DATA PROTECTION INFORMATION SHEET I (20/04/2018)
1. The purpose of data processing:
The purpose of this Information Sheet is to set the data protection and data processing guidelines as well as the data protection and data processing policy of Csónakázótó Vendéglátóipari Kft. (hereinafter: Data Controller) who have undertaken to be bound by these guidelines and policies.
Csónakázótó Vendéglátóipari Kft. reserves the right to change the content of this Information Sheet at any time, about which Data Controller informs its Customers and Partners without undue delay.
Data Controller undertakes to keep the Personal Data that comes into their possession confidential, and also undertakes to take every necessary security, technical and organisational measure to secure and guarantee safe processing of Personal Data during the entire period of data processing.
Unless otherwise specified, the scope of this Information Sheet does not cover the services and data processing in connection with the promotions, prize competitions and services relating to these campaigns and their shared content that are published by Third Parties other than Data Controller, the operator of Data Controller’s website and those listed in this Information Sheet as advertisers or any other type of content-publishers of the Company’s website. Similarly, unless otherwise specified, the scope of this Information Sheet does not cover the services and data processing of those websites and service providers that are connected via a link to the websites covered by this Information Sheet. Such services are covered by the Data Protection Policies of the service providing Third Party and therefore Data Controller shall not by liable for their data processing.
Data Controller carries out the processing, storage and transfer of Personal data in compliance with the legislation in force, in particular with the following:
2. Personal Data processed:
2.1. If User visits the platform of a service, the system of Data Controller automatically records the IP address of User.
2.2. In order to provide services and based on the consent of User, Data Controller may process the following data: name, nickname, sex, address, place of residence, zip code, place of birth, date of birth, phone number, email address, secondary email address, introduction, IP address of last login, date and time of last login.
2.3. If, as a part of a service (e.g. a message to contact, request for quotation, etc.), User sends and email, Data Controller may store and use the email address of User for a period and to an extent that is necessary in order to provide the ordered service.
2.4. If User agrees to connect their Facebook profile with the Facebook profile of Data Controller, then Data Controller – apart from the Personal Data listed above – may process the following Personal Data: Facebook profile name, Facebook profile’s URL, Facebook username, Facebook profile picture, Facebook email address, address provided on the Facebook profile, sex provided on the Facebook profile, birthday, introduction, marital status and website URL.
2.5. Regardless of the above, it may occur that a service provider that is technically connected to the operation of the service, processes data on one of the websites and without informing Data Controller about this activity. Such activity does not constitute data processing of Data Controller, and this is why Data Controller attempts to prevent and filter such activities.
3. Further data processed by Data Controller:
3.2. Data that is technically stored during the operation of the system: data of User’s login computer that are created while using the service and that are automatically stored by Data Controller’s system as a result of technical processes. These automatically stored data are automatically logged by the system upon login and logout unless otherwise declared and specified by User.
4. A detailed description of the categories of data processed by Data Controller:
4.1. Data processing carried out by the restaurant:
4.1.1. Guest data:
The purpose of data processing: To make purchases in the restaurants of Csónakázótó Vendéglátóipari Kft., to issue invoices, to keep records of guests, to document purchases and payments, to meet accounting requirements, to keep contact with guests.
The legal basis of data processing: data processing is required in order to fulfil contracts.
Type of Personal Data processed: name, address, name and price of service offered, payment method, date of service provided.
Data processing period: 8 years as required by the Act C of 2000 on accounting.
In case of payments by credit or debit card, the transaction data are controlled by Raiffeisen Bank Zrt. In order to enable payment by credit or debit card: user ID, sum in transaction, transaction date and time to the bank.
Legal basis of data transfer: it is required in order to fulfil a contract, in compliance with the provisions of GDPR.
The purpose of data processing: organizing, hosting, coordinating and controlling events of Csónakázótó Vendéglátóipari Kft.
Legal basis of data processing: it is required in order to fulfil a contract, in compliance with the provisions of GDPR.
Scope of data processed: reservation ID; date of order and event; name, phone number, email address of the customer; number of participants; name, age, sex, possible special requests, food intolerances of data subject as well as other data provided during in the order.
Data processing period: one month after the end of the event.
Data processing is required in order to fulfil contracts.
4.1.3. Handling complaints:
The purpose of data processing: Handling complaints regarding the quality of services provided by Csónakázótó Vendéglátóipari Kft.
The legal basis of data processing: data processing is required in order to fulfil the contract.
Type of Personal Data processed: unique identification of complaint; name, address of customer; place, time and method of registering the complaint; supporting documents submitted by customer; record of further receipts; the description of the complaints; place and time of recording the complaint, name and signature of recipient.
Data processing period: the records and a copy of every response given to written complaints as well as delivery receipts shall be kept for 5 years, according to Act CLV of 1997 on consumer protection.
The copy of complaints written in the book of complaints shall be kept for 2 years.
There is no data transfer.
The purpose of data processing: incident handling in the restaurant and recording incidents.
The legal basis of data processing: legal interest of Data Controller and other persons demand the handling of incidents.
Scope of data processed: name, address, phone number of injured person; date and time of accident; description of the accident and injuries; description of measures taken; name of person providing first aid; name, address, phone number and other contact details of witness.
Data processing period: 5 years for the accident report.
4.1.5. Lost and found procedures:
The purpose of data processing: keeping record of items lost and found in the restaurant, contacting the owner of the items and the person who found them.
The legal basis of data processing: according to Act V of 2013 on the Civil Code.
Type of Personal Data processed: date and time of finding the items; personal data of finder; name of items lost and found; whether or not the staff was able to contact the owner of the items; location of storage; name and signature of finder and recipient of items lost and found and person responsible for handing it back.
Data processing period: all data is destroyed as soon as the owner receives the lost and found items.
4.1.6. Wi-Fi service at the restaurant:
By connecting to the Wi-Fi network, customers allow Csónakázótó Vendéglátóipari Kft. to monitor their connection using the unique network ID of their device.
Data transfer through the restaurant Wi-Fi network is not recorded by Csónakázótó Vendéglátóipari Kft.
4.2. Marketing and market research database:
4.2.1. Marketing database:
The data of those who agree to be contacted for direct marketing purposes is processed by Csónakázótó Vendéglátóipari Kft.
The purpose of data processing: creating a business database; targeting data subjects with email newsletters that contain commercial advertising; creating tailored offers using online analytical data; and sending offers of Data Controller and their partners.
Only people of the age of 16 or above may agree to be contacted for direct marketing purposes.
The legal basis of data processing: consent of data subject according to Act XLVIII of 2008 on the essential conditions and certain limitations of business advertising activity.
Scope of data processed: identification number; name; address; email address; phone number; consent to direct marketing communications; and data regarding the sending, delivery and opening of messages, as well as online activity of data subjects is recorded by the system.
Data processing period: until the revocation of data subject’s consent.
The revocation of consent to direct marketing communications and the request to rectify or erase Personal Data can be sent to the central email address of Csónakázótó Vendéglátóipari Kft.
4.2.2. Market research database:
The data of Data Subjects involved in market research is processed by Csónakázótó Vendéglátóipari Kft.
The purpose of data processing: keeping record and segmenting of the data of those who participate in the market research; sending invitations to surveys; coordinating and carrying out market research.
The legal basis of data processing: consent of Data Subject. Only people of the age of 16 or above may agree to participate in market research.
Type of Personal Data processed: identification number, name, address, email address, phone number and other data provided.
Data processing period: until the revocation of data subject’s consent.
4.3. Property protection:
4.3.1. Electronic surveillance system:
Csónakázótó Vendéglátóipari Kft. uses electronic surveillance systems in their restaurants. These systems include cameras that survey the entire guest area. The exact place of cameras and the area they survey is indicated at a visible location and guests are informed about the cameras upon their arrival to the restaurant.
Data Controller: the assigned manager of Csónakázótó Vendéglátóipari Kft.
The purpose of data processing: preventing and detecting criminal activities in order to protect human life, physical integrity and property; catching criminals in the act; providing proof for criminal activities; identifying those who enter the restaurant without permission; recording their entrance; documenting the activities of those who are inside without permission; as well as examining the circumstances of occupational and other accidents.
The legal basis of data processing: guests agree upon entering the restaurant while in case of employees, this is a legitimate interest for the property protection of Csónakázótó Vendéglátóipari Kft., according to Act I of 2012 on the Labour Code.
Type of Personal Data processed: the facial image and other Personal Data of those who enter the restaurant and are recorded by the surveillance system.
Data processing period: 30 days unless used (according to Act CXXXIII of 2005 on the rules of the protection of persons and property and of the activity of private detectives)
Usage of records:
Person authorized to view the current image of the camera: authorized personnel of Csónakázótó Vendéglátóipari Kft.
Person authorized to view the recorded image of the camera: authorized personnel of Csónakázótó Vendéglátóipari Kft.
Person authorized to store the image of the camera on a data carrier: authorized personnel of Csónakázótó Vendéglátóipari Kft.
The records of surveillance cameras operated by Csónakázótó Vendéglátóipari Kft. are only allowed to be viewed by authorized people and only in order to prove infringement against human life, physical integrity and property and only to identify the perpetrator.
Those Data Subjects whose rights or rightful interests are affected by the camera recordings may request, upon proving their rights or rightful interests, Data Controller not to erase the records until further notice of the court or authority involved, but up to 30 days. Persons appearing on the records may request information regarding the record of the surveillance system; they may request a copy; or, if there are other people appearing on the record, they may view the record. Data Subject may request the erasure of the records where they appear; the modification of data in connection with the records; or they can object to the processing of data.
Data Controller is obliged to keep a report on who, when and for what purpose viewed the records.
Recipients of data transfer: in case of infringement or criminal proceedings, the authorities or courts that carry out the proceedings.
Scope of data transferred: records of the surveillance system that contain relevant information.
The legal basis of data transfer: Act XIX of 1998 on Criminal Proceedings; Act C of 2000 on accounting.
Data processing is carried out by Csónakázótó Vendéglátóipari Kft. and the website does not record user data when visited.
Data processing of external service providers:
The HTML code of the website contains links that are independent from Csónakázótó Vendéglátóipari Kft. and that lead to or originate from external servers. The server of external service providers is in direct connection with the computer of the user. Therefore, we inform our users that these external service providers may be able to collect user data.
Possible tailored contents are provided by the servers of external service providers. These service providers can provide information about their data processing methods. (i.e. the Google Analytics server).
The website contains the service provider code available at facebook.com.
4.5. Mobile application:
When Data Subject uses the mobile application of Csónakázótó Vendéglátóipari Kft. or in other ways contacts Csónakázótó Vendéglátóipari Kft., data may be collected in connection with Data Subject.
Data collected can be divided into two categories:
Data Subjects may provide the following information:
The following information can be collected autimatically:
Data collected may be used by Csónakázótó Vendéglátóipari Kft. for the following purposes:
We only share Personal Data of Data Subjects with Third Parties for direct marketing purposes if Data Subjects provided us with their consent.
4.6. Application to job advertisements:
The website operated by Csónakázótó Vendéglátóipari Kft. provides the opportunity to apply for positions. The Data Controller of these Personal Data is Csónakázótó Vendéglátóipari Kft.
Employer as Data Controller may process Personal Data provided by applicants during the selection process and for another year for the purpose of selecting employees.
The purpose of data processing: application for a job at Csónakázótó Vendéglátóipari Kft., participation in the selection procedure.
The legal basis of data processing: consent of Data Subject.
Type of Personal Data processed: name, permanent address, place of residence, phone number, email address, place and date of birth, as well as CVs, images and cover letters uploaded by the applicant.
Deadline to erase data: one year after the submission of the application.
4.7. Other data processing:
If a type of data processing is not included in this Information Sheet, Data Subjects are informed about that data processing before providing Personal Data.
5. Principles and methods of data processing:
5.1. Data Controller processes Personal Data based on the principles of fairness, good faith, transparency and the provisions of existing laws and this Information Sheet.
5.2. Data Controller processes Personal Data that is strictly necessary to provide services in accordance with the consent of User and solely for the purpose agreed upon.
5.3. Data Controller may only process Personal Data for the purposes set in this Information Sheet or in existing laws. In every case Data Controller wishes to use Personal Data for other than the agreed upon purposes, Data Controller shall request prior consent of User and shall provide User the opportunity to object and prohibit this processing of Personal Data.
5.4. Data Controller does not verify the provided Personal Data.
5.5. Personal Data of people under the age of 16 may only be processed with the consent of person(s) of legal age having parental care over them. Data Controller cannot verify the content of the consent or whether the person providing the consent is authorized, therefore the legality of the consent is the responsibility of User and the person(s) having parental care over them.
5.6. Data Controller shall not transfer Personal Data in certain cases to Third Parties through external service providers or to data processors other than those listed in this Information Sheet.
Data Controller shall share User’s Personal Data with Third Parties in certain cases including court, legal and police procedures or other infringements or in case of reasonable suspicion, if the interests of Data Controller are damaged, if the provision of services is endangered, etc.
5.7. The system of Data Controller may collect User activity data that cannot be connected with any other data provided by User, nor with data that are created using other services.
5.8. Data Controller shall notify Data Subject and those who received the Personal Data for data processing in case of rectification, restriction or erasure of these Personal Data. This notification is not mandatory if – based on the purpose of data processing – this does not adversely affect the interests of Data Subject.
5.9. Data Controller secures Personal Data and takes the necessary technical and organizational security measures as well as establishes the rules of procedure in order to guarantee that data collected, stored and processed is protected, and Data Controller undertakes to protect Personal Data against accidental loss, unlawful destruction or damage or unauthorized access, use, modification or distribution.
6. Rights of User and how to enforce them:
6.1. Upon the request of User, Data Controller shall provide information on whether they are processing Personal Data of User, and if yes, Data Controller shall grant access to User to all the Personal Data processed.
6.2. User may request the rectification or modification of Personal Data processed by Data Controller.
6.3. User may request the erasure of Personal Data processed by Data Controller.
This request may be rejected for exercising the right of freedom of expression and information, for the establishment, exercise or defence of legal claims or if laws allow the processing of Personal Data.
Data Controller shall in every case inform User about the fact that their request was rejected, including the reason for this rejection.
User can unsubscribe from the newsletters of Data Controller using the link included in the newsletter or by sending an email. In case User unsubscribes from a newsletter, Data Controller erases Personal Data of User.
6.4. The User shall have the right to obtain from the controller restriction of processing if the accuracy of the personal data is contested by the User. In this case, this applies for a period enabling the Controller to verify the accuracy of the Personal Data.
User may restrict processing of Personal Data if the processing is unlawful or if the purpose of data processing was fulfilled, but User may allow the processing Personal Data where necessary for the establishment, exercise or defence of legal claims.
6.5. The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
6.6. User may object to processing of their Personal Data if the processing of Personal Data is solely necessary for compliance with a legal obligation to which Controller, a service provider or a Third Party is subject.
7.0 Data processing:
7.1. In order to provide their services, Controller uses the services of Data Processors.
7.2. Data Processors may not decide on their own, they shall follow the provisions of the contract concluded with Controller as well as the instructions of Controller. After 25/05/2018, Data Processors shall store, handle and process Personal Data transferred to them by Data Controller according to the provisions of GDPR and they shall include this in a written agreement sent to Data Controller.
7.3. Data Controller shall supervise the work of Data Processor.
7.4. Data Processors are only allowed to involve further data processors with the consent of Data Controller.
8.0. The possibility to transfer data:
8.1. Data Controller shall have the right and the duty to transfer legally stored Personal Data to the competent authority when complying with existing laws of compulsory orders. Data Controller shall not be held responsible for the consequences of such data transfer.
8.2. In case Data Controller fully or partly assigns a Third Party with the operation or utilization of the content and storage services, then Personal Data processed by Data Controller shall be transferred to this Third Party without the consent of User. However, User shall be informed prior to handing over the operation to the Third Party and this action shall not create a situation to User that is less advantageous than what is set in this Information Sheet.
Data Controller shall provide User the opportunity to prohibit data transfer.
9.0 Modifying the Information Sheet:
9.1. Data Controller reserves the right to modify the contents of the Information Sheet at any time.
9.2. Upon next login, User accepts the current version of the Information Sheet with all its provisions and there is no need for further User consent.
10.0 Possible ways to enforce rights:
10.1. For questions and comments regarding data protection, please refer to the Data Protection Officer of the company at the following email address: firstname.lastname@example.org
10.2. In case of data processing complaints, User may directly turn to the Hungarian National Authority for Data Protection and Freedom of Information (H-1125. Budapest, Szilágyi Erzsébet fasor 22/C).
10.3. If the rights of User are violated, User may bring an action before court. The court shall decide on the case. Data Subject may choose a court based on his or her place of residence or permanent address.