Data Management Information

Declaration on the protection of personal data.

I. GENERAL PROVISIONS



As the operator of Hotel & More Hotels Ltd., Hotel & More Holding (address: 1022 Budapest, Fillér u. 84/a; website: www.hotelandmore.hu) always ensures the legality and appropriateness of the handling of personal data it manages. This information aims to provide guests who book accommodation and provide their personal data with adequate information about the conditions and guarantees under which their data is handled, as well as the duration of this data handling. Our company adheres to the contents of this notice in all cases involving the processing of personal data and considers the terms described here as binding.

Our company’s data and contact details are as follows:
Name: Hotel & More Hotels Ltd.
Headquarters: 1022 Budapest, Fillér utca 84/a
Company registration number: 01-10-049927
Tax number: 26494515-2-41
Represented by: Balázs Lajos Klemm
Phone number: +36 1 792 2950
Email: info@hotelandmore.hu
Website: www.hotelandmore.hu
(hereinafter referred to as “Data Controller”)

Our data processing complies with the relevant laws, in particular:
➢ Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”);
➢ Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act);
➢ Act V of 2013 on the Civil Code;
➢ Act C of 2000 on Accounting;
➢ Act CL of 2017 on the Rules of Taxation;
➢ Act CXXXIII of 2005 on the Rules of Personal and Property Security, and Private Investigation Activities (hereinafter “RPPS.”);
➢ Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising;
➢ Act CVIII of 2001 on Electronic Commerce Services and on Certain Issues Related to Information Society Services.

We provide the following information regarding each data processing activity.

II. SPECIFIC DATA PROCESSING ACTIVITIES



1. DATA PROCESSING RELATED TO ONLINE ACCOMMODATION BOOKING



Our company offers the possibility of online accommodation booking to provide a fast, convenient, and cost-free way to book rooms in hotels operated by the Hotel & More Management Company.

Purpose of data processing: To facilitate booking accommodation, making it cost-free and more efficient.

Legal basis for data processing: The prior consent of the person booking the accommodation [GDPR Article 6(1)(a)], the necessity of taking steps at the request of the data subject prior to entering into a contract [GDPR Article 6(1)(b)].

Scope of personal data processed: Salutation; last name and first name; address (country, postal code, city, street, house number); phone number; email address; in the case of a business entity, company name and headquarters, bank card number, SZÉP card details (identifier, name on the card), representative, contact person’s name, email address, and phone number.

Duration of data processing: Until two years after the last day of the stay according to the booking.

Use of a data processor: Our company uses an IT service provider for the online booking system as follows.

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Providing the online booking system through the Hotelizátor system

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Website operation

By accepting this notice, the data subject expressly consents to the Data Processor engaging additional data processors to make the service more convenient and customized as follows:

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Owner of the software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations, notifications for bookings, offers, and satisfaction measurement.

Data Processor Name: Hostware Ltd.
Headquarters: 1149 Budapest, Róna utca 120-122
Description of Data Processing Task: Customer management tasks when using the Hostware Front Office hotel system.

Data Processor Name: K&H Bank Ltd.
Headquarters: 1095 Budapest, Lechner Ödön fasor 9.
Description of Data Processing Task: Conducting the necessary data communication for payment transactions between the merchant and the payment service provider system, ensuring the traceability of transactions for merchant partners.

Data Processor Name: K&H Bank Ltd.
Headquarters: 1095 Budapest, Lechner Ödön fasor 9.
Description of Data Processing Task: Conducting the necessary data communication for payment transactions between the merchant and the payment service provider system, providing customer service assistance to users, transaction confirmations, and fraud monitoring to protect users.

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Server hosting tasks

Possible consequences of failure to provide data: No contract for the hotel room will be established.

Rights of the data subject: The data subject (the person whose personal data is processed by our company) may
a) Request information and access to the personal data processed concerning them,
b) Request correction of the data,
c) Request deletion of the data,
d) Request restriction of data processing under the conditions specified in GDPR Article 18 (i.e., our company must not delete or destroy the data until requested by a court or authority, but not exceeding thirty days, and should not process the data for other purposes),
e) Object to the processing of personal data,
f) Exercise the right to data portability. This right entitles the data subject to receive their personal data in Word or Excel format and to request the transfer of these data to another data controller.

Other information related to data processing: Our company takes all necessary technical and organizational measures to avoid any possible data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record to verify the necessary measures and to inform the affected data subject, which includes the scope of personal data concerned, the scope and number of individuals affected by the incident, the date, circumstances, effects of the incident, and the measures taken to remedy it, as well as other data specified by the law mandating the data processing.

Our company has entered into a data processing agreement with the data processors in which Igor Corner Ltd. undertakes to apply the same data protection and data processing guarantees prescribed by the data processing agreement when engaging additional data processors. Thus, the lawful handling of personal data is ensured in the case of the data processor as well.

2. DATA PROCESSING RELATED TO INQUIRY



Our company provides the opportunity for guests to inquire electronically. Our company provides the inquiry via an automated system, taking into account available capacities.

Purpose of data processing: Preliminary information about hotel prices.

Legal basis for data processing: The prior consent of the person booking the accommodation [GDPR Article 6(1)(a)], and the necessity of taking steps at the request of the data subject before entering into a contract [GDPR Article 6(1)(b)].

Scope of personal data processed: Salutation; last name and first name; phone number; email address; number of guests, billing name and address, number and age of children.

Duration of data processing: Until two years after the last day of the stay according to the booking.

Use of a data processor: Our company uses an IT service provider for the online inquiry system as follows.

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Operation of the inquiry module

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Website operation

By accepting this notice, the data subject expressly consents to the Data Processor engaging additional data processors to make the service more convenient and customized as follows:

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Owner of the Hotelizátor software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations, notifications for bookings, offers, and satisfaction measurement.

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Server hosting tasks

Possible consequences of failure to provide data: The hotel cannot provide an inquiry.

Rights of the data subject: The data subject (the person whose personal data is processed by our company) may
a) Request information and access to the personal data processed concerning them,
b) Request correction of the data,
c) Request deletion of the data,
d) Request restriction of data processing under the conditions specified in GDPR Article 18 (i.e., our company must not delete or destroy the data until requested by a court or authority, but not exceeding thirty days, and should not process the data for other purposes),
e) Object to the processing of personal data,
f) Exercise the right to data portability. This right entitles the data subject to receive their personal data in Word or Excel format and to request the transfer of these data to another data controller.

Other information related to data processing: Our company takes all necessary technical and organizational measures to avoid any possible data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record to verify the necessary measures and to inform the affected data subject, which includes the scope of personal data concerned, the scope and number of individuals affected by the incident, the date, circumstances, effects of the incident, and the measures taken to remedy it, as well as other data specified by the law mandating the data processing.

Our company has entered into a data processing agreement with the data processors in which Igor Corner Ltd. undertakes to apply the same data protection and data processing guarantees prescribed by the data processing agreement when engaging additional data processors. Thus, the lawful handling of personal data is ensured in the case of the data processor as well.

3. DATA PROCESSING RELATED TO SERVICE PROVISION AND BILLING



Our company, Hotel & More, processes the personal data of guests to fulfill the contracts established with them, including the payment of fees for services utilized at the hotel.

Purpose of data processing: Utilization of services provided by hotels operated by Hotel & More, determining the fees, and billing.

Legal basis for data processing: Necessity for the performance of a contract in which the data subject is a party [GDPR Article 6(1)(b)], and compliance with legal obligations according to Sections 69 (1) and (2) of Act C of 2000 on Accounting [GDPR Article 6(1)(c)].

Scope of personal data processed: Last name, first name, address.

Duration of data processing: From the provision of personal data by the data subject until five years after the contract's fulfillment (statute of limitations). If an invoice is issued, the data processing duration is eight years from the date the financial report, business report, or accounting records for the given fiscal year are prepared.

Use of a data processor: Our company uses the assistance of an accountant for billing tasks as follows.

Data Processor Name: MT Szignál Ltd.
Headquarters: 1163 Budapest, Veres Péter u. 51.
Description of Data Processing Task: Accounting tasks.

Possible consequences of failure to provide data: The data subject cannot utilize the services of hotels operated by Hotel & More.

Rights of the data subject: The data subject (the person whose personal data is processed by our company) may
a) Request information and access to their personal data,
b) Request correction of the data,
c) Request deletion of the data,
d) Request restriction of data processing under the conditions specified in GDPR Article 18 (i.e., our company must not delete or destroy the data until requested by a court or authority, but not exceeding thirty days, and should not process the data for other purposes),
e) Object to the processing of personal data,
f) Exercise the right to data portability. This right entitles the data subject to receive their personal data in Word or Excel format and to request the transfer of these data to another data controller.

Other information related to data processing: Our company takes all necessary technical and organizational measures to avoid any possible data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record to verify the necessary measures and to inform the affected data subject, which includes the scope of personal data concerned, the scope and number of individuals affected by the incident, the date, circumstances, effects of the incident, and the measures taken to remedy it, as well as other data specified by the law mandating the data processing.

Our company has entered into a data processing agreement with the data processors in which MT Szignál Ltd. undertakes to apply the same data protection and data processing guarantees prescribed by the data processing agreement when engaging additional data processors. Thus, the lawful handling of personal data is ensured in the case of the data processor as well.

4. DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTION



Our company maintains contact with guests through newsletters, offering services and informing them about news and promotions related to our operations.

Purpose of data processing: Maintaining contact with potential hotel guests, partners, and developing business relationships with guests.

Legal basis for data processing: The consent of the data subject [GDPR Article 6(1)(a)].

Scope of personal data processed: Last name, first name, email address.

Duration of data processing: Until unsubscribing from the newsletter.

Use of a data processor: Our company uses an IT service provider for the online accommodation system as follows.

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Operation of the inquiry module and website operation.

By accepting this notice, the data subject expressly consents to the Data Processor engaging additional data processors to make the service more convenient and customized as follows:

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13.
Description of Data Processing Task: Operation of the newsletter sending system.

Possible consequences of failure to provide data: The data subject will not receive newsletters from our company.

Rights of the data subject: The data subject (the person whose personal data is processed by our company) may
a) Request information and access to their personal data,
b) Request correction of the data,
c) Request deletion of the data,
d) Request restriction of data processing under the conditions specified in GDPR Article 18 (i.e., our company must not delete or destroy the data until requested by a court or authority, but not exceeding thirty days, and should not process the data for other purposes),
e) Object to the processing of personal data,
f) Exercise the right to data portability. This right entitles the data subject to receive their personal data in Word or Excel format and to request the transfer of these data to another data controller.

You can unsubscribe from the newsletter at any time by sending an email to info@hotelandmore.hu or by clicking on the unsubscribe icon in the newsletter. In this case, we will promptly delete the personal data related to the newsletter from our database.

Other information related to data processing: Our company takes all necessary technical and organizational measures to avoid any possible data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, we maintain a record to verify the necessary measures and to inform the affected data subject, which includes the scope of personal data concerned, the scope and number of individuals affected by the incident, the date, circumstances, effects of the incident, and the measures taken to remedy it, as well as other data specified by the law mandating the data processing.

Our company has entered into a data processing agreement with the data processors in which Igor Corner Ltd. undertakes to apply the same data protection and data processing guarantees prescribed by the data processing agreement when engaging additional data processors. Thus, the lawful handling of personal data is ensured in the case of the data processor as well.


5. PERSONAL DATA PROCESSING RELATED TO SATISFACTION MEASUREMENT



Our goal is to provide high-quality services to Hotel & More guests, so we continuously request feedback from our guests about their experiences during their stay at our hotel.

Purpose of Data Processing: Requesting feedback from hotel guests to further develop and improve our services.

Legal Basis: Legitimate interest of the Data Controller [GDPR Article 6(1)(f)], consent of the data subject [GDPR Article 6(1)(a)].

Legitimate Interest: Our company has a legitimate interest in obtaining information from feedback to improve our services.

Scope of Personal Data Processed: First and last name, gender, email address, arrival and departure dates.

Duration of Data Processing: Two years from the last day of the stay as per the booking.

Use of Data Processors: Our company uses the assistance of an IT service provider for the online accommodation system as follows.

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13
Description of Data Processing Task: Operation of the satisfaction measurement module

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13
Description of Data Processing Task: Operation of the website

By accepting this notice, the data subject expressly consents to the Data Processor using additional data processors to make the service more convenient and personalized as follows:

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13
Description of Data Processing Task: Owner of the Hotelizátor software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations, notifications in case of booking, offers, and satisfaction measurements.

Possible Consequences of Failure to Provide Data: The data subject will not receive a satisfaction survey from our company.

Rights of the Data Subject: The data subject (the person whose personal data is processed by our company) may:
a) request information about the processing of personal data concerning them and access to these personal data,
b) request the rectification of these data,
c) request their deletion,
d) request the restriction of processing of personal data under the conditions specified in Article 18 of the GDPR (i.e., our company should not delete or destroy the data until it is requested by a court or authority, but for a maximum of thirty days, and beyond this, the data should not be processed for other purposes),
e) object to the processing of personal data,
f) exercise the right to data portability. This means that the data subject is entitled to receive the personal data concerning them in Word or Excel format and to request the transfer of these data to another data controller specified by the data subject.

Other Information Related to Data Processing: Our company takes all necessary technical and organizational measures to prevent any data protection incident (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, we maintain records to verify the necessary measures taken and inform the data subject. These records include the scope of personal data affected, the number and scope of data subjects affected by the data protection incident, the date, circumstances, and effects of the data protection incident, and the measures taken to address it, as well as other data specified by law.

Our company has entered into a data processing agreement for data processing tasks, in which Igor Corner Ltd. undertakes to apply the same data protection and data processing guarantees required by the data processing agreement when using additional data processors, ensuring the lawful processing of personal data by the data processor as well.

6. COOKIE MANAGEMENT



To provide personalized services, the Data Controller places a small data packet, known as a cookie, on the user's computer and reads it during subsequent visits. If the browser sends back a previously saved cookie, the cookie handler can link the user's current visit with previous ones, but only with regard to its own content.

Purpose of Data Processing: Identifying users, tracking them, distinguishing between them, identifying the current session of users, storing data provided during that session, preventing data loss, web analytics measurements, and personalized service.

Legal Basis: Consent of the data subject [GDPR Article 6(1)(a)].

Scope of Data Processed: Date, time, and previously visited pages.

Duration of Data Processing: Up to 30 days from the visit to the website.

Use of Data Processors: Our company uses the assistance of an IT service provider for the online accommodation system as follows:

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13
Description of Data Processing Task: Recording visitor data

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13
Description of Data Processing Task: Operation of the website

Additional Information on Data Processing: Users can delete cookies from their own computers and can also disable cookies in their browser settings.

For more information on setting cookie preferences in browsers, see the following guidelines:

• Internet Explorer
• Firefox
• Chrome
• Safari

Possible Consequences of Failure to Provide Data: The inability to use the services described in points II.1-5.

7. WEBSITE SERVER LOGGING



When visiting the website www.hotelandmore.hu, the web server automatically logs the user’s activities.

Purpose of Data Processing: The provider logs visitor data to monitor the functioning of the services and prevent misuse during the visit to the website.

Legal Basis: Legitimate interest of the Data Controller [GDPR Article 6(1)(f)].

Description of Legitimate Interest: Our company has a legitimate interest in ensuring the secure operation of the website.

Types of Personal Data Processed: IP address, identification number, date, time, and the URL of the visited page.

Duration of Data Processing: Up to 90 days from the visit to the website.

Use of Data Processors: Our company utilizes the assistance of an IT service provider for the online accommodation system as follows:

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13
Description of Data Processing Task: Recording visitor data and information necessary for server operation

Data Processor Name: Igor Corner Internet Ltd.
Headquarters: 9730 Kőszeg, Táncsics Mihály utca 13
Description of Data Processing Task: Operation of the website

Additional Information: During the analysis of log files, our company does not combine the data with other information and does not aim to identify users. The URLs of visited pages, as well as date and time data, are not sufficient alone to identify the individual, but when combined with other data (e.g., provided during registration), they could be used to draw conclusions about the user.

Data Processing by External Service Providers:
The portal’s HTML code contains links to and from external servers independent of our company. These external servers communicate directly with the user’s computer. We would like to alert visitors that service providers of these links can collect user data (e.g., IP address, browser, operating system information, mouse movements, URL of the visited page, and visit time) due to direct interaction with the user's browser. The IP address is a number that uniquely identifies users’ computers and mobile devices on the internet.

IP addresses can even be used to geographically locate the user’s computer. The URLs of visited pages, as well as date and time data, are not sufficient alone to identify the individual, but when combined with other data (e.g., provided during registration), they could be used to draw conclusions about the user.

8. OTHER DATA PROCESSING



For data processing not listed in this notice, we will provide information at the time of data collection. We inform our clients that certain authorities, public bodies, and courts may request personal data from our company. Our company will only disclose personal data to these entities to the extent necessary to fulfill the purpose specified by the requesting authority and if required by law.

III. STORAGE OF PERSONAL DATA AND DATA SECURITY



Our company’s IT systems and other data storage locations are located at the headquarters and on servers rented by the data processor. Our company selects and operates IT tools used for data processing in a manner that ensures the data:

a) is accessible to authorized persons (availability);
b) is accurate and authenticated (data accuracy);
c) remains unchanged (data integrity);
d) is protected against unauthorized access (data confidentiality).

We pay special attention to data security and take technical and organizational measures and establish procedures necessary to ensure GDPR compliance. We protect data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental loss or damage, and from becoming inaccessible due to changes in technology.

Both our company’s and our partners’ IT systems and networks are protected against computer-assisted fraud, viruses, hacking, and denial-of-service attacks. The operator ensures security through server-level and application-level protective procedures. Daily backups of data are in place. To prevent data protection incidents, our company takes all possible measures and, if such an incident occurs, takes immediate action to minimize risks and mitigate damages according to our internal regulations.

IV. RIGHTS OF DATA SUBJECTS AND REMEDIES



The data subject may request information about the processing of their personal data and may request the correction, deletion, or withdrawal of their personal data, except for mandatory data processing, and exercise their rights to data portability and objection through the means indicated at the time of data collection or through the contact details of the data controller provided above.

Upon request, we will provide the information in electronic form without undue delay, but no later than within 30 days, in accordance with our relevant policy. Requests for the fulfillment of the rights listed below will be processed free of charge.

Right to Information:

Our company takes appropriate measures to ensure that all information related to the processing of personal data, as outlined in GDPR Articles 13 and 14, and notifications according to Articles 15–22 and 34, are provided to data subjects in a concise, transparent, intelligible, and easily accessible form, clearly and in plain language, while remaining precise.

The right to information can be exercised in writing through the contact details provided in point 1. Upon request and after verifying the data subject’s identity, information may also be provided verbally. We inform our clients that if our staff has doubts about the data subject’s identity, we may request additional information to confirm their identity.

Right of Access:

The data subject has the right to receive feedback from the data controller regarding whether their personal data is being processed. If personal data is being processed, the data subject is entitled to access the personal data and the following information:

• The purposes of data processing;
• The categories of personal data concerned;
• The recipients or categories of recipients with whom or which the personal data has been shared or will be shared, including particularly third countries (non-EU countries) or international organizations;
• The planned duration of data storage;
• The rights to rectification, deletion, or restriction of processing and the right to object;
• The right to lodge a complaint with a supervisory authority;
• Information about the sources of the data;
• The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and expected consequences of such processing for the data subject.

In addition, if personal data is transferred to a third country or international organization, the data subject has the right to be informed of the appropriate safeguards for such transfers.

Right to Rectification:

Under this right, individuals may request the correction of inaccurate personal data or the completion of incomplete data that is held by our company.

Right to Erasure (Right to be Forgotten):

The data subject is entitled to request the deletion of their personal data without undue delay if one of the following grounds applies:

a) The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b) The data subject withdraws their consent on which the processing is based, and there is no other legal ground for processing;
c) The data subject objects to the processing and there are no overriding legitimate grounds for processing;
d) The personal data has been unlawfully processed;
e) The personal data must be erased to comply with a legal obligation under Union or Member State law to which the data controller is subject;
f) The personal data was collected in relation to offering information society services.

Deletion of the data cannot be requested if the processing is necessary for:
a) Exercising the right to freedom of expression and information;
b) Compliance with a legal obligation under Union or Member State law;
c) Reasons of public interest in the area of public health, or for archiving, scientific or historical research purposes or statistical purposes in the public interest;
d) Establishing, exercising, or defending legal claims.

Right to Restriction of Processing:

Upon request, we will restrict processing under the conditions set out in Article 18 of the GDPR, namely if:
a) The data subject contests the accuracy of the personal data, in which case the restriction applies for a period enabling the accuracy of the personal data to be verified;
b) The processing is unlawful, and the data subject opposes the deletion of the data and instead requests restriction of its use;
c) The data controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims;
d) The data subject has objected to the processing; in this case, the restriction applies for the period while it is determined whether the legitimate grounds of the data controller override those of the data subject.

If processing is restricted, the personal data may, with the exception of storage, be processed only with the data subject’s consent, for the establishment, exercise, or defense of legal claims, to protect the rights of another natural or legal person, or for reasons of important public interest in the Union or a Member State. The data subject must be informed before the restriction on processing is lifted.

Right to Data Portability:

The data subject has the right to receive the personal data concerning them, which they have provided to the data controller, in a structured, commonly used, and machine-readable format, and to transmit those data to another data controller. Our company can fulfill such a request in Word or Excel format.

Right to Object:

If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such purposes, including profiling related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data must no longer be processed for such purposes.

Automated Decision-Making in Individual Cases, Including Profiling:

The data subject has the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them. This right does not apply if the processing is:

a) Necessary for the performance of a contract between the data subject and the data controller;

b) Authorized by Union or Member State law to which the data controller is subject, which also provides appropriate measures to safeguard the data subject’s rights and freedoms, as well as legitimate interests;

c) Based on the data subject’s explicit consent.

Right to Withdraw Consent:

The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Procedural Rules:

The data controller will inform the data subject of the measures taken in response to a request under Articles 15-22 of the GDPR without undue delay, but at the latest within one month of receiving the request. If necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The data controller will inform the data subject of any extension of the deadline, including the reasons for the delay, within one month of receiving the request.

If the data subject has submitted the request electronically, the information will be provided electronically, unless otherwise requested by the data subject.

If the data controller does not take action in response to the data subject’s request, it will inform the data subject without undue delay, and at the latest within one month of receiving the request, of the reasons for not taking action and of the data subject’s right to lodge a complaint with a supervisory authority and to seek judicial remedy.

The data controller will notify all recipients with whom the personal data has been shared of any corrections, deletions, or restrictions on processing, except where this proves impossible or involves a disproportionate effort. The data subject will be informed of these recipients upon request.

Compensation and Damages:

Any person who has suffered material or non-material damage as a result of an infringement of the data protection regulation is entitled to compensation from the data controller or processor for the damage suffered. The processor is only liable for damages if it has not complied with specific obligations imposed on processors by the law or if it has acted contrary to lawful instructions of the data controller. If multiple controllers or processors or both the controller and processor are involved in the same processing, and are liable for the damage caused by the processing, each controller or processor is liable for the full damage.

The data controller or processor is exempt from liability if it can prove that it is not responsible for the event causing the damage.

Right to Legal Action and Data Protection Authority Proceedings:

If the data subject believes that the data controller has infringed their right to the protection of personal data, they may seek redress from the competent authorities as follows:

File a complaint with the National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.;
Website: www.naih.hu;
Email: ugyfelszolgalat@naih.hu;
Phone: +36-1-391-1400

Contact the competent court.
The court will handle the case as a matter of urgency.
The data controller undertakes to fully cooperate with the court or the NAIH during these procedures and to provide data related to the processing to the NAIH or the competent court.

V. MISCELLANEOUS PROVISIONS



The data controller commits to ensuring that all data processing activities related to its operations comply with this notice, the data controller’s internal regulations (which meet the same requirements as this notice), and the applicable legal requirements.

The data controller reserves the right to modify this notice at any time and will inform the data subjects about any changes through a notice posted on the Hotel & More website after such changes have been made.

For any questions regarding this notice, please contact us via email.

Last updated: 23 May 2018.
