Barion Pixel
BOOK A TABLE

Privacy Notice of SUNSET ANGEL Ltd.

SUNSET ANGEL Ltd. (hereafter referred to as the “Company”) hereby fulfills its obligation to provide preliminary information concerning the handling of personal data of the concerned individuals, as required by the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. This notice is made available to individuals involved in data processing in a concise, transparent, intelligible, and easily accessible form, clearly articulated.

DATA CONTROLLER IDENTIFICATION

The Company informs the data subject that it qualifies as a data controller regarding the handling of personal data.

COMPANY NAME: SUNSET ANGEL Ltd.

REGISTERED OFFICE: 1097 Budapest, Könyves Kálmán krt. 16.

COMPANY REGISTRATION NUMBER: 01 09 675505

TAX NUMBER: 11765033-2-43

PHONE: +

EMAIL: hello@romkert.eu

WEBSITE: romkert.eu

Employees of the Company with relevant access rights for data processing purposes, as well as individuals and organizations performing data processing activities under service contracts with the Company, are privy to personal data to the extent and measure necessary for their activities.

DATA PROCESSORS IDENTIFICATION

(1) The Company employs external data processors based on voluntary consent for personal data handled for the operation and maintenance of its website.

DEFINITIONS

“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“data processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future.

“profiling”: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“pseudonymization”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“filing system”: any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.

“controller”: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

“processor”: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

“recipient”: a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

“third party”: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

“consent of the data subject”: any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“data protection incident”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

“enterprise”: any natural or legal person engaged in economic activity, regardless of its legal form, including partnerships or associations regularly engaged in economic activity.

LEGAL BASIS FOR DATA PROCESSING The consent of the concerned person

(1) The legality of processing personal data must be based on the consent of the concerned person or another legal basis established by law.

(2) If the processing is based on the consent of the concerned person, the consent may be given in the following form:

a) in writing, in a statement granting consent to the processing of personal data, b) electronically, through explicit conduct on the Company’s website, such as checking a checkbox, or if technical settings are made in connection with the use of information society services, and any other declaration or action that clearly indicates the consent of the concerned person to the planned processing of personal data in the given context. (3) Silence, pre-ticked boxes, or inaction, therefore, do not constitute consent. (4) Consent extends to all processing activities carried out for the same purpose or purposes.

(5) If the processing has multiple purposes, consent must be given for all processing purposes. If consent is requested electronically following a request, the request must be clear and concise and must not unnecessarily hinder the use of the service for which consent is sought.

(6) The concerned person has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The concerned person must be informed of this before giving consent. The withdrawal of consent must be as easy as giving it.

Performance of a contract

The processing of personal data is lawful if it is necessary for the performance of a contract to which the concerned person is a party or in order to take steps at the request of the concerned person prior to entering into a contract. The handling of personal data not necessary for the performance of a contract may not be a condition for entering into a contract.

Compliance with a legal obligation of the data controller or protection of vital interests of the concerned person or another natural person

The legal basis for processing is determined by law when fulfilling a legal obligation, thus the consent of the concerned person to the processing of their personal data is not necessary. The data controller must inform the concerned person of the purpose, legal basis, and duration of the processing, the identity of the data controller, as well as their rights and the remedies available. After the withdrawal of the concerned person’s consent, the data controller is entitled to handle the data necessary for the fulfillment of a legal obligation.

Performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, or for the legitimate interests of the data controller or a third party

The data controller – including the one to whom personal data may be disclosed – or a third party’s legitimate interest may provide a legal basis for data processing, provided that the interests or fundamental rights and freedoms of the concerned person do not take precedence, taking into account the reasonable expectations based on their relationship with the data controller. Such legitimate interest could arise, for example, when there is a relevant and appropriate relationship between the concerned person and the data controller, such as when the concerned person is a client or employee of the data controller.

The existence of a legitimate interest must be carefully assessed, including whether the concerned person could reasonably expect at the time of the collection of personal data and in the context of the collection that processing for that purpose may occur. The interests and fundamental rights of the concerned person may take precedence over the interests of the data controller, especially when personal data are processed in circumstances where data subjects do not expect further processing.

RIGHTS OF THE CONCERNED PERSON RELATING TO THE PROCESSING OF THEIR PERSONAL DATA

The Company briefly informs the concerned person of the following rights:

the right to be informed before the start of data processing, the right to receive feedback from the data controller on whether personal data concerning them is being processed and if such processing is taking place, the right to access the personal data and the following information, the right to request the rectification or erasure of data and to be informed by the data controller of this fact, the right to request the restriction of processing and to be informed by the data controller of this fact, the right to data portability, the right to object, especially if personal data are processed for public interest purposes or on the basis of the legitimate interests of the data controller, to be exempt from automated decision-making, including profiling, the right to lodge a complaint with the supervisory authority. The concerned person may exercise their right to lodge a complaint using the following contact details: National Authority for Data Protection and Freedom of Information, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., Phone: +36 (1) 391-1400; Fax: +36 (1) 391-1410., www: http://www.naih.hu, email: ugyfelszolgalat@naih.hu the right to effective judicial remedy against the data controller or the data processor, the right to be informed about a data protection incident.

DETAILED INFORMATION ON THE RIGHTS OF THE CONCERNED PERSON

Right to information

(1) The concerned person has the right to be informed about the processing of their data before such processing begins.

(2) Information to be made available if personal data are collected from the concerned person:

the identity and the contact details of the data controller and, if applicable, the data controller’s representative; the contact details of the data protection officer, if applicable; the purposes for which the personal data are intended to be processed and the legal basis for the processing; where processing is based on point (f) of Article 6(1), the legitimate interests pursued by the data controller or by a third party; where applicable, the recipients or categories of recipients of the personal data; where applicable, the fact that the data controller intends to transfer personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

(3) In addition to the information referred to in paragraph 1, the data controller shall provide the concerned person with the following additional information necessary to ensure fair and transparent processing at the time of obtaining the personal data:

the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; the existence of the right to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning the concerned person, and to object to processing as well as the right to data portability; where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; the right to lodge a complaint with a supervisory authority; whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the concerned person is obliged to provide the personal data and the possible consequences of failure to provide such data; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the concerned person.

(4) If the personal data are not collected from the concerned person, the data controller shall provide the concerned person with the following information:

the identity and the contact details of the data controller and, if applicable, the data controller’s representative; the contact details of the data protection officer, if applicable; the purposes for which the personal data are intended to be processed and the legal basis for the processing; the categories of personal data concerned; where applicable, the recipients or categories of recipients of the personal data; where applicable, the fact that the data controller intends to transfer personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

(2) In addition to the information referred to in paragraph 1, the data controller shall provide the concerned person with the following additional information necessary to ensure fair and transparent processing:

the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; where processing is based on point (f) of Article 6(1), the legitimate interests pursued by the data controller or by a third party; the existence of the right to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning the concerned person, and to object to processing as well as the right to data portability; where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; the right to lodge a complaint with a supervisory authority; the source of the personal data and, if applicable, whether it came from publicly accessible sources; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the concerned person.

(3) If the data controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the data controller shall provide the concerned person prior to that further processing with information on that other purpose and all relevant further information as referred to in paragraph 2.

(4) Paragraphs 1 to 3 shall not apply where and insofar as:

the concerned person already has the information; the provision of such information proves impossible or would involve a disproportionate effort, particularly for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the Regulation or where the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the data controller shall take appropriate measures to protect the concerned person’s rights and freedoms and legitimate interests, including making the information publicly available; the data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including statutory obligations of secrecy.

Right of access by the concerned person

(1) The concerned person shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data and the following information:

the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing concerning the concerned person, and to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal data are not collected from the concerned person, any available information as to their source; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the concerned person.

(2) Where personal data are transferred to a third country or to an international organization, the concerned person shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

(3) The data controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the concerned person, the data controller may charge a reasonable fee based on administrative costs. If the concerned person makes the request by electronic means, and unless otherwise requested by the concerned person, the information shall be provided in a commonly used electronic form.

Right to rectification and erasure

Right to rectification

(1) The concerned person shall have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the concerned person shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

(1) The concerned person shall have the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; the concerned person withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; the concerned person objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the concerned person objects to the processing pursuant to Article 21(2); the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject; the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

(2) Where the data controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the data controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the concerned person has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

(3) Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise, or defense of legal claims.

Right to restriction of processing

(1) The concerned person shall have the right to obtain from the data controller restriction of processing where one of the following applies:

the accuracy of the personal data is contested by the concerned person, for a period enabling the data controller to verify the accuracy of the personal data; the processing is unlawful and the concerned person opposes the erasure of the personal data and requests the restriction of their use instead; the data controller no longer needs the personal data for the purposes of the processing, but they are required by the concerned person for the establishment, exercise, or defense of legal claims; the concerned person has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the data controller override those of the concerned person.

(2) Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the concerned person’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

(3) A data controller who has obtained restriction of processing pursuant to paragraph 1 shall inform the concerned person before the restriction of processing is lifted.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

(1) The data controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The data controller shall inform the concerned person about those recipients if the concerned person requests it.

(2) The concerned person has the right to be informed about those recipients if they request it.

Right to data portability

(1) The concerned person shall have the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another data controller without hindrance from the controller to which the personal data have been provided, where:

the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and the processing is carried out by automated means.

(2) In exercising their right to data portability pursuant to paragraph 1, the concerned person shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

(4) The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Right to object

  1. The concerned person shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The data controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the concerned person or for the establishment, exercise or defense of legal claims.

(2) Where personal data are processed for direct marketing purposes, the concerned person shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

(3) Where the concerned person objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

(4) At the latest at the time of the first communication with the concerned person, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the concerned person and shall be presented clearly and separately from any other information.

(5) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the concerned person may exercise their right to object by automated means using technical specifications.

(6) Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the concerned person, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Right not to be subject to a decision based solely on automated processing

(1) The concerned person shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

(2) Paragraph 1 shall not apply if the decision:

is necessary for entering into, or performance of, a contract between the concerned person and a data controller; is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the concerned person’s rights and freedoms and legitimate interests; or is based on the concerned person’s explicit consent.

(3) In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the concerned person’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the concerned person’s rights and freedoms and legitimate interests are in place.

Right to lodge a complaint with a supervisory authority and to an effective judicial remedy

Right to lodge a complaint with a supervisory authority.

(1) The concerned person shall have the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work or place of the alleged infringement if the concerned person considers that the processing of personal data relating to them infringes this Regulation.

(2) The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

Right to an effective judicial remedy against a supervisory authority

(1) Without prejudice to any other administrative or non-judicial remedy, every natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

(2) Without prejudice to any other administrative or non-judicial remedy, each concerned person shall have the right to an effective judicial remedy where the competent supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the concerned person within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

(4) Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Right to an effective judicial remedy against a controller or processor

(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each concerned person shall have the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

(2) Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the concerned person has their habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Restrictions

(1) Union or Member State law may restrict by legislative measures the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34 as well as Article 5 in respect of processing by the controller or the processor, and the scope of the rights provided for in Articles 12 to 22 in respect of such processing, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

national security; defence; public security; the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security; the protection of judicial independence and judicial proceedings; the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in the cases referred to in points (a) to (e) and (g); the protection of the concerned person or the rights and freedoms of others; the enforcement of civil law claims.

(2) In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

the purposes of the processing or categories of processing; the categories of personal data; the scope of the restrictions introduced; the safeguards to prevent abuse or unlawful access or transfer; the specification of the controller or categories of controllers; the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; the risks to the rights and freedoms of concerned persons; and the right of concerned persons to be informed about the restriction, unless that may jeopardise the purpose of the restriction.

Notification of a personal data breach

(1) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

(2) The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

(3) The notification referred to in paragraph 1 shall at least:

describe the nature of the personal data breach including where possible, the categories and approximate number of concerned persons involved and the categories and approximate number of personal data records concerned; communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(4) If and when the controller has not already communicated the personal data breach to the concerned person, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Procedures applicable upon the request of the concerned person

(1) The Company facilitates the exercise of the rights of concerned persons, and the request for the exercise of rights set forth in this data protection notice cannot be refused unless the Company proves that it is not in a position to identify the concerned person.

(2) The Company shall inform the concerned person without undue delay, but in any event within one month of receipt of the request, of the actions taken on the request. If necessary, considering the complexity of the request and the number of requests, this period may be extended by a further two months. The data controller shall inform the concerned person of the extension within one month of receipt of the request, including the reasons for the delay.

(3) If the concerned person has made the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the concerned person.

(4) If the Company does not take action on the request of the concerned person, it shall inform the concerned person without undue delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

(5) The Company provides the following information and action free of charge to the concerned person: feedback on the processing of personal data, access to processed data, rectification of data, addition, deletion, restriction of data processing, data portability, objection to data processing, and information about a data protection incident.

(6) If the request of the concerned person is manifestly unfounded or excessive, particularly because of its repetitive character, the data controller, taking into account the administrative costs of providing the information or communication or taking the action requested, may either charge a fee of HUF 5000 or refuse to act on the request.

(7) The burden of proving the clearly unfounded or excessive nature of the request lies with the data controller.

(8) Without prejudice to Article 11, if the data controller has reasonable doubts concerning the identity of the natural person making the request under Articles 15 to 21, it may request the provision of additional information necessary to confirm the identity of the concerned person.

Procedures applicable in the event of a PERSONAL DATA BREACH

(1) A personal data breach in the sense of the Regulation is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(2) A personal data breach includes the loss of personal data-bearing devices (laptop, mobile phone), theft of such devices, loss or inaccessibility of the decryption code for encrypted files managed by the data controller, infection by ransomware that makes the data managed by the data controller inaccessible until the ransom is paid, an attack on the IT system, mistakenly sent emails containing personal data, public disclosure of a mailing list, etc.

(3) Upon detection of a personal data breach, the Company’s representative shall immediately conduct an investigation to identify the personal data breach and determine its possible consequences. Necessary measures must be taken to mitigate the damages.

(4) The personal data breach must be reported to the competent supervisory authority without undue delay, and if possible, no later than 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the report is not made within 72 hours, it must be accompanied by reasons justifying the delay.

(5) The processor shall notify the controller of the personal data breach without undue delay after becoming aware of it.

(6) The report referred to in paragraph 3 shall at least:

describe the nature of the personal data breach including, where possible, the categories and approximate number of concerned persons involved and the categories and approximate number of personal data records concerned; communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(7) If and insofar as it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay.

(8) The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. This documentation shall enable the supervisory authority to verify compliance with Article 33.

DATA PROCESSING IN RELATION TO THE WEBSITE

Information on data relating to visitors to the Company’s website

(1) During visits to the Company’s website, one or more cookies – small packets of information sent by the server to the browser, which then sends them back to the server with every request directed to the server – are sent to the computer of the person visiting the website, thereby uniquely identifying the browser if the visitor to the website gives their express (active) consent to further browsing the website following clear and unequivocal information.

(2) Cookies function solely to improve the user experience and automate the login process. The cookies used on the website do not store information capable of personally identifying the user, and the Company does not conduct personal data processing in this regard.

Registration, newsletter subscription

(1) The legal basis for data processing in the case of registration or newsletter subscription is the consent of the concerned person, which the concerned person gives by ticking the checkbox next to the “registration” or “newsletter subscription” text on the Company’s website after being informed about data processing.

(2) The circle of concerned persons in the case of registration, newsletter subscription: all natural persons who wish to subscribe to the Company’s newsletter or wish to register on the website and give their consent to the processing of their personal data.

(3) Scope of data processed in the case of newsletter subscription: name, email address.

(4) Scope of data processed in the case of registration: name, address, email address, phone number, entry password.

(5) Purpose of data processing in the case of newsletter subscription: to inform the concerned person about the Company’s services, products, changes therein, news about events.

(6) Purpose of data processing in the case of registration: contact for the preparation of contract negotiations, provision of services available on the website free of charge to the concerned person, access to non-public content on the website.

(7) Recipients of the data (who may become acquainted with the data) in the case of newsletter subscription, registration: the Company’s manager, customer relationship manager, employees of the data processor managing the Company’s website.

(8) Duration of data processing in the case of newsletter subscription, registration: in the case of newsletter subscription, until unsubscribing; in the case of registration, until deletion at the request of the concerned person.

(9) The concerned person can unsubscribe from the newsletter at any time or request the deletion of their registration (personal data). Unsubscribing from the newsletter is done by clicking on the unsubscribe link located in the footer of electronic mails sent to the concerned person, or through a letter sent to the Company’s address.

Direct marketing data processing

(1) The legal basis for the Company’s direct marketing data processing is the explicit and clear prior consent of the concerned person. The concerned person gives their explicit and clear prior consent to the Company’s processing of their personal data for direct marketing purposes by ticking the checkbox next to the text concerning consent to direct marketing on the Company’s website after being informed about data processing.

(2) The concerned person can also give their consent in paper form by filling out the data sheet forming Annex 2 of this policy.

(3) Circle of concerned persons: all natural persons who give their explicit, clear consent for the Company to process their personal data for direct marketing purposes.

(4) Data processing objectives: sending advertisements, offers related to service provision, product sales, notification of promotions by electronic or postal means.

(5) Recipients of the personal data: the Company’s manager, employees performing customer service and marketing tasks as part of their job responsibilities.

(6) Scope of personal data processed: name, address, phone number, email address.

(7) Duration of data processing: processing of personal data for direct marketing purposes until withdrawal by the concerned person.

Data processing related to the web store

(1) Data processing activities related to registration in the web store, subscription to the newsletter, and visitor information are governed by the above provisions.

(2) Online, electronic contract conclusions (purchases) on the Company’s website are subject to Act CVIII of 2001 (Eker tv.), hence the purpose of data processing, in addition to the above, includes proving compliance with the statutory consumer information obligation, proving contract conclusion, creating the contract, specifying its content, monitoring its performance, billing the fees arising from it, and enforcing related claims.

(3) The legal basis for data processing in the case of purchases in the web store is the performance of the contract, fulfillment of a legal obligation.

(4) Categories of data involved in data processing: name, address, phone number of buyers, their entry passwords, bank account numbers.

(5) Categories of persons involved in data processing: all natural persons who register in the Company’s web store, subscribe to the newsletter, make purchases.

(6) Categories of data recipients: the Company’s manager, employees handling customer relations, tasks related to sales, employees of the data processor managing the Company’s website, as well as the Company’s accounting tasks, employees of the data processor performing these tasks.

(7) Place of data processing: the Company’s headquarters.

(8) Duration of data processing: 5 years from the termination of the contract.

Data processing related to the performance of the contract

(1) The Company processes the personal data of natural persons – customers, buyers, suppliers – with whom it has contractual relations in connection with the contractual relationship. The concerned person must be informed about the processing of personal data.

(2) Circle of concerned persons: all natural persons who establish a contractual relationship with the Company.

(3) Legal basis for data processing: performance of the contract, purpose of data processing: contact maintenance, enforcement of claims arising from the contract, ensuring compliance with contractual obligations.

(4) Recipients of the personal data: the Company’s manager, employees of the Company handling customer service, accounting tasks, data processors.

(5) Scope of personal data processed: name, address, headquarters, phone number, email address, tax number, bank account number, entrepreneur’s license number, producer’s license number.

(6) Duration of data processing: 5 years from the termination of the contract.

Information on data processing related to the use of an electronic monitoring system

(1) Our Company operates an electronic monitoring and recording system (camera system) in the customer area/property it owns, including its associated units. Upon entering the area (premises) marked with a sign indicating monitoring, the electronic monitoring system will record the image and actions of the concerned person.

(2) The legal basis for camera monitoring is the voluntary consent of the concerned person based on the information placed by our Company in the form of warning signs. The concerned person’s consent can also be given in the form of an explicit indicative behavior. Such explicit indicative behavior includes entering and staying in the premises/area monitored and recorded by the electronic monitoring and recording system. If you do not wish to give your consent, please do not enter the premises/areas or units marked with the warning sign.

(3) The purpose of recording is to protect human life, physical integrity, personal freedom, protect trade secrets, and prevent, detect, and prove violations, document the circumstances of possible accidents occurring in the customer area, and perform tasks related to insurance, as well as to protect the private area accessible to the public. The camera monitoring system does not record sound.

(4) The legal basis for camera monitoring is the voluntary consent of the concerned person based on the information placed by the Company in the form of warning signs. The concerned person’s consent can also be given in the form of explicit indicative behavior. Such explicit indicative behavior includes entering and staying in the premises/area monitored and recorded by the electronic monitoring and recording system.

(5) The place of storage of the recordings (personal data) captured by the electronic monitoring system is the headquarters of our Company, and the duration of storage of the recordings is 3 working days from the date of recording.

(6) Scope of data processed: the image of the concerned person captured by the operating camera system, and other personal data.

(7) Recipients who may become acquainted with the camera footage: the Company’s manager, employees operating the camera system, the data processor handling the operation for the purpose of detecting violations, checking system operation.

Provisions relating to data security

(1) The Company may process personal data only in accordance with the activities specified in this policy, according to the purpose of data processing.

(2) The Company shall ensure the security of the data, hereby undertaking to take all technical and organizational measures that are indispensably necessary for the enforcement of data security rules, data and secrecy protection rules, or to establish the procedural rules necessary for the enforcement of the aforementioned laws.

(3) The Company shall protect the data with appropriate measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as accidental destruction and damage, and from becoming inaccessible due to changes in the applied technology.

(4) The technical and organizational measures to be implemented by the Company for data security are specified in the Company’s data protection policy.

(5) In determining and applying data security measures, the Company considers the current state of the art, choosing a higher level of protection for personal data when several possible data processing solutions are available, except where it would involve disproportionate difficulty.

Rules related to data processing

General rules related to data processing (1) The rights and obligations of the data processor in relation to the processing of personal data are defined by law and by the specific laws applicable to data management within the limits set by the data controller.

(2) The Company declares that during its data processing activities, the data processor does not have the competence to make substantive decisions regarding data management, and must process the personal data known to it only according to the instructions of the data controller, cannot conduct data processing for its own purposes, and must store and maintain the personal data according to the instructions of the data controller.

(3) The Company is responsible for the lawfulness of the instructions given to the data processor regarding data processing operations.

(4) The Company is obliged to provide information to the concerned persons about the person of the data processor, the location of data processing.

(5) The Company does not authorize the data processor to employ additional data processors.

(6) The contract relating to data processing must be in writing. An organization that has an interest in the business use of the data to be processed may not be commissioned for data processing.

Dated, Budapest, May 23, 2018.

An oasis in the heart of downtown – a place where water meets shore, day meets night. In the capital's premier open-air club, you can dance through the nights with a cold cocktail in your hand, under the starry sky, admiring the Danube panorama.

Facebook Instagram Tripadvisor

Sitemap

Budapest, Döbrentei tér 9, 1013

Scroll to Top
BOOK A TABLE