ELISABETH GRAND HOTEL

PRIVACY STATEMENT

 
1. GENERAL REGULATION
ATOMIX Trade and Provider Ltd. (hereinafter referred to as the Company), the operator of the Elisabeth Grand Hotel**** Conference and Wellness Hotel (2 Szent István square, Paks, Hungary), continuously ensures that its handling of personal data is lawful and expedient. The purposes of this document are the following: our guests can obtain information about data protection at our Company before booking and before providing personal data (how long we keep data, under what conditions and with what guarantees). Our Company stands by the content of this document in every case. The following rules are binding on our Company as well.
Our Company's data processing is based on voluntary consent and on compliance with legal obligations; furthermore, in some cases processing is necessary in order to take steps at the request of the data subject before entering into a contract. If you have any further questions, please write an e-mail to erzsbethotelpaks@npp.hu.
The content of the policy is based in particular on the relevant provisions of the following national and European Union legislation:
· Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as „GDPR”)
· Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (hereinafter referred to as „Infotv.”)
Controller:
· Name: ATOMIX Trade and Provider Ltd./Elisabeth Grand Hotel
· Seat/Head of Premises: 7030-Paks topographical number: 8803/17
· Park: 7030-Paks, Szent István square 2.
· Company registration number: 17-09-001944
· Tax number: 11284327-2-17
· Telephone number: +36/75/501-510
· E-mail: atomix@npp.hu
We provide the following information regarding our data processing.
 
2. DATA PROCESSING RELATED TO THE USE OF SERVICES
At the Elisabeth Grand Hotel our Company offers in-person check-in and check-out, conference room rental and, in connection with or independently of these, restaurant, café and wellness/spa recreation services.
· Controller of the personal data: ATOMIX Ltd., 7030-Paks, topographical number: 8803/17
· The purposes of processing: in the case of purchases in the hotel and in the hotel restaurant or café: invoicing, documentation of purchases and payments, fulfilment of accounting obligations, customer relations, analysis of customer habits, targeted service; in the case of bookings relating to spa use: accounting documentation, fulfilment of accounting obligations, customer relations, analysis of customer habits, targeted service
· Lawfulness of processing: the processing is necessary for the conclusion of the contract, Article 6, point (b) of the GDPR, and Section 169 (2) of the Számv. tv.
· Personal data processed when hotel services are used by EU nationals: title, first name and last name, address (country), postal code, city, street, house number, nationality, personal ID number, phone number, e-mail address.
· Personal data processed when hotel services are used by non-EU nationals: title, first name and last name, date and place of birth, passport number, visa number, place and date of arrival in Hungary, address (country), postal code, city, street, house number, nationality, phone number, e-mail address.
· Personal data processed when booking restaurant, café or wellness/spa services: title, first name, surname, phone number, booking appointment.
· Personal data processed when restaurant, café or wellness/spa services are used: date, appointment, title, first name, surname, address, name of the product bought, amount, price, payment.
· Consequences of failure to provide data: the booking of the room, of the restaurant/café table or of the spa services cannot be confirmed. Furthermore, the restaurant/café/spa invoice may not be issued.
· Duration of the processing in case of billing: 8 years, pursuant to Section 169 (2) of the Act on Accounting
· Duration of the processing in case of using restaurant, café or spa services: 24 hours after use of the services
· Processors: our Company uses IT service providers for its hotel system and hospitality system:
Processor's name | Registered seat | Data processing task
Hostware Ltd. | 120-122 Róna street, Budapest 1149 | Customer service tasks when the HostWare FRO hotel system is used; customer service tasks when the HostWare VEN restaurant system is used
SAP Hungary Ltd. | 7 Záhony street, Budapest 1031 | Billing services
NÜSz Ltd. | 1 Gagarin street, Paks 7030 | Systematization of customer or supplier invoices
MVMI Ltd. | 1 Vasút street, Paks 7030 | Server hosting tasks
 
In the case of payment by credit card, the transaction data are handled by OTP Bank Plc. (16 Nádor street, Budapest 1051).
Data transfer to third countries: our Company does not transfer data to third countries.
Rights of the data subject: the data subject (the person whose data our Company processes)
1. may request access to his/her personal data
2. may request rectification of the data
3. may request erasure of the data
4. may request restriction of the processing of personal data if the conditions set out in Article 18 of the GDPR are met (in which case our Company does not erase or destroy the data until contacted by the court or authority, but for a maximum of 30 days, and does not process the data for other purposes)
5. may object to the processing of personal data
6. may exercise the right to data portability. The data subject has the right to receive the personal data in MS Word or Excel format. Furthermore, the data subject has the right to request that our Company forward the data to another Processor.
Other information related to processing: our Company takes every necessary technical and organisational measure to avoid an accidental data protection incident (for example, damage to files containing personal data, loss of such files, or unauthorised access to files containing personal data).
If an incident occurs, we keep a record of it in order to verify the necessary measures and to inform the data subjects. This record contains the personal data concerned, the number of persons affected by the data protection incident, the time, circumstances and effects of the incident and the measures taken to remedy it, as well as other details specified in data protection law.
 
3. PROCESSING OF REQUEST FOR QUOTATION
Guests have the option of requesting a quotation from the Controller by electronic mail. We provide the offer through an automated system, subject to available capacity.
· Controller of the personal data: ATOMIX Ltd., 7030-Paks, topographical number: 8803/17
· The purposes of processing: providing preliminary information on hotel prices and capacity
· Lawfulness of processing: prior consent of the person making the booking, Article 6 (1) (a) and (b) of the GDPR
· The processed personal data: title, first name, last name, phone number, e-mail, number of potential guests.
· Duration of the processing: a maximum of 180 days from receipt of the request for quotation.
· Processor: our Company does not use processors for this activity
· Data transfer to third countries: our Company does not transfer data to third countries
Consequences of failure to provide data: the Hotel cannot provide an offer.
Rights of the data subject: the data subject (the person whose data our Company processes)
1. may request access to his/her personal data
2. may request rectification of the data
3. may request erasure of the data
4. may request restriction of the processing of personal data if the conditions set out in Article 18 of the GDPR are met (in which case our Company does not erase or destroy the data until contacted by the court or authority, but for a maximum of 30 days, and does not process the data for other purposes)
5. may object to the processing of personal data
6. may exercise the right to data portability. The data subject has the right to receive the personal data in MS Word or Excel format. Furthermore, the data subject has the right to request that our Company forward the data to another Processor.
 
Other information related to processing: our Company takes every necessary technical and organisational measure to avoid an accidental data protection incident (for example, damage to files containing personal data, loss of such files, or unauthorised access to files containing personal data).
If an incident occurs, we keep a record of it in order to verify the necessary measures and to inform the data subjects. This record contains the personal data concerned, the number of persons affected by the data protection incident, the time, circumstances and effects of the incident and the measures taken to remedy it, as well as other details specified in data protection law.
 
4. PROCESSING TO SUBSCRIBE TO NEWSLETTER
Our Company keeps in contact with guests by newsletter and provides information about services, news and offers.
· Controller of the personal data: ATOMIX Ltd., 7030-Paks, topographical number: 8803/17
· The purposes of processing: contacting potential guests, sending electronic newsletters containing business advertisements, and providing information about updates and services.
· Lawfulness of processing: consent of the data subject, Article 6 (1) (a) of the GDPR
· Description of the legitimate interest: maintaining and developing business relations with partners and guests
· The processed personal data: name, e-mail
· Duration of the processing: until unsubscription
· Processor: our Company uses the following IT service provider:
Processor's name | Registered seat | Data processing task
MVMI Zrt. | 1 Vasút street, Paks 7030 | Server hosting
 
Consequences of failure to provide data: the data subject does not receive the newsletter from our Company.
Rights of the data subject: the data subject (the person whose data our Company processes)
1. may request access to his/her personal data
2. may request rectification of the data
3. may request erasure of the data
4. may request restriction of the processing of personal data if the conditions set out in Article 18 of the GDPR are met (in which case our Company does not erase or destroy the data until contacted by the court or authority, but for a maximum of 30 days, and does not process the data for other purposes)
5. may object to the processing of personal data
6. may exercise the right to data portability. The data subject has the right to receive the personal data in MS Word or Excel format. Furthermore, the data subject has the right to request that our Company forward the data to another Processor.
Guests can unsubscribe at any time by sending an e-mail to erzsbethotelpaks@npp.hu or by clicking Unsubscribe in the newsletter. Upon unsubscription, we immediately delete your e-mail address from our database.
Other information related to processing: our Company takes every necessary technical and organisational measure to avoid an accidental data protection incident (for example, damage to files containing personal data, loss of such files, or unauthorised access to files containing personal data).
If an incident occurs, we keep a record of it in order to verify the necessary measures and to inform the data subjects. This record contains the personal data concerned, the number of persons affected by the data protection incident, the time, circumstances and effects of the incident and the measures taken to remedy it, as well as other details specified in data protection law.
 
5. PROCESSING RELATED TO CONSUMER SATISFACTION ASSESSMENT
For the Controller it is of the utmost importance that guests receive the highest quality service, thus the Controller requests feedback from guests on their hotel experiences.
· Controller of the personal data: ATOMIX Ltd., 7030-Paks, topographical number: 8803/17
· The purposes of processing: Further development and continuous improvement of the services provided by the Controller
· Description of the legitimate interest: our Company has a legitimate interest in receiving feedback, because service improvements are based on this information.
· The processed personal data: room number, date of completing the questionnaire (date of check-out)
· Duration of the processing: a maximum of 180 days from the date the questionnaire is completed.
· Processor: our Company does not use IT services or processors; we handle the questionnaires on paper
 
Consequences of failure to provide data: the data subject does not receive the consumer satisfaction assessment from our Company.
Rights of the data subject: the data subject (the person whose data our Company processes)
1. may request access to his/her personal data
2. may request rectification of the data
3. may request erasure of the data
4. may request restriction of the processing of personal data if the conditions set out in Article 18 of the GDPR are met (in which case our Company does not erase or destroy the data until contacted by the court or authority, but for a maximum of 30 days, and does not process the data for other purposes)
5. may object to the processing of personal data
6. may exercise the right to data portability. The data subject has the right to receive the personal data in MS Word or Excel format. Furthermore, the data subject has the right to request that our Company forward the data to another Processor.
Other information related to processing: our Company takes every necessary technical and organisational measure to avoid an accidental data protection incident (for example, damage to files containing personal data, loss of such files, or unauthorised access to files containing personal data).
If an incident occurs, we keep a record of it in order to verify the necessary measures and to inform the data subjects. This record contains the personal data concerned, the number of persons affected by the data protection incident, the time, circumstances and effects of the incident and the measures taken to remedy it, as well as other details specified in data protection law.
 
 
6. COOKIE POLICY
In order for the Controller's website to work as efficiently as possible, the Controller uses cookies, primarily the so-called session cookie, which is required to browse the site and use its features and which enables, among other things, the user's operations related to functions or services on the given site to be remembered. Without 'session cookies', smooth use of the website cannot be guaranteed. They are valid for the duration of the visit; cookies are automatically deleted at the end of the session or when the browser is closed.
Furthermore, via cookies a website recognizes returning users and allows the Controller to collect data about user behaviour, for example the country from which the user accessed the site, the user's browser software and operating system, IP address, the pages viewed on the site and the features used.
· Purpose of processing: While visiting the site, the Controller logs the visitor data in order to check the functionality of the services and to prevent abuse.
· Lawfulness of processing: The Controller has a legitimate interest in the safe operation of the website. Article 6 (1) (f) GDPR.
· Processed data categories: IP address, date, time, previously visited page
· Duration of the processing: maximum 30 days
· Further information: the Controller does not link the data generated by the analysis of the log files with other information and does not attempt to identify the user. The addresses of the pages visited, as well as the date and time data, are not suitable in themselves for identifying the data subject, but after linking to other data (such as those provided during registration) they may be utilised to draw conclusions about the user.
A cookie is an information package of variable content sent by the web server that is stored on the user's computer and provides an opportunity to query some of its data. You can delete cookies from your computer at any time or disable them in your browser settings.
 
7. SOCIAL MEDIA PLUG-INS
The website may contain plug-ins ('plug-ins') of Facebook. The plug-in will forward to the Service Providers information on which websites you have opened. If you are logged in to your user account while browsing our Website, the Service Providers can match the information you are interested in (that is, information you have accessed) with your user account. When using plug-in functions (for example commenting), the browser will forward this information directly to the Service Providers for retention.
For more information about Facebook's privacy policy, please see the links below: http://www.facebook.com/about/privacy/ and http://www.facebook.com/help/?faq=186325668085084
 
8. 
 
9. LOGGING OF THE SERVER
When visiting the website http://erzsebethotelpaks.hu/ the web server automatically logs user activity.
· Purpose of processing: While visiting the site, the Controller logs the visitor data in order to check the functionality of the services and to prevent abuse.
· Lawfulness of processing: The Controller has a legitimate interest in the safe operation of the website. Article 6 (1) (f) GDPR.
· Processed data categories: IP address, date, time, previously visited page
· Duration of the processing: maximum 90 days
· Further information: the Controller does not link the data generated by the analysis of the log files with other information and does not attempt to identify the user. The addresses of the pages visited, as well as the date and time data, are not suitable in themselves for identifying the data subject, but after linking to other data (such as those provided during registration) they may be utilised to draw conclusions about the user.
A cookie is an information package of variable content sent by the web server that is stored on the user's computer and provides an opportunity to query some of its data. You can delete cookies from your computer at any time or disable them in your browser settings.
Data processing of external service providers related to logging: the html code of the portal contains hyperlinks from and to an external server, independent from the Controller. The server of the external service provider is connected directly to the user's computer. We remind our visitors that the providers of these links are able to collect user data (e.g. IP address, browser and operating system details, cursor movement, visited page title, and time of visit) due to the direct connection to their server and direct communication with the user's browser. The IP address is a series of numbers by which the computers and mobile devices of users on the Internet can clearly be identified. IP addresses can also be used to geographically locate a visitor using that computer. The addresses of the pages visited, as well as the date and time data, are not suitable in themselves for identifying the data subject, but after linking to other data (such as those provided during registration) they may be utilised to draw conclusions about the user.
 
10. ELECTRONIC SURVEILLANCE SYSTEM
Purpose of data processing: the prevention and detection of offences for the protection of human life, physical integrity and property; catching the perpetrator in the act and proving offences; the identification of unauthorized entrants to the Hotel; the recording of the fact of entry; the documentation of the activities of unauthorized persons; and the investigation of the circumstances of any work-related or other accidents.
Lawfulness of processing:
(a) In case of entering the Hotel area, consent of the guest - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);
(b) Enforcement of a legitimate interest - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (Article 6(1) (f) of the GDPR; the Controller has a legitimate interest in the protection of personal and property rights)
Processed data categories: the image of the persons entering the Hotel as well as other personal details recorded by the surveillance system.
Duration of data processing: 72 days
Pursuant to Article 31 (3) of the Szvmtv., recorded images, sound, as well as image and sound recordings that are not used shall be destroyed or deleted no later than thirty days after recording if the recording was carried out
a) at a public event for the protection of human life, physical integrity or personal freedom,
b) at a public event, at a public transport vehicle station or stop (e.g. train station, airport, metro stop) for the prevention of terrorist acts or public menace,
c) for the safe storage, handling and transportation of money, securities, precious metals and gems of significant value under the Act on the Criminal Code,
d) for the protection of dangerous substances.
Use of recordings
Persons authorized to view the camera recordings: the Controller's authorized employees at the reception
The stored recordings of the camera surveillance and recording system operated by the Controller can only be viewed by authorized persons solely for the purpose of demonstrating violations of human life, physical integrity and property as well as in order to identify the perpetrator. Any data subject whose right or legitimate interest is affected by the recording of an image may request, by substantiating his or her right or legitimate interest, that the recording not be erased or deleted by the Controller until the request of the court or the authority, but for a maximum of 30 days. The person on the recording may ask for information about the recording made by the electronic surveillance system, request a copy or, if there is another person present in the recording, view the recording. The data subject may request the deletion of the recording of him/her or the modification of the recording data, or may object to the processing. The Controller records each viewing of the stored recordings, the name of the person performing it, and the reason and time of the viewing, by taking minutes.
Data transfer: in the case of an offense or criminal procedure, to the authorities, courts and tribunals that carry them out.
Scope of the transmitted data: images taken by the camera system, with relevant information.
Within the Hotel area, the Controller operates an electronic surveillance system (video surveillance system). The security cameras are located as follows and serve the monitoring of the following areas / premises:
· Group I.
Wellness entrance
Wellness foreground
Cam 2: Garage
Cam 3: Garage storages
Cam 4: Garage
Cam 5: Garage
Cam 6: Garage
Cam 7: Garage
Cam 8: Garage
Cam 9: Restaurant
Cam 10: Kitchen staff entrance
Cam 11: Hotel court
Cam 12: Café back entrance
Cam 13: Hotel court
Cam 14: Hotel court
Cam 15: Corridor between new and old building
Cam 16: Café
· Group II.
Cam 1: Ground floor, between glass doors, South
Cam 2: Ground floor, between glass doors, North
Cam 3: Old building, between glass doors
Cam 4: Old building, stairs
Cam 5: Between Restaurant entrance and Foyer
Cam 6: Ground floor, wardrobe
Cam 7: Old building, planned reception
Cam 8: Old building, floor wardrobe
Cam 9: Entrance from garage
Cam 10: Reception, main entrance
Cam 11: Reception
Cam 12: Back office of the reception
Cam 13: First floor, elevator
Cam 14: Second floor, elevator
Cam 15: New building, floor corridor
Cam 16: New building, floor corridor
 
11. HOTEL WIFI
The Hotel provides an internet connection via WiFi for guests.
· Purpose of data processing: to provide wireless internet connection for guests
· Lawfulness of processing: The Controller has a legitimate interest in the safe operation of the website. Article 6 (1) (f) GDPR.
· Processed data categories: IP address, date, time, addresses of visited pages
· Duration of data processing: maximum 90 days
· Processor:
Name of the Processor | Seat | Data processing task
Tarr Kft. | 7100. Szekszárd, Kadarka u. 18. | Provision of the internet connection
 
12. OTHER PROCESSING
The Controller keeps records of the objects found in the room and / or the lobby area after the guest has left.
Purpose of processing: Records of lost and found objects, notification of the owner, return of the object
Lawfulness of processing:
(a) Consent - the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6 (1) (a) of the GDPR);
Processed data categories: room number, date of finding, designation of the object, recipient's name
(b) Compliance with a legal obligation - processing is necessary for compliance with a legal obligation to which the Controller is subject; (Article 6 (1) (c) of the GDPR);
Pursuant to Articles 5:54- 5:64 of the Ptk.: Items found in a building or room that are open to the public are to be handed over to the operator's staff without delay. Ownership of such a thing cannot be claimed by the finder. If the person authorized to receive the found item can be identified, the operator shall notify him/her and will hand it over to him/her without delay. If the person authorized to receive cannot be identified, the operator shall retain the item for three months after the handover or, if retention is not possible, shall hand it over to the notary within eight days of the handover. If the claimant does not appear for the item within three months, the operator or the notary shall sell it.
Duration of the processing:
(a) The data will be erased and destroyed upon receipt by the owner of the object found or, in case of a handover to the notary, following the handover;
(b) In the case of sales, following 1 (one) year from the date of the finding;
(c) Until the guest's consent is withdrawn;
Consequences of failure to provide data: the Controller cannot fulfil its statutory obligation
 
13. DATA SECURITY MEASURES AND THE WAY DATA IS PROCESSED
The Controller shall ensure that the data security is proportionate to the risk and shall take the technical and organizational measures and establish the procedural rules, which are necessary to enforce the provisions of the GDPR, the Infotv. and other privacy and data protection rules. 
The Controller shall protect data by risk-proportionate measures against any unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as any unintentional destruction or damage or unavailability resulting from a change in the technique used. Within this framework, the Controller stores your personal information in a password-protected and / or encrypted database. The Controller protects the data within the framework of a risk-proportional protection with firewalls, antivirus software, encryption mechanisms, content filtering, and other technical and process solutions. Privacy incidents are being continuously monitored.
The Controller stores hard copy and personal data files in a lockable room equipped with fire and property protection. Manually handled documents containing personal data are archived in order to fulfil the Controller's retention obligation, in a room that is likewise lockable and equipped with fire and property protection.
Rights of the Data Subject and Enforcement Options
You may exercise your rights listed in the following points by submitting an oral or written request to the Controller. The contact details of the Controller are provided in Section II of the Policy.
1. Information on the Treatment of Your Personal Data
At the request of the data subject, the Controller shall provide information on the data it manages or a data processor has processed upon its assignment or its commission, their source, the purpose of the processing, its legal basis and duration, the name and address of the Processor, activities related to processing, conditions and effects of the privacy incident as well as the preventative measures taken, and in case of the transmission of the data subject's personal data, the legal basis of the transfer and its recipient.
Upon the data subject's request, the Controller shall provide information in writing, in a clearly understandable form, as soon as possible, but no later than 25 days following the submission of the request.
2. Access to Personal Data
The data subject has the right to be informed by the Controller if any of its personal data are being processed, and if so, it has the right to access such personal data and the following information:
a) the purposes of processing;
b) the categories of the personal data concerned;
c) the recipients or categories of recipients to whom or which personal data were disclosed or will be disclosed, including in particular third country recipients or international organizations;
d) where appropriate, the intended duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
e) the right of the data subject to request the Controller rectification, erasure or restriction of the processing of its personal data, and to object to the processing of its personal data;
f) the right to lodge a complaint addressed to a supervisory authority;
g) if the data was not collected from the data subject, all available information about their source;
h) the fact of automated decision-making, including profiling, and at least in such cases, the logic used and understandable information about the nature of such processing and the likely consequences regarding the data subject.
Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed about the appropriate guarantees regarding the transfer.
On request, the Controller shall provide the data subject with one copy of the processed personal data. The Controller may charge the data subject a reasonable administration fee for any additional copies. If the application has been submitted electronically, the information should be provided in a widely used electronic format, unless otherwise requested by the data subject.
The right to request a copy should not adversely affect the rights and freedoms of others.
3. Right to Rectification
The data subject shall have the right to make the Controller rectify its incorrect personal data immediately. Taking into account the purpose of processing, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.
4. Right of Erasure (so-called ‘right to be forgotten’):
The data subject shall have the right to request the Controller erasure of its personal data without undue delay and the Controller shall delete the personal data of the data subject without undue delay, if one of the following reasons exists:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws its consent on which the data processing is based, and there is no other legal ground for the processing;
c) the data subject objects to the data processing, and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation as per a Union or Member State law to which the Controller is subject;
f) the personal data have been collected in relation to the offering of information society services.
If the Controller has made the personal data public and is obliged pursuant to the above to erase such personal data, by taking account of available technology and the cost of implementation, the Controller shall take reasonable steps to inform Controllers processing the data that the data subject has requested the erasure by such controllers of any links to those personal data, or their copy or replication.
Deletion of data cannot be initiated if processing is required for the following reasons: to exercise the right to freedom of expression and the right of information; the fulfilment of an obligation under a Union or Member State law for the processing of personal data, applicable to the Controller, or for the performance of a task carried out of public interest or in the exercise of a public authority delegated to the Controller; for the purpose of archiving, scientific and historical research or for statistical purposes in the public health field, out of public interest; or for the submission, enforcement or protection of legal claims.
5. Right to Restriction of Processing
The data subject shall have the right to request that the Controller restrict the processing if one of the following conditions is met:
a) the data subject contests the accuracy of the personal data; such restriction shall be valid for a period enabling the Controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the submission, enforcement or protection of legal claims;
d) the data subject has objected to processing; in this case, such restriction shall be valid for a period until it is determined whether the legitimate grounds of the Controller override those of the data subject.
Where processing has been restricted pursuant to the above, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the submission, enforcement or protection of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Prior to the discontinuation of the limitation of processing, the Controller informs the data subject at whose request the processing has been restricted.
The Controller shall inform each recipient to whom or which the personal data have been disclosed of any rectification, erasure or restriction related to processing, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, the Controller shall inform the data subject of those recipients.
Right to Data Portability
The data subject shall have the right to receive the personal data it has provided to the Controller in a widely used, machine-readable format and shall be entitled to transfer these data to another Controller without being obstructed by the Controller to whom it has provided the personal data, if:
a) the processing is based on the consent of the data subject or a contract; and
b) the processing is carried out in an automated way.
In exercising the right to data portability as described above, the data subject is entitled to request the direct transfer of personal data between Controllers, if technically feasible. The exercise of this right shall be without prejudice to the right to erasure. This right does not apply in the case where the processing is required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller. The right referred to in this paragraph shall not adversely affect the rights and freedoms of others.
Right of Withdrawal
The data subject has the right to withdraw its consent to the processing of its personal data at any time; exercising this right does not affect the lawfulness of the processing performed on the basis of consent prior to the withdrawal.
Lodging a Complaint with a Supervisory Authority
In order to enforce the right to the protection of personal data, it is possible to apply to the National Data Protection and Information Authority, based on which application a proceeding of the data protection authority can be launched. If the proceeding of the data protection authority is preceded by an investigation based on notification, the notifying person shall be notified of the initiation or termination of the data protection authority proceedings.
Name: National Authority for Data Protection and Freedom of Information
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C
Mailing address: 1530 Budapest, P.O. Box 5
Phone number: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu
Homepage: http://www.naih.hu 
Right to Apply to the Courts
The data subject may apply to the court in case of violations of its rights. Such court proceedings shall be conducted under priority. The Controller shall demonstrate that the processing is in compliance with the law. The lawsuit can be initiated by the data subject, according to its choice, before the competent court of its domicile or place of residence. A party that otherwise has no legal capacity may also be a party to the lawsuit. For the sake of success, the National Authority for Data Protection and Freedom of Information can intervene in the case in question.
If the court upholds the application, the Controller is required to provide the information, to rectify, block or delete the data, to annul the decision made by automated data processing, and to take into account the right of protest of the data subject.
The court may order the publication of its judgment, together with the identifying data of the Controller, if this is required by the interests of data protection and by a greater number of data subjects protected by this Act.
Information on a Privacy Incident (Breach)
If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the Controller shall inform the data subject of the privacy incident without undue delay.
The information provided to the data subject must clearly and easily disclose the nature of the privacy incident and shall include at least the name and contact details of the informing contact person, the likely consequences of the privacy incident and any actions taken or planned by the data controller to remedy the privacy incident, including measures to mitigate the possible adverse consequences of the privacy incident.
The data subject shall not be informed if any of the following conditions are met:
a) the Controller has implemented appropriate technical and organizational protection measures and applies these measures to data covered by the privacy incident, in particular measures such as the use of encryption that make it impossible for unauthorized persons to gain access to the personal data;
b) the Data Controller has taken further measures following the privacy incident to ensure that the high risk for the rights and freedoms of the data subject is no longer likely to be realized;
c) the provision of the information would involve a disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information, or a similar measure shall be taken to ensure that the data subject is informed in an equally effective manner.
If the Controller has not yet notified the data subject of the privacy incident, the supervisory authority may, after considering whether the privacy incident is likely to pose a high risk, order that the data subject be informed or determine whether one of the necessary conditions has been met.