Kezdőlap » Privacy Policy

PRIVACY AND DATA PROTECTION NOTICE

 

1. PreambulumThe purpose of this Privacy and Data Protection Policy (hereinafter referred to as the “Policy”) is to fully regulate the data protection and data management principles and the data protection and data management policy of LAMEAPTE Service Provider Limited Liability Company (hereinafter referred to as the “Service Provider or the Data Controller) in relation to the accommodation provided by Treehouses Noszvaj apartment accommodation (hereinafter referred to as the “Accommodation/Service”) and other related services provided by the Service Provider.

   The Service Provider operates the website www.treehouses.hu (hereinafter referred to as the “Website”), where the booking system and webshop operated by the Service Provider are available.

   The purpose of this Policy is also to provide information on all aspects of the services provided by the Service Provider, in particular on www.treehouses. hu website, all natural persons concerned (hereinafter referred to as “Data Subjects”) should have access at all times to information enabling them to ascertain with certainty and clarity how their data is processed by the Service Provider, and to ensure that their fundamental freedoms and their rights to the processing, protection and privacy of their personal data are respected by the Service Provider at all times when processing their personal data, irrespective of their nationality, place of residence or domicile.

   This Notice applies to all processing carried out by the Service Provider.

    

   Data Controller’s Data:

   The Service Provider is the controller for the processing activities listed in this Notice.

   If you have any questions or comments regarding the processing of your personal data, you can contact the Data Controller using the contact details below.

   Company name: LAMEAPTE Szolgáltató Korlátolt Felelősségű Társaság

   Abbreviated company name. LAMEAPTE Ltd.

   Registered office.

   Company registration number: 10-09-036337

   Tax number: 25970704-2-10

   Website: www.treehouses.hu

   E-mail address: noszvaj@treehouses.hu

   Phone: on working days between 9:00 and 17:30 +36-20-518-0383

    

 

3. Scope of the ProspectusThe Data Controller provides its services from Hungary. Accordingly, the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”) and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter “Infotv.”) shall apply to the provision of the service and to the processing of personal data by the data subjects in the course of using the service.

   In preparing the information, the Service Provider has also taken into account the provisions of Act V of 2013 on the Civil Code (hereinafter: Civil Code), Act CLV of 1997 on consumer protection (hereinafter: Consumer Protection Act), Government Decree 45/2014 (26.II.) on the detailed rules of contracts between consumers and businesses, and Act C of 2000 on accounting (hereinafter: Accounting Act).

    

   Definitions used in the Privacy Notice

   Brief explanations of the terms used in this Privacy Notice:

   Personal Data: any information relating to a natural person who is identified, directly or indirectly, or who can be identified on the basis of one or more factors or attributes which identify that natural person.

   Data processing: any operation or set of operations which is performed upon personal data, whatever the means by which it is carried out; in particular, the collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, the prevention of their further use, the taking of photographs, audio or video recordings, the recording of physical characteristics which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans).

   Joint processing: a type of processing of personal data where the purposes and means of the processing are determined jointly by two or more controllers and the obligations and responsibilities for compliance with data protection requirements are set out in an agreement between them.

   Data Controller/Service Provider: LAMEAPTE Ltd. who determines the purposes and means of the processing of personal data.

    

Processing: the performance of technical tasks on personal data related to processing operations, regardless of the method and means used and the place of application.

Data processor: a natural or legal person who processes personal data on behalf of or under the authority and on behalf of the controller.

Consent: a freely given, explicit and properly informed indication of the data subject’s wishes by which he or she unambiguously signifies, by a statement or other conduct, his or her agreement to the processing of his or her personal data.

GDPR: General Data Protection Regulation 2016/679 of the European Parliament and of the Council, which contains binding rules on the processing of personal data and on the exercise of data subjects’ rights in relation to the processing of their personal data.

Restriction of processing: the marking of personal data stored in order to restrict their processing in the future.

Recipient: a natural or legal person, public authority or other body to whom or to which personal data are disclosed by the controller or processor.

Anonymisation: operations which, once carried out, no longer make it possible to identify the specific individual to whom the personal data relate, i.e. the data lose their personal character and no longer permit the identification of any natural person identifiable, and the link between the data subject and the data can no longer be established.

Supervisory Authority: an independent authority established to protect the rights and freedoms of natural persons with regard to the processing of personal data and to facilitate the free flow of personal data within the EU; in Hungary, the National Authority for Data Protection and Freedom of Information.

Data breach: a breach of data security resulting in the accidental or unlawful destruction, loss, alteration, disclosure to unauthorised persons or access by unauthorised persons of personal data transmitted, stored or otherwise processed.

Cookie: also known as a “cookie”, a so-called anonymous visitor identifier, which is placed and read back by the website www.treehouses.hu on the computers of data subjects who visit the website or log in to any profile they may have created on the website. A cookie is a unique piece of data that can be used to save the settings used on the website and to track how the visitor has accessed the website and what actions they have performed there.

Website: an online platform, available at www.treehouses.hu, which data subjects visit in order to consult the site or to use the services offered by our Company through it.

Consumer: a natural person acting outside the scope of his or her profession, self-employment or business activity.

 

Methods and principles of data processing

The Service Provider processes, stores and uses personal data for the purposes of the processing as set out in this Privacy Policy, which are directly provided by the data subjects or to which the data subjects provide access or authorise the Service Provider to provide access. The Service Provider also handles data of data subjects which are not provided to the Service Provider by the data subject, but by third parties who have a contractual relationship with the Service Provider. The Service Provider does not collect personal data from public databases and, apart from the above, no third parties transmit personal data to the Service Provider.

In any case, the Service Provider shall pay particular attention to ensure that the personal data it processes are only accessible to authorised persons, both within its organisation and in the case of its data processing partners, and that they are processed only to the extent and for the duration strictly necessary for the performance of their tasks or activities.

 

Please note that your data will also be processed by data processors as described in this notice, subject to the binding provisions of the relevant data processing contracts, within limited scope. This notice sets out when, beyond the scope of the processing, personal data may be accessed by third parties, including in particular when the Service Provider is approached by public authorities and fulfils its legal obligation to provide the data. The personal data of the data subjects shall be processed by the Service Provider solely in accordance with the applicable legal requirements and for the specific purposes of the processing as determined by the Service Provider.

The Service Provider shall process all personal data of which it becomes aware in a lawful and fair manner and in such a way that the processing is transparent to the natural persons concerned throughout the period of processing. The Service Provider shall collect personal data only for the lawful purposes clearly set out in this notice and shall pay particular attention not to process any personal data in a way incompatible with the purposes set out in this notice. The Service Provider’s data processing is not intended to track data subjects, nor to monitor their activities and behaviour, nor to profile them.

In determining the method of data processing and throughout the entire data processing process, the Service Provider shall implement all technical and organisational measures necessary to ensure that data protection principles and data subjects’ rights are respected and protected. The measures implemented by the Service Provider as the data controller have been determined after taking into account and evaluating the state of the art, the costs of implementation and the risks to the rights of natural persons.

The Service Provider shall in any case process only personal data that are adequate, relevant and strictly necessary for the purposes for which they are processed, and shall endeavour to keep the personal data it stores and processes accurate and up to date and shall take reasonable steps to ensure that inaccurate or incorrect data are corrected or deleted as soon as possible. If the data subject’s personal data have changed in the meantime or need to be corrected for any other reason, he or she may at any time notify us by e-mail at noszvaj@treehouses.hu.

The Service Provider shall store the data of the data subjects only for as long as it is strictly necessary for the achievement of the specific purpose of data processing and the availability of the data shall be adapted accordingly, and shall take all technical and organisational measures necessary to ensure the security of personal data, including, but not limited to, protection against unlawful processing, accidental loss, destruction or damage. In any case where it intends to use the personal data of the data subjects for a purpose other than the one initially envisaged in this notice, it shall give prior written notice to the data subjects, indicating the new purpose of the processing and additional information on the processing, and shall ensure that it has a legal basis for processing the personal data in that case.

Personal data in respect of which the purpose of the processing has been fulfilled, the period for which the data are processed has expired or the data subject has requested the Service Provider to delete the data without delay or, if deletion is not possible for any reason, to anonymise the data so that the link between the processed data and the data subject can no longer be established.

 

Data processing in relation to accommodation services

The Service Provider operates the website www.treehouses.hu, through which it provides accommodation services to natural and legal persons for a specified fee. The detailed conditions for the use of the service are regulated on the Service Provider’s website, in the General Terms and Conditions published by the Service Provider.

 

6.1.

The persons concerned by the processing of data are those persons who, via the website www.treehouses.hu operated by the Service Provider, submit a written request for an offer to the Service Provider, as set out in the Service Provider’s General Terms and Conditions.

The legal basis for processing in their case is the contractual legal basis, i.e. processing necessary for the performance of a contract to which the data subject is a party or necessary for taking steps at the request of the data subject prior to entering into the contract, where the data subject is a party. When sending the request for an offer, the data subject will be informed that the personal data provided will be processed by the Service Provider solely for the purpose of making the offer.

The personal data processed include: name, telephone number, e-mail address, and data relating to the data subject’s request: the accommodation chosen, the offer chosen (board, type of accommodation), the planned arrival and departure dates, the planned number of nights spent, the number of adults staying, the number of children staying and any other data provided by the data subject.

With regard to any additional data provided by the data subject in the request for an offer which are not necessary for the offer, the Service Provider shall only process the data when receiving the message sent, where necessary in relation to its content, but shall not request the data subject to provide any personal data which are not necessary for the offer. When such unexpected personal data are communicated, the Service Provider shall not store the unexpected personal data which are not necessary for the offer and shall delete them from its IT system without delay.

The purpose of the processing is solely to enable the Service Provider to request an offer from the data subject and to make an offer to the data subject. The purpose of the processing of the personal data of the data subject is to identify the data subject, while his/her telephone number is used by the Service Provider in case of possible contact necessary for the offer, while the Service Provider sends the offer, compiled according to the needs provided by the data subject, to the e-mail address of the data subject.

The duration of the processing of the data contained in the offer is processed by the Service Provider until the date indicated in the request for an offer, but no later than the date of validity of the offer. If the accommodation service provided by the Service Provider is not ordered or used, the Service Provider shall delete the data without delay after this has been established.

If the accommodation service provided by the Service Provider is ordered or used and the data subject accepts the Service Provider’s offer, the legal basis, purpose and duration of the data processing shall be the data processing related to the booking/order.

 

6.2. Processing of data related to the booking/order

The persons concerned by the data processing are those persons who transmit a reservation/order to the Service Provider via the website www.treehouses.hu operated by the Service Provider, in accordance with the Service Provider’s General Terms and Conditions.

In their case, the legal basis for processing is the contractual legal basis, i.e. processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to the conclusion of the contract, where the data subject is a party. When sending the reservation/booking, the data subject is informed that the personal data provided will be processed by the Service Provider solely for the purposes of the performance of the contract for the accommodation service resulting from the reservation/booking.

The personal data processed are: name, telephone number, e-mail address, and data relating to the data subject’s needs: the accommodation chosen, the offer chosen (board, type of accommodation), the planned arrival and departure dates, the planned number of nights spent, the number of adults staying, the number and age of children staying, the method of payment and the amount to be paid, and any other data provided by the data subject.

In the case of online payment by credit card or SZÉP card, the data of the credit card or SZÉP card used for the payment are not known to the Service Provider, they are not processed and are provided directly by the data subject to the payment service provider.

However, the Service Provider shall receive the following data provided by the data subject to the payment service provider during the payment transaction: name, address. The source of these data is therefore the payment service provider.

The purpose of the processing is the conclusion and performance of the contract resulting from the booking/order. The services related to the performance of the contract include, as purposes, the provision of the booked accommodation service, the provision of the requested care. The purpose of the processing of the personal data of the data subject is to identify the data subject, his/her telephone number is used by the Service Provider in case of a possible need to contact him/her in connection with the reservation/order, while the Service Provider, in addition to providing the accommodation service and the appropriate care according to the needs of the data subject, sends the confirmation of the reservation/order to the e-mail address of the data subject.

Duration of data processing The Service Provider shall keep the receipts containing the data (name, address, invoice data of the service used, price) necessary to fulfil the obligation to keep the data (name, address, invoice data of the service used, price) required by the Act on Accounting of 2000 (hereinafter: Accounting Act) for 8 (eight) years from the date of issue of the receipt, i.e. the data shall be processed until the expiry of which the data carriers shall be deleted within 1 (one) year. Further data processed in connection with the reservation/order, including messages with relevant content related to the reservation, shall be kept by the Service Provider until 5 (five) years from the date of confirmation of the reservation/order, i.e. from the conclusion of the contract, which is the general limitation period applicable to civil law claims.

 

6.3. Data processing for orders from individuals

The Service Provider does not require registration to use the website, however, when ordering / booking accommodation services or using the closed webshop also operated by the Service Provider on the website – which can be used in connection with the accommodation services – to provide the services to be used, the Service Provider will ask the data subject to provide the following personal data: name, e-mail address, address, billing address, telephone number.

The provision of this information is voluntary in all cases and is indispensable for the Service Provider to be able to provide the accommodation services requested by the data subject. The legal basis for the processing of the personal data provided is the contract between the Service Provider and the data subject, whereby the data subject transmits an order/reservation to the Service Provider via the website for the use of the accommodation service provided by the Service Provider and the Service Provider confirms it. The purpose of the processing of the data subject’s data is to enable the parties to conclude the accommodation service contract, to enable the Service Provider to make the necessary declarations in the performance of the contract, to contact the data subject if necessary and to issue an invoice for the service provided.

The Service Provider will also process the e-mail address provided during the order/reservation process in order to send to the data subjects information of public interest relating to the use of the service, including to inform the data subject that his/her reservation has been successfully completed. The information e-mails do not constitute a newsletter or any other marketing or advertising request and may be sent by the Service Provider without the need for the specific consent of the data subject.

The Service Provider draws the attention of the data subjects to the fact that failure to provide, or incomplete provision of, data concerning themselves, the contracting party and/or the guest, in the absence of data which are indispensable for the performance of the contract, may result in the refusal by the Service Provider to conclude the accommodation contract.

The Service Provider shall process the customer’s data until the performance of the given accommodation service, except for the data contained in the invoice issued for the consideration for the accommodation service, since pursuant to Section 169. § (2) of the Act on Accounting (C.C. No. 169 of the Act on Accounting), the Service Provider shall keep the data contained in the invoice for the consideration for the provision of accommodation services and the data related to the provision of the service (billing name and billing address) for 8 (eight) years from the date of issue of the invoice or the date of the customer register.

In the event of a difference between the identity of the Contracting Party and the Customer, the Service Provider shall process the Customer’s data on the basis of the legitimate interests of the Service Provider and the Contracting Party and the Customer. Without this data, the Service Provider would not be able to fulfil its obligations under the accommodation service contract, i.e. it would not be able to identify the order/reservation and the Guest entitled to use it. For the processing of the Guest’s data provided by the Contracting Party on the basis of legitimate interest, the Service Provider has carried out an interest test in accordance with the mandatory data protection requirements.

The balancing of interests test compared the legitimate interests and fundamental rights of the data controller and the third party and of the data subjects, and concluded that the legitimate interest of the data controller or the third party to process the Guest’s data is stronger and more important than the interest of the data subject not to have access to or to process the data, since the lack of processing would prevent the performance of the accommodation service contract. In fulfilment of its legal obligation, the Service Provider shall provide all data subjects with the possibility to be informed of the detailed balancing of interests test, if they make such a request to the Service Provider.

Given that the data subjects’ data are processed by the Service Provider on the basis of its own legitimate interests and the legitimate interests of the Contracting Party and the Customer’s customers, and the data subjects therefore have the right to object to the processing, the detailed rules and conditions for exercising this right are set out in this notice.

The purpose of the processing of data relating to an order for the provision of a specific accommodation service is to enable the Service Provider to fulfil the accommodation service contract with the Contracting Party – if the Contracting Party and the Guest are different – and to provide the Guest with the accommodation service. The processing of the data is also necessary to enable the Service Provider to contact the Guest directly in the course of the provision of the service. In any case, the processing of the data shall last until the termination of the contract for the accommodation service in question.

 

 

 

6.4. Data processing for orders from legal persons and unincorporated organisations

In the case of Customers who use the Service Provider’s services as legal entities or unincorporated entities (hereinafter referred to as Business Customers), the Service Provider shall process the data of the persons who request an offer from the Service Provider as the Business Customers’ contact person and with whom the Service Provider maintains contact during the performance of the contract in the event of acceptance of the offer and the order for the accommodation service. The following data of the Business Customer’s contact person are processed by the Service Provider: name, telephone number, e-mail address.

The legal basis for the processing of personal data provided by the Business Customer’s contact person is the Service Provider and the legitimate interest of the Business Customer to whom the contact person belongs. For the processing of contact data on the basis of legitimate interest, the Service Provider has carried out an interest balancing test, which has resulted in the conclusion that the legitimate interest of the Service Provider or its Business Customer to process the data is genuine and stronger than the interest of the data subjects not to have their data processed by the Service Provider. The knowledge and processing of the data is indispensable for the Service Provider to be able to provide the Business Partner with the accommodation service based on the information provided by the Business Partner and, if the Business Partner accepts the Service Provider’s offer and the accommodation service contract is concluded between them, to contact and consult directly with the Business Partner on issues arising in the course of the performance of the contract. In compliance with its legal obligation, the Service Provider shall provide all data subjects with the opportunity to be informed of the detailed balancing of interests test, if they so request.

Given that the data subjects’ data are processed by the Service Provider and the Service Provider on the basis of the legitimate interests of the Business Customers, and therefore the data subjects have the right to object to the processing, the detailed rules and conditions for exercising this right are set out in this notice.

The purpose of processing the data of the contact persons is therefore to provide the interested Business Partner with an offer for the service and, in the event of a contractual relationship, to ensure direct contact and smooth communication with the Business Partner. The Service Provider shall process the contact details of the contact persons until the contract for the accommodation service in question is terminated. In the event that the identity of the contact person of the Business Partner changes in the meantime, the processing of the data of the Business Partner concerned shall continue until the Business Partner notifies the Service Provider in writing of such change.

If the identity of the Business Customer and the Guest is different, the Service Provider shall process the Guest’s data on the basis of the legitimate interests of the Service Provider and the Business Customer and the Guest. Without such data, the Service Provider would not be able to fulfil its obligations under the accommodation service contract, i.e. it would not be able to identify the order/reservation and the Guest entitled to use it. For the processing of the Guest data provided by the Business Customer on the basis of legitimate interest, the Service Provider has carried out a merits test in accordance with the mandatory data protection requirements.

The balancing of interests test compared the legitimate interests and fundamental rights of the data controller and the third party and the data subjects, and concluded that the legitimate interest of the data controller or the third party to process the Customer’s data is stronger and more important than the interest of the data subject not to have access to or to process the data, as the lack of processing would prevent the performance of the accommodation service contract. In fulfilment of its legal obligation, the Service Provider shall provide all data subjects with the possibility to be informed of the detailed balancing of interests test, if they make such a request to the Service Provider.

Given that the Service Provider processes the data of the data subjects on the basis of its own legitimate interests and the legitimate interests of the Business Customer and the Customer’s customer, the data subjects have the right to object to the processing of their data, the detailed rules and conditions for exercising this right are set out in this information notice.

The purpose of the processing of data relating to an order for the provision of a specific accommodation service is to enable the Service Provider to fulfil the accommodation service contract with the Business Customer, where the Business Customer and the Guest are different persons, and to provide the Guest with the accommodation service. The processing of the data is also necessary to enable the Service Provider to contact the Guest directly in the course of the provision of the service. In any case, the processing of the data shall last until the termination of the contract for the accommodation service in question.

 

6.5. Processing of data relating to the registration of accommodation users

The persons concerned by the data processing are those who, through the website www.treehouses.hu operated by the Service Provider or through other accommodation intermediaries, transmit an order to the Service Provider in accordance with the Service Provider’s General Terms and Conditions, which is confirmed by the Service Provider and the accommodation service provided by the Service Provider is used by the person concerned on the basis of the contract concluded between the parties.

The legal basis for the processing is the contractual legal basis, i.e. processing necessary for the performance of a contract to which the data subject is a party, or necessary to take steps at the request of the data subject prior to entering into a contract where the data subject is a party, or necessary for the performance of a legal obligation to which the Service Provider is subject.

Pursuant to Act CLVI of 2016 on State Tasks for the Development of Tourist Areas (hereinafter: Tourism Act), the Service Provider is obliged to provide data to the National Tourism Data Service Centre (hereinafter: NTAK). The NTAK shall contain the data collected and prepared in accordance with the data reporting procedure specified in the legislation, which do not contain personal data and which are provided by the accommodation provider using the accommodation management software. The purpose of the NTAK is to provide anonymous, real-time statistical data on the turnover of all accommodation establishments in Hungary, and statistical analyses are produced from the data received directly through the accommodation management software.

In order to comply with its legal obligation to protect the rights, safety and property of the data subject and others, and to monitor compliance with the provisions on the residence of third-country nationals and persons enjoying the right of free movement and residence, the Service Provider records the first and last name of the data subject at the time of check-in on the storage space provided by the hosting provider via the accommodation management software, surname and given name at birth, place and date of birth, sex, nationality and mother’s surname and given name at birth, identification data of his/her identity document or travel document, visa or residence permit number in the case of third-country nationals, date and place of entry and address of the accommodation service, start and expected date of use of the accommodation and actual date of termination.

The Service Provider shall refuse to provide the accommodation service in the absence of the presentation of an identification document or travel document for the purpose of recording the data.

Only statistical data will be transmitted by the Service Provider via the accommodation management software, i.e. the NTAK system will not receive, record or store any personal data. Based on the data received – the guest’s gender, nationality, date of birth, permanent address, municipality and postal code – individual guests cannot be identified in the NTAK, and therefore no personal data is transmitted or processed, the NTAK is used for the sole purpose of cumulative statistical data collection for tourism purposes.

The Service Provider shall process the data thus made available to it – not including the address of the accommodation service, the start and expected and actual end dates of the use of the accommodation – for the purpose of fulfilling its statutory data reporting obligations until the last day of the first year following the date on which it becomes aware of them.

The purpose of data processing is to fulfil the data reporting obligations of the accommodation provider as defined by law. The duration of the processing of data which are not processed by the Service Provider for other purposes and/or for other purposes than those set out in this information notice and which are processed for the purpose of fulfilling its statutory data reporting obligations, shall be until the last day of the first year following the date on which the data are made available to the Service Provider. Any further data processed in connection with the reservation/order or the use of the accommodation service, including messages with relevant content related to the reservation, shall be kept by the Service Provider until 5 (five) years from the date of the reservation/order or the date of its disclosure, which is the general limitation period applicable to civil law claims.

The hosting service provider – which is the Hungarian Tourism Agency Limited Liability Company (abbreviated company name: Hungarian Tourism Agency, registered office: 1027 Budapest, Kacsa utca 15-23. , company registration number: 01-10-041364, tax number: 10356113-4-41), whose activities are limited to the storage of the data of the data service provided by the accommodation provider in encrypted form on a storage place, which is provided by the accommodation provider and the person or body authorised by the accommodation provider, in accordance with the encryption procedure designated by law, and to the provision of access to the data. The data stored in the hosting provider shall not be disclosed or processed by the hosting provider.

The data stored by the hosting provider may be searched by the police by means of an IT tool for the purposes of law enforcement, crime prevention, protection of public order, public security, public order, the order of the state border, the protection of the rights, safety and property of the data subject and others, and the conduct of wanted persons proceedings, and the information may be disclosed as a result of the search, which accommodation provider is a customer of the person who has provided the search criteria, and may further request the transmission of data processed by the accommodation provider, indicating the purpose of the request, which the accommodation provider shall provide free of charge.

In other respects, the Hungarian Tourism Agency Zrt., local governments, the National Tax and Customs Administration and the Central Statistical Office have access to NTAK data not suitable for individual identification for statistical purposes.

 

Processing of data of persons subscribing to the newsletter

If the data subject decides to subscribe to the Service Provider’s newsletter, the Service Provider will process the data necessary to deliver the newsletter to the data subject. In this case, the legal basis for the processing is the data subject’s consent, which he or she gives to the Service Provider by providing and sending his or her data and by clicking on the link in the confirmation e-mail sent to his or her e-mail address. By doing so, the data subject declares that he or she consents to the processing of his or her data as set out in the privacy policy and to the sending of newsletters.

The Service Provider processes the name and e-mail address of the data subject for the purpose of sending newsletters and other online marketing and information material, and the data are processed until the data subject withdraws his or her consent or requests the deletion of his or her data. The sending of newsletters means the sending of information about the services of the Service Provider, news and updates, attention-grabbing offers, promotional content.

The data subject may withdraw his or her consent to the processing of his or her data at any time by clicking on the link at the bottom of the newsletter sent by the Service Provider. The Service Provider’s system will detect and record the unsubscription – and thus the fact of withdrawal of consent to the processing of data – so that the Service Provider will no longer process the data subject’s data for the purpose of sending the newsletter.

If the Service Provider also processes the e-mail address of the data subject for other purposes listed in the prospectus (for example, in the context of the use of the service it provides), the unsubscription will not result in the deletion of the data. Withdrawal of consent will not affect the lawfulness of the Service Provider’s processing activities carried out on the basis of the data subject’s consent.

8. The purpose of data processing is to fulfil the data reporting obligations of the accommodation provider as defined by law. The duration of the processing of data which are not processed by the Service Provider for other purposes and/or for other purposes than those set out in this information notice and which are processed for the purpose of fulfilling its statutory data reporting obligations, shall be until the last day of the first year following the date on which the data are made available to the Service Provider. Any further data processed in connection with the reservation/order or the use of the accommodation service, including messages with relevant content related to the reservation, shall be kept by the Service Provider until 5 (five) years from the date of the reservation/order or the date of its disclosure, which is the general limitation period applicable to civil law claims.The hosting service provider – which is the Hungarian Tourism Agency Limited Liability Company (abbreviated company name: Hungarian Tourism Agency, registered office: 1027 Budapest, Kacsa utca 15-23. , company registration number: 01-10-041364, tax number: 10356113-4-41), whose activities are limited to the storage of the data of the data service provided by the accommodation provider in encrypted form on a storage place, which is provided by the accommodation provider and the person or body authorised by the accommodation provider, in accordance with the encryption procedure designated by law, and to the provision of access to the data. The data stored in the hosting provider shall not be disclosed or processed by the hosting provider.

   The data stored by the hosting provider may be searched by the police by means of an IT tool for the purposes of law enforcement, crime prevention, protection of public order, public security, public order, the order of the state border, the protection of the rights, safety and property of the data subject and others, and the conduct of wanted persons proceedings, and the information may be disclosed as a result of the search, which accommodation provider is a customer of the person who has provided the search criteria, and may further request the transmission of data processed by the accommodation provider, indicating the purpose of the request, which the accommodation provider shall provide free of charge.

   In other respects, the Hungarian Tourism Agency Zrt., local governments, the National Tax and Customs Administration and the Central Statistical Office have access to NTAK data not suitable for individual identification for statistical purposes.

    

   Processing of data of persons subscribing to the newsletter

   If the data subject decides to subscribe to the Service Provider’s newsletter, the Service Provider will process the data necessary to deliver the newsletter to the data subject. In this case, the legal basis for the processing is the data subject’s consent, which he or she gives to the Service Provider by providing and sending his or her data and by clicking on the link in the confirmation e-mail sent to his or her e-mail address. By doing so, the data subject declares that he or she consents to the processing of his or her data as set out in the privacy policy and to the sending of newsletters.

   The Service Provider processes the name and e-mail address of the data subject for the purpose of sending newsletters and other online marketing and information material, and the data are processed until the data subject withdraws his or her consent or requests the deletion of his or her data. The sending of newsletters means the sending of information about the services of the Service Provider, news and updates, attention-grabbing offers, promotional content.

   The data subject may withdraw his or her consent to the processing of his or her data at any time by clicking on the link at the bottom of the newsletter sent by the Service Provider. The Service Provider’s system will detect and record the unsubscription – and thus the fact of withdrawal of consent to the processing of data – so that the Service Provider will no longer process the data subject’s data for the purpose of sending the newsletter.

   If the Service Provider also processes the e-mail address of the data subject for other purposes listed in the prospectus (for example, in the context of the use of the service it provides), the unsubscription will not result in the deletion of the data. Withdrawal of consent will not affect the lawfulness of the Service Provider’s processing activities carried out on the basis of the data subject’s consent.

9. Processing of personal data through cookies
   On its website, the Service Provider uses anonymous visitor identifiers, also known as cookies (hereinafter referred to as “cookies”), the main purpose of which is to simplify the browsing process: cookies are also used for system administration, statistical and, in some cases, marketing purposes. A cookie is a unique piece of data that can be used to store the settings used on a website and to identify how a visitor has visited and interacted with the website, and whose basic function is to facilitate browsing on the website.
   Data technically recorded in the course of the operation of the website and the reservation system and webshop on the website: data of the visitor’s computer logging in, generated during the use of the service and recorded by the Service Provider’s system as an automatic result of technical processes. The data that are automatically recorded are automatically logged by the system at the time of entry or exit, without any special declaration or other action by the visitor. These data cannot be linked to personal data of other data subjects.
   When a data subject visits the website of the Service Provider, the legal basis for the processing of data collected by cookies that are installed on the device used by the data subject for browsing or on his or her browser and are essential for the functioning of the website www.treehouses.hu is the legitimate interest of the Service Provider. In order to apply this legal basis, the Service Provider has carried out a balancing of interests test, comparing the legitimate interests of the Service Provider on its own side and the interest of the visitors of the website not to have their data processed. The balancing of interests test shows that the legitimate interest of the Service Provider in processing the data collected by the cookies is real and prevails over the legitimate interest of the data subjects not to be subject to the processing carried out by the Service Provider on the website. The Service Provider shall provide all data subjects with the opportunity to be informed of the detailed balancing of interests test if they make such a request to the Service Provider.In the case of cookies, without which the Service Provider’s website can function properly, but which serve important statistical purposes for the Service Provider, the legal basis for the processing of data collected by cookies is the consent of the data subject, which he or she gives to the Service Provider by using the cookie panel displayed when accessing the website. The consent of the data subject, the website visitor, may be withdrawn at any time, but this does not affect the lawfulness of the processing carried out by the Service Provider prior to the withdrawal.

   If any person visits the website www.treehouses.hu in order to consult the website of the Service Provider or to use its services, the Service Provider explicitly draws the visitor’s attention to the fact that it uses cookies on the website. Here the visitor can give his/her consent to the use of cookies that are not strictly necessary for the proper functioning of our website.

   The data subject visiting the website can delete cookies from his/her computer or from the smart device used to view the Service Provider’s website at any time, and can also disable the use of cookies in his/her browser, in which case, however, for technical reasons, some functions of the Service Provider’s website may not be available at all or may be available only to a limited extent. The management of cookies is generally possible in the Tools/Preferences menu of browsers under the Privacy menu under the menu item Cookies, cookies or tracking. To find out more about cookies and how to use them, please visit one of the following websites: www.aboutcookies.org, www.allaboutcookies.org.

 

10. Data processing related to the maintenance of the Service Provider’s Facebook and Instagram pagesIf you like (“like”) the Service Provider’s Facebook page (https://www.facebook.com/TreeHousesNoszvaj) or follow the Service Provider’s Instagram page (https://www.instagram.com/treehousesnoszvaj/) (hereinafter collectively referred to as “Social Media Sites”), or perform any activity on these sites that involves the provision of your data – in particular, but not limited to liking, following or commenting on content on the sites – your personal data will be processed by the Service Provider on the basis of legitimate interest.

    The data processing activities of the Service Provider cover the data that the data subject has publicly indicated and published in his/her own profile as a user, or that the data subject, of his/her own choice, shares directly with the Service Provider, either on social media platforms or through the various messaging platforms and applications connected to them. The data of the data subject is processed in order to ensure the efficient management of the social media platforms and to enable the Service Provider to ensure their continuous maintenance and operation and to provide the user experience.

    For the processing based on legitimate interest, the Service Provider has carried out an interest balancing test in accordance with the mandatory data protection requirements, whereby it has examined the legitimate interests on its side and the basis for the processing, as well as the interests of the natural persons concerned by the processing and their rights and fundamental freedoms to the processing, and as a result of which it has been established that the legitimate interest of the Service Provider to allow the processing of personal data concerning the data subjects is genuine and stronger than the interest of the data subjects, not to process their data publicly disclosed in their profile as a user on the relevant social media platform or directly shared with the Service Provider for the purposes set out in this point, as without the processing of personal data the Service Provider would not be able to operate and maintain its social media platforms and provide the associated user experience, as it is an integral and indispensable part of their operation that the Service Provider has access to the data of persons who are active and engaged in activities on official social media platforms as data subjects.

    In view of the fact that the Service Provider processes the data of the data subjects on the basis of its own legitimate interests, and therefore the data subjects have the right to object to the processing of their data, the detailed rules and conditions for exercising this right are set out in this notice. However, the submission of such a request does not automatically imply the cessation of the processing and its immediate deletion, which will only take place if, after examining the request, the Service Provider establishes that the processing is not justified by compelling legitimate grounds which override the legitimate interests, rights and freedoms of the data subject or are necessary for the establishment, exercise or defence of legal claims.

    Where the Service Provider also processes personal data for other purposes and/or on other legal grounds as detailed in this notice, the acceptance and execution of the data subject’s objection will only relate to the processing activities for the purposes described in this point. In compliance with its legal obligation, the Service Provider will provide all data subjects with the opportunity to be informed of the detailed balancing of interests test, if they make such a request to the Service Provider.

    The personal data of the data subject will be processed by the Service Provider until the data subject objects to the processing, but also taking into account this, until such time as the Service Provider’s social media sites are closed down or the data subject deletes the account/profile on the social media site where the personal data have been disclosed.

11. Data processed in complaint handling
    If you have used the services provided by the Service Provider as a consumer and are not satisfied with them for any reason, you may lodge a complaint with the Service Provider. The Service Provider processes the data of the data subject in connection with the handling of complaints for the purpose of fulfilling its legal obligations under Articles 17/A and 17/C of Act CLV of 1997 on Consumer Protection (hereinafter referred to as the “Consumer Protection Act”), which are necessary to investigate and respond to the complaint. If the data subject raises a quality complaint regarding the Service Provider’s service, the Service Provider processes his data in order to fulfil its obligations under Act V of 2013 on the Civil Code and Government Decree No. 45/2014 (26.II.26.), i.e. to resolve the complaint. In order for a complaint to be considered, the data subject must provide the Service Provider with certain – personally identifiable – data, and if the complaint is found to be justified, the Service Provider may take the necessary steps to remedy the complaint.
    The Service Provider shall process the personal data of the data subject for a period of 3 (three) years from the date of the response to the request, in the case of a complaint or quality objection, pursuant to the mandatory provision of Article 17/A (7) of the Act on the Protection of Personal Data. 

    Processing of data of job applicants

    We inform the data subjects that in case they apply for one of the vacancies advertised by the Service Provider as the data controller, their data provided during the application process will be processed by the Service Provider. The scope of the data processed may vary depending on the way in which the data subject submits his/her application and the information provided in his/her CV, but typically includes the following data: name, e-mail address, telephone number, address, date and place of birth, education, professional experience, salary requirements, interests, language skills, IT skills, photo likeness, leisure activities and other data provided in the CV.

    If the persons concerned do not provide the Service Provider with the data necessary for the assessment of the application, or only partially, the Service Provider will not be able to accept the application.

    The legal basis for the processing of applicants’ data is the legitimate interest of the Service Provider. With regard to this legal basis, the Service Provider has carried out a balancing of interests test, the result of which shows that the Service Provider’s interest in processing the data is stronger and more important than the interest of the applicants concerned that their data should not be processed by the Service Provider. The existence of a legitimate interest is demonstrated by the fact that the data necessary for contacting the data subject and contained in his or her curriculum vitae, in particular his or her educational qualifications and professional experience, make it possible to determine whether he or she is or may be qualified for the position applied for. In compliance with its legal obligation, the Service Provider shall provide all data subjects with the opportunity to consult the detailed interest test, if they so request.

    Since the legal basis for the processing is the legitimate interest of the Service Provider, data subjects may object to the processing on grounds relating to their own situation, the detailed rules and conditions for exercising their rights are set out in this notice. However, the submission of such a request does not automatically imply the cessation of the processing and its immediate erasure, which will only take place if, after examining the request, the Service Provider establishes that the processing is not justified by compelling legitimate grounds which override the legitimate interests, rights and freedoms of the data subject or are necessary for the establishment, exercise or defence of legal claims.

    Where the Service Provider processes personal data for other purposes and/or on other legal grounds as detailed in this notice, the acceptance and execution of the data subject’s objection will only relate to the processing activities for the purposes described in this point.

    The purpose of the processing is to enable the Service Provider to assess the application received, to contact the data subject in this context, to verify his/her suitability, including by means of an interview, and to inform the data subject of the outcome of the assessment.

    The data are processed until the vacancy for which the data subject has applied is filled, except for candidates with whom the Service Provider enters into an employment relationship. Once the successful candidate has been selected, the Service Provider will inform the other candidates in writing that they have not been selected and that their personal data will no longer be processed for the above purposes, and will delete their data.

13. Use of data processors
    The Service Provider uses the assistance of data processors for certain data processing operations on the basis of a data processing contract included in a separate document, in the course of which it ensures in all cases that its data processing partners provide the necessary guarantees to ensure compliance with the applicable data protection rules and to take measures to protect the rights of the data subjects.
    The processors may not take any substantive decisions regarding the processing of the data, which they may process only in accordance with the instructions and provisions of the Service Provider and may not process or process the data for their own purposes. Personal data shall be transferred to persons and organisations that are contracted partners of the Service Provider. The list of these contracted partners, their details, the scope of the data to be transferred to them and the activities to which the processing relates are set out in Annex 1.Processing of personal data in connection with online payments
    14.1. Processing of personal data in the course of cooperation with Barion Payment Zrt.

    In order to ensure the payment of the fees for the services used through the website www.treehouses.hu by means of payment by credit card, the Service Provider shall, through the Barion Smart Gateway system, provide the customers with the services of Barion Payment Zrt. 5. floor. 5., company registration number: 01-10-048552), which necessarily involves the processing of certain personal data.

    If you, as a customer, pay the price of the accommodation service specified via the website by credit card through the Barion Smart Gateway system, the following personal data will be transferred to Barion Payment Zrt.  The transmission of these data is essential for the Service Provider to ensure the online payment of the fee for the service specified through the website by credit card via the Barion Smart Gateway system. The transfer of personal data is based on the contract concluded between the Service Provider and the data subject for the use of the service.

    During the online payment by credit card through the Barion Smart Gateway, Barion Payment Zrt. may ask the data subject to provide additional personal data, which must be provided after the data subject has been automatically redirected from the Service Provider’s website to the secure payment interface of Barion. Only Barion Payment Zrt. has access to the personal data provided by the data subject on the payment interface, the Service Provider is not entitled to do so and is therefore not a data controller with regard to these data.

    Both the Service Provider and Barion Payment Zrt. shall act as independent data controllers with regard to the data processed by the Service Provider in connection with the provision of the possibility of payment by credit card via Barion’s Smart Gateway system. Both the Service Provider and Barion Payment Zrt. are obliged to comply with the provisions of the GDPR and the applicable Hungarian data protection legislation, to ensure the secure handling of the data of the data subjects and to provide appropriate information in connection with data handling.

    The data subject may at any time exercise his/her data subject rights against the Service Provider and Barion Payment Zrt. by processing his/her personal data, and may submit his/her request for such processing in accordance with the provisions of this information, while Barion Payment Zrt. may do so in the manner described in its own data processing information. Barion Payment Zrt.’s privacy policy can be read by clicking on this link: https://www.barion.com/hu/adatvedelmi-tajekoztato/

 

14.2. Processing of personal data in connection with other online payments
When making an online payment with a bank card or Széchenyi Pihenő Kárty (hereinafter: SZÉP Card), the data subject shall already provide the card details used for the payment to the payment service provider on its online interface, to which he/she will be automatically redirected at the end of the booking/ordering process. In order to prevent and detect fraud and misuse of credit cards and SZÉP cards, and to perform any additional tasks that may be necessary to ensure the effectiveness of the payment service provider, the Service Provider shall forward the data indicated below to the payment service provider in order to confirm additional transactions. The total amount of the data transfer is necessary for the secure online payment.
Online payment by credit card and OTP SZÉP Card
Users who pay online on the website by credit card or OTP SZÉP Card are affected by the data transfer.
The recipient of the data transfer is OTP Bank Plc (company registration number: 01-10-041585, tax number: Tax number: 10537914-4-44 Registered office: 1051 Budapest, Nádor u.16. Postal address: 1876 Budapest, e-mail: adatvedelem@otpbank.hu, website: https://www.otpbank.hu) as the provider of the online payment service (hereinafter referred to as the Recipient)
The legal basis for the transfer of data is the legitimate interest of the Recipient, as the Recipient is required by law to operate a fraud prevention and detection system in connection with the provision of the payment service and is entitled to process the personal data necessary for this purpose. The recipient has established a system in compliance with its legal obligation, for the operation of which the transfer of data by the Service Provider is necessary. Accordingly, it is in the legitimate interest of the recipient to operate the fraud prevention and detection system in order to fulfil its legal obligation, and it is in the legitimate interest of the data controller and the recipient to prevent fraud and ensure the proper functioning of online payments, as the proper functioning of the payment service is a fundamental economic interest and a major source of revenue for both parties. In addition, it is also in the interest of the data subject to ensure the security of online payments and the proper functioning of the payment service. The transfer of data is necessary to achieve the above objectives and is also necessary to make the payment service more secure.
On the basis of the above, it can be concluded that the interests of the Service Provider and the recipient outweigh and outweigh the interest of the data subject not to have his/her data processed or transmitted. In breach of its legal obligation, the Service Provider shall ensure that all data subjects have the possibility to be informed of the detailed balancing of interests test, if they make such a request to the Service Provider.
Additional data related to the payment transaction: currency (HUF/EUR), language (Hungarian/English/German), legal title, unique identifier of the transaction, amount to be paid, pocket identifier (accommodation pocket) in case of payment by OTP SZÉP Card.
During the payment process, the data subject is redirected to the recipient’s website, thus during the payment process, the SZÉP Card and credit card and personal data are provided directly by the data subject to the recipient, and are not held or processed by the Service Provider.
OTP Bank Plc. is an independent data controller with regard to the processing of payments, and the data processing related to online payments can be found in the data processing information of OTP Bank Plc. at https://www.otpbank.hu/portal/hu/adatvedelem
The purpose of the transfer of data is to operate the so-called fraud-monitoring – a fraud detection system supporting the control of electronically initiated payment transactions -, to confirm transactions and to enable the performance of additional tasks that may be necessary to ensure the effectiveness of the payment.
Online payment with MKB SZÉP Card
The data transmission concerns users who pay online on the website using an MKB SZÉP Card.
The recipient of the data transfer is MKB Bank Plc (company registration number: 01-10-040952 Tax number: 10011922-4-44 Registered office: 1056 Budapest, Váci u. 38. Postal address: 1056 Budapest, Váci u. 38. e-mail: adatvedelem@mkb.hu, website: https://www.mkb.hu) as the provider of the online payment service with MKB SZÉP Card (hereinafter referred to as the Recipient)

The legal basis for the transfer is the legitimate interest of the recipient, as the recipient is required by the applicable legislation to operate a fraud prevention and detection system in connection with the provision of the payment service and is entitled to process the personal data necessary for this purpose. The recipient has established a system in compliance with its legal obligation, for the operation of which the transfer of data by the Service Provider is necessary. Accordingly, it is in the legitimate interest of the recipient to operate the fraud prevention and detection system in order to fulfil its legal obligations, and it is in the legitimate interest of the data controller and the recipient to prevent fraud and ensure the proper functioning of online payments, as the proper functioning of the payment service is a fundamental economic interest and a major source of revenue for both parties. In addition, it is also in the interest of the data subject to ensure the security of online payments and the proper functioning of the payment service. The transfer of data is necessary to achieve the above objectives and is also necessary to make the payment service more secure.
On the basis of the above, it can be concluded that the interests of the Service Provider and the recipient outweigh and outweigh the interest of the data subject not to have his/her data processed or transmitted. In breach of its legal obligation, the Service Provider shall ensure that all data subjects have the possibility to be informed of the detailed balancing of interests test, if they make such a request to the Service Provider.
Additional data relating to the payment transaction: purchase data (prices, costs), name (surname and first name), billing address, telephone number, e-mail address.
During the payment process, the data subject is redirected to the recipient’s website, thus during the payment process, the SZÉP Card and personal data are provided directly by the data subject to the recipient, and are not held or processed by the Service Provider.
MKB Bank Zrt. is an independent data controller with regard to the processing of payments, and the user can read about the processing of data related to online payments with SZÉP Cards in the data processing information of MKB Bank Zrt. at https://www.mkb.hu/adatvedelmi-iranyelvek
The purpose of the data transfer is to operate the so-called fraud-monitoring – a fraud detection system supporting the control of electronically initiated payment transactions -, to confirm transactions and to enable the performance of additional tasks that may be necessary to ensure the effectiveness of the payment.
Online payment with K&H SZÉP Card
The data subjects concerned by the transfer are users who pay online on the website using a K&H SZÉP Card.
The recipient of the data transfer is Kereskedelmi és Hitelbank Zártkörűűen Működő Részvénytársaság (abbreviated name: K&H Bank Zrt., company registration number: 01-10-041043, tax number: 10195664-4-44, registered office: 1095 Budapest, Lechner Ödön fasor 9., e-mail: bank@kh.hu, website: https://www.kh.hu/) as the provider of the online payment service with K&H SZÉP Card (hereinafter referred to as the Recipient).
The legal basis for the transfer of data is the legitimate interest of the Recipient, as the Recipient is required by law to operate a fraud prevention and detection system in connection with the provision of the payment service and is entitled to process the personal data necessary for this purpose. The recipient has established a system in compliance with its legal obligation, for the operation of which the transfer of data by the Service Provider is necessary. Accordingly, it is in the legitimate interest of the recipient to operate the fraud prevention and detection system in order to fulfil its legal obligations, and it is in the legitimate interest of the data controller and the recipient to prevent fraud and ensure the proper functioning of online payments, as the proper functioning of the payment service is a fundamental economic interest and a major source of revenue for both parties. In addition, it is also in the interest of the data subject to ensure the security of online payments and the proper functioning of the payment service. The transfer of data is necessary to achieve the above objectives and is also necessary to make the payment service more secure.

On the basis of the above, it can be concluded that the interests of the Service Provider and the recipient are stronger and more important than the interest of the data subject not to have his or her data processed or transmitted. In breach of its legal obligation, the Service Provider shall provide all data subjects with the opportunity to be informed of the detailed balancing of interests test, if they make such a request to the Service Provider.
Additional data relating to the payment transaction: purchase data (prices, costs), name (surname and first name), billing address, telephone number, e-mail address.
During the payment process, the data subject is redirected to the recipient’s website, thus, during the payment process, the SZÉP Card and personal data are provided by the data subject directly to the recipient, and are not held or processed by the Service Provider.
K&H Bank Zrt. is an independent data controller with regard to the processing of payments, and the user can read about the processing of data related to online payments with SZÉP Cards in the data processing information of K&H Bank Zrt. at https://www.kh.hu/adatvedelem
The purpose of the data transfer is to operate the so-called fraud-monitoring – a fraud detection system supporting the control of electronically initiated payment transactions -, to confirm transactions and to enable the performance of additional tasks that may be necessary to ensure the effectiveness of the payment.
14.3. Processing of data related to the online purchase of gift vouchers
The data subjects concerned by the processing are the data subjects who place an order for the purchase of a gift voucher made available by the Service Provider on the website.
The legal basis for the processing is the contractual legal basis, i.e. the processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into the contract, where the data subject is a party. The data subject is informed when placing the order that the personal data provided will be processed by the Service Provider solely for the purposes of the performance of the contract resulting from the order. The legal basis for the processing of personal data contained in the purchase invoice is the fulfilment of the Service Provider’s legal obligations under the Accounting Act.

The personal data processed include: name, telephone number, e-mail address, billing address, indication of the gift voucher ordered, the value of the gift voucher ordered, the method of payment, any other information provided by the data subject at the time of ordering which is necessary for the fulfilment of the order, the date of ordering, the date of payment.

The purpose of the processing is the conclusion and performance of the contract resulting from the order. The services related to the performance of the contract, such as the purposes of receiving and processing the order, the electronic transmission of the ordered gift voucher to the data subject, invoicing, the enforcement of the data subject’s rights.

The purpose of the processing of the personal data of the data subject is to identify the data subject, his/her telephone number is used by the Service Provider in case of possible contact in connection with the order, while the Service Provider forwards the gift voucher(s) issued according to the data subject’s request to the e-mail address of the data subject.

Duration of data processing The Service Provider shall keep the receipts containing the data (name, address, data on the invoice of the service used, consideration) necessary to fulfil the obligation to keep the data on the order (name, address, data on the invoice of the service used, consideration) for 8 (eight) years from the date of issue of the receipt, i.e. the data shall be processed until the expiry of which the data carriers shall be deleted within 1 (one) year. Further data processed in connection with the order, including messages with relevant content relating to the order, shall be kept by the Service Provider until 5 (five) years from the date of confirmation of the order, i.e. from the conclusion of the contract, which is the general limitation period applicable to civil law claims.

15. Access to personal data, transfer of dataThe Service Provider is not the sole controller of the data that it obtains as a result of its activities on Facebook or Instagram, in which case the data it shares will be processed jointly with Facebook Ireland Ltd. (headquarters: 4 Grand Canal Square, Grand Canal Harbour, D2 Dublin, Ireland) as co-controller.

    Both the Service Provider and Facebook Ireland Ltd. are obliged to comply with the provisions of the GDPR and the applicable Hungarian data protection legislation in the exercise of their data processing activities, to ensure the secure processing of personal data and to provide the data subjects with appropriate information in connection with the processing of their data. Facebook’s Privacy Policy is available here: https://www.facebook.com/privacy/explanation/ and https://www.facebook.com/policies/cookies.

    The data subject may exercise his or her data subject rights at any time in relation to the processing of his or her personal data by contacting the Service Provider or Facebook Ireland Ltd. in accordance with the provisions of this privacy notice, or by contacting Facebook Ireland Ltd. in accordance with the provisions of its privacy notice, which can be found at the link above.

    If the Service Provider receives a formal request, stating the reason for the transfer, from an authority or court authorised by law to transfer personal data or part of personal data processed by the Service Provider, the Service Provider is entitled and obliged to transfer the personal data requested in order to fulfil its obligation to do so.

    The Service Provider shall not transfer personal data other than those contained in this Notice, either within the European Union or to third countries, to data controllers, unless you request us to do so by exercising your right to data portability, or to international organisations or other recipients.

     

    Rights of data subjects, exercise of rights

    In the course of its data processing activities, the Service Provider ensures that each data subject is able to exercise his or her rights to the personal data processed for a specified purpose, as set out in this notice, in full and without any unjustified restriction or hindrance.

    The service provider shall also ensure that data subjects have at all times the right of access to data, the right to erasure, rectification and restriction of processing, the right to object in cases of processing based on legitimate interest, the right to withdraw consent and the right to data portability, and the right to seek legal remedies against processing.

    Right of access to data

    The data subject may at any time request information about the data processed by the Service Provider concerning the data subject and why and how these data are processed. Upon written request, the Service Provider shall provide a copy of the data processed concerning the data subject, information on the purposes of the processing and the recipients to whom the personal data are disclosed, the envisaged duration of the storage of the data, the rights of the data subject with regard to the processing and the rules governing the exercise of those rights.

    The Service Provider shall provide the request for a copy of the data free of charge at all times for the first copy of the document containing the data, and may charge a fee for the execution of the request in case of requesting additional copies and/or a new request with the same content within a short period of time, the exact amount of which shall be provided in the reply to the request.

    The Service Provider shall comply with requests for the provision of copies of data only if and to the extent that this does not infringe the rights and freedoms of other natural persons.

    Right to accurate, complete and up-to-date data processed

The data subject has the right to ensure that the data processed by the Service Provider meet the requirements of accuracy, completeness and timeliness. If the data provided to the Service Provider have changed, the data subject may notify the changes in writing by sending an e-mail to the Service Provider’s e-mail address noszvaj@treehouses.hu.

Right to rectification of data

If the data subject becomes aware that his or her personal data are being processed inaccurately by the Service Provider, he or she may at any time request that they be corrected or that the data he or she considers incomplete be completed, providing the correct or missing data in writing by e-mail to the Service Provider’s e-mail address noszvaj@treehouses.hu.

Right to erasure of data

In the following cases, the data subject may request the erasure of the personal data processed about him/her by the Service Provider without undue delay:

the purpose of the processing has ceased;
In the case of processing based on consent, the data subject has decided to withdraw consent and no other legal basis for further processing of the data can be established;
in the case of processing based on legitimate interests, the data subject has objected to the processing and there are no overriding reasons for continuing to process the data;
unlawful processing;
the Service Provider is required by law to erase the data.

All data subjects also have the so-called right to be forgotten, which provides for a broader right to make personal data inaccessible. When exercising this right, the Service Provider will use all possible and available IT solutions to ensure that the data are not available to it in any form in the future. In this context, the Service Provider will delete electronic files containing the data concerned from the backups stored and, in the case of possible paper processing, will simultaneously destroy the documents containing the data and carry out the operations necessary to anonymise the personal data. In addition, the Service Provider shall also oblige its contracted data processors to erase or destroy the personal data relating to the data subject which have been transmitted to them and shall notify the data processors cooperating with it of the request to take further action.

However, the Service Provider may not comply with a request for erasure if the further processing of the data is necessary for the establishment and protection of a legal interest, the exercise of the right of reply and information, the fulfilment of a legal obligation or task, the fulfilment of a statistical or research purpose or for reasons of public health.

Once a request for erasure has been complied with, it is no longer possible to restore the personal data previously processed.

Right to restriction of processing

The data subject may also request the Service Provider to restrict the processing of his/her personal data in the following cases and for the following period:

if the data subject becomes aware that his or her personal data are inaccurately processed by the Service Provider; in this case, the restriction may be requested until the accuracy of the personal data is verified;
where the data subject considers that the Service provider is unlawfully processing his or her personal data and therefore explicitly requests that the personal data not be erased;
where the Service Provider no longer needs the data concerned for the purposes for which it was collected, but the data subject requests the data for the establishment, exercise or defence of legal claims;
where the data subject has objected to the processing based on legitimate interests but his or her request has been rejected; in such a case, the restriction shall apply for a period of time until it is established whether the legitimate interests of the Service Provider or another third party prevail over the legitimate interests of the data subject.

Where the data subject’s request is justified, the Service Provider shall inform the recipients to whom the personal data have been previously disclosed of the restriction of processing. In the event of a request for restriction, the Service Provider shall not process the data subject to the restriction, but shall continue to store them, however, if the data subject has consented to their further processing, or if the processing is necessary for the establishment, exercise or defence of legal claims or if it is justified by the interests of the rights of another natural or legal person or by the public interest of the Union or of a Member State, the Service Provider shall continue to process the personal data.

If the ground for the restriction of processing indicated by the data subject no longer exists, the Service Provider shall provide written notice of the lifting of the restriction and the date of the lifting of the restriction no later than 15 (fifteen) days prior to the lifting of the restriction.

The right to data portability

On the basis of the right to data portability, the data subject shall have the right to request and receive from the Service Provider information on personal data processed by the Service Provider on the basis of the data subject’s consent or on the basis of a contract concluded with the data subject, and processed by automated means, in a structured, commonly used, machine-readable format, and the right to request the direct transfer of such data to one or more data controllers designated by the data subject.

Where the data subject exercises his or her right to data portability, the personal data processed about him or her shall be transferred by the Service Provider to one or more controllers designated by the data subject in a structured, commonly used, machine-readable and interoperable format. The Service Provider does not control the identity of the controllers to whom the data subject designates and to whom the personal data are transferred on the basis of the data subject’s request, and therefore the Service Provider is not liable for any damage or other adverse legal consequences suffered by the data subject in connection with the activities of the controller receiving the data.

Right to withdraw consent to data processing

Where the processing of personal data of the data subject is based on his or her consent, the data subject may at any time decide to withdraw it. The withdrawal of consent to the processing of personal data is valid in writing and may be sent by e-mail to noszvaj@treehouses.hu. The withdrawal of consent shall not affect the lawfulness of the processing activities of the Service Provider which it has previously carried out, in possession of the data subject’s consent, prior to the receipt of the declaration of withdrawal of consent.

Following the withdrawal of consent, the data subject’s data will be deleted from the records of the Service Provider, unless the data are also processed on another legal basis (e.g. contract, legitimate interest or legal requirement) or the data concerned by the withdrawal of consent are also processed on the basis of the data subject’s consent but for other purposes.

Objection to processing

Where the data subject’s data are processed by the Service Provider or a third party on the basis of a legitimate interest, the data subject may object to the processing at any time on grounds relating to his or her particular situation. In the event of an objection to the processing, the Service Provider shall no longer process the data, provided that there is no other legal basis for the processing, or the processing of the data subject’s data is not justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims.

Processing of requests from data subjects

The Service Provider shall, upon receipt of a request relating to the processing of personal data of the data subject or for the purpose of exercising the rights of the data subject listed above, start the processing of the request, regardless of its content, without undue delay and shall inform the data subject of the outcome in writing, without undue delay and at the latest within 30 (thirty) days of receipt.

In view of the complexity of the request or the large number of requests received by the Service Provider from other data subjects, the Service Provider may extend the time limit for responding by up to 2 (two) months, of which it shall inform the data subject in writing within 30 (thirty) days of receipt of the request at the latest, stating the reason for the delay. The extension of the time limit shall not be granted if the Service Provider considers that, on the basis of the data subject’s request, no data protection measure is necessary. In such a case, the Service Provider shall reply to the request without undue delay, but at the latest within 30 (thirty) days of receipt of the request, and inform the data subject of the lack of further action and of the remedies available to him/her against its decision.

The Service Provider shall not charge a fee for the measures taken to reply to or comply with the request, unless the request is unfounded or is made again with the same content after the previous request has been dealt with, in which case it may charge a reasonable fee in proportion to the administrative costs incurred in complying with the request, the exact amount of which shall be notified to the data subject when replying to the request.

Remedies available

The Service Provider shall always endeavour to ensure that its data processing complies with the requirements of lawfulness, fairness and data security, therefore, if the data subject is not satisfied with the processing of his/her personal data for any reason, he/she may at any time lodge a complaint with the Service Provider, which shall send an acknowledgement of the complaints submitted and inform the data subject of the outcome of the investigation in a reasoned decision without undue delay, but no later than 30 (thirty) days after receipt of the request.

If the data subject considers that the data processing was unlawful, he or she may also lodge a complaint with the National Authority for Data Protection and Freedom of Information (registered office: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1374 Budapest, Pf. 603., e-mail address: ugyfelszolgalat@naih.hu). The rules on the receipt and handling of complaints and on the conduct of official proceedings can be found at www.naih.hu. If the data subject disagrees with the decision of the authority or if the authority fails to investigate the complaint within the time limit, he or she may appeal to the competent court of the seat of the authority (Fővárosi Törvényszék, address: 1055 Budapest, Markó u. 27., postal address: 1363 Budapest, Pf. 16.).

If the data subject considers that the Service Provider has violated the data subject’s rights by improper processing of his/her data, he/she may also apply directly to the Metropolitan Court of Budapest (address: 1055 Budapest, Markó u. 27., postal address: 1363 Budapest, Pf. 16.) for legal remedy, or may also initiate proceedings before the competent court of his/her place of residence or domicile. You can find the contact details of the competent courts at the following link: https://birosag.hu/birosag-kereso. Legal representation before the tribunal is mandatory under the relevant legal provisions, so you can only assert your claim if you are properly represented by a lawyer.

If the Service Provider or its data processor has processed the personal data of the data subject in breach of the applicable data protection provisions and the data subject suffers any damage in this connection, he or she may bring a claim for damages before the competent court, and in the event of non-material damage, for damages for loss of profits against the Service Provider or its data processors, on the understanding that the data processor is liable for the damage only if it has failed to comply with the legal provisions on data processing or the instructions of the data controller. You may also, at your choice, bring your claim for damages before the competent court in the place where the Service Provider or the offending processor is established or in the place where you are domiciled or resident. The competent courts and their contact details can be found at the following link: https://birosag.hu/birosag-kereso.

In order to avoid unauthorised access to the data, the Service Provider shall comply with the data subject’s request to exercise his or her rights to data processing if the identity of the data subject can be clearly established, which requires that the data subject indicate at least his or her name and e-mail address in any request submitted by him or her, which will enable the Service Provider to establish, by comparing the data at his or her disposal, whether the request was indeed submitted by the data subject.

Data security measures

The Service Provider is committed to, and therefore makes every effort to, ensure that all personal data processed about data subjects is treated with an adequate level of security. The selection of the most appropriate data security measure is made on a case-by-case basis, taking into account and assessing the existing and likely risks to the data processed.

In order to ensure the secure processing of personal data, the Service Provider shall ensure that the electronic records and programs allowing the processing of personal data are kept confidential at all times during the processing, that the electronic records and files containing the data have the necessary protection and are resistant to any unauthorized interference, attack, accidental destruction or loss of data. The Service Provider shall ensure that the records and programs used for data management are available to the extent necessary for carrying out data management operations and for exercising and enforcing the rights of data subjects.

In order to ensure that data security requirements are fully enforced, the Service Provider shall regularly monitor the effectiveness of all measures taken to ensure data security and evaluate the results of the monitoring in a documented manner.

The systems and tools used for data processing have been selected to ensure that they are capable and appropriate to ensure access to data in the event of a data breach and to ensure that data can be restored within a reasonable time in the event of loss or destruction. Before starting any data processing operation and throughout the entire duration of the processing, the Service Provider shall continuously monitor and assess the likely risks to which the personal data are exposed at any given moment, in particular the risks of accidental or unlawful destruction, alteration, loss or access by unauthorised persons of data recorded, stored or otherwise processed by the Service Provider.

The information technology systems and networks of the Service Provider and its data processing partners are protected against computer fraud, espionage, sabotage, vandalism, fire and flood, computer viruses, computer intrusions and attacks that could lead to denial of service.

In the course of its data processing activities, it ensures the security and protection of personal data by, inter alia, the following measures:

protection against fraud, espionage, computer viruses and other malware, unauthorized intrusions and attacks leading to denial of service (firewalling, installation of antivirus programs), both in relation to the IT system and network used by the Service Provider in connection with the operation of treehouses.hu;
the Service Provider regularly updates the necessary software for the electronic systems and programs used to process personal data;
all electronic files containing personal data are backed up on a daily basis;
the systems used for the electronic processing of personal data are designed in such a way that they continuously and traceably record the time of access to the data and the person who has accessed the data;
personal data can only be accessed by authorised persons after identification;
ensure, by appropriate technical measures, that personal data of the data subjects cannot be combined with other data;
as a general rule, store personal data only in electronic format, but where personal data would also be recorded in paper documents, store these documents in lockable cabinets, with access to these documents being restricted to duly authorised persons and only to the extent strictly necessary for the performance of their tasks.
Handling data protection incidents

Despite the data security measures implemented by the Service Provider and enforced throughout the entire process of processing personal data, unfortunate and undesirable events may occur that may compromise the protection and security of the personal data processed by the Service Provider (data breaches).

In the event of a data protection incident – in accordance with the provisions of the GDPR – the Service Provider shall notify the National Authority for Data Protection and Freedom of Information without delay, but no later than 72 (seventy-two) hours from the discovery of the incident.

In the event of a data breach, it shall notify the data subjects of incidents that are likely to pose a high risk to the rights and freedoms of data subjects. Such high risks include, in particular, where the incident involves data that is considered sensitive (e.g. sensitive data, information about the financial situation of the data subject, data that could be used for identity theft or to make a public statement about the data subject), in which case the Service Provider will inform the data subjects in detail about the nature and consequences of the incident and the measures it has taken and/or envisages to remedy the consequences and eliminate any possible adverse effects.

In addition to the notification of incidents involving personal data, the Service Provider always takes minutes and keeps separate records, which contain a description of the incidents, their classification and impact on the data subjects, as well as the measures taken by the Service Provider to eliminate them as soon as possible and to eliminate their undesirable consequences. In addition, the Service Provider shall ensure that the data processors cooperating with it comply with their obligations to both report and document incidents in accordance with the applicable legal provisions, and shall expect the independent data controllers cooperating with it to ensure that data protection incidents are prevented and, if they occur, to ensure that they are dealt with.

Amendments to the Privacy Notice

The Service Provider reserves the right to amend this Privacy Notice unilaterally and without time limitation.

In the event of amendment, the Service Provider shall inform all natural persons affected by any of its processing activities by publishing the information notice on its website, including the points affected by the amendment and the date of entry into force of the amendment, with a special notice, and by making the amended and consolidated version of the privacy policy available on its website to the persons concerned.

 

1. számú melléklet

Adatfeldolgozók listája

	Név	Székhely	Kezelt személyes adatok	Adatfeldolgozáshoz kapcsolódó tevékenység	Külföldi adattovábbítással összefüggő információk
1.	Divine Tax Kft.	1144Budapest Füredi utca 64-66. 6. em. 74.	Adatkezelő által a szálláshely szolgáltatás ellenértékéről kiállított számlában szereplő adatok (számlázási név, számlázási cím)	könyvelési szolgáltatás nyújtása	–
2.	thePass Korlátolt Felelősségű Társaság	1061 Budapest, Király utca 30-32. A. ép. 105.	Adatkezelő által kezelt, felhő alapú szerveren tárolt személyes adatok	szerverszolgáltatás nyújtása	–
3.	–		Adatkezelő elektronikus adatbázisaiban tárolt személyes adatok	szerverprogramozással összefüggő szolgáltatásnyújtás	–
4.	CLUSTER INFORMATIKA Kft.	2112Veresegyház Baragödör utca 2. 1.	Adatkezelő elektronikus adatbázisaiban tárolt személyes adatok	IT fejlesztési szolgáltatások nyújtása	–
7.	Google LLC	1600 Amphitheatre Parkway in Mountain View, California, Amerikai Egyesült Államok	Adatkezelő által használt levelezési rendszerben eltárolt megrendelői és kapcsolattartói adatok	Adatkezelő részére felhő alapú levelezőrendszer biztosítása	Az adatkezeléssel összefüggésben adattovábbítás történik az Amerikai Egyesült Államokba.   Az adatfeldolgozó szavatosságot vállal azért, hogy a személyes adatok vonatkozásában a GDPR által megkövetelt és abban garantált szintet biztosítja a személyes adatok védelmét illetően.   Adattovábbítás alapja: adatkezelő és adatfeldolgozó közötti szerződéses rendelkezések (Standard Contractual Clauses (SCC).   Az adatfeldolgozó által alkalmazott SCC az adatfeldolgozó szerződési, illetve adatfeldolgozási feltételeinek részét képezi.
9.	Billingo Technologies Zrt.   thePass Korlátolt Felelősségű Társaság	1133 Budapest, Árbóc utca 6.   1061 Budapest, Király utca 30-32. A. ép. 105.	Adatkezelő szálláshely szolgáltatásait megrendelőként igénybe vevő természetes személyek számlázási neve, számlázási címe	felhő alapú számlázóprogram biztosítása	–

 

This document is effective from 15 July 2021 and was published on 15 July 2021.