DATA CONTROLLING POLICY
effective as of 1 July, 2021
I. GENERAL PROVISIONS
This policy is based on the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (’General Data Protection Regulation’ or ’GDPR’), Act CXII of 2011 on informational self-determination and freedom of information, Act V of 2013 on the Civil Code and Act XLVIII of 2011 on the basic requirements and certain restrictions of commercial advertising activities.
This policy defines the rules concerning the protection of natural persons with regard to the controlling of their personal data and the free flow of personal data. The provisions of this policy shall be applied in specific data controlling activities and in the issue of instructions and information regulating data controlling.
The obligation to employ a data protection officer applies to every public authority and every other public body (irrespective of what kind of data they process) and to other organisations the main activity of which is the systematic and large-scale monitoring of individuals, or which process special categories of personal data in a large number. In accordance with this, data controller does not employ a data protection officer.
This policy shall be valid until it is revoked and its effect shall extend to the leading officials, employees and any subcontractors of V&L Housing Kft. (’V&L Housing Ltd Co’).
The objective of the data controlling in this policy is that V&L Housing Kft. should keep records of its tenants and other clients (hereinater referred to as Clients) as required by the legal statutes governing its main scope of activities (Provision of holiday and other temporary accommodation) and its scope of other activities, and comply with its contractual obligations for the operation of the property Budapest Budget Rooms, located at 1095 Budapest, Ipar u. 15-21., (hereinafter referred to as Budapest Budget Rooms).
GDPR (General Data Protection Regulation): the new data protection regulation of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council)
data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
restriction of data processing: the marking of stored personal data with the aim of limiting their processing in the future;
data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
data subject: a natural person identified or directly or indirectly identifiable on the basis of any specific personal data;
recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
consent of data subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
filing system: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
data protection incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed;.
DETAILS OF DATA CONTROLLER
Name: V&L Housing Kft.
Seat: 1095 Budapest, Ipar u 15-21.
Represented by: László Papp CEO
Registration No.: 01-09-402524
VAT No.: 32011762-2-43
Name of service: Budapest Budget Rooms
Internet address: budbudgetrooms.com
DETAILS OF HOSTING SERVICE PROVIDER
Role of hosting service provider: data processor
The server for the webpage used by data controller can be found in the United States. The existing contract between data controller and https://wordpress.com/ includes proper guarantees in relation to clients’ personal data to protect clients’ rights that they have under EU law. In accordance with the data protection agreement between the European Union and the USA, the Commission of the European Union acknowledges that the United States ensures such enforceable protection of personal data which is equivalent to the data protection levels valid in the EU.
PRINCIPLES OF DATA PROCESSING
Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation: Personal data shall only be collected for specified, explicit and legitimate purposes.
Data minimisation: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy: Personal data shall be accurate and up to date; Every reasonable step shall be taken to ensure that personal data that are inaccurate are erased or rectified without delay
Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary. Personal data may be stored for longer periods insofar as the personal data will be stored solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability: V&L Housing Kft’s employee doing data processing shall have disciplinary liability, liability for damages, liability for infringement and criminal liability for the lawful processing of personal data. If such employee becomes aware that the personal data processed by it are defective, deficient or outdated, employee shall rectify them or initiate the rectification thereof with the staff member responsible for recording such data.
The above principles of data protection shall be applied to any information related to any identified or identifiable natural person.
LAWFULNESS OF DATA PROCESSING (based on section (1), Art. 6 of GDPR)
Processing shall be lawful only if one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
In accordance with the above, data processing shall be deemed to be lawful if it is necessary in the framework of a contract or intent to enter into contract.
It is only permitted to process personal data for any other purpose than for the original purpose of their collection if such data processing is compatible with the original purpose of data processing for which such personal data were originally collected. In such a case, there is no need for a separate legal base different from the one which made the collection of personal data possible.
DATA SUBJECT’S CONSENT AND CONDITIONS FOR CONSENT
Where processing is based on consent, the controller shall be able to demonstrate if needed that the data subject has consented to the processing of his or her personal data by keeping the declaration of consent.
V&L Housing Kft.’s data processing is essentially based on data subject’s consent and it is necessary for the performance of a contract to which V&L Housing Kft. is one of the parties.
Data subjects making use of V&L Housing Kft’s services provide personal data voluntarily. In case of data processing based on contractual obligations, the provision of personal data is a precondition of concluding contract. Without it, the contract cannot be concluded.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
SCOPE AND PROCESSING OF PERSONAL DATA
The scope of the personal data processed, the purpose and legal base of the processing thereof, the information related to data transmitting and the term of data processing are included in detail in Annex 1 hereto.
The website www.budbudgetrooms.com and data controller’s reservation system are made for use by people over the age of 18 with full legal capacity.
Data are primarily collected from data subjects in the way that accommodation in Budapest Budget Rooms may be reserved through MiniCRM. In addition to reservation, personal data are recorded at check-in before customers occupy places of accommodation. As a rule, data controller requests and receives data directly from data subjects but it may exceptionally receive data from a third person involved in reservation (for example, through an intermediary travel agency or reservation webpage). Data subject shall declare that he/she gives consent to the processing of his/her data.
V&L Housing Kft only accepts data from any other sources if it is authorised by law to do so.
Data controller does not collect special personal data, e.g. data related to religious or political beliefs, health or sexual orientation or philosophical beliefs. Should data controller get into the possession of such data, it will take measures to delete them.
Session cookies are stored by the computer, notebook or mobile device only temporarily, until the client leaves the given website; these cookies help the system remember information so that such information need not be given or filled in again. The lifetime of session cookies is limited to the user’s current session, their purpose is to prevent data loss (for example, when a longer form is filled in). This kind of cookie is automatically deleted from the visitor’s computer when the session is ended or the browser is closed.
Persistent cookies are stored in the computer, notebook or mobile device even after the website is left. With the help of these cookies, the website recognizes the user as a returning visitor. Persistent cookies are suitable for identifying the user through matching identifier on the server side and user in every case where the authentication of the user is indispensable as it is a necessary condition of proper operation. In themselves, persistent cookies do not carry any personal data and are only suitable for identifying users with the matching data stored in the database of the server. The risk of such cookies is that they do not identify users but browsers, which means that if somebody logs in in the reservation system in a public place, e.g. in a cafe, and leaves without exit, then later another user using the same computer may have unauthorised access on behalf of the original user.
DATA SUBJECTS’ RIGHTS
Informing data subjects and right of access (GDPR Art. 15):
The data subject shall have the right to obtain access to the personal data and the following information. Prior to the start of data processing, data subject shall be informed whether such data processing is based on consent or is mandatory. Data subject is informed with this public data protection and data security policy and other forms of one-time information provision. Furthermore, data subject may request information using the contact details herein about what kind of personal data V&L Housing Kft processes, on what legal base, for what data processing purpose, from what source and for how long. Upon request, data controller shall provide information to the contact details given without delay but within maximum 30 days.
Data controller shall provide a copy of the personal data undergoing processing to data subject. For any further copies requested by the data subject, data controller may charge a reasonable fee based on administrative costs.
Right to rectification /GDPR Art. 16 /
Any data subject may request the rectification of any of his/her inaccurate data using the contact details. Upon data subject’s request, such rectification shall be arranged immediately but within maximum 30 days, and information concerning such rectification shall be sent to the address provided by data subject.
Right to erasure (’right to be forgotten’) /GDPR Art. 17 /
Any data subject may request the erasure of their data using the contact details. Upon data subject’s request, such erasure shall be arranged immediately but within maximum 30 days, and information concerning such erasure shall be sent to the address provided by data subject if:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
the data subject objects to the processing of his/her data and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing in case of data processing for the purpose of direct marketing;
the personal data have been unlawfully processed;
personal data shall be erased to fulfil legal obligations set forth in EU or member state law applicable to V&L Housing Kft.
Right to restriction of processing /GDPR Art. 18 /
The data subject may request the restriction of data processing using the contact details provided. Blocking shall last as long as the purpose indicated makes it necessary to store data. Upon request, this shall be arranged immediately but within maximum 30 days, and information concerning such restriction shall be sent to the address provided by data subject. V&L Housing Kft. restricts data processing if:
the accuracy of the personal data is contested by the data subject, for a period enabling V&L Housing Kft to verify the accuracy of the personal data;
data processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
V&L Housing Kft no longer needs the personal data for the purpose of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
the data subject has objected to data processing, in this case restriction shall apply pending the verification whether the legitimate grounds of V&L Housing Kft override those of the data subject.
Where processing has been restricted under the above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by V&L Housing Kft before the restriction of processing is lifted using the contact address indicated.
Right to data portability /GDPR Art. 20/
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to V&L Housing Kft, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from V&L Housing Kft where:
the processing is based on consent or on a contract in which one of the parties is data subject and
the processing is carried out by automated means.
In exercising his or her right to data portability pursuant to the above, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The right to data portability shall not adversely affect the rights of others.
Right to object /GDPR Art. 21 /
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, including profiling using the contact details provided. Such objection shall be assessed within the shortest time but maximum 15 days upon the submission of request, decision shall be made on whether it is well-founded or not and notification of such decision shall be sent using the contact details provided. In such a case, V&L Housing Kft shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or related to the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purpose which includes profiling to the extent that it is related to such direct marketing.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Remedies concerning data processing
Right to lodge a complaint /GDPR Art. 77 /
Data subject shall have the right to lodge a complaint with a supervisory authority if he/she considers that the processing of personal data relating to him or her infringes the provisions of GDPR. Complaint may be lodged using the following contact details:
Név: Nemzeti Adatvédelmi és Információszabadság Hatóság (National Authority for Data Protection and Freedom of Information)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1363 Budapest, Pf.: 9.
Telephone: +36 (30) 683-5969
The supervisory authority with which the complaint has been lodged shall provide information on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Right to an effective judicial remedy /GDPR Art. 79 /
Data subject shall have the right to effective judicial remedy against the supervisory authority’s legally binding decision concerning him/her.
Data subject shall have the right to effective judicial remedy if the competent judicial authority fails to address complaint or inform data subject of procedural developments or result related to the complaint lodged within three months.
Compensation and damages /GDPR Art. 82 /
Any person who has suffered material or non-material damage as a result of an infringement of GDPR shall have the right to receive compensation from the controller or processor for the damage suffered.
Any controller involved in processing shall be liable for the damage caused by processing which infringes GDPR. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this regulation specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller.
A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage. No compensation shall be given and damages cannot be claimed to the extent that the damage was caused by the deliberate or gross carelessness of the injured party or the impairment of personal rights was caused by the deliberate or gross carelessness of data subject.
SECURITY OF DATA PROCESSING
The measures taken by data controller to ensure data security shall be the following:
Any data processed by the website and the reservation system shall be kept at data controller’s and data processor’s seats.
Data controller shall design and carry out data processing operations in the way as to ensure the protection of data subject’s privacy.
Data controller shall take all the necessary measures to prevent any unauthorised access to the data processed by it and any unauthorised change, transmitting, publishing, erasing or destroying of such data, and to protect them from any accidental destruction or damage or from becoming inaccessible due to the change of technology.
In order to protect data sets electronically processed in different records, data processor ensures with a proper technical solution that the data stored in records may only be directly connected and linked to data subject if the law makes it possible.
During the automated processing of personal data, data controller and data processor shall ensure with proper measures
a) that any unauthorised data entry is prevented;
b) that the use of automated data processing systems by unauthorised persons with the help of data communication equipment is prevented;
c) that it is possible to control and specify to which authorities the personal data have been or may be transmitted with the application of data communication equipment;
d) that it is possible to control and specify which personal data were entered in the automated data processing systems, when and by whom;
e) that the systems installed can be restored in case of breakdown, and
f) that a report is made of the errors occurring during automated procesing. .
When defining and applying measures promoting data security, data controller and data processor shall take into account the current level of technology. From among several data processing solutions, the one ensuring the higher level protection of personal data shall be chosen except if it involved disproportionate difficulty for data controller.
Both data controller and data processor shall protect the data with proper measures in particular, against unauthorised access, alteration, transmitting, publishing, erasure or destruction, from any accidental destruction or damage and from becoming inaccessible due to the change of technology.
With regard to the current level of technology, data controller and data processor shall provide for the protection of data processing security with such technical,and organisational measures that provide an adequate level of protection for the risks related to data processing.
DATA PROTECTION INCIDENTS
A data protection incident is such a breach of security which results in the accidental or illegal destruction, loss, alteration or unauthorised disclosure of or unauthorised access to the transmitted or stored personal data or personal data processed in any other way.
A data protection incident shall be reported to the competent supervisory authority without undue delay, within 72 hours the latest except if in accordance with the principle of accountability, it can be proven that the data protection incident is not likely to involve any risks for the rights and freedoms of natural persons.
V&L Housing Kft shall maintain records of data protection incidents including the date of incident, the scope and number of those affected by the incident, the scope of the personal data involved, the circumstances of the incident and its effects, the description and justification of the measures taken for remedying, what such measures rectify and any other data specified in the legal statutes requiring data processing in order to control the measures related to such incidents and provide information for the data subject. Records may be taken both on paper and electronically, and shall be kept for 5 years.
If the data processing incident is likely to involve high risks for the rights and freedoms of natural persons, data controller shall inform data subject of the data processing incident except if:
a) data controller has taken proper technical and organisational protective measures so that the data are incomprehensible for any persons who have unauthorised access to them;
b) following the data processing incident, data controller has taken further measures so that high risk is not likely to be involved in the future;
c) direct information provision would require disproportionate efforts. In such cases, data subjects shall be notified through publicly provided information, or a similar measure shall be taken ensuring efficient information provision for data subjects.
LEGAL STATUTES PROVIDING THE BASE FOR THIS DATA PROTECTION POLICY
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Act CXII of 2011 on informational self-determination and freedom of information;
Act V of 2013 on the Civil Code;
Act I of 2012 on the Labour Code;
Act CLV of 1997 on consumer protection;
Act C of 2000 on accounting;
Act CL of 2017 on the rules of taxation;
Act CVIII of 2001 on certain issues of electronic commerce services and information society services;
Act C of 2003 on electronic communications;
Act CLIX of 2012 on postal services.
SCOPE OF PERSONAL DATA PROCESSED BY DATA CONTROLLER