1. Data Controller
Hotel Kentaur Korlátolt Felelősségű Társaság
Seat: 8600 Siófok Akácfa u.1. Hungary
Co. Reg. No.: 14-09-315108 Kaposvári Törvényszék
Phone number: +36-84 550055
The Company respects the personal rights of its Guests, hence it prepared this Data Protection Guide (hereinafter: Guide), which is available in electronic format at the Company’s website as well as in print format in the hotel.
The Company, as data controller, hereby states that it observes the provisions of Act (hereinafter: “Data Protection Act”) on the rights for information management and freedom of information.
This Guide provides a general overview on how the Company manages data in the course of its services.
The Company shall only manage personal data for pre-determined purposes, for the necessary period of time and in order to exercise its rights and fulfil obligations. The Company shall only manage such personal data that are indispensable and suitable for fulfilling the objective of the particular data management activity.
Legal statements containing the agreement of minors under sixteen years of age shall not be valid unless agreed or subsequently approved by the statutory guardian of such minors.
If the Company uses the received data for any other purpose than the original purpose of data collection, the Company shall inform the data subjects in each case and ask for their specific, prior consent and/or shall provide an opportunity for them to disallow such usage.
Personal data communicated to the Company during the data management process shall only be disclosed to such persons contracted or employed by the Company entrusted with duties in relation to the given data management process.
Data subject: any specific natural person identified or identifiable (directly or indirectly) based on the personal data;
Personal data: any data that can relate to the data subject – especially the data subject’s name, identification number, as well as one or more pieces of information characteristic of their physical, physiological, mental, economical, cultural or social attributes – and any such conclusions regarding the data subject that can be drawn from such data;
Special data: personal data regarding racial origin, nationality, political opinion or party affiliation, religious or other philosophical convictions, advocacy organisation membership and sexual activities, as well as personal data concerning health conditions and addictions, and personal data on prior criminal activity;
Consent: voluntary and specific expression of the data subject’s intention, which is based on proper information and by which the data subjects provide a clear and unambiguous consent to managing their personal data comprehensively or for particular operations;
Objection: a statement by the data subjects in which they object to the management of their personal data and request the termination of data management and/or the deletion of the data managed;
Data Controller: the natural or legal persons or organizations not having a legal personality, who or which determine the purpose of data management on its own or together with others, and make and carry out the decision regarding data management (including the equipment used), or have the data processor entrusted by them to carry out such decisions;
Data management: regardless of the procedure applied; any operation or the whole of operations performed on data, specifically including the collection, recording, systematization, storage, modification, application, query, transfer, publication, harmonisation or linking, blockage, deletion and destruction of data, as well as the prevention of the further usage of such data, photographing, audio or visual recording, as well as the recording of physical attributes suitable for the identification of a person (e.g.: finger- or palm prints, DNA samples, iris scans);
Data transfer: rendering data accessible for certain third parties;
Publication: rendering data accessible for the general public;
Data deletion: rendering data unrecognisable in such a manner that their restoration is no longer possible;
Tagging data: applying an identifying mark to the data in order to distinguish them;
Data blocking: applying an identifying mark to the data in order to block their management for a defined period of time or for good;
Data processing: performing any technical tasks related to data management operations, regardless of the method and equipment applied for the performance of such operations as well as of the place of application, provided that the tasks are performed in terms of data;
Data processor: natural or legal persons and/or organizations not having a legal personality, who or which perform data processing activities based on their contract with the data controller – including contracts concluded pursuant to legal provisions;
Third party: natural or legal persons and/or organizations without a legal personality, who or which are not identical with the data subject, the data controller or the data processor.
3. Data management
3.1. Using hotel and restaurant services
The management of any data related to the data subject and the provision of services are based on voluntary consent, with the purpose of such data management to provide services and/or maintain contact. The Company shall preserve the personal data described in this article (excluding the exceptions defined in the paragraphs) for the period of time defined in the provisions of the relevant tax and accounting laws, and shall delete them after that period.
In the case of particular services, additional data can be provided in the comments section, which allows for a complete assessment of the Guests’ needs. Making room reservations and using other services, however, shall not depend upon the provision of such additional data.
Guests may also sign up for the newsletter in the course of using each service. Data management related to the newsletter is provided for in Article 3.6.
3.1.1. Room reservations
In the case of online, personal (paper-based) or phone reservations, the Company requests/can request that the Guest makes the following data available:
• first name,
• last name;
• address (address, town, post code, country)
• e-mail address;
• phone number;
• mobile phone number (optional)
• type of credit card / debit card;
• number of credit card / debit card,
• name of credit card / debit card holder;
• expiry date of credit card / debit card;
• CVC/CVV code of credit card / debit card (in case of MasterCard: Card Validation Code(CVC2), in case of Visa International: Card Verification Value (CVV2) .)
If you have any further questions regarding the management of data related to room reservations, please send your enquiry to email@example.com.
3.1.2. Hotel registration cards
Upon using hotel services, Guests shall fill in a hotel registration card, in which they give their consent to the Company managing the data they are obliged to provide. The Company shall manage such data in order to fulfil its obligations prescribed in the relevant legal regulations (particularly regarding the laws related to immigration control and tourism tax) as well as to verify the completion of services and/or to identify the Guests for as long as required by the competent authority to manage the fulfilment of obligations as defined in the given laws. In order to speed up and simplify the check in administration, guests can pass their ID (ID card or passport), which will be returned after the data has been recorded.
• first name and surname,
• place and date of birth,
• purpose of travel,
• ID number (ID card or passport),
• beginning and ending date of the hotel stay,
• visa number, certificate of registration,
• time and place of entry into the country.
Providing the required data by the Guests is a precondition for using hotel services.
By signing the registration card, Guests consent to the Company managing and/or archiving the personal data provided by filling in the registration card in order to verify that the contract was concluded and/or performed, as well as to possibly enforce claims against the deadline specified above.
Guests may also sign up for the Company’s newsletter by providing their e-mail address in the registration card. In other matters, the provisions in 3.6. shall govern the management of newsletters.
If you require further information concerning the data managed in relation to the registration card, please send your questions to firstname.lastname@example.org.
3.1.3. Bank card data
For room reservations, the Company can only use the given bank card, credit card and bank account data to such an extent and period of time as necessary for the exercise of rights and fulfilment of obligations. Data is handled by the Company’s contractual bank partners. Information about their data handling policies can be found on the websites of the competent Bank (K&H –www.khb.hu, Sopron Bank -sopronbank.hu).
Guests can receive further information on the management of bank card data upon email request to email@example.com .
3.2. Guest Loyalty Programme and Corporate Programme
The Company’s Guest Loyalty Programme is an exclusive service provided for Guests of Hotel Kentaur Kft. – natural persons – with the purpose of providing discounts to returning guests.
The Company’s Corporate Programme is an exclusive service provided for the hotels’ corporate partners – legal persons – with the purpose of providing discounts to returning guests.
The participants of the given programme specifically consent to the company managing their personal data handed over for the purpose of operating the Guest Loyalty and the Corporate systems, and/or sending newsletters.
Membership status in the Guest Loyalty and Corporate Programme shall become inactive within 3 (three) years after the date of the last hotel/restaurant or any other service used. The Company shall store the members’ data for the period of time defined in the provisions of the relevant tax and accounting laws, and shall delete them after that period.
The personal data managed in the programmes are stored to maintain contact. The Company may manage the following personal data in the programmes:
In the case of a natural person:
• company name
• mailing address
• phone number
• e-mail address
• date of birth (Minors under eighteen years of age may not participate in the programme.)
For Frequent Guests signing up to the newsletter or contributing to promotional activities, the Company shall further handle the data listed above according to the provisions in Section 3.6 in the present Information Guide.
Guests can request the deletion of their data managed in the guest loyalty programme or corporate programme by sending an e-mail to firstname.lastname@example.org.
3.3. Gift Voucher
When purchasing a Gift Voucher, Customer shall provide the following personal data:
In case of a personal purchase:
• billing name and address,
• name of voucher recipient.
In case of an online order, via the Company’s official website:
• e-mail address,
• phone number,
• billing name and address,
• name of voucher recipient.
The purpose of data management is to maintain contact with the customer and deliver gift vouchers.
You can find the relevant balance and the expiry date on the Gift Voucher.
The Company shall store the personal data received therein for the period of time defined in the provisions of the relevant tax and accounting laws, and shall delete them after that period.
For further details on data management related to gift vouchers, please send your inquiry to email@example.com.
3.4. Guest questionnaire, evaluation system
As part of the quality assurance process applied by the Company, Guests may provide feedback on the services of the Hotel Kentaur Kft. via an online or paper-based guest questionnaire and/or evaluation system. When filling out the questionnaire, Guests may provide the following personal data:
• date of visit;
• room number;
• contact (address, e-mail address, phone number);
Providing these data is not obligatory, and merely serve the purpose of an accurate investigation of possible complaints and/or enable the Company to respond to the guest.
The feedback received in this manner and the data potentially provided by the Guest may not be traced back to the Guest or linked to the name of the Guest, but may be used by the Company for statistical purposes.
Personal data provided along with filling out the Guest Questionnaire shall be deleted by the Company within 5 (five) working days after the complaint was investigated. The Company shall delete the e-mail address and user name provided to use the evaluation system when Guests send such a request to firstname.lastname@example.org.
3.5. Surveillance cameras
The Company operates surveillance cameras in the area of the hotel and restaurant operated by the Company in order to ensure the security of Guests and their property. Camera surveillance is indicated by a pictogram and a warning sign with text.
The purpose of camera surveillance is the protection of property. More specifically, the purpose is to protect equipment with significant value as well as the personal valuables of Guests regarding detecting breaches of the law and catching perpetrators in the act, and the prevention of such criminal acts cannot be done in any other way, and/or there is no other method of presenting evidence.
You can receive more information about data management in relation to the camera system in the hotel.
The Company shall not send newsletters to natural persons unless consented to by the data subject. The data subjects consent to the Company sending electronic newsletters to their e-mail address by providing an address in the course of signing up for the newsletter (at the website, via e-mail or in print).
The Company shall store the provided personal data on a special list, separated from data handed over to the Company for other purposes. This list shall only be accessible to the Company’s authorized personnel and data processors. The Company shall not disclose the list or data to any third party and/or unauthorized parties, and shall take all security measures to prevent any unauthorized person from viewing them.
The purpose of data management in relation to sending newsletters is to provide comprehensive, general or customized information to the addressee regarding the Company’s latest special offers.
The Company shall only manage the personal data collected for this purpose for as long as the Company wishes to inform the data subjects via the newsletter and/or until the data subjects unsubscribe from the newsletter.
The data subjects may unsubscribe from the newsletter any time at the bottom of the newsletter or by sending a request to email@example.com.
3.7. Facebook page
You can find further information about the data management of the Facebook page in the data protection guidelines and rules at www.facebook.com.
3.8. Website traffic data
3.8.1. References and links
The Company’s website may contain links that are not operated by the Company, and are only there to inform visitors. The Company has no influence whatsoever on the content and security of the websites operated by partner companies, and therefore it is not responsible for them either. Before providing your data in any form at the given site, please review the data protection statements and data management guidelines of the websites you visit.
3.8.2. Analytics, cookies
In order to monitor its websites, the Company uses an analytical tool (Google Analytics) which prepares a data string and tracks how the visitors use the Internet pages. When a page is viewed, the system generates a cookie in order to record the information related to the visit (pages visited, time spent on our pages, browsing data, exits, etc) but these data cannot be linked to the visitor’s person. This tool is instrumental in improving the ergonomic design of the website, creating a user-friendly website and enhancing the online experience for visitors. The Company also uses Google Analytics Advertising Features like Remarketing with Google Analytics and Google Display Network Impression Reporting.
The Company does not use the analytical systems to collect personal information. Most Internet browsers accept cookies, but visitors have the option of deleting or automatically rejecting them. Since all browsers are different, visitors can set their cookie preferences individually with the help of the browser toolbar. You might not be able to use certain features on our website if you decide not to accept cookies.
3.8.3. Remarketing codes
We use remarketing codes to log when users view specific pages, allowing us to provide targeted advertising in the future. Visitors to the website may disable cookies that provide remarketing codes through the appropriate settings on the specific browser used.
The Company can be contacted via e-mail. The Company shall manage the messages until the given request/question is fulfilled/answered, then, after the request/question is closed, it archives such e-mails and stores them for 5 (five) years.
3.10. Managing job applicant data
If you need information about the Company’s management of job applicant data, please send an email to firstname.lastname@example.org.
4. Data security
4.1. SSL system
The Hotelgram booking engine uses SSL cryptography on its websites for online reservations. Any information shared by the data subject with the Company shall be encrypted automatically and be protected when transferred through the network. When the information is received by our server, it is decoded by using an individual private key. SSL enables the browser to connect to the website and establish a secure communication channel in a transparent manner. SSL is the most widely used and most successful cryptographic system. In order to use the system, the data subjects simply need to verify their browsers’ compatibility.
4.2. Other security-related activities
The Company shall manage personal data confidentially, and shall not disclose them to unauthorized persons. The Company shall particularly protect personal data from unauthorized access, modification, transfer, publication, deletion or destruction as well as from accidental destruction, harm and inaccessibility due to modification of the applied technology. The Company shall take all security measures in order to ensure the technical protection of personal data.
5. Data transfer
The Company does not pass personal data to any unauthorized third party.
6. Data processors
You can request the specific list of the Company’s data processors by sending an e-mail to email@example.com. Such requests shall be fulfilled in writing by the Company within 30 (thirty) days.
7. Rights and legal remedies
7.1. Providing information
Upon requests sent by the data subjects to the e-mail addresses in each chapter or addressed to the Company (Hotel Kentaur Kft. 8600 Siófok Akácfa u.1. Hungary), the Company shall provide information regarding the particular subject’s data managed by the Company and/or processed by the data processors entrusted by the Company; the source of such data; the purpose, legal basis and duration of the data management; the names and addresses of data processors as well as their activities related to data management; and (in the case of a transfer of the data subject’s personal data) the legal basis and recipient of data transfer. Such information shall be provided within 30 (thirty) days, free of charge once a year for identical data, and for a fee for all additional requests.
If the provision of information is denied, the Company shall inform the data subject in writing as to which provision of which law was the legal basis to deny the information, and also inform the data subject regarding options for legal remedy.
If the personal data are incorrect, and the correct data are available to the Company, it shall correct such personal data.
Corrections upon request, deadline for administration and legal remedy are governed by Article 7.1.
7.3. Deletion and blocking, objection
Cases of deletion and blocking of personal data and objections against data management are governed by the relevant provisions of the Data Protection Act in Sections 17 – 21.
The company shall provide information on the legal regulations laid out in this paragraph upon requests sent to firstname.lastname@example.org.
7.4. Judicial redress
If their privacy rights are breached, data subjects may file a lawsuit against the Company. The court procedure shall be governed by provisions in Section 22 of the Data Protection Act, and the First Book, Chapter Three, Title XII (Sections 2:51 – 2:54) of Act V of 2013 concerning the Civil Code, and other relevant legal provisions.
The company shall provide information on the legal regulations laid out in this paragraph upon requests sent to email@example.com.
7.5. Compensation and injury claims
If the Company causes injury or violates the subject’s privacy rights through handling the subject’s data in an unlawful manner or through violating its data security requirements, then the affected party may demand an injury claim from the Company.
The Company shall be exempted from liability and its obligation to compensate an injury claim, if it can prove that the damage or violation of the privacy rights of the affected party was caused by an unavoidable force outside the scope of data management.
The damage may not be compensated and an injury claim may not be demanded, if it was due to the wilful or grossly negligent misconduct of the damaged party.
8. Miscellaneous provisions
The Company reserves the right to modify this Guide.
The Company shall not assume liability for the accuracy of data provided by website visitors or Guests.
With regard to data protection issues, you can request the assistance of the local Office for personal data protection
Hungary – Hungarian National Authority for Data Protection and Freedom of Information
elnök: dr. Péterfalvi Attila
levelezési cím: 1534 Budapest, Pf.: 834
cím: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Telefon: +36 (1) 391-1400
Fax: +36 (1) 391-1410