Privacy policy

General Provisions

Rosecho Villa Ingatlanhasznosító Kft (registered office: 1031 Budapest, Péter u. 4., company registration number: 01-09-334764, hereinafter referred to as the Data Controller), as the operator of Villa My Lake, ensures the legality and purposefulness of the processing of personal data it manages in every case. The purpose of this privacy notice is to provide our guests, who book accommodation and provide their personal data, with appropriate information before booking or submitting their personal data, about the conditions, guarantees, and duration under which our company processes their personal data. Our company complies with the provisions contained in this notice for all cases involving the processing of personal data and considers the contents herein as binding on ourselves.

However, we reserve the right to amend the provisions of this unilateral declaration. In such a case, affected parties will be informed in advance. Should you have any questions regarding the contents of this notice, please send us a letter or email. The data processing activities of our company are based on voluntary consent or, in some cases, are necessary to take steps at the request of the data subject prior to the conclusion of a contract.

Our data processing activities comply with the applicable laws, in particular the following:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) — on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”), as well as

• Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Infotv.).

Data Controller’s details and contact information are as follows:

• Name: Rosecho Villa Ingatlanhasznosító Kft.
• Registered office: 1031 Budapest, Péter u. 4.
• Mailing address: 8621 Zamárdi, Gáspár András u. 23.
• Company registration number: 01-09-334764
• Tax number: 26606929-2-41
• Phone number: +36 70 675 9122
• Email: info@villamylake.hu
• Representative of the Data Controller: Péter Zentai, Managing Director

Data Controller’s details and contact information are as follows:

•     Name: NetHotelBooking Kft
•     Responsibilities: online booking system
•     Registered office: 8200 Veszprém, Boksa tér 1/A
•     Mailing address: 8200 Veszprém, Ádám Iván u. 1.
•     Tax number: 22710776-2-19
•     Phone number: +36 30 650 0055
•     Email address: szilagyi.zsuzsa@resnweb.com
•     Website: resnweb.com
•     The Data Processor stores the personal data based on a written contract with the Data Controller.

Data Controller’s details and contact information are as follows:

•     Name: MT-HostWare Számítástechnikai Kft
•     Responsibilities: hotel PMS system
•     Registered office: 1149 Budapest, Róna utca 120.
•     Mailing address: 1149 Budapest, Róna utca 120.
•     Tax number: 10426917-2-42
•     Phone number: +36 1 469 9000
•     Email address: hostware@hostware.hu
•     Website: www.hostware.hu
•     The Data Processor stores personal data based on a written contract with the Data Controller.

Data Processor’s details and contact information are as follows:

•     Name: Hilaris Hotel Management Kft
•     Responsibilities: sales, marketing, communication, consulting
•     Registered office: 1031 Budapest, Péter utca 4.
•     Mailing address: 1031 Budapest, Péter utca 4.
•     Tax number: 32237557-2-41
•     Phone number: +36 30 448 4679
•     Email address: hello@hilarishotels.hu
•     Website: https://hilarishotels.hu/adatvedelmi-nyilatkozat/
•     The Data Processor stores personal data based on a written contract with the Data Controller.

Data Processor’s details and contact information are as follows:

• Name: ICT Megoldások Korlátolt Felelősségű Társaság
• Responsibilities: IT services / Information technology consultancy and operation of IT equipment and systems
• Registered office: 1119 Budapest, Nándorfejérvári út 42-44.
• Mailing address: 1119 Budapest, Nándorfejérvári út 42-44.
• Tax number: 25013322-2-43
• Phone number: +36 20 933 2866
• Email address: info@ict.hu
• Website: ict.hu
• The Data Processor stores personal data based on a written contract with the Data Controller. They are not authorized to access the personal data.

Data Processor’s information and contact details are as follows:

• Name: Mill-Co. Bt.
• Tasks: Accounting and payroll
• Headquarters: 1158 Budapest Jolán utca 18
• Mailing address: 1158 Budapest Jolán utca 18
• Tax number: 28715188-2-42
• Phone number: +3630 201 7668
• Email address: konyveles@millco.hu
• Website: N/a
• The Data Processor performs the storage of personal data based on a written contract with the Data Controller.

Interpretative provisions:

• In our policy, the explanations of data protection terms are as follows:
  • Data Subject: Any natural person who can be identified, directly or indirectly, based on any information.
  • Identifiable natural person: A natural person who can be identified, directly or indirectly, in particular by an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the person.
  • Personal data: Any information related to the data subject.
  • Consent: The voluntary, explicit, and informed expression of will by the data subject, through a statement or other unequivocal indication of their wishes, that signifies their agreement to the processing of personal data related to them.
  • Objection: The statement made by the data subject opposing the processing of their personal data and requesting the cessation of processing or the deletion of the data.
  • Data Controller: The natural or legal person, or entity without legal personality, who determines the purposes and means of processing personal data, either alone or jointly with others, and makes decisions regarding the processing of the data (including the tools used), or who has the Data Processor carry out the processing.
  • Data Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, storage, alteration, retrieval, use, disclosure, dissemination, alignment, combination, blocking, deletion, and destruction of data, as well as preventing further use of the data, taking photographs, making audio or video recordings, and recording physical characteristics of the individual that can be used for identification.
  • Data Transfer: Making personal data accessible to a specified third party.
  • Disclosure: Making personal data available to anyone.
  • Data Deletion: Rendering data unrecognizable in a way that it can no longer be restored.
  • Data Marking: Assigning an identifier to data in order to distinguish it.
  • Data Locking: Marking data to limit its further processing either permanently or for a set period of time.
  • Data Destruction: Completely physically destroying the data storage medium.
  • Data Processing: A set of operations carried out by the Data Processor under the Data Controller’s instruction or on their behalf.
  • Data Processor: The natural or legal person, or entity without legal personality, who processes personal data based on a contract (including a contract prescribed by law).
  • Data File: A collection of data stored in a register.
  • Third Party: A natural or legal person, or entity without legal personality, who is not the data subject, Data Controller, Data Processor, or any person authorized to process personal data under the direct authority of the Data Controller or Data Processor.

The principles for the processing of personal data:

1. Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject [Section 4(1) of the Info Act].
2. Purpose limitation: Personal data should only be processed for specified, legitimate purposes [Section 4(1) of the Info Act].
3. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed [Section 4(2) of the Info Act].
4. Accuracy: The data must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that inaccurate personal data is rectified or erased [Section 4(2) of the Info Act].
5. Storage limitation: Personal data should be kept in a form which permits identification of data subjects only for as long as necessary for the purposes for which the data are processed [Section 17(2) of the Info Act].
6. Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage [Sections 5-6, 14-21 of the Info Act].
7. Accountability: The Data Controller is responsible for compliance with the above principles and must be able to demonstrate such compliance.

Data Security Measures:

The Data Controller and the Data Processor take all necessary technical and organizational measures to ensure the appropriate level of security for the processed personal data, in order to prevent any potential data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In case of an incident, a record is kept for the purpose of checking the necessary measures and informing the data subject, which includes the scope of personal data affected, the number and scope of those affected by the data protection incident, the date, circumstances, and impacts of the incident, the measures taken to eliminate it, and other data as specified by the relevant legislation on data processing.

We provide the following information in connection with each of our data processing activities:

Hotel Service-Related Data Processing:

Guests at the Villa My Lake (8621 Zamárdi, Gáspár András u. 23.), operated by the Data Controller, can avail of accommodation services, restaurant services, and other related services (such as bath use, sauna, etc.).

Purpose of Data Processing:

• Performing administrative tasks related to hotel services, billing, and handling individual requests.

Legal Basis for Data Processing:

• The legal basis is the contract and the fulfillment of the Data Controller’s legal obligations.

Scope of Processed Personal Data:

• Salutation, first and last name, address (country, postal code, city, street, house number), phone number, email address, company name and registered office (in case of a legal entity), bank card number, ID card data, vehicle registration number.

Data Retention Period:

• 7 years from the issuance of the voucher.

Duration of Data Processing for Immigration/Police Compliance:

• 3 years from the guest’s departure.

Duration of Data Processing for Customer Relationship and Quality Service:

• 2 years after the last day of the guest’s stay.

Consequences of Failing to Provide Data:

• A contract for hotel services cannot be concluded.

Data Processing Related to Requesting Offers:

Our company provides the possibility for our guests to request offers electronically. The offer is provided by our automated system, taking into account available capacity.

Purpose of Data Processing:

• Preliminary inquiry regarding the hotel’s pricing.

Legal Basis for Data Processing:

• The preliminary consent of the person making the reservation, and the data is necessary for taking steps at the request of the data subject before entering into a contract.

Scope of Processed Personal Data:

1. Salutation
2. First and last name
3. Phone number
4. Email address
5. Number of guests.

Duration of Data Processing:

• 2 years after the last day of the stay according to the reservation.

Consequences of Failing to Provide Data:

• The hotel will be unable to provide an offer.

Data Processing Related to Newsletter Subscription:

Our company maintains contact with our guests through newsletters, where we recommend services, inform them about new offerings, promotions, and news regarding our operations.

Data Controller:

• Rosecho Villa Ingatlanhasznosító Kft (Headquarters: 1031 Budapest, Péter u. 4.), and Nadel & Partners Communications Kft as the Data Processor.

Purpose of Data Processing:

• Communication with potential hotel guests.

Legal Basis for Data Processing:

• Consent of the data subject.

Scope of Processed Personal Data:

• Name, email address.

Duration of Data Processing:

• Our company processes the name and email address until unsubscribing from the newsletter.

Consequences of Failing to Provide Data:

• The data subject will not receive the newsletter from our company.

The data subject may unsubscribe from the newsletter at any time using the link provided in the newsletter or by sending an email to info@villamylake.hu. The email address will be deleted from our database immediately (within 2 business days if unsubscribed via email).

Data Processing Related to Satisfaction Surveys:

As a hotel, our goal is to provide high-quality services to our guests, and therefore we continuously ask for feedback from our guests regarding their experiences during their stay at our hotel.

Data Controller:

• Rosecho Villa Ingatlanhasznosító Kft (Headquarters: 1031 Budapest, Péter u. 4.), and Nadel & Partners Communications Kft as the Data Processor.

Purpose of Data Processing:

• Requesting feedback from guests to improve and enhance our services.

Legal Basis for Data Processing:

• Personal consent.

Legitimate Interest:

• Our company has a legitimate interest in receiving information based on feedback to improve our services.

Scope of Processed Personal Data:

1. Name
2. Gender
3. Email address

Duration of Data Processing:

• 2 years after the last day of the stay according to the reservation.

Consequences of Failing to Provide Data:

• The data subject will not receive the satisfaction survey from our company.

Cookie Management:

The Data Controller places a small data packet, a cookie, on the user’s computer to personalize the service and reads it during future visits. If the browser returns a previously saved cookie, the cookie handler can link the user’s current visit with previous visits, but only regarding their own content.

Purpose of Data Processing:

• User identification, tracking, differentiation, identification of the current session, storage of provided data, prevention of data loss, web analytics, personalized service.

Legal Basis for Data Processing:

• Consent of the data subject.

Scope of Processed Data:

• Identification number, date, time, and previously visited page.

Duration of Data Processing:

• Maximum 90 days.

Additional Information on Data Processing:

• The user can delete the cookie from their computer or disable cookies in their browser settings. Cookie management is usually found in the browser’s Tools/Settings menu under Privacy/History/Custom Settings, named “cookie,” “sweets,” or “tracking.”

Consequences of Failing to Provide Data:

• The service cannot be utilized.

---

Website Server Logging:

When visiting the nethotelbooking.net website, the web server automatically logs the user’s activities.

Purpose of Data Processing:

• The service provider logs visitor data to monitor the functionality of services and prevent misuse.

Legal Basis for Data Processing:

• Legitimate interest for the safe operation of the website.

Scope of Processed Data:

• Identification number, date, time, and the visited page URL.

Duration of Data Processing:

• Maximum 90 days.

Additional Information:

• Our company does not link the logged data to other information during the log file analysis and does not attempt to identify the user. The visited page URLs, date, and time alone cannot identify the data subject, but when combined with other data (e.g., data provided during registration), they may allow conclusions about the user.

Data Processing by External Providers:

The HTML code of the portal contains references to external servers unrelated to our company. The external service provider’s server is directly connected to the user’s computer. We remind our visitors that through these references, service providers are able to collect user data (e.g., IP address, browser, operating system data, mouse movement, visited page URL, and visit timestamp) through direct communication with the user’s browser.

IP addresses can even geographically locate the visitor using the computer. The visited page URLs, as well as the date and time data, cannot identify the data subject alone but may allow conclusions to be drawn when combined with other data (e.g., data provided during registration).

Other Data Processing:

Photo Taking:

Purpose of Data Processing:

• Taking photos by the accommodation during various events, with participants not appearing or with their faces obscured.

Legal Basis for Data Processing:

• Personal consent.

Scope of Processed Personal Data:

• Photos (not identifiable and/or face obscured).

Camera Usage Information:

• https://villamylake.hu/adatkezeles

In this notice, we inform our clients that certain authorities, public authorities, or courts may request personal data. Our company will only release personal data to such authorities when they clearly specify the purpose and scope of the request, and only to the extent necessary to fulfill the request, as required by law.

Method of Storing Personal Data and Data Processing Security:

Our company’s IT systems and other data storage locations are found at our headquarters and on servers rented by the data processor. We select and operate the IT tools used for personal data processing during the provision of services in such a way that the processed data:
a) is accessible to authorized individuals (availability);
b) its authenticity and validation are ensured (data processing authenticity);
c) its integrity is verifiable (data integrity);
d) is protected against unauthorized access (data confidentiality).

We pay special attention to the security of the data, and take the necessary technical and organizational measures and establish procedural rules to implement the guarantees required by the GDPR. The data is protected by appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental destruction, damage, or inaccessibility due to the change of applied technology.

Both our company and our partners’ IT systems and networks are protected against computer-assisted fraud, computer viruses, hacking attempts, and denial-of-service attacks. The operator ensures security through server-level and application-level protection procedures. Daily security backups of data are ensured. In order to prevent data protection incidents, our company takes all possible measures, and in the event of such an incident – in accordance with our incident handling policy – we act promptly to minimize risks and eliminate damages.

Rights of Data Subjects and Remedy Options:

The data subject can request information regarding the processing of their personal data, and may request correction of their personal data, or, with the exception of mandatory data processing, its deletion or withdrawal. The data subject can exercise their right to data portability and objection in the manner indicated when the data was collected, or at the above-mentioned contact details of the data controller. Upon the data subject’s request, the information will be provided in electronic form without delay, but no later than 30 days, in accordance with our relevant policy. Requests by the data subjects to exercise their rights below are fulfilled free of charge.

Right to Information:
Our company takes appropriate measures to ensure that all information regarding personal data processing is provided to the data subjects in a concise, transparent, understandable, and easily accessible form, clearly and in plain language, while still being precise.

The right to information can be exercised in writing through the contact details provided in point 1. Upon request, information may also be provided orally to the data subject, after verifying their identity. We inform our customers that if our staff have any doubts regarding the identity of the data subject, we may ask for information to confirm the identity.

Right of Access:
The data subject has the right to receive feedback from the data controller on whether their personal data is being processed. If processing is ongoing, the data subject is entitled to access the following information:

• The purposes of data processing;
• The categories of the data subject’s personal data;
• The categories of recipients or categories of recipients with whom or to whom the personal data has been or will be disclosed, including especially recipients in third countries (outside the European Union) or international organizations; the planned duration of storage of the personal data;
• The right to rectification, erasure, or restriction of processing, and the right to object;
• The right to lodge a complaint with the supervisory authority;
• Information about the sources of the data;
• The existence of automated decision-making, including profiling, and understandable information about the applied logic, as well as the significance of such processing and its anticipated consequences for the data subject.

In addition, if personal data is transferred to a third country or international organization, the data subject has the right to receive information on the appropriate safeguards for such transfer.

Right to Rectification:
Under this right, anyone can request the correction of inaccurate personal data or the completion of incomplete data held by our company.

Right to Erasure:
The data subject has the right to request the deletion of their personal data without undue delay if one of the following conditions applies:
a) The personal data is no longer necessary for the purposes for which it was collected or processed;
b) The data subject withdraws their consent on which the processing is based, and there is no other legal ground for processing;
c) The data subject objects to the processing, and there are no overriding legitimate grounds for processing;
d) The personal data has been unlawfully processed;
e) The personal data must be erased to comply with a legal obligation under Union or Member State law;
f) The personal data was collected in connection with offering information society services.

Data erasure cannot be initiated if the processing is necessary for:
a) Exercising the freedom of expression and the right to information;
b) Compliance with a legal obligation to which the data controller is subject, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) Public health, archiving, scientific or historical research purposes, or statistical purposes, based on public interest;
d) The establishment, exercise, or defense of legal claims.

Right to Restriction of Processing:
Upon the data subject’s request, we will restrict processing under the conditions laid down in Article 18 of the GDPR, namely when:
a) The data subject contests the accuracy of personal data, in which case the restriction applies for the period enabling the accuracy to be verified;
b) The processing is unlawful, and the data subject objects to erasure, requesting the restriction of use instead;
c) The data controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims;
d) The data subject has objected to the processing; in this case, the restriction applies for the period necessary to determine whether the legitimate grounds of the data controller override those of the data subject.

If processing is restricted, personal data can only be processed with the data subject’s consent, for the establishment, exercise, or defense of legal claims, to protect the rights of another natural or legal person, or for reasons of public interest in the Union or a Member State. The data subject will be informed in advance before the restriction is lifted.

Right to Data Portability:
The data subject has the right to receive their personal data that they have provided to the data controller in a structured, commonly used, machine-readable format, and to transmit those data to another data controller. Our company can fulfill such a request in Word or Excel format.

Right to Object:
If the processing of personal data is for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing purposes, including profiling related to direct marketing. In case of objection to data processing for direct marketing purposes, the data should no longer be processed for that purpose.

Automated Decision-Making in Individual Cases, including Profiling:
a) The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. This right does not apply if the processing is:

• a) Necessary for the performance of a contract between the data subject and the data controller;
• b) Authorized by Union or Member State law, providing suitable safeguards for the data subject’s rights, freedoms, and legitimate interests;
• c) Based on the explicit consent of the data subject.

Right to Withdraw Consent:
The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

Procedural Rules:

The data controller will inform the data subject without undue delay, but in any case, within one month of the receipt of the request, about the actions taken in response to a request made pursuant to Articles 15–22 of the GDPR. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by an additional two months. The data controller will inform the data subject about the extension of the deadline, specifying the reasons for the delay, within one month of receiving the request.

If the data subject submitted the request electronically, the information will be provided electronically unless the data subject requests otherwise.

If the data controller does not take action on the data subject’s request, they will inform the data subject about the reasons for not taking action, without undue delay, but no later than one month from the receipt of the request. The data subject will also be informed that they can lodge a complaint with the supervisory authority and exercise their right to judicial remedy.

The data controller will inform every recipient to whom personal data has been communicated about any rectifications, deletions, or restrictions of data processing, except if this proves impossible or requires disproportionate effort. Upon the data subject’s request, the data controller will inform them about these recipients.

Compensation and Damages:

Anyone who has suffered material or non-material damage as a result of an infringement of the data protection regulation has the right to compensation from the data controller or the data processor. The data processor will only be held liable for damages caused by data processing if they failed to comply with legal obligations specifically assigned to data processors, or if they ignored or acted contrary to the lawful instructions of the data controller. If more than one data controller or data processor, or both the data controller and the data processor, are involved in the same data processing, and are liable for the damages caused by the processing, each data controller or processor is jointly and severally liable for the full damage. The data controller or data processor is exempt from liability if they prove that they are not responsible for the event causing the damage in any way.

Remedy Options:

For any requests, questions, or remarks related to data processing, you can contact us via email at info@villamylake.hu.

In case of any violations by the data controller, complaints can be submitted to the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information
Postal Address: 1530 Budapest, P.O. Box 5.
Address: 1125 Budapest, Szilágyi Erzsébet Avenue 22/c
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu In the event of a violation of your rights, you can also turn to the court against the data controller. The lawsuit can be filed at the court that is competent based on your place of residence or stay, at your choicress…