Loading…

INFORMATIONAL DOCUMENT ABOUT THE PROCESSING OF PERSONAL DATA
TATA ÉS KÖRNYÉKE TURISZTIKAI EGYESÜLET (TATA AND ENVIRONS TOURISM ASSOCIATION)

1. The aims and effectiveness of this informational document

(1) The aim of this informational document about the handling of personal data (hereinafter as “Informational document”) is to set a legal way of administrating records/ using databases with the Tourist non-profit organisation Duna-Gerecse ( i.e. an operator for the purpose of processing data, hereinafter as “Operator”), also to ensure the application of constitutional principles of the protection of data, the right for informational self-determination and demands for the security of data, so that everybody can handle their own personal data according to their wishes according to the legislative regulation, to be informed about the processing of their data, i.e. to prevent unauthorised access to the data, changes or unauthorised publication. Also, this informational document acts as an introduction of the practice of the Operator regarding the processing of personal data to affected people.

(2) The effectiveness of this informational document includes the processing of personal and special data performed by every organisational unit of the Operator.

2. Determinative legal regulations

  • Regulation (EC) No 2016/679 (27th of April 2016) of the European Parliament and of the Council about the protection of personal data of natural persons and the processing of personal data and about the free flow of this data, further about the termination of the effectiveness of regulation No 95/46/EC (General regulation of the protection of personal data; hereinafter: “GDPR”);
  • Act No CXII. from the year 2011 about the information self-determination and freedom of information (hereinafter: “Info-act”);
  • Act No V. from the year 2013 of the Civil Code (hereinafter as “CC”);
  • Act No CXXX. from the year 2016 of the civil judicial code (hereinafter as “CJC”).

3. Data of the Operator

The current valid data of the Operator is stated bellow:

  • Name: Tata és Környéke Turisztikai Egyesület (Tata and Environs Tourism Association)
  • Address: H-2890 Tata, Bercényi utca 1.
  • ID number in the NGO Register: 11-02-0001768
  • Tax number: 18140022-2-11
  • Registry court: Tatabányai Törvényszék
  • Telephone number: +36 34 588 633
  • E-mail address: tdmtata@visittata.com

4. The range of processed personal data, the aim of processing data, its period and legal basis

(1) The operator performs the processing of data on the basis of the voluntary agreement of affected persons or on the basis of legal authorisation. In case of a voluntary agreement, the affected person can request information about the range of processed data at any time, or rather about their usage; the person can also cancel the agreement, apart from specific cases, where the processing of data will be performed on the basis of a legal order (in these cases, the Operator informs the affected person about the further processing of data).

(2) The providers of data are obliged to provide accurate data, according to the best of their knowledge.

(3) If the provider of data does not provide their personal data, the provider of data is obliged to ensure a consent of the data subject.

(4) If the Processors of data provides data to third parties, the Operator runs a register of such actions. The register of providing data to third parties has to contain the address, the way, time and range of provided data.

5) Processing of data associated with individual activities of the Operator:

  1. Interests of the visitors, ordering publication associated with tourism
    The legal basis of processing data: consent of the data subject
    Range of processed data: name, e-mail address, telephone number, address/postal address
    The aim of processing data: providing information
    Transfer of data: not realised
    Legal basis of data transfer: irrelevant entry
    Data processors: irrelevant entry
    Date of data erasure: 6 months
    Potential consequences of not providing: no service realisation
  2. Requesting offers about tourist services, program options
    The legal basis of processing data: consent of the data subject
    Range of processed data: name, e-mail address, telephone number, address
    The aim of processing data: providing offers
    Transfer of data: not realised
    Legal basis of data transfer: irrelevant entry
    Data processors: irrelevant entry
    Date of data erasure: 6 months
    Potential consequences of not providing: no service realisation
  3. Requesting offers about accommodation facilities (via www.visittata.com webpage)
    The legal basis of processing data: consent of the data subject
    Range of processed data: name, e-mail address, telephone number, address, expected date of arrival, expected duration of stay, number of persons traveling together, number and age of children traveling together
    The aim of processing data: providing offers
    Transfer of data: via IT-system
    Legal basis of data transfer: consent of the data subject, contractual duty
    Data processors: front office / sales workers connected to the accommodation facilities, Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
    Date of data erasure: 6 months
    Potential consequences of not providing: no service realisation
  4. Online shopping (via www.visittata.com webpage)
    The legal basis of processing data: contractual duty
    Range of processed data: name, e-mail address, telephone number, address, postal address
    The aim of processing data: delivery of purchased goods
    Transfer of data: via IT-system
    Legal basis of data transfer: consent of the data subject, contractual duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation
  5. Signing up for newsletter (via www.visittata.com webpage)
    The legal basis of processing data: consent of the data subject
    Range of processed data: name, e-mail address
    The aim of processing data: providing information
    Transfer of data: via IT-system
    Legal basis of data transfer: consent of the data subject, contractual duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
    Date of data erasure: within 24 hours after the consent of the data subject has been withdrawn
    Potential consequences of not providing: no service realisation
  6. User registration on webpages (www.visittata.com, www.dunamente-card.com, www.podunajsko-card.com)
    The legal basis of processing data: consent of the data subject
    Range of processed data: name, e-mail address, first name, surname, company name, country, address, phone number, mobile phone number, language
    The aim of processing data: persoanlization of webpage
    Transfer of data: via IT-system
    Legal basis of data transfer: consent of the data subject, contractual duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
    Date of data erasure: within 24 hours after the consent of the data subject has been withdrawn
    Potential consequences of not providing: no service realisation
  7. Daily administration of using webpages (www.visittata.com, www.dunamente-card.com, www.podunajsko-card.com)
    The legal basis of processing data: consent of the data subject
    Range of processed data: anonymous IP address
    The aim of processing data: producing statistics
    Transfer of data: via Internet (Google), IT-system
    Legal basis of data transfer: consent of the data subject, contractual duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
    Date of data erasure: -
    Potential consequences of not providing: irrelevant entry
  8. Daily administration of using the “Audio guide” application (Guide@Hand Tata / Guide@Hand Danubeland tourism region)
    The legal basis of processing data: consent of the data subject
    Range of processed data: anonymous IP address, type of used mobile device, downloaded route / POI
    The aim of processing data: producing statistics
    Transfer of data: App Stores, Számítástechnikai és Alkalmazási Kutatóintézet, Tata TE
    Legal basis of data transfer: consent of the data subject
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Számítástechnikai és Alkalmazási Kutatóintézet
    Date of data erasure: -
    Potential consequences of not providing: irrelevant entry
  9. Registration of a tourist card (Dunamente / Podunajsko Card)
    The legal basis of processing data: contractual duty
    Range of processed data: name, address, date of birth, e-mail address, telephone number, date of arrival and departure
    The aim of processing data: ensuring the usage of the system of cards with advantages
    Transfer of data: via the system CityPay (Chrome-Soft Kft.)
    Legal basis of data transfer: contractual duty
    Data processors: front office / sales workers connected to the accommodation facilities, Dunamente / Podunajsko Card Call Center Tata TE, Chrome-Soft Kft.
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation
  10. Booking of leasure services, programmes (exit games, guided tours)
    The legal basis of processing data: contractual duty
    Range of processed data: name, address, e-mail address, telephone number, date of arrival
    The aim of processing data: providing leasure services, programmes
    Transfer of data: Kuny Domokos Museum Tata (exit game: The legend of the castle prison), Tatai Városgazda NKft. (exit game: Explorers), Létesítményeket Üzemeltető NKft. / Mining Museum of Oroszlány (exit game: Sabotage in the mine plant)
    Legal basis of data transfer: contractual duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation
  11. Primary market survey (paper basis and an online survey method)
    The legal basis of processing data: consent of the data subject
    Range of processed data: name, e-mail address
    The aim of processing data: information about the results of the surveys, participation in the prize draw
    Transfer of data: not realised
    Legal basis of data transfer: irrelevant entry
    Data processors: Paksiné Czirkó Enikő office manager Tata TE
    Date of data erasure: end of the survey program
    Potential consequences of not providing: irrelevant entry
  12. Recording of advertisements (Szuperinfó)
    The legal basis of processing data: contractual duty
    Range of processed data: name, address, telephone number, data about the subject (property, good, service) of the advertisement
    The aim of processing data: publishing of advertisement
    Transfer of data: Szuperinfó Média Kft.
    Legal basis of data transfer: contractual duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Szuperinfó Média Kft.
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation
  13. Complaints
    The legal basis of processing data: consent of the data subject
    Range of processed data: name, e-mail address, phone number, address
    The aim of processing data: settling the complaint
    Transfer of data: not realised
    Legal basis of data transfer: irrelevant entry
    Data processors: irrelevant entry
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation
  14. Handling of data of private suppliers (local products, handicrafts)
    The legal basis of processing data: legislative duty
    Range of processed data: name, address, e-mail address, phone number, tax number
    The aim of processing data: selling of local products, handicrafts
    Transfer of data: Hlogyik János accountant
    Legal basis of data transfer: contractual duty, legislative duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Hlogyik János accountant
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation
  15. Publication of data of private service providers on the web pages (www.visittata.com, www.dunamente-card.com, www.podunajsko-card.com) and in printed materials
    The legal basis of processing data: membership record
    Range of processed data: name, type of service, address, -mail address, phone number, mobile number, webpage, tax number
    The aim of processing data: propagational service for members
    Transfer of data: through IT-system
    Legal basis of data transfer: membership record
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation
  16. Employment contracts of the Operator
    The legal basis of processing data: legislative duty
    Range of processed data: name, name of the mother, address, place and date of birth, TAJ number, tax number, bank information and account number, pension fund
    The aim of processing data: payment of salary and social charges
    Transfer of data: Hlogyik János accountant
    Legal basis of data transfer: contractual duty, legislative duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Hlogyik János accountant
    Date of data erasure: 1 year after the termination of contact
    Potential consequences of not providing: no payment of salary and social charges
  17. Request for Tata Card
    The legal basis of processing data: contractual duty
    Range of processed data: name, address, name of the mother, place and date of birth, phone number
    The aim of processing data: request for a Tata Card
    Transfer of data: Sárkány Informatikai Zrt.
    Legal basis of data transfer: contractual duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Sárkány Informatikai Zrt.
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation
  18. Selling of KombiBike bycicle sharing rental systam card
    The legal basis of processing data: contractual duty
    Range of processed data: academic degree, first name, surname, address, name of the mother, place and date of birth, phone number, type and ID of personal document, e-mail address
    The aim of processing data: Selling of KombiBike bycicle sharing rental systam card
    Transfer of data: Pons Danubii korlátolt felelősségű Európai Területi Együttműködési Csoportosulás
    Legal basis of data transfer: contractual duty
    Data processors: Paksiné Czirkó Enikő office manager Tata TE, Pons Danubii korlátolt felelősségű Európai Területi Együttműködési Csoportosulás
    Date of data erasure: 5 years
    Potential consequences of not providing: no service realisation

5. The rights of affected persons and possible correction means

(1) The affected persons have the right to request in written form from the Operator information about the processing way of their personal data, they can announce their claim to delete or change the data, also withdraw their former consent via contacts stated in paragraph no. (3).

(2) The affected persons cannot apply their right for eradication of their data in case of a legally obliged prescribed administration of data.

(3) The content of the right to be informed: On the basis of the right of the affected person, the Operator will provide information associated to articles no.13 and 14. of the GDPR law to the affected person, also information according to articles no.15.-22. and 34. in a short, generally understandable form.

(4) The content of the right for the availability of information: On the basis of the request of the affected person, the Operator will provide information about the current status of processing of the data of the affected person. If the Operator is already in the process of processing personal data, the affected person has the right to access data regarding the following:

  • personal data regarding the affected person;
  • aim(s) of processing the data;
  • categories of the given personal data;
  • list of people that had or will have access to the data of the affected person;
  • time period of recording the data;
  • right to edit, erase or limit the processing of data;
  • right to address the court, i.e. a control body;
  • sources of processed data;
  • profile creation and/or automatic decision making, i.e. details of using the stated, their impact in practice;
  • transfer of processed data to a third state or international organisation.

(5) On the basis of the above stated, in case of a request, the operator will provide a duplicate of the processed data to the affected person, in a form that corresponds to the request. On the basis of an individual request, it is possible to request the information to be delivered in an electronic format.

(6) The provider charges an administration fee for every other exemplar 500,-  Ft/page.

(7) The due date of the requested data is 30 days from receiving the request by the Operator.

(8) The right to correct the data: The Affected person can ask the Operator to correct the data by the Operator of the processed incorrect data, regarding the affected person.

(9) The right to erase the data: If any of the bellow-mentioned reasons arise, the Provider will erase any data regarding the affected person, on the basis of the request of the affected person, in the shortest possible time, no later than 5 days:

  • the data was processed without authorisation (without legal authorisation or personal consent);
  • the processing of data is unnecessary due to the completion of the original aim;
  • the affected person withdraws their consent to process the data and the Operator does not have another legal basis for the rocessing of data;
  • the collection of the given data was realized in context with the offer of services regarding the informational company;
  • the personal data has to be erased due to realisation of legal rights of the Operator.

(10)  The Provider cannot perform the eradication of data, if the processing of data is further needed to the points stated below:

  • further processing of data is needed to fulfil the duties of the Operator based on legal regulations;
  • is necessary due to the fulfilment of the right to expres an opinion and right to be informed;
  • it is in the interest of the public;
  • from archival, scientific, statistic reasons, or due to realising research;
  • for the application of legal rights or the protection of rights.

(11)  The right to limit the processing of data: If any of the bellow mentioned reasons arise, the Operator will limit the processing of data on the basis of the request of the affected person:

  • the affected person denies the correctness of their data, in this case the limitation applies to the time period, when a trustworthy verification of accuracy of the questionable data will be performed;
  • the processing of data is not authorised, but at the same time the affected person does not request the eradication of data, just the limitation of their processing;
  • the data is not needed anymore for the processing of data, but the affected person requests their further registration to claim and protect their rights.

(12)  If the Operator implements a limitation on any of the processed data, during the period of limitation, the data is processed only according to the points stated bellow:

  • if the affected person agrees;
  • at a level necessary to apply legal claims and protection;
  • at a level necessary to apply and protect the rights of other persons;
  • at a level necessary to apply public interest. 

(13)  The right to withdraw the consent: The affected person has the right to withdraw their consent given to the Operator in writing. In case of a claim, the Operator will immediately and definitely erase all data that was processed regarding the affected person and other registration that is not prescribed by a legal regulation and are not necessary to rightful claims and protection of rights and rightful interests. The withdrawal does not apply to the right of processing data to the moment of withdrawal.

(14)  The right of data transfer via a data carrier: The affected person has the right to request transfer of their processed data by the Operator to another Operator, in a generally used computer software of a readable format. The Operator will fulfil this request in the shortest possible time, 30 days at the latest.

(15)  Automated decision making and profile creation: The affected person has the right not to be a subject of such a decision that is mainly based on automated processing of data (profile creation), which can lead to legal consequences or can cause other negative impacts. The stated right cannot be applied if:

  • the processing of data is unforgivable due to conclusion or fulfilling a contract between the affected person and the Operator;
  • the affected person specifically agrees with applying of such a procedure;
  • the application is allowed by a legal regulation;
  • is necessary to apply and protect legal requirements.

6. Creating contacts

E-mails arriving during entering contact with the Operator and their content (mainly name and address of the sender, date and attachments) is registered by the Provider for a time period of 5 years and then they are erased.

7. The way of saving and data protection

(1) The provider:

  • archives the processed data at the place of their main office on a paper basis;
  • archives its accountancy regarding the current and former year at the place of the accountant;
  • archives processed data in an electronic form via computers and a server at the place of their main office (2890 Tata, Bercsényi utca 1.).

(2) Data archived at individual data processors of the Provider, which archive the data at the place of their main offices is considered an exception.

(3) The Operator uses an information system that ensures:

  • the consistency of the data to be provable (data integrity);
  • trustworthiness of data (data processing trustworthiness);
  • that the data is accessible to authorised persons (to be accessible);
  • i.e., that the data will be ensured against unauthorised access (data reliability).

(4) The data protection mainly applies to:

  • unauthorised access;
  • changes;
  • transfer;
  • erasure;
  • publication;
  • random damages;
  • random destruction;
  • i.e. impossible access due to the change of applied technology.

(5) The Provider applies solutions, corresponding to the current state and level of technology, towards the interest of protecting electronic processed data. When assessing the adequacy, a lot of emphasis is stressed on the risk that can occur during processing of the data by the Provider. Informational security ensures that the saved data cannot be associated or connected to affected persons (with an exception, if the legal regulations allow this).

(6) The Operator ensures that during the processing of data:

  • the authorised person has unlimited access to their data, according to the need;
  • only authorised people have access to information;
  • the protection of correctness and wholeness of information and way of processing is ensured.

(7) The provider and the connected processors (if any) always ensure protection of their information systems against fraud, espionage, viruses, break-ins, damages, natural catastrophes. The Operator (i.e. the data processor) apply protection procedures at the level of servers and applications.

(8) Messages sent to the Operator – sent in whatever form through the internet, are exposed to a high risk of server dangers that lead to change in information, unauthorised access or other illegal activities. However, the Provider will do everything in their power to prevent any damages that is possible and expected from the actual state of the technology. The applied systems are under constant checks in this interest, so that registration of security deviations can be registered, evidence of a security incident can be accumulated, i.e. so the effectivity of security measures can be analysed.

8. Procedural rules

(1) If the Operator receives whatever request according to article no. 15.-22. GDPR, the Operator informs the affected person in a written form about the measures taken on the basis of the request, in the shortest possible time, 30 days at the latest.

(2) If the complexity or another objective reason of the request justifies this, the stated request can be prolonged once, for a maximum period of 60 days. The operator informs the affected person in a written form about the prolongation, together with an adequate reason for the prolongation period.(

3) The Operator ensures to provide information free of charge, with an exception, if:

  • the affected person requests information/ measures repeatedly and on the basis of unchanged content;
  • the request is obviously not justifiable;
  • the request is extreme.

(4) The Operator has the right to (according to article no.3):

  • reject the request;
  • connect the realisation of the request to an associated, rational fee.

(5)  If the claimant requests to access the data on paper, or on an electronic medium (CD or DVD), the Operator will provide one exemplar of the copies of the requested data, as requested free of charge (with an exception, if the chosen platform would cause disproportionate problems). The Operator charges for every other exemplar an administration fee of 500,- Ft/page/CD/DVD.

(6) The Operator will inform all persons of received data beforehand about any conducted repairs, erasure or limitations (with an exception- if the informing process is not possible or will cause a disproportionate effort).

(7) If the affected person requests, the Operator will announce the transfer of data to third parties.

(8) The Operator sends their reply to a request in an electronic format, with exception, if:

  • the affected person requests a different form and does not cause the Operator disproportionate increase in costs;
  • the Operator does not have electronic contact of the affected person.

9. Damage compensation

(1) If any material or non-material damage is done to an affected person related to the violation of legal regulation regarding the protection of data, this person has the right to request compensation for the damage from the Operator and/or the processor. If the Operator and processor(s) of the data are also affected when violating the law, they are both responsible for the damage.

(2) The processor of the data is responsible for damages only in the case, if they violated those legal rules of data protection that are related to the processor of the data, i.e. if the damage occurred due to failing the orders of the Operator.

(3) The Operator and potential processors of data are responsible only if they cannot provide evidence that they are not responsible for the event, conditions creating this damage.

10. Repair means

(1) If the rights according to the statement of the affected person where violated by the Operator and/or by the processor, the affected person can address the competent court, according to PP. The court will decide out of order in this case.

(2) If the affected person wishes to file a complaint regarding the processing of data, they can do so at the National office for the protection of data and freedom of information (Nemzeti Adatvédelmi és Információszabadság Hatóság), using the following information: address 1055 Budapest, Falk Miksa utca 9-11., postal address : 1363 Budapest, Pf.: p., telephone number: 06-1/391-1400; fax: 06-1/391-1410; e-mail address: ugyfelszolgalat@naih.hu; web page: www.naih.hu. 

11. Co-operation with the authorities

(1) The Operator is obliged to provide the specified personal data to the concerned authorities, if they receive an official formal notice.

(2) The Operator in cases according paragraph no. (1) will only provide data to the authorities that are necessary to meet the aim given by the stated authority.

Place and date: Tata, 01. 07. 2023