PRIVACY POLICY

Andrassy Thai Hotel – Thai Hotel Ltd. 

Privacy Policy

Relating to hotel management and guests

 

This Privacy Policy (“Policy”) is to inform data subjects in compliance with  Article 13 AND 14 of Regulation (EU) 2016/679 (General Data Protection Regulation) of the EU Parliament and Commission in relation to the processing of personal data during the course of providing and preparing hotel services.

 

1. Data Controller’s contact details

Company name of data controller: THAI HOTEL Ltd. (hereinafter referred to as: “Controller”)

Official Seat: 1061 Budapest, Andrássy Avenue 2.

Mailing address: 1061 Budapest, Andrássy Av. 2.

Tax ID number: 24854669-2-42

Registration Number: 01-09-186046

Represented by: Attila Kiss

 

Hotel: Andrassy Thai Hotel

Email address: reservation@andrassythaihotel.com

Phone number: +36 1 400 7620

Website: andrassythaihotel.com

2. Processing of data subjects’ personal data

2.1 Scope of data subjects

During the pursuit of its hotel management activities the Controller shall process the personal data of the following natural persons (hereinafter referred to as: Data Subjects): guests

2.2 Categories of personal data processed

The Controller shall process the following personal data relating to the Data Subject:

  1. family name and first name
  2. address
  3. nationality
  4. date and place of birth
  5. mother’s maiden name
  6. sex
  7. email address (personal or created by OTA)
  8. phone number
  9. date of arrival
  10. date of departure
  11. number of rooms
  12. number of adults
  13. number of children
  14. codes (promotion, group)
  15. passport / personal identification document number
  16. visa number
  17. date and place of entering Hungary
  18. preferences
  19. payment information, type of card, card number, expiration date, CVV code
  20. purpose of travel
  21. data related to dietary sensitivities
  22. name, phone number, email address of contact person (in case of events)
  23. flight number
  24. room number
  25. description of lost and found items with guest name and room number
  26. guest feedback information
  27. bar consumption details
  28. health issues (separate document to be filled out before a massage upon the masseur’s request)
  29. date of invoicing
  30. length of stay
  31. method of payment
  32. amount paid, date of crediting payment
  33. car registration number, value of possible fines

The Data Subject shall disclose the data to be processed to the Controller by the following channels:

  • hotel website upon making a reservation or direct reservation (email address, phone number)
  • check-in document
  • third country guest registration form
  • credit card authorization form
  • consumption form
  • guest satisfaction survey

The Controller shall obtain personal data for processing from the following source(s):

  • Re-seller booking system
  • Off-line and on-line travel agencies

2.3 Legal grounds, purpose and duration of data processing

2.3.1        Preparation and performance of a contract for the provision of hotel services

Personal data processing is necessary for the purpose of preparing and performing a contract for the provision of hotel services (hereinafter referred to as: the “Contract”).

Purpose of personal data processing:

  • performance of obligations related to room reservations and other services ordered
  • during his or her stay the Data Subject is identified (information is transferred between divisions) by his or her personal data for the purposes of performing contractual obligations (eg. housekeeping, breakfast, bar consumption),
  • record of pre-purchased and pre-paid gift certificates
  • pricing a room as part of an offer
  • the Data Subject’s contact details are processed for communication purposes; eg. managing issues arising during the guest’s stay, pre-stay emails etc.
  • invoice data are recorded for receivables management purposes
  • to ensure smooth check-out operations in case of IT problems

The duration of data processing shall be the same as the preparation and in case of concluding a contract the performance thereof, except for the following cases:

  • check-in card, invoices – paper version 8 years
  • massage information – 1 month
  • housekeeping list, emergency shift – 3 days
  • bar consumption slip – 1 month

With regard to the fact that the Controller is unable to prepare and perform the contract without disclosure of the above personal data the Data Subject shall be obliged to provide them to the  Controller. Failure to do so may result in the Controller refusing to prepare or perform the contract with the Data Subject.

In the event of failure to conclude a contract or the termination of a contract the Controller shall not erase the personal data from its database.  Data entered into Fidelio shall be  anonymized after 1 year.

2.3.2       Performance of legal obligations:

The Controller shall control the Data Subject’s personal data for the purpose of compliance with the following legal regulations for the following lengths of time:

  • Filing of tourist tax returns (Municipality Regulation No. 57/2010.(XII.30.) of City of Budapest VI. Terézváros Municipality and  Municipality Regulation No. 38/2010. (XII. , KSH [Central Statistics Bureau] statistics (Act No. CLV of 2016 on Official Statistics) and other mandatory reports, eg.: PTGSZLA (Act No. CXXVII of 2007 on VAT, Act No. CL of 2017 on Taxes and Regulations)– 8 years
  • Administration of guest register for the personal data relating to nationals of third countries (Article 2 of § 73 of Act No. II of 2007 on the entry and residence of third-country nationals ) – 8 years
  • Obligation to issue an invoice, correction of invoices in case of any errors upon issuing (Article 2 of § 169 of Act No. C of 2000 on accounting ) – 8 years

With consideration to the fact that the data processing described in this section is the Controller’s legal obligation, the provision of such personal data is mandatory and refusal to provide the data may result in refusal to conclude the Contract or execute the Contract.

2.3.3       Legitimate interests of the Controller AND/OR a third party

The Controller shall control the Data Subject’s personal data on the grounds of legitimate interests for the following purposes and for the following lengths of time:

  • Problem management
  • Guest satisfaction development
  • Informing guests
  • Verification of information provided by guests (eg. room number given at the bar)

The purpose of data processing under this section is to enable the Controller to exercise his legitimate interests.

The duration of data processing shall be the same as the preparation and in case of concluding a contract the validity thereof.

With consideration to the fact that the data processing described in this section is the Controller’s or third party’s legitimate interest, the provision of such personal data is mandatory and refusal to provide the data may result in refusal to conclude the Contract or execute the Contract.

2.3.4       Consent of the Data Subject

Personal data shall be processed on the basis of the Data Subject’s consent (voluntary expression of explicit will, based on specific and proper information). The Data Subject shall give his or her consent to the Controller on the check-in card or the guest satisfaction questionnaire.

Consent shall be voluntary and the Data Subject shall have the right to revoke his or her consent at any time without restrictions via a written notification to the Controller. The Data Subject may send his or her written notification to either of the contact details contained in section 1 of the Privacy Policy.

Revoking his or her consent shall result in no consequences to the Data Subject. However, revoking his or her consent shall not affect the lawfulness of data processing on the grounds of consent prior to revoking it.

2.4 Right to decide on automated individual decision-making, including profiling

The Controller does not pursue automated decision-making, including profiling.

3. Recipients of personal data

The Controller shall transmit the Data Subject’s personal data to the following persons and organizations (data processors):

  • External IT companies (Sybell Informatika Kft.) for the purposes of systems operation, see guest data in 2.2
  • D-edge, Hostware (have access with the hotel’s consent for the purposes of error correction) guest data contained in the invoicing software, see 2.2
  • Massage company Bamboo Kft. for the purpose of rendering services, see guest data in 2.2
  • Taxi companies for the purpose of rendering services, see guest data in 2.2
  • Police, upon request (camera recordings)

4. Data Subject rights

4.1        Right of access

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and if so, access to the personal data and the following information:

  • the purposes of the processing of the specific personal data,
  • the categories of personal data concerned,
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations (if personal data are transferred to a third country or to an international organization, the Data Subject shall have the right to be informed of whether the data transfer is done with the appropriate safeguards and guarantees),
  • the planned period for which the personal data will be stored, or if not possible, the criteria used to determine that period,
  • the rights of the Data Subject (rectification, erasure or restriction of processing, portability and the right to object to the processing of such personal data),
  • the right to lodge a complaint with a supervisory authority,
  • where the personal data were not collected from the Data Subject, all available information as to their source,
  • the existence of automated decision-making, including profiling; and, at least in cases where such processing is done, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.

The Controller shall have the right to request clarification or specification of the requested information or data processing activities from the Data Subject prior to responding to the Data Subject’s request.

In the event that the Data Subject’s right of access set forth in this section adversely affects the rights and freedoms of other persons, especially their business secrets or intellectual properties, the Controller shall have the right to refuse the  Data Subject’s request to the extent that is necessary and proportionate.

Where the Data Subject requests several copies of the above information, the Controller may charge a reasonable and proportionate fee based on administrative costs.

If the Controller does not process the personal data specified by the Data Subject, the former shall also inform the Data Subject of this fact in writing.  

4.2 Right to rectification

The Data Subject shall have the right to request the rectification of inaccurate personal data concerning him or her. The Data Subject shall have the right to have incomplete personal data completed.

Upon exercising his or her right of rectification/completion the Data Subject shall indicate exactly which data are inaccurate or incomplete and shall also communicate to the Controller the correct and complete data. The Controller has the right to request that the  Data Subject provide proper proof of the rectified data, primarily with proper documentation.

The Controller shall perform the rectification of inaccurate personal data without undue delay the.

Following rectification of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.

4.3 Right to erasure (“right to be forgotten”)

The Data Subject shall have the right to request that the Controller erase his or her personal data without undue delay where one of the following grounds applies:

  • the personal data specified by the Data Subject are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Controller,
  • the Data Subject withdraws consent on which the processing of his or her personal data (including special categories of personal data) was based and there is no other legal ground for the processing,
  • the Data Subject objects to the Controller processing his or her data on the grounds of its legitimate interests and the Controller has no legitimate grounds for the processing that override the Data Subject’s interests, rights or freedoms or that are relevant to the establishment, exercise or defense of legal claims,
  • the personal data was unlawfully processed by the Controller,
  • the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the Controller is subject,
  • the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing.

The Data Subject shall submit his or her request relating to erasure in writing and shall specify the reason for requesting the erasure of each personal data.

In the event that the Controller grants the Data Subject his or her request of erasure, the former shall erase the specified personal data from all databases and duly inform the Data Subject of it.

Where the Controller is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. In its communication the Controller is obliged to inform the other controllers that the Data Subject had requested the erasure of all links to or copies of his or her personal data, as well as any copies thereof.

Following erasure of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.

The Controller is not obliged to erase the personal data in cases where the processing is necessary:

  • for exercising the right of freedom of expression and information,
  • for compliance with a legal obligation arising from a Hungarian or EU legal regulation which requires processing by the Controller,
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
  • for reasons of public interest in the area of public health,
  • for archiving purposes in the public interest, scientific or historical research purposes, in so far as the Data Subject’s exercising his or her right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing,for the establishment, exercise or defense of legal claims.

4.4 Right to restriction of processing

The Data Subject shall have the right to request that the Controller restrict the processing or use of his or her personal data without undue delay where one of the following grounds applies:

  • the accuracy of the personal data is contested by the Data Subject (in which cases the restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data),
  • The data was unlawfully processed by the Controller, but the Data Subject requests restriction instead of erasure,
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims,
  • the Data Subject objects to the Controller processing his or her data on the grounds of its legitimate interests and the Controller has no legitimate grounds for the processing that override the Data Subject’s interests, rights or freedoms or that are relevant to the establishment, exercise or defense of legal claims; in such cases the restriction shall apply until it is established whether the legitimate interests of the Controller override the legitimate interests of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, shall only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State.

A  Data Subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.

Following restriction of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.

4.5 Right to object

Considering that the Controller does not perform any data processing carried out in the public interest and has no official authority, does not pursue scientific or historical research and does not process data for statistics purposes, the right to object may be exercised on the grounds of data processing on the grounds of legitimate interests.

In the event that the the personal data of the Data Subjects are processed on the grounds of legitimate interests it is an imperative guarantee that the Data Subject shall be ensured proper information regarding the data processing of his or her data and his or her right to object. The Data Subject shall be expressly informed of this right latest at the time of initial contact.

The Data Subject is entitled to object to the processing of his or her personal data on the above grounds and in such cases the Controller shall no longer have grounds to lawfully process the Data Subject’s personal data, except in cases where it can be demonstrated that:

  • the Controller has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or
  • the processing of the data is related to the establishment, exercise or defense of legal claims by the Controller.

4.5.1 Right to object to direct marketing

The Data Subject is entitled to object to the processing of his or her personal data for direct market purposes, however, unlike in the case of data processing on the grounds of other legitimate interests, where the Data Subject objects to processing for direct marketing purposes the Controller shall not have the right to examine whether it still has any other grounds to proceed with the processing.

Where the Data Subject objects to processing for direct marketing purposes, the Controller shall no longer process the Data Subject’s personal data for such purposes.

4.5.2 Profiling

During profiling the personal aspects of the Data Subjects are evaluated with the use of any form of automated processing. Such evaluations are suitable to analyze or predict aspects concerning the Data Subject’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

The right to object also includes profiling on the grounds of legitimate interests in the form of special data processing operations. Where profiling is done for purposes relating to direct marketing the Controller shall no longer perform profiling of the Data Subject on the basis of his or her personal data upon the objection of the Data Subject.

4.6 Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller.

The right to data portability may only be exercised in relation to the personal data provided by the Data Subject to the Controller and

  • where data processing is based on the legal grounds of a contract and
  • data processing is performed by automated means.

Otherwise, in cases where it is technically possible, the Controller shall directly transmit the Data Subject’s personal data to another controller designated in the Data Subject’s written request. The right to portability as defined in this section does not give rise to an obligation for the controllers to introduce or maintain technically compatible data processing systems.

With regard to data portability the Controller shall provide the data media required to transfer the data to the Data Subject free of charge.

In the event that the Data Subject’s right to data portability adversely affects the rights and freedoms of other persons, especially their business secrets or intellectual properties, the Controller shall have the right to refuse the  Data Subject’s request to the extent that is necessary and proportionate.

Measures taken in relation to data portability do not mean the erasure of the data.  The Controller shall store the data up to the point that the Controller has relevant purposes and sufficient legal grounds to do so.

4.7 Right to decide on automated individual decision-making, including profiling

The Data Subject shall have the right to request not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

The Data Subject shall not have the right to request exemption from decision based on automated data processing if the decision is necessary for entering into, or performance of, a contract, or if the decision is based on the Data Subject’s explicit consent or is made possible by EU or member state law.

In cases where the automated data processing is necessary for the purposes of entering into, or performance of, a contract or is based on the Data Subject’s decision, the Data Subject shall have the right to request human intervention from the part of the Controller, express his or her views and have the right to contest the decision.

During the course of its data processing activities the Controller shall implement all measures to avoid the inclusion of special categories of personal data in automated decision-making processes. However, in cases where this cannot be avoided special categories of personal data can only be used for automated decision-making if the data processing is based on the Data Subject’s consent or is necessary due to substantial public interest or EU or member state law.

4.8 Right to legal remedies

4.8.1       Right to lodge a complaint

The Data Subject shall have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information if he or she considers that the processing of his or her personal data by the Controller infringes on the effective data protection legislation, especially the GDPR.

The contact details for the National Authority for Data Protection and Freedom of Information:

Website: http://naih.hu/

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Mailing address: 1530 Budapest, Pf.: 5.

Phone: +36-1-391-1400

Fax: +36-1-391-1410

Email address: ugyfelszolgalat@naih.hu

The Data Subject shall have the right to lodge a complaint with other supervisory authorities, in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement.

4.8.2      Right of access to the courts (Right of legal action)

Without prejudice to his or her right to lodge a complaint, the Data Subject shall have the right of access to the courts where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data.

Proceedings against the Controller shall be brought before the courts of Hungary, as its activities are based in Hungary.

Pursuant to § 22. (1) of the effective Information Act, the Data Subject may also bring proceedings before the courts where the Data Subject has his or her place of habitual residence. The contact details of the Hungarian courts are available at: http://birosag.hu/torvenyszekek.

Since the Controller does not qualify as a public authority acting as an official authority of any member state, the Data Subject may bring proceedings before the courts with jurisdiction and authority at the place of the Data Subject’s place of residence in the event that his or her habitual residence is in another EU member state.

4.8.3      Other recourse options

The Data Subject shall have the right to mandate a not-for-profit body, organization or association which has been properly established in accordance with the law of an EU Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise on his or her behalf the right to receive compensation, the right to an effective judicial remedy against a supervisory authority or to bring a legal suit in front of the courts.

5. Miscellaneous

Where the Controller has reasonable doubts regarding the identity of the person making the request relating to sections 4.1 – 4.6 of this Policy, the Controller may request that the Data Subject provide access to additional information needed to verify his or her identity.

The Controller reserves the right to modify this Policy at any time. The Controller shall notify the Data Subject of such modifications at least 8 days prior to their entering into force via publishing on its website

Close