This Data Management Notice contains how A/L Rent-A-Home Kft. uses and protects your personal data. A/L Rent-A-Home Kft. is the data manager of the personal data that our guests or future guests make available to us when they use the websites www.homeinbp.com and www.budapestflat.net, as well as for the persons who read this Information 3.2. identifies you as a guest after making a reservation through the accommodation booking portal mentioned in point 2, and those who contact us through various channels, business contacts and our employees.
During its business activities, A/L Rent-A-Home Kft. requests, obtains and processes personal data from guests, future guests, business partners, colleagues and other persons. Our aim is to process as little personal data as possible in order to provide the appropriate service. We acknowledge and respect the legal rights and reasonable expectations of natural persons regarding their personal data and data protection.
This Data Management Notice explains how we ensure the protection of personal data. Several of the principles we follow follow from the EU’s General Data Protection Regulation (GDPR). At the same time, we comply with all applicable legal requirements regarding the protection of personal data and data protection.
Company name: A/L Rent-A-Home Ingatlankezelő és Szolgáltató Kft.
Headquarters: 1052 Budapest, Aranykéz utca 4-6. IX. Floor 118.
Location: 1056 Budapest, Molnár utca 3. IV. Floor 6.
Company registration number: 01 09 107642
Tax number: 23850909-2-41
Represented by: Olesya Zobkova
Phone number: +36703296738
email: homeinbp@gmail.com
(hereinafter: Data Controller)
In the course of fulfilling the accounting and reporting obligations, the data included in the invoices comes into possession of:
Name: Tamásiné Brigitta Horváth
Address: Szentendre, Paprikabíró utca 7.
Phone number: +36305712221
Email: tammas1@tammas.hu
The Data Controller respects the personal rights of its Guests, and has therefore prepared the following Data Management Information Sheet (hereinafter: Information Sheet), which is available electronically on the Company’s official website and on paper at the Company’s premises.
The data controller declares that during data management, CXII of 2011 on the right to self-determination of information and freedom of information. acts in accordance with the provisions of the Act (hereinafter: “Data Protection Act”).
This information sheet provides general information about data management during the services provided by the Data Controller. Due to the diversity of the Guests’ needs, the method of data management may occasionally differ from that contained in this Notice, such deviations may be made at the Guest’s request, and the Data Controller will inform the Guest in advance of the exact method. The Data Controller will provide information on all data processing that may not be included in this Notice before the data processing.
The Data Controller only processes personal data for a predetermined purpose for the time necessary for that purpose, in order to exercise rights and fulfill obligations. The Data Controller only manages personal data that is essential for the realization of the purpose of data management and suitable for achieving the purpose.
The consent or subsequent approval of the legal representative of a minor under the age of sixteen is required for the legal declaration containing the consent of the affected minor to be valid.
In any case, if the Data Controller uses the provided data for a purpose other than the purpose of the original data collection, the data subject is informed of this and requests their prior, express consent, or provides them with the opportunity to prohibit the use.
During data management, the personal data that came to the attention of the Data Controller can only be seen by the persons on behalf of the Data Controller or in an employment relationship with the Data Controller, who have tasks related to the given data management.
Data subject: any natural person identified or – directly or indirectly – identified on the basis of personal data;
Personal data: data that can be related to the data subject – in particular the data subject’s name, identification mark, and one or more physical, physiological, mental, economic, cultural or social identity characteristics – as well as conclusions about the data subject that can be drawn from the data;
Special data: personal data relating to racial origin, belonging to a nationality, political opinion, party affiliation, religious or other worldview beliefs, interest-representative organization membership, sexual orientation, as well as personal data relating to health status, pathological passion, and criminal personal data;
Consent: a voluntary and decisive declaration of the data subject’s will, based on adequate information, and with which he gives his unequivocal consent to the processing of his personal data – fully or covering certain operations;
Objection: the statement of the data subject objecting to the processing of their personal data and requesting the termination of data processing or the deletion of processed data;
Data controller: a natural or legal person or an organization without legal personality who, independently or together with others, determines the purpose of data management, makes and implements decisions regarding data management (including the device used), or implements them with the data processor it has commissioned ;
Data management: regardless of the procedure used, any operation performed on the data or the set of operations, including in particular the collection, recording, recording, organization, storage, change, use, query, transmission, disclosure, coordination or connection, locking, deletion and destruction, and preventing further use of the data, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying the person (e.g. fingerprint or palm print, DNA sample, iris image);
Data transfer: making the data available to a specific third party;
Disclosure: making the data available to anyone;
Data deletion: making data unrecognizable in such a way that their recovery is no longer possible;
Data marking: providing the data with an identification mark for the purpose of distinguishing it;
Data blocking: providing the data with an identification mark for the purpose of limiting its further processing permanently or for a specified period of time;
Data processing: performing technical tasks related to data management operations, regardless of the method and tool used to perform the operations, as well as the place of application, provided that the technical task is performed on the data;
Data processor: a natural or legal person, or an organization without legal personality, who processes data on the basis of a contract with the data controller, including contracts based on the provisions of the law;
Third party: a natural or legal person, or an organization without legal personality, who is or is not the same as the data subject, data controller or data processor.
Data protection incident: unlawful handling or processing of personal data, including in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage.
3.1. Use of other accommodation services
As part of the provision of services, the management of all data related to the data subject is based on voluntary consent, and its purpose is to ensure the provision of the service and maintain contact. The personal data contained in this point, with the exceptions contained in each sub-point, is A/L Rent-A – Home Kft. keeps it for a period of time in accordance with the current tax law and accounting regulations, and deletes them after the deadline.
For each service, it is possible to enter additional data in the comments section, which helps the Guest to fully understand our needs, but this is not a condition for booking a room or using other services.
3.2. Reservation
The Data Controller works together with certain accommodation portals (www.Airbnb.com, www.booking.com, www.tripadvisor.com, www.sabbee.com). In the event of an accommodation reservation, the accommodation portals are considered data controllers independent of this Data Controller, based on the voluntary consent of the User, they receive the personal data of the booking Guest at the same time as the booking and forward it to the Accommodation for the purpose of fulfilling the booking.
You can find information about the data management guidelines of accommodation portals on their own websites:
Booking.com:
https://www.booking.com/content/privacy.hu.html?aid=397634;label=gog235jc-index-hu-XX-XX-unspec-hu-com-L%3Ahu-V%3A0ahUKEwj5ja6PkcfbAhWCxaYKHUYoD0IQFggwMAA-O% 3Aabn-B%3AinternetSexplorer-N%3AXX-S%3Abo-U%3Ac-H%3As;sid=a46fbeb0970b7e81cebecc925923e394
Airbnb:
https://www.airbnb.hu/terms/privacy_policy
Tripadvisor:
https://tripadvisor.mediaroom.com/HU-privacy-policy
Sabbee
https://www.sabeeapp.com/hu/privacy-policy
3. 2. 1. In the case of online, personal (paper-based) or telephone room reservations, the Data Controller requests/can request the following data from the Guest
first name;
last name;
address (address, settlement, postal code, country);
email address;
telephone number;
mobile phone number (optional field);
credit card/debit card type;
credit card number/bank card number;
name of credit card/bank card holder;
credit card/debit card expiration date;
We do not ask for a credit card/bank card CVC/CVV code either on the website, by phone or by e-mail
3. 3. Bank card data
The Data Controller uses the bank and credit card/bank account data provided during the reservation of the apartment only to the extent and for as long as it is necessary to exercise its rights and fulfill its obligations. The data is managed by the Company’s contractual banking partners. You can find information about this data management on the website of the relevant Bank (MKB – www.mkb.hu, SixPayment-www.six-payment-services.com).
3.4. Guest questionnaire, evaluation system
Guests can give their opinion about the Data Controller’s services online, via e-mail, or with the help of the evaluation system of the Hotel Portals. When filling out the questionnaire, the Guest can provide the following personal data:
Name;
Check-in date;
Apartment name;
Availability (address, e-mail address, phone number).
Providing the data is not mandatory, it only serves to accurately investigate any complaints and to ensure that the Data Controller responds to the guest.
The Data Controller may also use the opinions received in this way and any related data that cannot be traced back to the given Guest and cannot be linked to the Guest’s name for statistical purposes.
The personal data provided by filling out the Guest Questionnaire will be deleted by the Data Controller within 5 (five) working days after the investigation of the complaint.
The purpose of data management is to share the contents of the Data Controller’s website. With the help of the Facebook page, the Guest can find out about the apartments, special offers, and programs recommended by the Data Controller.
By clicking on the “like” link on the Data Controller’s Facebook page, the data subject consents to the publication of the Data Controller’s news and offers on his own message board.
The Data Controller can also publish pictures/films of various events on the Facebook page. If it is not a mass recording, the Data Controller always asks for the written consent of the data subject before publishing the images.
Facebook is also considered a data controller operating independently of this Data Controller. The data management information of the social site can be read on the following website:
https://www.facebook.com/privacy/explanation
The Data Controller operates websites:
www.homeinbp.com
http://budapestflat.net/en/
5.1. References and links
The Data Controller’s website may also contain links that are not operated by the Data Controller and are only for the information of visitors. The Data Controller has no influence on the content and security of the websites operated by the partner companies, so it is not responsible for them. Please review the data management information and privacy statement of the pages you visit before entering your data in any form on that page.
5.2. Analytics, cookies
Cookies are not used when visiting the websites of the Data Controller
It is possible for anyone to contact the Data Controller by e-mail. The Data Controller handles the messages until the given request/question is solved/answered, and when the request/question is closed, such e-mails are archived and stored for 1 year.
The consent of the data subject must be assumed for the processing of personal data in resumes sent to the Data Controller in any form for job search purposes. The purpose of data management is to select suitable applicants.
If the data subject expressly prohibits the processing of such personal data, such data will be deleted by the Data Controller. If the applicant does not request the deletion of the data, the data of the resume and the data contained in it – if the person did not apply for a specific job advertisement – will be automatically deleted within 1 year from the date of sending. The CVs of applicants for a specific job advertisement will be deleted immediately after the person filling the position has been selected.
The Data Controller only forwards the applicant’s CV and/or the personal data contained therein to third parties with the express prior permission of the applicant.
8.1. Other security activities
The Data Controller ensures the verifiability and ascertainability of which bodies the personal data has been or can be transmitted using data transmission equipment, which personal data, when and by whom was entered into the system, and the restoreability of the system in the event of a malfunction. A report is prepared on errors that occur during automated processing.
The Data Controller treats personal data confidentially and does not provide them to unauthorized persons. It protects personal data in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, damage, and loss of access due to changes in the technology used. It takes all security measures to ensure the technical protection of personal data.
8. 2. Who can access the data
The processed personal data can be accessed by the employees of the Data Controller who need it in order to perform their duties in order to enforce the claims related to the reservation of the accommodation, as well as the occupation and departure of the accommodation.
The data can be viewed by local government tax authorities and their employees performing local government tax authority duties related to the declaration of tourism tax.
The data can also be accessed by the debt collection organization or court, bailiff, notary public acting to enforce claims.
The owners of accommodation are subject to the obligation to declare and register tourist tax. To fulfill this, you need the personal data contained in the regulation of the competent local government. II of 2007 In order to fulfill the registration obligation prescribed by § 73, paragraph (2) of the Act, the owner of the accommodation needs the following personal data from third-country nationals: surname and surname, surname and surname at birth; previous family name and surname; place and time of birth; not; his mother’s birth surname and first name; citizenship or stateless status, identification data of the travel document; the starting and expected end time of the use of the accommodation; visa or residence permit number and date and place of entry.
8.3. Data transfer
A/L Rent-A – Home Kft. keeps a data transfer register for the purpose of checking the legality of the data transfer and informing the data subject, which includes the date of transfer of the personal data managed by it, the legal basis and recipient of the data transfer, the definition of the scope of the personal data transferred, and the other data specified in the legislation requiring data management.
The Data Controller reserves the right to hand over the personal data managed by it to the competent authorities and courts in accordance with their request, even without the special consent of the data subject, in cases defined by law.
The Data Controller forwards the personal data to the following data processors for the purpose of data processing, in order to fulfill its legal obligations:
For a partner performing accounting and payroll tasks
Tourist tax for the purpose of registration control for the local municipality
For the owner of the accommodation or his agent
For the financial service provider that provides the company’s payment system
Legal basis for data transfer:
Article 6 (1) GDPR
XCII of 2003 on the taxation system. Act § 45
Decree of locally competent municipalities on tourism tax and record keeping obligations
Act C of 1990 on accounting
Act CXII of 2011 on the right to self-determination of information and freedom of information
During data processing and data transmission, the Data Controller also strives to comply with the data processor to the fullest extent possible:
The data transfer takes place based on the voluntary consent of the data subject or the provisions of the law, in the event that the legal basis for the data transfer is clear and the recipient and purpose of the data transfer is defined.
The instructions given to the data processor in connection with data processing are determined by the Data Controller, who is also responsible for the legality of the given instructions.
The data processor may not carry out further data processing or data management on its own part with regard to the personal data transferred to it.
The data processor is obliged to comply with the instructions of the Data Controller regarding the data transferred for data processing.
Accordingly, the data processor cannot independently make a substantive decision regarding the data provided to him (e.g., based on his independent decision, he cannot delete the personal data provided for the purpose of data processing.)
The data processor further so-called al data processor may only be used with the prior written permission of the Data Controller.
If a data protection incident occurs at the data processor, the data processor must report it to the Data Controller without undue delay.
Info tv makes every effort to be a data controller during data transmission and data processing. and to comply with the regulations and principles of the GDPR.
9.1. Right to information (Articles 13-14 GDPR)
Upon request sent to the e-mail address of the Data Controller or to the name and address of the Data Controller, the Data Controller shall provide information within a maximum of 30 (thirty) days from the date of submission of the request. The information must be about the following:
about the identity and availability of the data controller
the contact details of the data protection officer
on the purpose of processing personal data, as well as the legal basis of data processing
in the case of data processing based on “legitimate interest”, about these legitimate interests
about recipients of personal data
on the planned duration of data management
about the rights of the data subject
about whether the provision of data is a prerequisite for the conclusion of the contract, and what possible consequences the failure to provide data may have
about possible automated decision-making, including profiling.
on the legal remedies available to those concerned
The Data Controller keeps a register for the purpose of checking the measures related to the data protection incident and informing the data subject, which includes the range of personal data concerned, the range and number of people affected by the data protection incident, the date, circumstances, effects of the data protection incident and the measures taken to prevent it, as well as the data management other data specified in the prescriptive legislation.
In the event of a possible refusal to provide information, the Data Controller shall inform the data subject in writing of which provision of the law the refusal of information was based on, and shall inform the data subject of the legal remedies available.
9. 2. Right of access to personal data (GDPR Article 15)
The data subject has the right to receive feedback from the data controller as to whether his personal data is being processed, and if such data processing is underway, he is entitled to access the personal data and the following information:
the purposes of data management,
categories of personal data concerned,
the recipients or categories of recipients to whom the personal data has been or will be communicated, including in particular third-country recipients and international organizations,
where applicable, the planned period of storage of personal data or, if this is not possible, the criteria for determining this period,
the right of the data subject to request from the data controller the correction, deletion or restriction of processing of personal data concerning him and to object to the processing of such personal data,
the right to submit a complaint to a supervisory authority
if the data were not collected from the data subject, all available information about their source
the fact of automated decision-making, including profiling, as well as, at least in these cases, understandable information about the logic used and the significance of such data management and the expected consequences for the data subject.
9. 3. Right to rectification (GDPR Article 16)
If the personal data does not correspond to the reality, and the personal data corresponding to the reality is available to the Data Controller, the personal data will be corrected by the Data Controller.
The Data Controller will notify the data subject of the correction, as well as all those to whom the data may have previously been forwarded for the purpose of data management. The notification can be omitted if this does not harm the legitimate interests of the data subject in view of the purpose of the data management 9.1. the provisions contained in point
9. 4. Deletion, blocking, objection (Articles 17-21 GDPR)
The right to erasure: The data subject has the right to have the data controller erase his personal data without undue delay upon request, if one of the following reasons exists:
the personal data are no longer needed for the purpose for which they were collected or otherwise processed; the data subject withdraws the consent that forms the basis of the data processing pursuant to point a) of Article 6 (1) or point a) of Article 9 (2) of the GDPR, and there is no other legal basis for the data processing;
the data subject objects to the data processing based on Article 21 (1) of the GDPR and there is no overriding legal reason for the data processing, or the data subject is the GDPR. objects to data processing on the basis of Article 21 (2);
if the personal data was handled unlawfully by the data controller;
if the personal data must be deleted by law;
the collection of personal data took place in connection with the offer of information society-related services referred to in Article 8 (1) of the GDPR (conditions for child consent).
The data manager will not delete the data if the data management is necessary for one of the following reasons:
for the purpose of exercising the right to freedom of expression and information;
for the purpose of fulfilling the legal obligation requiring the processing of personal data;
or is necessary for the submission, enforcement or defense of legal claims.
The right to protest:
(The data subject has the right to object at any time to the processing of his personal data based on points e) or f) of Article 6 (1) of the GDPR, including profiling based on the aforementioned provisions, for reasons related to his own situation. In this case, the data controller may no longer process the personal data, unless it proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are related to the submission, enforcement or defense of legal claims. )
9. 5. The right to data portability:
The data subject has the right to receive his/her personal data in a segmented, widely used, machine-readable format, and is also entitled to transfer this data to another data controller without being hindered by the data controller to which the personal data was provided. , if: a) the data management is GDPR. It is based on consent according to Article 6 (1) point a) or Article 9 (2) point a) or on a contract according to Article 6 (1) point b) of the GDPR; and b) data management is performed in an automated manner.)
9. 6. Compensation and damages
If A/L Rent-A – Home Kft. causes damage by illegally handling data of the data subject or violates data security requirements, or violates the data subject’s right to privacy, damages may be demanded from the Data Controller.
The data controller shall be released from responsibility for the damage caused and from the obligation to pay compensation if it proves that the damage or the violation of the privacy rights of the data subject was caused by an unavoidable cause outside the scope of data management.
A/L Rent-A – Home Kft. is also liable to the data subject for the damage caused by the data processor, and the Data Controller is also obliged to pay the data subject the damages due in the event of a privacy violation caused by the data processor. The Data Controller shall be released from liability and the obligation to pay damages if it proves that the damage or the violation of the privacy rights of the data subject was caused by an unavoidable cause outside the scope of data management. There is no need to compensate the damage and no damages can be claimed if it resulted from intentional or grossly negligent behavior on the part of the person concerned.
9. 7. Judicial enforcement
In the event of a violation of their privacy rights, the data subject may apply to the court against the Data Controller. For the court procedure, § 22 of the Data Protection Act, Act V of 2013 on the Civil Code, Book One, Part Three, XII. The provisions contained in its title (§§ 2:51 – 2:54) and other relevant legal regulations shall apply.
By using the Website or making a reservation, the Data Subjects accept the contents of this Data Management Information.
A/L Rent-A – Home Kft. reserves the right to amend this Notice. about which amendment it notifies the affected parties.
A/L Rent-A – Home Kft. assumes no responsibility for the correctness of data provided by website visitors or Guests.
You can always ask the National Data Protection and Freedom of Information Authority for help with data protection issues:
Mailing address: 1534 Budapest Pf.: 834
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
www.naih.hu
e-mail: ugyfelszolgalat@naih.hu
