Elementor #3763 – Business & Leisure

PRIVACY NOTICE

Pursuant to Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the GDPR), Business and Leisure Services Kft. (hereinafter: the Data Controller) provides the following information to data subjects regarding the processing of personal data.

The Data Controller processes personal data for purposes arising in connection with its operations, in particular for contacting Guests who use accommodation and other services, for recording Guest data in order to comply with its statutory obligations, for document management processes related to the Data Controller’s operations, for invoicing, and for the performance of its contractual obligations.

Our company collects and processes personal data only in compliance with applicable laws. During the operation of our website, personal data (name, e-mail address, phone number) provided via the contact form and/or sent to the e-mail address indicated there are processed for the purpose of enabling us to provide appropriate services to visitors of the website. The Data Controller declares that it processes personal data in accordance with this privacy notice and complies with the provisions of the relevant legislation.

The Data Controller processes only such personal data that are indispensable for achieving the purpose of processing and are suitable for that purpose. Personal data are processed only to the extent and for the period necessary to achieve the purpose. The Data Controller protects the personal data it processes by all means reasonably expected.

Data Controller: Business and Leisure Services Kft. (represented by: Kiss Ildikó, Managing Director)
Registered address of the Data Controller: H-3525 Miskolc, Cserhát utca 48., 1st floor, door 2
Contact details of the Data Controller: phone: +36 70 743 7773; e-mail: booking@bandls.hu
Legal basis for processing: The legal basis for processing is the data subject’s consent. [Processing under Article 6(1)(a) of the GDPR]; Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, Section 5(1)(a): the data subject’s consent.

Consent to processing: Upon concluding the contract, the contracting party expressly gives consent to the processing of the personal data voluntarily provided by them and to the transfer of such data to Partners.

With respect to the legal basis for Business and Leisure Services Kft.’s data processing: in the case of employees it is a legal obligation, while in the case of registering clients and visitors it may be based on statutory authorization and legitimate interest.

Categories of data subjects: Contracting parties (Guests). The category of data subjects affected by the processing includes visitors to the website who provide personal data for the purpose of making contact. The duration of processing always depends on the specific user purpose; however, data are deleted without delay once the original purpose has been achieved. The data subject may withdraw their consent to processing at any time by sending a message to the contact e-mail address. If there is no legal obstacle to deletion, the data will be deleted.
Categories of personal data processed: Data necessary for performance of the contract provided by the contracting party (Guest) upon conclusion of the contract: name, birth name, permanent address, place of stay, tax identification number, tax number, ID card number, phone number, e-mail address, image/likeness, name of legal representative, permanent address, phone number and e-mail address of the legal representative.

Providing the requested personal data (name, phone number, e-mail address) is strictly necessary for communication. We require additional data when placing an order or issuing an invoice. Invoices issued by the company, with regard to personal data – in the case of private individuals and sole proprietors – contain the mandatory elements set out in Section 169 of Act CXXVII of 2007 on Value Added Tax: the buyer’s name, address, and tax number (in the case of a foreign buyer: Community VAT number) and bank account number.

The Guest expressly acknowledges and accepts (and consents to the recording of their image/likeness) that, for the protection of persons and property, a camera surveillance system operates at the entrance gate of the property (guesthouse: 7773 Villány, Béke utca 10), and the recordings are deleted in accordance with the relevant legal provisions.

We keep records of and process the personal and special categories of data of our employees and persons engaged under a mandate relationship in accordance with, and to the extent required by, the Hungarian Labour Code. We process the personal and special categories of data of our clients and visitors (Guests) to the extent necessary for the performance of a legal obligation and based on legitimate interest.

Purpose of data collection: conclusion and performance of the contract, communication, ensuring personal and property security, invoicing, ordering, refunds, and fulfillment of other statutory obligations.

CATEGORIES OF DATA PROCESSED — PURPOSE OF PROCESSING

Name of natural person / Company name: communication, ordering, invoicing
Address: ordering, invoicing
E-mail address: communication, ordering, invoicing
Phone number: communication
ID card number: fulfillment of statutory identification obligations
Image/likeness: ensuring personal and property security
Tax number and/or Community VAT number: invoicing
Bank account number: ordering, invoicing, refunds
Persons/entities entitled to access the data (potential data controllers):
- Employees/agents of Business and Leisure Services Kft.
- Partner service providers and their employees/agents

Those entitled to access the data are the Data Controller and its employees/agents, as well as Partner service providers and their employees/agents. The data subject may request from the Data Controller access to personal data relating to them, rectification, erasure, restriction of processing, may object to the processing of such personal data, and may exercise the right to data portability. The data subject may withdraw their consent to processing at any time; however, this does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.

The data subject may exercise the right to lodge a complaint with the supervisory authority. If the data subject wishes to use the relevant service of the website to inquire about our services, it is necessary to provide the requested personal data. The data subject is not obliged to provide personal data; failure to provide data entails no adverse consequences. However, certain functions of the website cannot be used without it. The data subject is entitled to request the Data Controller to rectify and/or supplement inaccurate personal data relating to them without undue delay, and to request the Data Controller to erase inaccurate personal data relating to them without undue delay. The Data Controller is obliged to rectify or erase personal data relating to the data subject without undue delay if there is no other legal basis for processing.

Requests for deletion or modification of personal data may be submitted as follows:

by post: Business and Leisure Services Kft.; 3525 Miskolc, Cserhát utca 48., 1st floor, door 2
by e-mail: booking@bandls.hu
by phone: +36 70 743 7773

Guests’ financial data are processed by the Data Controller and the Data Controller’s contracted partners. In the case of payment made directly to the Data Controller (bank transfer, cash or cash-equivalent payment instrument), Guest data are processed exclusively by the Data Controller. In the case of payments made via intermediary websites and financial service providers, Guest data (for communication, ordering, payment and invoicing) are processed not only by the Data Controller but also by the Data Controller’s authorized partners (intermediary websites and financial service providers) in accordance with their own privacy policies.

Our partners authorized to process data:

DATA PROCESSOR	CATEGORIES OF DATA PROCESSED	PURPOSE OF PROCESSING
Booking.com	Name, address, phone number, e-mail address, bank card data	communication, ordering, guarantee, invoicing
Szállás.hu	Name, address, phone number, e-mail address, bank card data	communication, ordering, guarantee, invoicing

Duration of processing: term of the contract + 5 years

We process and store data under the management of Business and Leisure Services Kft. for the period prescribed by law. Where legislation does not prescribe a retention period, we delete the data after the purpose has been achieved.

Method of data storage: electronic and paper-based.

The Data Controller stores Guests’ booking and personal data on paper and electronically, while Guests’ financial data are stored exclusively in electronic form in closed systems used in the course of operations. Business and Leisure Services Kft. and its employees/agents act with the highest level of care expected regarding data processing: the company takes all necessary and reasonable measures for the secure storage of electronic data, and employees’ confidentiality agreements guarantee secure handling of data.

DATA PROCESSING PRINCIPLES

Principle of purpose limitation:
One pillar of lawful processing is that we do not process data without a purpose, as that would be unlawful. We continuously review data to ensure they reflect reality. We process personal data only to the extent necessary to achieve the purpose. Processing must be suitable to achieve its purpose; if it no longer serves its defined purpose, it must be terminated. The purposes of Business and Leisure Services Kft.’s data processing are determined by legal provisions and contractual relationships. We never depart from this purpose. We always ensure that data are processed only until the purpose is achieved and that no further operations are carried out.

Principle of data minimization:
Business and Leisure Services Kft. always processes the data necessary and suitable to achieve the purpose. Employees continuously review datasets containing personal data to ensure that only data corresponding to reality are recorded and processed to the extent necessary for achieving the purpose.

Accuracy – data quality principle:
Data must always be up to date. The Data Controller must review datasets and correct incorrect or inaccurate data. Employees of the Data Controller verify data accuracy in their capacity as data controllers and correct incorrect or inaccurate data without undue delay, or, if correction is not feasible, the data are deleted.

Principle of storage limitation:
After achieving the defined purpose, data are deleted or anonymized.

GUESTS’ RIGHTS RELATING TO DATA PROCESSING

Consent to processing may be withdrawn at any time.
The data subject may request feedback as to whether the processing of their personal data is ongoing and, if so, may obtain access to the personal data and to the information contained in this Notice.
The data subject may request the Data Controller to:
- rectify personal data,
- erase, block or restrict processing of personal data.
The data subject may object to the processing of personal data.
Upon request, processing may be restricted.
Data relating to the data subject may be transmitted to another data controller.

Information about personal data, their modification, deletion, and the exercise of other rights may be initiated with the Data Controller in person, by post, by phone, or by e-mail.

The Data Controller provides the requested information in an understandable form as soon as possible, but no later than within 15 days from submission of the request, in writing at the request of the Guest. If the Guest’s request is deemed justified, the Data Controller takes measures without delay to rectify or erase the Guest’s personal data.

If personal data not corresponding to reality are recorded, the Data Controller modifies them if personal data corresponding to reality are available.

The Data Controller deletes personal data if:

processing is unlawful;
the data are incomplete or incorrect and this cannot be lawfully remedied;
the data subject requests deletion;
the purpose of processing has ceased, or the statutory storage period has expired;
a court or authority orders deletion.

Instead of deletion, the Data Controller blocks the personal data if the data subject so requests, or if, based on available information, it can be assumed that deletion would infringe the data subject’s legitimate interests. Blocked personal data may be processed only as long as the purpose of processing that precludes deletion exists.

From among lawfully processed data, the Data Controller may transfer those necessary for the purpose of processing to:

bodies authorized by law for the settlement of legal disputes;
the competent authority for national security, defense and public security, and for the prosecution of public crimes;
in accordance with other statutory provisions.

If the data subject does not agree with the decision or information provided by the Data Controller regarding the processing of their personal data, or if the Data Controller fails to meet the statutory deadline for response, the data subject may, within 30 days of communication of the decision or of the missed deadline, turn to a court or to the National Authority for Data Protection and Freedom of Information (NAIH). Proceedings fall within the competence of the regional court. If the court grants the request, it may order the Data Controller to provide information, rectify, block or erase data, annul decisions made by automated data processing, take into account the data subject’s right to object, and/or release data.

In the event of violation of the data subject’s rights and/or in case of comments, statements may be submitted and/or the following authorities may be contacted:

Competent Court
National Authority for Data Protection and Freedom of Information (NAIH): H-1530 Budapest, Szilágyi Erzsébet fasor 22/C
Business and Leisure Services Kft.: H-3525 Miskolc, Cserhát utca 48., 1st floor, door 2

DATA PROCESSING RELATED TO WEBSITE OPERATION

Website operator:
Name: Innovisuals Kft.
Registered office: 6760 Kistelek, Petőfi utca 53.
Mailing address: 6760 Kistelek, Petőfi utca 53.
Phone: +36 70 630 8991

Data processing principles during website operation

Personal data may be processed if:
a) the data subject consents, or
b) processing is ordered by law or – within the scope defined therein – by a local government decree, for a purpose in the public interest (mandatory processing).

Personal data may also be processed where obtaining the data subject’s consent is impossible or would involve disproportionate costs, and processing is necessary to comply with a legal obligation applicable to the data controller, or necessary for the purposes of the legitimate interests pursued by the data controller or a third party, provided that the enforcement of such interests is proportionate to the restriction of the right to protection of personal data.

Where personal data were collected with the data subject’s consent, unless otherwise provided by law, the data controller may, without further consent and even after withdrawal of consent, process the collected data for compliance with a legal obligation applicable to the data controller, or for the purposes of legitimate interests pursued by the data controller or a third party, provided that the enforcement of such interests is proportionate to the restriction of the right to protection of personal data.

Personal data may be transferred to a data controller or processor established in a third country only if the data subject has expressly consented or if the conditions set out above are met and an adequate level of protection of personal data is ensured in the third country during processing and handling of the transferred data. Transfers to EEA states shall be considered as transfers within Hungary.

Scope of personal data processed and characteristics of processing

Data processing activities on the https://bandls.hu website are based on voluntary consent. With regard to website visitors’ data:

Purpose of processing: During visits to the website, the hosting provider records visitor data in order to monitor operation of the service and prevent abuse.
Legal basis: the data subject’s consent and Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services.
Categories of data: date, time, the IP address of the user’s computer, the address of the visited page, the address of the previously visited page, data related to the user’s operating system and browser.
Duration of processing: 365 days from viewing the website.

USE OF GOOGLE ANALYTICS

This website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files stored on your computer that help analyze the use of the website by the User.

Information generated by cookies relating to the User’s use of the website is generally transmitted to and stored on a Google server in the USA. By activating IP anonymization on the website, Google shortens the User’s IP address within Member States of the European Union or other states party to the Agreement on the European Economic Area prior to transmission. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.

On behalf of the website operator, Google uses this information to evaluate how the User uses the website, to compile reports on website activity for the website operator, and to provide further services relating to website and internet usage. Within Google Analytics, the IP address transmitted by the User’s browser is not merged with other Google data.

The User may prevent the storage of cookies by selecting the appropriate settings in their browser; however, please note that in this case it may be that not all functions of the website can be fully used. Google Analytics’ web analytics software and external server assist in independent measurement and auditing of website traffic and other web analytics data. Further information on the processing of measurement data is available at www.google-analytics.com.

External service providers may place and read back a small data package, a so-called cookie, on the user’s computer in order to provide customized services. If the browser sends back a previously stored cookie, the service providers managing it can link the user’s current visit with previous ones, but only with regard to their own content.

MANAGEMENT OF COOKIES

Pursuant to Section 20(1) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, the following must be defined in relation to the website’s cookie processing:

the fact of data collection and the categories of data processed: unique identifier, dates, times;
the categories of data subjects: all visitors of the website;
the purpose of data collection: identification of users, creation of statistics, keeping records of “requests for offers/bookings”, and tracking visitors;
duration of processing and deadline for deletion: the last viewed page is deleted after 10 years; PHP session ID is deleted when the browser is closed;
persons entitled to access and process the data: the Data Controller’s employees, observing the above principles;
description of data subjects’ rights relating to data processing: data subjects may delete cookies in the browsers’ Tools/Settings menu, typically under Privacy settings.

Legal basis: Consent from the data subject is not required if the sole purpose of using cookies is to transmit communication through an electronic communications network, or if the service provider strictly needs them to provide an information society service explicitly requested by the subscriber or user. Typical cookies include “cookies used for password-protected sessions”, “cookies necessary for shopping baskets” and “security cookies”, which do not require prior consent.

DATA TRANSFER

Based on written contractual authorization, possible transfers to third countries:

Business and Leisure Services Kft. transfers personal data to a data controller (processor) established in a third country in three cases:

if the data subject expressly consents to the transfer;
in the absence of express consent, if the following cumulative conditions are met:
a) the data controller (the transferring organization) has a legal basis for processing recognized by the Infotv., and
b) an adequate level of protection of personal data is ensured in the third country, as established by a binding legal act of the EU or by an international agreement providing adequate safeguards;
exceptional transfer based on Section 6(2) of the Infotv., in which case it is not necessary to examine whether the third country provides an adequate level of protection.

The conditions for international transfers under the Infotv. are based on Articles 25–26 of the Data Protection Directive.

Consent must be voluntary. Consent is not valid if the data subject had no real choice or was presented with a fait accompli. Consent must be explicit, i.e., it may serve as a valid legal basis for transfer only if given explicitly for a specific transfer or category of transfers. Consent must be informed: the information provided to the data subject must include the risks arising from the transfer of data to a country that does not ensure adequate protection.

CONTACT VIA THE https://bandls.hu WEBSITE

Purpose of processing: contact, communication, provision of information, requesting information.
Legal basis: the data subject’s consent.
Categories of data: name, e-mail address, phone number, date and time, and other personal data provided by the data subject.
Deadline for deletion: The duration of processing always depends on the specific user purpose, but data are deleted without delay once the original purpose has been achieved or if the data subject requests deletion.

Requests for deletion or modification of personal data may be submitted as follows:

by post: Business and Leisure Services Kft.; 3525 Miskolc, Cserhát utca 48., 1st floor, door 2
by e-mail: booking@bandls.hu
by phone: +36 70 743 7773

SOCIAL MEDIA SITES

Pursuant to Section 20(1) of Act CXII of 2011, the following must be defined regarding data processing on social media:

a) the fact of data collection;
b) the categories of data subjects;
c) the purpose of data collection;
d) duration of processing;
e) persons entitled to access the data (potential data controllers);
f) description of data subjects’ rights relating to data processing.

Fact of data collection and categories of data processed: registered name on social media sites (Facebook / Google+ / Twitter / Pinterest / YouTube / Instagram, etc.) and the user’s public profile picture.
Categories of data subjects: all data subjects who are registered on the above social media sites and have “liked” the company’s social media page.
Purpose of data collection: sharing and/or “liking” content elements, products, promotions, or the social media page itself, and promoting them.
Duration of processing, deletion deadline, persons entitled to access, and rights of data subjects: The data subject may obtain information on the source and processing of data, the method of transfer and legal basis on the given social media platform. Processing takes place on the social media platforms; therefore, the duration, method, and deletion/modification options are governed by the rules of the given platform.
Legal basis: the data subject’s voluntary consent to the processing of their personal data on social media sites.

PROCESSING, HANDLING AND STORAGE OF PERSONAL DATA

Data Controller details and contact information

Company name: Business and Leisure Services Kft.
Tax number: 32447512-2-05
Company registration number: 05-09-037306
Registered office: 3525 Miskolc, Cserhát utca 48., 1st floor, door 2
Website: https://bandls.hu
E-mail: booking@bandls.hu
Phone: +36 70 743 7773

Data processors’ details and contact information

2.1. Innovisuals Kft. – operator of our company’s website
Name: Business and Leisure Services Kft.
Registered office: 3525 Miskolc, Cserhát utca 48., 1st floor, door 2
Mailing address: 3525 Miskolc, Cserhát utca 48., 1st floor, door 2
Phone: +36 70 743 7773

2.2. Szallas.hu – accommodation booking website
Online contact: szallas@szallas.hu
Phone: (+36) 30/344-2000
Privacy: https://szallas.hu/adatvedelem

2.3. Booking.com – accommodation booking website
Online contact: dataprotectionoffice@booking.com
Phone: (+31) 70/770-3884
Privacy:
https://www.booking.com/content/privacy.hu.html?label=gen173nr-1FCAEoggI46AdIM1gEaGeIAQGYARG4AQzIAQ_YAQHoAQH4AQuoAgM;sid=44bf3df742939e5a40c97735653786ec

In the event of violation of the data subject’s rights and/or in case of comments, statements may be submitted and/or the following authorities may be contacted:

Competent Court
National Authority for Data Protection and Freedom of Information (NAIH): H-1530 Budapest, Szilágyi Erzsébet fasor 22/C
Business and Leisure Services Kft.: H-3525 Miskolc, Cserhát utca 48., 1st floor, door 2

RELEVANT LEGISLATION (IN PARTICULAR, BUT NOT LIMITED TO)

Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR)

This Notice is available, accessible and may be reviewed on the Service Provider’s website and at the accommodation operated by the Service Provider. By using the service, the Guest declares that they have understood and accept the provisions of this Notice, and consent that the Data Controller processes their personal data to the extent necessary for performing tasks related to the performance of the contract concluded with the Data Controller, and also consents that the Data Controller sends notifications relating to tasks necessary for performance of the contract to the contact details provided in the contract.

This Notice forms an inseparable annex to the Contract and the General Terms and Conditions (GTC). Villány, 27 May 2024.

Business and Leisure Services Kft.
Kiss Ildikó, Managing Director

INTERPRETATIVE PROVISIONS

GDPR [General Data Protection Regulation]

Data subject: [GDPR Article 4]
Any identified or identifiable natural person. An identifier may be name, birth data, location data, online identifier, phone number, etc.

Infotv. Section 3(1): Any natural person identified or identifiable – directly or indirectly – on the basis of specific personal data.

Personal data: [GDPR Article 4]
Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Infotv. Section 3(2): Data that can be linked to the data subject, and any inference relating to the data subject that can be drawn from the data; in particular the data subject’s name, identifying mark, and one or more items of knowledge characteristic of the data subject’s physical, physiological, mental, economic, cultural or social identity, as well as any inference that can be drawn from the data.

Personal data retain this quality throughout processing as long as the link to the data subject can be restored.

Special categories of data: [GDPR Article 9]
Within personal data, certain data are subject to stricter rules. Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation. Special categories also include personal data relating to criminal liability and offences, and children’s personal data enjoy increased protection.

Infotv. Sections 3(3)–(4): Personal data relating to racial origin, nationality, political opinion, religious or other philosophical conviction, membership of interest representation organizations, sex life, health status, harmful addictions, and criminal personal data.

Data controller: [GDPR Article 4]
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its designation may also be provided for by Union or Member State law.

Infotv. Section 3(9): The natural or legal person, or organization without legal personality, who or which, alone or jointly with others, determines the purpose of processing, makes and implements decisions relating to processing (including the tools used), or has them implemented by a processor.

Processing: [GDPR Article 26]
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. Their respective responsibilities must be determined transparently in an arrangement between them, clearly indicating the roles and relationship of the joint controllers vis-à-vis the data subjects.

Infotv. Section 3(10): Any operation performed on data, irrespective of the procedure used, including in particular collection, recording, organization, storage, alteration, use, querying, transfer, publication, alignment or combination, blocking, deletion and destruction, as well as preventing further use of data; making photo, audio or video recordings, and recording physical characteristics suitable for identifying a person (e.g., fingerprint, palm print, DNA sample, iris image).

Processor: [GDPR Articles 4 and 26]
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The processor has no independent right of disposal or decision over the data.

Infotv. Section 3(18): A natural or legal person, or organization without legal personality, who or which carries out data processing on the basis of a contract, including contracts concluded pursuant to a legal provision.

Data processing (as a concept under Infotv.):
Infotv. Section 3(17): Carrying out technical tasks associated with processing operations, regardless of the method and tools used to carry out the operations, and the place of application, provided that the technical task is performed on the data. It is important to emphasize that if the processor departs from the tasks defined in the written contract during processing, it becomes a controller. The rights and obligations of the processor are determined by Business and Leisure Services Kft., as controller. The controller is responsible for the lawfulness of instructions for processing operations, but under the GDPR the processor also bears liability.

Recipient: [GDPR Article 4]
A natural or legal person, public authority, agency or other body, to which personal data are disclosed, whether or not a third party. In practice, recipients include all persons/entities to whom data subjects’ personal data are transferred and who receive the data for any purpose.

Data transfer: Infotv. Section 3(11)
Making data accessible to a specific third party.

Public interest data:
Any information or knowledge recorded in any manner or form, not qualifying as personal data, that is held by an entity or person performing a state or local government function or other public tasks defined by law, relating to its activity or arising in connection with the performance of public duties, irrespective of the manner of processing, whether individual or collected; including, in particular, information on competence, jurisdiction, organizational structure, professional activity, evaluation of its effectiveness, types of data held, legislation governing operation, management, and contracts concluded. It must be ensured that anyone may access public interest data held by Business and Leisure Services Kft., except where the data have been classified as state or service secrets by an authorized body, classified as business secrets by the head of the organization, or where the data are classified pursuant to obligations under an international treaty.

Business secret:
Any fact, information, solution or data related to economic activity whose disclosure, acquisition or use by unauthorized persons would harm or jeopardize the lawful financial, economic or market interests of the right-holder (excluding the Hungarian state), and in respect of which the right-holder has taken the necessary measures to keep it confidential.

Legal basis for processing: [GDPR Article 6]
The legal basis for processing is the User’s consent, Section 5(1) of the Infotv., and Section 13/A(3) of Act CVIII of 2001 on electronic commerce services and certain issues of information society services (hereinafter: the E-commerce Act): The service provider may process personal data necessary for providing the service. Where other conditions are the same, the service provider must select and operate the tools used in providing information society services in such a way that personal data are processed only if strictly necessary for providing the service and achieving the other purposes set out in the Act, and even then only to the extent and for the period necessary.