.

Legal basis for data management: the consent of the data subject.

Scope of managed data: ID number, date, time, and previously visited page.

Duration of data management: maximum 90 days

Additional information on data management: The user can delete cookies from his computer or disable the use of cookies in his browser. Cookies can usually be managed in the Tools/Settings menu of browsers under the Data protection/History/Personal settings menu under the names cookie, cookie or tracking.

Possible consequences of failure to provide data: impossibility of using the service, as described in 2-5 above. in terms of services described in points.

8. WEBSITE SERVER LOGGING
When visiting the bukkoshotel.hu and nethotelbooking.net web pages, the web server automatically logs the user’s activity.

Purpose of data management: during visits to the website, the service provider records visitor data in order to check the operation of the services and prevent abuse.

Legal basis for data management: point f) of Article 6 (1) of the GDPR. Our company has a legitimate interest in the safe operation of the website.

Type of personal data handled: ID number, date, time, address of the page visited.

Duration of data management: maximum 90 days.

Data processor: NetHotelBooking Kft. (Address: 8200 Veszprém, Boksa tér 1/A)
- Data processing task description: Recording of visitor data and information necessary for the operation of the server.

Additional information: our company does not connect the data generated during the analysis of the log files with other information, and does not seek to identify the user. The address of the pages visited, as well as the date and time data are not suitable for identifying the data subject by themselves, but when combined with other data (e.g. provided during registration) they are suitable for drawing conclusions about the user.

Data management related to logging by external service providers:

The html code of the portal contains links to and from an external server independent of our company. The server of the external service provider is directly connected to the user’s computer. We draw our visitors’ attention to the fact that the providers of these links are able to collect user data (e.g. IP address, browser, operating system data, mouse pointer movement, address of the page visited and the time of the visit) due to the direct connection to their server and direct communication with the user’s browser. The IP address is a sequence of numbers with which the computers and mobile devices of users accessing the Internet can be clearly identified.

IP addresses can even be used to locate the visitor using a given computer geographically. The address of the pages visited, as well as the date and time data are not suitable for identifying the data subject by themselves, but when combined with other data (e.g. provided during registration) they are suitable for drawing conclusions about the user.

9. OTHER DATA MANAGEMENT

We provide information on data management not listed in this information when the data is collected. We inform our customers that certain authorities, bodies performing public duties, and courts may contact our company for the purpose of providing personal data. If the relevant body has specified the exact purpose and the scope of the data, our company will release personal data to these bodies only to the extent and to the extent that is absolutely necessary to achieve the purpose of the request, and if the fulfillment of the request is required by law.

10. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA MANAGEMENT

Our company’s IT systems and other data storage locations are located at the headquarters and on servers rented by the data processor. Our company selects and operates the IT tools used in the provision of the service to manage personal data in such a way that the processed data:

a) accessible to those authorized to do so (availability);

b) its authenticity and authentication are ensured (authenticity of data management);

c) its immutability can be verified (data integrity);

d) be protected against unauthorized access (data confidentiality).

We pay special attention to the security of the data, we also take the technical and organizational measures and develop the procedural rules that are necessary to enforce the guarantees according to the GDPR. We protect the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage, and inaccessibility resulting from changes in the technology used.

The IT system and network of our company and our partners are both protected against computer-assisted fraud, computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security with server-level and application-level protection procedures. Daily data backup is done. In order to avoid data protection incidents, our company takes all possible measures, in the event of such an incident – according to our incident management policy – we take immediate action to minimize the risks and prevent damages.

11. RIGHTS OF THE PERSPECTIVES, LEGAL REMEDIES

The data subject can request information about the processing of his personal data, and can request the correction of his personal data, or – with the exception of mandatory data processing – deletion or withdrawal, he can exercise his right to data portability and protest in the manner indicated when the data was collected, or at the above contact details of the data controller.

At the request of the data subject, we provide the information in electronic form without delay, but within 30 days at the latest, in accordance with our relevant regulations. We fulfill the requests of those concerned to fulfill the rights below free of charge.

Right to information:

Our company takes appropriate measures in order to provide data subjects with all the information mentioned in Articles 13 and 14 of the GDPR and Articles 15-22 regarding the processing of personal data, and provide each piece of information according to Article 34 in a concise, transparent, comprehensible and easily accessible form, clearly and comprehensibly worded, and at the same time precise.

The right to information can be exercised in writing, via the contact details given in point 1. At the request of the person concerned, information can also be provided orally after proof of identity. We inform our customers that if our company’s employees have doubts about the identity of the data subject, we can request the provision of the information necessary to confirm the identity of the data subject.

The data subject’s right to access:

The data subject has the right to receive feedback from the data controller as to whether his personal data is being processed. If personal data is being processed, the data subject is entitled to access the personal data and the following information listed.

Purposes of data management;

categories of personal data concerned;
recipients or categories of recipients to whom or to whom the personal data has been or will be communicated, including in particular recipients from third countries (outside the European Union) and international organizations;
the planned period of storage of personal data;
the right to rectification, deletion or limitation of data processing and the right to protest;
the right to submit a complaint to the supervisory authority;
information about data sources; the fact of automated decision-making, including profiling, as well as comprehensible information about the applied logic and the significance of such data management and the expected consequences for the data subject.

In addition to the above, if personal data is transferred to a third country or an international organization, the data subject is entitled to receive information about the appropriate guarantees for the transfer.

Right of rectification:

Pursuant to this right, anyone can request the correction of inaccurate personal data managed by our company and the addition of incomplete data.

Right to delete data:

If one of the following reasons exists, the data subject has the right to have his/her personal data deleted without undue delay upon request:

a) personal data are no longer needed for the purpose for which they were collected or otherwise processed;

b) the data subject withdraws the consent that forms the basis of the data management, and there is no other legal basis for the data management;

c) the data subject objects to data processing and there is no overriding legal reason for data processing;

d) illegal processing of personal data can be established;

e) personal data must be deleted in order to fulfill the legal obligation prescribed by EU or Member State law applicable to the data controller;

f) the collection of personal data took place in connection with the offering of services related to the information society.

Data deletion cannot be initiated if data management is necessary for the following purposes:

a) for the purpose of exercising the right to freedom of expression and information;

b) for the purpose of fulfilling an obligation according to EU or Member State law applicable to the data controller requiring the processing of personal data, or for carrying out a task carried out in the public interest or in the context of the exercise of a public authority vested in the data controller;

c) in the field of public health, or for archival, scientific and historical research purposes or for statistical purposes, based on public interest;

d) or to present, assert or defend legal claims.

The right to restrict data processing:

At the request of the data subject, we restrict data processing in the case of conditions in Article 18 of the GDPR, i.e. if:

a) the data subject disputes the accuracy of the personal data, in which case the restriction applies to the period that allows the accuracy of the personal data to be checked;

b) the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of their use;

c) the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to submit, enforce or defend legal claims;

d) the data subject objected to data processing; in this case, the restriction applies to the period until it is determined whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

If data management is subject to restrictions, personal data may only be processed with the data subjects, with the exception of storage, or to submit, enforce or defend legal claims, or to protect the rights of other natural or legal persons, or in the public interest of the European Union or a data subject. The data subject must be informed in advance of the lifting of the restrictions on data management.

Right to data portability:

The data subject has the right to receive the personal data concerning him/her provided to the data controller in a segmented, widely used, machine-readable format, and to forward this data to another data controller. Our company can fulfill such a request of the person concerned in word or excel format.

Right to protest:

If personal data is processed for direct business acquisition, the data subject has the right to object at any time to the processing of his personal data for this purpose, including profiling, if it is related to direct business acquisition. In case of objection to the processing of personal data for the purpose of direct business acquisition, the data cannot be processed for this purpose.

Automated decision-making in individual cases, including profiling:

The data subject has the right not to be covered by the scope of a decision based solely on automated data management, including profiling, which would have legal effects on him or affect him to a similar extent. The above authorization cannot be applied if the data management

a) necessary for the conclusion or fulfillment of the contract between the data subject and the data controller;

b) is made possible by an EU or Member State law applicable to the data controller that protects the rights and freedoms and legitimate interests of the data subject

c) establishes appropriate measures for its protection; obsession

d) is based on the express consent of the data subject.

Right of withdrawal:

The data subject has the right to withdraw his consent at any time. Withdrawal of consent does not affect the legality of data processing based on consent prior to withdrawal.

Procedural rules:

The data controller informs the data subject without undue delay, but in any case within one month of receipt of the request, in accordance with Articles 15-22 of the GDPR. on measures taken following a request pursuant to Art. If necessary, taking into account the complexity of the application and the number of applications, this deadline can be extended by another two months. The data controller shall inform the data subject of the extension of the deadline, indicating the reasons for the delay, within one month of receiving the request.

If the data subject submitted the request electronically, the information will be provided electronically, unless the data subject requests otherwise.

If the data controller does not take measures following the data subject’s request, it shall inform the data subject without delay, but at the latest within one month of the receipt of the request, of the reasons for the failure to take action, and of the fact that the data subject may file a complaint with the supervisory authority and exercise his right to judicial redress.

The data manager informs all recipients of all corrections, deletions or data management restrictions carried out by him, to whom or to whom the personal data was disclosed, unless this proves to be impossible or requires a disproportionately large effort. At the request of the data subject, the data controller informs about these recipients.

Compensation and damages:

All persons who have suffered material or non-material damage as a result of a violation of the data protection regulation are entitled to compensation from the data manager or data processor for the damage suffered. The data processor is only liable for damages caused by data processing if it has not complied with the obligations specified in the law, which are specifically imposed on data processors, or if it has ignored or acted contrary to the legal instructions of the data controller. If several data managers or data processors or both data managers and data processors are involved in the same data management and are liable for damages caused by data management, each data manager or data processor is jointly and severally liable for the entire damage.

The data controller or the data processor is exempted from liability if it proves that it is not responsible in any way for the event that caused the damage.

Right to go to court and official data protection procedure:

In the event of a violation of their rights, the data subject may apply to the court against the data controller. The court acts out of sequence in the case.

You can file a complaint with the National Data Protection and Freedom of Information Authority.

Address of the authority: HU – 1125 Budapest, Szilágyi Erzsébet fasor 22/C., mailing address: 1530 Budapest, P.O.B. 5.

Telephone: +36-1-391.1400

E-mail: ugyfelszolgalat@naih.hu.