PRIVACY NOTICE
Last updated: 20.05.2024
Table of Contents
1. The Data Controller
2. Data processing
2.1. Table booking and restaurant service
2.2. Location rental
2.3. Complaint management and customer book (complaint book)
2.4. Contact
2.5. Business relationship
2.6. Social media sites
3. Your rights
3.1. You can withdraw your consent
3.2. You can request information (access)
3.3. You can request a rectification
3.4. You can request the erasure of your personal data ("to be forgotten")
3.5. You can request that we restrict the data processing
3.6. You can ask us to transfer your personal data (right to data portability)
3.7. You can object to the processing of your personal data
4. Legal remedies available
4.1. Right to complain to a “Supervisory Authority”
4.2. Right to an effective judicial remedy against a controller or processor
4.3. Damages and compensation for violation of personality rights
5. Data security
6. Other
1. The Data Controller
Danubius Hotels Zrt.
registered seat: 1051 Budapest, Szent István tér 11.
represented by: Balázs Kovács CEO
e-mail: adat@danubiushotels.com
website: www.whiteravenskybar.com
(hereinafter: the “Data Controller”)
The hosting service is provided by Websupport Magyarország Kft. (head office: 6000 Kecskemét, Sosztakovics u. 3. II/6) as a data processor;
2. Data processing
2.1. Table booking and restaurant service
You can reserve a table on the website, by phone or in person. When recording a table reservation, we process the personal data as follows. The source of the data is the data subject himself/herself or the person making the reservation.
|
Data |
Purpose of the data processing |
Retention time |
Legal basis of the data processing |
Rights |
|
Data required for the reservation full name, e-mail address, telephone number, personal data shared in the reservation notes field that becomes relevant for special requests, food allergies or other necessary health information |
Registering the reservation and related communication (e.g. sending an e-mail confirming the reservation, sending a preliminary notification SMS) |
Until the end of season (except for guest profiles) |
Data processing for the performance of the contract. The reservation is not possible without providing the data. [GDPR Article 6(1)(b)] |
3.2. 3.3. 3.4. 3.5. 3.6. |
|
Complaints management |
Our legitimate interest associated with managing complaints. You may object to the processing at any time using either of the contact details listed in Section 1. [GDPR Article 6(1)(f)] |
3.2. 3.3. 3.5. 3.7. |
||
|
Guest profiles full name, e-mail address, telephone number, personal data shared in the reservation notes field that becomes relevant for special requests, food allergies or other necessary health information, reviews, reservation history, order history, IP address |
To identify returning guests and to offer a personalised service based on order and reservation history. More effective complaint handling, notifications about upcoming events and offers via newsletters and remarketing messages. |
Until you request your data to be deleted |
Your express consent [GDPR Article 6(1)(a) and Article 9(2)(a)] The consent may be withdrawn at any time using our contact details specified in point 1. Withdrawal of consent does not affect the lawfulness of the data processing that preceded it. |
3.1. 3.2. 3.3. 3.4. 3.5. 3.6. |
|
Personal data that may be included on your bill: name, address |
Fulfilment of a legal obligation |
For 8 years following the reporting year |
Fulfilment of a legal obligation. After billing, the data retention is necessary due to tax and accounting regulations. Without providing the data, it is not possible to issue a bill in the name of a private individual. [GDPR Article 6(1)(c)] |
3.2. 3.3. 3.5. |
|
Sending an e-mail requesting an evaluation after leaving: name, e-mail address |
Improving our services |
The review is stored in with your data until it is deleted according to the terms above |
Our legitimate interest in service development and sales. You may object to the processing at any time using either of the contact details listed in Section 1. [GDPR Article 6(1)(f)] |
3.2. 3.3. 3.5. 3.7. |
We use the system of SEVENROOMS INC. (228 Park Avenue S; PMB 37706; New York, NY 10003) to record the table reservations and to send newsletters. The adequacy of the transmission of data to Sevenrooms (https://sevenrooms.com/en/privacy-policy/) is ensured by the Data Privacy Framework Program (https://www.dataprivacyframework.gov/list).
In case of Guest profiles, your e-mail address and phone number is shared with Google [Google Ireland Limited (location: Gordon House, Barrow Street, Dublin 4, Ireland; https://policies.google.com/technologies/product-privacy] and Facebook. The data processing in case of Facebook advertisements is a joint processing between the Data Controller and Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland. The details of the joint data management agreement can be found in the data management appendix of the Facebook Page Analysis function. The appendix is located here: https://www.facebook.com/legal/terms/page_controller_addendum
2.2. Location rental
It is possible to rent the location after requesting a quote by e-mail and after accepting the quote and concluding a contract.
|
Data |
Purpose of the data processing |
Retention time |
Legal basis of the data processing |
Rights |
|
The data included in the contract concluded with the private individual and those becoming relevant in the request for quote typically: full name, e-mail address, telephone number, home address, personal data that becomes relevant for special requests. |
Provision of service according to the request |
Until cancellation or leaving |
Data processing for the performance of the contract. It is not possible to rent a location without providing the data. [GDPR Article 6(1)(b)] |
3.2. 3.3. 3.4. 3.5. 3.6. |
|
Fulfilment of a legal obligation |
For 8 years following the reporting year |
Fulfilment of a legal obligation. After billing, the data retention is necessary due to tax and accounting regulations. It is not possible to rent a location without providing the data. [GDPR Article 6(1)(c)] |
3.2. 3.3. 3.5. |
|
|
In the case of a contract with a company, the contact person's details: full name, e-mail address, telephone number, position |
Provision of service according to the request |
Until cancellation or leaving |
Our legitimate interest in the performance of the contract. You may object to the processing at any time using either of the contact details listed in Section 1. [GDPR Article 6(1)(f)] |
3.2. 3.3. 3.5. 3.7. |
|
Fulfilment of a legal obligation |
For 8 years following the reporting year |
Fulfilment of a legal obligation. After billing, the data retention is necessary due to tax and accounting regulations. It is not possible to rent a location without providing the data. [GDPR Article 6(1)(c)] |
3.2. 3.3. 3.5. |
|
|
Food allergies or other necessary health information |
Provision of service according to the request, handling of complaints after leaving |
For 1 (one) month after leaving |
Your express consent [GDPR Article 6(1)(a) and Article 9(2)(a)] The consent may be withdrawn at any time using our contact details specified in point 1. Withdrawal of consent does not affect the lawfulness of the data processing that preceded it. |
3.1. 3.2. 3.3. 3.4. 3.5. 3.6. |
|
Personal data that may be included on your bill: name, address |
Fulfilment of a legal obligation |
For 8 years following the reporting year |
Fulfilment of a legal obligation. After billing, the data retention is necessary due to tax and accounting regulations. Without providing the data, it is not possible to issue a bill in the name of a private individual. [GDPR Article 6(1)(c)] |
3.2. 3.3. 3.5. |
2.3. Complaint management and customer book (complaint book)
If you do not agree with how your verbal complaint was handled, or it is not possible to investigate the complaint immediately, we are obliged to draw up a record the complaint and the related opinions.
In the case of a written complaint, it is not necessary to draw up a record, but we must keep the answer.
You can also record your complaint in the customer book (complaint book). We must remove the page containing the complaint or suggestion after the entry was made and keep it separately so that other guests cannot see the previous entries and the data of the people making the entries.
|
Data |
Purpose of the data processing |
Retention time |
Legal basis of the data processing |
Rights |
|
Record of a consumer complaint and response to a written complaint name, address, signature, ID number |
Fulfilment of a legal obligation |
3 years |
Fulfilment of a legal obligation. Retention is necessary due to the consumer protection laws. Providing the data is a condition for recording the complaint. [GDPR Article 6(1)(c)] |
3.2. 3.3. 3.5. |
|
Customers’ book (complaints book) the data provided |
Fulfilment of a legal obligation |
3 years |
Fulfilment of a legal obligation. Retention is necessary due to the consumer protection laws.Providing the data is a precondition for being able to respond. [GDPR Article 6(1)(c)] |
3.2. 3.3. 3.5. |
2.4. Contact
If you contact us electronically or by post, we will handle your inquiry as follows.
|
Data |
Purpose of the data processing |
Retention time |
Legal basis of the data processing |
Rights |
|
Personal data provided in inquiries: name, e-mail address, other personal data provided |
Answering inquiries and handling complaints |
1 year |
Consent, which you give by sending the request. The consent may be withdrawn at any time using our contact details specified in point 1. Withdrawal does not affect the lawfulness of the data processing that preceded it. [GDPR Article 6(1)(a)] |
3.1. 3.2. 3.3. 3.4. 3.5. 3.6. |
2.5. Business relationship
If we have a business relationship with the company or organisation that you represent or that employs you and we have received your contact information in order to maintain contact, we will process your personal data as follows. The source of the data is the data subject or the person acting on behalf of the company.
|
Data |
Purpose of the data processing |
Retention time |
Legal basis of the data processing |
Rights |
|
Contact information of the companies' contact persons: name, position, e-mail address, telephone number |
Maintaining contact with business clients |
Until the business relationship exists or another contact person is appointed |
Our legitimate interest in fulfilling the contract and maintaining contact. You may object to the processing at any time using either of the contact details listed in Section 1. [GDPR Article 6(1)(f)] |
3.2. 3.3. 3.5. 3.7. |
|
Data of the signatories or contact details included in the contract: name, position, e-mail address, telephone number, signature |
Fulfilment of a legal obligation |
For 8 years after termination |
Fulfilment of a legal obligation. We must keep the contract as an accounting document due to tax law and accounting regulations. Without providing the data, it is not possible to include the data in the contract. [GDPR Article 6(1)(c)] |
3.2. 3.3. 3.5. |
2.6. Social media sites
You can follow us on social media to be informed of news about us.
|
Data |
Purpose of the data processing |
Retention time |
Legal basis of the data processing |
Rights |
|
Data provided on social media sites: profile data |
Information about current news |
Until unfollowing (unsubscribing) |
Consent, which you give by following us. Consent can be revoked at any time by unsubscribing. Withdrawal does not affect the lawfulness of the data processing that preceded it. [GDPR Article 6(1)(a)] |
3.1. 3.2. 3.3. 3.4. 3.5. 3.6. |
|
profile name, profile picture, personal data shared in the message |
To respond to your message |
Until message is deleted by the sender |
Consent, which you give by messaging us. Consent can be revoked at any time by unsubscribing. Withdrawal does not affect the lawfulness of the data processing that preceded it. [GDPR Article 6(1)(a)] |
3.1. 3.2. 3.3. 3.4. 3.5. 3.6. |
|
statistical data |
Improve efficiency of the page and ads |
Until ads are turned off in settings |
Consent, which you give by ad settings. Consent can be revoked at any time by changing the settings. Withdrawal does not affect the lawfulness of the data processing that preceded it. [GDPR Article 6(1)(a)] |
3.1. 3.2. 3.3. 3.4. 3.5. 3.6. |
The operator of the Facebook and Instagram pages provides the Data Controller with the display of advertisements and the use of the page analytics function. The page analytics function displays aggregated data, the purpose of which is to enable the Data Controller to understand how visitors use the page and its advertisements and to draw conclusions for more efficient operation. No personal data is included in the statistical analysis. The processing of advertising and statistical data on these pages is carried out jointly by the Data Controller and Meta Platforms Ireland Limited, Serpentine Avenue, Block J, Dublin 4, Ireland. Details of the joint data processing agreement are set out in the Data Controller Appendix of the Facebook Page Analytics function. The Addendum is available at the following link: https://www.facebook.com/legal/terms/page_controller_addendum
The companies operating the social media sites are separate data controllers:
- Facebook and Instagram Facebook Ireland Ltd. (registered office: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; https://www.facebook.com/privacy/explanation; https://www.facebook.com/help/instagram/155833707900388/)
- YouTube, Google Ireland Limited (registered office: Gordon House, Barrow Street, Dublin 4, Ireland; https://policies.google.com/technologies/product-privacy?hl=hu)
- LinkedIn, LinkedIn Ireland Unlimited Company (registered office: Wilton Place, Dublin 2, Ireland; https://www.linkedin.com/legal/privacy-policy)
- Tripadvisor, Tripadvisor Ireland Limited (registered office: Bloodstone Building, Bloodstoney Road, Dublin 2, Ireland; https://tripadvisor.mediaroom.com/HU-privacy-policy)
3. Your rights
In connection with the data processing, you have the rights detailed in points 3.1-3.7. If you want exercise one of them, please write to us using the contact details indicated in point 1.
Identification
In any case, we need to verify your identity before fulfilling your request. If we cannot verify your identity, unfortunately we cannot fulfil your request.
Answering the request
After we have verified your identity, we provide information about the request in writing, electronically, or – at your request – verbally. Please note that if you submitted your request electronically, we will respond electronically. Of course, in this case too, you have the option to request another method.
Deadline for handling the matters
We will inform you about the measures taken as a result of your request within 1 (one) month from the receipt of the request at the latest. If necessary, taking into account the complexity of the request and the number of requests, this deadline can be extended by another 2 (two) months, of which we will inform you within the 1 (one) month deadline for handling the matter.
We are also obliged to inform you of the failure to take action within the one-month deadline for handling the matter. You can file a complaint against this with the Hungarian National Authority for Data Protection and Freedom of Information (point 6.1) and exercise your right to judicial remedy (point 6.2).
Administration fee
The requested information and measures are free of charge. An exception is the case where the request is clearly unfounded or – especially due to its repetitive nature – excessive. In this case, we may charge a fee or refuse to fulfil the request.
3.1. You can withdraw your consent
In the case of data processing based on your consent, you can withdraw your consent at any time. In such a case, we will immediately erase your personal data related to the given data processing. We would like to inform you that the withdrawal does not affect the lawfulness of the data processing carried out on the basis of prior consent.
3.2. You can request information (access)
You can request information on whether your personal data is being processed, and if so:
- What is the purpose of processing?
- What kind of data is being processed exactly?
- To whom do we transfer this data?
- How long do we store this data?
- What rights and remedies do you have in this regard?
- Who did we get your data from?
- Do we make automated decisions about you using your personal data? In such cases, you can also request information about the logic (method) we apply, the importance of such data processing, and the expected consequences.
- If you have found that your data has been transferred to an international organisation or a third country (non-EU member state), you can request a demonstration of what guarantees the adequate processing of your personal data.
- You can request a copy of your personal data (for additional copies, we may charge a fee based on administrative costs)
3.3. You can request a rectification
You can request that we rectify or supplement any of your inaccurate or incomplete personal data.
3.4. You can request the erasure of your personal data ("to be forgotten")
You can request that we erase your personal data if:
- The personal data are no longer needed for the purpose for which they were processed;
- In the case of data processing based on your consent;
- If it is established that personal data is being processed unlawfully;
- If your objection is successful;
- If required by EU or national laws;
- The data was collected in the context of offering IT services to children.
We cannot erase personal data if it is necessary:
- for exercising the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing according to Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest;
- on the basis of public interest in the field of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the request is likely to render impossible or seriously impair the achievement of the objectives of deletion; or
- for the establishment, exercise or defence of legal claims.
3.5. You can request that we restrict the data processing
You can request that we restrict the data processing if one of the following applies:
- You contest the accuracy of the personal data, for a period enabling us to verify the accuracy of the personal data;
- The data processing carried out is unlawful, but you do not agree to the erasure of the data and instead request the restriction of its use;
- We no longer need the data for the purpose of data processing, but you require the data for the establishment, exercise or defence of legal claims;
- You have objected to the data processing; in this case, the restriction applies to the period until it is established whether the Data Controller's legitimate reasons override your legitimate reasons.
In the case of restriction, the personal data may only be processed with your consent, with the exception of storage, or to establish, exercise or defend legal claims, or to protect the rights of another natural or legal person, or in the important public interest of the Union or a Member State. We will inform you in advance about the possible lifting of the restriction.
3.6. You can ask us to transfer your personal data (right to data portability)
You have the right to receive your personal data that we process, in a machine-readable format, and you also have the right to transfer this data to another data controller – or at your request – if the data processing is based solely on your consent or a contract concluded with you or in your interest, and is automated.
The aforementioned right does not apply in the event that the data processing is necessary for the performance of a task in the public interest. It cannot violate the right to erasure and cannot adversely affect the rights and freedoms of others.
3.7. You can object to the processing of your personal data
You can object to the processing of your personal data if the data processing is based on a legitimate interest, is for direct marketing purposes (e.g. sending a newsletter), or is necessary for the performance of a task of public interest. In this case, the personal data will be erased, unless its processing is justified by compelling legitimate reasons that override your interests, rights and freedoms, or that are related to the establishment, exercise or defence of legal claims.
You can object to the processing of your personal data also if the personal data is processed for scientific and historical research purposes or for statistical purposes. In this case, the personal data will be erased unless the data processing is necessary for the performance of a task carried out in the public interest.
4. Legal remedies available
4.1. Right to complain to a “Supervisory Authority”
If you believe that we have treated you unfairly or unlawfully under GDPR, you can complain to a Supervisory Authority for data protection. If you are normally resident in an EU country other than Hungary, you have the right to raise a complaint with the Supervisory Authority of that country. This link will give you the name and contact details:
http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
If you are normally resident in Hungary or outside the EU, you can complain to the Hungarian Authority:
The Hungarian National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf. 9.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail address for correspondence in English: privacy(at)naih.hu
E-mail address for correspondence in Hungarian: ugyfelszolgalat(at)naih.hu
Website: http://naih.hu
4.2. Right to an effective judicial remedy against a controller or processor
If you believe that your rights under GDPR have been infringed as a result of the processing of your personal data in non-compliance with GDPR, you have the right to an effective judicial remedy.
Proceedings against a controller or a processor shall be brought before the courts of the EU Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the EU Member State where your habitual residence is.
In Hungary, regional courts shall have jurisdiction in handling the case. Data subjects can also choose to bring actions at regional courts of their domicile or residence. Even individuals with no locus standi can be parties to the proceedings. The Authority has the option to intervene for the data subject to succeed in the proceedings.
Court proceedings shall be governed by GDPR, by the provisions of Act V of 2013 on the Civil Code, Book Two, Part Three, Title XII (Sections 2:51 to 2:54), as well as by other legislative provisions applicable to court proceedings.
4.3. Damages and compensation for violation of personality rights
If the Data Controller causes damage or violates the personality rights of the data subject by unlawful processing of the data of the data subject, a claim for compensation for violation of personality rights by the Data Controller may be raised. The Data Controller is released from responsibility for the damage caused and from the obligation to pay compensation if it proves that the damage or the violation of the personality rights of the data subject was caused by an unavoidable cause outside the scope of data processing.
5. Data security
We will do our best to take the adequate technical and organisational measures – taking into account the current state of science and technology, the costs of implementation, the nature of data processing, as well as the risk to the rights and freedoms of natural persons – in order to ensure that we guarantee data security corresponding to the level of risk.
We always process the personal data confidentially, with limited access, encryption and the possible maximisation of resilience, ensuring that it can be restored in the event of a problem. We regularly test our system to ensure security. When determining the appropriate level of security, we take into account the risks arising from the data processing, which arise in particular from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access to the personal data transmitted, stored or otherwise processed.
We do our best to ensure that persons acting under our control and having access to the personal data can only process this data in accordance with our instructions, unless they are required to deviate from this by EU or Member State law.
6. Other
The Data Controller has the right to modify the contents of this Data Processing Notice at any time. Any modification will take effect at the same time as it is published on the website.
Annex 1: Explanation of terms used in the Data Processing Notice
“personal data”: Any information relating to the natural person (data subject) (e.g. name, number, location data, online ID or data relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person);
“data subject”: identifiable natural person to whom the given personal data is related. (Such as: a website visitor, a person who subscribes to the newsletter, a person who applies after a job advertisement)
"data processing": any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as by way of collection, recording, organisation, structuring, storage, transformation or alteration, retrieval, access, use, disclosure, transmission, distribution or otherwise making available, coordination or linking, restriction, erasure or destruction;
"Data Controller": the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing the personal data independently or together with others;
"data processing by processor": performing technical tasks related to data processing operations;
"data processor": the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the Data Controller (on behalf of, at the instruction of and based on the decision of the Data Controller);
“third party”: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who have been authorised to process personal data under the direct control of the Data Controller or data processor;
"consent of the data subject": the voluntary, specific and clear declaration of the intent of the data subject, based on adequate information, with which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he or she gives his or her consent to the processing of personal data concerning him or her;
"recipient": the natural or legal person, public authority, agency or any other body to whom or to which the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients.