Ochrana osobních údajů

Adventor Hotel Ltd. Effective date of this Information: November 16, 2020. We place great emphasis on the protection of personal data. Therefore, we would like to acquaint you with the data processing and data processing processes that we apply in connection with our activities, as well as with the information we send. Below, we inform you about what data we record, process for what purpose, and what we do to protect your data and enforce your rights.

1. Introduction

Adventor Hotel Ltd. (registered office: 9740 Bük, Golf út 4; tax number: 27290431-2-18; company registration number: 18-09-114181) (hereinafter referred to as "Data Controller") acknowledges the content of this data processing information as binding on itself. As the Data Controller, we process the personal data of the Data Subjects (hereinafter: "Data Subjects"), including partners, customers, visitors to the https://adventorhotels.hu/ website, interested parties, job applicants, members, volunteers, supporters, representatives of subcontractors entrusted with tasks, and, if applicable, recipients of activities, in connection with our activities. The Data Controller undertakes to ensure that data processing related to the services provided on the website complies with applicable laws. Adventor Hotel Ltd. respects the rights of Data Subjects, treats their personal data and all information and facts obtained by it confidentially, and uses them exclusively for carrying out its activities, for the activities set forth in the data processing information, and for its own research and statistical purposes. We take appropriate measures to provide the Data Subject with concise, transparent, understandable, and easily accessible information about the processing of personal data, formulated in a clear and comprehensible manner. The Data Controller reserves the right to unilaterally modify this Information. Therefore, it is advisable to regularly visit the website operated by the Data Controller at www.adventorhotels.hu, where the current content of the information is continuously available and can be saved. Upon request, we will send a copy of the Information in force at any given time to the Data Subject. The requirements set forth in the Data Processing Information are in line with the current legislation on data protection: Hungary's Fundamental Law (Freedom and Responsibility, Article VI); REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act); Act V of 2013 on the Civil Code; Sections 5:54, 5:55, 5:59, and 5:61 of Act V of 2013 on the Civil Code.

1.1. Data Controller's Details Adventor Hotel Ltd. Registered Office: 9740 Bük, Golf út 4. Company Registration Number: 18-09-114181 Tax Number: 27290431-2-18 Email: info@adventorhotels.hu Phone: +36 94 801 600

2. Basic Concepts of Data Protection

2.1. Personal Data Any data relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2.2. Consent: Any freely given, specific, informed, and unambiguous indication of the Data Subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

2.3. Consent-based Data Processing: We request the consent of visitors to the website for the processing of data related to the visit to the website and for sending targeted advertising information (newsletter). By giving their consent statement, we process the personal data of the Data Subject until the withdrawal of consent. After the withdrawal of consent, we delete the Data Subject's data from the register. The legal basis for the processing of data provided on our website is the consent of the Data Subject based on the information provided to them.

2.4. Data Controller: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

2.5. Data Processing Any operation or set of operations performed on personal data, regardless of the method used, including collection, recording, organization, storage, alteration, use, transmission, disclosure, alignment, combination, blocking, erasure, and destruction of data, as well as preventing further use of the data. Data processing also includes the taking of photographs, sound or image recordings, and the recording of physical characteristics suitable for identifying a person (e.g., fingerprints, DNA samples, iris images).

2.6. Data Transmission Making data accessible to a specified third party.

2.7. Disclosure Making data accessible to anyone.

2.8. Data Erasure Rendering data unrecognizable in such a way that their restoration is no longer possible.

2.9. Data Blocking Permanently or for a specified period, making it impossible to transmit, access, disclose, transform, modify, destroy, delete, link, or combine data, and preventing their further use.

2.10. Data Destruction The complete physical destruction of data or the data carrier containing them.

2.11. Data Processing Performing technical tasks related to data processing operations, regardless of the method and tools used for the operations and the location of their application, provided that the technical task is performed on the data.

2.12. Data Processor A natural or legal person, or an organization without legal personality, who, on behalf of the data controller - including based on a mandate under legal provisions - processes personal data.

2.13. Third Party A natural or legal person, public authority, agency, or any other body that is not the data subject, the data controller, or the data processor, and who has been authorized by the data controller or processor to process personal data under their direct control.

2.14. EEA State A Member State of the European Union, a state party to the Agreement on the European Economic Area, or a state whose citizen enjoys the same legal status as a citizen of a state party to the Agreement on the European Economic Area between the European Community and its member states and a state not party to the Agreement on the European Economic Area.

2.15. Third Country: Any state that is not an EEA State.

2.16. Data Breach A breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to transmitted, stored, or otherwise processed personal data.

2.17. Biometric Data Any personal data obtained by specific technical procedures relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that person, such as facial images or dactyloscopic data.

2.18. Health Data: Personal data relating to the physical or mental health of a natural person, including data on health services provided to the natural person, which carry information about the health status of the natural person.

2.19. Security Event Any event that may have a harmful effect on the confidentiality, integrity, or availability of an information technology device or the data stored on it.

2.20. Confidentiality The characteristic of data whereby access is only permitted to a predefined user group (authorized users), and any other access is illegal.

2.21. Public Area of Private Property A private area accessible to anyone without restrictions, including that part of public property acquired for the conduct of personal and property protection activities through a civil legal transaction, particularly a lease or leasehold relationship, provided that: a) the use of the area is organically linked to the activities conducted in the public area of the protected private property, or serves to facilitate or assist in their continuity; or b) the data controller or the public using the public area of private property for placing movable property.

2.22. Profiling Any form of automated processing of personal data that involves the evaluation of certain personal characteristics relating to a natural person, particularly for the analysis or prediction of characteristics related to workplace performance, economic situation, health status, personal preferences, interests, reliability, behavior, place of residence, or movement.

2.23. Integrity The criterion of the existence, accuracy, integrity, and inherent completeness of data, information, or programs, ensuring that only authorized persons can modify them and they cannot be modified without detection.

2.24. Policy The Data Controller's Data Processing Policy.

2.25. Property Protection Security System An electronic signaling and visual surveillance system installed on properties falling within the territorial scope of the Data Processing Policy for property protection purposes. This includes electronic surveillance systems operated without recording for observation purposes, or electronic surveillance systems that allow audio or video recording (area surveillance), electronic access control systems, intrusion detection systems, remote monitoring systems, security systems aimed at data and information protection, as well as other electronic technical solutions enabling the transmission of signals or images or providing light or sound signals.

2.26. Guest A natural person staying with permission on properties falling within the territorial scope of the Data Processing Policy who is not an employee of the Data Controller.

2.27. Accessing, Using, Transmitting Data Only the person who is required to enforce their obligations is entitled to access personal data stored about the data subjects. The name of the person who processes personal data or is otherwise entitled to access it, the reason for accessing the data, and the time of access must be recorded in a protocol. Use of personal data constitutes evidence in judicial or other official proceedings. Within three (3) business days of the recording of personal data, anyone whose rights or legitimate interests are affected by the recording of personal data may request, with proof of their right or legitimate interest, that the data controller not destroy or delete the data. Upon request from a court or other authority, personal data must be promptly transmitted to the court or authority. If within thirty (30) days from the request to refrain from destruction, the recorded image and/or sound recordings and other personal data are not destroyed or deleted.

Personal data may only be transferred to third parties with the prior written consent of the data subject. This does not apply to data processing activities described in the Data Processing Information, or to any compulsory data transfers under the law, which may only occur in exceptional cases. Data subjects are informed that data processors are used for the processing and storage of data held in the employer's human resources system. The Data Controller informs data subjects of the identity of data processors in this document.

2.27. Data Access, Use, and Transmission Personal data stored about data subjects may only be accessed by the person authorized to do so for the enforcement of their obligations. The name of the person handling personal data, or any other person authorized to access it for any reason, the reason for accessing the data, and the time of access must be recorded in a protocol. Use of personal data is considered when personal data is used as evidence in judicial or other official proceedings. Anyone whose rights or legitimate interests are affected by the recording of personal data may request, within three (3) business days from the recording of personal data, with proof of their right or legitimate interest, that the data controller refrain from destroying or deleting the data. Upon request from a court or other authority, personal data must be promptly transmitted to the court or authority. If within thirty (30) days from the request to refrain from destruction, the recorded image and/or sound recordings and other personal data are not destroyed or deleted.

Personal data may only be transferred to third parties with the prior written consent of the data subject. This does not apply to data processing activities described in the Data Processing Information, or to any compulsory data transfers under the law, which may only occur in exceptional cases. Data subjects are informed that data processors are used for the processing and storage of data held in the employer's human resources system. The Data Controller informs data subjects of the identity of data processors in this document.

2.28. Protest The statement of the data subject, objecting to the processing of their personal data, and requesting the cessation of data processing or the deletion of processed data;

3. Principles of Data Protection Personal data must:

a) be processed lawfully and fairly, and in a transparent manner to the data subject ("lawfulness, fairness, and transparency"); b) be collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; for archival purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR, it shall not be considered incompatible with the initial purposes ("purpose limitation"); c) be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"); d) be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy"); e) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject ("storage limitation"); f) be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality"). The data controller is responsible for compliance with the above, and must be able to demonstrate such compliance ("accountability"). The Data Controller does not collect personal data relating to minors.

4. Detailed Rules of Data Management

Scope of data access:

The Data Controller undertakes a strict obligation of confidentiality without temporal limitation regarding the personal data it manages, and, except as provided for in the Consent of the Data Subject and the data processing described in this Information, shall not disclose them to third parties.

Employees and partners of the Data Controller contractually undertake to treat the data entrusted to them, collected, processed, or accessed by them in accordance with the provisions of this Information and the Data Processing Policy, confidentially and shall not disclose them to third parties.

Withdrawal of consent does not affect the lawfulness of previous data processing.

4.1. Visiting the Website

Purpose of data processing

By using the website, the Data Subject (user of www.adventorhotels.hu website) can obtain information about the services provided by the Data Controller.

Scope of processed data and detailed purposes of data processing

Legal basis for data processing:

The legal basis for data processing is the consent of the Data Subject (GDPR. Article 6 (1) a.).

Balancing of interests: our company has a legitimate interest in ensuring the secure operation of the website.

Duration of data processing

The Data Controller retains personal data until the withdrawal of consent by the Data Subject; in the absence of this, personal data will be deleted 90 days after leaving the website. Data Subjects may withdraw their consent at any time by post to Golf út 4, 9740 Bükfürdő, or electronically by sending a message to info@adventorhotels.hu, requesting the deletion of their personal data.

4.2. Data Processing Related to Cookies Placed on Our Website

Purpose of data processing

The services available on the Data Controller's www.adventorhotels.hu website place unique identifiers, called cookies, on the computers of Data Subjects (users). These are solely for identifying the current visitor session, storing data provided during the session, preventing data loss, and anonymously analyzing visitor habits using Google Analytics. Such data may include the visitor's IP address, visit time and duration, visited pages, browser type, operating system, etc. This data is stored confidentially and is only used for the further development of the Data Controller's website and for statistical purposes.

The details of the operation and management of cookies are described in Section 10 of the Information.

Scope of processed data and detailed purposes of data processing

Legal basis for data processing

The legal basis for data processing is the consent of the Data Subject (GDPR. Article 6 (1) a.). Visitors can give their consent to the use of cookies by clicking the "OK" button in the pop-up window displayed on the homepage of the respective website. By visiting the Data Controller's website and accepting cookies, you agree to the terms below, even if you have not registered as a Data Subject. Users can delete cookies from their own computers or disable the use of cookies in their browsers.

Duration of data processing

The Data Controller retains personal data until the withdrawal of consent by the Data Subject. Data Subjects may withdraw their consent at any time by sending a letter by post to Golf út 4, 9740 Bükfürdő, or electronically by sending a message to info@adventorhotels.hu, requesting the deletion of their personal data. In the absence of withdrawal, data will be deleted within a maximum of 30 days following the visit to the website.

4.3. Contacting, fulfilling information requests

Purpose of data processing

Data Subjects may contact the Data Controller with questions and information requests. By storing the provided data, the Data Controller can identify the inquirer and provide the necessary response or information to the Data Subject.

Scope of processed data and detailed purposes of data processing

Personal data of the Data Subject:

Subject of the contact

Text related to the contact

Legal basis for data processing

The legal basis for data processing is the consent of the Data Subject (GDPR Article 6 (1) a)).

Duration of data processing

The Data Controller retains personal data until the withdrawal of consent by the Data Subject. Data Subjects may withdraw their consent at any time and request the deletion of their personal data by sending a letter by post to Golf út 4, 9740 Bükfürdő, or electronically by sending a message to info@adventorhotels.hu.

4.4. Data processing related to complaint management

Purpose of data processing

Data Subjects have the opportunity to lodge complaints regarding the services provided by the Data Controller.

Scope of processed data and detailed purposes of data processing

Legal basis for data processing

The legal basis for data processing is the provision of Act CLV of 1997 on Consumer Protection, Section 17/A (7).

Duration of data processing

The Data Controller retains personal data for a period of 5 years from the submission of the complaint.

4.5. Sending messages, newsletters, direct marketing activities, phone calls

Adventor Hotel Ltd. sends newsletters to natural persons who subscribe to the newsletter, as well as to natural person contacts of its natural and legal person clients.

Purpose of data processing

The Data Controller sends promotional materials to subscribers by postal mail and/or email, sends newsletters, circulars, and individual messages in the form of direct electronic messages, and provides information over the phone regarding its activities, events, campaigns, and membership and support opportunities to Data Subjects who have subscribed to the list and provided their email address and phone number.

Data Subjects can unsubscribe from receiving offers from the newsletter at any time, free of charge, by clicking the "unsubscribe" icon in the newsletter or by sending a message to info@adventorhotels.hu. In this case, all personal data necessary for sending the newsletter will be deleted from our records, and the Data Subject will not be contacted with further emails.

Scope of processed data and purpose of data processing

The legal basis for data processing

In the case of an existing customer relationship, the legitimate interest of the data controller; otherwise, the consent of the data subject (GDPR Article 6 (1) a)).

Description of the legitimate interest

Direct marketing and informational outreach activities are based on legitimate interests.

Categories of data subjects

Natural person customers of the data controller, natural persons subscribing to the newsletter, natural person contacts of legal entity clients.

Duration of data processing

The Data Controller deletes personal data from its database following the Data Subject's unsubscribe from the newsletter.

4.6. Loyalty program

The Data Controller provides personalized services and discounts to Data Subjects participating in the loyalty program. The Data Subject may provide data electronically on the website or personally to the service providers to be made available to the Data Controller.

Scope of processed data and detailed purpose of data processing:

Legal basis for data processing:

The legal basis for data processing is the consent of the Data Subject (GDPR Article 6 (1) a)).

Duration of data processing:

The Data Controller processes personal data until the withdrawal of consent by the Data Subject. Consent can be withdrawn at any time by sending an email to info@adventorhotels.hu.

4.7. Equipment procurement, service ordering

Purpose of data processing

Procurement of necessary equipment, devices, and related services.

Legal basis for data processing

Performance of a contract, fulfillment of legal obligations in billing, during the limitation period, or during contact: legitimate interest.

Description of the legitimate interest

In the case of contact, appropriate information provided through the customer contact person. Assertion of rights during the limitation period.

Categories of data subjects

Natural persons in contractual relationship with the data controller, natural person contacts of legal entity clients, data of intermediaries involved in delivery and commissioning.

Categories of personal data

Storage duration

The duration of the contract and thereafter the civil law statute of limitations period (last day of the 5th year). For invoice data, the date of issue of the invoice is the last day of the 8th year. Regarding invoice data, the legal obligation is based on Act CXXVII of 2007, Sections 159, 169, and Act C of 2000, Sections 166-169.

5. Persons authorized for data processing, data transmission

In certain legal obligations and tasks, the Data Controller transfers the data of the Data Subject to other Data Controllers or engages data processors to perform certain subtasks.

5.1. Data processing

The rights and obligations of the data processor regarding the processing of personal data are determined by the GDPR and other relevant laws within the framework set by the Data Controller. The legality of the instructions provided by the Data Controller is the responsibility of the Data Controller. The data processor cannot make substantive decisions regarding data processing, can only process personal data according to the instructions of the Data Controller, cannot carry out data processing for its own purposes, and is obliged to store and preserve personal data according to the instructions of the Data Controller.

The Data Controller engages the data processors listed in the table below to perform technical tasks related to data processing.

Name and contact information of the data processors Activities performed during data processing

Invitech ICT Ltd. It operates the customer service telephone center.

Regarding the operation of the IT management system of Adventor Hotel Ltd., it has access to the personal data of employees and business partners' contacts. It stores personal data related to business processes.

In connection with the operation of the newsletter engine, it has access to personal data sent in newsletters sent by the Data Controller.

Its task is the technical implementation of online marketing services. It has access to the data of the Data Controller's clients to the extent necessary for the performance of the service.

6. Data Security Measures

The Data Controller complies with the provisions of "Regulation 2016/679 of the European Parliament" and "Act CXII of 2011 on Information Self-Determination and Freedom of Information" regarding the personal data provided by the Data Subject.

The Data Controller takes all necessary measures to ensure the security of the data, ensuring their adequate protection, particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental destruction and damage.

Please assist us in safeguarding the information by avoiding the use of overly obvious login names or passwords, regularly changing your password, and refraining from sharing your password with others.

7. Rights of Data Subjects Concerning Data Processing

The Data Subject's rights and remedies regarding data protection, as well as the relevant provisions and limitations of the GDPR, are detailed in the GDPR (particularly Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, and 82). Below, we summarize the most important provisions.

7.1. Right of Access by the Data Subject

The Data Subject is entitled to receive confirmation from us as to whether personal data concerning them are being processed. If such processing is underway, the Data Subject is entitled to access the personal data and the following information:

the purposes of the processing;

the categories of personal data concerned;

the recipients or categories of recipients to whom the personal data have been or will be disclosed, including particularly recipients in third countries or international organizations;

where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

the Data Subject's right to request from us rectification or erasure of personal data or restriction of processing concerning the Data Subject and to object to such processing;

the right to lodge a complaint with a supervisory authority; and

where the personal data are not collected from the Data Subject, any available information as to their source;

the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the Data Subject.

Where personal data are transferred to a third country, the Data Subject is entitled to be informed of the appropriate safeguards relating to the transfer.

We provide the Data Subject with a copy of the personal data undergoing processing. If the Data Subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless requested otherwise by the Data Subject.

7.2. Right to Rectification

The Data Subject has the right to obtain from us without undue delay the rectification of inaccurate personal data concerning them. The Data Subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement.

7.3. Right to Erasure ("Right to be Forgotten")

The Data Subject has the right to obtain from us the erasure of personal data concerning them without undue delay, where one of the following grounds applies:

Where we have made personal data public and are obliged to erase the personal data, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other data controllers processing the personal data that the Data Subject has requested erasure of any links to, or copy or replication of, those personal data.

The above shall not apply where processing is necessary for, among other things:

7.4. Right to restriction of processing

The Data Subject is entitled to request the restriction of processing if one of the following applies:

If processing is restricted pursuant to paragraph 7.4.1., such personal data, except for storage, may only be processed with the Data Subject's consent, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

The Data Subject shall be informed in advance of the lifting of the restriction on processing.

7.5. Obligation to notify in connection with the rectification or erasure of personal data or the restriction of processing

The Data Controller shall inform all recipients regarding any rectification, erasure, or restriction of processing of personal data, unless this proves impossible or involves disproportionate effort. Upon request of the Data Subject, we shall inform these recipients.

7.6. Right to data portability

When exercising the right to data portability pursuant to paragraph 7.6.1., the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

7.7. Right to object

The Data Subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them based on legitimate interests, including profiling. In such cases, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

If personal data are processed for direct marketing purposes, the Data Subject has the right to object at any time to the processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If the Data Subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the Data Subject may exercise their right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the Data Subject, on grounds relating to their particular situation, shall have the right to object to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

7.8. Right to lodge a complaint with a supervisory authority

The Data Subject may enforce their rights before a court based on the GDPR and the Civil Code, and may also turn to the National Authority for Data Protection and Freedom of Information (NAIH) (1125 Budapest, Szilágyi Erzsébet fasor 22/C; postal address: 1530 Budapest, Pf. 5; phone: +36 1 391 1400; email: ugyfelszolgalat@naih.hu) in case of a complaint regarding the data controller's data processing practices. Detailed rights and remedies related to data processing are provided in Articles 77, 79, and 82 of the GDPR.

7.9. Right to an effective judicial remedy against a supervisory authority

The Data Subject has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

The Data Subject has the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or fails to inform the Data Subject within three months of the progress or outcome of the complaint submitted.

Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its seat.

7.10. Right to an effective judicial remedy against the data controller or processor

The Data Subject is entitled to an effective judicial remedy if they consider that the processing of their personal data infringes the rights under the GDPR.

Proceedings against the data controller or processor shall be brought before the courts of the Member State where the data controller or processor has its establishment. Such proceedings may also be brought before the courts of the Member State where the Data Subject has their habitual residence.

It is advisable to submit a complaint to the data controller before initiating any proceedings.

Information related to children

Persons under the age of 16 may not provide personal data about themselves unless permission has been obtained from one of the parents or guardians. The data of persons under the age of 16 shall not be processed unless the legal representative, parent, guardian, or custodian has given their consent or if it is not possible to obtain consent, the data shall be anonymized.

In the case of a Data Subject who has not reached the age of 14, personal data may be provided by their legal representative or guardian or declarations may be made on their behalf.

For a Data Subject who has reached the age of 14 but has not yet reached the age of 18, personal data may only be provided and declarations may only be made with the consent of their legal representative or guardian.

By providing information, you declare and warrant that you act in accordance with the above and that your legal capacity is not limited in relation to the provision of information. If you are not legally authorized to provide the information, you are obliged to obtain the consent of third parties (e.g., legal representative, guardian). In this regard, you are required to consider whether the consent of a third party is necessary regarding the provision of the information. It may happen that the Data Controller does not directly contact you, so you are responsible for complying with this section, and the Data Controller is not liable in this regard.

The Data Controller does not process personal data belonging to persons under the age of 16 in the context of its business activities. The Data Controller does not have sophisticated methods to verify the legitimacy of the consenting person, their real age, or the authenticity of their statement, so the user or the person exercising parental supervision is responsible for ensuring that the consent complies with the laws. In the absence of consent, the Data Controller shall not collect personal data of a Data Subject who has not reached the age of 16.

We make every reasonable effort to detect any cases where data of minors have been unlawfully provided to us, and in such cases, we promptly ensure the deletion of the data.

Please inform us if you become aware that a child has unlawfully provided information about themselves. You can contact us at the contact details provided at the beginning

7.5. Notification obligation regarding the correction or erasure of personal data, or the restriction of data processing

The Data Controller shall inform all recipients about any correction, erasure, or restriction of data processing, except if this proves impossible or involves disproportionate effort. Upon request of the Data Subject, we shall inform these recipients.

7.6. Right to data portability

The Data Subject is entitled to receive the personal data concerning them, which they have provided to us, in a structured, commonly used, machine-readable format, and have the right to transmit those data to another controller without hindrance from the Data Controller, if:

In exercising the right to data portability pursuant to Article 7.6.1., the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

7.7. Right to object

The Data Subject shall have the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them based on legitimate interests, including profiling. In such cases, the personal data shall not be processed further unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defense of legal claims.

If personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.

If the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In relation to the use of information society services and without prejudice to Directive 2002/58/EC, the Data Subject may exercise their right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the Data Subject shall have the right to object, on grounds relating to their particular situation, to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

7.8. Right to lodge a complaint with a supervisory authority

The Data Subject may enforce their rights before a court under the GDPR and the Civil Code, and may also contact the National Authority for Data Protection and Freedom of Information (NAIH) (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C; mailing address: 1530 Budapest, Pf. 5; phone: +36 1 391 1400; email: ugyfelszolgalat@naih.hu) in case of complaints regarding the data controller's data processing practices. Detailed rights and remedies regarding data processing are provided in Articles 77, 79, and 82 of the GDPR.

7.9. Right to effective judicial remedy against the supervisory authority

The Data Subject is entitled to an effective judicial remedy against a legally binding decision of the supervisory authority concerning them.

The Data Subject is entitled to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the Data Subject of the progress or outcome of the complaint procedure within three months.

Proceedings against the supervisory authority shall be brought before the courts of the Member State where the supervisory authority has its seat.

7.10. Right to effective judicial remedy against the data controller or processor

The Data Subject is entitled to an effective judicial remedy if they consider that the processing of their personal data does not comply with the GDPR and has infringed their rights under the GDPR.

Proceedings against the data controller or processor shall be brought before the courts of the Member State where the data controller or processor has its main establishment. Such proceedings may also be initiated before the courts of the Member State where the Data Subject has their habitual residence.

It is advisable to send the complaint to the data controller before initiating any proceedings.

8. Information related to children

Persons under the age of 16 may not provide personal data about themselves unless they have obtained permission from a parent or guardian. The personal data of persons under the age of 16 shall not be processed unless the consent of the legal representative, parent, guardian, or custodian has been obtained.

In the case of a Data Subject who has not reached the age of 14, their legal representative or custodian may provide personal data or make declarations on their behalf.

For a Data Subject who has reached the age of 14 but has not yet reached the age of 18, personal data may only be provided or declarations may only be made with the consent of their legal representative or custodian.

9.

By providing the information, you declare and warrant that you act in accordance with the above and that your capacity to act is not restricted in relation to the provision of information. If you are not legally authorized to provide the information, you are obliged to obtain the consent of third parties (e.g., legal representatives, guardians). In this regard, you must consider whether the consent of a third party is required for the provision of the information in question. It may happen that the Data Controller does not enter into personal contact with you, so you are responsible for ensuring compliance with this section, and the Data Controller is not liable in this regard.

The Data Controller does not process personal data belonging to persons under the age of 16 in the context of its business activities. The Data Controller does not have sophisticated methods to verify the legitimacy of the consent given by the person, their actual age, or the authenticity of their declaration, so the user or the person exercising parental supervision warrants that the consent complies with the legal requirements. In the absence of a consent declaration, the Data Controller shall not collect personal data concerning a Data Subject who has not reached the age of 16.

We make every reasonable effort to detect any cases where data of minors are unlawfully provided to us, and in such cases, we promptly ensure the deletion of the data.

Please inform us if you become aware that a child has provided information about themselves unlawfully. You can contact us at the contact details provided at the beginning of the Privacy Policy.

Data transfer to countries outside the EEA and its guarantees

The Data Controller does not transfer data to any countries outside the European Union or the EEA in any way.

10. Analytical services, cookies

The Data Controller uses cookies and tracking codes from external service providers (especially Google, Facebook) to monitor user interests, demographic data, and behavior exhibited on the website. The collected data is not used for profiling, automated decision-making, but specifically for statistical purposes and analysis to improve its services.

Additionally, the Data Controller may use aggregated data obtained from interest-based advertising services or audience data (such as age, gender, and interests) for general website reporting and development, as well as for advertising and marketing list purposes.

The aim of the above is to continuously improve our online platforms and increase the effectiveness of our website and campaign-related advertisements.

10.1. Google Analytics

The independent measurement and auditing of website traffic and other web analytical data are facilitated by external service providers (For details, please visit: google.com/analytics/).

The Google Analytics service can be disabled for Display ads and customized for ads on the Google Display Network on the Ad Settings page provided by Google. All tracking by Google Analytics can be disabled using browser add-ons.

10.2. Facebook remarketing

We use Facebook remarketing code to display targeted advertisements. If you do not wish to see ads based on your website visits and interests, you can disable this service.

10.3. Cookies

Cookies are small packages of information consisting of letters and numbers. When a visitor first visits the website, the server automatically sends the cookie to the visitor's browser. The visitor's computer or mobile device stores the cookie for the duration specified by the person placing the cookie.

When the visitor revisits the website, the browser sends the cookie back to the server. Based on the data sent, the server can identify the computer or mobile device sending the cookie and associate the cookies sent by that device. The cookie provides information about the activities performed on the website to the server. Web beacons are small, usually invisible, images placed on the website. By placing web beacons, the actions performed by visitors on the website can be tracked, and statistics can be generated from the obtained data.

Adventor Hotel uses cookies and web beacons on the website to recognize visitors who have previously visited the website; map the interests of visitors; improve the user experience of visitors; and display personalized advertisements to visitors, as well as to improve the security of the website.

The operation of www.adventorhotels.hu website is supported by the following cookies:

We inform our users that the use of cookies operated by our website requires the prior, informed consent of the user under Section 155 (4) of Act C of 2003 on Electronic Communications (“Eht.”). Therefore, upon the first visit to the website, a notice will pop up at the bottom of the screen stating that the website uses cookies, along with a link to this information. Users can consent to the use of cookies by clicking the "Allow" button.

For further information on the use of cookies, visit the allaboutcookies.org website – it includes a detailed guide on deleting cookies from your computer. For information on deleting cookies from your mobile phone, please refer to the manual of your device.

By using the site, you accept the use of technical data and cookies as described above. It is important to note that cookies themselves cannot be used to identify you, and they are deleted according to the settings of your web browser after leaving the site.

The cookies used on the website do not store personally identifiable information.

If you do not wish to accept certain types of cookies, you can configure your browser to prevent the placement of unique identifier marks, or your browser will alert you if the website wants to send a cookie.

11. Remedies

In case of a request or problem, please contact us; by post to Adventor Hotel Kft, 4 Golf Road, Bük, 9740, or electronically at info@adventorhotels.hu, and we will endeavor to respond promptly and fulfill your request as soon as possible. If you are not satisfied with something or feel that your rights regarding the processing of personal data have been violated, you can also turn to the competent court, including the Metropolitan Court in Budapest or initiate an investigation with the National Authority for Data Protection and Freedom of Information.

Bük, November 16, 2020.