Privacy Statement of Villapark Hungary Kft.

GENERAL PROVISIONS

Villapark Hungary Kft., as the operator of Várgesztesi Villapark, the seat of the company, always ensures the legality and expediency of its data processing with respect to personal data. The purpose of this document is to provide adequate information for our guests about our company's terms and conditions, guarantees and retention times with respect to their personal data, before they make the reservation and submit their personal information. In all cases involving personal data processing, our company adheres to the content contained in this document; we recognize it as binding us.

However, we reserve the right to change the terms of this unilateral declaration of rights, in which case we will inform the persons concerned in advance. The data processing of our company's activity is based on voluntary consent and on our legal obligations; and in some cases, data processing is necessary in order to take steps at the request of the data subject prior to entering into a contract.

This document was created based on national and European data protection legislation in force on 21 May 2018, and in the light of the resolutions issued by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) until 21 May 2018. Based on Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information, and Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the General Data Protection Regulation or GDPR).

Our data processing complies with applicable laws, in particular the followings:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”)
Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information (“Data Protection Act”).
Act V of 2013 on the Civil Code;
Act C of 2000 on Accounting;
Act CL of 2017 on Rules of Taxation;
Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (hereinafter: “Security Services Act”);
Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity;
Act CVIII of 2001 on certain issues of electronic commerce services and servicesrelated to the information society.

The details and contact information of our Company are as follows:

Name: Villapark Hungary Kft / Villapark Várgesztes
Seat: 2824, Várgesztes, Villapark 201/25
Business reg. no.: 11-09-008808
Taxpayer identification number: 12869707-2-11
Phone number: +36 34 494 494
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it.

Might you have any further questions about the processing of your data or the interpretation of the provisions of this document, our data privacy officer is at your disposal at the above contact details.

Regarding our data processing, we provide the following information per field of activity.

DATA PROCESSING RELATED TO ACCOMMODATION BOOKING AND CATERING

Our company provides the possibility of online booking in order to make the booking of accommodation in Villapark Várgesztes a quick, convenient and cost-free experience.

The controller of the personal data: Villapark Hungary Kft.

Purpose of data processing: to make booking easier, free and more efficient, and to provide an environmentally-friendly and fast booking system for our guests;

Legal basis of the data processing: the prior consent of the person booking the accommodation.

The scope of personal data processed: title; surname and first name; address (country, postal code, city, street, house number, telephone number, e-mail address; in case of a company, name and seat of company, bank card number, SZÉP card data (identifier, name on card).

Duration of the data processing: eight (8) years after the last day of stay, according to the booking

Use of a Data Processor: our company uses an information technology service provider for the online accommodation system as follows.

Name of Data Processor	Seat	Description of the data processing task
One Online Kft.	3300 Eger Maklári utca 58. fszt. 2.	Providing the possibility of online accommodation booking
Hostware Kft.	1149 Budapest, Róna utca 120-122	Carrying out client management tasks when using the Hostware Front Office hotel IT-system
SIX Payment Services (Europe) S.A., Hungarian Branch Office	IP West Irodaház, Budafoki út 91-93. C épület, 1117 Budapest	Managing the data communication for payment transactions between the IT systems of the merchant and that of the payment service provider, ensuring traceability of transactions for merchant partners
CIB Bank	1027 Budapest, Medve u. 4-14.	Managing the data communication for payment transactions between the IT systems of the merchant and that of the payment service provider, ensuring traceability of transactions for merchant partners
MediaCenter Hungary Kft.	6001 Kecskemét, Pf. 588	Server hosting, website operation http://www.mediacenter.hu/index.php?subaction=showfull&id=1524482931&archive=&start_from=&ucat=1&
Hostware Kft.	1149 Budapest, Róna utca 120-122	Operator of the booking engine, responsible for sending automated emails that provide acknowledgments and notifications, booking and offers

Possible consequences of not providing the necessary data: no contract is established for the hotel room.

Rights of the data subject: the person concerned (the person whose personal information is processed by our company)

shall have the right to request access to the personal data concerning him or her,
shall have the right to request rectification of these data,
shall have the right to request erasure of these data,
shall have the right to request restriction of processing the personal data when the conditions set out in Article 18 of the GDPR are met (i.e. to request our company to not delete or discard the data until a request is received from a court or authority, but for not more than thirty days, and to request our company to not process the data for any other reason),
shall have the right to object to the processing of personal data,
shall have the right to data portability. According to this last right, the data subject shall have the right to receive the personal data concerning him or her in Word or Excel format, and shall have the right to have our company transmit these data to another data controller.

Other information related to the data processing: our company will take all necessary technical and organizational measures to avoid any possible privacy incidents (e.g. files containing personal data being damaged, lost or made available to unauthorized persons). In case of an incident, to monitor the necessary measures and to inform the data subject, we keep a record containing the scope of the personal data concerned; the scope and number of persons affected by the data security incident; the date, circumstances and effects of the data security incident; and the measures taken to remedy the incident, as well as any other data specified in the law that prescribes the data processing.

Our company has concluded a data processing contract for data processing tasks in which our service providers undertake to provide the guarantees required by the data processing contract, thereby we ensure that the personal data is processed under the law by the data processor as well.

DATA PROCESSING RELATED TO THE CALL FOR PROPOSAL

Our company offers our guests the opportunity to request a quote electronically. The offer is sent to the requester in a template-based electronic reply message via an automated system.

The controller of the personal data: Villapark Hungary Kft.

Purpose of data processing: preliminary inquiries about the hotel's prices

Legal basis of the data processing: prior consent of the person booking the accommodation, GDPR Article 6 (1) (a), and processing is necessary in order to take steps at the request of the data subject prior to entering into a contract – GDPR Article 6 (1) (b)

The scope of personal data processed: title; surname and first name; telephone number; e-mail address; number of hotel guests.

Duration of the data processing: eight (8) years after the last day of stay, according to the booking

Possible consequences of not providing the necessary data: The hotel is unable to give an offer.

Rights of the data subject: the person concerned (the person whose personal information is processed by our company)

shall have the right to request access to the personal data concerning him or her,
shall have the right to request rectification of these data,
shall have the right to request erasure of these data,
shall have the right to request restriction of processing the personal data when the conditions set out in Article 18 of the GDPR are met (i.e. to request our company to not delete or discard the data until a request is received from a court or authority, but for not more than thirty days, and to request our company to not process the data for any other reason),
shall have the right to object to the processing of personal data,
shall have the right to data portability. According to this last right, the data subject shall have the right to receive the personal data concerning him or her in Word or Excel format, and shall have the right to have our company transmit these data to another data controller.

DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTION

It is via newsletter that our company keeps in touch with guests, to whom it recommends its services, and provides news about its operations and promotions.

The controller of the personal data: Villapark Hungary Kft.

Purpose of data processing: contact with potential guests

Legal basis of the data processing: consent of the data subject – GDPR Article 6 (1) (a).

Designation of the legitimate interest: maintaining and developing business relationships with partners and hotel guests

The scope of personal data processed: name, e-mail address

Duration of the data processing: our company processes the e-mail addresses until unsubscribing from the newsletter.

Use of a Data Processor: our company uses an information technology service provider for the online accommodation system as follows.

Name of Data Processor	Seat	Description of the data processing task
Villapark Hungary Kft.	2024, Várgesztes, Villapark 201/25	Operation of the RFQ (Request for Quote) module

By accepting this Privacy Statement, the data subject gives his or her express consent to Data Processor using additional data processors to make the service more convenient and customized, as follows:

Name of additional Data Processor	Seat	Description of the data processing task
MediaCenter Hungary Kft.	6001 Kecskemét, Pf. 588	Operation of the RFQ engine
Facebook, Instagram	Palo Alto, California, Menlo Park – USA	Customer relationship, advertisements
MediaCenter Hungary Kft.	6001 Kecskemét, Pf. 588	Server hosting, website operation http://www.mediacenter.hu/index.php?subaction=showfull&id=1524482931&archive=&start_from=&ucat=1&

Possible consequences of not providing the necessary data: The person concerned will not receive newsletter from our company.

Rights of the data subject: the person concerned (the person whose personal information is processed by our company)

shall have the right to request access to the personal data concerning him or her,
shall have the right to request rectification of these data,
shall have the right to request erasure of these data,
shall have the right to request restriction of processing the personal data when the conditions

set out in Article 18 of the GDPR are met (i.e. to request our company to not delete or discard the data until a request is received from a court or authority, but for not more than thirty days, and to request our company not to process the data for any other reason),

shall have the right to object to the processing of personal data,
shall have the right to data portability. According to this last right, the data subject shall have the right to receive the personal data concerning him or her in Word or Excel format, and shall have the right to have our company transmit these data to another data controller.

You can unsubscribe from the newsletter at any time by clicking on the unsubscribe link in the newsletter’s footer. In this case, we delete your email address from our databases within 24 hours.

PERSONAL DATA PROCESSING RELATED TO THE SATISFACTION SURVEY

As a hotel, we aim to provide our guests with high quality services, so we are constantly requesting feedback from our guests about their experiences during their stay at our hotel.

The controller of the personal data: Villapark Hungary Kft, 2824 Várgesztes Villapark 201/25

Purpose of data processing: getting feedback from hotel guests to further develop and improve our services.

Legal basis of the data processing: the legitimate interest of the hotel operator – GDPR Article 6 (1) (f).

Designation of the legitimate interest: our company has a legitimate interest in getting information from the feedback for the development of our services.

The scope of personal data processed: name, gender, e-mail address

Duration of the data processing: two (2) years after the last day of stay, according to the booking

Use of a Data Processor: our company uses an information technology service provider for the online accommodation system as follows.

Possible consequences of not providing the necessary data: The person concerned will not receive a survey on satisfaction from our company.

Rights of the data subject: the person concerned (the person whose personal information is processed by our company)

shall have the right to request access to the personal data concerning him or her,
shall have the right to request rectification of these data,
shall have the right to request erasure of these data,
shall have the right to request restriction of processing the personal data when the conditions set out in Article 18 of the GDPR are met (i.e. to request our company to not delete or discard the data until a request is received from a court or authority, but for not more than thirty days, and to request our company not to process the data for any other reason),
shall have the right to object to the processing of personal data,
shall have the right to data portability. According to this last right, the data subject shall have the right to receive the personal data concerning him or her in Word or Excel format, and shall have the right to have our company transmit these data to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to apply the data protection and data processing guarantees required by the data processing contract in case of additional data processors being used; thereby we ensure that the personal data is processed under the law by the data processor as well.

COOKIE MANAGEMENT

In order to provide customized service, the data controller places a small data packet, a so-called cookie, on the computer of the user, and reads is back at a later visit to the website. If the browser returns a previously saved cookie, the cookie operator service provider can link the user's current visit to his or her visits in the past, but only in respect of its own content.

You can declare your full or partial acceptance of cookies or disable them at your first visit to the site. An information bar located in your browser window prompts you for this. You can change your cookie settings at any time.

Purpose of data processing: identifying and tracking of users, distinguishing between users, identifying the user's current session and storing the data provided during that session, preventing loss of data, web analytics, personalized service.

Legal basis of the data processing: consent of the data subject.

The scope of data processed: identification number, date, time and the webpage you arrived from; Duration of the data processing: max. 30 days

Further information about data processing: The user can delete the cookies from his or her computer or disable the use of them in his or her browser. To manage the cookies, you can usually use the cookies or tracking options under the Privacy/History/Custom Settings menu in the Tools/Settings menu of your browser.

Possible consequences of not providing the necessary data: the inability to access the services described above, in paragraphs 2-5.

We use four types of HTML cookies on our website. You can accept or reject cookies by category:

required
comfort
statistics
marketing

In the case of required cookies:

You give your permission for the website to:

Basic: remember the cookie permission settings
Basic: enable the session cookies
Basic: collect all information you have entered into a form, newsletter, and other forms on any pages
Basic: keep track of the data entered in your basket
Basic: certify that you have logged in to your account
Basic: remember the selected language version

You give no permission for the website to:

remember your login data
Functionality: remember your social media settings
Functionality: remember the selected region and country
Analytics: keep track the pages you visited and the interactions
Analytics: keep track your location and region, based on your IP-address
Analytics: keep track the time you spend on each pages
Analytics: increase the data quality of statistical functions
Advertising: show personalized information and ads according to your interests, e.g. based on the contents you have visited so far. (Presently we do not use targeting cookies.)
Advertising: collect personally identifiable information such as your name and location

When selecting comfort cookies:

You give your permission for the website to:

Basic: remember the cookie permission settings
Basic: enable the session cookies
Basic: collect all information you have entered into a form, newsletter, and other forms on any pages
Basic: keep track of the data entered in your basket
Basic: certify that you have logged in to your account
Basic: remember the selected language version
Functionality: remember your social media settings
Functionality: remember the selected region and country

You give no permission for the website to:

Remember your login data
Analytics: keep track the pages you visited and the interactions
Analytics: keep track your location and region, based on your IP-address
Analytics: keep track the time you spend on each pages
Analytics: increase the data quality of statistical functions
Advertising: show personalized information and ads according to your interests, e.g. based on the contents you have visited so far. (Presently we do not use targeting cookies.)
Advertising: collect personally identifiable information such as your name and location

When selecting statistical cookies:

You give your permission for the website to:

Basic: remember the cookie permission settings
Basic: enable the session cookies
Basic: collect all information you have entered into a form, newsletter, and other forms on any pages
Basic: keep track of the data entered in your basket
Basic: certify that you have logged in to your account
Basic: remember the selected language version
Functionality: remember your social media settings
Functionality: remember the selected region and country
Analytics: keep track the pages you visited and the interactions
Analytics: keep track your location and region, based on your IP-address
Analytics: keep track the time you spend on each pages
Analytics: increase the data quality of statistical functions

You give no permission for the website to:

remember your login data
Advertising: use information about third-party personalized ads
Advertising: connect to social media sites
Advertising: identify the device you are using
Advertising: collect personally identifiable information such as your name and location

When selecting marketing cookies:

You give your permission for the website to:

Basic: remember the cookie permission settings
Basic: enable the session cookies
Basic: collect all information you have entered into a form, newsletter, and other forms on any pages
Basic: keep track of the data entered in your basket
Basic: certify that you have logged in to your account
Basic: remember the selected language version
Functionality: remember your social media settings
Functionality: remember the selected region and country
Analytics: keep track the pages you visited and the interactions
Analytics: keep track your location and region, based on your IP-address
Analytics: keep track the time you spend on each pages
Analytics: increase the data quality of statistical functions
Advertising: use information about third-party personalized ads
Advertising: connect to social media sites
Advertising: identify the device you are using
Advertising: collect personally identifiable information such as your name and location

You give no permission for the website to:

remember your login data

SERVER LOGGING OF THE WEBSITE

When visiting the Villapark.hu website(s), the web server automatically logs user activity.

Purpose of data processing: during the visit to the site, the service provider records the visitor data in order to check the functionality of the services and to prevent abuse.

Legal basis of the data processing: Article 6 Paragraph 1 point (f) of GDPR. Our company has a legitimate interest in the safe operation of the website.

The type of the processed personal data: identification number, date, time, and title of the page you are visiting. Duration of the data processing: max. 90 days.

Further information: our company does not associate data generated by the analysis of logs with other information and does not seek to identify the user. The addresses of the pages visited, and the date-time data, in themselves, are not suitable for identifying the person concerned, but by linking them to other data (such as those provided during registration) they allow to draw conclusions about the user.

Data processing of external service providers concerning data logging:

The portal’s html code contains links referring to and arriving from external servers that are independent of our company. The server of the external service provider is connected directly to the user's computer. We are reminding our visitors that the service providers of these links are able to collect user data (e.g. IP address, details of the browser and the operating system, cursor movement, title of a visited page, and time of visit) due to the direct connection with their server and the direct communication with the user's browser. The IP address is a series of numbers that can clearly identify the computers and mobile devices of users on the Internet. IP addresses can be used to geographically locate a visitor using the given computer. The addresses of the pages visited, and the date-time data, in themselves, are not suitable for identifying the person concerned, but by linking them to other data (such as those provided during registration) they allow to draw conclusions about the user.

ELECTRONIC SURVEILLANCE SYSTEM

An electronic monitoring system (surveillance camera system) works on the premises of Villapark. Villapark’s designated staff operates the hotel’s electronic surveillance system. The recording, use and preservation of images are governed by Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (“Security Services Act”) and Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information (“Data Protection Act”). The operation of the electronic surveillance system is carried out as outlined below, in the interests of protection of human life and physical integrity as well as property, based on express consent according to Act 30 Paragraph (2) of the Security Services Act, for the purpose of preventing and detecting infringements and accidents, surprising perpetrators in the act, and for the purpose of demonstrating infringements. Our system records the name of the inspecting person, the reason and the time of inspection. Data transfer is possible only in the event of unlawful conduct or breach of obligations, for providing judicial information. The data transferred may include recordings of relevant information from the camera system, as well as the names of the persons eventually shown in the recording. We also inform you that you can request information at any time about the processing of your personal data from Villapark Hungary Kft as the operator. You may also request the rectification or blocking of your personal information in accordance with applicable legal provisions. In addition, you may object to processing your personal data.

Areas monitored by camera:

Porter’s lodge and entrance gate
Park Center: terraces, restaurant, utility entrance, gallery, adventure pool, pub
Park Center: Reception, shop

For more information, you can request insight into the Camera Surveillance Policy found at the guard service at the porter’s lodge, or write to this e-mail address: This email address is being protected from spambots. You need JavaScript enabled to view it..

OTHER DATA PROCESSING

We provide information about data processing not listed in this document, when recording the given data. We inform our customers that certain authorities, public service bodies, courts may contact our company for communicating personal data towards them. Our company transfers personal data for these bodies only if the fulfillment of the request is required by law and if the body concerned indicates the exact purpose and scope of the data, and only to the extent that it is indispensable for the fulfillment of the purpose of the request.

METHOD OF STORAGE OF PERSONAL DATA, THE SECURITY

OF THE DATA PROCESSING

Our computing systems and other data retention locations are situated at the headquarters and on servers rented by the data processor. Our company selects and operates the IT tools used to process personal data and provide the service so that following applies to the data processed:

available to those entitled to it (availability);
its authenticity and authentication is ensured (credibility of data processing);
its integrity can be verified (data integrity);
protected against unauthorized access (confidentiality of data).

We pay particular attention to the security of the data; we also take the technical and organizational measures and develop the procedural rules necessary to enforce the guarantees as per the GDPR. The data are protected by appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as unavailability due to accidental destruction, damage, and arising changes in the technology used.

The IT system and network of our company and partners are protected against computer-aided fraud, computer viruses, computer intrusions, and attacks leading to denial-of-service. The operator also provides security through server-level and application-level security procedures. The daily backup of the data is solved. Our company takes every possible measures in order to avoid any privacy incident; and in the event of such an incident, we will take immediate action according to our incident management policy to minimize the risks and to avoid damages.

RIGHTS OF THE DATA SUBJECTS, REMEDIES

The data subject may request information about the processing of his or her personal data and may request the rectification of his or her personal data or, with the exception of mandatory data processing, the erasure or revocation of these data; may exercise his or her right to data portability and to object as indicated at the data entry and on the above mentioned contact details of the data controller.

At the request of the data subject, we provide the information in electronic form without delay, but no later than 25 days, in accordance with our applicable regulations. We fulfill the requests of the data subjects free of charge to comply with the rights below.

Right to information:

Our company takes appropriate measures to ensure that all the information on the processing

of personal data referred to in Articles 13 and 14 of the GDPR, as well as all the information provided for in Articles 1522 and 34, are provided in a concise, transparent, intelligible and easily accessible form, and in a precise yet clear and understandable way.

The right to information can be exercised in writing, through the contact details given in point 1. Information can also be provided orally at the request of the data subject, after verifying his or her identity. We inform our customers that if our company's employees are in doubt about the identity of the data subject, they may request the information required to confirm that person's identity.

Right of access by the data subject:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. In addition, where that is the case, the data subject shall have the right to access the personal data and the following information:

the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries (outside the European Union) or international organizations (if that was the case);
the envisaged period for which the personal data will be stored;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
information about the data sources; the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Moreover, where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

Right to rectification:

Under this right, anyone may request the rectification of inaccurate personal data processed by our company, concerning him or her, and the completion of any incomplete data.

Right to erasure:

The data subject shall have the right to obtain from us the erasure of personal data concerning him or her without undue delay and we shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services.

The data erasure shall not be initiated if the data processing is necessary for any of the following purposes:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
or for the establishment, exercise or defense of legal claims.

Right to restriction of processing:

At the request of the data subject, we restrict the processing of data when any condition listed in Article 18 of the GDPR applies, that is:

the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
the data subject has objected to processing; pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject shall be informed by the controller before the restriction of processing is lifted.

Right to data portability:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. Our company can execute such request in Word or Excel format.

Right to object:

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Automated individual decision-making, including profiling:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply if the data processing

is necessary for entering into, or performance of, a contract between the data subject and a data controller;
is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights
and freedoms and legitimate interests; or
is based on the data subject's explicit consent.

Right to withdraw: The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Procedural rules:

The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Compensation and grievance fee:

Any person who has suffered material or non-material damage as a result of an infringement of the data protection regulation shall have the right to receive compensation from the controller or processor for the damage suffered. The processor shall be liable for the damage caused by processing only where it has not complied with obligations of the law specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage.

A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

The right to turn to court and the procedure of National Authority for Data Protection:

In the event of violation of his or her rights, the data subject may turn to the court. The court may hear the case without delay. Your complaint can be reported to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

The address of the Authority:

1125 Budapest Szilágyi Erzsébet fasor 22/C, mailing address: 1530 Budapest Pf. 5.
Telephone: +36 1 391 1400
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.