Privacy Policy
COMPANY NAME: Kristály Hotel Kft.
REGISTERED OFFICE: 8400 Ajka, Korányi Frigyes u. 20
TAX NUMBER:
COMPANY REGISTRATION NUMBER:
REPRESENTED BY: Adrienn Gugi (hereinafter: the Company)
This Policy contains the internal rules of the Company’s data processing activities in order to comply with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR).
The adoption and amendment of this Policy falls within the competence of the managing director.
TABLE OF CONTENTS
CHAPTER I – GENERAL PROVISIONS
1. Introduction
• The purpose of the Policy
• Scope of the Policy
• Definitions
CHAPTER II – ENSURING THE LAWFULNESS OF DATA PROCESSING
• Data processing based on the data subject’s consent
CHAPTER III – DATA PROCESSING RELATED TO EMPLOYMENT
• Labour and personnel records
• Data processing related to fitness/medical aptitude examinations
• Processing of data of job applicants, applications and CVs
• Data processing related to monitoring the use of e-mail accounts
• Data processing related to monitoring computers, laptops and tablets
• Data processing related to monitoring workplace internet use
• Data processing related to monitoring the use of company mobile phones
• Data processing related to workplace entry and exit control
• Data processing related to workplace CCTV monitoring
CHAPTER IV – DATA PROCESSING RELATED TO CONTRACTS
• Processing of data of contracting partners – customer and supplier records
• Contact details of natural-person representatives of legal-entity clients, customers and suppliers
• Visitor data processing on the Company’s website – information on the use of cookies
• Registration on the Company’s website
• Data processing related to newsletter services
• Community guidelines / Data processing on the Company’s Facebook page
• Data processing related to organising prize draws
• Data processing for direct marketing purposes
CHAPTER V – DATA PROCESSING BASED ON A LEGAL OBLIGATION
• Data processing for fulfilling tax and accounting obligations
• Data processing as a payer
• Data processing relating to records of archival value under the Archives Act
• Data processing for fulfilling anti-money-laundering obligations
CHAPTER – DATA SECURITY MEASURES
• Data security measures
CHAPTER VI – HANDLING PERSONAL DATA BREACHES
• Definition of a personal data breach
• Handling and remedying personal data breaches
• Register of personal data breaches
CHAPTER VII – RIGHTS OF THE DATA SUBJECT
• Summary information on the data subject’s rights
• Detailed information on the data subject’s rights
CHAPTER VIII – SUBMISSION OF THE DATA SUBJECT’S REQUEST, MEASURES TAKEN BY THE DATA CONTROLLER
• Measures based on the data subject’s request
CHAPTER IX – FINAL PROVISIONS
• Adoption and amendment of the Policy
• Measures to familiarise persons with the Policy
ANNEXES
Annex 1
Request form for the consent-based processing of personal data
Annex 2
Data processing notice on the rights of the natural person concerned regarding the processing of personal data
Annex 3
Notice to employees on the processing of personal data and personality rights
Annex 4
Notice to employees regarding fitness/medical aptitude examinations
Annex 5
Visitor notice on the use of a CCTV surveillance system
Annex 6
Data processing clause for contracts concluded with a natural person
Annex 7
Consent statement for processing the contact details of natural-person representatives of legal-entity contracting partners
Annex 8
Employment contract clause on acknowledging and applying the data processing policy and confidentiality obligations
CHAPTER I
GENERAL PROVISIONS
Introduction
The Company declares that it carries out its data processing activities – by adopting appropriate internal rules and technical and organisational measures – in a manner that ensures compliance at all times with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: the Regulation), as well as Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: the Infotv.).
Purpose of the Policy
The purpose of this Policy is to establish internal rules and to underpin measures that ensure the Company’s data processing activities comply with the provisions of the Regulation and the Infotv.
The purpose of this Policy is also to serve as evidence of the Company’s compliance with the Regulation and with the principles relating to the processing of personal data set out in Article 5 thereof.
Scope of the Policy
(1) The scope of this Policy extends to the Company’s processing of personal data relating to natural persons.
(2) Sole proprietors, sole proprietorship companies and primary agricultural producers acting as clients, customers or suppliers shall be regarded as natural persons for the purposes of this Policy.
(3) The scope of this Policy does not extend to the processing of data relating to legal persons, including the name and legal form of a legal person and the contact details of a legal person (GDPR Recital 14).
Definitions
For the purposes of this Policy, the definitions contained in Article 4 of the Regulation shall apply. Accordingly, we highlight the main terms:
Personal data:
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing:
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Restriction of processing:
The marking of stored personal data with the aim of limiting their processing in the future.
Profiling:
Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation:
The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
Filing system:
Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Controller:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor:
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Recipient:
A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
Third party:
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
Consent of the data subject:
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Personal data breach:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
CHAPTER II
ENSURING THE LAWFULNESS OF DATA PROCESSING
Data processing based on the data subject’s consent
(1) In the case of consent-based processing, the data subject’s consent for the processing of personal data shall be requested using the request form set out in Annex 1.
(2) Consent shall also include cases where the data subject ticks a box when visiting the Company’s website, makes relevant technical settings when using information society services, or makes any other statement or action which, in the given context, clearly indicates consent to the intended processing of personal data. Silence, pre-ticked boxes or inactivity shall not constitute consent.
(3) Consent shall cover all processing activities carried out for the same purpose or purposes. Where processing has multiple purposes, consent must be given for all purposes.
(4) If the data subject gives consent in a written declaration that also concerns other matters – e.g. concluding a sales or service contract – the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration that infringes the Regulation shall not be binding.
(5) The Company may not make the conclusion or performance of a contract conditional upon consent to the processing of personal data that are not necessary for performing the contract.
(6) Withdrawal of consent must be made as easy as giving consent.
(7) Where personal data have been collected based on the data subject’s consent, the controller may, in the absence of a statutory provision to the contrary, process the collected data without further consent for the purpose of complying with a legal obligation applicable to the controller, even after the withdrawal of consent.
(8) The Company shall make its general data processing information notice (Annex 2) available to data subjects in the footer of its website. The purpose of this notice is to inform data subjects clearly and in detail, before and during processing, of all facts related to the processing, including in particular the purpose and legal basis of processing, the persons authorised to act as controller and processor, the duration of processing, whether the controller processes personal data pursuant to Section 6 (5) of the Infotv., and who may access the data. The notice must also cover the data subject’s rights and available remedies. It must be made available via a separate link at each key step of processing (e.g. before registration, during the registration process, etc.), and data subjects must be informed of its availability.
(9) Processing based on compliance with a legal obligation is independent of the data subject’s consent, as the processing is prescribed by law. In such cases, the data subject must be informed before processing begins that the processing is mandatory. The data subject must also be informed clearly and in detail before processing begins about all relevant facts of the processing, in particular its purpose and legal basis, the persons authorised to act as controller and processor, the duration of processing, who may access the data, and the data subject’s rights and remedies. In the case of mandatory processing, the information may also be provided by publishing a reference to the statutory provisions containing the above information.
CHAPTER III
DATA PROCESSING RELATED TO EMPLOYMENT
Labour and personnel records
(1) Only data necessary for establishing, maintaining and terminating the employment relationship and for providing social and welfare benefits may be requested from employees and recorded, and only such occupational medical fitness examinations may be carried out as do not infringe the employee’s personality rights.
(2) On the legal basis of enforcing the Company’s legitimate interests as an employer, for the purpose of establishing, performing or terminating the employment relationship, the Company processes the following data of employees:
• name
• birth name
• date of birth
• mother’s name
• address
• citizenship
• tax identification number
• social security number (TAJ)
• pension registration number (in the case of pensioner employees)
• phone number
• e-mail address
• ID card number
• number of the official address card
• bank account number
• online identifier (if any)
• start and end date of employment
• job title/position
• copy of documents proving education and qualifications
• photograph
• CV
• salary amount and data related to salary payment and other benefits
• debts deductible from salary on the basis of a final decision, a statutory provision or the employee’s written consent, and the legal basis thereof
• performance evaluation
• method and reasons for termination of employment
• certificate of good conduct, depending on the position
• summary of occupational medical fitness examinations
• in the case of private pension fund or voluntary mutual insurance fund membership: name and ID number of the fund and the employee’s membership number
• in the case of foreign employees: passport number; name and number of the document proving the right to work
• data recorded in accident reports relating to the employee
• data necessary for welfare services and the use of commercial accommodation
• data recorded by the CCTV and access control system used for security and asset protection purposes at the Company
• and data recorded by location tracking systems.
(3) Data relating to illness and trade union membership may only be processed by the employer for the purpose of fulfilling a right or obligation defined in the Labour Code.
(4) Recipients of personal data: the employer’s manager, the person exercising employer’s rights, employees and processors performing HR tasks at the Company.
(5) Only personal data of senior executive employees may be transferred to the Company’s owners.
(6) Storage period of personal data: 3 years following the termination of employment.
(7) Before processing begins, the data subject must be informed that processing is based on the Labour Code and on enforcing the employer’s legitimate interests.
(8) Upon concluding the employment contract, the employer informs the employee about the processing of personal data and personality rights by handing over the notice set out in Annex 3 of this Policy.
…
…The data subject shall be entitled to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is based on point (e) of Article 6(1) of the Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller)…