2.1. When the User visits a service interface, the Data Controller’s system automatically records the User’s IP address.

2.2. Based on the User’s decision, the Data Controller may process the following data in connection with the use of the services: name, nickname, gender, place of residence, place of stay, postal code, place of birth, date of birth, telephone number, e-mail address, secondary e-mail address, introduction, IP address of last login, time of last login.

2.3. If the User sends an email (e.g., a message, request for a quote, etc.) for the purpose of a service, the Data Controller shall record the User’s email address and process it to the extent and for the duration necessary to provide the service.

2.4. If the User decides to link their Facebook account to the Data Controller’s Facebook account, the Data Controller may process the following personal data of the User in addition to those referred to above: Facebook, profile name, Facebook profile URL, Facebook profile ID, Facebook profile picture, Facebook email address, address provided on Facebook, gender provided on Facebook, birthday, introduction, marital status, and website URL.

4.1. Hotel data processing:

4.1.1 Guest data: Purpose of data processing: Purchases made at the hotel and its restaurant, issuing invoices, guest registration, documenting purchases and payments, fulfilling accounting obligations, maintaining guest relations Legal basis for data processing: data processing is necessary for the performance of a contract Types of personal data processed: name, address, name of service used, purchase price, payment method, date of service use Duration of data processing: 8 years in accordance with the provisions of the Accounting Act In the case of card payments, the bank card and card payment transaction data are processed by Raiffeisen Bank Zrt. Data transfer: in the case of bank card payments, the payer’s ID, transaction amount, date and time are transferred to the Bank. Legal basis for data transfer: data processing is necessary for the performance of the contract in accordance with the provisions of the GDPR.

4.1.2 Events: Purpose of data processing: organizing, conducting, coordinating, and supervising events by Hotel Orchidea Kft. Legal basis for data processing: data processing is necessary for the performance of the contract in accordance with the provisions of the GDPR. Scope of data processed: booking ID number, date of order and event, customer name, telephone number, email address, number of participants, name of data subject, age, gender, any special requests, food sensitivity data, other data provided during the order Duration of data processing: one month after the event. Data processing is necessary for the performance of the contract.

4.1.3. Handling quality complaints and grievances: Purpose of data processing: Handling quality complaints arising in connection with the services provided by Hotel Orchidea Kft. Legal basis for data processing: data processing is necessary for the performance of the contract Type of personal data processed: unique complaint identification number, consumer’s name, address, place, time and method of complaint submission, list of documents and other evidence submitted by the consumer, description of the complaint, place and time of recording, name and signature of the person recording the complaint. Duration of data processing: 5 years in accordance with the Fgytv. with regard to copies of reports recorded on complaints and responses to written complaints and proof of posting. 2 years with regard to the retention of duplicate copies of entries made in the customer book. No data transfer takes place.

4.1.4. Extraordinary events: Purpose of data processing: handling extraordinary events occurring at the hotel and recording them in a report. Legal basis for data processing: the data controller. The legitimate interests of other persons require the handling of extraordinary events. Scope of data processed: name, address, telephone number of the injured person, date and time of the accident, description of the injury and accident, description of the measures taken, name of the first aider, name, address, telephone number and contact details of witnesses. Duration of data processing: 5 years for guest accident reports.

4.1.5. Handling of lost property: Purpose of data processing: to record items found on the hotel premises and to notify the owner or finder. Legal basis for data processing: in accordance with the Civil Code. Type of personal data processed: date and time of discovery, details of the finder, description of the lost property, whether the owner was successfully notified, storage location, name and signature of the finder, recipient and transferor. Duration of data processing: the data will be deleted and destroyed after the found item has been collected by its owner.

4.1.6. Hotel Wi-Fi service: By connecting to the Wi-Fi network, guests consent to Hotel Orchidea Kft. monitoring their connection based on the unique network identifier of their device. Hotel Orchidea Kft. does not record hotel Wi-Fi traffic.

4.2. Marketing and market research database:

4.2.1. Marketing database: The data of those who consent to direct marketing is managed by Hotel Orchidea Kft. The purpose of data processing: building a database for business purposes, sending newsletters containing commercial advertising to data subjects via email, preparing personalized offers using online analytical data, and forwarding offers from the data controller and its partners. Only persons over the age of 16 may consent to direct marketing communications. Legal basis for data processing: the voluntary consent of the data subject in accordance with the provisions of the Grt. Scope of data processed: identification number, name, address, email address, telephone number, consent given for DM purposes, data related to the sending, delivery, and opening of messages, and the online activity of the data subjects are stored by the system. Duration of data processing: until the data subject withdraws their consent. The withdrawal of consent for the transmission of DM messages and the deletion or modification of personal data can be requested at the central email address of Hotel Orchidea Kft.

4.2.2. Database for market research purposes: The data of persons involved in market research is processed by Hotel Orchidea Kft. The purpose of data processing: recording and segmenting the data of persons participating in market research, sending research invitations, coordinating and conducting market research. Legal basis for data processing: voluntary consent of the data subject. Only persons over the age of 16 may participate in market research. Type of data processed: identification number, name, address, email address, telephone number, other data provided. Duration of data processing: until the data subject withdraws their consent.

4.3. Property protection:

4.3.1. Electronic surveillance system: An external electronic surveillance and recording system operates in the parking lot and park of Hotel Orchidea Kft., as part of which cameras have been installed throughout the entire guest area. The exact location of the cameras and the names of the areas under surveillance are displayed in a visible place in the unit, and guests are informed of this when they enter the hotel. Personal data controller: the competent manager of Hotel Orchidea Kft.

Purpose of data processing: prevention and detection of violations, apprehension of perpetrators, and proof of violations in order to protect human life, physical integrity, and property rights; identification of persons entering the hotel premises without permission, recording of the fact of entry, documentation of the activities of unauthorized persons, and to investigate the circumstances of any workplace or other accidents that may occur. Legal basis for data processing: in the case of guests, the consent of the data subject upon entering the hotel premises; in the case of employees, the legitimate interest of Hotel Orchidea Kft. in protecting its property, as accepted under the Labor Code. Type of personal data processed: facial images of persons entering the hotel premises visible in the images and other personal data recorded by the surveillance system. Duration of data processing: 30 days if not used (SzvMt) Use of recordings: Authorized to view the current images from the cameras: authorized employees of Hotel Orchidea Kft. Authorized to view the recordings from the cameras: authorized employees of Hotel Orchidea Kft. Authorized to record the camera footage on data storage media: authorized employees of Hotel Orchidea Kft.

The recordings stored by the camera surveillance and recording system operated by Hotel Orchidea Kft. may only be viewed by authorized persons for the purpose of proving violations committed against human life, physical integrity, and property, and for identifying the perpetrator. Those whose rights or legitimate interests are affected by the recording of the image may, upon proof of their rights or legitimate interests, request that the data controller not destroy or delete the recording until requested to do so by a court or authority, but for a maximum of 30 days. The person appearing in the recording may request information about the recording made of them by the surveillance system, request a copy of it, or, if other persons also appear in the recording, they may view the recording. The data subject may request the deletion of the recording made of them, the modification of data related to the recording, or may object to the data processing. The data controller is obliged to record in a log the fact that the recordings have been viewed, the name of the person who viewed them, the reason for viewing the data, and the time of viewing. Data transfer: in the event of administrative or criminal proceedings, to the authorities and courts conducting those proceedings. Scope of data transferred: recordings made by the camera system containing relevant information. Legal basis for data transfer: Be. Sztv.

4.4. Data processing by hotelorchidea.hu: 4.4.1. Server logging by hotelorchidea.hu Data processing is carried out by Hotel Orchidea Kft. and the server does not record user data when visiting the website. Data processing by external service providers: The portal’s HTML code contains links that come from and point to external servers independent of Hotel Orchidea Kft. The servers of external service providers are directly connected to the user’s computer, so we would like to draw users’ attention to the fact that they are therefore able to collect user data. Any personalized content for users is served by the servers of external service providers, and the relevant data controllers can provide information about the data processing involved. (Google Analytics server). The service code available at facebook.com has been placed on the website. The hotelorchidea.hu website was created and is operated by: Onmediaweb Bt. 1027 Budapest, Bem J. u. 9. info(at)onmediaweb.eu Tax ID: 26728768-1-41 4.5. Mobile application: When the data subject uses the mobile application of Hotel Orchidea Kft. or otherwise contacts the Kft., personal data may be collected about the data subject. The data collected can be divided into two categories: data provided by the data subject data collected by automated means.

The following information may be provided by data subjects: name, email address, date of birth, login password, legal statements related to the use of the application. The following information may be collected by automated means: the IP address used by the data subject the date of registration of the application the date of redemption of offers the type of operating system and browser running on the data subject’s computer or mobile device the type and ID of the data subject’s mobile device, advertisements, Wifi, GPS, Bluetooth usage, and activities related to the use of the application. The data collected may be used by Hotel Orchidea Kft. for the following purposes:

fulfilling the requests of the data subject, processing service orders sending information about the services, offers, promotions, or events of Hotel Orchidea Kft. and its business partners We only share the personal data of data subjects with third parties for direct marketing purposes if the data subject gives their consent.

4.6. Applying for a job: It is possible to apply for a job on the website operated by Hotel Orchidea Kft. The controller of personal data is Hotel Orchidea Kft. The employer, as the data controller, processes the personal data provided by the data subject during the selection process and for one year thereafter for the purpose of selecting personnel. Purpose of data processing: applying for a job at Hotel Orchidea Kft., participating in the selection process. Legal basis for data processing: voluntary consent of the data subject

Types of personal data processed: name, permanent address, place of residence, telephone number, email address, place and date of birth, as well as uploaded or sent photographs, CVs, and cover letters. Deadline for data deletion: one year from the date of submission of the application. 4.7. Other data processing: We will provide information about data processing not listed in this Notice at the time of data collection.

5.1. The Data Controller processes personal data in accordance with the principles of good faith, fairness and transparency, as well as the provisions of applicable laws and this Notice.

5.2. The Data Controller uses personal data that is essential for the use of the services based on the consent of the User concerned and exclusively for the purpose for which it was collected.

5.3. The Data Controller shall process personal data only for the purposes specified in this Notice and in the relevant legislation. In all cases where the Data Controller intends to use personal data for purposes other than those for which it was originally collected, it shall inform the User thereof, request his or her prior express consent, and ensure that he or she may prohibit such use.

5.4. The Data Controller shall not verify the personal data provided to it.

5.5. The personal data of persons under the age of 16 may only be processed with the consent of an adult exercising parental authority over them. The Data Controller is not in a position to verify the eligibility of the consenting person or the content of their statement, so the User or the person exercising parental authority over them guarantees that the consent complies with the law. 5.6. The Data Controller shall not transfer the personal data it processes to third parties other than the Data Processors specified in this Notice and, in certain cases, external service providers.

In certain cases – official court or police requests, legal proceedings, copyright, property or other infringements or reasonable suspicion thereof, harm to the interests of the Data Controller, jeopardizing the provision of services, etc. – the Data Controller shall make the personal data of the user concerned available to third parties.

5.7. The Data Controller’s system may collect data on user activity, which cannot be linked to other data provided by users during registration, nor to data generated when using other websites or services.

5.8. The Data Controller shall notify the user concerned and all those to whom it has previously transferred personal data for data processing purposes of any correction, restriction or deletion of the personal data it processes. Notification may be omitted if this does not prejudice the legitimate interests of the data subject in view of the purpose of the data processing.

5.9. The Data Controller shall ensure the security of personal data, take the technical and organizational measures and establish the procedural rules necessary to ensure that the data recorded, stored or processed are protected and to prevent their accidental loss, unlawful destruction, unauthorized access, unauthorized use, unauthorized alteration, and unauthorized dissemination.

6.1. The User may request that the Data Controller inform them whether they are processing the User’s personal data and, if so, provide them with access to the personal data they are processing.

6.2. The User may request the correction or modification of their personal data processed by the Data Controller.

6.3. The User may request the deletion of their personal data processed by the Data Controller. Deletion may be refused for the purpose of exercising the right to freedom of expression and information, or if the processing of personal data is authorized by law, as well as for the purpose of submitting, enforcing, or defending legal claims. The Data Controller shall inform the user in all cases of the refusal of the request for deletion, indicating the reason for the refusal. Newsletters sent by the Data Controller can be unsubscribed from via the unsubscribe link contained therein or by sending an email. In the event of unsubscribing, the Data Controller shall delete the user’s personal data from the newsletter database.

6.4. The User may request that the Data Controller restrict the processing of their personal data if the User disputes the accuracy of the data being processed. In this case, the restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data. The User may request the restriction of the processing of their personal data if the processing is unlawful, and may also request it if the purpose of the processing has been fulfilled but the User requires the Data Controller to process it for the purpose of submitting, enforcing or defending legal claims.

6.5. The User may request that the Data Controller transfer the personal data provided by the User and processed by the User in an automated manner to the User in a structured, commonly used, machine-readable format, or transfer them to another data controller. 6.6. The User may object to the processing of their personal data if the processing of personal data is necessary solely for the fulfillment of a legal obligation applicable to the Data Controller or for the enforcement of the legitimate interests of the Data Controller, a service operator, or a third party.

7.1. The Data Controller uses Data Processors to perform its activities.

7.2. Data Processors do not make independent decisions; they are only entitled to act on the basis of the contract concluded with the Data Controller and the instructions received. After May 25, 2018, Data Processors shall record, manage, and process personal data transmitted to them by the Data Controller and managed or processed by them in accordance with the provisions of the GDPR, and shall make a statement to this effect to the Data Controller.

7.3. The Data Controller shall supervise the work of the Data Processors.

7.4. Data Processors shall only be entitled to involve additional data processors with the consent of the Data Controller.

8.1. The Data Controller is entitled and obliged to transfer all available personal data stored by it in accordance with the law to the competent authorities if it is required to do so by law or by a final official order. It shall not be held liable for any consequences arising therefrom.

8.2. If the Data Controller transfers the operation or utilization of the content provision and hosting services found on the service pages, in whole or in part, to a third party, it may transfer the personal data it processes, in whole or in part, to this third party without requesting the User’s separate consent, provided that the Users are informed in advance and that this data transfer does not place the User in a more disadvantageous position than that specified in the Privacy Policy. The Data Controller shall provide the User with the option to prohibit the transfer of data.

9.1. The Data Controller reserves the right to amend the provisions of the Data Processing Notice at any time by unilateral decision.

9.2. By logging in, the User accepts the provisions of the Policy in force at the time; beyond this, it is not necessary to seek the consent of individual Users.

10.1. Questions or comments regarding data processing may be addressed to the Company’s data protection officer at …………………………………….. e-mail address. 10.2. Users may submit complaints regarding data processing directly to the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/C). 10.3. In the event of a violation of the User’s rights, the User may take legal action. The adjudication of the case falls within the jurisdiction of the court. The case may also be brought before the court of the place of residence or domicile of the data subject, at the discretion of the data subject.