Data protection declaration

1. GENERAL PROVISIONS

The BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz, as the operator of the BalaLand Residence Apartment Hotel, ensures the lawfulness and expediency of the processing of personal data in all cases. The aim of this information is to provide our guests who book accommodation and provide their personal data with adequate information about the conditions and guarantees under which our company processes their data, and for how long, from the period before the booking or the provision of their personal data until the period following their departure. We will abide by the terms of this notice in all cases involving the processing of personal data and we consider ourselves bound by the information contained herein.

However, we reserve the right to change what is described in this unilateral declaration, in which case we will inform the data subjects in advance. The processing of data in our activities is based on voluntary consent and in some cases is necessary to take steps at the request of the data subject prior to the conclusion of the contract.

Our data management practices comply with applicable law, in particular:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”)
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Info. tv.”).

Our company data and contact details are as follows:

Name: BalaLand Residence Kft.

Registered office: 8000 Székesfehérvár, Horváth István u. 14. fsz.

Company registration number: 01-09-332870

Tax number: 26573685-2-41

Telephone number: +3636 534 500

E-mail: info@balalandresidence.hu

1.2. DEFINITIONS

data subject: any natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;

personal data: data which can be associated with the data subject, in particular his or her name, identification mark and one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity, and the inference that can be drawn therefrom concerning him or her;

consent: a voluntary and explicit expression of the data subject’s wishes, based on appropriate information, by which he or she gives his or her unambiguous agreement to the processing of personal data concerning him or her, either in full or in relation to specific operations;

controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or has the data processed by a processor;

data processing: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound recordings or images and physical features which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);

transfer: making data available to a specified third party;

disclosure: making data available to any person;

erasure: making data unrecognisable in such a way that it is no longer possible to recover it;

data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

data processor: a natural or legal person or unincorporated body which processes data on the basis of a contract, including a contract concluded pursuant to a legal provision;

Personal data breach: unlawful processing or handling of personal data, in particular unauthorised access, alteration, disclosure, transmission, disclosure, erasure or destruction, accidental destruction or accidental damage.

The following information is provided in relation to each of our data processing operations.

2. DATA PROCESSING RELATED TO ONLINE BOOKING

We offer online booking to make your reservation at BalaLand Residence Apartmenthotel fast, convenient and free of charge.

The controller of the personal data is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

The purpose of the data processing: to facilitate the booking of accommodation, to make it more cost-effective and efficient.

Legal basis for data processing: prior consent of the person booking the accommodation.

The personal data processed include: address; surname and first name; address (country, postcode, city, street, house number; telephone number; e-mail address; in the case of a company, company name and registered office, bank card number, SZÉP card data (ID, name on the card), gender.

Duration of data processing: two years after the last day of the booked stay.

Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.

Name of Data Processor	Headquarters	Data processing job description
NetHotelBooking Kft.	8200 Veszprém, Boksa tér 1/A	Providing the possibility to book accommodation online through RESnWEB

By accepting this Privacy Notice, the data subject gives his or her explicit consent for the Processor to use additional processors as follows, in order to make the service more convenient and customized:

Name of additional data processor	Headquarters	Data processing job description
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, offers and satisfaction measurements
Hostware Kft.	1149 Budapest, Róna utca 120-122	Performing customer management tasks for the Hostware Front Office hotel system
Triptease Limited	WeWork 3 Waterhouse Square 138-142 Holborn London EC1N 2SW United Kingdom	Online chat function, allowing guests to stay in touch with the hotel and manage their reservations quickly and efficiently
BIG FISH Internet-technológiai Kft.	1066 Budapest, Nyugati tér 1-2	Data communication between the merchant and the payment service provider’s system for payment transactions, ensuring transaction traceability for merchant partners
OTP Mobil Kft.	1093 Budapest, Közraktár u. 30-32.	Handling data communication between the merchant’s system and the payment service provider’s system for payment transactions, providing customer service assistance to users, confirming transactions and fraud monitoring to protect users.
Barion Payment Zrt.	1117 Budapest, Infopark sétány 1. I. épület	Handling data communication between the merchant’s system and the payment service provider’s system for payment transactions, providing customer service assistance to users, confirming transactions and fraud monitoring to protect users.
Creative Management Kft.	8200 Veszprém, Boksa tér 1. A ép.	Szerverhoszting feladatok ellátása

Possible consequences of not providing the data: no contract for the hotel room.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. May exercise their right to data portability. Under the latter right, the data subject has the right to receive personal data concerning him or her in Word or Excel format and the right to have these data transmitted to another controller at his or her request.

Other information about data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has concluded a data processing contract for the data processing tasks, in which NetHotelBooking Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard we also ensure the lawful processing of personal data in the case of the data processor.

3. PROCESSING OF DATA RELATED TO THE REQUEST FOR PROPOSAL

Our company offers the possibility to request an offer electronically. The offer is made by our automated system, subject to availability.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: preliminary information on hotel prices

Legal basis for processing: prior consent of the person booking the accommodation

The scope of personal data processed: address; surname and first name; telephone number; e-mail address; number of guests, gender.

Duration of processing: two years after the last day of the booked stay.

Use of a data processor: our company uses the services of an IT service provider for the operation of the online reservation system as follows

Name of data processor	Headquarters	Data processing job description
NetHotelBooking Kft.	8200 Veszprém, Boksa tér 1/A	Running the Request for Proposals module

By accepting this Privacy Notice, the data subject gives his or her explicit consent for the Processor to use additional processors as follows, in order to make the service more convenient and customized:

Name of additional data processor	Headquarters	Data processing job description
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, offers and satisfaction measurements
Creative Management Kft.	8200 Veszprém, Boksa tér 1. A ép.	server hosting tasks

Possible consequences of not providing the data: the hotel cannot make an offer.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information about data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has concluded a data processing contract for the data processing tasks, in which NetHotelBooking Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard we also ensure the lawful processing of personal data in the case of the data processor.

4. DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTIONS

Our company keeps in touch with its guests by means of a newsletter, to whom it offers its services and informs them about news and promotions related to its operations.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: contacting potential guests

Legal basis for processing: consent of the data subject – GDPR Article 6(1)(a).

Indication of legitimate interest: to maintain and develop business relations with partners and hotel guests

Scope of personal data processed: name, e-mail address

Duration of processing: our company processes e-mail addresses until unsubscription from the newsletter.

Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.

Name of additional data processor	Headquarters	Data processing job description
NetHotelBooking Kft.	8200 Veszprém, Boksa tér 1/A	Newsletter database storage
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A	Operation of a newsletter system

Possible consequences of not providing the data: the data subject will not receive newsletters from our company.

Data subject’s rights: the data subject (the person whose personal data is processed by our company).

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

You can unsubscribe at any time by sending an email to info@balalandresidence.hu or by clicking on the unsubscribe icon in the newsletter. In this case, your e-mail address will be immediately deleted from our database.

Other information about data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which NetHotelBooking Ltd. and Creative Management Ltd. undertake to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard we also ensure the lawful processing of personal data in the case of the data processor.

5. PERSONAL DATA PROCESSING RELATED TO SATISFACTION MEASUREMENT

As a hotel, our aim is to provide our guests with a high quality of service, and we constantly seek feedback from our guests about their experience of their stay at our hotel.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

The purpose of data processing: to request feedback from our guests in order to further develop and improve our services.

Legal basis for data processing: legitimate interest of the hotel operator – GDPR Article 6 (1) (f).

Indication of legitimate interest: our company has a legitimate interest in obtaining information to improve our services based on feedback.

The scope of personal data processed: name, gender, e-mail address.

Duration of processing: two years after the last day of the booked stay.

Use of a data processor: our company uses an IT service provider for the online accommodation system as follows.

Name of additional data processor	Headquarters	Data processing job description
NetHotelBooking Kft.	8200 Veszprém, Boksa tér 1/A	Operation of the satisfaction module

By accepting this Privacy Notice, the data subject gives his or her explicit consent for the Processor to use additional processors as follows, in order to make the service more convenient and customized:

Name of additional data processor	Headquarters	Data processing job description
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails with confirmations, notifications for reservations, offers and satisfaction measurements

Possible consequences of not providing the data: the data subject does not receive a satisfaction questionnaire from our company.

Data subject’s rights: the data subject (the person whose personal data is processed by our company)

1. The data subject (the person whose personal data is processed by our company) may request access to the personal data concerning him or her,
2. The person whose personal data we are processing may request access to his/her personal data and request that it be rectified,
3. request access to his/her personal data, rectification of his/her personal data, request the erasure of his/her personal data,
4. may request, under the conditions set out in Article 18 of the GDPR, the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until a court or public authority requests it, but for a maximum period of thirty days, and that the data are not processed for any other purpose beyond that period),
5. object to the processing of personal data,
6. exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information about data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has concluded a data processing contract for the data processing tasks, in which NetHotelBooking Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard we also ensure the lawful processing of personal data in the case of the data processor.

6. COOKIE MANAGEMENT

In order to provide a personalised service, the Data Controller places a small data package, a so-called cookie, on the user’s computer and reads it back during a subsequent visit. If the browser returns a previously saved cookie, the cookie management service provider has the possibility to link the user’s current visit to previous visits, but only in relation to its own content.

The purpose of data processing is: to identify, track and distinguish users, to identify users’ current session, to store the data provided during the session, to prevent data loss, to measure web analytics, to provide personalized service.

Legal basis for processing: consent of the data subject.

Data processed: ID number, date, time and the page previously visited.

Duration of processing: maximum 90 days

Name of additional data processor	Headquarters	Data processing job description
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A	Website operation

Additional information on data management: the user can delete the cookie from his/her computer or disable the use of cookies in his/her browser. The cookie management is usually available in the Tools/Preferences menu of browsers under Privacy/Preferences/Custom Settings, under the menu item Cookie, Cookie or Tracking.

Possible consequences of not providing the data: inability to use the service for the services described in points 2 to 5 above.

Our company has concluded a data processing contract for the data processing tasks, in which Creative Management Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and to this end we also ensure the lawful processing of personal data in the case of the data processor.

7. WEBSITE SERVER LOGGING

When visiting the balalandresidence.hu website, the web server automatically logs the user’s activity.

The purpose of data management: during the visit of the website, the service provider records the visitor’s data in order to monitor the operation of the services and to prevent abuse.

Legal basis for processing: article 6 (1) (f) of the GDPR. Our company has a legitimate interest in the secure operation of the website.

Type of personal data processed: ID number, date, time, address of the page visited.

Duration of processing: up to 90 days.

Name of additional data processor	Headquarters	Data processing job description
NetHotelBooking Kft.	8200 Veszprém, Boksa tér 1/A	Recording visitor data and information necessary for the operation of the server
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A	Website management

Additional information: our company does not link the data obtained from the analysis of log files with other information and does not seek to identify the user. The address of the pages visited, as well as the date and time of the visit, are not in themselves suitable for identifying the data subject, but when combined with other data (e.g. data provided during registration) they can be used to draw conclusions about the user.

Logging-related data management by external service providers:

The html code of the portal contains links from and to an external server that is independent of our company. The external provider’s server is directly connected to the user’s computer. Please note that the providers of these links are able to collect user data (e.g. IP address, browser, operating system data, mouse cursor movement, visited page address and time of visit) due to the direct connection to their server, direct communication with the user’s browser. An IP address is a sequence of numbers that uniquely identifies the computers or mobile devices of users accessing the Internet.

IP addresses can even be used to geolocate the visitor using a particular computer. The address of the pages visited, as well as the date and time of the visit, are not in themselves suitable for identifying the data subject, but when combined with other data (e.g. data provided during registration) they can be used to draw conclusions about the user.

8. PROCESSING OF DATA ON THE NOTIFICATION FORM

The hotel will ask guests to fill in a registration form when they check in, which will contain their personal data. The data on the registration form is stored in the hotel software and on paper.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

The purpose of the data processing: contact during the guest’s stay at the hotel, contact after departure, sending birthday greetings, distinguishing guests, assisting with the registration of tourist tax, managing the frequent guest programme, the required obligation.

Legal basis for processing: consent of the data subject – Article 6(1)(a) GDPR.

Personal data processed: name, e-mail address, telephone number, date of birth, address, registration number, room number, date of arrival and departure, details of accompanying persons, newsletter subscription, method of payment.

Duration of data processing: on the registration form, the guest gives his/her consent to the storage of personal data, which will be stored by the hotel for 8 years from the date of consent.

Use of data processor: Fidelio V8 hotel software

Name of additional data processor	Headquarters	Data processing job description
HRS Magyarország | Hospitality and Retail Systems	1138 Budapest, Madarász Viktor u. 47-49.	Storage of guest data

Possible consequences of not providing the data: the person concerned cannot collect their hotel room.

Data subject’s rights: the data subject (the person whose personal data is processed by our company)

1. The data subject (the person whose personal data are processed by the data controller) may request access to the personal data concerning him or her,
2. The person whose personal data we hold may request access to his/her personal data and request that it be rectified,
3. request the access to his/her personal data, the right to rectification, the right to request the erasure of his/her personal data,
4. may request, under the conditions set out in Article 18 of the GDPR, the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until a court or public authority requests it, but for a maximum period of thirty days, and that the data are not processed for any other purpose beyond that period),
5. object to the processing of personal data,
6. exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which HRS Hungary Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard we also ensure the lawful processing of personal data in the case of the data processor.

9. PROCESSING OF DATA RELATING TO THE PURCHASE OF GIFT VOUCHERS

The hotel sells gift vouchers, and in the course of the sale, the data of the customer and the gift recipient are stored.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: contacting the customer, sending the gift voucher to the customer.

Indication of legitimate interest: purchase of a gift voucher

Scope of the personal data processed: name, e-mail address, telephone number, address, name of the recipient, serial number of the gift voucher

The duration of the processing: is two years from the last day of validity of the gift voucher.

The use of a data processor: the hotel’s own server.

Name of additional data processor	Headquarters	Data processing job description
Átme-net Kft.	3300 Eger, Baktai u. 8.	Maintenance of your own server

Possible consequences of not providing the data: the person concerned cannot purchase the gift voucher.

Data subject’s rights: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

10. PROCESSING OF DATA RELATING TO ROOM RESERVATIONS BY TELEPHONE

The hotel also sells its rooms by telephone, after which it requests written orders from guests.The hotel records reservations made by telephone in its hotel software together with the data of the person making the reservation.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: recording the room reservation.

Legal basis for processing: consent of the data subject – GDPR Article 6(1)(a).

Personal data processed: name, telephone number, email address.

Duration of processing: the data will be stored by the hotel for 8 years from the date of consent.

Use of a data processor:

Name of additional data processor	Headquarters	Data processing job description
HRS Magyarország | Hospitality and Retail Systems	1138 Budapest, Madarász Viktor u. 47-49.	Storage of guest data

Possible consequences of not providing the data: the reservation will not be made.

Data subject rights: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which HRS Hungary Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract, including the lawful processing of personal data by the data processor, in the event of the use of an additional data processor.

11. PROCESSING OF DATA RELATING TO FOUND OBJECTS

The hotel keeps a record of objects found in rooms and common areas after the departure of guests.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: record of found objects, notification of guests, return of found objects

Legal basis for processing: consent of the data subject – GDPR Article 6 (1) (a).

Scope of personal data processed: room number, name, name of found object, date

Duration of data processing: the hotel keeps the found objects for 6 months, so the data will be kept for 6 months from the date of listing. If the found object is taken over by the owner, the data will be deleted.

Use of a data processor: the data is stored on the hotel’s own server.

Name of additional data processor	Headquarters	Data processing job description
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A.	Maintaining your own server

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing, in order to monitor the measures taken and to inform the data subject.

12. DATA PROCESSING IN RELATION TO DIVESTMENT

The email addresses used by the data controller to contact guests and interested parties.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: contact with guests

Legal basis for processing: consent of the data subject – GDPR Article 6(1)(a).

Scope of personal data processed: name, email address, content of correspondence.

Duration of processing: 5 years

Use of a data processor:

Name of additional data processor	Headquarters	Data processing job description
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A.	Providing online hosting
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A.	Maintenance of mail software on workstations

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has concluded a data processing contract for the data processing tasks, in which Átme-Net Kft+ Creative Management Kft. undertakes to apply the data protection and data management guarantees provided for in the data processing contract, including the lawful processing of personal data by the data processor, in the event of the use of an additional data processor.

13. PROCESSING OF DATA DURING PAYMENT:

Guests can pay by cash, gift voucher, SZÉP card, Erzsébet voucher or credit card.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: issuing an invoice for the service used

Legal basis for processing: voluntary consent of the data subject

Scope of personal data processed: name and address of the person who issued the invoice, list of services, total amount, method of payment, date of invoice, time of invoice execution

Duration of processing: 8 years

Use of a data processor:

Name of additional data processor	Headquarters	Data processing job description
Budapest Bank	1138 Budapest, Váci út 193.	In the case of payment by bank card, ID, amount, date

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

14. ELECTRONIC MONITORING SYSTEM

The BalaLand Residence Apartment Hotel has security cameras on the premises.

The hotel’s park, car park, indoor public areas and service areas are all equipped with CCTV. Only designated persons are authorised to view and access the camera recordings.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

The purpose of the data processing: to promote the safety of guests and staff, to protect the values, to prove violations, to clarify disputes.

Legal basis for data processing: voluntary consent of the data subject by entering the premises.

Duration of processing: 30 days at reception and in the service areas, 3 days in areas other than the above.

Name of additional data processor	Headquarters	Data processing job description
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A.	Maintenance of the camera system

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which Creative Management Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract, including the lawful processing of personal data by the data processor, in the event of the use of an additional data processor.

15. PROCESSING OF DATA RELATED TO COUPON SALES

Our company offers the possibility to purchase gift vouchers with a pre-booking discount, whereby we store data.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: sale of discounted gift vouchers

The scope of the personal data processed: address; surname and first name; address (country, postal code, city, street, house number; telephone number; e-mail address; in the case of a company, company name and registered office, bank card number, SZÉP card data (ID, name on the card), gender, gift voucher number.

Duration of processing: two years after the expiry of the gift voucher or the last day of the stay.

Use of a data processor:

Name of additional data processor	Headquarters	Data processing job description
NetHotelBooking Kft.	8200 Veszprém, Boksa tér 1/A.	The RESnWEB system allows guests to purchase gift vouchers for a fixed date.
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A.	Operation of a sub-page on the www.balalandresidence.hu website containing the discount offer

Possible consequences of not providing the data: no contract for the gift voucher.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

1. may request access to personal data concerning him or her,
2. request the rectification of personal data,
3. request their deletion,
4. request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. object to the processing of personal data,
6. exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which NetHotelBooking Ltd. and Creative Management Ltd. undertake to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard we also ensure the lawful processing of personal data in the case of the data processor.

16. PROCESSING OF DATA RELATING TO THE SALE OF COUPONS THROUGH AN INTERMEDIARY

Our company has a contractual relationship with PK Travel Kft., which sells gift vouchers on Maiutazas.hu, and offers the possibility to purchase gift vouchers with a pre-booking discount. PK Travel Kft. provides the hotel with the guest data.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of data processing: identification of guests who purchase discount gift vouchers.

Legal basis for processing: prior consent of the person booking the gift voucher.

Personal data processed: address; surname and first name; address (country, postal code, city, street, house number; telephone number; e-mail address; in the case of a company, company name and registered office, gender, voucher number.

Duration of data processing: 5 years

Use of a data processor:

Name of additional data processor	Headquarters	Data processing job description
PK Travel Kft.	1055 Budapest, Stollár Béla u. 22.	It sells gift vouchers via maiutazas.hu.

Possible consequences of not providing the data: no contract for the gift voucher.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

Our company has entered into a data processing contract for data processing tasks, in which Pk Travel Ltd. undertakes to apply the data protection and data management guarantees provided for in the data processing contract in the event of the use of an additional data processor, and in this regard, we also ensure the lawful processing of personal data in the case of the data processor.

17. DATA PROCESSING IN CONNECTION WITH GROUP BOOKINGS AND CORPORATE EVENTS

The BalaLand Residence Apartmanhotel also offers the possibility of group bookings and the organisation of events, in connection with which personal data is stored.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

Purpose of the data processing: booking accommodation for groups and organizing events, identification of guests, event management

Legal basis for data processing: prior consent of the person booking the group reservation or event.

Personal data processed: company name, tax number and registered office, name, telephone number, email address of the person making the booking, names, date of birth, registration number of the participants, list of services ordered in the confirmation and offer.

Duration of processing: 5 years after the last day of the booked stay.

Use of a data processor: it is recorded on the hotel’s own server.

Name of additional data processor	Headquarters	Data processing job description
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A.	Maintaining your own server

Possible consequences of not providing the data: no contract for the event or group booking.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

18. PROCESSING OF PHOTOGRAPHS AND VIDEOS

BalaLand Residence takes photos and videos for marketing purposes.

The controller of the personal data: is BalaLand Residence Kft., 8000 Székesfehérvár, Horváth István u. 14. fsz

The purpose of the data processing: to help the hotel’s sales, to arouse the interest of potential guests.

Legal basis for processing: prior consent of the data subject.

The scope of personal data processed: guests, staff, pictures, videos and audio recordings of models.

Duration of processing: 100 years

Use of a data processor: data is recorded on the hotel’s own server.

Name of additional data processor	Headquarters	Data processing job description
Creative Management Kft.	8200 Veszprém, Boksa tér 1/A.	Maintaining your own server

Possible consequences of not providing the data: the recordings may not be made.

Rights of the data subject: the data subject (the person whose personal data is processed by our company)

1. May request access to personal data concerning him or her,
2. Request the rectification of personal data,
3. Request their deletion,
4. Request the restriction of the processing of personal data (i.e. that our company does not delete or destroy the data until requested by a court or public authority, but for a maximum period of thirty days, and that the data is not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
5. Object to the processing of personal data,
6. Exercise the right to data portability. Pursuant to the latter right, the data subject is entitled to receive personal data concerning him or her in Word or Excel format and to have these data transmitted to another controller at his or her request.

Other information on data management: our company takes all necessary technical and organisational measures to avoid a possible data breach (e.g. damage, loss, unauthorised access to files containing personal data). In the event of an incident, we will keep a record of the personal data concerned, the number and type of data subjects affected by the incident, the date, circumstances and effects of the incident, the measures taken to remedy the incident and other information required by the law governing the processing.

19. OTHER DATA PROCESSING

We will provide information about any processing not listed in this notice at the time of collection. We inform our customers that certain authorities, public bodies and courts may contact our company for the purpose of disclosing personal data. Our company will disclose personal data to these bodies only to the extent and to the extent strictly necessary for the purpose of the request and to the extent that the execution of the request is required by law, provided that the body concerned has indicated the exact purpose and scope of the data.

20. HOW PERSONAL DATA ARE STORED, SECURITY OF PROCESSING

Our company’s computer systems and other data storage locations are located on the premises and on servers rented by the data processor. Our company selects and operates the IT tools used to process personal data in the course of providing the service in such a way that the data processed:

1. a) accessible to authorised persons (availability);
2. b) its authenticity and authenticity are assured (authenticity of processing);

(c) its integrity can be verified (data integrity);

1. d) protected against unauthorised access (data confidentiality)

We take particular care to ensure data security, and we take the technical and organisational measures and establish the procedural rules necessary to enforce the guarantees under the GDPR. In particular, we take appropriate measures to protect the data against unauthorised access, alteration, disclosure, disclosure, erasure or destruction, accidental destruction or accidental damage, and against inaccessibility resulting from changes in the technology used.

Our company and our partners’ IT systems and networks are protected against computer fraud, computer viruses, computer intrusions and denial of service attacks. The operator ensures security through both server-level and application-level protection procedures. Daily data backup is provided. To avoid data breaches, our company takes all possible measures, and in the event of such an incident, we take immediate action to minimise the risks and repair the damage, in accordance with our incident management policy.

21. RIGHTS OF DATA SUBJECTS, REMEDIES

The data subject may request information about the processing of his or her personal data, and may request the rectification, erasure or withdrawal of his or her personal data, except for mandatory data processing, and may exercise his or her right to data portability and objection in the manner indicated when the data were collected or by contacting the controller at the above contact details.

At the data subject’s request, information will be provided in electronic form without delay and within 30 days at the latest, in accordance with our applicable policies. Requests by data subjects to exercise the rights set out below will be granted free of charge.

Right to information:

We will take appropriate measures to provide data subjects with all the information referred to in Articles 13 and 14 of the GDPR and each of the disclosures referred to in Articles 15 to 22 and 34 of the GDPR concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, but in a precise manner.

The right to information may be exercised in writing using the contact details provided in point 1. The data subject may also be provided with information orally at his or her request, after verification of his or her identity. We inform our customers that if our company’s employees have doubts about the identity of the data subject, we may request the information necessary to confirm the identity of the data subject.

The right of access of the data subject:

The data subject has the right to receive feedback from the controller on whether his or her personal data are being processed. Where personal data are being processed, the data subject has the right to obtain access to the personal data and the following information listed below.

• Purposes of the processing;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries (outside the European Union) and international organisations;
• The envisaged duration of the storage of the personal data;
• The right to rectification, erasure or restriction of processing and the right to object;
• The right to lodge a complaint with a supervisory authority;
• Information on the sources of the data; the fact of automated decision-making, including profiling, and clear information on the logic used and the significance of such processing and its likely consequences for the data subject.

In addition to the above, where personal data are transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer.

Right to rectification:

Under this right, any person may request the rectification of inaccurate personal data relating to him or her processed by our company and the completion of incomplete data.

Right to erasure:

The data subject shall have the right to obtain, upon his or her request, the erasure of personal data relating to him or her without undue delay where one of the following grounds applies:

1. The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2. The data subject withdraws his or her consent on the basis of which the data are processed and there is no other legal basis for the processing;
3. The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
4. Unlawful processing of personal data can be established;
5. The personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
6. The personal data have been collected in connection with the provision of information society services.

The erasure of data cannot be initiated if the processing is necessary for the following purposes:

1. to exercise the right to freedom of expression and information;
2. for the purposes of complying with an obligation under Union or Member State law to which the controller is subject to which the processing of personal data is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for archiving purposes, scientific and historical research purposes or statistical purposes in the public interest in the field of public health;
4. or for the establishment, exercise or defence of legal claims.

Right to restriction of processing:

We restrict processing at the request of the data subject in the circumstances set out in Article 18 of the GDPR, i.e. if:

1. the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the accuracy of the personal data to be verified;
2. the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use
3. the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
4. the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.

Where processing is restricted, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the European Union or of a Member State. The data subject shall be informed in advance of the lifting of the restriction on processing.

Right to data retention:

The data subject has the right to obtain the personal data concerning him or her that he or she has provided to the controller in a structured, commonly used, machine-readable format and to transmit these data to another controller. Our company can fulfil such a request in word or excel format.

Right to object:

Where personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for those purposes.

Automated decision-making on individual cases, including profiling:

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply where the processing

1. necessary for the conclusion or performance of a contract between the data subject and the controller;
2. is permitted by Union or Member State law applicable to the controller, which safeguards the rights and freedoms and legitimate interests of the data subject
3. rights of the data subject; or
4. is based on the explicit consent of the data subject.

Right of withdrawal:

The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.

Rules of Procedure:

Without undue delay and in any event within one month of receipt of the request, the controller shall inform the data subject of the action taken in response to the request pursuant to Articles 15 to 22 of the GDPR. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The controller shall inform the data subject of the extension, stating the reasons for the delay, within one month of receipt of the request.

If the data subject has made the request by electronic means, the information will be provided by electronic means unless the data subject requests otherwise.

If the controller does not act on the data subject’s request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the non-action and of the right to lodge a complaint with the supervisory authority and to seek judicial remedy.

The controller shall inform any recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients.

Compensation and damages:

Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the GDPR is entitled to compensation from the controller or processor for the damage suffered. The processor shall be liable for damage caused by the processing only if it has failed to comply with the obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the controller. Where more than one controller or more than one processor, or both controller and processor, are involved in the same processing and are liable for the damage caused by the processing, each controller or processor shall be jointly and severally liable for the total damage.

The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to apply to the courts and data protection authority procedure:

The data subject may take the controller to court in the event of a breach of his or her rights. The court will rule on the case out of turn.

A complaint can be lodged with the National Authority for Data Protection and Freedom of Information.

The Authority’s address: is 22/C Szilágyi Erzsébet fasor, 1125 Budapest, Hungary, and its postal address is 1530 Budapest, PO Box 5.

Phone: +36-1-391.1400

E-mail: ugyfelszolgalat@naih.hu