1. Introduction
Studio Casa Korlátolt Felelősségű Társaság (Studio Casa Limited Liability Company), in its capacity as the Accommodation Provider and Data Controller, considers the protection and enforcement of the data processing rights of all natural persons concerned (hereinafter: ‘You’) to be of utmost importance. When handling, recording, processing, and transferring your personal data, we act in accordance with Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter: ‘Information Act’), REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR), and other applicable data protection laws.
2. Who is the Data Controller?
Name: Studio Casa Korlátolt Felelősségű Társaság (hereinafter: ‘Data Controller’)
Registered office (mailing address): H-1068 Budapest, Király utca 102.
Company registration number: 01-09-906350
Tax identification number: 14494635-2-42
Statistical code: 14494635-6832-113-01
E-mail address: info@immocto.com
Telephone number: +36 20 278 1822
3. What are the basic principles and legal bases of Data Processing?
3.1. Principles of Data Processing
As stated in Section 4 of the Privacy Policy, we treat the personal data provided to us confidentially, comply with the principles of lawfulness, fairness, and transparency under the GDPR, process personal data for specified purposes in accordance with the principle of data minimisation, adhere to the principle of storage limitation, protect the confidentiality and integrity of personal data, and respect the principle of accuracy as set out in the GDPR.
3.2. Legal Bases for Data Processing
The legal bases for data processing by the Data Controller are set out in Section 4.
4. What processing operations are carried out by the Data Controller, for what purposes, what categories of data are processed, and for how long are they retained?
|
|
Type of data processing |
Legal bases for data processing |
Purpose of data processing |
Scope of processed data |
Duration of the processing |
|
1 |
Recording the personal data of customers using accommodation services. |
Compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR. Point (1) of Section 9/H. of Act CLVI of 2016 on the state’s responsibilities regarding the development of tourism regions |
The Data Controller, as the accommodation provider, processes your personal data for the purposes of protecting your rights, safety and property as well as those of others, and for monitoring compliance with the provisions concerning the residence of third-country nationals and persons enjoying the right of free movement and residence. |
· Name (first name and surname) · Birth name (first name and surname) · Place of birth · Date of birth · Gender (male/female) · Nationality · Mother’s maiden name (first name and surname) · Identification document number / identifying data of travel document / visa or residence permit number, date, and place of entry (the identification numbers of the documents are not recorded for accommodation service users under the age of 14). · Accommodation address. · The start, expected end, and actual completion dates of the accommodation service usage. |
In accordance with Point (3) of Section 9/H. of Act CLVI of 2016 on the state’s responsibilities regarding the development of tourism regions, the Data Controller retains your personal data until the last day of the first year after becoming aware of them.
|
|
2 |
Data processing related to invoice issuance |
Compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR, and in accordance with Paragraph (2) of Section 169 of Act C of 2000 on Accounting, and Paragraph (1) of Section 179 of Act CXXVII of 2007 on Value Added Tax. |
compliance with legal requirements |
· Name · address |
In accordance with Paragraph (2) of Section 169 of Act C of 2000 on Accounting, and Paragraph (1) of Section 179 of Act CXXVII of 2007 on Value Added Tax, for a period of eight plus one years following the date of invoice issuance. |
5. Where does the Data Controller obtain your personal data from?
Only the personal data that You have provided will be processed by the Data Controller.
We hereby specify that the personal data specified in Section 4 is collected via our software, Immocto Real Estate Management System. It may occur that a given accommodation service is used by multiple natural persons (Data Subjects); however, the mandatory data reporting is carried out by a single natural person on behalf of all Data Subjects concerned. In such cases, the Data Subject responsible for fulfilling the mandatory data reporting obligation undertakes to make the contents of this Privacy Policy known to all other Data Subjects whose data are required to be reported.
6. Where are the data stored?
Your personal data are stored electronically by the Data Controller via the hosting provider indicated in Section 7.2.
7. Is a data processor engaged?
In the course of data processing, the Data Controller uses the following data processors, who act solely on the instructions of the Data Controller and do not collect, store, or process personal data for their own purposes.
|
|
Name |
Registered office |
Company registration number |
Tax identification number |
Purpose of data processing |
Data processed by the data processor |
|
1 |
NTAK (National Tourist Information Center) Magyar Turisztikai Ügynökség Zrt. |
H-1027 Budapest, Kacsa utca 15-23. |
01-10-041364 |
10356113-4-41 |
Creation of a user account, provision of services and intermediary services accessed through the website, invoicing of fees related to the services, retention of documents related to the services and invoicing, and fulfilling statutory data reporting obligations. |
· name, · birth name, · e-mail, · mother’s name, · date of birth, · place of birth, · home country, · tax identifier, · permanent residency, · notification address, · telephone number, · type and serial number of the identification document and the photograph on the identification document. |
|
|
STRIPE, INC |
354 Oyster Point Blvd, South San Francisco, California, United States, 94080 (EU-based registered office: The One Building, 1 Grand Canal Street Lower, Dublin 2, D02 H210, Ireland) |
4675506 (EU: 513174) |
EU: IE9825611F |
Storage and validity verification of bank card data provided by the user, assessment of funds necessary for order fulfilment, and detection of bank card-related fraud and misuse. |
· Name · e-mail address · bank card data |
|
2 |
Amazon Web Services, Inc. (AWS), eu-central-1 (Frankfurt |
2121 7th Avenue (SEA41) Seattle, WA 98121. USA |
Contact details of the hosting provider: aws.amazon.com/contact-us |
Hosting provider |
Data specified in Section 4. |
- |
|
3 |
WP Online Magyarország Kft. |
H-1094 Budapest, Balázs Béla utca 15-21. D. lház. 2. em. 4. ajtó |
01-09-967529 |
23480403-2-43 |
Providing downloadable documents requested by the user, managing newsletter subscriptions, and enabling user contact. |
· Surname · First name · E-mail address · Telephone number · Message · Newsletter subscription |
|
4 |
Framer B.V. |
Rozengracht 207B, 1016 LZ, Amsterdam |
59920637
|
NL853695386B01 |
domain service |
- |
8. What measures does the Data Controller take to ensure the security of the personal data it processes?
8.1. The Data Controller designs and carries out data processing operations in such a way as to ensure the highest level of protection of your privacy when applying the provisions of the Information Act, the GDPR, and other data protection regulations.
8.2. The Data Controller ensures the security of the data, implements the necessary technical and organisational measures, and establishes procedural rules required for the enforcement of the provisions of the Information Act, the GDPR, and other data protection and confidentiality regulations.
8.3. The Data Controller protects the data with appropriate measures, particularly against unauthorised access, alteration, transmission, disclosure, erasure, or destruction, as well as accidental loss or damage, and inaccessibility resulting from changes in the technology used.
8.4. If the Data Controller uses an automated system for processing personal data, it shall ensure additional measures to guarantee the following:
a) the prevention of unauthorised data entry;
b) the prevention of unauthorised use of automated data processing systems by unauthorised persons through data transmission equipment;
c) the ability to verify and determine which entities have received or may receive personal data through the use of data transmission equipment;
d) the ability to verify and determine which personal data, when, and by whom have been entered into the automated data processing systems;
e) the ability to restore the installed systems in the event of a malfunction, and
f) that errors occurring during automated processing are reported.
8.5. The Data Controller shall consider the development stage of technology at all times when establishing and applying measures to safeguard data security. Where multiple data processing options are available, the Data Controller shall select the solution that provides the highest level of personal data protection, except where such a choice would impose a disproportionate difficulty to the Data Controller.
9. Under what circumstances may personal data be transferred to third parties?
The Data Controller shall not disclose your personal data to third parties.
10. What rights do You have and how can they be exercised?
You are entitled to various rights concerning the processing of your personal data, which You may exercise at any time.
The Data Controller lists these rights below, with explanations of their implications for you. You may exercise your rights by submitting a request to one of the contact details specified by the Data Controller in Section 2.
We point out that the processing of personal data covered by this privacy policy is based on the fulfilment of a legal obligation; therefore, You cannot exercise your right to withdraw consent in relation to this data processing.
Rights of access to and rectification of personal data
You have the right to access your personal data, request a copy, and have them rectified or updated at any time.
Based on the right of access, You are entitled to receive information about the following:
a) the purposes of data processing;
b) the categories of personal data relating to the data subject;
c) the recipients or categories of recipients with whom the personal data have been or will be shared, including in particular third-country recipients and international organisations;
d) where appropriate, the intended storage period of the personal data;
e) the data subject’s right to request the Data Controller to rectify, erase, or restrict the processing of their personal data, and to object to such processing;
f) the right to lodge a complaint with a supervisory authority; and
g) the fact of automated decision-making, including profiling (which in this case refers to determining personal preferences and interests based on the personal data in the database, and sending direct marketing messages accordingly).
We understand the importance of this, so if You wish to exercise these rights, please contact us using any of the contact details specified in Section 2.
Right to data portability
Your personal data are portable. This means that your personal data can be transferred, copied, and transmitted electronically.
If You wish to exercise your right to data portability, please contact us through any of the contact details specified in Section 2.
Right to delete personal data
You have the right to request the deletion of your data in the following cases:
a) your personal data are no longer necessary for the purpose(s) for which they have been collected; or
b) You withdraw your previous consent to the processing of your personal data and there is no other legal basis for the processing; or
c) You object to the processing of your personal data;
d) the processing of personal data is not executed in a lawful fashion; or
e) the deletion of your personal data is required for compliance with legal obligations.
However, the Data Controller is not obliged to comply with your request if the data processing is necessary for the following:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in so far as the deletion of data is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise, or defence of legal claims.
If You wish to exercise this right, please contact us using any of the contact details specified in Section 2.
Right to restriction of processing
You may request the restriction of the processing of your personal data under the following conditions:
a) if You believe that the personal data stored in relation to You are not accurate; or
b) the processing of personal data is not executed in a lawful fashion, but instead of requesting their erasure, You would prefer to restrict their processing; or
c) the Data Controller no longer needs your personal data for the original purpose(s) for which they have been collected; however, You need them for the purpose of lodging or enforcing a claim or to object to a particular claim; or
d) You have objected to the processing of your personal data and are awaiting verification as to whether the legitimate grounds of the Data Controller override your interests related to the objection.
If You wish to restrict the processing of your personal data, please contact us using any of the contact details specified in Section 2.
Right to object
You may object to the processing of your personal data at any time. If You intend to exercise this right, please contact us using any of the contact details specified in Section 2.
Automated decision-making
The Data Controller does not carry out automated decision-making processes.
11. What are the consequences of unlawful data processing? Right to lodge a complaint with a supervisory authority
11.1. The Data Controller is liable to compensate for any damage caused by unlawful processing of your data or by a breach of data security requirements.
11.2. If the Data Controller, through unlawful processing of your data or breach of data security requirements, also infringes your personal rights, You may claim compensation from the Data Controller.
11.3. If the Data Controller refuses to recognise any of your rights, or if You are not satisfied with our response, or if You wish to file a complaint, You may approach a civil court as well as the supervisory authority, the Hungarian National Authority for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11.; postal address: H-1363 Budapest, Pf.: 9.; telephone number: +36 (1) 391-1400; e-mail address: ugyfelszolgalat@naih.hu).
Dated: Budapest, 1 January 2024
We have recorded your request and one of our colleagues is going to contact you soon.
