Introduction

Termál-Medical Zrt. (Martfű-Termál SPA) (Address: 1037 Bp. Pirkadat u.13., phone: 06 56/452 416, e-mail: info@spamedical.hu, VAT number: 12400139-2-41, company registration number: 01-10-043889) (hereinafter: Service Provider, data controller) adheres to the following notice.

In accordance with the Regulation (EU) 2016/679 of the European Parliament and Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the following information is provided:

This privacy notice regulates the data processing of the website https://martfuspa.hu/ and Martfű-Termál SPA.

The privacy policy is available at: https://martfuspa.hu/adatkezelesi-szabalyzat

Any modifications to this notice will come into effect upon publication at the above address.

Data Controller and Contact Information
Name: Termál-Medical Zrt.
Headquarters: 1022 Budapest, Bimbó út 7. 2nd floor
E-mail: info@spamedical.hu
Phone number: 06 56/452 416

Definitions

1. “Personal data”: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
2. “Data processing”: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
3. “Data controller”: The natural or legal person, public authority, agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; if the purposes and means of processing are determined by EU or member state law, the data controller or specific criteria for its designation may be specified by EU or member state law.
4. “Data processor”: A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the data controller.
5. “Recipient”: A natural or legal person, public authority, agency, or any other body to whom or to which personal data are disclosed, whether a third party or not. Public authorities that may receive personal data in the framework of a specific inquiry in accordance with Union or member state law are not considered recipients; the processing of such data by public authorities must comply with applicable data protection rules in line with the purpose of processing.
6. “Data subject’s consent”: The data subject’s voluntary, specific, informed, and unambiguous indication of their wishes, by which they, by statement or by a clear affirmative action, consent to the processing of their personal data.
7. “Data protection incident”: A security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

Principles for Processing Personal Data

Personal data shall be:

a) Processed lawfully, fairly, and transparently in relation to the data subject (“lawfulness, fairness, and transparency”);
b) Collected for specified, legitimate, and explicit purposes, and not processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research, or statistical purposes shall not be considered incompatible with the original purpose (“purpose limitation”);
c) Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods if they will be processed solely for archiving purposes in the public interest, scientific or historical research, or statistical purposes, subject to the implementation of appropriate technical and organizational measures to safeguard the rights and freedoms of the data subjects (“storage limitation”);
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

The data controller is responsible for ensuring compliance with the above principles and must be able to demonstrate compliance (“accountability”).

Data Processing

Room Reservation, Request for Offer

1. The fact of data collection, the scope of the processed data, and the purpose of data processing:

Personal Data	Purpose of Data Processing
Name (first and last name)	Necessary for contact, request for an offer, room reservation, and the proper issuance of an invoice.
Email address	For communication.
Phone number	For communication, more effective coordination of issues related to room reservation, offer request, and invoicing.
Billing name and address	For proper invoice issuance, as well as for the creation of the contract, determination of its content, modification, monitoring its fulfillment, invoicing the fees, and enforcing any claims related to it.
Reservation-related data (date and time, check-in time, check-out time, number of adults, number of children, children’s age, type of meal, room type)	To enable room reservations and offer requests.
Date and time of the reservation/offer request	Technical operation execution.
IP address at the time of reservation/offer request	Technical operation execution.
The email address is not required to contain personal data.

2. The scope of the data subjects: All individuals making room reservations or requesting offers on the website.
3. Duration of data processing, data deletion deadline: The data will be deleted immediately after providing a response to the user’s offer request (in this case, the user will no longer be eligible to receive newsletters from the data controller) if no room has been reserved. If the user has made a room reservation, a contract is established, and the retention period for personal data is different in the case of accounting documents, as according to Section 169 (2) of Act C of 2000 on Accounting, such documents must be kept for 8 years. Accounting documents (including general ledger accounts, analytical and detailed records) must be kept in a readable format and in a manner that is retrievable based on the reference to accounting records for at least 8 years.
4. The potential data processors authorized to access the data, the recipients of personal data: Personal data may be processed by the data controller’s sales and marketing staff in accordance with the above principles.
5. Rights of data subjects regarding data processing:

• The data subject may request access to their personal data from the data controller, correction, deletion, or restriction of processing, and
• they may object to the processing of such personal data, and
• the data subject has the right to data portability and may withdraw consent at any time.

6. How the data subject can initiate access, deletion, modification, restriction of processing, data portability, and objection to data processing:

• By post at 5435 Martfű, Ifjúság út 2.
• By email at info@spamedical.hu
• By phone at 06 56/452 416.

7. The data subject’s consent, Article 6(1)(a) and (b) of the GDPR, Section 5(1) of the Infotv., Section 169(2) of Act C of 2000 on Accounting, and Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce and Certain Issues Related to Information Society Services (hereinafter: Elker Act): The service provider may process personal data that is technically necessary for the provision of the service. The service provider must choose and operate the tools used in the provision of the service in such a way that personal data is only processed if this is strictly necessary for the provision of the service and to fulfill other purposes defined by law, and even then, only to the extent and for the duration necessary.
8. Notice:

• The data processing is based on your consent.
• You are required to provide personal data in order for us to complete the room reservation or respond to the offer request.
• Failure to provide the data will result in the inability to process your room reservation or offer request.

---

Gift Voucher

1. The fact of data collection, the scope of the processed data, and the purpose of data processing:

Personal Data	Purpose of Data Processing
Name	Necessary for contact, gift voucher purchase, and the proper issuance of an invoice.
Email address	For communication, sending confirmation.
Company name	Necessary for contact, gift voucher purchase, and the proper issuance of an invoice.
Billing address	Necessary for proper invoice issuance.
Beneficiary’s name	For communication, sending confirmation.
Beneficiary’s email address	For communication, sending confirmation.
Date of gift voucher purchase	Technical operation execution.
IP address at the time of gift voucher purchase	Technical operation execution.
The email address is not required to contain personal data.

2. The scope of the data subjects: All individuals purchasing a gift voucher on the website.
3. Duration of data processing, data deletion deadline: If any of the conditions in Article 17(1) of the GDPR are met, the data will be deleted until the data subject requests deletion. The data controller will inform the data subject of any deletion of the personal data electronically in accordance with Article 19 of the GDPR. If the data subject’s deletion request includes their email address, the data controller will delete the email address following notification. Except in the case of accounting documents, as according to Section 169(2) of Act C of 2000 on Accounting, these documents must be kept for 8 years. The data subject’s contractual data can be deleted after the civil law limitation period has expired, upon the data subject’s deletion request. Accounting documents (including general ledger accounts, analytical, and detailed records) must be kept in a readable form for at least 8 years, retrievable based on accounting records.
4. The potential data processors authorized to access the data, the recipients of personal data: Personal data may be processed by the data controller’s sales and marketing staff in accordance with the above principles.
5. Rights of data subjects regarding data processing:

• The data subject may request access to their personal data from the data controller, correction, deletion, or restriction of processing, and
• they may object to the processing of such personal data, and
• the data subject has the right to data portability and may withdraw consent at any time.

6. How the data subject can initiate access, deletion, modification, restriction of processing, data portability, and objection to data processing:

• By post at 5435 Martfű, Ifjúság út 2.
• By email at info@spamedical.hu
• By phone at 06 56/452 416.

7. The data subject’s consent, Article 6(1)(a) and (b) of the GDPR, Section 5(1) of the Infotv., Section 169(2) of Act C of 2000 on Accounting, and Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce and Certain Issues Related to Information Society Services (hereinafter: Elker Act): The service provider may process personal data that is technically necessary for the provision of the service. The service provider must choose and operate the tools used in the provision of the service in such a way that personal data is only processed if this is strictly necessary for the provision of the service and to fulfill other purposes defined by law, and even then, only to the extent and for the duration necessary.
8. Notice:

• The data processing is necessary for the completion of the gift voucher purchase.
• You are required to provide personal data in order for us to complete the gift voucher purchase.
• Failure to provide the data will result in the inability to process your gift voucher purchase.

Data Processors Used

Hosting Service Provider

1. Activity performed by the data processor: Hosting service
2. Data processor’s name and contact information:

• WEBPRO Solutions Ltd.
• Address: 7626 Pécs, Ady Endre Street 30.
• Email: info@web-pro.hu
• Phone number: +36 70 236 1259

3. Data processing fact and scope of data processed: All personal data provided by the data subject.
4. Scope of data subjects: All individuals using the website.
5. Purpose of data processing: To make the website accessible and ensure its proper operation.
6. Duration of data processing, deadline for data deletion: Data processing continues until the termination of the agreement between the data controller and the hosting service provider or until the data subject requests deletion from the hosting provider.
7. Legal basis for data processing: Article 6(1)(c) and (f) of the GDPR, and Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce and Certain Issues Related to Information Society Services (Elker Act).

---

Cookies Handling

1. Data processing fact and scope of processed data: Unique identifier number, dates, and times.
2. Scope of data subjects: All individuals visiting the website.
3. Purpose of data processing: Identification of users and tracking of visitors.
4. Duration of data processing, deadline for data deletion:

Cookie Type	Session Cookies (session)
Persistent or Saved Cookies
Legal Basis for Data Processing	Section 13/A(3) of Act CVIII of 2001 on Electronic Commerce and Certain Issues Related to Information Society Services
Data Processing Duration	Until the corresponding visitor session ends or up to 30 days after the data subject’s deletion.
Processed Data	connect.sid

5. Data controllers authorized to access the data: The data controller does not process personal data using cookies.
6. Rights of data subjects regarding data processing: The data subject may delete cookies through the browser’s Tools/Settings menu, usually under the Privacy section.
7. Legal basis for data processing: No consent is needed from the data subject if the only purpose of the cookies is the communication transmission through the electronic communication network or if the service provider needs them to provide the information society service specifically requested by the subscriber or user.

---

Google Ads (AdWords) Conversion Tracking Usage

1. The data controller uses the “Google Ads (AdWords)” online advertising program, and within that, it utilizes Google’s conversion tracking service. Google Conversion Tracking is an analytical service by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; “Google”).
2. When a user reaches a website through a Google ad, a cookie necessary for conversion tracking is placed on their computer. These cookies have a limited validity and do not contain any personal data, meaning the user cannot be identified by them.
3. If the user browses specific pages on the website and the cookie has not expired, both Google and the data controller can see that the user clicked on the advertisement.
4. Every Google Ads (AdWords) client receives a different cookie, so they cannot be tracked across websites belonging to other Ads (AdWords) clients.
5. The information obtained through conversion tracking cookies is used to prepare conversion statistics for Google Ads (AdWords) customers. These customers can see the number of users who clicked on their ad and were forwarded to a page with a conversion tracking tag. However, they do not have access to information that would allow the identification of any individual user.
6. If a user does not wish to participate in conversion tracking, they can reject it by disabling the ability to set cookies in their browser. In that case, the user will not appear in the conversion tracking statistics.
7. Further information and Google’s privacy statement can be found at: www.google.de/policies/privacy/

---

Use of Google Analytics

1. This website uses the Google Analytics application, a web analytics service by Google Inc. (“Google”). Google Analytics uses “cookies”, text files that are stored on the user’s computer to help analyze how they use the website.
2. The information generated by cookies regarding the user’s use of the website is usually sent to a Google server in the USA and stored there. By activating IP anonymization on the website, Google will shorten the user’s IP address within the EU member states or other states that are parties to the European Economic Area Agreement.
3. In exceptional cases, the full IP address may be sent to a Google server in the USA and shortened there. On behalf of the website operator, Google will use this information to evaluate how the user has used the website, to prepare reports related to the website activity, and to provide other services related to website and internet usage.
4. Google will not link the IP address sent by the user’s browser within the Google Analytics framework with other data held by Google. The user can prevent cookies from being stored by adjusting their browser settings, but please note that doing so may result in reduced functionality of the website. Furthermore, the user can prevent Google from collecting and processing the data generated by the cookies regarding their use of the website (including the IP address) by downloading and installing the browser plugin available at this link: https://tools.google.com/dlpage/gaoptout?hl=hu

---

Customer Relations

1. Fact of data collection, scope of processed data, and purpose of data processing:

Personal Data	Purpose of Data Processing
Name, email address, phone number	Communication, identification, contract fulfillment, business purposes

2. Scope of data subjects: All individuals who are in contact with the data controller via phone/email/in-person or are in a contractual relationship.
3. Duration of data processing, deadline for data deletion: Data processing lasts until the termination of the relationship between the data controller and the data subject or for 5 years after the contract in the case of claims.
4. Data controllers authorized to access the data: The data can be accessed by the data controller’s authorized staff in accordance with the above principles.
5. Rights of data subjects regarding data processing: The data subject has the right to access, correct, delete, or restrict the processing of their personal data, and they have the right to data portability, as well as the right to withdraw their consent at any time.
6. How data subjects can request access, deletion, modification, restriction, or portability of their data:

• By post at 5435 Martfű, Ifjúság út 2.
• By email at info@spamedical.hu
• By phone at +36 56/452 416.

7. Legal basis for data processing:

7.1. Article 6(1)(b) and (c) of the GDPR.

7.2. In the case of claims arising from a contract, the Civil Code (Act V of 2013) Section 6:21. § (5 years).

8. Notice:

• Data processing is necessary for the performance of the contract and for providing offers.
• You are required to provide personal data so we can fulfill your order/request.
• Failure to provide the data will result in the inability to process your request/order.

---

Request for Offer for Conference Organization / Personalized Offers Form

1. Fact of data collection, scope of processed data, and purpose of data processing:

Personal Data	Purpose of Data Processing
Name	Identification
Phone number	Communication, coordination
Email address	Communication, sending the offer (response)
Message	Necessary for developing and customizing the offer
Date of request	Technical operation execution
IP address at the time of request	Technical operation execution

2. Scope of data subjects: All individuals requesting an offer on the website.
3. Duration of data processing, deadline for data deletion: Data will be processed until the data subject requests deletion. The data controller will inform the data subject of any deletion of the personal data electronically. If the deletion request includes their email address, the data controller will delete it after the notification.
4. Data controllers authorized to access the data: The personal data will be processed by authorized personnel of the data controller in accordance with the above principles.
5. Rights of data subjects regarding data processing: The data subject has the right to access, correct, delete, or restrict the processing of their personal data, and they have the right to data portability, as well as the right to withdraw their consent at any time.
6. How data subjects can request access, deletion, modification, restriction, or portability of their data:

• By post at 5435 Martfű, Ifjúság út 2.
• By email at info@spamedical.hu
• By phone at +36 56/452 416.

7. Legal basis for data processing: Article 6(1)(b) of the GDPR.
8. Notice:

• Data processing is necessary for providing an offer.
• You are required to provide personal data so we can send you an offer.
• Failure to provide the data will result in the inability to send you a customized offer.

Contact Form

1. The fact of data collection, scope of processed data, and purpose of data processing:

Personal Data	Purpose of Data Processing
Name	Identification
Email Address	Communication, sending response messages
Phone Number	Communication
Content of Message	Necessary for responding
Date of Contact	Technical operation execution
IP Address at Time of Contact	Technical operation execution

The email address does not need to contain personal data.

2. Data Subjects: All individuals who send a message via the contact form.
3. Duration of Data Processing, Deadline for Data Deletion: Until the data subject requests deletion.
4. Possible Data Processors and Recipients of the Personal Data: The personal data can be accessed by authorized employees of the data controller.
5. Rights of Data Subjects Regarding Data Processing:

• The data subject may request access to, correction of, deletion of, or restriction of processing of their personal data.
• The data subject has the right to data portability and may withdraw consent at any time.

6. Methods for Requesting Access, Deletion, Modification, or Restriction of Data, and Data Portability:

• By post to: 7346 Bikal, Rákóczi u. 22.
• By email to: info@puchner.hu
• By phone: +36 72 459 546

7. Legal Basis for Data Processing: Consent of the data subject, Article 6 (1) a) and b) of the GDPR.
8. Important Information:

• This data processing is based on your consent and is necessary for contacting you or providing an offer.
• You are required to provide personal data to be able to contact us.
• Failure to provide the data will result in not being able to contact the service provider.

Guestbook

1. The fact of data collection, scope of processed data, and purpose of data processing:

Personal Data	Purpose of Data Processing
Name	Identification
Email Address	Communication, identification
Date, IP Address	Technical operation execution

The email address does not need to contain personal data.

2. Data Subjects: All individuals who write in the guestbook.
3. Duration of Data Processing, Deadline for Data Deletion: Until the data subject requests deletion.
4. Possible Data Processors and Recipients of the Personal Data: The personal data can be accessed by authorized employees of the data controller.
5. Rights of Data Subjects Regarding Data Processing:

• The data subject may request access to, correction of, deletion of, or restriction of processing of their personal data.
• The data subject has the right to data portability and may withdraw consent at any time.

6. Methods for Requesting Access, Deletion, Modification, or Restriction of Data, and Data Portability:

• By post to: 5435 Martfű Ifjúság út 2.
• By email to: info@spamedical.hu
• By phone: 06 56/452 416

7. Legal Basis for Data Processing: Consent of the data subject, Article 6 (1) a) and b) of the GDPR.
8. Important Information:

• This data processing is based on your consent.
• You are required to provide personal data to write in the guestbook.
• Failure to provide the data will result in not being able to write in the guestbook.

Newsletter, Direct Marketing (DM) Activities

1. According to Section 6 of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities, the User can expressly and beforehand consent to being contacted by the Service Provider with advertisements and other communications using the contact details provided during registration.
2. The User may consent to the Service Provider processing their personal data necessary for sending advertising offers.
3. The Service Provider does not send unsolicited advertising messages, and the User may unsubscribe from such offers at any time without restriction or justification. In this case, the Service Provider will delete all personal data required for sending advertising messages from its records and will not contact the User with further advertising offers. The User can unsubscribe from the offers by clicking the link in the message.
4. The fact of data collection, scope of processed data, and purpose of data processing:

Personal Data	Purpose of Data Processing
Name, Email Address	Identification, enabling subscription to the newsletter
Subscription Date	Technical operation execution
IP Address at Time of Subscription	Technical operation execution

5. Data Subjects: All individuals who subscribe to the newsletter.
6. Purpose of Data Processing: Sending electronic messages containing advertisements (email, SMS, push notifications) to the data subject, providing information on current events, products, offers, new features, etc.
7. Duration of Data Processing, Deadline for Data Deletion: Until the withdrawal of consent, i.e., until unsubscribing.
8. Possible Data Processors and Recipients of the Personal Data: The personal data may be accessed by the Service Provider’s sales and marketing staff in accordance with the above principles.
9. Rights of Data Subjects Regarding Data Processing:

• The data subject may request access to, correction of, deletion of, or restriction of processing of their personal data.
• The data subject may object to the processing of their personal data.
• The data subject has the right to data portability and may withdraw consent at any time.

10. Methods for Requesting Access, Deletion, Modification, or Restriction of Data, Data Portability, or Objection to Data Processing:

• By post to: 5435 Martfű Ifjúság út 2.
• By email to: info@spamedical.hu
• By phone: 06 56/452 416

11. The data subject may unsubscribe from the newsletter at any time and free of charge.
12. Legal Basis for Data Processing: Consent of the data subject, Article 6 (1) a) and f) of the GDPR and Section 6 (5) of Act XLVIII of 2008.
13. Important Information:

• Data processing is based on your consent and the legitimate interest of the service provider.
• You must provide personal data if you want to receive the newsletter.
• Failure to provide the data will result in not being able to send you the newsletter.

Complaints Handling

1. The fact of data collection, scope of processed data, and purpose of data processing:

Personal Data	Purpose of Data Processing
First and Last Name	Identification, communication
Email Address	Communication
Phone Number	Communication
Billing Name and Address	Identification, handling complaints related to services

2. Data Subjects: All individuals who file complaints regarding the hotel services.
3. Duration of Data Processing, Deadline for Data Deletion: As required by the Consumer Protection Act of 1997, records of complaints and responses must be retained for 5 years.
4. Possible Data Processors and Recipients of the Personal Data: The personal data may be accessed by the Service Provider’s sales and marketing staff, in accordance with the principles outlined above.
5. Rights of Data Subjects Regarding Data Processing:

• The data subject may request access to, correction of, deletion of, or restriction of processing of their personal data.
• The data subject may object to the processing of their personal data.
• The data subject has the right to data portability and may withdraw consent at any time.

6. Methods for Requesting Access, Deletion, Modification, or Restriction of Data, Data Portability, or Objection to Data Processing:

• By post to: 5435 Martfű Ifjúság út 2.
• By email to: info@spamedical.hu
• By phone: 06 56/452 416

7. Legal Basis for Data Processing: Article 6 (1) c) of the GDPR, and Section 17/A (7) of the Consumer Protection Act 1997.
8. Important Information:

• The provision of personal data is required by law.
• Processing personal data is a prerequisite for handling your complaint.
• Failure to provide the data will result in not being able to handle your complaint.

Recipients with Whom Personal Data is Shared

A “recipient” is any natural or legal person, public authority, agency, or any other body with whom or with which the personal data is shared, regardless of whether they are a third party.

Data Processors (who process data on behalf of the data controller):
The data controller may use data processors to assist with their data processing activities or to fulfill their obligations under contracts and relevant legal requirements.

The data controller ensures that they only use data processors who provide appropriate guarantees for complying with the requirements of the GDPR and protecting the rights of data subjects.

The data processor only processes the data based on the instructions of the data controller.

Some Data Processors:

• Web Hosting and Web Development: WEBPRO Solutions Bt., Address: 7626 Pécs, Ady Endre utca 30.
• Online Payments: OTP Bank Nyrt., Address: 1051 Budapest, Nádor utca 16.

Internal Data Protection (Data Sheet)

1. Legal Basis for Data Processing: Article 6(1)(c) of the GDPR.
2. Purpose of Data Processing: Compliance with legal requirements related to the tourism tax.
3. Duration of Data Processing and Data Deletion Deadline: Until the relevant authority can verify the fulfillment of the obligations defined in the applicable legislation, and in the case of a contract, the deadline is in accordance with Section 169(2) of Act C of 2000 on Accounting, by December 31 of the seventh year following the given year.
4. Scope of Processed Data: Name, email, address, ID number, nationality, date of birth, license plate number, and other personal data.
5. Possible Data Processors Authorized to Access the Data: The personal data may be processed by the data controller’s employees in compliance with the above principles.
6. Rights of Data Subjects Regarding Data Processing:

The data subject may request access to their personal data, rectification, deletion, or restriction of processing from the data controller, and the data subject has the right to data portability, as well as the right to withdraw consent at any time.

9. Methods of Requesting Access, Deletion, Modification, or Restriction of Processing, or Data Portability:

• By post: 5435 Martfű, Ifjúság street 2.
• By email: info@spamedical.hu
• By phone: 06 56/452 416

---

Social Media

1. Fact of Data Collection and Scope of Processed Data: The name registered on social media sites such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., and the publicly visible profile picture of the user.
2. Scope of Data Subjects: Any data subject who has registered on social media sites such as Facebook, Google+, Twitter, Pinterest, YouTube, Instagram, etc., and “liked” the website.
3. Purpose of Data Collection: To share or “like” individual content elements, products, promotions, or the website itself on social media platforms and promote the website.
4. Duration of Data Processing, Data Deletion Deadline, Possible Data Processors Authorized to Access Data, and Information on Data Subject Rights: Information on the data source, processing, and transfer method, and legal basis can be found on the specific social media platform. Data processing is carried out on social media platforms, so the duration, method, and data deletion options are regulated by the platform’s policies.
5. Legal Basis for Data Processing: The data subject’s voluntary consent to the processing of their personal data on social media platforms.

---

Customer Relations and Other Data Processing

1. If a question arises or an issue occurs during the use of our services, the data subject can contact the data controller via the methods provided on the website (phone, email, social media, etc.).
2. The data controller will delete any emails, messages, or other data provided by the data subject (such as name, email, and other voluntarily provided personal data) no later than 2 years after receiving the communication.
3. For data processing not listed in this notice, information will be provided at the time of data collection.
4. In case of exceptional official inquiries or legal obligations, the Service Provider is obliged to provide information, share data, or make documents available to other authorities.
5. In these cases, the Service Provider will only disclose personal data to the requesting party to the extent necessary for the purpose of the inquiry, provided the purpose and scope of the requested data are specified.

---

Electronic Surveillance System Notification
Please be advised that our company operates an electronic surveillance and recording system (camera system) in the customer area and its units. When entering the monitored area (room), the system will record your image and actions.

The legal basis for camera surveillance is the data subject’s voluntary consent, as informed by the company’s warning signs. Consent may be given through explicit actions, such as entering or staying in the monitored area. If you do not wish to give consent, please avoid entering the areas marked with the warning signs.

The purpose of video surveillance is to protect human life, physical integrity, personal freedom, protect business secrets, ensure personal and property security, prevent, detect, and document violations, and to document any potential accidents in the customer area for insurance purposes.

The camera system does not record sound.

The location of stored video footage is the company’s headquarters, and the storage duration is 3 working days from the date of creation.

Scope of Processed Data: Image of the data subject recorded by the camera system, and other personal data.

Categories of Recipients of Personal Data: The company’s manager, employees operating the camera system, and data processors operating the system for the purpose of detecting violations and system monitoring.

---

Rights of Data Subjects

1. Right of Access: You have the right to request confirmation from the data controller whether your personal data is being processed, and if it is, you are entitled to access your personal data and the information listed in the regulation.
2. Right to Rectification: You are entitled to request the rectification of inaccurate personal data concerning you without undue delay. Considering the purpose of the data processing, you are entitled to request the completion of incomplete personal data, including through supplementary statements.
3. Right to Deletion: You are entitled to request the deletion of your personal data without undue delay under certain conditions.
4. Right to Erasure: If the data controller has made personal data public, they must take reasonable steps, including technical measures, to notify other data controllers about the request for deletion of links or copies of those personal data.
5. Right to Restriction of Processing: You are entitled to request the restriction of data processing if any of the following conditions apply:
   • You dispute the accuracy of personal data, during the period that allows the data controller to verify the accuracy of the personal data.
   • The data processing is unlawful, and you oppose the deletion of the data and instead request the restriction of its use.
   • The data controller no longer needs the personal data for processing, but you require it for the establishment, exercise, or defense of legal claims.
   • You have objected to the processing; in this case, the restriction will apply during the period in which it is determined whether the legitimate grounds of the data controller take precedence over your rights.
6. Right to Data Portability: You are entitled to receive your personal data provided to the data controller in a structured, commonly used, and machine-readable format and transmit it to another controller.
7. Right to Object: You have the right to object to the processing of your personal data based on your particular situation at any time.
8. Right to Object in Case of Direct Marketing: You have the right to object to the processing of your personal data for direct marketing purposes, including profiling related to direct marketing. If you object, your personal data will no longer be processed for such purposes.
9. Automated Individual Decision-Making, Including Profiling: You have the right not to be subject to decisions based solely on automated processing, including profiling, which significantly affect you.

---

Response Time
The data controller will inform you of the actions taken regarding your request within one month of receiving it, without undue delay.

If necessary, this period can be extended by two months, and the data controller will inform you of the delay within one month of receiving the request.

If the data controller does not act upon your request, they must inform you of the reasons and that you have the right to lodge a complaint with a supervisory authority or seek judicial remedy.

---

Data Security
The data controller and data processor shall implement appropriate technical and organizational measures, considering the nature, scope, context, and purposes of data processing and the risks to individuals’ rights and freedoms, to ensure a level of data security appropriate to the risks.

---

Data Breach Notification
If a data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller shall notify the affected individuals without undue delay.

---

Data Breach Reporting to the Authorities
The data controller shall notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.

---

Complaint Submission
In case of a possible data protection violation, a complaint can be filed with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, P.O. Box 5.
Phone: +36 1 391 1400
Fax: +36 1 391 1410
Email: ugyfelszolgalat@naih.hu