Data processing policy - Bo33 Hotel****Family & Suites

Data processing policy

Bo33 Hotel****Family & Suites Data Processing Policy

1. General Provisions

Ipoly-Rákóczi Kft. (seat: 1074 Budapest, Szövetség utca 33., registry number: 01-09-180316, registered by Company Registry Court of Budapest Capital Regional Court, hereinafter: Company), as the operator of Bo33 Hotel****Family & Suites is continuously ensuring in respect of all personal data processed by the Company the legality and expediency of the data processing.

The purpose of present policy is to provide appropriate information for the accommodation reserving and personal data providing customers about the conditions, guarantees and duration of the data processing by the Company even before the reservation and the provision of the their personal data.

The data processing linked to the activity of the Company is based on voluntary consent and the performance of legal obligations, and in some other cases the data processing is necessary in order to take steps prior to entering into a contract at the request of the data subject;

 The data processing of the Company complies with the relevant provisions of law, particularly the following:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR)
  • Act CXII of 2011 on the right of informational self-determination and on freedom of information (Infotv.)

Data and contact of the Company:

  • Name: Ipoly-Rákóczi Kft.
  • Seat: 1074 Budapest, Szövetség utca 33.
  • Phone: 003617963270
  • E-mail: fom@bohotels.hu

Miscellaneous information regarding data processing:

The Company takes every necessary technical and organizational measures for the evasion of an occasional data protection incident (e.g. damage, disappearance, and disclosure for unauthorized person of files containing personal data).

In case of an incident a register is being kept for the purpose of the supervision of the necessary measures and the information of the data subject, which contains the scope of personal data concerned, the persons and their number affected by the data protection incident, the point of time, circumstances, effects and measures taken for the mitigation of the data protection incident and other data detailed in the provisions of law prescribing data processing.

2. Data processing regarding services

In connection of the accommodation services carried out by the Company the following applies to the data processing:

  • The processor of personal data: Ipoly-Rákóczi Kft., (1074 Budapest, Szövetség street 33.)
  • Purpose of data processing: the documentation of purchases in the hotel and the restaurant of the hotel, the issue of invoices, the documentation of purchases and payments, the fulfillment of accountancy obligations, keeping contact with customers, analyzing of customer habits, expedient services.
  • Legal basis of data processing: the data processing is necessary for the fulfillment of contractual and legal obligations pursuant to GDPR Article 6 (1) b) and c).
  • The scope of processed personal data – in case of using the accommodation service – in case of EU citizens: salutation, family name and given name, address (country), post code, city, street, house number, citizenship, number of ID, phone number, e-mail address.
  • The scope of processed personal data – in case of using the accommodation service – in case of non-EU citizens: salutation, family name and given name, birth place, time of birth, mother’s maiden name, number of passport, number of visa, place and time of entry, address (country), post code, city, street, house number, citizenship, phone number, e-mail address.
  • Possible consequences of the failure to provide data: contract is not concluded regarding the hotel room.
  • Duration of data processing: 8 years pursuant to Számv. tv. Article 169 (2).
  • Utilization of data processor: the Company avails to the assistance of the informatics service provider for the accommodation registry system as follows:
Name of Data ProcessorSeat:Description of data processor task
Hostware Kft.1149 Budapest, Róna street 120-122During the application of Hostware Front Office, the implementation of customer management.

In case of card payment, the data of bankcards/SZÉP cards and the payment transactions are handled by our hotel reception.

Rights of the data subject: the data subject

  • may request the access to the personal data concerning him/her,
  • may request their amendment,
  • may request their deletion,
  • may request the restriction of processing of personal data subject to the circumstances pursuant to GDPR Article 18 (namely the Company shall not delete or destruct the data until the request of courts or authorities, but at the longest for 30 days and furthermore the data shall not be processed for any other purpose).
  • if it is necessary, that the data processing shall happen pursuant to legal interest of the Company as well, may object against the processing of personal data.
  • can practice the right to data portability. Pursuant to the latter right, the data subject is entitled to obtain the personal data concerning him/her in the format of MS Word or Excel, and furthermore entitled to request that the Company forward the data to another data processor on his/her demand.

3. Reservation

The Company provides the opportunity for the customers to make their reservations by electronic means.

  • Processor of personal data: Ipoly-Rákóczi Kft., (1074 Budapest, Szövetség street 33.)
  • Purpose of data processing: the facilitation of accommodation reservation, rendering it free of charge and more effective,
  • Legal basis of data processing: preliminary consent of person reserving accommodation pursuant to GDPR Article 6 (1) a) and the data processing is necessary to take steps at the request of the data subject prior to entering into a contract pursuant to GDPR Article 6 (1) b).
  • Scope of personal data processed: salutation, family and given name, address (country, post code, settlement, street, house number, phone number, e-mail address, number of customers.
  • Duration of data processing: 2 years calculated from the last day of the stay pursuant to the reservation,
  • Utilization of data processor: the Company does not have resort to an external service provider regarding reservations.
Name of data processor:Seat:Description of data processing task
Globres6003, Luzern, Hirschmattsrasse 28Implementation of tasks regarding recording online reservations.

Possible consequences of the failure to provide data: contract is not formed regarding the hotel room.

 Rights of the data subject:

  • may request the access to the personal data concerning him/her,
  • may request their amendment,
  • may request their deletion,
  • may request the restriction of processing of personal data subject to the circumstances pursuant to GDPR Article 18 (namely the Company shall not delete or destruct the data until the request of courts or authorities, but at the longest for 30 days and furthermore the data shall not be processed for any other purpose).
  • if it is necessary, that the data processing shall happen pursuant to legal interest of the Company as well, may object against the processing of personal data.
  • can practice the right to data portability. Pursuant to the latter right, the data subject is entitled to obtain the personal data concerning him/her in the format of MS Word or Excel, and furthermore entitled to request that the Company forward the data for another data processor on his/her demand.

4. Newsletter

The Company maintains contact with their customers by sending newsletters to call their attention to the services offered, and to inform them about new services and special offers.

  • Processor of personal data: Ipoly-Rákóczi Kft., (1074 Budapest, Szövetség street 33.)
  • Purpose of data processing: maintaining relation with potential overnight customers,
  • Legal basis of data processing: consent of the data subject pursuant to GDPR Article 6 (1) a)
  • Determining the legal interest: maintaining and developing business relations with partners and overnight customers,
  • Scope of personal data processed: name and e-mail address,
  • Duration of data processing: The Company handles e-mail addresses until the unsubscription from the newsletters, nevertheless the Company sends a reminder for the data subject in every 2 year, in which the subscription can be confirmed, otherwise the Company does not provide any additional newsletters hereafter.
  • Utilization of data processor: the Company does not have resort to an external data processor regarding call for offer.

Possible consequences of the failure to provide data: the data subject does not receive any newsletters from the Company.

 Rights of the data subject:

  • may request the access to the personal data concerning him/her,
  • may request their amendment,
  • may request their deletion,
  • may request the restriction of processing of personal data subject to the circumstances pursuant to GDPR Article 18 (namely the Company shall not delete or destruct the data until the request of courts or authorities, but at the longest for 30 days and furthermore the data shall not be processed with any other aim).
  • may object against the processing of personal data.
  • can practice the right to data portability. Pursuant to this right, the data subject is entitled to obtain the personal data concerning him/her in the format of MS Word or Excel, and furthermore entitled to request that the Company forward the data for another data processor on his/her demand.

The newsletter can be unsubscribed at any time with an e-mail sent to fom@bo33hotel.hu or by clicking on the icon indicating unsubscribtion. In this case the e-mail address is deleted from our database without undue delay.

5. Customer satisfaction assessment

The Company’s goal is to continuously maintain the service standards of its hotel on a high level which requires feedback from the guests about their experiences gathered in the course of their stay. The feedbacks are as a main rule anonymous, however the customer can provide his/her personal data voluntarily, in which case the following applies:

  • Processor of personal data: Ipoly-Rákóczi Kft., (1074 Budapest, Szövetség street 33.)
  • Purpose of data processing: requiring feedback for the further development and improvement of services,
  • Legal basis of data processing: consent of the data subject pursuant to GDPR Article 6 (1) a)
  • Scope of the processed personal data: family name and given name, e-mail address
  • Duration of data processing: 2 years calculated from the last day of the stay pursuant to the reservation,

Possible consequences of the failure to provide data: the data subject does not receive questionnaire on customer satisfaction assessment and his/her opinion is not taken into consideration.

Rights of data subject:

  • may request the access to the personal data concerning him/her,
  • may request their amendment,
  • may request their deletion,
  • may request the restriction of processing of personal data subject to the circumstances pursuant to GDPR Article 18 (namely the Company shall not delete or destruct the data until the request of courts or authorities, but at the longest for 30 days and furthermore the data shall not be processed with any other aim).
  • may object against the processing of personal data.
  • can practice the right to data portability. Pursuant to the latter right, the data subject is entitled to obtain the personal data concerning him/her in the format of MS Word or Excel, and furthermore entitled to request that the Company forward the data for another data processor on his/her demand.

6. Rating (TripAdvisor)

The Company based on the prior consent of its guests asks its guests via e-mail using TripAdvisor’s system to rate the time spent in the hotel.

  • Processor of personal data: Budapestinside Kft. (1082 Budapest, Vajdahunyad street 18) and TripAdvisor LLC (400 1st Avenue Needham, MA 02494, USA)
  • Purpose of data processing: request of TripAdvisor rating.
  • Legal basis of data processing: consent of the data subject pursuant to GDPR Article 6 (1) a)
  • Scope of the processed personal data: e-mail address, the fact that the guest has stayed at the hotel operated by the Company and the data concerning the rating. According to the agreement between the Company and TripAdvisor, persons who are employed by the Company or in a personal or business relationship with the Company or receives incentives for the rating are excluded from the rating, thus the negative statement concerning these conditions are also acknowledged by TripAdvisor by the starting of the processing.
  • Duration of data processing: until the withdrawal of the consent.

Possible consequences of the failure to provide data: the data subject does not receive a request from TripAdvisor’s system to participate in the rating.

Rights of the data subject:

  • may request the access to the personal data concerning him/her,
  • may request their amendment,
  • may request their deletion,
  • may request the restriction of processing of personal data subject to the circumstances pursuant to GDPR Article 18 (namely the Company shall not delete or destruct the data until the request of courts or authorities, but at the longest for 30 days and furthermore the data shall not be processed with any other aim).
  • may object against the processing of personal data.
  • can practice the right to data portability. Pursuant to the this right, the data subject is entitled to obtain the personal data concerning him/her in the format of MS Word or Excel, and furthermore entitled to request that the Company forward the data for another data processor.

The Company wishes to call the attention of the guests that the personal data of the guest is transferred as soon as the provision of consent and the stay at the hotel to TripAdvisor.

The Company further informs the guests that TripAdvisor LLC is a company registered in the United States of America, thus if the guest provides his or her consent, then the personal data will be forwarded outside of the EEA. Although the EU Commission has issued an adequacy decision concerning the data processing performed in the framework of the Privacy Shield, TripAdvisor LLC has not undertaken the Privacy Shield self-certification. As a result of this, it is possible that the following seven principles don’t apply to the processing:

  • the Notice Principle
  • the Data Integrity and Purpose Limitation Principle
  • the Choice Principle
  • the Data Integrity and Purpose Limitation Principle
  • the Security Principle
  • the Access Principle
  • the Recourse, Enforcement and Liability Principle

(The above seven principles are explained in detail in article 2.1. of the Commission Implementing Decision (EU) 2016/1250.) As a result of this the practice of the rights of the data subject, the safe processing for the exclusive purpose stated above and the guarantee that the data is not forwarded to third party is not assured on the same level as in the cases of data processing in the European Union.

The data protection policy of TripAdvisor may be found at the bottom of the webpage www.tripadvisor.com or under the following direct link: https://tripadvisor.mediaroom.com/us-privacy-policy.

7. WI-FI

The Bo33 Hotel****Family & Suites provides internet connection through wi-fi for its customers.

  • Purpose of data processing: the provision of wireless internet for the customers,
  • Legal basis of data processing: GDPR Article 6 (1) f),
  • Types of processed personal data: IP address, date, time, address of the visited website
  • Duration of data processing: maximum 90 days
  • Utilization of data processor: the Company has resort to external service provider for the provision of wi-fi service as follows:
Name of data processor:Seat:Description of data processing task
Bitadmin Kft.2120 Dunakeszi, Rév road 36.Provision of internet connection

8. Other data processing

Authorities, public sector bodies and courts may request the disclosure of personal data from the Company. In case the body concerned indicated the exact purpose and the scope of data, the Company discloses only those personal data and only to that extent, which are necessary for the performance of the request and only if the performance of the request is prescribed by law.

The Company keeps a record on the objects found in the hotel and restaurant, their owner and their founder:

  • Legal basis of data processing: Civil Code of Hungary 5:54. §
  • Scope of data processed: date of finding, name of the finder, designation of the found object, the fact whether the owner was notified, place of storage, signature of the founder and in case of transfer the signature of the recipient,
  • Duration of data processing: The data are deleted and destructed after the receipt by the owner of the found object or the transfer to the town clerk, in case of sale after 1 year after the finding.

Possible consequences of the failure to provide data: the data processor cannot comply with the obligations prescribed by law.

9. Rights of the data subjects, possibility for legal remedy.

The data subject may require information on the processing of his/her personal data, as well as may require the amendment of his/her personal data, furthermore – with the exception of the obligatory data processing – the deletion and withdrawal of them, may exercise his/her right to data portability and to objection as indicated at the data recording or on the contacts of the data processor as indicated above.

For the request of the data subject the information is forwarded without undue delay by electric means, but at the latest within 30 days. The Company performs these requests of the data subject free of charge.

Rights of requesting information:

The Company implements appropriate measures in order to provide for the data subjects all information regarding the processing of personal data pursuant to GDPR Article 13 and 14 and all instructions pursuant to GDPR Article 15-22 and 34 in a compact, transparent, comprehensible and easily accessible form, formulated in a clear and easy to understand way, precisely at the same.

Right of access of the data subject:

The data subject is entitled to receive feedback from the Company whether the process of his/her personal data is in progress. If the process of his/her personal data is in progress, the data subject is entitled to gain access to the personal data and the following information:

  • purpose of data processing,
  • categories of the personal data concerned.
  • addressees and the categories of addressees, for whom the personal data were disclosed or going to be disclosed, including particularly third country (non-European Union) addressees, and international organizations,
  • planned duration of the storage of personal data,
  • right of amendment, deletion or restriction of data processing and the right of objection,
  • right of submitting a complaint to the competent supervisory authority,
  • information regarding the data source; the fact of automated decision making, including profiling as well, and on the applied logics and comprehensible information on what kind of significance this data processing has and what kind of consequences does it have on the data subject.

Right of amendment:

Anyone can claim the amendment of inaccurate personal data concerning him/her and supplement of the incomplete data.

Right of deletion:

The data subject in case of the reasons below is entitled to make the personal data concerning him or her deleted on his demand without undue delay:

  • the personal data are not necessary anymore for the purpose on which they were collected or handled in another way,
  • the data subject withdraws the consent for data processing and the data processing does not have any other legal basis,
  • the data subject objects against the data processing and there is no  overriding legitimate interest as the basis of the processing,
  • unlawful processing of personal data can be established;
  • personal data shall be deleted for the fulfilment of obligations prescribed for the data processor by applicable the law of the European Union or member states,
  • personal data is collected regarding services being offered in relation to the offer of information society services,

The deletion of data cannot be initiated, if the data processing is necessary for the following purposes:

  • for the purpose of exercising freedom of expression and information,
  • for the implementation of the task carried out in the framework of the fulfilment of obligation pursuant to the law of the European Union or a member state prescribing the processing of personal data to be applied for the data processor or for the exercise of public authority vested on the data processor.
  • for the purpose of public health, archiving, scientific and historical research or statistics based on public interest,
  • or for submission, enforcement or protection of legal claims

Right of restriction of data processing:

On the request of the data subject, data processing can be restricted pursuant to the conditions set out in GDPR Article 18.

  • the data subject disputes the accuracy of personal data, the restriction applies to the period of time, which enables the supervision of the accuracy of personal data.
  • the data processing is unlawful and the data subject opposes the deletion of data and instead claims the restriction of application,
  • the data processor does not need the personal data for the sake of data processing, but the data subject requires those for the submission, enforcement or protection for legal claims,
  • the data subject objected against the data processing; the restriction applies to that period of time, while it is determined whether the legitimate interest of the data processor has priority with regards to the interests of the data subject.

If data processing falls under restriction, personal data with the exception of storage shall be processed only with the consent of the data subject, or for the submission, enforcement or protection for legal claims, or in favour of the protection of rights of natural and legal persons, or for the important public interest of the European Union or other member states. The data subject shall be informed preliminary about the release of the restriction of data processing.

Right to data portability:

The data subject is entitled to receive the personal data concerning him/her, which was provided for the data processor in a structured, commonly used and by computer readable format and to forward these data for another data processor. The Company shall fulfill these demands of the data subject in the format of MS Word or Excel.

Right of objection:

 If the processing of personal data is carried out in the interest of direct marketing, the data subject is entitled to object against the processing of the personal data concerning him or her for this purpose at any time, including profiling as well, if it relates to direct marketing. In case of objection against the processing of personal data for the sake of direct marketing, these data shall not be processed. The right of objection applies to the data subject, if the data processing is carried out pursuant to the legitimate interest of the data processor, however in this case the subject of evaluation is the fulfillment of the request depending on which party’s rights have priority pursuant to GDPR Article 21 (1).

Right of withdrawal:

The data subject is entitled to withdraw the consent at any time. The withdrawal of consent does not affect the lawfulness of data processing which based on consent prior to the withdrawal.

Procedural rules:

The data processor informs the data subject without undue delay but nonetheless within one month from the arrival of the request about the implemented measures based on the claim. If it is neccesary, taking into consideration the complexity of the claim and the number of claims, the deadline can be prolonged with additional 2 months. The data processor informs the data subject within one month calculated from the receipt of the claim about the prolongation of the deadline with indicating the reason of delay.

If the data subject submitted the claim by electronic mean, the information shall be granted also by electronic mean unless the data subject wishes it otherwise.

If the data processor does not take measures following the request of the data subject, without undue delay but at the latest within one month from the receipt of the request, the data processor informs the data subject about the reasons of the failure of measure, as well as the data subject is entitled to submit a complaint for the supervisory authority and may exercise the right of judicial remedy.

The data processor informs all those addressees on all the accomplished correction, deletion or restriction of processing, with whom the personal data were communicated, unless it is impossible or requires disproportionate exertion. On the request of the data subject the data processor provides information on these addressees.

Furthermore we inform you, that if you consider that Budapestinside Kft. infringed your rights on informational self-determination, you can either ask for the assistance of the data protection officer telephone: 0036304741393, e-mail address: fom@bohotels.hu ), or file a complaint at the Hungarian National Authority for Data Protection and Freedom of Information or at the competent court.

Hungarian National Authority for Data Protection and Freedom of Information

Postal address: 1530 Budapest, Pf.: 5.
Address: 1125 Budapest, Szilágyi Erzsébet alley 22/c
Phone: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu/general-information.html