Personal Data Information

Website

The Hotel does not record either the IP address of the visitor (hereinafter: User) or any other personal data of the User when visiting the Website operated by the Hotel. The data technically recorded during the operation of the system are the data of the User's logging-in computer that are generated during the use of the service, and which are automatically recorded by the data controller's system as a result of technical processes. The automatically recorded data are automatically logged by the system upon login and logout without any separate declaration or action by the User. These data cannot be linked with other personal data of the User - except in cases mandated by law. Only the Hotel has access to the data. The purpose of the automatically recorded data is

The HTML code of the Website operated by the Hotel may contain links originating from and pointing to independent external servers for web analytics purposes. The measurement also includes conversion tracking. The web analytics service provider does not process personal data, only data related to browsing that is not suitable for identifying individuals. Currently, web analytics services are provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043) under the Google Analytics service. The data made accessible by Users during the use of the service can be used by the Hotel to form User groups and to display targeted content and/or advertisements on the Hotel's websites for these User groups.

Data automatically recorded during the operation of the system is stored in the system for a period justified by the need to ensure the operation of the system from the time they are generated. The Hotel ensures that these automatically recorded data cannot be linked with other personal data of the Users, except in cases mandated by law.

The Website of the Hotel is hosted and data processing activities related to the operation of the Website are carried out by WEB200 Internet Média Kft. (7400 Kaposvár, gróf Apponyi Albert u. 17.).

Cookies

During a visit to the Website, the Hotel places a small data package (known as a "cookie") on the User's computer. Based on these, the Hotel processes and stores data related to the Users' browsing habits and the information provided during the session, thereby ensuring the highest possible quality of the Website's operation and enhancing the user experience. The User can consent to the use of cookies through a layer displayed on the Website. As a general rule, cookies are stored for 30 days; however, the User can configure and block cookie-related activities using their browser settings. Please note that without the use of cookies, the User may not be able to use all the services of the Website.

The Hotel runs so-called remarketing advertisements through the Facebook and Google AdWords advertising systems. These service providers may collect or receive data from the Hotel's website and other internet locations using cookies, web beacons, and similar technologies. Using these data, they provide measurement services and target advertisements. Such targeted advertisements may appear on additional websites within the Facebook and Google partner networks. Remarketing lists do not contain personal data of visitors and cannot be used for personal identification.

The User can delete cookies from their own computer or prohibit their use in their browser. These options can typically be found in the Settings / Privacy menu, depending on the browser.

For more information on Google's and Facebook's privacy policies, please visit the following links:

Reservation

Guests can book a room at the hotel via email, phone, in person, or through the online booking system available on the website. Data processing is based on the User's voluntary declaration, which relies on appropriate information necessary for hotel room reservations. The legal basis for data processing is the voluntary consent of the Data Subject according to Section 5(1)(a) of the Information Act, as well as Section 169(2) of Act C of 2000 on accounting.

In the case of room reservations, in addition to stay-related data, the following personal data will be processed: last name, first name, phone number, email address, password provided during pre-registration, billing address provided for invoice issuance, transaction number, date, and time of transaction, content of receipt, customer code, name, address, and tax number in case of VAT invoice. The duration of data processing is 8 years. The Hotel uses this data for room reservation processing, communication with the User, keeping records and fulfilling accommodation reservations, documenting payments, and fulfilling accounting obligations. The purpose of data processing is also to identify the User as a requester of hotel services and to fulfill the ordered service, send related notifications, issue invoices, facilitate payment processing, maintain records of Users, and distinguish them from each other.

The Hotel processes personal data for the duration of the purpose of data processing, primarily during the contractual relationship with the respective User (after which the data provided by the User will be deleted), or until the User requests deletion of their data or withdraws their consent, except for mandatory data processing (especially in case of the preservation obligation specified in Section 169 of Act C of 2000 on accounting).

The technological background of the online booking system is currently provided by Morgens Design Kft. (8800 Nagykanizsa, Magyar utca 79.), who as a data processor consolidates the data of incoming reservations, stores them on their server, and enables confirmation of reservations through their online interface.

Other Data Management

In cases of data processing not listed in this policy, we provide information at the time of data collection. We inform our guests and clients that courts, prosecutors, investigative authorities, administrative authorities, the data protection ombudsman, or other bodies authorized by law may contact the Hotel to provide information, disclose data, transfer data, or provide documents. The Hotel only discloses personal data to authorities if the requesting authority specifies the exact purpose and scope of the data required, and only to the extent necessary to fulfill the purpose of the request.

The Hotel does not verify the personal data provided to it. The accuracy of the provided data is the sole responsibility of the individual providing it. When providing an email address, the user also assumes responsibility for ensuring that only they use the provided email address for availing services. Therefore, any liability arising from activities associated with a provided email address is solely the responsibility of the user who registered the email address. If the user provides personal data that does not belong to them, they are obligated to obtain the consent of the respective individual.

Employees of the Hotel who are employed or contracted by the Hotel have the right to access personal data.

Data Transfer

The Hotel only transfers personal data to third parties with the User's prior and informed consent, except in cases of mandatory data transfers based on law.

By using the service, the User consents to the Hotel informing them directly and immediately about any significant changes affecting the service they intend to use.

As the Data Controller, the Hotel is authorized and obliged to transmit any personal data it lawfully stores to the competent authorities, as required by law or by a legally binding administrative order. The Hotel cannot be held responsible for such data transfers or their consequences.

If the Hotel partially or entirely transfers the operation or utilization of content services found on its website to a third party other than WEB200 Internet Média Kft., it may transfer all personal data it holds to this third party for further processing without requiring additional consent. However, such data transfers can only serve the continuous registration of already registered Users, and they must not put the User in a disadvantageous position compared to the data processing and data security rules specified in this Policy.

Security of Data Management

The Hotel handles and stores personal data with the utmost care. In the field of information security, the Hotel employs the most efficient and modern tools and procedures reasonably available.

The Hotel is obliged to plan and execute data processing operations in a manner that ensures the protection of individuals' privacy.

Both the Hotel and its data processors are required to ensure the security of data and to take technical and organizational measures and establish procedural rules necessary to enforce the provisions of the Information Act and other data and confidentiality regulations.

Data must be protected against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental loss or damage, and against becoming inaccessible due to changes in the applied technology. To protect electronically managed data sets in various registries, suitable technical solutions must be implemented to ensure that the data stored in the registries, except where permitted by law, cannot be directly linked or attributed to the data subject.

During automated processing of personal data, both the data controller and the data processor take additional measures to ensure the protection of privacy, confidentiality, and integrity

1. Unauthorized data input prevention;
2. Prevention of unauthorized persons using automatic data processing systems with data transmission devices;
3. Verification and determination of which organizations have received or may receive personal data through the use of data transmission devices;
4. Verification and determination of which personal data has been inputted into automatic data processing systems, when, and by whom;
5. Ensuring the restoration of installed systems in case of operational failure;
6. Reporting of errors occurring during automated processing.

The data controller and data processor must consider the state of the art when determining and implementing security measures to safeguard data. Among several possible data processing solutions, the one chosen should provide a higher level of protection for personal data, except if it would represent a disproportionate burden for the data controller.

The Hotel selects and operates information technology tools used for handling personal data during service provision in a way that ensures:

1. Accessibility to authorized individuals;
2. Assurance of data integrity and authentication;
3. Demonstrable immutability;
4. Protection against unauthorized access.

The Hotel ensures data security through technical, organizational, and procedural measures commensurate with the risks associated with data processing. During data processing, the Hotel maintains:

1. Confidentiality: protecting information so that only authorized individuals can access it;
2. Integrity: ensuring the accuracy and completeness of information and processing methods;
3. Availability: ensuring that when needed, authorized users can access the desired information, and the necessary tools are available.

Electronic messages transmitted over the Internet, regardless of protocol (email, web, ftp, etc.), are vulnerable to network threats that can lead to malicious activity or disclosure or modification of information. To protect against such threats, the Hotel takes all reasonable precautions. Systems are monitored to record any security deviations and provide evidence in case of security incidents. However, the Internet, as commonly known to users, is not entirely secure. Despite the utmost care, the Hotel is not liable for damages resulting from unavoidable attacks. The Hotel's IT systems and networks are protected against computer-supported fraud, espionage, sabotage, vandalism, fire, flood, as well as computer viruses, intrusions, and denial-of-service attacks. The Hotel implements server-level and application-level security procedures to ensure security.

Audio and Video Recording of Events

The Guest acknowledges that during Events, audio and visual recordings may be made by Hotel employees, as well as Contractual Partners and Collaborators authorized by the Hotel, members of the press (in accordance with separate agreements), other Guests, and third parties. Accordingly, by participating in the Programs/Events, the Guest expressly consents to the recording and publication of their face, appearance, and expressions, with the understanding that they can only be identified by name with their explicit consent. If the Guest qualifies as a public figure, they may be named without their consent. The creator of such recordings gains unlimited, transferable, and exclusive rights in terms of spatial, temporal, and usage mode regarding the Guest's relationship. Hotel employees and individuals authorized by the Hotel are entitled to utilize the recordings without limitation in the Guest's context, including but not limited to promoting Events, reproducing, publishing, adapting, disclosing, broadcasting, transmitting to the public, and distributing, without being required to provide any compensation to the Guest. The Guest acknowledges separately that the Hotel records and reproduces the event, distributes it through various media, including online platforms like YouTube, and grants the public access at their own discretion regarding the time and place of access. In relation to the aforementioned representations, the Guest is not entitled to make any claims or demands against the Hotel. The Guest is entitled to make audio and visual recordings at the Event for personal use only, using personal telecommunication devices (e.g., mobile phones, tablets) integrated with image and sound recording functions, or non-professional photographic equipment. The Guest may not sell or utilize the recordings for compensation, nor use them for commercial purposes without compensation, and may not identify the Visitors depicted therein or violate their privacy rights without their consent. The Hotel expressly disclaims any liability if other Guests violate the foregoing provisions.

Rights and Their Validation

Changes to personal data and requests for the deletion of personal data may be communicated with a written declaration expressed in a document of full probative value sent to the registered email address or by post. Once a request for deletion or modification of personal data has been fulfilled, the previous (deleted) data cannot be restored.

Users may request information about the processing of their personal data. The Hotel considers an information request sent by email credible only if it is sent from the user's registered email address. Upon request, the data controller shall provide the data subject with information about the personal data managed by the data subject or by the data processor appointed by the data subject, including their source, purpose of processing, legal basis, duration, the name and address of the data processor, and its activities related to data processing, as well as - in case of the transfer of personal data - the legal basis and recipient of the data transfer. Requests for information must be sent via email to info@wellamarin.hu. The Hotel is obliged to provide information in a comprehensible form in writing within the shortest possible time from the submission of the request, but no later than within 30 days upon receipt of the request by the data subject.

The above-mentioned information is free of charge if the requester has not yet submitted an information request to the data controller for the same data set in the current year. In other cases, a fee may be charged. If the fee has already been paid and the data has been unlawfully processed, or if the request for information has led to a correction, the already paid fee must be refunded.

The data controller may refuse to provide information to the data subject only in cases specified in the Information Act. In case of refusal of information, the data controller shall inform the data subject in writing about the legal basis for denying the information. In case of refusal of information, the data controller shall inform the data subject about the possibility of judicial remedy and recourse to the National Data Protection and Freedom of Information Authority (hereinafter: Authority). The data controller shall notify the Authority of rejected requests annually by January 31 of the following year.

The data subject may request the correction, deletion, or blocking of personal data from the data controller. For the purpose of verifying the lawfulness of data transmission and informing the data subject, the Hotel keeps a record of data transfers, which includes the date of transmission of personal data managed by it, the legal basis and recipient of data transfer, the determination of the scope of personal data transmitted, as well as other data prescribed by law governing data processing.

If personal data does not correspond to reality, and if the correct personal data is available to the data controller, the data controller shall correct the personal data. Personal data must be deleted if:

1. its processing is unlawful;
2. the data subject requests it pursuant to the provisions of the Information Act;
3. it is incomplete or inaccurate - and this condition cannot be lawfully remedied -, provided that deletion is not excluded by law;
4. the purpose of data processing has ceased, or the statutory deadline for data storage has expired;
5. it has been ordered by a court or the Authority.

In the case specified in paragraph 4 above, the obligation to delete does not apply to personal data whose data carrier must be placed under archival retention pursuant to legislation protecting archival material.

Instead of deletion, the data controller shall block the personal data if requested by the data subject or if, based on the available information, it can be assumed that deletion would violate the legitimate interests of the data subject. The blocked personal data may only be processed as long as the purpose of data processing that prevented the deletion of personal data persists.

The data controller shall identify the personal data it manages if the data subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed personal data cannot be clearly established.

The data subject, as well as all those to whom the data was previously transmitted for the purpose of data processing, must be informed of corrections, blocking, identification, and deletion. Notification may be omitted if it does not violate the legitimate interests of the data subject in view of the purpose of data processing.

If the data controller fails to comply with the data subject's request for correction, blocking, or deletion, it shall inform the data subject in writing of the factual and legal reasons for rejecting the request for correction, blocking, or deletion within 30 days from the receipt of the request. In case of refusal of correction, deletion, or blocking, the data controller shall inform the data subject about the possibility of judicial remedy and recourse to the Authority.

The data subject must be informed before the start of data processing whether the data processing is based on consent or is mandatory. The data subject must be clearly and comprehensively informed before the start of data processing about all facts concerning the processing of his or her data, in particular the purpose and legal basis of data processing, the person authorized to process and process the data, the duration of data processing, whether the data controller processes the data of the data subject pursuant to Section 6 (5) of the Information Act, and who may have access to the data. The information must also include the data subject's rights and remedies concerning data processing. In the case of mandatory data processing, the information may be provided by making reference to legal provisions containing the information specified in the above paragraph.

The data subject may object to the processing of his or her personal data if:

1. the processing or transmission of personal data is necessary solely for the fulfillment of a legal obligation applicable to the data controller or to assert the legitimate interests of the data controller, the data recipient, or a third party, except in cases of mandatory data processing;
2. the use or transmission of personal data is for direct marketing, public opinion research, or scientific research purposes; and
3. in other cases specified by law.

The data controller shall examine the objection within the shortest possible time, but no later than 15 days from the submission of the objection, make a decision on its merits, and inform the applicant in writing. If the data controller establishes the justification of the data subject's objection, it shall cease the data processing - including further data collection and transmission - and block the data, and shall inform all those to whom the personal data affected by the objection has been transmitted previously and who are obliged to take action to enforce the right to object about the objection and the measures taken based on it.

If the data subject does not agree with the decision of the data controller or if the data controller misses the relevant deadline, the data subject may appeal to court within 30 days from the notification of the decision or the last day of the deadline, in the manner specified in Section 22 of the Information Act.

If the data recipient does not receive the necessary data due to the objection of the data subject, within 15 days from the notification, in order to obtain access to the data, the data recipient may, in the manner specified in Section 22 of the Information Act, file a lawsuit against the data controller. The data controller may also summon the data subject to court.

If the data controller fails to provide notification, the data recipient may request clarification from the data controller regarding the circumstances of the failure to transfer data within 8 days following the delivery of the data recipient's request, which the data controller must provide within 8 days. If a clarification is requested, the data recipient may, within 15 days from the provision of the clarification, or at the latest by the deadline, initiate legal action against the data controller. The data controller may also summon the data subject to court.

In case of infringement of the rights of the data subject, as well as in the cases specified in Section 21 of the Information Act, the data recipient may bring legal action against the data controller. The court shall handle the case expeditiously.

It is the responsibility of the data controller to prove that data processing complies with the provisions of the law. In cases specified in paragraphs (5) and (6) of Section 21 of the Information Act, it is the responsibility of the data recipient to prove the legality of data transmission to them. The adjudication of the case falls within the jurisdiction of the court. The lawsuit may be filed before the court having jurisdiction over the data subject's domicile or residence, as chosen by the data subject. The Data Protection Authority may intervene in the lawsuit to safeguard the interests of the data subject's success in the lawsuit.

If the court grants the request, it obliges the data controller to provide information, correct, block, delete, annul decisions made by automated data processing, consider the data subject's right to object, and release data requested by the data recipient, as specified in Section 21 of the Information Act.

If the court rejects the data recipient's request in the cases specified in Section 21 of the Information Act, the data controller must delete the personal data of the data subject within 3 days of the announcement of the judgment. The data controller is obliged to delete the data even if the data recipient does not go to court within the deadlines specified in paragraphs (5) and (6) of Section 21 of the Information Act.

The court may order the publication of its judgment, including the identification data of the data controller, if the interests of data protection and the rights of a larger number of data subjects protected by this law require it.

The data controller is liable for damages caused by the unlawful processing of the data of the data subject or by the breach of data security, to others. The data controller is also responsible for the damages caused by the data processor. The data controller is exempt from liability if it proves that the damage was caused by an unavoidable circumstance beyond the scope of data processing. Damages need not be reimbursed to the extent that they result from intentional or grossly negligent behavior on the part of the injured party.

Legal Remedy

Should you have any comments or complaints, please contact the staff at the email address info@wellamarin.hu. Users can exercise their legal remedies before the court based on the Information Act and the Civil Code. Remedies and complaints can be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Phone: +36 1 391-1400
Fax: +36 1 391-1410
Email: ugyfelszolgalat@naih.hu
Website: naih.hu