PRIVACY STATEMENT

DECLARATION OF DATA PROTECTION

Data management information

Company Name: NIMFEUM Limited Liability Company

Registered office: 8261 Badacsonytomaj, Bogyay Lajos út 6.

Company registration number: 19 09 516920

Name of the representative: Simon Beáta Managing Director

The purpose of the Data Management Information (hereinafter: the Prospectus) is to ensure that the data management related to the commercial, accommodation and other activities of NIMFEUM Kft. (hereinafter: Our Company) complies with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter “GDPR”) and Act CXII of 2011 on the right to information self-determination and freedom of information (hereinafter: InfoAct.).

The purpose of the Prospectus is to provide data subjects with clear and detailed information on all facts relating to the processing of their data, even before or during the commencement of data processing, in particular the purpose and legal basis of the data processing, the person entitled to the data processing and the processing, the duration of the data processing and who may know the data.

The establishment and amendment of the Prospectus is the responsibility of the Executive Director.

The Prospectus is published on the Company’s website and is also available to the persons concerned at the Company’s registered office or commercial units.

Date: Badacsonytomaj, May 15, 2021.

Simon Beáta, managing director

Table of contents

I. General provisions

II. Legality of data processing

III. Processing of personal data in case of contact

IV. Data management related to the accommodation service activities of Villa Salve Panzió

V. Electronic monitoring system

VI. Data management on the Facebook page

VII. Data management related to the organization of a prize game

VIII. Cookies

IX. Contractual data processing

X. Data processing based on legal obligations

XI. Data management for the fulfillment of tax and accounting obligations

XII. Data management to meet anti-money laundering obligations

XIII. Data Security

XIV. Contractual partners in data management

XV. Data protection rights and remedies of the data subject

XVI. Management of privacy incidents

XVII. Final provisions

Chapter I.

General provisions

Our company declares that it carries out its data management activities in accordance with the GDPR, InfoAct. and all other relevant legislation.

The purpose of the Prospectus is to establish internal rules and measures that ensure that the activities of our Company’s data controller comply with legal provisions.

The scope of the Prospectus extends to all natural persons whose personal data is processed by our Company and to employees of our Company who process personal data.

Terms used in the Prospectus:

  1. Data subject: a natural person identified or identifiable on the basis of any information;
  2. Personal data: any information about the data subject;
  3. Data management: any operation or set of operations on the data, regardless of the procedure used, in particular the collection, recording, systematization, storage, alteration, use, retrieval, transmission, disclosure, coordinating or linking, blocking, deleting and destroying the data and preventing their further use, taking photographs, sound or images, and physical characteristics that can identify the person (e.g. fingerprints or palmprints, DNA sample, iris image);
  4. Data controller: a natural or legal person or an organization without legal personality, who, within the framework set by – or a binding act of the European Union, – alone or together with others determines the purpose of the processing of the data, make and implement decisions on data management (including the means used) or implement it with the data processor;
  5. Data processor: a natural or legal person or an organization without legal personality who, within the framework and under the conditions set out in – law or a binding act of the European Union –, the controller.
  6. Consignee: a natural or legal person or an organization without legal personality to whom personal data are made available by the controller or the processor;
  7. Third party: a natural or legal person or an organization without legal personality who is not the same as the data subject, the controller, the processor or the persons, who carry out personal data processing operations under the direct control of the controller or processor;
  8. Consent: a voluntary, firm and well-informed statement of the will of the data subject, indicating by means of the declaration concerned or other conduct which unequivocally expresses his will, to consent to the processing of personal data concerning him or her;
  9. Data protection incident: a breach of data security which results in the accidental or unlawful destruction, loss, alteration, unauthorized transfer or disclosure of personal data transmitted, stored or otherwise handled, or results in unauthorized access to them;
  10. Data transfer: making the data available to a specific third party;
  11. Disclosure: making data available to anyone.

Chapter II.

Legality of data processing

Our company may only process personal data for clearly defined, legitimate purposes, in order to exercise a right and fulfill an obligation. At all stages of data management, the purpose of the data processing must be met, the collection and processing of the data must be fair and lawful.

Our company can only process personal data that is essential for the realization of the purpose of data management and suitable for the achievement of the purpose. Personal data may be processed only to the extent and for the time necessary to achieve the purpose.

The processing of personal data is lawful if:

(a) it is required by law for reasons of public interest;

(b) the data subject has expressly consented to the processing of personal data;

(c) is necessary and proportionate to protect the vital interests of the data subject or of another person and to eliminate or prevent an imminent threat to the life, physical integrity or property of persons, or

(d) the personal data have been expressly disclosed by the data subject and are necessary and proportionate to achieve the purpose of the processing.

Chapter III.

Processing of personal data in case of contact

  1. If the natural person wants to receive information from our Company, he can send a message or inquire at our telephone number via the website (www.villasalve.hu) or at the contact details provided there. (legal basis of data management)
  2. Our company records these contacts together with the provided personal data, and our employees contact the data subject at the given e-mail address or telephone number and provide information to him.
  3. The data provided during the contact will be stored by our Company for a maximum of one year. If the data subject withdraws his or her consent to the processing, either in writing or by telephone, we will immediately delete his or her personal data from our records.
  4. When contacting us in writing via the www.villasalve.hu website, the natural person declares by ticking the relevant box that he has read this Privacy Policy and consents to the processing of his or her personal data. The person sending the e-mail via the website must provide the following information to contact us:
     (a) the name of the natural person (surname, first name),
     (b) telephone number,
     (c) e-mail address.

  5. It is also possible to contact our Company by phone. If the conversation is recorded, our staff will inform the person concerned at the beginning of the conversation. The data subject’s attention must then be drawn to the fact that we have included our Data Management Information on our Company’s website. The caller must also be informed that the personal data he has provided will be processed for a maximum of one year. The caller should also be made aware that he may withdraw his consent to the processing, in which case we will delete his personal data from our records without delay.

Chapter IV.

Data management related to the accommodation service activities of Villa Salve Panzió

  1. Villa Salve Panzió (address: Badacsonytomaj, Bogyay Lajos út 6, 8261) manages on the website www.villasalve.hu and on other Internet interfaces operated by accommodation reservation companies (eg www.szallas.hu, www.booking.com) provided personal information (name, date of birth, address, bank card details of the accommodation provider), which are automatically forwarded to our Company by the booking executors (legal basis of data management) for the purpose of booking the requested room on certain days (purpose of data management).
  2. The person who is listed in Annex III also consents to the processing of his / her personal data (name, date of birth, address, bank card details of the accommodation provider). When contacting the property in accordance with Chapter II, enter your details for the purpose of booking the accommodation (purpose of data management).
  3. Our company manages the data of those arriving at Villa Salve Pension in accordance with the provisions of Act CLVI of 2016 on the state tasks of the development of tourist areas. In this case, the processing is carried out on the basis of Article 6 (1) (c) of the GDPR (the processing is necessary for the fulfillment of the legal obligation of the controller).
  4. Section 9/H (1) – (3) of Act CLVI of 2016 on the state tasks of the development of tourist areas:

“(1) Accommodation provider – to protect the rights, security and property of the data subject and others, and in order to verify compliance with the provisions on the residence of third-country nationals and persons enjoying the right of free movement and residence, – records at check-in at the hosting provided by the hosting provider designated by the Government Decree

(a) the surname and first name, surname and first name of birth, place and date of birth, sex, nationality and mother’s surname and first name of the accommodation service,

(b) the identity of the identity document or travel document of the recipient of the accommodation service, in the case of a third-country national, the number of the visa or residence permit, the date and place of entry, and

(c) the address of the accommodation service, the start and expected and actual end dates of the use of the accommodation.

(2) The recipient of the accommodation service shall present the document referred to in paragraph 1 (b) to the accommodation provider for the purpose of recording the data. In the absence of presentation of the document, the accommodation provider refuses the accommodation service. Data not included in the document referred to in paragraph 1 (b) need not be recorded.

(3) The accommodation provider shall be informed of the data specified in paragraph 1 (a) and (b) of the accommodation service user.”

  5. Personal data are stored until the last day of the first year following its notification under Act CLVI of 2016 on the state tasks of the development of tourist areas, i.e. for a maximum of two years; our company then deletes the personal data.

Chapter V.

Electronic monitoring system

1. In the area of Villa Salve Panzió, our company uses an electronic monitoring system for the prevention, detection and proof of violations in order to ensure human life, physical integrity, personal freedom and property protection, which also enables image recording.

2. The legal basis for data management is the legitimate interest of our company [GDPR Article 6 (1) (f)], subject to Section 31 of Act CXXXIII of 2005 on the rules of personal and property protection and private investigation.

3. The scope of the managed data: the facial image of the persons entering the area, the physical characteristics and behavior of the persons enabling other personal identification; the registration number and characteristics of the vehicles entering the area.

4. A warning signal and information on the fact of the application of the electronic monitoring system must be placed in a conspicuous place, legibly, in a way that facilitates the information of persons wishing to enter the territory of Villa Salve Pension. This information includes the fact of the monitoring by the electronic property protection system, as well as the purpose of the recording and storage of personal data recorded by the system, the legal basis of the data processing, the place of storage of the recording, information on the duration of storage, the identity of the (operator) applying the system, the persons authorized to access the data, as well as the provisions on the rights and enforcement of the data subjects.

5. Duration of data management: In the absence of use, the recorded recording will be destroyed or deleted at most 3 days after the recording. In this respect, it is considered to be its use if the recorded recording and other personal data are used as evidence in judicial, official, labor law or other proceedings.

6. The reason for and time of accessing the recorded image, as well as the identity of the person accessing it, must be recorded in the minutes. An electronic register containing this information in a verifiable manner shall also be considered a protocol.

7. Our company does not use an electronic monitoring system in the guest rooms of the pension or in a room in which the observation may violate human dignity.

8. In addition to those authorized to do so by law, the management staff (port service staff) and certain employees of our Company are entitled to view the data recorded with the electronic monitoring system for the purpose of detecting violations and checking the operation of the system in order to supply.

9. The recordings are stored at our company’s headquarters, where they can be viewed. The reason for and time of accessing the image recorded through the operation of the electronic monitoring system, and the identity of the person accessing it, shall be recorded in the minutes. An electronic register containing this information in a verifiable manner shall also be considered a protocol.


Chapter VI.

Data management on the Facebook page

  1. Our company maintains a Facebook page (Villa Salve Badacsony; @VillaSalveBadacsony) in order to introduce and promote the activities of our company.
  2. We do not collect, process or store personal information published by visitors on our Facebook page. Visitors to our company’s Facebook page are governed by the Facebook Privacy and Service Terms. The question asked on Facebook does not constitute an official complaint.
  3. In case of illegal or offensive content, our company may exclude the data subject or delete its post without prior notice.
  4. Our company is not responsible for any unlawful data content or comments published by Facebook users, or for errors, malfunctions or problems arising from the operation of Facebook.

Chapter VII.

Data management related to the organization of a prize game

  1. If our Company organizes a prize competition, it handles the personal data of the data subjects based on the consent of the participants (legal basis of data management): name, address, telephone number, e-mail address. Participation in the game is voluntary, the rules of the given prize competitions are included in separate rules of the game. The data management consent may be requested with the content according to the relevant data request form when applying for each prize competition.
  2. The purpose of the processing of personal data: to establish and notify the winner of the prize competitions, to send the prize. Legal basis for data processing: consent of the data subject.
  3. Managers of personal data: Employees of our company performing prize competition tasks.
  4. Duration of storage of personal data: 1 year after the prize competition.

Chapter VIII.

Cookies

  1. Our company’s website (www.villasalve.hu) automatically collects data through the use of so-called cookies. A cookie is a small text file that stores Internet settings. Almost every website uses this technology.

When the person concerned first visits the website, the cookie is automatically downloaded by his or her browser if he or she consents. The next time the person accesses the website from the same device, the cookie – and the information contained therein – will be returned to the website that created it (a so-called own cookie), or sent to another website to which it belongs (a so-called partner cookie). This allows the website to recognize that the page has been opened with this browser and in some cases to modify the displayed content. You can find more information about the cookies used on our websites on the links placed on each website, including the consequences of a general ban on the use of cookies.

2. With the help of cookies, the server has the opportunity to identify the given user, collect various information about it and make analyzes of it. The main functions of cookies are:
(a) collect information about visitors and their devices;
(b) note the individual settings of the visitors, which can be used e.g. for online transactions, so you don’t have to retype them;
(c) facilitate, simplify, make the use of the website easier and smoother;
(d) make it unnecessary to re-enter data already provided;
(e) they usually improve the user experience.

3. With the consent of the data subject, our company performs data management using cookies, the main purposes of which are: identification of the user, identification of each session, identification of the devices used for access, storage of certain specified data, storage and transmission of tracking and location information, storage and transmission of data required for analytical measurements.

4. The legal basis for data processing is the consent of the data subject. The scope of the managed data: the IDs of the data subject (user ID, session ID, device ID), the date of entry and the duration of use, the GPS coordinate of the user.

Duration of data processing: 1 year from the granting of the data subject’s consent.

Chapter IX.

Contractual data processing

  1. In order to conclude, fulfill and terminate the contract, our company manages the name, birth name, date of birth, mother’s name, address, tax identification number, tax number, identity card number, address, telephone number and e-mail address of the natural person contracted with it. If any of the listed data is not required for the conclusion of the contract, our staff will not request it from the data subject.

Data processing is also considered lawful if the data processing is necessary to take measures at the request of the data subject before the conclusion of the contract.

  2. Managers of personal data: Our company’s employees and data processors performing customer service, accounting and taxation tasks.

The period of storage of personal data is 3 years after the termination of the contract. If the contract is not concluded after the data management, the data will be deleted by our Company immediately.

  3. Persons wishing to establish a contractual relationship with our Company must be informed before the start of data management that the data management is based on the right to perform the contract. The information can be provided in the contract (by accepting the information in the text of the contract by signing the contract) and by providing the data necessary for the conclusion of the contract, by filling in and signing the appropriate form.
  4. Our company may not link the conclusion or performance of the contract to the provision of consent to the processing of personal data that are not necessary for the performance of the contract.
  5. In the case of legal entity customers, our company manages the names, telephone numbers and e-mail addresses of the natural persons representing the legal entity in connection with the conclusion of the contract.

Chapter X.

Data processing based on legal obligations

  1. The data processing carried out in order to fulfill the legal obligation is independent of the data subject’s consent, as the data processing is prescribed by law, its legal basis, the scope of the data and the rules of data management have been defined by law.
  2. The data subject must be informed before the start of data processing on the basis of which legislation the data processing is mandatory.
  3. Before commencing data processing, the data subject shall be clearly and in detail informed of all facts relating to the processing of his or her data, in particular the purpose and legal basis of the processing, the person entitled to data processing and data processing, the duration of the processing and storage of data, the processing of the data subject’s personal data by the data controller in accordance with its legal obligation and who may know the data. The information should also cover the data subject’s rights and remedies in relation to the processing. In the case of mandatory data processing, the information may also be provided by reference to legal provisions.

Chapter XI.

Data management for the fulfillment of tax and accounting obligations

  1. Our company handles the data of natural persons entering into a contractual relationship with it for the purpose of fulfilling the tax and accounting obligations prescribed by law (accounting, taxation).
  2. The period of storage of personal data in the event of the fulfillment of tax and accounting obligations is 5 years after the termination of the legal relationship giving rise to the legal basis, unless otherwise provided by law.
  3. Managers of personal data: Employees and data processors of our company performing tax, accounting, payroll and social security tasks.

Chapter XII.

Data management to meet anti-money laundering obligations

  1. In order to fulfill its legal obligation to prevent and combat money laundering and terrorist financing, our company manages the personal data of its customers, their representatives and the beneficial owners as defined in Act LIII of 2017 on the prevention and combating of money laundering and terrorist financing (Pmt.): name, birth name, citizenship, place and date of birth, mother’s birth name, address (place of residence), type and number of identification document, the number of the official card certifying the address, a copy of the documents presented.
  2. Managers of personal data: Employees of our company.
  3. The period of storage of personal data is 5 years from the termination of the contractual relationship.

 

Chapter XIII.

Data Security

  1. In order to ensure the security of personal data, our company will take the technical and organizational measures and establish the procedural rules that are necessary for the effective enforcement of the Regulation and the InfoAct. It shall protect the data by appropriate measures against accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure or unauthorized access.
  2. Our company imposes an obligation of confidentiality on employees regarding the processing of personal data.
  3. Our company protects its IT systems with a firewall and with virus protection.
  4. Our company performs electronic data processing and registration through a computer program that meets the requirements of data security. The program ensures that only those persons who need it in order to perform their duties have access to the data under targeted, controlled conditions.
  5. Only the competent employees have access to the documents in progress and in processing. Documents containing staff, wage and labor and other personal data must be kept securely locked up. Adequate physical protection of data and the means and documents that carry them must be ensured.

Chapter XIV.

Contractual partners in data management

  1. Our company uses contractual partners to operate the customer database related to the contracts and the website, as well as to perform its data management operations related to the performance of its tax, payroll and social security (payrollers) tasks. No substantive decision can be made on the use of the data, the data is processed in accordance with the provisions of the Prospectus, in accordance with the provisions of our Company, the data is not transferred to third parties (in addition to fulfilling legal obligations). They have only the necessary technical access to the data to the extent necessary for the service, and no further activity is performed with the data.
  2. Our company is entitled to check the implementation of the contract activity and compliance with the Prospectus at the data processors. Data processors are obliged to report immediately if the instruction from our Company or its implementation would be in violation of the law.
  3. Our company informs the natural persons concerned about the data processing according to the Prospectus, and also obtains their consent in case of legal regulations.

Chapter XV.

Data protection rights and remedies of the data subject

The rights and remedies which Regulation (EU) 2016/679 of the European Parliament and of the Council and Act CXII of 2011 on the right to information self-determination and freedom of information provide, in the event of a suspected infringement, to our guests, customers, partners or other persons involved in the data management implemented by our Company are set out below:

  1. Right to request information

The data subject may request information about what data our Company processes, on what legal basis, for what data management purpose, from what source and for how long. Our company will inform the data subject about the measures taken following the request without undue delay, but in any case within one month of receiving the request.

  2. Right to rectification

The data subject may request that we modify one of the data registered by our Company. Our company will inform the data subject about the measures taken following the request without undue delay, but in any case within one month of receiving the request.

  3. Right to delete (“forget”)

The data subject may request the deletion of his or her data if one of the following reasons exists:

(a) personal data are no longer required for the purpose for which they were collected or otherwise processed;

(b) has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;

(c) objects to data processing pursuant to Article 21 (1) of the GDPR and there is no overriding legitimate reason for data processing, or objects to the processing pursuant to Article 21 (2) of the GDPR;

(d) personal data have been processed unlawfully;

(e) personal data must be deleted in accordance with the legal provision applicable to the controller;

(f) personal data have been collected through the provision of information society services referred to in Article 8 (1) of the GDPR.

If our Company has disclosed personal data and is obliged to delete it at the request of the data subject, it will, taking into account the available technology and the costs of implementation, take reasonably expected steps – including technical measures – for controllers to delete links to the personal data in question or a duplicate of that personal data.

Our company will inform the data subject about the measures taken following the request without undue delay, but in any case within one month of receiving the request.

  4. Right to restrict data processing

The data subject shall have the right to restrict the processing at his or her request if one of the following is met:

(a) disputes the accuracy of personal data, in which case the restriction shall apply to the period of time which allows us to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the deletion of the data and instead requests that their use be restricted;

(c) we no longer need personal data for the purpose of data processing, but the data subject requests them to make, assert or protect legal claims; or

(d) the data subject has objected to the processing; in that case, the restriction shall apply for as long as it is established whether the legitimate reasons of the controller take precedence over the legitimate reasons of the data subject.

If the processing is restricted on the basis of the above, such personal data, with the exception of storage, may be processed only with the consent of the data subject. The data subject must be informed in advance of the lifting of the data processing restriction.

Our company will inform the data subject about the measures taken following the request without undue delay, but in any case within one month of receiving the request.

  5. Right to protest
    The data subject may object to the data processing. Our company will inform the data subject about the measures taken following the request without undue delay, but in any case within one month of receiving the request.
  6. Right to data portability
    The data subject has the right to receive the personal data concerning him or her provided to us in a structured, widely used machine-readable format. The data subject is also entitled to transfer this data to another data controller without hindrance.
    Conditions for this:
    (a) the processing is based on consent or a contract, and
    (b) the processing is automated.
    The data subject has the right to request the direct transfer of personal data between data controllers, if this is technically feasible.

Our company will inform the data subject about the measures taken following the request without undue delay, but in any case within one month of receiving the request.

  • Enforcement option related to data management
    If the data subject experiences unlawful data processing and notifies our Company, we will take all measures to restore the legal condition as soon as possible.

 

Chapter XVI.
Management of privacy incidents

In the event of a data protection incident, i.e. when the data managed by our Company is accidentally or unlawfully destroyed, lost, changed, communicated to a third party without authorization, or accessed by someone without authorization, it may be necessary to transfer certain data to the data protection authority. Our company will release personal data to the authorities – if the authority has indicated the exact purpose and scope of the data – only to the extent that is essential to achieve the purpose of the request. The most common privacy incidents can be, for example, the loss of a laptop or mobile phone, the insecure storage of personal information, the insecure transmission of data, the unauthorized copying or transmission of data of contractors, attacks on a server, and the hacking of a website.

  • The prevention and management of data protection incidents and compliance with the relevant legal regulations are the responsibility of the head (executive) of our company.
  • If our Company’s employees detect a data protection incident in the performance of their duties (or the data subject indicates a data protection incident to them), they must notify the Managing Director immediately.
  • In the event of a data protection incident, the administrator shall immediately examine the report and establish:

 

– the date and place of the incident,

– the occurrence, circumstances, effects of the incident,

– the range of data compromised during the incident,

– the persons concerned,

– measures taken to remedy the incident,

– measures taken to prevent, repair and reduce damage.

  1. In the event of a data protection incident, the systems, persons and data concerned must be delimited, segregated and the collection and preservation of evidence supporting the occurrence of the incident must be ensured. It is then possible to begin repairing the damage and restoring legal operation.
  2. Our company keeps a register of data protection incidents, which includes:

– the scope of the personal data concerned,

– the range and number of people affected by the data protection incident,

– the date of the data protection incident,

– the circumstances and effects of the data protection incident,

– measures taken to remedy the data protection incident,

– other data specified in the legislation requiring data processing.

Data on data protection incidents in the register must be kept for 3 years.

  1. The data protection incident will be notified to the competent supervisory authority (National Data Protection and Freedom of Information Authority) without delay, but no later than 72 hours after our Company becomes aware of it, unless the incident is not likely to pose a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, the reasons for the delay must be attached.

The data processor must report the data protection incident to the Managing Director of our Company without undue delay after becoming aware of it.

Provisions on the content of the notification are set out in Article 33 (3) of the GDPR.

  1. Our company will inform the data subject without delay about the data protection incident and the measures taken.
  2. In the event of a breach of his or her rights, the data subject shall have the right to lodge a complaint with the National Data Protection and Freedom of Information Authority, which shall act as the competent supervisory authority:

Postal address: 1530 Budapest, Post Box .: 5.

Address: 1055 Budapest, Falk Miksa u. 9-11.

Telephone: + 36 (1) 391-1400, fax: + 36 (1) 391-1410

E-mail: ugyfelszolgalat@naih.hu

URL: https://naih.hu

Information on the order of complaint handling can be found at the following link:

http://naih.hu/panaszuegyintezes-rendje.html

The competent supervisory authority shall have the right to a legally binding decision.

Chapter XVII.

Final provisions

  1. The Managing Director of our Company is entitled to establish and amend the Prospectus.
  2. The prospectus is effective May 15, 2021.