1. Purpose of the regulation
The purpose of this regulation is to comply, in accordance with the legal requirements, with the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: “Privacy Act”) and of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: “GDPR”), and to inform the data subjects about the range of personal data processed by the controller named in point 2, the purpose and manner of that processing and any other facts related to it, in particular, but not limited to, their rights in connection with data management and the legal remedies available to them.
2. Name, seat and representative of the controller
Name: Spirit Hotel Kft.
Seat: H-1061 Budapest, Andrássy út 2., Hungary
Legal representative: Pocsai Alex, General Manager
Contact person in data protection matters: Dr. Gábor Jeszenszki, lawyer
3. Name, contact details, status and tasks of the Data Protection Officer
Dr. Boldizsár Morvay – dr.morvay@balintfy.hu
Legal status of the Data Protection Officer
The controller must ensure that the Data Protection Officer is involved, properly and in a timely manner, in all matters relating to the protection of personal data, and that the resources needed to maintain the Data Protection Officer's expertise are available.
The Data Protection Officer must not receive instructions from anyone regarding the performance of his/her tasks. The controller or the data processor may not dismiss or penalise the Data Protection Officer for performing those tasks. The Data Protection Officer reports directly to the highest management level of the controller or processor.
Data subjects may contact the Data Protection Officer on all matters relating to the processing of their personal data and the exercise of their rights.
The Data Protection Officer is bound by secrecy and confidentiality in the performance of his/her tasks.
The Data Protection Officer may perform other tasks and duties, provided that they do not result in a conflict of interest.
Tasks of the Data Protection Officer
• Provides information and professional advice to the Data Controller or Data Processor as well as Data Management Staff;
• monitors compliance with the internal rules on the protection of personal data of the controller or processor;
• provides professional advice on the data protection impact assessment upon request and follows up the implementation of the impact assessment;
• cooperates with the supervisory authority.
4. Legislation on data management
– The Fundamental Law of Hungary, Article VI;
– Act CXII of 2011 on Informational Self-Determination and on Freedom of Information (hereinafter: “Privacy Act”);
– Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
5. Terms used in the present regulation
data processor
the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller
data management
any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
controller (service provider)
the undertaking, as well as any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law
privacy incident
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed
biometric data
personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data
addressee
the natural or legal person, public authority, agency or any other body to whom the personal data are communicated, whether or not they are third parties. Public authorities that have access to personal data in accordance with Union or Member State law in the context of a specific investigation shall not be considered as an addressee; the management of such data by these public authorities must be in accordance with the data protection rules applicable to the purposes of the data management
data subject
the natural person whose personal data is being processed
consent of the data subject
any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
GDPR
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
third party
the natural or legal person, public authority, agency or any other body other than the data subject, the controller, the data processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data
Privacy Act
Act CXII of 2011 on Informational Self-Determination and on Freedom of Information
employee
any natural person employed by the service provider or in any other contractual relationship with the service provider, in particular under a service agreement or an agency contract, including contractors and their agents
profiling
any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements
Personal data
any information relating to an identified or identifiable natural person (“data subject”); a natural person is identifiable if he/she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
special categories of personal data
personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data and biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and personal data concerning a natural person's sex life or sexual orientation
6. Data protection impact assessment
The controller is responsible for carrying out the data protection impact assessment of the risk to the rights and freedoms of natural persons, evaluating the origin, nature, particularity and severity of that risk. The outcome of the assessment must be taken into account when determining which measures are appropriate to demonstrate that the processing of personal data complies with the GDPR. If the impact assessment indicates that the processing would result in a high risk that the controller cannot mitigate by reasonable means in terms of the available technologies and the costs of implementation, the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) must be consulted prior to the processing. Where a data protection impact assessment for high-risk processing has to be carried out at a later date, it is carried out with the open-source software (originally named “PIA software”, hereinafter: “Impact Assessment Software”) published by the French data protection authority (Commission Nationale de l'Informatique et des Libertés, hereinafter: “CNIL”).
In connection with the data protection impact assessment, the controller prepares a separate regulation.
7. Interest balancing test assessment – in the case of data management based on legitimate interest
In the case of processing based on legitimate interest (Article 6 (1) (f) of the GDPR), the interest balancing test is carried out on the basis of NAIH resolution NAIH/2015/3731/2/V. The interest balancing test is a multi-step process: the legitimate interest of the controller and the interest of the data subject, together with the underlying fundamental right that forms the other side of the balance, must be identified, and once the weighing has been carried out it must be decided whether the personal data may be processed.
The applied steps of the interest balancing test assessment:
1. step – examining whether the processing is necessary or whether its purpose can be achieved by other means
2. step – determining legitimate interest as accurately as possible
3. step – determining the purpose of data management, what personal data and what duration data management involves
4. step – determining the aspects of the data subjects
5. step – carrying out the weighing
The controller prepares a separate regulation for the interest balancing test assessment.
8. The management and protection of personal data
8.1. The task, competence and responsibility of the controller
The controller carrying out the primary processing is obliged to compensate for damage caused to others by unlawfully processing the data subject's data or by breaching the data security requirements. The controller is also liable towards the data subject for damage caused by the data processor. The controller is exempt from liability if it proves that the damage was caused by an unavoidable circumstance outside the scope of the processing. No compensation is due to the extent that the damage was caused by the intentional or grossly negligent conduct of the injured party.
8.2. The task, competence and responsibility of the data processor
The rights and obligations of the data processor in relation to the processing of personal data are determined by the controller in accordance with this regulation and the relevant legislation. The controller is liable for the processing, alteration, erasure, transmission and disclosure of personal data carried out by the data processor within the framework specified by the controller. The agreement concluded with the data processor must stipulate that the data processor may engage other data processors in carrying out its processing activities, and that a breach of the data processing rules may also constitute grounds for immediate termination of the contract.
9. Principles and basic provisions
– The principle of legality, fairness and transparency
(The recording and handling of data must be fair and lawful and transparent for the data subject.)
– The principle of purpose limitation
(According to the Privacy Act, personal data may be processed only for a specific purpose, for the purpose of exercising rights and fulfilling obligations. Data management must at all stages comply with the purpose of data management. Only personal data that is essential for the purpose and adequate to achieve the goal of data management can be managed. Personal data can only be managed to the extent and for the time necessary to achieve the goal.)
– The principle of data minimisation
(Based on the principle of data minimisation, the controller may process only personal data that are strictly necessary for the purpose of the processing.)
– The principle of accuracy
(The data processed by the controller must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes of the processing, are erased or rectified without delay.)
– The principle of limited storage
(The storage of personal data must take place in a form that permits the identification of data subjects only for the time necessary to achieve the purposes for which the personal data are processed.)
– The principle of integrity and confidentiality
(Personal data must be processed in a way as to ensure the proper security of personal data by applying appropriate technical or organizational measures, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage.)
– The principle of accountability
(The controller is responsible for complying with the principles and rules of data management, and the controller must also be able to certify this compliance.)
– The principle of data security
(The controller plans and carries out its processing operations so as to ensure the protection of the data subjects' privacy in the application of the Privacy Act and the other rules on data management. The controller ensures the security of the data, takes the technical and organisational measures and establishes the procedural rules necessary to enforce the Privacy Act and the other privacy and data protection rules. The controller protects the data by appropriate measures, in particular against unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction or damage and against unavailability resulting from changes in the technology used. To protect the data files processed electronically in its various registers, the controller ensures by technical means that, unless the law provides otherwise, the data stored in the registers cannot be directly linked and attributed to the data subject. In order to maintain security and prevent processing that infringes the GDPR, the controller evaluates the risks inherent in the nature of the processing and applies measures to mitigate them, for instance encryption. These measures ensure a level of security appropriate to the risk, including confidentiality, taking into account the state of the art, the costs of implementation, the risks, and the nature of the personal data to be protected. When assessing data security risks, the risks presented by the processing must be considered, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed, which may result in physical, material or non-material damage.)
10. The rights of the parties concerned
– The right to access
(The data subject has the right to obtain from the controller confirmation as to whether his/her personal data are being processed and, if so, access to the personal data and information on the circumstances of their processing. The controller informs the data subject of the action taken on his/her request without undue delay and in any event within one month of receipt of the request. Where necessary, taking into account the complexity and the number of requests, this period may be extended by a further two months. The controller informs the data subject of any such extension, together with the reasons for the delay, within one month of receipt of the request. If the data subject submitted the request by electronic means, the information is provided by electronic means unless the data subject requests otherwise.)
– The right to rectification
(The data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her, and to have incomplete personal data completed.)
– The right to erasure
(The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, where one of the following grounds applies:
a) the personal data are no longer needed for the purpose for which they were collected or otherwise managed;
b) the data subject withdraws his/her consent as the basis for data processing within the meaning of Article 6 (1) (a) or Article 9 (2) (a) of the GDPR and data processing has no other legal basis;
c) the data subject objects to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of the GDPR;
d) if the personal data have been unlawfully managed by the controller;
e) if the personal data must be erased in order to comply with a legal obligation to which the controller is subject;
f) personal data were collected in connection with the provision of services related to information society referred to in Article 8 (1) of the GDPR (conditions for child consent).
The data is not deleted by the controller if data management is necessary for one of the following reasons:
a) to exercise the right to freedom of expression and information;
b) for the purpose of fulfilling the obligation under the law governing the personal data processing;
c) the processing is necessary for the establishment, exercise or defence of legal claims.)
– The right to restriction of processing
(The data subject has the right to obtain from the controller the restriction of processing where one of the following applies:
a) the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the controller to verify the accuracy of the personal data;
b) data management is unlawful and the data subject objects to the deletion of the data and requests a restriction on their use instead;
c) the controller no longer needs personal data for data management purposes, but the data subject requests them for the submission, validation or protection of legal claims; or
d) the data subject has objected to the processing; in this case the restriction applies for the period until it is verified whether the legitimate grounds of the controller override those of the data subject. Where processing has been restricted, the personal data concerned may, with the exception of storage, be processed only with the data subject's consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. The controller informs the data subject before the restriction is lifted.)
– Right to object
(The data subject may, at any time, object to his/her personal data being processed based on Article 6 (1) (e) or (f) of the GDPR, including profiling based on the mentioned provisions. In this case, the controller may not further process the personal data unless it proves that data management is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject or which are related to the submission, validation or protection of legal claims.)
– Right to data portability
(The data subject has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the personal data were provided, where: a) the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) of the GDPR, or on a contract pursuant to Article 6 (1) (b) of the GDPR; and b) the processing is carried out by automated means.)
11. Detailed rules for data management
11.1. Information on data management
Data subjects are entitled to have their personal data handled in a concise, transparent and easily accessible way and receive clear and comprehensible information. If personal data is collected from the data subject, the data subject must also be informed whether he/she is obliged to disclose personal data and what the consequences of non-disclosure are. Information relating to the processing of personal data relating to the data subject shall be provided to the data subject at the time of data collection, or, if the data were collected from other sources than the data subject, they shall be made available within a reasonable period of time, taking into account the circumstances of the case. If personal data can be lawfully communicated to another addressee, the data subject shall be informed of this at the first communication with the addressee. If the controller wishes to process the personal data for a purpose other than the original purpose for which they were collected, the controller must inform the data subject about this different purpose and all other necessary information before further processing.
The information must include the following:
– the identity and contact details of the data controller
– contact details of the Data Protection Officer
– the purpose of the processing of personal data and the legal basis for data processing
– in the case of data processing based on “legitimate interest”, the legitimate interests concerned
– the addressees of the personal data
– the planned duration of data management
– the rights of the data subject
– whether data provision is a prerequisite for the conclusion of the contract or the eventual consequences in case of failure to provide the data
– any automated decision-making, including profiling
– the legal remedies available to the parties concerned
11.2 Legality of data management
The processing of personal data is legitimate if the controller has one of the following legal bases for data management:
– the data subject gave his/her consent to the processing of his/her personal data
– data management is necessary for the performance of a contract to which the data subject is party
– data management is necessary to fulfil the legal obligation of the controller
– data management is necessary to protect the vital interests of the data subject
– data management is necessary to perform a task of public interest
– data processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
11.3 The scope of the personal data processed by the controller, the purpose and legal basis of the processing and its duration are set out in the register of data management activities, which forms Annex 1 to this Regulation. The controller publishes this register on its website.
The data management register includes:
– the purpose of data management,
– the type of data,
– the legal basis for their management,
– the range of data subjects,
– the source of the data,
– the type, addressee and legal basis for the eventual data transfer,
– the deadline for deleting the given data type,
– if data processing is carried out with regard to the data, the data of the data processor, the location of data processing, the activities related to data processing of the data processor.
Separate data management notices have been prepared for the processing activities listed in the data management register; these form Annexes 1 to 21 of the register.
11.4. Duration of data management
Data can only be stored for the shortest possible period of time. When determining this time period, the reasons for which the controller handles the data and the legal obligations to maintain the data for a specified period of time should be taken into account.
11.5. Internal data transfer
Personal data may be transferred within the controller's organisation only in accordance with the principle of purpose limitation, and access to the data may be granted only where the purpose justifies it.
11.6. Data transfer to third parties
Personal data may be transferred to a third party only where provided for by law or with the consent of the data subject, and only if the conditions of processing are met for each item of personal data. Before any transfer, the controller must verify that the statutory conditions are satisfied and that the conditions of processing are met for each item of personal data after the transfer. The Data Protection Officer must also be involved in verifying the lawfulness of a transfer. Where transfers concern the same data subjects, serve the same purpose and go to the same recipient controllers, the verification is carried out once; no separate verification is needed for the subsequent transfers. The Data Protection Officer must keep a register of data transfers and store it in accordance with the applicable rules. The data transfer register must be retained until the end of the fifth year following the year of the data reception or transfer (for twenty years in the case of special categories of data).
The data transfer register includes:
– the date of the transfer of the personal data,
– the range of transferred data,
– the legal basis and addressee of the transfer (name, address, seat),
– the name and phone number of the person responsible for the transfer.
11.7 Data transfer abroad or to a third country
Prior to the data transfer – with the involvement of the data protection officer – it is the duty of the data controller to check that its legal conditions are met and that the conditions for data management are implemented for each personal data after each transfer.
11.8 The controller does not process any special categories of personal data, including biometric data.
12. Privacy incident
Under GDPR, a privacy incident means a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled.
12.1 Reporting a privacy incident
A data protection incident must be notified to the competent supervisory authority (NAIH) without undue delay and, where feasible, within 72 hours after the controller has become aware of it, unless the incident is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it must be accompanied by the reasons for the delay.
12.2 Investigation and management of a privacy incident
The Data Protection Officer examines the notification and requests the necessary information from the notifier, who must provide it immediately and no later than within 2 working days.
The information provided must include the following:
– the date and location of the incident
– the description, circumstances and effects of the incident
– the range and number of the data involved in the incident
– the persons affected by the data
– a description of the measures that were in place to prevent such an incident,
– a description of the measures taken to prevent, remedy and reduce the damage.
The Data Protection Officer will propose the necessary measures. The individual responsible for the management or processing of data shall be informed by the data protection officer of any measures taken to remedy the data protection incident within 2 working days of the implementation of the measures in question.
12.3 Registration of data protection incidents
The controller is obliged to register data protection incidents. Under the GDPR, the controller is required to take appropriate technical and organizational measures to be able to detect and evaluate vulnerabilities and security incidents. Thus, in addition to documenting data protection incidents, the controller must apply appropriate processes and measures to detect and manage security incidents in a timely manner.
13. Scope and modification of the current regulation
This regulation will enter into force on 1 March 2019. The controller is entitled to amend the regulation independently at any time – if the amendment does not conflict with the legislation in force. The regulation can be viewed at the headquarters of the controller.
Budapest, 1 March 2019
Spirit Hotel Kft.
Pocsai Alex General Manager
+36 95 889 500
info@spirithotel.hu
H-9600 Sárvár, Vadkert krt. 5.