EN

Data protection notice

The personal data recorded in connection with the activities of TISIA Event Ltd. on the protection with regard to the processing of personal data and on the free movement of such data, and in accordance with the Regulation (EC) No. 2016/679 of the European Parliament (EU) and of the European Council (EC) revoking the Regulation No. 95/46 (hereafter: 'GDPR') and the CXII Act of 2011 on the right of information self-determination and freedom of information (hereafter : 'Info tv').

The publisher of this Data Management Notice is also the data management organisation. The data management is accomplished by the staff of our organization. Only TISIA Hotel & Spa employees are those who absolutely need them to do their job will have access to the data subjects' data. Access rights to personal data are governed by internal rules.

Name and contact details of the data con troller's representative (Article 13 of the GDPR) Article 1/a):

Name: TISIA Event Ltd.
Address of Head Office: 3580, Tiszaújváros, Kandó Kálmán street 2.
Represented by: Zsolt Jáborszki
E-mail: zsolt.jaborszki@tisiaevent.hu

Data Protection Officer (Article 13 1/b of the GDPR)

Name: András Szabó
Postal Address: 3580, Tiszaújváros, Teleki Blanka street 4.
E-mail: andras.szabo@tisiaevent.hu

Available means of redress:

If the Data Subject considers that the processing did not comply with the legal requirements, they have the right to file a complaint with the National Data Protection and Freedom of Information Authority. Right to express grievances to the supervisory authority (due to Article 77 (+of the) GDPR) and the right to judicial redress against a decision of the supervisory authority (due to Article 78 of the GDPR) are available.

Contact details of the National Data Protection and Freedom of Information Authority:

Headquarter’s Address: 1125, Budapest, Szilágyi Erzsébet fasor 22/C.
Postal Address: 1530, Budapest, Pf.: 5.
Website: http://naih.hu
E-mail: ugyfelszolgálat@naih.hu
Telephone: +36-1-391-1400

Management of the website visitors' data:
Scope of managed data start and end time of the website user's visit, IP address and other recorded browsing data (cookies)
Purpose of data management identifying visitors to the website’s visitors, observing/analyzing their browsing habits
Legal basis for data management consent of the data subject / to Article 6 (1) (a) of the GDPR
Data source from the data subject
Data transmission
Deadline for deleting data until the consent of the data subject is withdrawn
Direct marketing (sending newsletter)
Scope of managed data name and email address
Purpose of data management for marketing purposes, promoting the hotel 's services by sending an online newsletter
Legal basis for data management consent of the data subject to Article 6 (1) (a) of the GDPR
Data source from the data subject 
Data transmission
Deadline for deleting data until the consent of the data subject is withdrawn
Offer request
Scope of managed data name, e-mail address, telephone number, number of persons wishing to use the service, (number of children, their age)
Purpose of data management establishing contact, keeping in touch, sending out personalized offers
Legal basis for data management performance of the contract of GDPR Article 6 (1) (b)
Data source from the data subject
Data transmission
Deadline for deleting data - in the event of a successful request for quotation, in accordance with the reservation rules,
- in the event of a rejection of the tender, until the date of the rejection,
- if no reply to the offer is received, by the day following the expiry of the time limit for the submission of offers.
Direct booking
Scope of managed data name, e-mail address, telephone number, number of persons wishing to use the service, (number of children, their age)
Purpose of data management making a room reservation
Legal basis for data management performance of a contract of Article 6 (1) (b) of the GDPR data; processing based on legislation (Sections 30-31 of Act C of 1990) regarding the date of birth of Article 6 (1) (c) of the GDPR  
Data source from the data subject 
Data transmission
Deadline for deleting data - personal data received during the booking process will be processed for the duration of the contractual relationship with the data submitted,
- name and address: for 8 years pursuant to Section 169 of Act C of 2000 on Accounting,
- age of the guests: Act of the tax regime §CL. of 2017, pursuant to § 78 (3) and § 202 (1) of the Act until the last day of the 5th year following the year in question.
Booking through intermediaries
Scope of managed data name, e-mail address, telephone number, number of persons wishing to use the service (number of children, their age) and in some cases, credit card details
Purpose of data management making a room reservation
Legal basis for data management performance of the contract of the GDPR Article 6 (1) (b), statutory (1990 C. law. 30-31) data processing in respect of date of birth of GDPR Article 6 (1) (c)
Data source From on-line intermediaries and travel agencies specified according to laws as independent data controller
Deadline for deleting data - the personal data received during the booking will be processed for the duration of the contractual relationship with the data subject;
Except for:
- address: for 8 years under Section 169 of the Accounting Act C of 1990;
- age of the guests: under Section 78 (3) and §202 (1) of the Tax Code 2017, until the last day of the 5th year following the year in which they are subject.
Loyalty program
Scope of managed data name, number of previous hotel stays
Purpose of data management providing discounts, increasing sales, establishing a regular customer base obligation
Legal basis for data management consent of the data subject to Article 6 (1) (a) of the GDPR
Data source from the data subject, from own records
Deadline for deleting data until the consent of the data subject is withdrawn
Invoicing
Scope of managed data name, address, credit card details settlement of the value of the service used for consideration, fulfillment of the invoicing obligation
Purpose of data management payment of the value of the service used fulfillment of the invoicing obligation
Legal basis for data management fulfillment of the legal obligation contained in Section 169 of Act C of 2000 on Accounting of Article 6 (1) (c) of the GDPR
Data source from the data subject
Deadline for deleting data pursuant to Section 169 of Act C of 2000 on Accounting for 8 years
Newsletter
Scope of managed data e-mail address, name
Purpose of data management maintaining and developing relations with guests and partners
Legal basis for data management the data subject's consent to Article 6 (1) (a) of the GDPR, which the data subject gives when he or she starts using the specific function
Data source from the data subject
Deadline for deleting data it lasts until the user unsubscribes from the newsletter
Data transmission
Application form
Scope of managed data name, date of birth, identity card / passport number, residential address, billing address, e-mail address, car registration number
Purpose of data management direct marketing, sale of services
Legal basis for data management consent of the data subject to GDPR Article 6 (1) (b) of the GDPR; Article 6. Paragraph 1 - fulfillment of the legal obligation contained in Section 169 of Act C of 2000
Data source from the data subject
Data transmission
Credit card details
Scope of managed data cardholder's name, card number, expiration date, CVV / CVC
Purpose of data management performance of a hotel service contract
Legal basis for data management consent of the data subject to Article 6 (1) (b) of the GDPR
Data source from the data subject
Data transmission
Camera system
Scope of managed data the portrait, conduct and behavior of those affected/data subjects
Purpose of data management protection of physical integrity of the persons staying in the territory of the Hotel, protection of personal and property safety
Legal basis for data management consent of the data subject to Article 6 (1) (a & f) of the GDPR, for the duration of 30 days after its registration
Data source electronic surveillance system (camera system)
Data transmission
Report of a complaint
Scope of managed data name, address of the data subject, a detailed description of the complaint and the documents, photographs, image recordings pertinent to the matter
Purpose of data management protection of the life and physical integrity of persons staying in the territory of the Hotel, protection of personal and property safety
Legal basis for data management Law No. CLV. of 1997 on consumer protection, Section 17 / A. § (7), which makes data storage mandatory for 5 years from the date of the report
Data source from the data subject
Data transmission

Usage of the central safety box

Scope of managed data

Name, address and phone number of renters

Purpose of data management

Usage of the central safety box

Legal basis for data management

fulfillment of the contract /GDPR article 6. §(1) a) és b)

Data soursea

from the renters

Data transmission

Deadline for deleting the data

the personal data received are processed for the duration of the contractual relationship with the data subject concerning the use of the central safe

Access to an effective judicial remedy against the controller (Article 79 of the GDPR) may bring an action before the competent tribunal in the event of a breach of the rules on the processing of personal data.

Competent Tribunal:

Address: 3525 Miskolc, Dózsa György Avenue 4
Postal Address: 3550 Miskolc, Pf. 370.

Scope of the Data subjects' managed data:

eContact details for the purpose of requesting an offer or booking (surname, first name, address, telephone number, e-mail address) in accordance with Article 6 (1) (b) and (c) of the GDPR,

The scope of the data processed is contained in the Data Controller's documentation or computer database.

Purposes and legal basis of data processing:

The Data Controller handles the personal data of the Data Subjects for the purpose of making personal, online or telephone bookings, using the Hotel's services, liaising and fulfilling their statutory obligations, in particular tax and accounting obligations.

The legal basis for the processing of personal data is the voluntary, prior informed consent of the Data Subject.

By submitting the personal data provided on the Hotel's website, the Data Subject declares that they has become aware of the version of the Privacy Notice in force at the time the data is provided and voluntarily contributes to the use of their Personal Data. The Data Subject may transfer personal data in accordance with relevant data protection legislation and warrants that they provides consent for the transfer of information.

Upon entering the Website, the Data Controller shall record the IP Address of the Data Subject in connection with the provision of the Service, taking into account the legitimate interest of the Data Controller and the lawful provision of the Service, without the Data Subject's separate Consent.

Duration of data processing:

Pursuant to Section 169(1) of the Accounting Act of 2000 An entity shall be bound to preserve the accounts for the financial year in question, the annual report and the inventory, valuation, ledger statement, logbook or other records complying with the requirements of the law in legible form for at least 8 years.
(1) The accounting document (including ledger accounts, analytical or detailed records) supporting the accounts directly and indirectly shall be kept in legible form for at least 8 years and shall be relatable by reference to the accounting records. Pursuant to Section 78 (1) CL. Law 2017 on the tax regime: The documents set out in Paragraph 77(1) must be preserved by the taxpayer liable to keep them at the place declared to the tax authorities.
(2) Documents may be forwarded to another place for the period of accounting and processing, but shall be presented within three working days at the request of the tax authorities.
(3) The documents shall be kept by the taxpayer, irrespective of the method of recording, until the right to determine the tax gets time-barred, in the case of deferred tax, it should be kept for a period of five years from the last day of the calendar year in which the deferred tax is due.
(4) The employer (the payer) shall keep the supporting documents on which the withholding tax is established until the date referred to in paragraph 3.
77.§ (1) Statutory documents, book and register required by law, including electronic data and information saved on a computer medium, shall be issued or maintained in such a way so as to be capable of establishing and verifying the basis of taxation, the taxable amount, the tax exemption, discount, budget support base and amount, and be able to establish and control their payment and use.

Consent of the Data Subject:

The processing of personal data is based on the consent of the Data Subject. Consent may be given on

- a separate declaration
- a document establishing the legal relationship between the Data Controller and the Data Subject (e.g. online booking, completion of the notification form, contract)

Beside the consent of the Data Subject, the processing of personal data is based on the performance of the contract between the parties and the fulfilment of the legal obligations of the Data Controller.

Consent is voluntary and the Data Subject has the right to withdraw his or her consent at any time without restriction by making a unilateral declaration addressed to the Data Controller.

Data which the Data Controller is obliged to process in accordance with their own legal obligations. Even in the case of withdrawl of the Data Subject's contributing consent, they are to continue data processing according to relevant legal provisions.

Recipient of personal data:

The Data Controller may transfer the Personal Data of the Data Subject to public authorities and tax authorities in order to fulfil their obligations under the law.

Rights of the Data Subject:

The data subject shall have the right to have, in respect of personal data processed by the controller and by a processor acting on their behalf or at their disposal:

The data controller shall immediately delete the personal data of the data subject if:

- the processing is unlawful,
- the data subject withdraws their consent to the processing or requests the deletion of their personal data, unless the processing of the data is carried out by Infotv. Paragraph 5(1) (a) or (c) or paragraph 2 (b), the deletion of the data has been ordered by law, by an act of the European Union, by the Authority or by a court, or ,
- the personal data are no longer needed for the purposes from which they were collected or otherwise processed.

The data shall not be deleted by the controller if the processing is necessary for one of the following reasons:

- for the purpose of exercising the right to freedom of expression and information,
- for the purpose of fulfilling a legal obligation to process personal data,
- necessary for the submission, enforcement and defense of legal claims.

- the data subject disputes the accuracy of the personal data, in such a case where the restriction shall apply to the period of time that allows the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the deletion of the data and instead requests that their use be restricted;
- the controller no longer needs the personal data for the purpose of data processing, but the data subject requests them in order to make, enforce or protect legal claims;
- the data subject has objected to the processing of data in the legitimate interest; in that case, the restriction shall apply for as long as it is established whether the legitimate reasons of the controller take precedence over the legitimate reasons of the data subject;
- where data processing is restricted, personal data other than storage may only be processed with the consent of the data subject or for the purpose of bringing, enforcing or protecting legal claims or protecting the rights of another natural or legal person or in the important public interest of the Union or a Member State. The coontroller will inform the data subject in advance about the lifting of the restriction.

Scope of data protection notice:
This notice is issued on May 1st, 2021. The data controller is entitled to amend it independewithout prior notice at any time.