The company Hajdúszoboszlói Turisztikai Közhasznú Nonprofit Korlátolt Felelősségű Társaság (company registration number: 09-09-017830, tax number: 14960079-2-09, registered office: H-4200 Hajdúszoboszló, József Attila utca 2-18, Hungary) (hereinafter referred to as: ‘Service Provider’ or ‘controller’) undertakes to be bound by the provisions of the following Policy:
The company hereby provides the following information in accordance with REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Any amendments to the Policy shall take effect upon being published on the above website.
Name: Hajdúszoboszlói Turisztikai Közhasznú Nonprofit Korlátolt Felelősségű Társaság (Hajdúszoboszló Touristic Public-Benefit Non-Profit Limited Liability Company)
Registered office: H-4200 Hajdúszoboszló, József Attila utca 2-18, Hungary
Telephone: +36 52 558 928
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
4. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
5. ‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
6. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
7. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Personal data shall be:
The controller shall be responsible for the above and be able to demonstrate compliance with the above (‘accountability’).
The controller represents that its data processing operations are in line with the principles laid down in this Clause.
1. The fact of data collection, the categories of data processed, and the purpose of processing:
The email address shall not necessarily contain personal data.
2. Categories of data subjects: All data subjects who have registered/purchased a product in the webshop/on the website.
3. Duration of processing, time limit for erasure of the data: If any of the conditions laid down in Article 17(1) of the GDPR are met, it shall last until erasure is requested by the data subject. About the erasure of any specified personal data, the controller shall inform the data subject by electronic means as stipulated in Article 19 of the GDPR. If the data subject’s erasure request also extends to the email address given by the data subject, upon the delivery of the information the email address shall also be erased by the controller. Except for accounting documents, as these data shall be kept on file for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting. The contractual data of the data subject can be erased upon expiry of the limitation period under civil law, at the data subject’s erasure request.
The accounting documents underlying the accounting records directly or indirectly (including ledger accounts, analytical records and registers) shall be retained for minimum 8 years, shall be legible and retrievable by means of the code of reference indicated in the accounting records.
4. Potential controllers entitled to receive the data, recipients of personal data: The personal data may be processed by the controller’s sales and marketing personnel, by honouring the above principles.
5. Information on the rights of data subjects related to processing:
6. The data subject can initiate the provision of access to the personal data, the erasure, modification, restriction of processing, or data portability in the following manners:
7. Legal basis for processing:
7.1. points (b) and (c) of Article 6(1) of the GDPR,
7.2. Section 13/A (3) of Act CVIII of 2001 on Certain Issues of Electronic Commerce Activities and Information Society Services (hereinafter: Electronic Commerce Act):
In order to render the service, the service provider may process those personal data that are technically indispensable for the provision of the service. In circumstances where other conditions are identical, the service provider shall select and operate the tools used for rendering the information society services in such a way as to ensure that personal data are not processed unless it is indispensable for the provision of the service and the fulfilment of the purposes specified in this act, and even in such cases, only to the extent and for the duration as necessary.
7.3. In the case of issuing an invoice in compliance with accounting laws: point (c) of Article 6(1).
7.4. Pursuant to Section 6:21 of Act V of 2013 on the Civil Code 5 years for enforcing claims arising from the contract.
Section 6:22 [Statute of limitations]
8. Please note that
1. The fact of data collection, the categories of the data processed, and the purposes of processing:
2. Categories of data subjects: all data subjects requesting an offer on the website.
3. Duration of processing, time limit for erasure of the data: If any of the conditions laid down in Article 17(1) of the GDPR are met, it shall last until erasure is requested by the data subject. About the erasure of any specified personal data, the controller shall inform the data subject by electronic means as stipulated in Article 19 of the GDPR. If the data subject’s erasure request also extends to the email address given by the data subject, upon the delivery of the information the email address shall also be erased by the controller.
4. Potential controllers entitled to receive the data, recipients of personal data: Personal data may be processed by the authorised employees of the controller, and furthermore, the data are transferred to the selected accommodation.
7. Legal basis for processing: Article 6(1)(b) of the GDPR.
2. Categories of data subjects: All data subjects sending messages through the contact form.
3. Duration of processing, time limit for erasure of the data: If any of the conditions laid down in Article 17(1) of the GDPR are met, it shall last until erasure is requested by the data subject.
4. Potential controllers entitled to receive the data, recipients of personal data: Personal data may be processed by the authorised employees of the controller.
7. Legal basis for processing: the data subject’s consent, point (a), (b) and (c) of Article 6(1). By contacting us, you give us consent to process your personal data received by us in the course of such contact (name, telephone number, email address) in compliance with this Policy.
2. Categories of data subjects: All data subjects communicating by phone/email/in person, or in a contractual relationship with the controller.
3. Duration of processing, time limit for erasure of the data: Mails containing the requests are processed until the data subject’s erasure request but for no longer than 2 years.
4. Potential controllers entitled to receive the data, recipients of personal data: The personal data may be processed by the controller’s authorised personnel, by honouring the above principles.
7.1. points (b) and (c) of Article 6(1) of the GDPR.
7.2. Pursuant to Section 6:21 of Act V of 2013 on the Civil Code 5 years for enforcing claims arising from the contract.
2. Categories of data subjects: All data subjects writing a review on the website.
3. Duration of processing, time limit for erasure of the data: Until the data subject’s erasure request.
7.1. point (a) of Article 6(1) of the GDPR.
1. Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, the User may grant their prior and express consent to the Service Provider sending them promotional offers or other messages to their contact information provided during registration.
2. Bearing in mind the provisions of this Notice, the Customer may also consent to the Service Provider processing their data necessary for sending the promotional offers.
3. The Service Provider will not send unsolicited promotional messages, and the User may unsubscribe from the notifications without restriction, free of charge and without having to give the reasons. In such a case the Service Provider will erase all of the User’s personal data – that are necessary for the sending of promotional messages – from its records, and will not send further promotional messages to the User. The User can unsubscribe from advertisements by clicking on the link in the message.
4. The fact of data collection, the categories of the data processed, and the purpose of processing:
5. Categories of data subjects: All data subjects who have subscribed to newsletter.
6. Purpose of processing: to send electronic messages (email, SMS, push messages) containing advertisements to the data subject, and to provide information about news, products, promotions, new functions etc.
7. Duration of processing, time limit for erasure of the data: processing continues until the consent is withdrawn, i.e. until unsubscribing.
8. Potential controllers entitled to receive the data, recipients of personal data: The personal data may be processed by the controller’s sales and marketing personnel, by honouring the above principles.
9. Information on the rights of data subjects related to processing:
10. The data subject can initiate the provision of access to the personal data, the erasure, modification, restriction of processing, data portability, and may object to processing in the following manners:
11. The data subject may unsubscribe from the newsletter at any time, free of charge.
12. The processor used in the course of processing:
The Rocket Science Group, LLC
675 Ponce de Leon Ave NE
Atlanta, GA 30308 USA
13. Legal basis for processing: the data subject’s consent, points (a) and (f) of Article 6(1), and Section 6(5) of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities:
Advertisers, advertising service providers and publishers of advertising shall maintain records on the personal data of persons who provided the statement of consent to the extent specified in the statement. The data contained in the aforesaid records – relating to the person to whom the advertisement is addressed – may be processed only for the purpose defined in the statement of consent, until withdrawn, and may be disclosed to third persons subject to the express prior consent of the person affected.
14. Please note that
2. Categories of data subjects: All data subjects shopping on the website and submitting a quality or other complaint.
3. Duration of processing, time limit for erasure of the data: Copies of the minutes, memorandum recording the complaint and the response thereto shall be retained for 5 years pursuant to Section 17/A(7) of Act CLV of 1997 on Consumer Protection.
7. Legal basis for processing: point (c) of Article 6(1), and Section 17/A (7) of Act CLV of 1997 on Consumer Protection.
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
In order to facilitate its own processing activities, and furthermore, to fulfil its obligations under contracts concluded with the data subject and/or prescribed by law, the controller uses processors.
The controller places strong emphasis on using only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process the personal data specified in this Policy except on instructions from the controller.
The controller shall have legal liability for the processor’s activities. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
The processor shall have no authority to make substantial decisions regarding the processing of data.
To provide for the IT background, the controller may use a web hosting provider as processor and, to deliver the items ordered, it may use a courier service as a processor.
Activity performed by the processor
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
2. The fact of processing, categories of data processed: Unique identifier, dates, times
3. Categories of data subjects: All data subjects visiting the website.
4. The purpose of processing: Identification of users, registration of the ‘shopping cart’ and monitoring of visitors.
5. Duration of processing, time limit for erasure of the data:
7. Information on the rights of data subjects related to processing: Data subjects can delete cookies in the Tools/Settings menu of their browser, generally among the settings of the Privacy menu.
8. Legal basis for processing: The data subject’s consent is not required if the exclusive purpose of using cookies is to communicate through the electronic communications network, or its use is indispensable for the service provider to render an information society service expressly requested by the subscriber or the user.
9. Most browsers used by our users enable them to set which cookies should be saved, and make it possible to delete (certain) cookies again. If you limit the saving of cookies on certain websites or disable third party cookies, under certain circumstances you may become unable to fully use our website. Here you can find information on how to customise cookie settings in the case of the usual browsers:
Google Chrome (https://support.google.com/chrome/answer/95647?hl=en)
Internet Explorer (https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies)
1. The controller uses the ‘Google Ads (Adwords)’ online advertising program, including Google’s conversion tracking service. Google conversion tracking is an analysis service offered by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; ‘Google’).
2. If a User visits a website through a Google-ad, a conversion tracking cookie is deposited on his or her computer. These cookies have limited validity and they do not contain any personal data, and therefore cannot be used for the User’s identification.
3. If the User visits certain pages on the website and the cookie has not yet expired, both Google and the data controller can detect that the User has clicked on the advertisement.
4. Each Google Ads (Adwords) customer receives a different cookie, and so the cookies cannot be traced back via the websites of Ads (Adwords) customers.
5. The information obtained using the conversion cookie is used to generate conversion statistics for Ads (Adwords) customers. This way customers receive information on the number of users that clicked on their advertisement and were directed to the page marked with a conversion tracking tag. However, they will not receive any information that can be used to personally identify users.
6. If you want to opt out of conversion tracking, you can reject it by disabling the installation of cookies in your browser. After that, you will not be included in conversion tracking statistics.
1. This website uses Google Analytics, a web analytics service offered by Google, Inc. (‘Google’). Google Analytics uses ‘cookies’ that are text files placed on the User’s computer and which help analyse how Users use the site.
2. The information generated by the cookie about the User’s use of the website is generally transmitted to and stored by Google on servers in the USA. If, however, IP anonymisation is activated on the website, Google will beforehand shorten the User’s IP address within Member States of the European Union or in other states that are party to the Agreement on the European Economic Area.
3. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to evaluate the User’s use of the website, to compile reports on the website activities and to provide further services associated with the use of the website and the Internet for the website operator.
4. The IP address that the User’s browser transmits as part of Google Analytics will not be associated with any other data held by Google. The User can prevent the storage of cookies by selecting the corresponding setting in his or her browser, but please note that in such a case the User may not be able to use all the functions on this website. The User can also prevent Google’s collection and use of data generated by the cookie and related to the User’s use of the website (including the User’s IP address) as well as the processing of this data by downloading and installing the browser plugin available at https://tools.google.com/dlpage/gaoptout?hl=hu
1. Facebook pixel is a code used for making conversion reports on the website, for compiling target audience groups, and for providing the site owner with detailed analysis on the visitors’ website use. With the help of the Facebook remarketing pixel tracking code, you can display personalised offers and advertisements on Facebook to website users. The Facebook remarketing list is not suitable for personal identification. Further information regarding Facebook Pixel can be found at https://www.facebook.com/business/help/651294705016616
1. The fact of data collection, the categories of data processed: The user’s name as registered on Facebook/Google+/Twitter/Pinterest/Youtube/Instagram or other social media sites, and the user’s public profile picture.
2. Categories of data subjects: All data subjects who have signed up for Facebook/Google+/Twitter/Pinterest/Youtube/Instagram or other social media sites and have ‘liked’ the Service Provider’s social media site, or have contacted the controller through the social media site.
3. The purpose of data collection: To share certain content elements of the website, or the products and promotions on the website or the website itself and/or to ‘like’, follow or promote the same on these social media sites.
4. Duration of processing, time limit for erasure of the data, potential controllers entitled to receive the data, and information on the rights of data subjects related to processing: Data subjects may receive information about the sources, the processing of data, the method of data transfer and the legal grounds thereof by visiting the relevant social media site. Processing is performed on the social media sites, therefore the duration and manner of processing, and also the option of data erasure and rectification shall be governed by the policy of the relevant social media site.
5. Legal basis for processing: the data subject’s voluntary consent to the processing of their data on the social media sites.
1. If the data subject has any questions or problems during their use of the controller’s services, they can contact the controller at its contact information (phone, email, social media sites etc.) specified on the website.
2. The emails and messages received, the data provided by telephone or via Facebook etc, including the name, email address and any other voluntarily provided personal data of the data subject will be erased by the controller within a maximum of 2 years from the date of provision.
3. Regarding any type of processing not listed herein, we will provide information at the time of recording the data in question.
4. In exceptional cases at the authorities’ request, or at the request of other bodies authorised by law, the Service Provider may be obliged to provide information, disclose and transfer data, or supply documents.
5. In such cases, provided that the requesting entity has specified the exact purpose of use and the scope of the data, the Service Provider will only disclose those personal data to the requesting entity and only to such extent that is indispensable for the implementation of the purpose of the request.
You shall have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information listed in the Regulation.
You shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay under certain conditions specified.
Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
You shall have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided (…)
In the case of processing on the legal basis of legitimate interest or official authority, you shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, including profiling based on those provisions.
Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The previous paragraph shall not apply if the decision:
The controller shall provide you with information on action taken on the requests above without undue delay and in any event within 1 month of receipt of the request.
This period may be extended by 2 further months where necessary. The controller shall inform you of any such extension within 1 month of receipt of the request, together with the reasons for the delay.
If the controller does not take action on your request, the controller shall inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
b. IT protection
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
The notice delivered to the data subject shall define the nature of the personal data breach in clear and plain language, and it shall communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; it shall describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The communication to the data subject shall not be required if any of the following conditions are met:
If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so.
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Complaints may be filed against the controller’s violation of law, if any, with the Hungarian National Authority for Data Protection and Freedom of Information:
When preparing the information document we took into account the provisions of the following laws:
Personal Data Breach Report
Notification to the data subject
Declaration on Withdrawal
Consent pursuant to the GDPR
Declaration on erasure
Hajdúszoboszló, August 23. 2018
By using the website you agree to accept cookies. Details... OK
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.