Privacy Policy

Statement on the Protection of Personal Data.

I. GENERAL PROVISIONS

Hotel & More Hotels Zrt., as the operator of Hotel&More Holding (address: 1022 Budapest Fillér u. 84/a; website: www.hotelandmore.hu), always ensures the lawfulness and expediency of data processing in respect of the personal data it manages. The purpose of this information is to give guests, before they book accommodation or provide their personal data, adequate information about the conditions and guarantees under which our company processes their data, and for how long. Our company adheres to the contents of this information in all cases involving personal data processing, and we consider its contents binding on us.

The data and contact details of our company are as follows:
Name: Hotel & More Hotels Zrt.
Headquarters: 1022 Budapest, Fillér utca 84/a
Company registration number: 01-10-049927
Tax number: 26494515-2-41
Represented by: Balázs Lajos Klemm
Phone number: +36 1 792 2950
Email: info@hotelandmore.hu
Website: www.hotelandmore.hu
(hereinafter also referred to as "Data Controller")

Our data processing complies with applicable legislation, in particular:
➢ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR");
➢ Act CXII of 2011 on Informational Self-Determination and Freedom of Information ("Privacy Act");
➢ Act V of 2013 on the Civil Code;
➢ Act C of 2000 on Accounting;
➢ Act CL of 2017 on the Rules of Taxation;
➢ Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigator Activities (hereinafter: "Act on Personal and Property Protection");
➢ Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities;
➢ Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
We provide the following information in connection with each of our data processing.

II. INDIVIDUAL DATA PROCESSING

1. DATA PROCESSING RELATED TO ONLINE ACCOMMODATION BOOKING

Our company offers the possibility of booking accommodation online in order to book rooms in hotels operated by Hotel & More Management Company in a fast, convenient and free of charge way.

The purpose of data processing: to make accommodation booking easier, free of charge and more efficient.

Legal basis for data processing: prior consent of the person booking the accommodation [Article 6 (1) (a) of the GDPR], the need to take steps at the request of the data subject prior to entering into a contract between the Data Controller and the data subject [Article 6 (1) (b) of the GDPR].

Scope of personal data processed: salutation; surname and first name; address (country, postal code, city, street, house number); telephone number; email address; in case of a business association, company name and registered office, bank card number, SZÉP card data (identifier, name on the card), representative, contact person's name, e-mail address and telephone number.

Duration of data processing: two years after the last day of the booked date of stay.

Use of data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Providing the possibility of online accommodation reservation through the Hotelizer system |
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of the website |

By accepting this prospectus, the data subject expressly consents to the Data Processor engaging further data processors in order to make the service more convenient and customized, as follows:

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | The owner of the software integrated into the reservation system. This software is responsible for sending automatic e-mails displaying confirmations and notifications in case of booking, quotation and satisfaction measurement |
| Hostware Ltd. | 1149 Budapest, Róna utca 120-122 | Performing customer management tasks when using the Hostware Front Office hotel system |
| K&H Bank Zrt. | 1095 Budapest, Lechner Ödön fasor 9. | Conducting data communication required for payment transactions between the merchant and the payment service provider's system, ensuring the traceability of transactions for merchant partners |
| K&H Bank Zrt. | 1095 Budapest, Lechner Ödön fasor 9. | Conducting data communication necessary for payment transactions between the merchant and the payment service provider's system, providing customer service assistance to users, confirming transactions and fraud monitoring for user protection |
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Server hosting tasks |

Possible consequences of failure to provide data: no contract is concluded for the hotel room.

Rights of the data subject: the data subject (the person whose personal data is processed by our company) may:
a) request information on, and access to, personal data relating to him or her,
b) request their rectification,
c) request their deletion,
d) request the restriction of the processing of personal data under the conditions set out in Article 18 of the GDPR (i.e. that our company does not delete or destroy the data until a court or authority requests it, but for a maximum of thirty days, and does not process the data for any other purpose beyond that),
e) object to the processing of personal data,
f) exercise the right to data portability. According to the latter right, the data subject has the right to receive the personal data concerning him or her in Word or Excel format and has the right to transmit these data to another data controller at his or her request.

Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized access). In the event of an incident nevertheless occurring, we keep records for the purpose of checking the necessary measures and informing the data subject, which includes the scope of personal data concerned, the scope and number of persons affected by the data protection incident, the date, circumstances, effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the law prescribing data processing.

Our company has concluded a data processing contract for data processing tasks, in which Igor Corner Kft. undertakes to apply the data protection and data management safeguards prescribed by the data processing contract in case of engaging another data processor, therefore we ensure the lawful processing of personal data also in the case of the data processor.

2. DATA PROCESSING IN CONNECTION WITH THE REQUEST FOR QUOTATION

Our company provides an opportunity for our guests to request offers electronically. The offer is provided by our company through an automated system, taking into account the available capacities.

Purpose of data processing: preliminary information about hotel prices

Legal basis for data processing: prior consent of the person booking the accommodation [Article 6 (1) (a) of the GDPR] or data processing is necessary to take steps at the request of the data subject prior to entering into a contract [Article 6 (1) (b) of the GDPR]

Scope of personal data processed: salutation; surname and first name; telephone number; email address; number of hotel guests, billing name and address, number and age of children.

Duration of data processing: two years after the last day of the booked date of stay.

Use of a data processor: our company uses the assistance of an IT service provider to operate the online quotation system as follows.

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of a contracting module |
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of the website |

By accepting this prospectus, the data subject expressly consents to the Data Processor engaging further data processors in order to make the service more convenient and customized, as follows:

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | The owner of the Hotelizer software integrated into the reservation system. This software is responsible for sending automatic emails displaying confirmations and notifications in case of booking, quotation and satisfaction measurement |
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Performing server hosting tasks |

Possible consequences of failure to provide data: The hotel cannot provide an offer.

Rights of the data subject: the data subject (the person whose personal data is processed by our company) may:
a) request information on, and access to, personal data relating to him or her,
b) request their rectification,
c) request their deletion,
d) request the restriction of the processing of personal data under the conditions set out in Article 18 of the GDPR (i.e. that our company does not delete or destroy the data until a court or authority requests it, but for a maximum of thirty days, and does not process the data for any other purpose beyond that),
e) object to the processing of personal data,
f) exercise the right to data portability. According to the latter right, the data subject has the right to receive the personal data concerning him or her in Word or Excel format and has the right to transmit these data to another data controller at his or her request.

Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized access). In the event of an incident nevertheless occurring, we keep records for the purpose of checking the necessary measures and informing the data subject, which includes the scope of personal data concerned, the scope and number of persons affected by the data protection incident, the date, circumstances, effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the law prescribing data processing.

Our company has concluded a data processing contract for data processing tasks, in which Igor Corner Kft. undertakes to apply the data protection and data management safeguards prescribed by the data processing contract in case of engaging another data processor, therefore we ensure the lawful processing of personal data also in the case of the data processor.

3. DATA PROCESSING RELATED TO THE PROVISION OF SERVICES AND INVOICING

Our company processes the personal data of guests in order to fulfil the contract concluded with the guests of Hotel&More, including the payment of fees related to the use of the hotel's services.

The purpose of data processing: the use of the services provided by the hotels operated by Hotel&More by the data subject, determination and billing of the consideration.

Legal basis for data processing: the necessity for the performance of a contract to which the data subject is a party [Article 6 (1) (b) of the GDPR] and compliance with a legal obligation pursuant to the provisions of Section 69 (1) and (2) of Act C of 2000 on Accounting [Article 6 (1) (c) of the GDPR]

Scope of personal data processed: first and last name, address.

Duration of data processing: 5 years from the date of provision of personal data by the data subject to the performance of the contract (limitation period). In case of issuing an invoice, the duration of data processing is 8 years from the date of providing the personal data by the data subject and from the preparation of the financial statement, annual report or accounting account for the given financial year.

Use of a data processor: our company uses the assistance of an accountant for invoicing as follows.

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| MT Signal Ltd. | 1163 Budapest Veres Péter u. 51. | Performing accounting tasks |

Possible consequences of failure to provide data: The data subject may not use the services of hotels operated by Hotel&More.

Rights of the data subject: the data subject (the person whose personal data is processed by our company) may:
a) request information on, and access to, personal data relating to him or her,
b) request their rectification,
c) request their deletion,
d) request the restriction of the processing of personal data under the conditions set out in Article 18 of the GDPR (i.e. that our company does not delete or destroy the data until a court or authority requests it, but for a maximum of thirty days, and does not process the data for any other purpose beyond that),
e) object to the processing of personal data,
f) exercise the right to data portability. According to the latter right, the data subject has the right to receive the personal data concerning him or her in Word or Excel format and has the right to transmit these data to another data controller at his or her request.

Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized access). In the event of an incident nevertheless occurring, we keep records for the purpose of checking the necessary measures and informing the data subject, which includes the scope of personal data concerned, the scope and number of persons affected by the data protection incident, the date, circumstances, effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the law prescribing data processing.

Our company has concluded a data processing contract for data processing tasks, in which MT Szignal Kft. undertakes to apply the data protection and data processing safeguards prescribed by the data processing contract when engaging another data processor, therefore we ensure the lawful processing of personal data also in the case of the data processor.

4. DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTION

Our company keeps in touch with its guests through a newsletter, in which it recommends its services and informs them about novelties and promotions related to its operation.

The purpose of data processing: maintaining and developing business relationships with potential hotel guests, partners and hotel guests.

Legal basis for data processing: consent of the data subject [Article 6 (1) (a) of the GDPR].

Scope of personal data processed: first and last name, e-mail address

Duration of data processing: until unsubscribing from the newsletter.

Use of data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of a contracting module |
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of the website |

By accepting this prospectus, the data subject expressly consents to the Data Processor engaging further data processors in order to make the service more convenient and customized, as follows:

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of newsletter sending system |

Possible consequences of failure to provide data: The data subject does not receive newsletters from our company.

Rights of the data subject: the data subject (the person whose personal data is processed by our company) may:
a) request information on, and access to, personal data relating to him or her,
b) request their rectification,
c) request their deletion,
d) request the restriction of the processing of personal data under the conditions set out in Article 18 of the GDPR (i.e. that our company does not delete or destroy the data until a court or authority requests it, but for a maximum of thirty days, and does not process the data for any other purpose beyond that),
e) object to the processing of personal data,
f) exercise the right to data portability. According to the latter right, the data subject has the right to receive the personal data concerning him or her in Word or Excel format and has the right to transmit these data to another data controller at his or her request.

You can unsubscribe from the newsletter at any time by sending an e-mail to our company at the info@hotelandmore.hu e-mail address or by clicking on the unsubscribe icon in the newsletter. In this case, your personal data related to the newsletter will be immediately deleted from our database.

Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized access). In the event of an incident nevertheless occurring, we keep records for the purpose of checking the necessary measures and informing the data subject, which includes the scope of personal data concerned, the scope and number of persons affected by the data protection incident, the date, circumstances, effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the law prescribing data processing.

Our company has concluded a data processing contract for data processing tasks, in which Igor Corner Kft. undertakes to apply the data protection and data management safeguards prescribed by the data processing contract in case of engaging another data processor, therefore we ensure the lawful processing of personal data also in the case of the data processor.

5. PERSONAL DATA PROCESSING RELATED TO SATISFACTION MEASUREMENT

Our goal is to provide our Hotel&More guests with a high level of services, so we are constantly asking for feedback from our guests about their experiences during their stay at our hotel.

The purpose of data processing: to request feedback from hotel guests in order to further develop and improve our services.

Legal basis for data processing: legitimate interest of the controller [Article 6 (1) (f) of the GDPR], consent of the data subject [Article 6 (1) (a) of the GDPR].

Indication of legitimate interest: our company has a legitimate interest in receiving information to improve our services based on feedback.

The scope of personal data processed: first and last name, gender, e-mail address, date of arrival and departure.

Duration of data processing: two years after the last day of the booked date of stay.

Use of data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of the satisfaction measurement module |
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of the website |

By accepting this prospectus, the data subject expressly consents to the Data Processor engaging further data processors in order to make the service more convenient and customized, as follows:

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | The owner of the Hotelizer software integrated into the reservation system. This software is responsible for sending automatic emails displaying confirmations and notifications in case of booking, quotation and satisfaction measurement |

Possible consequences of failure to provide data: The data subject does not receive a satisfaction survey from our company.

Rights of the data subject: the data subject (the person whose personal data is processed by our company) may:
a) request information on, and access to, personal data relating to him or her,
b) request their rectification,
c) request their deletion,
d) request the restriction of the processing of personal data under the conditions set out in Article 18 of the GDPR (i.e. that our company does not delete or destroy the data until a court or authority requests it, but for a maximum of thirty days, and does not process the data for any other purpose beyond that),
e) object to the processing of personal data,
f) exercise the right to data portability. According to the latter right, the data subject has the right to receive the personal data concerning him or her in Word or Excel format and has the right to transmit these data to another data controller at his or her request.

Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, unauthorized access). In the event of an incident nevertheless occurring, we keep records for the purpose of checking the necessary measures and informing the data subject, which includes the scope of personal data concerned, the scope and number of persons affected by the data protection incident, the date, circumstances, effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the law prescribing data processing.

Our company has concluded a data processing contract for data processing tasks, in which Igor Corner Kft. undertakes to apply the data protection and data management safeguards prescribed by the data processing contract in case of engaging another data processor, therefore we ensure the lawful processing of personal data also in the case of the data processor.

6. COOKIES TREATMENT

In order to provide customized service, the Data Controller places a small data package, a so-called cookie on the user's computer and reads it back during a later visit. If the browser returns a previously saved cookie, the service provider managing the cookie has the opportunity to link the user's current visit with previous ones, but only for its own content.

The purpose of data processing: identification, tracking, differentiation of users, identification of users' current session, storage of data provided during it, prevention of data loss, web analytics measurements, personalized service.

Legal basis for data processing: consent of the data subject [Article 6 (1) (a) of the GDPR].

The scope of processed data: date, time and previously visited page.

Duration of data processing: maximum 30 days from visiting the website.

Use of data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Recording visitor data |
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of the website |

Further information on data processing: The user can delete the cookie from his/her computer or disable the use of cookies in his/her browser.

You can find more information on setting cookie preferences within your browser in the following policies:

• Internet Explorer
• Firefox
• Chrome
• Safari

Possible consequences of failure to provide data: impossibility of using the services described in points II.1-5 above.

7. WEBSITE SERVER LOGGING

When you visit the www.hotelandmore.hu website, the web server automatically logs the user's activity.

Purpose of data processing: during the visit of the website, the service provider records visitor data in order to control the operation of the services and prevent abuse.

Legal basis for data processing: Legitimate interest of the Data Controller [Article 6 (1) (f) of the GDPR]

Indication of legitimate interest: our company has a legitimate interest in the secure operation of the website.

Type of personal data processed: IP address, identification number, date, time, address of the page visited.

Duration of data processing: maximum 90 days from visiting the website.

Use of data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

| Name of data processor | Seat | Description of the data processing task |
|---|---|---|
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Recording visitor data and information necessary for server operation |
| Igor Corner Internet Ltd. | 9730 Kőszeg, Táncsics Mihály utca 13. | Operation of the website |

Further information: our company does not link the data obtained during the analysis of log files with other information, and does not seek to identify the user. The address of the pages visited, as well as the date and time data alone are not suitable for identifying the data subject, however, when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

Data processing related to logging by external service providers:
The html code of the portal contains links from and to external servers independent of our company. The server of the external service provider is connected directly to the user's computer. We draw the attention of our visitors to the fact that the providers of these links are able to collect user data (e.g. IP address, browser, operating system data, mouse pointer movement, address of the page visited and time of visit) due to direct connection to their server and direct communication with the user's browser. An IP address is a series of numbers with which the computers and mobile devices of users accessing the Internet can be clearly identified.

IP addresses can even be used to geographically locate visitors using a given computer. The address of the pages visited, as well as the date and time data alone are not suitable for identifying the data subject, however, when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

8. OTHER DATA PROCESSING

Information on data processing not listed in this prospectus will be provided at the time of data collection. We inform our clients that certain authorities, bodies performing public tasks and courts may contact our company for the purpose of providing personal data. Our company will disclose personal data to these bodies – if the body concerned has indicated the exact purpose and scope of the data – only to the extent that is strictly necessary to achieve the purpose of the request, and if the fulfillment of the request is required by law.

III. METHOD OF STORING PERSONAL DATA, SECURITY OF DATA MANAGEMENT

Our company's IT systems and other data retention locations are located at the headquarters and on servers rented by the data processor. Our company selects and operates the IT tools used to manage personal data during the provision of the service in such a way that the data processed:

a) is accessible to authorised persons (availability);
b) has its authenticity and authentication ensured (credibility of data processing);
c) can be shown to be unchanged (data integrity);
d) is protected against unauthorized access (confidentiality of data).

We pay special attention to the security of data, furthermore we take the technical and organizational measures and establish the procedural rules necessary to enforce the guarantees under the GDPR. In particular, we protect the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage or becoming inaccessible due to changes in the technology used.

The IT systems and networks of our company and our partners are protected against computer-aided fraud, computer viruses, computer break-ins and attacks leading to denial of service. The operator ensures security with server-level and application-level protection procedures. Data is backed up daily. In order to avoid personal data breaches, our company takes all possible measures; in the event of such an incident, in accordance with our internal regulations, we take immediate action to minimize risks and avert damages.

IV. RIGHTS OF DATA SUBJECTS, LEGAL REMEDIES

The data subject may request information about the processing of his or her personal data, and may request the rectification of his or her personal data, or, with the exception of mandatory data processing, erasure or withdrawal, exercise his or her right to data portability and objection in the manner indicated at the time of recording the data or at the above contact details of the data controller.

At the request of the data subject, we will provide the information in electronic form without delay, but no later than within 30 days, in accordance with our relevant regulations. Requests from data subjects to fulfil the rights below will be fulfilled free of charge.



Right to information:

Our company shall take appropriate measures to provide data subjects with all information referred to in Articles 13 and 14 GDPR and each communication pursuant to Articles 15 to 22 and 34 relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language and at the same time precisely.

The right to information can be exercised in writing via the contact details provided in point 1. At the request of the data subject, information may also be provided orally after verifying his/her identity. We inform our clients that if our employees have doubts about the identity of the data subject, we may request the provision of information necessary to confirm the identity of the data subject.

Right of access by the data subject:

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If personal data are being processed, the data subject shall have the right to access the personal data and the following listed information.
• the purposes of processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries (outside the European Union) or international organisations;
• the envisaged period for which the personal data will be stored;
• the right to rectification, erasure or restriction of processing and the right to object;
• the right to lodge a complaint with a supervisory authority;
• information on data sources;
• the existence of automated decision-making, including profiling, and meaningful information about the logic involved, the significance and the envisaged consequences of such processing for the data subject.

In addition, where personal data are transferred to a third country or international organisation, the data subject shall have the right to be informed of the appropriate safeguards applicable to the transfer.

Right to rectification:

Under this right, anyone may request the rectification of inaccurate personal data concerning them processed by our company and the completion of incomplete data.

Right to erasure:

The data subject shall have the right to obtain from us the erasure of personal data concerning him or her without undue delay on one of the following grounds:

(a) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based and there is no other legal basis for the processing;
(c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
(d) unlawful processing of personal data is established;
(e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
(f) the personal data have been collected in connection with the offer of information society services.

The erasure of data cannot be initiated if data processing is necessary for the following purposes:
(a) for exercising the right to freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the field of public health or for archiving, scientific or historical research purposes or statistical purposes;
(d) or for the establishment, exercise or defence of legal claims.

Right to restriction of processing:

At the request of the data subject, we restrict processing under the conditions of Article 18 GDPR, i.e. if:
(a) the accuracy of the personal data is contested by the data subject, for a period enabling the accuracy of the personal data to be verified;
(b) the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
(d) the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate reasons of the controller override those of the data subject.

Where processing has been restricted, personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. The data subject shall be informed in advance of the lifting of the restriction of processing.

Right to data portability:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and to transmit those data to another controller. Our company can fulfill such a request of the data subject in Word or Excel format.

Right to object:

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for such purposes.

Automated individual decision-making, including profiling:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and the controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down appropriate measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the explicit consent of the data subject.

Right of withdrawal:

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Rules of procedure:

The controller shall inform the data subject without undue delay and in any event within one month of receipt of the request of the action taken in response to a request pursuant to Articles 15 to 22 GDPR. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.

Where the data subject makes the request by electronic means, the information shall be provided by electronic means, unless otherwise requested by the data subject.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the supervisory authority and seeking a judicial remedy.

The controller shall communicate any rectification, erasure or restriction of processing carried out by the controller to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. At the request of the data subject, the controller shall inform him or her of those recipients.

Damages and grievance fees:

Any person who has suffered material or non-material damage as a result of an infringement of the Data Protection Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. The processor shall only be liable for damages caused by data processing if it has failed to comply with the obligations laid down by law specifically incumbent on processors or if it has ignored or acted contrary to lawful instructions of the controller. Where several controllers or processors, or both controller and processor, are involved in the same processing and are liable for damage caused by the processing, each controller or processor shall be jointly and severally liable for the entire damage.

The controller or processor shall be exempted from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to turn to court and data protection authority procedure:

If the data subject considers that the Data Controller has violated his or her right to the protection of personal data in the course of data processing, he or she may seek legal remedy in accordance with the applicable legislation before the competent bodies as follows:

- lodge a complaint with the National Authority for Data Protection and Freedom of Information
address: 1125 Budapest, Szilágyi Erzsébet street 22/c.;
website: www.naih.hu;
e-mail address: ugyfelszolgalat@naih.hu;
Phone: +36-1-391-1400
(hereinafter referred to as "NAIH")


- apply to the competent court.
The court shall deal with the case as a matter of priority.
The Data Controller undertakes to cooperate fully with the court concerned or NAIH during these proceedings, and to disclose the data related to data processing to the NAIH or the court concerned.

V. MISCELLANEOUS PROVISIONS

The Data Controller undertakes to ensure that all data processing related to its activities complies with the requirements set out in this notice, in the internal regulations of the Data Controller – which contain the same requirements as this notice – and in the applicable legislation.

The Data Controller reserves the right to change this information at any time, provided that it informs the data subjects of any changes by means of a notice published on the website of Hotel & More after the changes have been implemented.

If you have any questions about the contents of this notice, please email us.