Data management information
Aquamed Hotel Harkány
1) Regarding price quotes and bookings, invoicing, and guest management record keeping.
This information informs the guest about the quotes and their preparation, as well as the personal data handled during bookings and invoicing, in accordance with Articles 13 and 14 of the European Parliament and Council Regulation (EU) 2016/679 (GDPR).
The data controller and their contact details:
- Data controller name: Zagore Property Zrt.
- Address: 1211 Budapest, Színesfém u. 10. 1.
- Phone number: +36 72 520 810
- Email adress: titkarsag@aquamedhotel.hu
- Website: https://hotelaquamed.hu/
2) The handling of the concerned data:
2.1. Scope of those concerned.
The data controller processes the personal data of the following natural persons (hereinafter: Guests) during the quotation process.
2.2. Categories of processed personal data.
The Data Controller processes the following personal data of the Data Subject during the price quotation:
- first and last name
- email address
- phone number
- age
- nationality
- adress
- identification document number
- service requirements.
The processed personal data is provided to the Data Controller by the guest via phone, email, in person, or in writing (contract, notification form). The Data Controller obtains the processed data from additional sources: travel agencies, booking systems.
2.3. The purpose and legal basis of data processing.
2.3.1. Preparation, conclusion, and fulfillment of the contract for accommodation and related services. To provide the services stipulated in the contract, personal data related to the room reservation is processed to ensure that the Data Controller can monitor the fulfillment of this contractual obligation, to determine the amount of the fee personal data is analyzed, to identify the guest based on personal data, to ensure communication, and for monitoring from a marketing perspective.
The duration of this data processing corresponds to the preparation of the contract and, in case of signing, the duration of the contract.
Considering that without providing the above personal data, the Data Controller cannot prepare, conclude and fulfill the contract, the Guest is obliged to provide personal data to the Data Controller. In case of failure to provide data, the Data Controller is entitled to refuse to conclude the contract with the guest or to fulfill the Contract. In the event of non-conclusion of the contract or termination of the Contract, the Data Controller will not delete the personal data but will retain it for the purpose and legal basis specified in point 2.3.5. Exceptions are those data that are no longer necessary for the purposes specified in point 2.3.5 and will be deleted upon the failure of the contract conclusion or termination of the contractual relationship.
2.3.2. Fulfillment of legal obligations
The Data Controller processes the Guests' data for the following legal obligations: - maintaining a guest book regarding third country nationals staying at the accommodation, in accordance with Section 73 (2) of Act II of 2007 on the entry and stay of third country nationals - local government regulations on tourism tax - Section 169 (2) of Act C of 2000 on accounting, which states that "(an) accounting document supporting the bookkeeping directly and indirectly (including the general ledger accounts, analytical or detailed records) must be retained in a readable form, in a way that can be retrieved based on references to accounting records, for at least 8 years."
2.3.3. Data Controller and the legitimate interests of third parties
The hotel operates a camera system in the lobby bar guest area and in the reception foyer, at the entrance of the conference room, in the parking lots, and at the outdoor beach exit for the following purpose: - The legitimate interest of the Data Controller in ensuring personal and property protection in the areas open to Guests. Legal basis: Act CXXXIII of 2005. The exact placement of the cameras:
- lobby bar 2
- reception 3
- outdoor beach exit 1
- wellness entrance 1
- parking lots 2
- conference foyer 1
Preservation of recordings: 3 days after the recording.
2.3.4. The Guests' Contributiona
The processing of personal data is based on the Guest's consent, which is voluntary, based on specific and adequate information, and a clear expression of intent. The consent is given separately from other declarations in the offer or contract aimed at providing accommodation, catering, and other services. The consent is voluntary. The Guest has the right to withdraw their consent at any time, without limitation, by notifying the Data Controller. The Guest can send the notification to the contact address specified in point 1 of the Information Document. The withdrawal of consent has no consequences for the Guest. However, the withdrawal of consent does not affect the lawfulness of the data processing performed based on the consent before the withdrawal, as stipulated in legal regulations.
2.3.5. Presentation, enforcement, and protection of legal claims arising from the Contract The Buyer’s personal data that are not deleted after the failure of the contract conclusion or the termination of the Contract shall be stored by the Data Controller for a period of five years following the failure of the contract conclusion or the termination of the Contract, in accordance with the general statute of limitations rules of Act V of 2013 on the Civil Code.
3) Recipients of personal data
The Data Controller forwards the personal data of Guests to the following organizations: - Zagore Property Zrt. server management support provider - Immigration Office data processor - Hostware Kft. hotel integrated IT system support provider - MorgensDesigne Kft. email hosting data processor.
4) The Rights of the Guest
4.1. The right to access
The Guest is entitled to receive feedback from the Data Controller regarding whether their personal data is being processed, and if such processing is ongoing, they are entitled to access their personal data and the following information:
4.1.1. the purpose of data processing in relation to the given personal data,
4.1.2. the categories of personal data concerned,
4.1.3. the categories of recipients to whom the Guest's personal data has been disclosed or will be disclosed, 4.1.4. the planned duration of storage of the personal data concerned, or, if this is not possible, the criteria for determining this duration,
4.1.5. The rights of the Guest as a data subject, such as the right to rectification, erasure or restriction, the right to data portability, and the right to object to the processing of such personal data,
4.1.6. the right to submit to any supervisory authority,
4.1.7. If the data is not obtained from the Guest by the Data Controller, then all available information regarding the source must be provided. If the Data Subject submits their request electronically, the requested information must be made available in a widely used electronic format, unless the Guest requests otherwise. The Data Controller may request clarification of the content, as well as specific identification of the requested information or data processing activities, from the Guest before fulfilling the request. If the Guest's right of access under this section adversely affects the rights and freedoms of others, especially the business secrets or intellectual property of others, the Data Controller is entitled to refuse to fulfill the Guest's request to the necessary and proportional extent. In the case that the Guest requests the above information in multiple copies, the Data Controller is entitled to charge a fee proportionate to the administrative costs of preparing the additional copies that is reasonable. If the Data Controller does not process the personal data indicated by the Guest, they are also obliged to inform the Guest in writing.
4.2. The right to rectification
The guest is entitled to request the rectification of personal data concerning them. If the personal data relating to the guest is incomplete, the guest is entitled to request the completion of personal data. When exercising the right related to rectification/completion, the data subject is obliged to specify which data is inaccurate or incomplete, and is also required to inform the Data Controller about the accurate and complete data. The Data Controller is entitled to remind the guest, in justified cases, that they must prove the rectified data appropriately – primarily with documentation – to the Data Controller.
4.3. The right to erasure (“the right to be forgotten”)
The Guest is entitled to request that the Data Controller delete their personal data without undue delay if any of the following reasons apply:
4.3.1.The personal data specified by the Guest is not necessary for the purpose for which the Data Controller collected or otherwise processed it,
4.3.2.The Data Controller processed the personal data based on the Guest's consent, the Guest has revoked their consent in writing, and there is no other legal basis for the data processing.
4.3.3. The Guest objects to the data processing based on the Data Controller's legitimate interest, and there is no compelling legitimate reason for the Data Controller that takes precedence over the interests, rights, and freedoms of the Guest, or that relates to the submission, enforcement, or defense of legal claims,
4.3.4. the Data Controller processed the personal data unlawfully,
4.3.5. The data managed by the Data Controller must be deleted to fulfill the legal obligations set out in applicable EU or national law applicable to the Data Controller.
4.3.6. The Guest protests against data processing and there is no overriding reason for the data processing. The Guest is required to submit their request for deletion in writing and must specify which personal data they wish to have deleted and for what reason. Following the fulfillment of the Guest's request to exercise their right to deletion, the Data Controller shall promptly inform the Guest, the other Data Controllers, and those individuals with whom the personal data has been shared, provided that this is not impossible or does not require disproportionate effort from the Data Controller. Upon the Guest's request, the Data Controller shall inform them about these recipients. The Data Controller is not obliged to delete personal data if the data processing is necessary:
4.3.7. to fulfill the obligation to process personal data imposed on the Data Controller by Hungarian or European Union legislation,
4.3.8. for the submission, enforcement, or defense of legal claims.
4.4. The right to restrict the processing of data
The Guest is entitled to request that the data controller restrict the processing and use of their personal data if any of the following reasons apply:
4.4.1. If the Guest disputes the accuracy of personal data, the restriction shall last until the Data Controller verifies the accuracy of the data,
4.4.2. the Data Controller processed the personal data unlawfully, but the Guest requested a restriction instead of deletion,
4.4.3. the purpose of data processing for the Data Controller has ceased, but the Guest requires them for the submission and enforcement of legal claims,
4.4.4. The Guest objects to the data processing based on the legitimate interest of the Data Controller and there is no compelling legitimate reason for the Data Controller that takes precedence over the interests, rights, and freedoms of the Guest, or which relates to the presentation, enforcement, or defense of legal claims. In this case, the restriction shall remain in effect until it is established whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the Guest. In the case of a restriction, personal data may only be processed, except for storage, with the consent of the Guest or for the purposes of presenting, enforcing, or defending legal claims, or for the protection of the rights of another natural or legal person, or for important public interest of the European Union or any of its member states. The Data Controller shall inform the Guest in advance about the lifting of the restriction on data processing.
4.5. The right to protest
If the processing of the guest's data is based on legitimate interests on the part of the data controller, it is important to provide adequate guarantees that the guest must be informed appropriately about the data processing and must have the right to object. This right should be specifically brought to the attention of the guest during the initial contact. After the guest's objection, the data controller may not further process the guest's personal data, unless it can be proven that
4.5.1. The data processing is justified by compelling legitimate reasons on the part of the Data Controller, which take precedence over the interests, rights, and freedoms of the Guest,
4.5.2. Data processing is related to the presentation, enforcement, or defense of the Data Controller's legal claims. The Guest has the right to object to the processing of their personal data for this purpose in the case of direct marketing (direct business acquisition) conducted by the Data Controller. Unlike data processing based on other legitimate interests, the Data Controller cannot consider whether it can continue processing the data if the Guest objects. If the Guest objects to the data processing for direct marketing purposes, the Data Controller can no longer process the data for this purpose.
4.6. The right to data portability
The Guest is entitled to receive the personal data concerning them, which is processed by the Data Controller, in a structured, commonly used, and machine-readable format, and is also entitled to transmit that data to another data controller without the Data Controller hindering this. Regarding data portability, the Data Controller is obliged to provide the Guest with the data carrier free of charge. Measures taken regarding data portability do not entail the deletion of data; the Data Controller will retain the data as long as they have a legitimate purpose and legal basis.
4.7. Right to appeal
4.7.1. Right to file a complaint
If the Guest deems that the processing of their personal data by the Data Controller violates the applicable data protection laws, particularly the provisions of the GDPR, they have the right to file a complaint with the National Authority for Data Protection and Freedom of Information.
Contact information:
- website: http//naih.hu,
- e-mail: ugyfelszolgalat@naih.hu
- address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
- postal address: 1530 Budapest, Pf.:5
- phone number: +36 1 391 1400
- Fax: +36 1 391 1410
4.7.2. A bírósághoz fordulás joga
The Guest may turn to court regardless of their right to lodge a complaint if their rights under the GDPR have been violated during the processing of their personal data. A lawsuit can be filed against the Data Controller, as a data controller with a domestic place of activity, before a Hungarian court. According to the current Information Act, a lawsuit may also be filed before the court of the place of residence according to Section 22 (1) of the Act.
4.7.3. Other options for enforcing claims
The Guest has the right to commission a nonprofit organization or association established in accordance with the laws of an EU member state, with the aim of serving the public interest and ensuring the protection of the rights and freedoms of those concerned regarding personal data, to seek judicial review of the decision of the supervisory authority, to initiate legal proceedings, and to enforce their right to compensation.
The Data Controller reserves the right to modify the Information at any time. The modifications will be communicated to the Data Subjects by publishing them on the website.
RoomSome Booking Engine online booking and offer system
| Name of data processing activity: | Online booking |
| The name of the data controller: | Zagore Property Zrt. |
| The contact information of the data controller: | Adress: 1211 Budapest, Színesfém u. 10. 1. |
| The purpose of data management: | simplifying the room booking process, making online reservations seamless and more convenient |
| The legal basis for data processing: | the explicit and voluntary prior consent of the person initiating the online booking |
| The designation of the personal data processed: |
The personal data of the person making the reservation is as follows: - name - email address - phone number - address (country, postal code, city, street, house number) - IP address (online identifier) |
| The intended duration of the processing of personal data: | until the withdrawal of consent |
| The necessity of the personal data provided by the concerned individual: | the online room booking process initiated by the affected party, as well as the execution of the transaction in the case of online payment |
| It is necessary to involve data processors for data management activities. | yes |
| The name of the data processor: | MORGENS Design Kft. |
| The address of the data processor: | 8800 Nagykanizsa, Magyar utca 79. |
| The purpose of data processing carried out on behalf of the data controller is: | the operation of the online reservation module on the server of Tárhely.Eu Szolgáltató Kft. (1144 Budapest, Ormánság street 4. 10th floor 241.), the storage of incoming online reservations in a closed system, enabling the confirmation of bookings. |
| The name of the data processor: | Rocket Science Group |
| The address of the data processor: | 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 |
| The purpose of data processing carried out on behalf of the data controller is: | providing the electronic mail sending function through the Mandrill software for recording online bookings, preparing confirmations, and using the guest review function. |
| The name of the data processor: | PayPal (Europe) S.à.r.l. et Cie, S.C.A. |
| The address of the data processor: | 22-24 Boulevard Royal, L-2449 Luxemburg |
| The purpose of data processing carried out on behalf of the data controller is: | Ensuring the execution of the data communication required for the online payment transaction between Zagore Property Zrt. and the electronic system of the payment service provider operating the PayPal online payment system, confirming the status of the transaction |
| The name of the data processor: | Barion Payment Zrt. |
| The address of the data processor: | 1117 Budapest, Irinyi József utca 4-20. 2. emelet |
| The purpose of data processing carried out on behalf of the data controller is: | Ensuring the execution of the data communication required for the online payment transaction between Zagore Property Zrt. and the electronic system of the payment service provider operating the Barion online payment system, confirming the status of the transaction |
| Name of data processing activity: | Online quote request |
| The name of the data controller: | Zagore Property Zrt. |
| The contact information of the data controller: | 1211 Budapest, Színesfém u. 10. 1. |
| The purpose of data management: | simplifying the procurement process without obligations, the visibility of personalized offers prepared by the data controller |
| The legal basis for data processing: | the explicit and voluntary prior consent of the person initiating the online request for quotation |
| The designation of the personal data processed: |
The personal data of the requester is as follows: - name - email address - phone number - address (country, postal code, city, street, house number) - IP address (online identifier) |
| The intended duration of the processing of personal data: | until the withdrawal of consent |
| The necessity of the personal data provided by the concerned individual: | the implementation of the online request for proposals initiated by the interested party, ensuring the seamlessness, efficiency, and speed of the subsequent online booking process if the proposal is compliant |
| It is necessary to involve data processors for data management activities: | yes |
| The name of the data processor: | MORGENS Design Kft. |
| The address of the data processor: | 8800 Nagykanizsa, Magyar utca 79. |
| The purpose of data processing carried out on behalf of the data controller is: | the operation of the online quote request module on the server of Tárhely.Eu Szolgáltató Kft. (1144 Budapest, Ormánság utca 4. 10th floor 241.), the storage of incoming online quote requests in a closed system, enabling the response to quote requests |
| The name of the data processor: | Rocket Science Group |
| The address of the data processor: | 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 |
| The purpose of data processing carried out on behalf of the data controller is: | providing the email sending function through the Mandrill software for recording online quote requests, preparing the quote, and its validity |
| Recipients of the data: | The business; the employees of the business; the fulfillment of the contract – including the enforcement of rights arising from the contract – for this purpose authorized persons; |
| Data transfer to a third country or international organization: | THERE IS |
| Automated decision-making / profiling: | NOTHING |
| The rights of the affected parties: | The affected person may request access to their personal data from the data controller, the correction, deletion, or restriction of processing of such data, may object to the processing of such personal data, and has the right to data portability. In the case of data processing based on consent, the right to withdraw consent at any time, which does not affect the lawfulness of the processing carried out on the basis of consent before the withdrawal. |
| Possible consequences of failing to provide data: | the affected person cannot take advantage of the services provided by the business |
| Complaint to the supervisory authority: | It can be submitted according to the provisions of the Data Processing Information and Data Processing Regulations. Any questions, comments, or issues related to data processing can be directed to the Data Controller using the contact details provided above. In case of violation of the rights of the data subject, they may go to court. The data subject can also lodge a complaint regarding data processing directly with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa Street 9-11; phone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu). |
Data related to newsletter service
| Name of data processing activity: | Newsletter subscription |
| The name of the data controller: | Zagore Property Zrt. |
| The contact information of the data controller: | 1211 Budapest, Színesfém u. 10. 1. |
| The purpose of data management: | Communication, information |
| The legal basis for data processing: | the express and voluntary prior consent of the person initiating the newsletter subscription |
| The designation of the personal data processed: |
Personal data processed for newsletter subscription as follows: - Subscriber's name - Subscriber's email address - Subscriber's IP address (online identifier) - Date of subscription - Source of subscription - Subscription status - Date of subscription status |
| The intended duration of the processing of personal data: | until the withdrawal of consent, until unsubscribing from the newsletter |
| The necessity of the personal data provided by the concerned individual: | the opportunity to learn about the highlighted offers of accommodations relevant to the interested party, current programs, and potential information gathering regarding unique promotions |
| It is necessary to involve data processors for data management activities: | yes |
| The name of the data processor: | MORGENS Design Kft. |
| The address of the data processor: | 8800 Nagykanizsa, Magyar utca 79. |
| The purpose of data processing carried out on behalf of the data controller | The provision of space for the Zadír MailR system, which is closed, online, and protected by an ID and password on the server of Tárhely.Eu Szolgáltató Kft. (1144 Budapest, Ormánság utca 4. X. floor 241.) for the data controller for the purpose of sending newsletters, according to the access account defined by them. |
| The name of the data processor: | Mailgun Technologies, Inc. |
| The address of the data processor: | 535 Mission St., 14th Floor San Francisco, California 94105 |
| The purpose of data processing carried out on behalf of the data controller | providing electronic mail sending functionality for newsletter sending through the Mailgun Technologies, Inc. mailing servers |
| The name of the data processor: | ActiveCampaign, LLC |
| The address of the data processor | 1 N Dearborn Street, Suite 500, Chicago, IL 60602 |
| The purpose of data processing carried out on behalf of the data controller | providing the electronic mailing function through the ActiveCampaign, LLC Postmark email sending servers for the purpose of sending newsletters. |
| Recipients of data | The business; the employees of the business; the fulfillment of the contract – including the enforcement of rights arising from the contract – for this purpose authorized persons; |
| Data transfer to a third country or international organization | THERE IS |
| Automated decision-making / profiling / profilalkotás | NOTHING |
| The rights of the affected parties | The affected person may request access to personal data concerning them from the data controller, as well as its rectification, deletion, or restriction of processing, they may object to the processing of such personal data, and they have the right to data portability. In the case of data processing based on consent, the right to withdraw consent at any time, which does not affect the legality of the processing carried out on the basis of consent before the withdrawal. |
| Possible consequences of failure to provide data | the affected person cannot take advantage of the services provided by the business |
| Complaint to the supervisory authority | It can be submitted according to the provisions of the Data Processing Information and Data Processing Regulations. Any questions, comments, or issues related to data processing can be directed to the Data Controller at the contact details provided above. In case of violation of the rights of the data subject, they may turn to the court. The data subject may also file a complaint regarding data processing directly with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11; phone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu). |
RoomSome Voucher
| Name of data processing activity | Online gift voucher order |
| The name of the data controller: | Zagore Property Zrt. |
| The contact information of the data controller: | 1211 Budapest, Színesfém u. 10. 1. |
| The purpose of data management: | the simplification of the online gift voucher ordering process, making it more convenient |
| The legal basis for data processing: | the explicit and voluntary prior consent of the person initiating the online payment in the process of ordering the online gift voucher |
| The designation of the personal data processed: |
The personal data processed for ordering a gift voucher is as follows: - buyer's name - buyer's email address - buyer's phone number - buyer's mailing address (country, postal code, city, street, house number) - buyer's billing address (country, postal code, city, street, house number) - buyer's IP address (online identifier) - name(s) of the gift recipient(s) |
| The intended duration of the processing of personal data: | until the withdrawal of consent |
| The necessity of the personal data provided by the concerned individual: | the possibility of a simple and convenient realization of the gift voucher ordering process initiated by the concerned part |
| It is necessary to involve data processors for data management activities: | Yes |
The name of the data processor
| The name of the data processor | MORGENS Design Kft. |
| The address of the data processor: | 8800 Nagykanizsa, Magyar utca 79. |
| The purpose of data processing carried out on behalf of the data controller | the operation of the online gift voucher ordering module on the server of Tárhely.Eu Szolgáltató Kft. (1144 Budapest, Ormánság utca 4. X. floor 241.), the storage of incoming gift voucher orders in a closed system, enabling the sending of gift vouchers in online form. |
| The name of the data processor: | Rocket Science Group |
| The address of the data processor: | 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 |
| The purpose of data processing carried out on behalf of the data controller | providing email sending functionality through Mandrill software for recording online gift voucher orders |
| The name of the data processor: | PayPal (Europe) S.à.r.l. et Cie, S.C.A. |
| The address of the data processor: | 22-24 Boulevard Royal, L-2449 Luxemburg |
| The purpose of data processing carried out on behalf of the data controller is: | Ensuring the execution of the data communication required for the online payment transaction between Zagore Property Zrt. and the electronic system of the payment service provider operating the PayPal online payment system, confirming the status of the transaction |
| The name of the data processor: | Barion Payment Zrt. |
| The address of the data processor: | 1117 Budapest, Irinyi József utca 4-20. 2. emelet |
| The purpose of data processing carried out on behalf of the data controller is: | Ensuring the execution of the data communication required for the online payment transaction between Zagore Property Zrt. and the electronic system of the payment service provider operating the Barion online payment system, confirming the status of the transaction |
| Recipients of data | The company; the employees of the company; the performance of the contract - including the enforcement of claims arising from the contract - are entrusted. |
| Data transfer to a third country or international organization | THERE IS |
| Automated decision-making / profiling | NOTHING |
| The rights of the affected parties | The affected individual may request access to their personal data from the data controller, as well as correction, deletion, or restriction of processing of such data; they may object to the processing of such personal data, and they have the right to data portability. In the case of data processing based on consent, there is a right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal. |
| Possible consequences of failure to provide data | the affected person cannot take advantage of the services provided by the business |
| Complaint to the supervisory authority | It can be submitted according to the provisions of the Data Processing Information and Data Processing Regulations. Any questions, comments, or issues related to data processing can be directed to the Data Controller at the contact details provided above. In case of violation of the rights of the data subject, they may turn to the court. The data subject may also file a complaint regarding data processing directly with the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11; phone: +36-1-391-1400; email: ugyfelszolgalat@naih.hu; website: www.naih.hu). |
01.02. 2025 Harkány
Zagore Property Zrt.