1. Data controller

Name: DemRem Property Kft.

Address: 2141 Csömör, Középhegy utca 20.

Data Controller's representative: Imre Mikulás

Contact details of the Data Controller in relation to data protection: adatvedelem@demrem.hu

This notice is a unilateral commitment of the data controller in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and the relevant legislation of the Member States.

This information may be unilaterally amended and/or withdrawn by the Data Controller at any time, with the simultaneous notification of the Data Subjects. The information is provided by publication on the website or, depending on the nature of the change, by directly notifying the Data Subjects.

2. Purpose of data processing

2.1 Liaising with suppliers, customers and partners in domestic and EEA Member States

Keeping contact with domestic suppliers and customers, processing contact person data, concluding contracts, managing e-mail and phone numbers, personal contact, managing orders, finding new suppliers
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6 (1) f)). - Keeping contact with the business partner during the preparation and performance of the contract.

Scope of processed data: Name, e-mail, phone number

Planned deadline for data processing: The last working day of March of the 2nd year following the termination of the employment contract or until the objection of the Data Subject deemed legitimate

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.2 Liaising with suppliers and partners outside the EEA

Keeping contact with foreign suppliers, managing contact details, concluding contracts, managing e-mail and phone numbers, personal contact, managing orders, finding new suppliers.
Legal basis of processing: Consent of the Data Subject (Article 6(1)(a))

Scope of processed data: Name, e-mail, phone number

Planned deadline for data processing: The last working day of March of the 2nd year following the termination of the employment contract or until the withdrawal of consent

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.3 Ensuring IT business continuity and data backup

Operation of IT systems and infrastructure, including operation of workstations, servers and network elements, archiving and backup of data and their restoration in case of an emergency.
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6 (1) f)). - It is the legitimate interest of the Data Controller to supervise, maintain, assemble, troubleshoot, regularly save and archive IT systems in order to maintain business operations.

Scope of data processed: All categories of digital data collected or processed by the Organization

Planned deadline for data processing: The organization shall save the data of the IT system for 30 days, and the data archiving until the last working day of March of the 2nd year following the backup.

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.4 Booking accommodation via the website

Manage the date of stay, the number and age of the accommodation through the hotel's website. Registration of information about the use of related services and the time of planned departure.

My personal data will be transferred to OTP Mobil Kft. as data processor. The scope of data transmitted by the data controller is as follows: Name, address, email address, telephone number, tax number

The nature and purpose of the data processing activity carried out by the data processor can be viewed in the SimplePay Privacy Policy at the following link: https://simplepay.hu/vasarlo-aff

Legal basis of processing: Performance of a  contract (Article 6 (1) b)).  

Scope of processed data: Name, address, email address, phone, tax number

Planned deadline for data processing: 8 years

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.5 Check-in - check-out and guest registration

Managing individual and group registration forms, managing check-out documents.
Legal basis of data processing: Compliance with a legal obligation to which the controller is subject (Article 6(1), c)).

Scope of data processed: Name, address, date of birth, identity document number, signature

Planned deadline for data processing: 8 years

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.6 Registration of parental consent

Processing of the guardian's statement of persons under the age of 16 who arrive with the accommodation service user regarding the processing of personal data.
Legal basis of data processing: Compliance with a legal obligation to which the controller is subject (Article 6(1), c)).

Scope of processed data: Name, address, mother's name, date of birth, place of birth, signature

Planned deadline for data processing: 8 years

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.7 Keeping in touch with customers, guests, partners, customers, suppliers

Guests - identifying the website user, distinguishing them from other customers, users and interested parties, keeping contact, sending system messages(s) related to the service. Issuing a quote, concluding a contract, managing and registering contact person data, personal contact, telephone booking.
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6 (1) f)). - It is the legitimate interest of the Data Controller to register the contact person data for the performance of contracts

Scope of processed data: Name, address, email address, phone, unique identifier

Planned deadline of data processing: The last working day of March of the 4th year following the termination of the partnership contract or until the objection of the Data Subject.

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.8 Guestbook - web guestbook

Guests have the opportunity to leave a review in the physical guestbook on site. The accommodation will display the data provided on the satisfaction questionnaire at the time of check-out in the guestbook on its website.
Legal basis of processing: Consent of the Data Subject (Article 6(1)(a))

Scope of data processed: Name, room number, place of residence, additional data provided by the guest, signature

Planned deadline of data processing: until the withdrawal of the Data Subject's consent.

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.9 Managing bank card payment receipts

Processing of receipts related to bank card payment at the Data Controller
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6 (1) f)). - The Data Controller's legitimate interest is to settle accounts with the bank card service provider

Scope of data processed: Signature

Planned deadline of data processing: 1 year

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.10 Issuing an invoice and issuing the mandatory documentation related to the performance of the service

Issuing invoices, issuing the related mandatory documentation for the performance of services, as well as ensuring compliance with accounting laws.
Legal basis of data processing: Compliance with a legal obligation to which the controller is subject (Article 6(1), c)).

Scope of processed data: Billing name and address, e-mail address, Contact person's name, position

Planned deadline for data processing: At least 8 years

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.11 Managing a request for quotation

Registering and responding to requests for quotation received at the central email address of the Organization or to the personal email address of a colleague. Issuing offers.
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6 (1) f)). - Legitimate interest – The legitimate interest of the data controller is to maintain contact prior to the contract and to record the data of contact persons.

Scope of processed data: Name, address, email address, phone, unique identifier

Planned deadline of data processing: Until the last working day of March of the 1st year from the receipt of the request for quotation or until the objection of the Data Subject.

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.12 Management and filing of contracts

Registration of contracts, Registration of contracts related to the activity of the Data Controller, processing of the data of the contact persons of the contracting party at the time of the conclusion of the contract and keeping them up to date, data of the authorised persons of the contracting party and keeping them up to date
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6, (1) f)). - It is the legitimate interest of the data controller to register the data of the contact person.

Scope of processed data: Name, phone, position, e-mail, signature

Planned deadline of data processing: The last working day of March of the 4th year following the termination of the contract or until the objection of the Data Subject.

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.13 Advertising of service(s), provision of information to partners, sending newsletters

Direct marketing and marketing inquiries with advertising content, customer satisfaction measurements, surveys, invitations to marketing events, eDMs, telephone inquiries with the involvement of telemarketing services.
Legal basis of processing: Consent of the Data Subject (Article 6(1)(a))

Scope of processed data: Name, company name, e-mail address, telephone number

Planned deadline of data processing: Until the withdrawal of the Data Subject's consent

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.14 Advertising of service(s), provision of information to partners, sending newsletters

Direct marketing and marketing inquiries with advertising content, customer satisfaction measurements, surveys, invitations to marketing events, eDMs, telephone inquiries with the involvement of telemarketing services.
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6 (1) f)). - The Data Controller's legitimate interest is direct marketing

Scope of processed data: Name, company name, e-mail address, telephone number

Planned deadline for data processing: Until the Data Subject's objection.

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.15 Mail handling, mail handling

Registration of registered mail and mail with acknowledgement of receipt related to the activity of the Data Controller, as well as of items sent with other service providers
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6 (1) f)). - It is the legitimate interest of the data controller to register the data of the contact person.

Scope of processed data: Name, address

Planned deadline of data processing: The last working day of March of the 4th year following the termination of the partnership contract or until the objection of the Data Subject.

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.16 Measuring customer satisfaction, advertising service(s), providing information to partners

Direct marketing and marketing inquiries with advertising content, customer satisfaction measurement, surveys, invitations to marketing events, eDMs, telephone inquiries with the involvement of telemarketing service providers.
Legal basis of data processing: Enforcement of the legitimate interest of the Data Controller (Article 6 (1) f)). - The legitimate interest of the data controller is direct marketing

Scope of processed data: Name, company name, e-mail address, telephone number

Planned deadline for data processing: Until the Data Subject's objection.

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.17 Complaint book management

Complaint book management, Processing of the data specified in the complaint book in the commercial unit operating at the premises of the Data Controller
Legal basis of data processing: Fulfilment of a legal obligation to which the Data Controller is subject (Article 6, (1), c)).

Scope of processed data: Name, address, phone number, e-mail address, signature

Planned deadline for data processing: 5 years

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.18 Operation of an electronic video surveillance system

To protect the security of the Controller's premises, to protect the property of the Controller, to protect the physical integrity and property of the Controller's employees and visitors, to investigate the circumstances of any accidents and crimes that may occur
. Legal basis of data processing: Enforcement of the legitimate interest of the Controller (Article 6, (1) f)). - The data controller's legitimate interest is to protect his or her assets

Scope of data processed: Images and video recordings of natural persons (hereinafter collectively recorded)

Planned deadline for data processing: 10 days

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

2.19 Data processing in connection with the GDPR regulation

Data processing in connection with the GDPR regulation.
Legal basis of data processing: Compliance with a legal obligation to which the controller is subject (Article 6(1), c)). - xxx

Scope of data processed: Name, Data Protection ID, Data Subject Request, Date, Type, Content, Result of Data Subject Request, Date of Incident, Documentation, Result

Planned deadline for data processing: Not to be discarded

Source of data collection: Data from data subject

New data processing purpose: N/A

New data processing deadline: N/A

3. Consequences of not providing data

Possible consequence of failure to provide data: Failure of the purpose of data processing.

4. Scope of data subjects

Representatives of natural or legal persons using the services of the Data Controller.

5.Scope of mandatory data

The Data Controller does not separately mark the data to be filled in on the individual data entry interfaces, where all data must be provided. On interfaces where not all data is mandatory, the data controller indicates the mandatory data fields by displaying an asterisk*.

6. Children

The services of the Data Controller are services related to the information society, so in connection with the use of the services, the users are entitled to make a legal declaration after reaching the age of 16, and accordingly they may use the services of the Data Controller without parental consent.

However, our products and services are not intended for anyone under the age of 16. Persons under the age of 16 are requested not to provide personal data to the Data Controller. If we become aware that we have collected personal information from a child under the age of 16, we will take steps to delete the information as soon as possible.

7. Information on the use of a data processor

In the course of data processing, the data controller forwards the data to the data processor(s) contracted with it for the performance of the contract.

Categories of recipients:  courier services, forwarding companies, Magyar Posta, Internet payment service provider, Legal advisor, Application developer, operator,

Categories of data processors: IT operators, web hosting providers, web content developers, accounting service providers, security service providers, GDPR consultants, information security consultants,

Joint Repository: Social Media Sites

8. Scope of persons entitled to access the data

The data obtained shall not be transferred by the data controller to third parties, with the exception of the data processor(s) and recipients specified in Section 7.

8.1 Access to IT Backup Data

The Data Controller stores IT backups separately with access control. The saved data can only be accessed by colleagues working in IT operation under appropriate documentation procedures. In the case of data recovery recovery, it has a documented procedure for the process of reviewing data restored from data backup before it is used in production.

8.2 Access to video surveillance system data

The data controller shall not hand over the recordings to third parties, with the exception of the Asset Protection Service Provider specified in Section 7. The recordings may only be accessed by the Data Controller and the designated employees of the Data Processor(s).

The recordings previously recorded by the electronic surveillance system can be accessed by the Data Protection Officer, the Managing Director. The Data Subject, upon request, may only access the recordings made of his or her own person in the presence of one of the above-mentioned persons. In all cases, you must request access in writing to the Data Protection Officer.

The Data Controller always prepares a record of the fact of access, which is stored by the company for 1 year.

8.3 Persons entitled to restrict the images of the electronic surveillance system

The restriction of the recordings recorded by the electronic surveillance system may only be implemented in cases where the Data Controller has detected an event that is likely to endanger the objective intended to be achieved by the electronic surveillance system.

At the request of the Data Subject, only the processing of recordings made of his or her own person may be restricted.  The Data Subject must request the blocking in writing to the Data Protection Officer, indicating its purpose and expected duration.

The Data Controller prepares a record of each step of the blocking process, which is stored by the Data Controller for 1 year.

8.4 Disclosure of data

The data controller does not publish the recordings of the electronic surveillance system.

9. Processing of data received from third parties

If the User/Partner does not provide his/her own data to the Data Controller, but that of another natural person, in this case it is the sole responsibility of the User/Partner that he/she has made the provision of the data with the consent, knowledge and appropriate information of this natural person. The Data Controller is not obliged to examine the existence of these. The Data Controller draws the attention of the User/Partner to the fact that if the Data Subject fails to comply with this obligation and therefore the Data Subject asserts a claim against the Data Controller, the Data Controller may pass on the claimed claim or the amount of the related damage to the User/Partner.

10. Transfer of data to a third country or international organisation

In the case of data transfers to countries outside the EEA, the Data Controller forwards the data of the users to the following recipients as data processors along the following guarantees.

11. Rights of data subjects

The Data Subject is the 1. At the contact details specified in this section at the Data Controller,

1. You can request to provide access to a copy of your personal data processed by the Data Controller.
2. request the correction of your data,
3. request information on the purpose and legal basis of data processing
4. request the deletion of your personal data and the restriction of data processing,

The data subject may exercise the above rights at any time.

Furthermore, the Data Subject shall be entitled to the provisions of Section 1. You can send it to the Data Controller at one of the contact addresses specified in the Section.

1. request the transfer of your data to another data controller if the data processing is based on a contract or consent and is processed by the Organization within the framework of an automated procedure.
2. may dispose of the withdrawal of his/her consent to data processing previously given

The Data Controller shall arrange or reject the notification (with justification) within 1 month of the submission of the request at the latest, or in exceptional cases within a longer deadline permitted by law.  The Data Subject shall be informed of the results of the investigation in writing.

11.1 Cost of information

The Organization provides the measures and the necessary information free of charge for the first time  .

If the Data Subject requests the same data for the 2nd time within one month, which have not changed during this time, the Data Controller will charge an administrative fee.

1. The basis of the accounting of administrative costs is the hourly cost of the prevailing minimum wage as an hourly rate.
2. The number of working hours used for the information, calculated at the above hourly rate.
3. Furthermore, in the case of a paper-based information request, the printing cost of the response at cost price and its postage cost are included.

11.2 Refusal of Information

If the Data Subject's request is clearly unfounded, the Data Controller is not entitled to information, or the Organization, as the data controller, can prove that the Data Subject has the requested information, the Data Controller rejects the request for information.

If the request of the data subject is excessive due to its particularly repetitive nature, the Organization may refuse to take action on the basis of the request if:

1. the Data Subject submits a request for the exercise of his or her rights under Articles 15 to 22 on the same subject for the third time within one month.

11.3 Right to Object

The data subject has the right to object at any time to the processing of his or her personal data on the basis of a legitimate interest or a legal basis of official authority.

In this case, the Organization may no longer process the personal data unless it proves that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or which are related to the establishment, exercise or defence of legal claims.

If the legal basis of the objection is established, the Authority shall terminate the processing of the data – including the transfer and further recording of the data – as soon as possible. Notify all those to whom the Data Subject has previously forwarded their data of the objection.

The processing of the request is free of charge, except for unfounded or exaggerated requests, for the handling of which the Data Controller may charge a reasonable fee corresponding to its administrative costs. If the Data Subject does not agree with the decision made by the Data Controller, he/she may turn to the court.

12. Information on data security measures

The Data Controller processes the data in a closed system based on the requirements of the Information Security Policy.

Data controller takes care of the default and built-in data protection. To this end, the Data Controller shall apply appropriate technical and organizational measures in order to:

1. precisely controls access to data;
2. allow access only to persons who need the data to perform the task with it, and even then only those data should be accessed that are minimally necessary for the performance of the task;
3. carefully select the data processors it entrusts and ensure the security of the data with an appropriate data processing agreement;
4. ensure that the data processed remains unchanged (data integrity), authenticity and protection.

The Data Controller shall apply reasonable physical, technical and organizational security measures to protect the Data Subject's data, in particular against accidental, unauthorized, unlawful destruction, loss, alteration, transfer, use, access or processing of the Data Subject's data. The Data Controller shall immediately notify the Data Subject in the event of known unauthorized access to or use of personal data that poses a high risk to the Data Subject.

If the transfer of Data Subject data is necessary, the Data Controller shall ensure the appropriate protection of the transmitted data, for example by encrypting the data file. The Data Controller shall be fully responsible for the Data Subject data processing carried out by third parties.

The Data Controller shall also ensure that the Data Subject's data are protected against destruction or loss by means of appropriate and regular backups.

13. Remedies

Any data subject if, in his or her opinion,

1. the Data Controller restricts the enforcement of its rights or rejects its request to do so, may initiate an investigation by the National Authority for Data Protection and Freedom of Information in order to examine the lawfulness of the Data Controller's action;
2. in the course of processing your personal data, the Data Controller violates the legal requirements relating to the processing of personal data,
   1. may request the National Authority for Data Protection and Freedom of Information to conduct a data protection authority procedure, or
   2. may turn to the court against the Data Controller, and may also initiate the lawsuit before the court competent for its place of residence or residence, according to its choice.

Contact details of the National Authority for Data Protection and Freedom of Information:

President: dr. Attila Péterfalvi,

Address: 1055 Budapest, Falk Miksa utca 9-11.

Mailing address: 1363 Budapest, Pf. 9.

Tel.: +36-1-3911400

E-mail: ugyfelszolgalat@naih.hu

www.naih.hu

Budapest, 15.11.2022

I acknowledge that the following personal data stored by DemRem Property Kft. (2141 Csömör, Középhegy utca 20.) in the user database of https://szelrozsavendeghaz.hu/ will be transferred to OTP Mobil Kft. as data processor. The scope of data transmitted by the data controller is as follows:

1. Name
2. Email address
3. Phone number
4. How many people the user is booking for
5. How many guests are over 18 years old
6. Arrival Date
7. Departure date
8. Note

The nature and purpose of the data processing activity carried out by the data processor can be viewed in the SimplePay Privacy Policy at the following link: https://simplepay.hu/vasarlo-aff/