The Vendégváró Vendégfogadó Kft., as the operator of www.gastlandbistrok.hu, http://gastlandm0.hu/, http://gastlandm1.hu/ and associated websites, is committed to protecting the personal data of its customers and partners, and attaches great importance to respecting the right of information self-determination of its customers. The Vendégváró Vendégfogadó Kft. treats personal data confidentially and takes all security, technical and organizational measures to guarantee the security of the data. Vendégváró Vendégfogadó Kft. describes its data management practices below:
Company name: Vendégváró Vendégfogadó Kft.
(1136 Budapest, Pannónia utca 19. 1. floor 4.)
Company registration number: 01-09-301151
Tax number: 26086974241
1. SCOPE OF PERSONAL DATA, PURPOSE, LEGAL BASIS AND DURATION OF PROCESSING
The data processing of the activities of Vendégváró Vendégfogadó Kft. is based on voluntary consent.
The data processing activities of Vendégváró Vendégfogadó Kft. are based on the data subject's consent.
The data processing principles of the Vendégváró Vendégfogadó Kft. are in accordance with the applicable laws on data protection, in particular with the following:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, GDPR);
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.)
Act V of 2013 - on the Civil Code (Civil Code)
Act CLV of 1997 - on Consumer Protection (Fgytv.)
Act C of 2000 - on Accounting (Accounting Act)
Act CVIII of 2001 - on certain aspects of electronic commerce services and information society services (Eker. tv.)
Act C of 2003 - on Electronic Communications (Eht.)
Act XLVIII of 2008 on Certain Restrictions on Commercial Advertising (Act XLVIII of 2008)
Act CXXXIII of 2005 - on the Rules of Personal and Property Protection and Private Investigation (Act on the Protection of Personal and Property and Private Investigation);
1.1 Customer data
The purpose of data processing is: to make purchases, bookings, issue invoices in the restaurants of Gastland Bistrok, to register and distinguish between guests, to document purchases and payments, to fulfil accounting obligations, to maintain customer relations, to analyse customer habits, to provide more targeted service.
Legal basis for data processing: processing is necessary for the performance of the contract [Article 6 (1) (b) GDPR], Section 169 (2) of the Act on Accounting.
Type of personal data processed: identification number, date, time, name, address, name, quantity, purchase price, method of payment.
Duration of data processing: eight years in accordance with Section 169 (2) of the Invoice Act. In case of payment by card, the data of the credit card and the card payment transaction are stored by K&H Bank Nyrt. (1095 Budapest, Lechner Ödön fasor 9.).
In the case of payment by bank card, the payer's ID, the amount, date and time of the transaction are stored at K&H Bank Nyrt. (1095 Budapest, Lechner Ödön fasor 9.).
Legal basis for the transfer: processing is necessary for the performance of the contract [Article 6(1)(b) GDPR].
Gastland M0 Hotel, Étterem és Konferencia Központ
Szabó Ádám Balázs EV.
3377 Szihalom Jókai Mór út 14.
Az étterem, hotel rendszergazdai feladatainak ellátása
Gastland M1 Hotel, Étterem és Konferencia Központ
Vendégváró Vendégfogadó Kft.
(1136 Budapest, Pannónia utca 19. 1. em. 4.)
Az éttermem, hotel rendszergazdai feladatainak ellátása
Peuker Tibor, Kerszocentrum Z.C.
2310 Szigetszentmiklós Bajcsy Zs. u. 43/c
Az éttermek, POS és a kasszarendszerének karbantartása
K&H Bank Nyrt.
1095 Budapest, Lechner Ödön fasor 9.
Az éttermekben, található kártyaolvasó terminálok üzemeltetése
www.gastlandbisztok.hu és aloldalai.
Across Media Kft.
Budapest, Városligeti fasor 47, 1071
A honlappal kapcsolatos feladatok ellátása
1.2 Bookings, Events
The purpose of data processing: on-line or off line reservations, birthday or other events in the restaurants of the Vendégváró Vendégfogadó Kft.
Legal basis for processing: processing is necessary for the performance of the contract [Article 6(1)(b) GDPR].
Data processed: name, telephone number, e-mail address of the customer, number of participants, name of the hostess who will host the event, any special requests, food sensitivity data, other data provided during the ordering process; for event orders placed on-line on the website www.gastlandbisztrok.hu, the same personal data.
Duration of data processing.
Across Media Kft., Budapest, Városligeti fasor 47, 1071 Budapest, Hungary.
1.3 Quality complaints handling
The purpose of the data management is the management of quality complaints related to the products and services offered by Vendégváró Vendégfogadó Kft.
Legal basis for processing: processing is necessary for the performance of the contract [Article 6 (1) (b) of GDPR] and Section 17/A (7) of the Act on the Protection of the Data of the Hungarian Consumer Protection Act.
The type of personal data processed: the unique identification number of the complaint, the name and address of the consumer, the place and time of the complaint, the manner in which the complaint was lodged, the list of documents, records and other evidence submitted by the consumer, the description of the complaint, the place and time of the recording of the report and the name and signature of the person who recorded the report.
Duration of data processing: five years in respect of copies of the minutes of the complaint and of the replies to written complaints pursuant to Article 17/A(7) of the Act on the Protection of Consumer Rights and Fundamental Freedoms, two years in respect of copies of the entries in the customer register.
Legal basis for processing: processing is necessary for the performance of the contract [Article 6(1)(b) GDPR].
1.4 Exceptional events
Purpose of the processing: management and recording of exceptional occurrences in restaurants.
Legal basis for processing: legitimate interest of the controller or other persons in the management of the exceptional occurrences [Article 6(1)(f) GDPR],
Data processed: name, address, telephone number, contact details of the injured person, date and time of the accident, description of the injury and the accident, description of the action taken by the restaurant, name of any first aid provider, name, address, telephone number and contact details of any witness, and the location of the accident.
Duration of data processing.
1.5 Objects found
Purpose of the processing: to keep a record of the objects found in the restaurants of the Guest Waiting and Waiting Accommodation Ltd.
Legal basis for data processing. 5:54. §-a.
The type of personal data processed: date and time of the find, the identity of the finder, the name of the object found, the fact whether the owner was notified, the place of storage, the signature of the finder and, in case of delivery, the signature of the recipient.
Duration of data processing: the data are deleted or destroyed after the owner has taken possession of the found object or, in the case of a transfer to the municipal clerk, after the transfer, or, in the case of a sale, after one year from the date of the find.
Data processor: authorised employees of the Vendégváró Vendégfogadó Kft.
1.6 Restaurant wifi
The Vendégváró Vendégfogadó Kft., its restaurants provide internet access to their guests via wifi connection using the services of HITELES KFT.
Please be informed that the use of the free wifi network in our restaurants is subject to a time limit. By connecting to the wifi network, guests agree to allow Vendégváró Vendégfogadó Kft. to monitor the duration of the connections based on the network unique identifier (MAC address) of the devices. After 2 hours after the 30 minute time limit has expired, the device data will be deleted. Wifi traffic in restaurants is not recorded by Vendégváró Vendégfogadó Kft.
2. ASSET PROTECTION,
Electronic surveillance system
An electronic surveillance and recording system is in place in the restaurants operated by the Hospitality and Catering Ltd., which includes cameras in the buildings and in parts of the car parks. The exact location of the cameras and the areas monitored are available in the Electronic Monitoring Information Sheet.
The purpose of data processing is to prevent and detect violations of the law, to catch offenders in the act and to prove violations of the law, to identify unauthorised persons entering the restaurant, to record the fact of entry, to document the activities of unauthorised persons, to investigate the circumstances of any accidents at work or other accidents that may occur, in order to protect human life, physical integrity and property.
Legal basis for data processing: in the case of guests, the consent of the data subject by entering the restaurant, in the case of employees, Article 11 of Act I of 2012 on the Labour Code (Labour Code), and Article 6(1)(f) of the GDPR, according to which Vendégváró Vendégfogadó Kft. has a legitimate interest in the protection of property.
The type of personal data processed: facial images of persons entering the restaurant area and using the parking road, as well as other personal data recorded by the surveillance system.
Duration of data processing: 30 days if not used [Art. 31 (3) (c) of the Act on the Protection of Personal Data].
Data processor: authorised employees of Vendégváró Vendégfogadó Kft.
Maintenance of the electronic surveillance and recording system, recording of the recordings: authorised employees of Vendégváró Vendégfogadó Kft.
Use of the recordings
Authorised employees of the Guest Waiting and Waiting Accommodation Ltd.
The right to view the recording of the cameras: the authorised employees of Vendégváró Vendégfogadó Kft.
The following persons are entitled to record the recordings of the cameras on a data carrier: the authorised employees of the Vendégváró Vendégfogadó Kft.
Persons authorised to view the recordings of the camera surveillance and recording system operated by the Guest Waiting Room Guest Accommodation Ltd.
A data subject whose right or legitimate interest is affected by the recording of an image recording may request, by justifying his or her right or legitimate interest, that the recording not be destroyed or erased by the controller until a court or public authority has requested it, but for a maximum period of 30 days. The person recorded may request information about the recording made of him by the electronic surveillance system, request a copy or, if the recording includes another person, have access to the recording. The data subject may request the deletion of the recording, the modification of the data relating to the recording or object to the processing of the data
The data controller shall keep a record of the access to the recorded recordings, the name of the person who accessed the recordings, the reason for access and the time of access.
Transmission of data: in the event of offences or criminal proceedings, to the authorities or courts conducting such proceedings.
Scope of data transmitted: recordings made by the camera system containing relevant information.
Legal basis for the data transfers: § 71 (1), § 151 (2) a) and § 171 (2) of the Criminal Code, § 75 (1) a) and § 78 (3) of the State Act.
3. COOKIE MANAGEMENT:
Pursuant to Article 20(1) of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the following must be specified in the cookie management of the website:
a) the fact of data collection,
b) the data subjects concerned,
c) the purpose of the data collection,
(d) the duration of the processing,
(e) the identity of the potential controllers who have access to the data,
(f) a description of the data subjects' rights in relation to the processing.
Fact of processing, scope of data processed: unique identifier, dates, times
Data subjects: all data subjects visiting the website.
Purpose of processing: identification of users and tracking of visitors.
Duration of data processing, time limit for deletion of data: the duration of data processing for session cookies is until the end of the visit to the websites.
Possible controllers who may have access to the data: personal data may be processed by the controller's staff, in compliance with the principles set out above.
Data subjects' rights regarding data processing.
4. HOW THE PERSONAL DATA ARE STORED, THE PROCESSING
The Vendégváró Vendégfogadó Kft., its data processors, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing, as well as the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, implement appropriate technical and organisational measures to ensure a level of data security appropriate to the level of risk.
The Vendégváró Vendégfogadó Kft., selects and operates the IT tools used to process personal data in such a way that the data processed:
accessible to those authorised to access it (availability);
its authenticity and authenticity are ensured (authenticity of processing);
its integrity can be verified (data integrity);
is protected against unauthorised access (data confidentiality).
In particular, the Vendégváró Vendégfogadó Kft. shall take appropriate measures to protect the data against unauthorised access, alteration, disclosure, disclosure, deletion or destruction, accidental destruction, damage and loss of accessibility due to changes in the technology used.
In order to protect the data files managed electronically in its various registers, the Vendégváró Vendégfogadó Kft. ensures, by means of appropriate technical solutions, that the stored data cannot be directly linked and attributed to the data subject, except where permitted by law.
The Vendégváró Vendégfogadó Kft., with regard to the current state of the art, ensures the security of data processing by means of technical, organisational and organisational measures that provide a level of protection appropriate to the risks associated with data processing.
The Vendégváró Vendégfogadó Kft. shall keep the following data during the processing
confidentiality: it protects the information so that only authorised persons have access to it;
integrity: to protect the accuracy and completeness of the information and the method of processing;
availability: it ensures that when the authorised user needs it, he has effective access to the information and the means to obtain it.
The information technology systems and networks of the Guest Waiting Guest Accommodation Ltd. and its partners involved in data processing are protected against computer fraud, espionage, sabotage, vandalism, fire and flooding, computer viruses, computer intrusions and attacks leading to denial of service. The operator ensures security through server-level and application-level protection procedures. Users are informed that electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity, contract disputes, or the disclosure or modification of information. The controller will take all reasonable precautions to protect against such threats. It monitors systems in order to record and provide evidence of any security incidents. System monitoring also allows the effectiveness of the precautions taken to be checked.
The Guest Waiting Guest Inn Ltd, as the data controller, keeps a record of any data breaches, indicating the facts related to the data breach, its effects and the measures taken to remedy it. The Vendégváró Vendégfogadó Kft. shall notify the National Authority for Data Protection and Freedom of Information of any data protection incident without delay and, if possible, no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.
5. OTHER DATA PROCESSING
We will provide information on data processing not listed in this notice at the time of collection. We inform our customers that the court, the prosecutor, the investigative authority, the criminal investigation authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorised by law may contact the controller to provide information, to disclose or transfer data, or to provide documents.
The Vendégváró Vendégfogadó Kft. shall disclose personal data to the authorities only to the extent and to the extent strictly necessary for the purpose of the request, provided that the authorities have indicated the exact purpose and scope of the data.
The data subject may request information about the processing of his or her personal data, request the rectification, erasure or withdrawal of his or her personal data, or the restriction of processing, except for mandatory processing, and exercise his or her rights of retention and objection, as indicated when the data were collected, or by contacting the Customer Service.
Gastland Restaurant and Conference Centre M1, Gastland Restaurant and Conference Centre M0
by post. 5.
6.1 Right to information:
At the request of the data subject, Vendégváró Vendégfogadó Kft. shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 of the GDPR and all the information referred to in Articles 15 to 22 and 34 of the GDPR concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language.
6.2 Right of access of the data subject:
The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, where such processing is taking place, the right to access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; the envisaged period of storage of the personal data; the right to rectification, erasure or restriction of processing and the right to object; the right to lodge a complaint with a supervisory authority; information on the data sources; the fact of automated decision-making, including profiling, and clear information on the logic used and the significance of such processing and its likely consequences for the data subject. In the event of a transfer of personal data to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer. The Vendégváró Vendégfogadó Kft. shall provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs.
At the request of the data subject, the Vendégváró Vendégfogadó Kft. shall provide the information in electronic form and in writing.
At the request of the data subject, information may also be provided orally, after the identity of the data subject has been verified and identified.
6.3 Right of rectification:
Vendégváró Vendégfogadó Kft. will correct the personal data if it is inaccurate and the correct personal data is available to it.
6.4 Right to erasure:
The data subject has the right to have personal data concerning him or her erased by Vendégváró Vendégfogadó Kft. without undue delay upon request if one of the following grounds applies:
The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
the personal data have been unlawfully processed;
the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
the personal data have been collected in connection with the provision of information society services.
The erasure of the data may not be initiated if the processing is necessary: for the exercise of the right to freedom of expression and information; for compliance with an obligation under Union or Member State law to process personal data or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for public health purposes or for archiving, scientific or historical research purposes or statistical purposes in the public interest; or for the establishment, exercise or defence of legal claims
6.5 Right to restriction of processing:
At the request of the data subject, the Vendégváró Vendégfogadó Kft., restricts the processing if one of the following conditions is met: the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the accuracy of the personal data to be verified;
The processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.
Where processing is subject to restriction, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.
The Vendégváró Vendégfogadó Kft. shall inform the data subject in advance of the lifting of the restriction on processing.
6.6 Right to data retention:
The data subject has the right to receive the personal data concerning him or her that he or she has provided to the controller in a structured, commonly used, machine-readable format and to transmit these data to another controller.
6.7 Right to object:
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on the aforementioned provisions.
In the event of an objection, the controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed by the Vendégváró Vendégfogadó Kft. for those purposes.
6.8 Automated decision-making in individual cases, including profiling:
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply where the processing is necessary for entering into, or the performance of, a contract between the data subject and the controller; is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or is based on the data subject's explicit consent.
6.9 Right of withdrawal:
The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.
6.10 Procedural rules:
The controller shall inform the data subject without undue delay, but in any event within one month of receipt of the request, of the action taken in response to the request pursuant to Articles 15-22 GDPR. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months.
The controller shall inform the data subject of the extension, stating the reasons for the delay, within one month of receipt of the request. Where the data subject has made the request by electronic means, the information shall be provided by electronic means unless the data subject requests otherwise.
If the controller does not act on the data subject's request, the data subject shall be informed without delay and at the latest within one month of receipt of the request of the reasons for the non-action and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.
The Vendégváró Vendégfogadó Kft. shall provide the requested information and notification free of charge. If the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the controller may, having regard to the administrative costs entailed in providing the information or information requested or in taking the action requested, charge a reasonable fee or refuse to act on the request.
The controller shall inform any recipient to whom or with whom the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of those recipients.
The controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in electronic format, unless the data subject requests otherwise.
6.11 Damages and compensation:
Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the GDPR is entitled to compensation from the controller or processor for the damage suffered. The processor shall be liable for damage caused by the processing only if it has failed to comply with the obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the controller. Where more than one controller or more than one processor, or both controller and processor, are involved in the same processing and are liable for the damage caused by the processing, each controller or processor shall be jointly and severally liable for the total damage. The controller or processor shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage
6.12 Right of recourse to the courts:
In the event of a breach of his/her rights, the data subject may take legal action against the controller (at the choice of the defendant's place of establishment or the data subject's place of residence). The court shall decide the case out of turn. Actions relating to the protection of personal data are free of charge.
6.13 Data protection authority procedure:
A complaint may be lodged with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
The User, prior to the first use of the booking and event reservation service provided by Vendégváró Vendégfogadó Kft. through www.gastlandbisztrok.hu and the portal linking to it, expressly acknowledges that he/she has read and accepted these Rules and expressly consents to the processing of his/her personal data provided during the booking process.