Our website uses cookies as a means of enhancing the experience of our visitors. Continuing to browse our site indicates that you agree to our use of cookies.
Last updated: 25 May 2018
This Privacy Policy
sets out how Danubius Zrt. (“Danubius” or “we”) uses and protects your
personal data. Danubius is the Controller for personal data given to us
by guests or prospective guests using the site
booking.danubiushotels.com, as well as for other groups of individuals
identified in the policy such as guests interacting with us through
different channels, business contacts, and our staff.
The
recording of bookings on booking.danubiushotels.com is managed by
Sceptre Hospitality Resource (“SHR”), a USA company. Our contractual
arrangements with SHR incorporate suitable safeguards over your personal
data in order to protect the rights you have under EU legislation. In
particular, SHR is registered for the “EU U.S. Privacy Shield”. This is
an intergovernmental agreement between the EU and the USA and is
recognised by the EU Commission as ensuring enforceable protection of
personal data equivalent to data protection standards in the EU. The EU
Commission decision can be seen on their official website, for example
their press release of 18 October 2017 at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield.
In
the course of its business activities, Danubius requests, obtains, and
processes personal data from guests, prospective guests, business
contacts, staff, and other individuals. We aim to process the minimum
personal data we need in order to provide a good service. We recognise
and respect the legal rights and reasonable expectations of individuals
over their personal data and privacy.
This Privacy Policy
explains how we protect personal data and privacy. Many of the
principles we follow are driven by the EU’s General Data Protection
Regulation (GDPR). However, we comply with all applicable legal
requirements on personal data protection and privacy.
You can
navigate through the Disclosure using the hyperlinks in the table of
contents below. You can also download a PDF version with the hyperlinks
embedded by clicking here.
We have tried to make this Privacy
Policy easy to use and to understand, within the constraints of the
complexity of the information we have to communicate. If you have any
questions on the material or any comments or suggestions as to how we
might improve the Disclosure, please contact us at:
Legal associate responsible for data protection: Dr. Helga Sztanó
adat(at)danubiushotels.com
data(at)danubiushotels.com
You
can navigate through this Policy by clicking through the table of
contents below. The main sections are the first two which cover:
1. Your rights under GDPR
2. The different processing activities in Danubius
3. Legal reference information (including contact details)
4. Terms and abbreviations used in this Disclosure
Table of contents
1) Legal rights of individuals (“data subjects”) under GDPR
1.1 Right to receive transparent information
1.2 Right of access to your own data
1.3 Right to rectify inaccurate data
1.4 Right to erasure (“Right to be forgotten”)
1.5 Right to withdraw consent
1.6 Right to request restriction of processing
1.7 Right to object to processing
1.8 Right not be subject to automated decisions
1.9 Data portability
1.10 Right to complain to a “Supervisory Authority”
1.11 Right to an effective judicial remedy against a controller or processor
1.12 Contacting Danubius regarding GDPR
2) Data processing
2.1 Reservations
2.2 Hotel registration cards
2.3 Wellness, medical and physical therapy
2.4 Gym
2.5 Guest survey and evaluation scheme
2.6 Video surveillance system
2.7 Newsletter
2.8 Loyalty Programme (Danubius EuroPoints and Bubbles Club) and Danubius Corporate Programme (Danubius Bonus)
2.9 Danubius Gift Card and Voucher
2.10 Debit card data
2.11 Social media (e.g. Facebook, Instagram)
2.12 Prize drawings:
2.13 Web store
2.14 Contact
2.15 Complaint management protocol
2.16 Danubius Blog
2.17 Automatically recorded data, cookies and “remarketing codes”
2.17.1 Automatically recorded data
2.17.2. Cookies and similar technologies
2.17.3. Web links
2.18 Job advertisements
2.19 Staff
2.20 Business contacts
2.21 Wi-Fi
3) Legal reference information (including contact details)
4) Terms and abbreviations used in this Policy
1) Legal rights of individuals (“data subjects”) under GDPR
The
“data subjects” covered by GDPR are living individuals anywhere who
deal with a “controller” in the EU, or living individuals in the EU who
deal with a controller outside the EU. A “controller” is the legal
entity which defines how personal data is processed. “Personal data” is
any data which can be linked to a data subject.
As explained below, data subjects have the following specific rights under GDPR:
a) Right to receive transparent information
b) Right of access to own data
c) Right to rectify inaccurate data
d) Right to erasure (“Right to be forgotten”) in specific circumstances
e) Right to withdraw consent
f) Right to request restriction of processing
g) Right to object to processing
h) Right not be subject to automated decisions
i) Right to data portability
j) Right to complain to a “Supervisory Authority”
k) to an effective judicial remedy against a controller or processor
This
Policy addresses all of these rights. Under your request on any of
them, we will respond without undue delay and in any case within one
month, and we will do our best to resolve even complex cases within
three months. We will respond to you electronically or by such other
medium as you request. We will not charge a fee for an initial request,
but we reserve the right to charge an administrative fee for handling a
request repeated with a year, or in case of otherwise manifestly
unfounded or excessive request.
Note that we will need to verify your identity to be able to act on any request.
If
we believe that we should not act on your request, we will write to
inform you of the basis for our decision, and also of your options for
legal remedy.
Separately from these rights, if you believe that
Danubius has mistreated you with regard to your personal data or your
privacy, please contact us so that we can rectify the situation and
improve our service to all guests. You can send a formal complaint to us
by email or by post to the address given in section 1.12 “Contacting
Danubius regarding GDPR” below.
We will aim to respond without undue delay and in any case within in a month.
1.1 Right to receive transparent information
We
will provide all information required by GDPR to you in a concise,
transparent, intelligible and easily accessible form, using clear and
plain language, particularly for any information specifically for
children. We shall provide the information in writing or by electronic
means. If you request, we will provide information orally.
We will facilitate your exercising your rights as described in the rest of section 1 below.
Section
1.12 “Contacting Danubius regarding GDPR” below gives email and postal
addresses for contacting us. Certain sections on individual activities
in section 2 give dedicated addresses for specific enquiries.
1.2 Right of access to your own data
You
have the right to obtain from Danubius confirmation as to whether
personal data on you is being processed, and, if so, to access the data
and the following information:
a) the purpose of the processing
b) the categories of personal data concerned
c)
the recipients to whom we have disclosed or will disclose the personal
data, in particular recipients in countries outside the EU
d) the period for which the personal data will be stored
e)
the existence of your right to request us to rectify or erase personal
data or to restrict processing of personal data or to object to such
processing
f) your right to lodge a complaint with a Supervisory Authority
g) where the personal data are not collected directly from you, information as to their source
h)
whether there is any automated decision-making from the data, and, if
so, meaningful information about the logic involved, as well as the
significance and the envisaged consequences of such processing for you.
i)
Where we transfer your personal data to a country outside the EU, the
appropriate safeguards we have in place to protect your rights.
1.3 Right to rectify inaccurate data
If we hold inaccurate or incomplete personal data on you, we will rectify this without undue delay on receiving your request.
1.4 Right to erasure (“Right to be forgotten”)
You
have the right to request us to erase your personal data and for us to
act on the request without undue delay, where one of the following
grounds applies:
(a) Your data are no longer necessary in relation to the purposes for which they were originally processed
(b) You withdraw consent and we have no other legal basis for processing your data
(c)
Our basis of lawfulness for processing is our legitimate interests, and
you claim that we have no legitimate grounds for the processing which
override your interest, rights, and freedoms
(d) The processing is for direct marketing, and you object to this
(e) We have been unlawfully processing your data
(f) We have to erase your data for compliance with a legal obligation in EU or Member State law to which we are subject
(g)
Our basis of lawfulness for processing the data is consent given by a
guardian for a child, and either (I) you are the guardian and the child
is still under the age of consent, or (II) you are the child now older
than the age of consent. (In Hungary, the age of consent for processing
of personal data is: 16.)
Please note that we cannot erase your personal data to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing;
(c) for reasons of public interest in the area of public health;
(d)
for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes in so far as the request is
likely to render impossible or seriously impair the achievement of the
objectives of such processing; or
(e) for the establishment, exercise or defence of legal claims
Your
data will continue to exist temporarily on backup files after this
deletion, but we use IT security techniques to ensure that these are
accessible only for the purpose of restoring the database in the event
of a loss of data and that they cannot be copied to reveal data. We
destroy backup files on a rotating basis within [N MONTHS].
1.5 Right to withdraw consent
Where
you have given us consent for any processing, you have the right to
withdraw consent at any time. You can do this by sending a request to
the email address given in the relevant subsection of section 2
Activities below, which lists the different activities for which we
manage personal data. Alternatively, you can write to us at the address
in section 1.11 below.
Note that your withdrawal of consent will not affect processing which we have already done.
1.6 Right to request restriction of processing
You can request that Danubius restricts the processing of your personal data where one of the following applies:
- You contest the accuracy of the personal data
- We no longer have a basis of lawfulness for processing, but you oppose us erasing the data and you request that we restrict their use instead
- We no longer need the data for the original purpose, but you require them for the establishment, exercise, or defence of legal claims
- You object to our processing on the grounds that we state our legal basis as “our legitimate interests” but you claim that your “interests, rights, and freedoms” override these.
Where processing is
restricted under your objection, except for continuing to store the data
we shall process them only with your consent or:
a) for the establishment, exercise or defence of legal claims
b) for the protection of the rights of another person, or
c) for reasons of important public interest of the EU or of a Member State.
Where we restrict processing, we shall inform you before we lift the restriction.
Operational
practicalities may prevent us restricting processing precisely as
envisaged by GDPR, but in such a case we will work with you to try to
find a satisfactory resolution.
1.7 Right to object to processing
You have the right to object to our processing your personal data where:
- Our basis of lawfulness for processing is “our legitimate interests” but you claim that your “interests, rights, and freedoms” override these
- We process your data for direct marketing purposes, including “profiling” to the extent that it is related to such direct marketing. (Profiling is automated decision making which analyses or predicts aspects such as your economic situation, personal preferences, behaviour, or location.) Where you make such an objection we shall no longer process your data for such purposes.
1.8 Right not be subject to automated decisions
You
have the right not to be subject to a decision based solely on
automated processing, if this produces legal effects on you or similarly
significantly affects you.
However, this does not apply:
(a) if the decision is necessary for us to perform a contract with you or if we have your explicit consent, or
(b)
if the automated process is authorised by a EU or Member State law
which also defines measures we have to follow which safeguard your
rights, freedoms, and legitimate interests.
In case (a), we have
to implement suitable measures to safeguard your rights, freedoms, and
legitimate interests. This includes at least your right to make us
ensure human intervention, and your right to express your point of view
and to contest the decision.
1.9 Data portability
GDPR
gives a data subject the right in certain circumstances to receive the
personal data concerning him or her “in a structured, commonly used and
machine-readable format”. The right includes having the personal data
transmitted directly from one controller to another, where technically
feasible.
Where you apply under 1.2 above for access to your own
personal data, we will normally supply this in a commonly-used
electronic format, unless you specifically ask us to send you a written
copy.
1.10 Right to complain to a “Supervisory Authority”
If
you believe that we have treated you unfairly or unlawfully under GDPR,
you can complain to a Supervisory Authority for data protection. If
you are normally resident in an EU country other than Hungary, you have
the right to raise a complaint with the Supervisory Authority of that
country. This link will give you the name and contact details:
http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
If you are normally resident in Hungary or outside the EU, you can complain to the Hungarian Authority:
The Hungarian National Authority for Data Protection and Freedom of Information
1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf.: 5.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail address for correspondence in English: privacy(at)naih.hu
E-mail address for correspondence in Hungarian: ugyfelszolgalat(at)naih.hu
Website: http://naih.hu
1.11 Right to an effective judicial remedy against a controller or processor
If
you believe that your rights under GDPR have been infringed as a result
of the processing of your personal data in non-compliance with GDPR,
you have the right to an effective judicial remedy.
Proceedings
against a controller or a processor shall be brought before the courts
of the EU Member State where the controller or processor has an
establishment. Alternatively, such proceedings may be brought before the
courts of the EU Member State where your habitual residence is.
In
Hungary, regional courts shall have jurisdiction in handling the case.
Data subjects can also choose to bring actions at regional courts of
their domicile or residence. Even individuals with no locus standi can
be parties to the proceedings. The Authority has the option to intervene
for the data subject to succeed in the proceedings.
Court
proceedings shall be governed by GDPR, by the provisions of Act V of
2013 on the Civil Code, Book Two, Part Three, Title XII (Sections 2:51
to 2:54), as well as by other legislative provisions applicable to court
proceedings.
1.12 Contacting Danubius regarding GDPR
Certain
sections on individual activities in section 2 give dedicated contact
addresses for specific enquiries. Otherwise, to exercise one of the
rights described above, or to make a complaint directly to Danubius or
to contact us with a general enquiry regarding GDPR or privacy, the
email and postal addresses are:
Email: in Hungarian: adat(at)danubius.com or in English: privacy(at)danubius.com
Address: Danubius Zrt.; H-1051 Budapest, Szent István tér 11. Hungary
2) Data processing
A
separate document attached to this Policy contains the list of intra-EU
data transfers and controllers; data transfers to third countries are
further highlighted in this Policy.
2.1 Reservations
For reservations made online, in person at a hotel, or by phone, we ask for some or all of the following personal data fields:
- Full name
- Title
- Arrival date
- Departure data
- Number of adults in the room
- Type of room
- Full credit card details
- If staying in a spa, the treatment bundle
- Email address
- Full postal address
- Arrival time
- Free text – including for example any preferences
Purpose of data processing:
The
purpose of our collecting this data is to enable us to identify the
guest making the reservation, so that we can keep the room for the right
person at check-in, and to record a means of payment so that we avoid
financial risk if the guest does not check in to the hotel. We will use
your email address (i) in the unusual situation where we have to advise
you of a change impacting your reservation
(ii) three days before your planned arrival, in order to remind you of details such as the hotel address and check-in time, and
(iii)
three days after you leave to ask for comments on your stay, in order
that we can improve our service for future visits for you and other
guests.
Legal basis of data processing:
The basis of
lawfulness of our processing this data is that we need them in order to
fulfil a contract to reserve a room for you. We process your email
address in addition to send you a post-stay email for “legitimate
interests pursued by the controller, except where such interests are
overridden by the interests or fundamental rights and freedoms of the
data subject”. Our legitimate interests here are maintaining a high
quality of service, and we believe that sending you the post-stay email
does not affect your fundamental rights.
If you do not give us
the data requested we will either be unable to reserve a room for you or
be unable to contact you if there is a problem.
Transfer of data outside the EU:
When
you make a reservation on our website you are entering data into an
application run by Sceptre Hospitality Resource, a USA company. Your
personal data is therefore transferred outside the EU. In order to
ensure that you maintain the rights you have under GDPR over your
personal data, we have implemented the following safeguards:
a) We have contractual terms between Sceptre and ourselves defining and restricting the processing they do on the data;
b)
Sceptre is certified for the “EU – US Privacy Shield”. This is an
intergovernmental agreement between the EU and the USA and is recognised
by the EU Commission as ensuring protection of data equivalent to data
protection standards in the EU.
The EU Commission decision can be seen on their official website, for example their press release of 18 October 2017 at http://europa.eu/rapid/press-release_IP-17-3966_en.htm.
Period of data processing:
We
manage retention of personal data at the level of individual data
fields, rather than at the level of the total data for a guest. For
example, we may retain a record of your name and check-in date for
longer than your email address. Data processed for the purposes of
providing our services are retained for 2 to 8 years, depending on such
data.
In some cases we have a statutory obligation to hold personal data for an extended period. The main categories are:
- Where information is needed for an invoice or other tax records, we have a statutory obligation to retain this for 8 years after the end of the calendar year. Thus if we invoice you on check-out on 30 June 2018, we have to keep the data until 31 December 2026.
- A hotel has a statutory obligation to make a report to its Municipality for all guests who check-in, and a report to the Police for all guests from outside the EU who check-in. We have a statutory obligation to keep the information included in these reports for 6 years from the date of check-In.
If, by checking the corresponding box, you
request us to retain your data in order to facilitate future
reservations (purpose of data processing), the legal basis for our data
processing will be your voluntary consent. Therefore if, by not checking
the corresponding box, you do not give your consent to our data
processing, you’ll have to enter such data again when making your next
reservation. You can withdraw your consent any time, however the
withdrawal of consent shall not affect the lawfulness of processing
based on consent before its withdrawal. In such cases, your personal
data are retained for 8 years after your latest reservation.
We delete all personal data after the longest of the relevant retention periods above.
If
you wish to exercise any of your rights referred to in Section 1,
regarding the data recorded in the course of the above activities, or if
you wish to contact us for any other reasons, please, inform us by
sending an e-mail to privacy(at)danubiushotels.com or adat(at)danubiushotels.com.
2.2 Hotel registration cards
Scope of data and legal basis of data processing:
Personal
data to be provided on a compulsory basis (Provision of these data by
the Guest is a precondition for the use of hotel services):
- Processing of the following data is required by law, e.g. first name, last name, mother’s name, billing data.
- In order to provide the requested services (accommodation, wellness etc.) (on a contractual basis) we also process the following data: contact details, loyalty programme registration number, and mode of payment, debit card details, room number, and number of guests.
- On the basis of the Company’s legitimate interest to improve its services, for three days after you leave we process your name and email address in order to ask you for your opinion on our services and thus to improve them.
Non-compulsory statistical data:
- For statistical purposes, the following data are processed separately from personal data: business trip, holiday.
By
the time you check in, some data will be filled on the basis of your
reservation in order to speed up the check-in process. You are kindly
asked to always check the accuracy of your data.
Purpose of data processing:
Provision of hotel services, including communications and the improvement of services.
Period of data processing:
We
manage retention of personal data at the level of individual data
fields, rather than at the level of the total data for a guest. For
example, we may retain a record of your name and check-in date for
longer than your email address. Data processed for the purposes of
providing our services are retained for 2 to 8 years, depending on such
data.
In some cases we have a statutory obligation to hold personal data for an extended period. The main categories are:
- Where information is needed for an invoice or other tax records, we have a statutory obligation to retain this for 8 years after the end of the calendar year. Thus if we invoice you on check-out on 30 June 2018, we have to keep the data until 31 December 2026.
- A hotel has a statutory obligation to make a report to its Municipality for all guests who check-in, and a report to the Police for all guests from outside the EU who check-in. We have a statutory obligation to keep the information included in these reports for 6 years from the date of check-In.
- Where guests book medical treatment at one of our spa hotels, we have a statutory requirement to keep the medical personal data which we receive for 30 years.
If, by checking the
corresponding box, you request us to retain your data in order to
facilitate future reservations (purpose of data processing), the legal
basis for our data processing will be your voluntary consent. Therefore
if, by not checking the corresponding box, you do not give your consent
to our data processing, you’ll have to enter such data again when making
your next reservation. You can withdraw your consent any time, however
the withdrawal of consent shall not affect the lawfulness of processing
based on consent before its withdrawal. In such cases, your personal
data are retained for 8 years after your latest reservation.
If
you wish to exercise any of your rights referred to in Section 1,
regarding the data recorded during check-in, or if you wish to contact
us for any other reasons regarding your data recorded during check-in,
please, let us know by sending an e-mail to szervezes(at)danubiushotels.com.
2.3 Wellness, medical and physical therapy
Medical
services may be used separately from other hotel services. In the
hotel, you will be provided the requested medical services on the basis
of a pre-ordered package or as selected by you on site. Before using the
medical service in question, a dispatcher working at the separated
medical department directs each Guest to a medical doctor. At the
doctor’s, you will receive a Treatment record card, filled by your
doctor on the basis of the following:
- Identification data: name, social security number, date of birth, phone number
- Medical history: illnesses, medicaments, ailments etc. Recording of medical data is part of the medical treatment. The attending doctor will decide what medical data shall be recorded in order to comply with professional standards.
After that, the Guest shall take their
Treatment record card to the treatment in question where staff
participating in the provision of the treatment will only see the
minimum information needed for the treatment indicated on the Treatment
record card. Detailed patient information will only be seen by the
doctor and their assistant.
Purpose of data processing:
To promote, improve and maintain your health.
Legal basis of data processing:
As
it was you who contacted us for the provision of medical treatment,
your consent to the processing of your medical and personal
identification data in the context of your medical treatment shall be
considered as granted, unless otherwise provided. You can withdraw your
consent any time, however, the withdrawal of consent shall not affect
the lawfulness of processing based on consent before its withdrawal. If
you withdraw your consent, we will be unable to provide medical services
to you.
Period of data processing:
We retain medical
documentation during 30 years from data recording, under Act XLVII of
1997 on the processing and protection of health care data and associated
personal data, Section 30(1).
Transfer of data:
Medical data
shall only be transferred at your request to another doctor or to a
third party, and your consent is needed for a doctor who has not treated
you yet to know your data recorded this way. However, medical data will
not be transferred to your GP only in case of your express objection.
The
Company and the person acting in representation and on behalf of the
Company, as well as the data processor shall maintain the
confidentiality of medical data they have become aware of.
The Company or the person acting on its behalf shall be exempted from the obligation of confidentiality if:
a)
the data subject or their legal representative gave their written
consent to the transfer of medical and identification data, in
accordance with the restrictions contained therein, and
b) transferring medical and identification data is required by law.
You
are entitled to receive information on data processing in connection
with your medical treatment, you can learn about medical and
identification data about you, view your medical documentation and
obtain a copy of it. During your medical treatment such right is
applicable also to the person authorized in writing by you, and after
your medical treatment, to the person you authorized in a private
document with full probative force. (You can obtain information on the
right of access of spouses, registered partners, relatives, heirs, legal
representatives in Act XLVII of 1997 on the processing and protection
of health care data and associated personal data, Section 7(5) to (7),
or by sending us an e-mail to the address specified hereunder.)
The
Company processes medical information according to the provisions of
GDPR and of Act XLVII of 1997 on the processing and protection of health
care data and associated personal data.
If you wish to exercise
any of your rights referred to in Section 1 regarding the data recorded
during the provision of health services, or if you wish to contact us
for any other reasons regarding your data recorded during the provision
of health services, please, let us know by sending an e-mail to info.premier(at)danubiushotels.com.
2.4 Gym
In the Gym the following data shall be provided for passes to be issued:
- Name
- Gender
- Language
- Address
- Nationality
- Date of birth
- Phone number
- E-mail address
- Photo
- Medical fitness and any other remarks (such as pregnancy, diabetes etc.)
- Membership registration number, type and validity
At the website www.premierfitness.hu,
you can obtain information on gym prices and initiate communication
with the Company, by entering your name, email address, address, postal
code and phone number. First, the Company will send you an email with
the prices of gym services, and, if necessary, will consult with you by
telephone about the details and in order to make an appointment.
Purpose of data processing:
Provision
of gym services. Name and photo are used for identification purposes;
medical information and membership data helps us provide you
personalized services and avoid health risks, other data are used for
communication purposes. Entering your contact details is not compulsory,
however, it is a precondition for us to get in touch with you.
Legal basis of data processing:
Performance
of the contract concluded for the provision of gym services. Entering
your data is voluntary, however, processing data such as your name, your
photo and membership card data is indispensable for the provision of
the service.
In the framework of this service, we process your
medical data on the basis of your express consent. You may withdraw your
consent any time, however, the withdrawal of consent shall not affect
the lawful processing before its withdrawal. Please note that if we are
not allowed to record your medical data, we will not be able to exercise
the utmost care when providing gym services.
Period of data processing:
Your personal data will be processed for 1 year following the year of expiry of your pass or your one-time entry.
If,
by checking the corresponding box, you request us to retain your data
in order to facilitate purchasing future passes (purpose of data
processing), the legal basis for our data processing will be your
voluntary consent. Therefore if, by not checking the corresponding box,
you do not give your consent to our data processing, you will have to
enter such data again when purchasing your next pass. You can withdraw
your consent any time, however the withdrawal of consent shall not
affect the lawfulness of processing based on consent before its
withdrawal. In such cases, your personal data shall be retained for 8
years after the expiry of your latest pass.
If you wish to
exercise any of your rights referred to in Section 1, regarding the data
recorded in the course of the above activities, or if you wish to
contact us for any other reasons, please, inform us by sending an e-mail
to info.premier(at)danubiushotels.com.
2.5 Guest survey and evaluation scheme
As
part of the quality assurance process within the Company, Guests can
express their opinion on the services provided by hotels of Danubius
Hotels Group through an email-based or paper-based guest survey, as well
as through the evaluation scheme. When completing the survey, you can
enter the following personal data:
- Name
- Date of visit
- Room number
- Contact details (address, e-mail address, phone number, home address)
Data provision is not compulsory, these data merely help us investigating any possible complaints, and ensure giving feedback.
Opinions
obtained this way and eventual data linked to such opinions, that
cannot be traced back to the Guest, and cannot be combined with Guest’s
name, can be used by the Company for statistical purposes.
If you
provide your opinion in an anonymous way, we will not process any
personal data. If you require a feedback, our colleague will contact you
on one of the contact details provided (email, postal address,
telephone), within 30 days at the latest.
Purpose of data processing:
Communication with the person expressing the opinion and handling of complaints.
Legal basis of data processing:
Your
implied voluntary consent. Please note that if we do not receive your
consent to the processing of your data or if you withdraw such consent,
we will not be able to answer your question. The withdrawal of consent
shall not affect the lawful processing before such withdrawal.
Period of data processing:
After
answering the relevant request, question or complaint, the messages and
the personal data obtained in this context shall be deleted after the
year following the given year. E-mail address and user name provided for
the evaluation scheme will be deleted upon your request.
If you
wish to exercise any of your rights referred to in Section 1, regarding
the data recorded in the course of the above activities, or if you wish
to contact us for any other reasons, please, inform us by sending an
e-mail to quality.management(at)danubiushotels.com.
2.6 Video surveillance system
Cameras
are used on the premises of hotels operated by the Company, in order to
guarantee the safety of Guests and their assets. Video surveillance is
indicated by an icon and a written warning.
Video surveillance is
used for the protection of property, that is, assets of considerable
value, and of the Guests’ personal belongings, taking into consideration
that otherwise it would not be possible to detect offences, catch
perpetrators in the act, prevent such unlawful acts, and provide
evidence.
For further information on data processing in
connection with such video surveillance, contact Front Desk staff at
your hotel. We will send you the Privacy Policy of such video
surveillance systems at your request. Such requests shall be sent to the
general e-mail or postal address of your hotel.
2.7 Newsletter
When
sending you newsletters, we process your name, e-mail address and
occasionally, your home address. When setting your newsletter
preferences, you can specify the topic of the newsletter, and also the
region it applies to.
Purpose of data processing:
The purpose of processing your data is to be able to notify you of our special offers and news.
Legal basis of data processing:
Your
voluntary consent. Please note that if we do not receive your consent
to the processing of your data we will not be able to send you
newsletters.
Period of data processing:
We will only send you
newsletters as long as you request them. If you no longer wish to
receive newsletters, you can unsubscribe at any time either by using the
dedicated link at the end of each newsletter or by notifying us at hirlevel(at)danubiushotels.com or newsletter(at)danubiushotels.com-ra. The withdrawal of consent shall not affect the lawful processing based on consent before its withdrawal.
Transfer of data:
Data
is transferred within Danubius Hotels Group. Please note that Arisende
s.r.o., CP Regents Park Two Ltd., Slovenske liecebne kupele Piešťany,
a.s., SC Balneoclimaterica SA and Léčebné lázně Mariánské Lázně a.s. can
also be indicated as senders of the newsletter. For more information
please refer to Section 3. As regards the processing of data in the
framework of newsletters, the above mentioned hotels proceed in
accordance with this Policy.
If you wish to exercise any of your
rights referred to in Section 1, regarding the data recorded in the
course of the above activities, or if you wish to contact us for any
other reasons, please, inform us by sending an e-mail to hirlevel(at)danubiushotels.com or newsletter(at)danubiushotels.com.
2.8 Loyalty Programme (Danubius EuroPoints and Bubbles Club) and Danubius Corporate Programme (Danubius Bonus)
The
Company’s Loyalty Programme is an exclusive service provided for Guests
of the Hotel—natural persons—with the purpose of providing discounts to
returning guests. Within the Loyalty Programme, the Bubbles Club is for
Guests who arrive with their families and its purpose is to offer
unique discounts and children’s programmes for returning Guests arriving
with their families.
The Company's Corporate Programme is an
exclusive service provided for the hotels' corporate partners—legal
persons—with the purpose of providing discounts to returning guests.
Within the programmes, the Company processes the following personal data:
In case of a natural person:
- Name
- Gender
- Postal address
- Address
- Phone number
- E-mail address
- Date of birth (minors under eighteen years of age may not participate in the programme)
For Bubbles Club:
Data given by the parent/guardian who is already registered in the Loyalty Programme are the following:
- Child’s name
- Child’s data of birth (children under eighteen years of age may participate in the Bubbles Club programme)
- The parent’s/guardian’s consent to data processing.
Giving
the name and data of birth of the child enables us to send a birthday
surprise to the e-mail address of the parent/guardian for the child’s
birthday.
Personal data managed in the case of a legal person:
- Name of contact person
- Postal address
- Phone number
- E-mail address
Furthermore, we process your Loyalty card number and password.
Purpose of data processing:
Providing discounts for the participants. Sending notifications about the discounts.
Legal basis of data processing:
Your voluntary consent. You may withdraw your consent and may request the deletion of your data by sending an e-mail to dep(at)danubiushotels.com
or a letter to the Company’s postal address (Danubius Zrt. 1051
Budapest, Szent István tér 11.), with the proviso that this shall not
affect the lawful processing based on consent before its withdrawal.
Please note that without giving your consent you may not participate in
the Loyalty Programme.
Period of data processing:
The personal
data shall be processed for as long as the data subject participate in
the given programme. The data given on the application form shall be
processed until your child’s 18th birthday. Membership status in the
Loyalty Programme shall become inactive within 3 (three) years after the
date of the last hotel service used. Membership status of natural/legal
persons in the Corporate Programme shall become inactive within 2 (two)
years after the date of the last hotel service used. The Company shall
retain the members' personal data for the period of time defined in the
provisions of the relevant tax and accounting laws, and shall delete
them after that period.
Joint data processing:
Please note
that regarding the Loyalty Programme, for the sake of interoperability,
Arisende s.r.o., CP Regents Park Two Ltd., Slovenske liecebne kupele
Piešťany, a.s., SC Balneoclimaterica SA and Léčebné lázně Mariánské
Lázně a.s. shall be joint controllers. For more information on the
hotels, please refer to Section 3. As regards the processing of data the
joint controllers proceed in accordance with this Policy.
Participation
in the programmes may occasionally require the provision of further
personal data, in which case the Company may request the given data and
inform the data subject about the purpose, manner and duration of data
processing.
For Frequent Guests signing up to the newsletter or
contributing to promotional activities, the Company shall further handle
the data listed above according to the provisions in Section 2.7 in
this Policy.
If you wish to exercise any of your rights referred
to in Section 1, regarding the data recorded in the course of the above
activities, or if you wish to contact us for any other reasons, please,
inform us by sending an e-mail to dep(at)danubiushotels.com.
2.9 Danubius Gift Card and Voucher
When purchasing a Danubius Gift Card or Voucher, you are requested to provide the following personal data:
In case of a personal purchase:
- Name
- Billing name and address
In case of an online order, via the Company's official websites:
- Name
- E-mail address
- Phone number
- Billing name and address
- Delivery name and address
You can inquire about the balance and the expiry date of the Gift Card at our website www.danubiushotels.com/hu/online-ajandekkartya-vasarlas, at www.gift-card.hu/index.php/kartyaadatok, at Accepting hotels, at Danubius Customer Service, or via Cardnet Zrt.’s Call Center (+36 1 346-0500) any time.
Purpose of data processing:
Maintaining contact for the sake of the delivery of the gift card or voucher, and billing.
Legal basis of data processing:
The
performance of the contract entered into for the issuance of the gift
card or voucher. Giving the data is mandatory, it is the requirement for
the provision of the service.
Period of data processing:
Personal
data obtained this way shall be retained by the Company for 8 years, in
accordance with the provisions of the prevailing tax and accounting
laws.
If you wish to exercise any of your rights referred to in
Section 1, regarding the data recorded in the course of the above
activities, or if you wish to contact us for any other reasons, please,
inform us by sending an e-mail to ajandekkartya(at)danubiushotels.com.
2.10 Debit card data
In case of room reservations, we request you to give the following debit card data:
- Name of debit card
- Number of debit card
- Expiry date of credit card/debit card
Purpose of data processing:
Providing reservations and charging the total amount of your reservation or only a part of it, depending on cancellation.
Legal basis of data processing:
The
performance of the contract entered into for the provison of room
reservation as a service. Giving the data is mandatory, it is the
requirement for the provision of the service.
Period of data processing:
Debit
card data shall be encrypted, and shall be revealed exclusively for
transaction purposes and only to authorized persons. After the departure
from the hotel, these data shall not be revealed, access to these data
is prevented. The data shall be deleted after 8 years.
If, by
checking the corresponding box, you request us to retain your data in
order to facilitate future reservations (purpose of data processing),
the legal basis for our data processing will be your voluntary consent.
Therefore if, by not checking the corresponding box, you do not give
your consent to our data processing, you’ll have to enter such data
again when making your next reservation. You can withdraw your consent
any time, however the withdrawal of consent shall not affect the
lawfulness of processing based on consent before its withdrawal. In such
cases, your personal data are retained for 8 years after your latest
reservation.
If you wish to exercise any of your rights referred
to in Section 1, regarding the data recorded in the course of the above
activities, or if you wish to contact us for any other reasons, please,
inform us by sending an e-mail to szervezes(at)danubiushotels.com.
2.11 Social media (e.g. Facebook, Instagram)
The
Company and the hotels/restaurants//fitness clubs/etc. operated by the
Company can also be contacted individually via Facebook and Instagram
social media portals. By clicking the “like” and “follow” buttons on the
given page, Facebook users may subscribe to the newsfeed published on
the wall, by clicking the “dislike” button they may unsubscribe and, by
adjusting the newsfeed settings, news they don’t wish to follow may also
be deleted from their Facebook wall. The Company is able to access its
“followers’” profiles, however, it does not record or process them in
its own internal system.
Purpose of data processing:
Sharing
the contents on the website of the Company and of the
hotels/restaurants//fitness clubs/etc. operated by the Company, sharing
other news and offers, maintaining contact. You may reserve rooms,
participate in prize drawings and learn about the latest offers via the
Facebook page.
Legal basis of data processing:
Your voluntary
consent which can be withdrawn at any time by unsubscribing. The
withdrawal of consent shall not affect the lawful processing based on
consent before its withdrawal. In case of a withdrawal, you will not get
notifications on your newsfeed, our news will not be posted in your
newsfeed and yet you can still access the Company’s newsfeed since our
page is public.
Period of data processing:
Data are processed until you unsubscribe.
Data shall not be transferred and data controller shall not be engaged.
Facebook
and Instagram are separate data comntrollers, independent of us. Please
visit the following links for more information regarding Facebook’s
data processing, data protection directives and regulations:
Regarding Instagram’s data processing, you can obtain more information by clicking the link below:
In
the course of using Facebook applications and prize drawings, data
processing shall be carried out in compliance with Section 2.12.
When
making a room reservation, the system automatically redirects the Guest
to the Company’s website. Data processing shall be carried out in
compliance with Section 2.1.
The Company also publishes
photos/videos about various events/hotels/fitness clubs/restaurants,
etc. on its Facebook page. Unless it is a photo of a group of people,
the Company shall always request the prior written consent of the data
subjects before publication.
If you wish to exercise any of your
rights referred to in Section 1, regarding the data recorded in the
course of the above activities, or if you wish to contact us for any
other reasons, please, inform us by sending an e-mail to
adat(at)danubiushotels.com.
2.12 Prize drawings:
On
its own or in cooperation with another member of Danubius Hotels Group
or with another external company, the Company occasionally organizes
prize drawings. Participants may sign up for a prize drawing through a
paper-based or online registration (at the Danubius Hotels website or
Facebook page), usually by providing the following data:
- Name
- Address
- Phone number
- E-mail address
It
is possible that there is no need to give the above data (e.g. in case
of Facebook prize drawings), or you are requested to give other data, so
the scope of data may vary.
Purpose of data processing:
Organizing prize drawings, maintaining contact in order to enable the Company to forward the prize to the winner.
Legal basis of data processing:
Your consent. You can withdraw your consent by writing an e-mail to the e-mail address marketing(at)danubiushotels.com
or sending a letter to the above address any time. The withdrawal of
consent shall not affect the processing based on consent before its
withdrawal.
The consent is required for the participation in the prize drawing.
Period of data processing:
Data
processing shall carried out until the end of the prize drawing, within
30 days of the drawing, the data processed in this context shall be
deleted (except for the data of the winner(s) and substitute winner(s)).
Data of the winner(s) and substitute winner(s) shall be retained by the
Company for 8 years, in accordance with the provisions of the
prevailing tax and accounting laws, and shall be deleted after that
period.
Information about any data transfer and data processors
as well as details of data processing that are different than the ones
indicated in this information guide shall always be provided in the
course of the given prize drawing.
For Frequent Guests signing up
to the newsletter or contributing to promotional activities, the
Company shall further handle the data listed above according to the
provisions in Section 2.7 in this Policy.
If you wish to exercise
any of your rights referred to in Section 1, regarding the data
recorded in the course of the above activities, or if you wish to
contact us for any other reasons, please, inform us by sending an e-mail
to marketing(at)danubiushotels.com.
2.13 Web store
Bubbles
Club gift products, hotel restaurant voucher and tickets, daily tickets
for the use of different fitness and spa services, different passes and
day spa programmes may also be purchased in the form of vouchers via
the online system (web store), by filling out the online order form for
which you shall be requested to give the following data:
- Last name
- First name
- E-mail address
- Phone number
- Billing data (name, country, postcode, city, street, house number)
In
addition to the above, the Company processes the date and time of
purchase, the description and price of the service, the total amount of
purchase and the IP address of the customer.
Purpose of data processing:
Maintaining
contact with the customers, the provision of service, the processing of
the purchase and the fulfilment of the relevant accounting obligations.
Legal basis of data processing:
The
performance of the contract, Article 13/A of Act CVIII of 2001 on
certain issues of electronic commerce services and information society
services and Article 169(2) of Act C of 2000 on accounting. Giving the
data is mandatory, it is the requirement of the purchase.
Period of data processing:
Personal
data shall be deleted after the provision of services, data on the
certificate of purchase shall be retained for 8 years from the purchase.
For online payment with debit card you shall automatically be redirected to the website of the following data controller:
OTP Bank Nyrt. (Registered seat: 1051 Budapest, Nádor Street 16.; registration number: 01-10-041585; web:www.otpbank.hu )
If
you wish to exercise any of your rights referred to in Section 1,
regarding the data recorded in the course of the above activities, or if
you wish to contact us for any other reasons, please, inform us by
sending an e-mail to adat(at)danubiushotels.com.
2.14 Contact
You
can contact us at any of our contact details (e-mail, Facebook, phone,
by post or through the forms developed for this purpose, e.g. inquiry).
In such cases, we assume your consent to the processing of personal data
shared with us.
Purpose of data processing:
Maintaining contact with the requesting person, answering and resolving the question/request.
Legal basis of data processing:
Since
you contacted us, the legal basis of data processing is your (presumed)
voluntary consent. You may withdraw your consent at any time, however,
in this case we cannot answer your request. The withdrawal of consent
shall not affect the lawful processing based on consent before its
withdrawal.
Please note, that the data fields of certain forms
have been developed according to our experiences, thus you are only
requested to give the data most necessary for answering the
question/request. The mandatory fields are marked with a red asterisk.
Period of data processing:
After
answering the relevant request, question or complaint, the messages and
the personal data obtained in this context shall be deleted after the
year following the given year. However, for tax and accounting purposes
or if it is necessary to protect the applicant’s rights and interests,
these data are archived and retained for as long as necessary which
period is individually defined in each case.
Transfer of data:
The inquiry regarding a particular hotel shall be forwarded to the relevant member of the Danubius Hotels Group.
2.15 Complaint management protocol
During
the consumer complaint handling, if you do not agree with the handling
of your complaint or immediate investigation of the complaint is not
possible, the Company is obliged to immediately issue a protocol about
the complaint and its related position.
The protocol shall contain the following data:
- The name and address of the customer
- The place, time and mode of submitting the complaint
- The detailed description of the complaint of the customer, the list of documents and other evidences provided by the customer
- The Company’s declaration of its position regarding the complaint of the consumer, if immediate investigation of the complaint is possible
- The signature of the person issuing the protocol and—except for verbal complaints communicated by phone or e-mail—of the customer
- The place and time of the issuance of the protocol
- In case of a verbal complaint communicated by phone or e-mail, the unique identification number of the complaint
Purpose of data processing:
Investigation of the complaint and maintaining contact with the complainant.
Legal basis of data processing:
Provisions of Section 17/A (7) of the Act CLV of 1997 on consumer protection which makes the above processing mandatory.
Period of data processing:
5 years from issuing the protocol.
If
you wish to exercise any of your rights referred to in Section 1,
regarding the data recorded in the course of the above activities, or if
you wish to contact us for any other reasons, please, inform us by
sending an e-mail to adat(at)danubiushotels.com.
2.16 The Danubius Blog
The
Company regularly publishes new articles in their online travel
magazine. If you wish to receive notifications of the new articles,
please subscribe to our mailing list by providing us with your name and
e-mail address.
Purpose of data processing:
The purpose of processing your data is to be able to notify you of the new articles.
Legal basis of data processing:
Your
voluntary consent. Please note that if we do not receive your consent
to the processing of your data we will not be able to send you
notifications.
Period of data processing:
We will only send
you the requested notifications as long as you request them. If you no
longer wish to receive notification e-mails you can unsubscribe at any
time either by using the dedicated link at the end of each notification
e-mail or by notifying us about unsubscribing at
adat(at)danubiushotels.com. The withdrawal of consent shall not affect
the lawful processing based on consent before its withdrawal.
If
you wish to exercise any of your rights referred to in Section 1,
regarding the data recorded in the course of the above activities, or if
you wish to contact us for any other reasons, please, inform us by
sending an e-mail to adat(at)danubiushotels.com.
2.17 Automatically recorded data, cookies and “remarketing codes”
2.17.1 Automatically recorded data
When
you open our website on a device (such as a laptop or desktop computer,
a smartphone or a tablet) select data of that device will be
automatically recorded. The data automatically recorded include the IP
address of your device, the date and time of your visiting our website,
the browser type and the domain name and address of your Internet
provider. The recorded data will be automatically logged by the web
server of the website, without requiring your consent or any dedicated
activity on your part. The system uses the recorded data to
automatically generate statistical data. These data cannot be associated
with other personal data except where such an association is mandated
by law. These data will exclusively be used in an aggregated and
processed form, to correct errors and improve the quality, of our
services, and for statistical purposes.
Purpose of data processing:
The
technical development of the informatics system, to monitor of the
service, and to generate statistical data. In case of fraudulent
activities these data can also be used – in co-operation with the user’s
Internet provider and the law enforcement authorities – to determine
the source of such fraudulent activities.
Legal basis of data processing:
The
requirement of the provision of the service as per Act CVIII of 2001 on
certain issues of electronic commerce services and information society
services, Article 13/A Section (3).
Period of data processing: 30 days from your opening our website.
2.17.2. Cookies and similar technologies
What are cookies?
Cookies
are small, text-based files which are stored on the hard disk drive of
computers or smart devices until their validity end date set within the
cookie file, and is activated (sending a notification to the web server
of the website) every time the website is opened in a browser on the
device. Websites use cookies for the purpose of recording information
regarding the use of the website (pages visited, time spent on the
pages, browsing information, logouts etc.) and personal settings – but
these data cannot be associated with the visitor’s identity. Cookies
allow the websites’ operators to maintain user-friendly sites and
enhance the user experience their websites offers to their visitors.
On
platforms where cookies are not available or cannot be used, other
technologies are applied to achieve goals similar to those of using
cookies – examples include the ad-IDs used on Android-based mobile
devices.
Cookies come in two types: “session cookies” and “persistent cookies”.
•
“Session cookies” are only stored on the computer or smart device
temporarily while the visitor is using the website; these cookies allow
the system to “remember” certain information, so the visitor will not
have to provide them every time they open the website. The validity
period of session cookies is limited to the duration of the use of the
website; the purpose of the use of session cookies is to prevent the
loss of data (for example when filling in a longer form). At the end of
each use of the website – each session – as well as when the browser is
closed cookies of this type are automatically deleted.
•
“Persistent cookies” will remain stored on the computer or smart device
after the website is closed. Cookies of this kind are used to allow the
website to identify returning visitors. Persistent cookies identify
returning visitors by associating the server-side ID with the user,
therefore they are an essential part of the functionality of websites
which require the users to be authenticated – for example on web stores,
netbanking websites and webmail sites. The persistent cookies do not
contain personal data, they can only be used for the unique
identification of users by associating them with the proper item in the
database stored on the web server of the website. The inherent risk of
using persistent cookies is that they can only identify the web browser
as opposed to the user themselves, so if a user uses a public access
point – such as a computer in an Internet café or a public library – to
log in to a web store and fails to log out of the store at the end of
their session another person can have unauthenticated access to the web
store, being falsely identified by the system as the original (and
therefore authenticated) user.
How can I allow and disable cookies?
Most
Internet browsers automatically allow cookies, but the users can delete
or reject them. As every browser is different you can set your cookie
preferences manually in the Settings section of your browser. If you do
not want to allow any cookies of our website on your device you can
modify your browser settings so you are notified of cookies sent to your
device, or you can simply reject all cookies. You can also delete the
cookies stored on your computer or mobile device, any time. For more
information on modifying the browser settings please consult the Help
function of your browser. Please note that if you choose to disable
cookies you limit the functionality of the website.
What cookies do we use?
1. Cookies essential for the operation of the website:
These
cookies are essential for the proper functionality of the website, so
in their cases the legal basis of data processing is the requirement of
the provision of the service as per Act CVIII of 2001 on certain issues
of electronic commerce services and information society services,
Article 13/A Section (3). No transfer of data occurs.
a.) Fill-in guide
Purpose
of data processing: To facilitate the filling in of the forms by
automatically providing the user with the data deemed correct by the
system.
Period of data processing: the duration of the visit to the website
b) Search aid
Purpose of data processing: Aids search sessions to minimalize search time
Period of data processing: the duration of the visit to the website
c) Spell check
Purpose of data processing: Automatic notification regarding suspected typing errors
Period of data processing: the duration of the visit to the website
d) Language setting identification:
Purpose
of data processing: The system uses the normal cookie to uniquely
identify the visitor while they are using the website, to be able
“remember” the visitor’s language settings.
Period of data processing: This cookie is stored for 29 days.
e) Social network cookie (Facebook, Instagram, Google+, Youtube)
Purpose of data processing: This cookie allows the sharing of content of the website, on social media.
Period of data processing: This cookie is stored for the duration of sharing the content.
Regarding Facebook please read Section 2.
f) Multimedia player (YouTube)
Purpose of data processing: This cookie allows the playing of videos on the website.
Period of data processing: This cookie is stored for the duration of playing the video.
2. Cookies to obtain statistical data
The
sole function of these cookies is to obtain statistical data, which
means they do not involve personal data. They monitor the visitor’s use
of the website, which topics they prefer, what they click on, how they
scroll on the website, what pages they visit. It is important to note
that these cookies strictly obtain anonymous data. These cookies let us
know, for example, how many visitors has our website per month. The
obtained statistical data allow us to improve our website so they
reflect the preferences of our users even more. Google Tag Manager (and
Google Analytics) and Hotjar help us obtaining such statistical data.
3. Marketing cookies
The purpose of using marketing cookies is to create and send personalised ads.
Legal
basis of data processing: Using these cookies always require the
recipient’s consent which the recipient may grant us in a pop-up window
on the website. The user may withdraw their consent any time, however,
the withdrawal of consent shall not affect the lawful processing based
on consent before its withdrawal. Upon the withdrawal of consent the
personalised ads created for the user will not be published on other
sites.
a) Categorisation based on the location of the visit
Period of data processing: 269 days
b) Personalised offers on Facebook
Period of data processing: a maximum of 180 days
c) Monitoring clicks on Company ads
Period of data processing: 2 years
If
you wish to exercise any of your rights referred to in Section 1,
regarding the data recorded in the course of the above activities, or if
you wish to contact us for any other reasons, please, inform us by
sending an e-mail to adat(at)danubiushotels.com.
Joint data processing:
Regarding
the processed data Arisende s.r.o., CP Regents Park Two Ltd., Slovenske
liecebne kupele Piešťany, a.s., SC Balneoclimaterica SA and Léčebné
lázně Mariánské Lázně a.s. are joint controllers. For more information
please refer to Section 3.
As regards the processing of data the joint controllers proceed in accordance with this Policy.
2.17.3. Web links
Our
website may contain web links to sites which are not managed and
operated by the Company, and are linked to our site for the purpose of
providing information to the users. The Company has no influence over,
and therefore may not be hold responsible for, the content and the
safety situation of the websites managed by its partner companies.
Please, consult their privacy policies before providing any information
on such websites you visit.
2.18 Job advertisements
By registering online via e-mail, in printed format or on the webpage under the link http://karrier.danubiushotels.com/
on the Company website, you can apply for jobs advertised by Danubius
Zrt. and/or Danubius Hotels Zrt. (please visit the above link for a
detailed guide of the registration process).
Purpose of data processing:
The
purpose of data processing is to allow the provision of information to
the job seekers regarding the advertised jobs, the selection of the
qualifying applicants and to contact the selected applicants.
Legal basis of data processing:
Your
consent, which is implicit for applications via e-mail or in printed
format, and explicit for online applications. You have the right to
withdraw you consent at any time, via e-mail or in a letter, and you can
also delete your registration any time. The withdrawal of consent shall
not affect the lawful processing based on consent before its
withdrawal. Please note that while you provide the requested data on a
voluntary basis, we cannot proceed with your application in lack of any
requested document or data, or if you withdraw your consent.
Period of data processing:
Having made the selection, we process the CVs, personal data and documents of the applicants to specific job advertisements upload/send to us as part of their application, as per the following:
- We ask, via e-mail, a system notification or in a letter, the applicants we did not select for the job whether they wish their application to be retained in our applicant database for a period of one year. Upon receiving a negative or no answer within 30 days of the inquiry the application and data of the applicant is deleted from the system.
- We transfer the data of the applicant selected for the job, to our employee database, and delete them from the applicant database.
The processing of general, non-specific applications:
- We store the application we receive in a letter or email, in our database for a period of one year. After one year the CVs and data contained by such applications, are deleted from the system.
- For online registrations the data provided by the registering individuals, are stored by the system for a period of one year, then, in lack of user activity, are permanently deleted from the system. The system sends the applicant a notification 30, 7 and then 1 day before the end of the one-year retention period, containing information about the option for the applicant to extend the registration by an additional year.
If
an applicant’s data are deleted from the system for any reason, the
applicant must register again to be included in the database.
Transfer of data:
Upon
data subject consent the data are transferred to Danubius Hotels Zrt.
For more information please refer to Section 3. Danubius Hotels Zrt.
processes the data obtained regarding their job advertisements, as per
this Policy.
If you wish to exercise any of your rights referred
to in Section 1, regarding the data recorded in the course of the above
activities, or if you wish to contact us for any other reasons, please,
inform us by sending an e-mail to danubius.hr(at)danubiushotels.com.
2.19 Staff
All
of the information in this Policy and all of the rights described in
section 1 also apply to the staff of Danubius Zrt. and Danubius Hotels
Zrt. and to our processing of their personal data.
We provide staff directly with full information of our Employee Privacy Policy and of our processing of their personal data.
2.20 Business contacts
In
common with most companies, we deal with individuals at other
organisations and store their name, business function, and business
contact details.
Purpose of data processing:
This is done by mutual agreement in order to enable our two companies to communicate with a view to working together.
Legal basis of data processing:
Our
basis of lawfulness for doing this is “our legitimate interests in the
performance of the contract or keeping contact between companies”.
We
will not use the data on these business contacts other than to
facilitate business with the other company. For example, we will not
market services to the individuals whose data we hold or transfer the
data to any third party.
Period of data processing:
At least annually we will review our records of business contacts and delete those which are no longer current.
The same policy applies to the processing of personal data of press contacts.
2.21 Wi-Fi
In
certain hotels in order to reach Wi-Fi we request name and address to
be given. Simultaneously, the system records the IP address of your
device.
Purpose of data processing:
The purpose of data
processing is ensuring that services are reached during Wi-Fi usage,
while following your departure, handling of complaints and detection of
fraud or abuse.
Legal basis of data processing:
The legal
basis for data processing is the „performance of the contract”,
considering the fact that reaching Wi-Fi is one of the services provided
by our hotel. However, following your departure the legal basis is “the
legitimate interest of the controller related to the handling of
complaints and detection of fraud or abuse”. Providing your data is an
indispensable condition for using the services.
Period of data processing:
The data are erased within 1 (one) year of the year under review.
3) Legal reference information (including contact details)
Under
GDPR, Danubius, as the controller of the personal data which it
processes, must publish information about its legal name and how to
contact it, together with other details. This section contains all the
information required by GDPR, together with some useful additional legal
information.
The full legal name of the legal entities which operates our hotels is:
Full legal name: Danubius Szállodaüzemeltető és Szolgáltató Zártkörűen Működő Részvénytársaság
Foreign name: Danubius Hotel Operation and Services Private Company Limited by Shares
Abbreviated name: Danubius Zrt.
Registered seat: 1051 Budapest, Szent István square 11.
Name of Registration Court: Metropolitan Court as Court of Registration
Registration number: 01-10-041120
Tax number: 10219522-2-44
It is represented by: Péter Dienes CEO
Its legal associate responsible for data protection is: Dr. Helga Sztanó
Its phone number is: 06/1-8894172
She can be contacted by email at: adat(at)danubiushotels.com
Its business activity is: hotel operation and services
Danubius
Zrt. is 100% owned by Danubius Hotels Zrt. This is a non-trading
holding company but employs a small number of staff. Its legal details
are:
Full legal name: Danubius Szálloda és Gyógyüdülő Zártkörűen Működő Részvénytársaság
Foreign name: Danubius Hotel and Spa Private Company Limited by Shares
Abbreviated name: Danubius Hotels Zrt.
Registered seat: 1051 Budapest, Szent István square 11.
Name of Registration Court: Metropolitan Court as Court of Registration
Registration number: 01-10-041669
Tax number: 10594702-2-41
It is represented by: Balázs Kovács CEO
Its legal associate responsible for data protection is: Dr. Helga Sztanó
Its phone number is: 06/1-8894172
She can be contacted by email at: adat(at)danubiushotels.com
The
only personal data held by Danubius Hotels Zrt. is, in its function as
employer, for a small number of senior staff. Dr. Helga Sztanó also has
responsibility for data protection for Danubius Hotels Zrt.
For
the purpose of profile cleaning, Danubius hotels have been divided into
two divisions: City Division comprises of city hotels while SPA Division
manages health spa & wellness hotels. City hotels are continued to
be operated by Danubius Zrt, while the operation of health spa &
wellness hotels has been taken over by Arisende s.r.o. of Prague. As a
result, Danubius Zrt and Arisende s.r.o. act as joint controllers for
the hotels indicated below as per the provisions of this Policy. Dr
Helga Sztanó is responsible for issues of data protection arising in the
course of joint data processing.
Company name: Arisende s.r.o.
Registered seat: Masarykova 22/5, 353 01 Mariánské Lázně
Court of Registration: Krajský soud v Plzni
Registration number: C 33301
ID number: 05456274.
In addition to Danubius Zrt/Danubius Hotels Zrt, the owners of the hotels operated by Arisende are the following:
Company name: CP Regents Park Two Ltd.
Registered seat: CP House, Otterspool Way, Watford WD25 7JP, UK
Registration number: 5307946.
EU tax number: GB 848957555
Click here to read the Privacy policy of Danubius Hotel Regents Park >
Company name: Slovenske liecebne kupele Piešťany, a.s.
Abbreviated name: SLKP, a.s.
Registered seat: Winterova 29, 921 29 Piešťany, Slovakia
Registration number: Obch. reg. KS Trnava, odd. Sa, vlozka č. 181/T
EU tax number: SK2020389668
Company name: SC Balneoclimaterica SA Sovata
Registered seat: Str, Trandafirilor nr. 99, Cod.545500, Romania
EU tax number: RO1245068
Registration number: J26/266/1991
Company name: Léčebné lázně Mariánské Lázně a.s.
Registered seat: Masarykova 22, 353 29 Mariánské Lázně, Czech Republic
Registration number: B 196
EU tax number: CZ45359113
The above companies are jointly deemed the Danubius Hotels Group.
Hotels involved in joint data processing are the following:
Danubius Zrt.:
Danubius Hotel Margitsziget
Danubius Grand Hotel Margitsziget
Danubius Thermal Hotel Sárvár
Danubius Thermal Hotel Bük
Danubius Thermal Hotel Aqua
Danubius Thermal Hotel Hévíz
Léčebné lázně Mariánské Lázně a.s.
Hotel Nové Lázně
Hotel Centrální Lázně
Hotel Hvězda
Grandhotel Pacifik
Hotel Butterfly
(Spa) Hotel Vltava
(Spa) Hotel Svoboda
Slovenske liecebne kupele Piešťany, a.s.
Health Spa Resort Thermia Palace
Health Spa Resort Esplanade
Spa Hotel Grand Splendid
Vila Trajan
Hotel Jalta & Dependances
Hotel Centrál
Hotel Vietoris
Dependance Morava
SC Balneoclimaterica SA Sovata
Danubius Health Spa Resort Bradet
Danubius Health Spa Resort Sovata
Hotel Faget
4) Terms and abbreviations used in this Policy
Most
of the definitions refer to the EU’s General Data Protection Regulation
(GDPR). This is a legal document, and it is not possible to give a
short definition in simple language which is fully exact. The aim here
is to give a clear explanation which will facilitate the reader’s
understanding; this may sometimes exclude detail of the full legal
definition. Our policy is to comply with the full requirement of GDPR,
and your rights are not affected by any simplification in the
explanations here.
Term or Abbreviation | Explanation |
Controller | The legal entity which determines the purposes and means of the processing of personal data; |
Data subject | A
live individual inside or outside the EU dealing with an organisation
in the EU. Such an individual is a “data subject” and under GDPR has
rights over the processing of his or her personal data. |
EU | The European Union |
GDPR | The General Data Protection Regulation of the EU, which came into force 25 May 2018. |
Personal data | Any
information relating to an individual who is or can be identified
through a wide variety of methods, including but not limited to:
|
Processing | Any
operation or set of operations which is performed on personal data,
whether or not automatically means, including but not limited to: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction. |
Processor | A legal entity which processes personal data on behalf of a controller. |
Profiling | Automated
processing which uses personal data in order to analyse or predict
aspects of performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location, or movements
of an individual |
Pseudonymisation | Encrypting
or otherwise holding personal data in a way in which it cannot be
linked to a specific data subject without additional information. The
additional information has to be kept separately and protected by
technical and organisational measures to prevent its unauthorised use. |
Special categories of data | There are very strict restrictions on processing of personal data within “special categories”. These are:
|
Supervisory Authority | An
independent public body set up by an EU state to monitor the
application of GDPR and, as necessary, to intervene to protect the
rights of individuals under GDPR |
Third Country | Any country outside the EU |
Transfer | Sending of personal data from the controller or processor to a legal entity outside the EU. |