General Provisions

Reed Hotelservice Ltd. (registered office: 1031 Budapest, Péter u. 4., company registration number: 01-09-443674, hereinafter referred to as the Data Controller), as the operator of Reed Hotel, ensures at all times the lawfulness and purposefulness of the processing of personal data it manages.

The purpose of this Privacy Notice is to provide individuals booking accommodation and submitting their personal data with adequate information – prior to making a reservation or providing personal data – about the conditions and safeguards under which our company processes their personal data, including the duration of such processing.

Our company adheres to the provisions of this Notice in all cases involving the processing of personal data, and considers the content herein as binding upon itself.

We reserve the right to amend the provisions set out in this unilateral legal declaration; in such cases, data subjects will be informed in advance.

If you have any questions regarding the contents of this Notice, please contact us by mail or email.

The data processing activities of our company are based on voluntary consent, or in certain cases, are necessary for taking steps at the request of the data subject prior to entering into a contract.

Our data processing practices comply with applicable legislation, in particular:

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”); and

Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.).

Data Controller’s Details and Contact Information:

• Name: Reed Hotelservice Kft.
• Registered Office: 1031 Budapest, Péter u. 4.
• Mailing Address: 8600 Siófok, Vécsey Károly u. 20.
• Company Registration Number: 01-09-443674
• Tax Number: 32807851-2-41
• Phone Number: +36 30 132 2061
• E-mail: info@reedhotel.hu
• Representative of the Data Controller: Dr. Csaba Tikos-Nagy, Managing Director

Details and Contact Information of the Data Processor:

• Name: NetHotelBooking Kft.
• Role: Online booking system provider
• Registered Office: 8200 Veszprém, Boksa tér 1/A
• Mailing Address: 8200 Veszprém, Ádám Iván u. 1.
• Tax Number: 22710776-2-19
• Phone Number: +36 30 650 0055
• E-mail Address: szilagyi.zsuzsa@resnweb.com
• Website: resnweb.com
• The Data Processor stores personal data based on a written agreement concluded with the Data Controller.

Details and Contact Information of the Data Processor:

• Name: MT-HostWare Information Technology Kft.
• Role: Hotel PMS (Property Management System) provider
• Registered Office: 1149 Budapest, Róna utca 120.
• Mailing Address: 1149 Budapest, Róna utca 120.
• Tax Number: 10426917-2-42
• Phone Number: +36 1 469 9000
• E-mail Address: hostware@hostware.hu
• Website: www.hostware.hu
• The Data Processor stores personal data based on a written agreement concluded with the Data Controller.

Details and Contact Information of the Data Processor:

• Name: Hilaris Hotel Management Kft.
• Role: Sales, marketing, communication, and consultancy
• Registered Office: 1031 Budapest, Péter utca 4.
• Mailing Address: 1031 Budapest, Péter utca 4.
• Tax Number: 32237557-2-41
• Phone Number: +36 30 448 4679
• E-mail Address: hello@hilarishotels.hu
• Website: hilarishotels.hu
• The Data Processor stores personal data based on a written agreement concluded with the Data Controller.

Details and Contact Information of the Data Processor:

• Name: ICT Megoldások Limited Liability Company
• Role: IT services / IT consulting and operation of computer systems and equipment
• Registered Office: 1119 Budapest, Nándorfejérvári út 42–44.
• Mailing Address: 1119 Budapest, Nándorfejérvári út 42–44.
• Tax Number: 25013322-2-43
• Phone Number: +36 20 933 2866
• E-mail Address: info@ict.hu
• Website: ICT Megoldások
• The Data Processor stores personal data based on a written agreement concluded with the Data Controller. It is not authorized to access the personal data.

Details and Contact Information of the Data Processor:

• Name: Mill-Co. Bt.
• Role: Accounting and payroll services
• Registered Office: 1158 Budapest, Jolán utca 18
• Mailing Address: 1158 Budapest, Jolán utca 18
• Tax Number: 28715188-2-42
• Phone Number: +36 30 201 7668
• E-mail Address: konyveles@millco.hu
• Website: N/A
• The Data Processor stores personal data based on a written agreement concluded with the Data Controller.

Definitions:

• In our policy, the following explanations apply to data protection terminology:
• Data Subject: Any natural person who is identified or identifiable based on any information.
• Identifiable Natural Person: A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Personal Data: Any information relating to the data subject.
• Consent: A freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
• Objection: A statement by the data subject whereby they oppose the processing of their personal data and request the cessation of the data processing or the deletion of the processed data.
• Data Controller: The natural or legal person, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data within the framework defined by law or binding legal acts of the European Union, makes and executes decisions regarding the processing of data (including the tools used), or has such decisions executed by the Data Processor.
• Data Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, restriction, erasure, and destruction of data, as well as preventing further use of the data, making photographic, audio, or video recordings, and recording physical characteristics suitable for identifying the individual.
• Data Transfer: Making the data accessible to a specified third party.
• Disclosure: Making the data accessible to anyone.
• Data Erasure: Rendering the data unrecognizable in such a way that recovery is no longer possible.
• Data Tagging: Attaching an identifier to the data for the purpose of distinguishing it.
• Data Restriction: Attaching an identifier to the data to restrict its further processing either permanently or for a specified period.
• Data Destruction: The complete physical destruction of the data carrier containing the data.
• Data Processing: The entirety of data processing operations carried out by the Data Processor on behalf of or under the instructions of the Data Controller.
• Data Processor: A natural or legal person, or an organization without legal personality, who processes data based on a contract — including contracts concluded on the basis of legal regulations.
• Data Set: The entirety of data managed in a single registry.
• Third Party: A natural or legal person, or an organization without legal personality, who is not identical with the data subject, the Data Controller, the Data Processor, or persons under the direct supervision of the Data Controller or Data Processor who perform data processing operations.

Principles of Personal Data Processing:

1. Lawfulness, Fairness, and Transparency:The collection and processing of personal data must be lawful and fair, and carried out in a transparent manner for the data subject. [Infotv. Section 4 (1)]
2. Purpose Limitation: Personal data may only be processed for specified, explicit, and legitimate purposes. [Infotv. Section 4 (1)]
3. Data Minimization: Only personal data that is necessary and suitable to achieve the purpose of the processing may be processed. [Infotv. Section 4 (2)]
4. Accuracy or Data Quality Principle: Beyond fairness and lawfulness, the data controller is obliged to ensure that data is accurate, complete, and kept up to date. [Infotv. Section 4 (2)]
5. Storage Limitation: Personal data must be deleted when the purpose of data processing has ceased. [Infotv. Section 17 (2)]
6. Integrity and Confidentiality: Personal data — except for mandatory data processing — may only be processed based on consent or other specific legal grounds defined in Section 6 of the Infotv. [Infotv. Sections 5-6, 14-21]
7. Accountability: The Data Controller is responsible for compliance with the above principles and must be able to demonstrate such compliance.

Data Security Measures:

The Data Controller and the Data Processor shall take all necessary technical and organizational measures to ensure an adequate level of security for the personal data processed, in order to prevent any data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record for the purpose of monitoring the necessary measures and informing the data subjects. This record includes the scope of the affected personal data, the number and scope of data subjects impacted by the data protection incident, the date, circumstances, and effects of the incident, the measures taken to mitigate it, as well as other data specified by the applicable data protection legislation.

Regarding each of our data processing activities, we provide the following information:

Data Processing Related to Hotel Services:

At the Reed Hotel (8600 Siófok, Vécsey Károly u. 20.), operated by the Data Controller, our guests can use hotel services, restaurant services, and other related services (such as spa use, recreational and beauty services, etc.).

Purpose of Data Processing:

To carry out administration related to hotel services, invoicing, and managing individual requests.

Legal Basis for Data Processing:

The legal basis is the conclusion of a contract and the data controller’s fulfillment of legal obligations.

Scope of Personal Data Processed:

Salutation; last name and first name; address (country, postal code, city, street, house number); phone number; email address; in the case of a business entity, company name and registered office; credit card number; data on identification documents; vehicle license plate number.

Data Retention Period:

Seven years from the date of issuing the receipt.

Data Retention Period for Compliance with Immigration and Law Enforcement Laws:

Three years from the guest’s departure.

Data Retention Period for Communication with the Guest and Quality Service:

Two years following the last day of the stay.

Possible Consequences of Failure to Provide Data:

The contract for the hotel services will not be concluded.

Data Processing Related to Wellness Services:

At the Reed Hotel (8600 Siófok, Vécsey Károly u. 20.), operated by the Data Controller, our guests can also use other related services (wellness services, etc.).

Purpose of Data Processing:

To carry out administration related to hotel services, invoicing, handling individual requests, and mapping the health status to determine eligibility for using the service.

Legal Basis for Data Processing:

Prior consent of the person booking the additional hotel service, legitimate interest.

Scope of Personal Data Processed:

Last name and first name; health status.

Data Retention Period:

30 calendar days from the use of the service.

Possible Consequences of Failure to Provide Data:

The hotel will be unable to provide the service.

Data Processing Related to Requesting Offers

Our company provides the opportunity for guests to request offers electronically. The offer is provided by our company through an automated system, taking into account available capacities.

Purpose of Data Processing:

Preliminary inquiry about the hotel’s prices.

Legal Basis of Data Processing:

The prior consent of the person making the reservation, or data processing necessary for taking steps at the request of the data subject prior to the conclusion of a contract.

Scope of Personal Data Processed:

1. Salutation
2. Last name and first name
3. Phone number
4. Email address
5. Number of guests staying

Duration of data processing:

Two years following the last day of the stay according to the booking.

Possible consequences of failure to provide data:

The hotel will not be able to provide an offer.

Data processing related to newsletter subscription:

Our company maintains contact with its guests via newsletter, informing them about our services, news related to our operations, and promotions.

Data controller:

Reed Hotelservice Kft (registered office: 1031 Budapest, Péter u. 4.) and Hilaris Hotel Management Kft as data processor.

Purpose of data processing:

Maintaining contact with potential hotel guests.

Legal basis of data processing:

Consent of the data subject.

Scope of personal data processed:

Name, e-mail address.

Duration of data processing:

Our company processes the name and e-mail address until the data subject unsubscribes from the newsletter.

Possible consequences of failure to provide data:

The data subject will not receive newsletters from our company.

You can unsubscribe from the newsletter at any time by using the link provided in the newsletter or by sending an email to our company at info@reedhotel.hu. Your email address will be deleted from our database immediately (in case of online unsubscription) or within 2 working days (in case of email request).

Personal Data Processing Related to Satisfaction Measurement:

As a hotel, our goal is to provide our services to guests at a high standard, therefore we continuously request feedback from our guests about their experiences during their stay at our hotel.

Data Controller:

Reed Hotelservice Ltd. (registered office: 1031 Budapest, Péter Street 4), and Hilaris Hotel Management Ltd. as data processor.

Purpose of Data Processing:

Requesting feedback from hotel guests to further develop and improve our services.

Legal Basis of Data Processing:

Personal consent.

Legitimate Interest:

Our company has an interest in obtaining information based on feedback to improve our services.

Scope of Processed Personal Data:

1. Name
2. Gender
3. E-mail address

Data Retention Period:

Two years following the last day of the stay according to the booking.

Possible Consequences of Failure to Provide Data:

The data subject will not receive a satisfaction survey questionnaire from our company.

Cookie Management:

The Data Controller places a small data package, called a cookie, on the user’s computer for the purpose of personalized service and reads it back during subsequent visits. If the browser sends back a previously stored cookie, the service provider managing the cookie can link the user’s current visit with previous ones, but only concerning their own content.

Purpose of data processing:

Identification, tracking, differentiation of users, identification of the users’ current session, storage of data provided during the session, prevention of data loss, web analytics, and personalized service.

Legal basis for data processing:

The consent of the data subject.

Categories of data processed:

Identifier, date, time, and previously visited page.

Duration of data processing:

Maximum 90 days.

Additional information regarding data processing:

The user is able to delete cookies from their own computer and can also disable the use of cookies in their browser. Cookie management is generally available in the browser’s Tools / Settings menu under Privacy / History / Custom settings, with options named cookies, tracking, or similar.

Possible consequences of not providing data:

It may become impossible to use the service.

Website Server Logging:

When visiting the nethotelbooking.net website, the web server automatically logs the user’s activity.

Purpose of data processing:

To monitor the operation of services during website visits and to prevent abuse by recording visitor data.

Legal basis for data processing:

Legitimate interest for the secure operation of the website.

Types of personal data processed:

Identifier, date, time, URL of the visited page.

Duration of data processing:

Maximum 90 days.

Additional information:

During the analysis of log files, our company does not combine the collected data with other information, and does not attempt to identify the user personally. The URLs visited, as well as the date and time data, alone are not sufficient to identify the individual concerned; however, combined with other data (e.g., data provided during registration), they may be used to infer conclusions about the user.

Data Processing Related to Logging by External Service Providers:

The portal’s HTML code contains links coming from and pointing to external servers independent from our company. The external service provider’s server connects directly with the user’s computer. We draw the attention of our visitors that the providers of these links are capable of collecting user data (e.g., IP address, browser, operating system details, mouse movements, visited page URL, and the time of visit) due to the direct connection to their servers and direct communication with the user’s browser.

The IP address is a numerical sequence that uniquely identifies the computers and mobile devices accessing the internet. Using IP addresses, the visitor using the given computer can even be geographically localized. The URLs of visited pages and the date and time data alone are not sufficient to identify the data subject, but when combined with other data (e.g., data provided during registration), they may be used to draw conclusions about the user.

Other Data Processing Activities

Photography:

Purpose of data processing:

The hotel may take photographs during various hotel events (e.g. children’s animation programs during peak seasons), in a way that participants are either not identifiable or their faces are not visible.

Legal basis for data processing:

Personal consent.

Scope of processed personal data:

Photographs (in which individuals are not recognizable and/or their faces are obscured).

Information on camera usage: https://reedhotel.hu/adatkezeles

For any data processing activities not listed in this notice, we will provide information at the time of data collection.

We also inform our clients that certain authorities, public bodies, and courts may contact our company for the disclosure of personal data.

Our company will disclose personal data to such entities only if the requesting authority specifies the exact purpose and the scope of data required, and only to the extent strictly necessary to fulfill the purpose of the request, and if the disclosure is required by law.

Storage of Personal Data and Data Security

Our company’s IT systems and other data storage locations are located at our headquarters and on servers rented by our data processor.

During the provision of services, our company selects and operates the IT tools used for processing personal data in such a way that the processed data is:

a) accessible only to those authorized (availability);

b) authentic and verifiable (authenticity of data processing);

c) protected against unauthorized modification (data integrity);

d) protected against unauthorized access (data confidentiality).

We pay special attention to data security, and we take all necessary technical and organizational measures, as well as establish the procedural rules required to enforce the guarantees set out in the GDPR. We protect data with appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage, or inaccessibility due to technological changes.

Our company’s and our partners’ IT systems and networks are protected against computer-assisted fraud, computer viruses, cyber intrusions, and denial-of-service attacks. The operator ensures security through both server-level and application-level protection procedures. Daily backups of the data are carried out. In order to prevent data protection incidents, our company takes all possible preventive actions. In the event of an incident, we act immediately in accordance with our incident response policy to minimize risks and prevent damage.

Rights of data subjects and legal remedies:

The data subject may request information about the processing of their personal data, as well as request the rectification or – except for mandatory data processing – deletion or withdrawal of their personal data. They may also exercise their right to data portability and objection in the manner indicated at the time of data collection or through the contact details of the data controller provided above. Upon the data subject’s request, information will be provided in electronic form without undue delay, but no later than within 30 days, in accordance with our internal policies. We fulfill requests related to the rights listed below free of charge.

Right to Information:

Our company takes appropriate measures to ensure that all information provided to data subjects regarding the processing of their personal data is concise, transparent, intelligible, and easily accessible, presented in a clear and plain manner while also being accurate.

The right to information may be exercised in writing through the contact details provided in point 1.

Upon request – and following verification of the individual’s identity – information may also be provided verbally.

Please note that if our staff has any doubts about the identity of the data subject, we may request additional information necessary to confirm the identity of the person concerned.

Right of Access by the Data Subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed.
Where such processing is taking place, the data subject shall have the right to access the personal data and the following information listed below.

• The purposes of the data processing;

• The categories of personal data concerned;

• The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries (outside the European Union) or international organisations;

• The envisaged period for which the personal data will be stored;

• The existence of the right to request rectification or erasure of personal data or restriction of processing, and the right to object to such processing;

• The right to lodge a complaint with a supervisory authority;

• Information as to the source of the personal data;

• The existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In addition, where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

Right to rectification:

Under this right, any individual may request the rectification of inaccurate personal data concerning them that are processed by our company, as well as the completion of incomplete data.

Right to erasure:

The data subject has the right to obtain from us the erasure of personal data concerning them without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing;

c) the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;

d) the personal data have been unlawfully processed;

e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services.

Data erasure cannot be requested if the processing is necessary for the following purposes:

a) exercising the right of freedom of expression and information;

b) compliance with a legal obligation under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) reasons of public health, or for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;

d) the establishment, exercise, or defense of legal claims.

Right to restriction of processing:

At the request of the data subject, we restrict data processing under the conditions set out in Article 18 of the GDPR, namely if:

a) the data subject contests the accuracy of the personal data; in this case, the restriction applies for the period enabling the verification of the accuracy of the personal data;

b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the data controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; or

d) the data subject has objected to processing; in this case, the restriction applies for the period until it is verified whether the legitimate grounds of the data controller overridethose of the data subject.

If the processing is restricted, personal data may only be processed – except for storage – with the data subject’s consent, for the establishment, exercise, or defense of legal claims, for the protection of the rights of another natural or legal person, or for important public interest reasons of the European Union or a Member State. The data subject must be informed in advance about the lifting of the restriction.

Right to data portability:

The data subject has the right to receive the personal data concerning them, which they have provided to the data controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another controller. Our company can fulfill such requests in Word or Excel format.

Right to object:

If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to direct marketing. In case of objection to the processing of personal data for direct marketing purposes, the data may no longer be processed for such purposes.

Automated decision-making in individual cases, including profiling:

a) The data subject has the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning them or similarly significantly affects them. This right shall not apply if the processing is:

b) necessary for entering into or performing a contract between the data subject and the data controller;

c) authorized by Union or Member State law applicable to the controller, which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests; or

d) based on the explicit consent of the data subject.

Right to withdraw consent:

The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

Procedural rules:

The data controller shall inform the data subject without undue delay, and in any case within one month of receiving the request, about the measures taken in response to the request pursuant to Articles 15–22 of the GDPR. If necessary, taking into account the complexity of the request and the number of requests, this period may be extended by an additional two months. The data controller shall inform the data subject of the extension within one month of receiving the request, stating the reasons for the delay.

If the data subject submitted the request electronically, the information shall be provided by electronic means, unless otherwise requested by the data subject.

If the data controller does not take any action in response to the data subject’s request, it shall inform the data subject without delay, but at the latest within one month of receiving the request, of the reasons for not taking action and of the right to lodge a complaint with the supervisory authority and to seek a judicial remedy.

The data controller shall communicate any correction, deletion, or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. Upon request, the data controller shall inform the data subject about these recipients.

Compensation and damages:

Any person who has suffered material or non-material damage as a result of a violation of the data protection regulation is entitled to compensation from the data controller or the data processor. The data processor shall only be liable for damages caused by processing if it has not complied with the obligations specifically imposed on data processors by law or if it has acted contrary to the lawful instructions of the data controller. If several data controllers or data processors, or both data controller and data processor, are involved in the same processing and are liable for the damage caused by the processing, each data controller or data processor shall be jointly and severally liable for the entire damage. The data controller or data processor shall be exempt from liability if it proves that it is not responsible in any way for the event giving rise to the damage.

Remedies:

For any requests, questions, or comments related to data processing, you may contact us by sending an email to info@reedhotel.hu.

Complaints regarding any potential violations by the Data Controller can be filed with the National Authority for Data Protection and Freedom of Information.

National Authority for Data Protection and Freedom of Information

Mailing address: 1530 Budapest, Pf.: 5

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

Website: https://naih.hu

In case of violation of your data protection rights, you may also take legal action against the Data Controller. You may initiate the lawsuit before the court competent according to your place of residence or place of stay, at your discretion.