PRIVACY POLICY

Tata and its Surroundings Tourist Association

 

1. Purpose and scope of the Notice

(1) The purpose of this data management information sheet (hereinafter: "Information") is to define the legal order for the use of records / databases maintained by the Tata és Környéke Turistzki Egyesület (hereinafter: "Data Controller"), and to ensure the constitutional principles of data protection, the information the enforcement of the right to self-determination and the requirements of data security, and that everyone can dispose of their personal data within the framework of the legal regulations, learn about the circumstances of their management, and prevent unauthorized access, changes and unauthorized disclosure of data. Furthermore, this Information Sheet serves as information for those concerned to present the data management practices of the Data Controller.

(2) The scope of the Notice covers the handling of personal and special data at all organizational units of the Data Controller.

2. Governing laws

Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and on the repeal of Regulation 95/46/EC (general data protection regulation; hereinafter: "GDPR")

  • CXII of 2011. Act on the right to informational self-determination and freedom of information (hereinafter: "Infotv")

  • Act V of 2013 on the Civil Code (hereinafter: "Civil Code")

  • CXXX of 2016. Act on Civil Procedure (hereinafter: "Pp.")

3. Data of the Data Controller

The current data of the Data Controller are as follows:

Name: Tata and its Surroundings Tourist Association
Headquarters: H-2890 Tata, Bercsényi utca 1.
Court Record Number: 11-02-0001768
Tax number: 18140022-2-11
Registry court: Tatabánya Court
Phone number: +36 34 588-633
Email address: tdmtata@visittata.com

4. The scope of personal data managed, the purpose, duration and legal title of data management

(1) The Data Controller performs its data processing based on the voluntary consent of the data subjects or on the basis of legal authorization. In the case of voluntary consent, the data subject may at any time request information on the scope of the processed data and the manner in which it is used, and may also withdraw his consent, except in specific cases in which the data processing continues based on a legal obligation (in such cases, the Data Controller shall provide the data subject with information on the further processing of the data).

(2) Data informants are obliged to provide all provided data accurately to the best of their knowledge.

(3) If the informant does not provide his own personal data, the informant is obliged to obtain the consent of the data subject.

(4) If the Data Controller forwards the data to data processors or other third parties, the Data Controller keeps a record of them. The record of data transmission must include the recipient, the method, the date of the data transmission, as well as the scope of the data transmitted.

(5) Data management related to certain activities of the Data Controller:

a.Guest inquiries, ordering tourist publications
Legal basis for data management: consent of the data subject
Scope of processed data: name, e-mail address, telephone number, residential address / mailing address
Purpose of data management: provision of information
Data transmission: none
Legal basis for data transmission: not relevant
Data processors: not relevant
Data deletion deadline: 6 months
Possible consequence of the lack of data communication: service failure

b.Request for offers on tourist services and program options
Legal basis for data management: consent of the data subject
Scope of processed data: name, e-mail address, telephone number, residential address
The purpose of data management: providing an offer
Data transmission: none
Legal basis for data transmission: not relevant
Data processors: not relevant
Data deletion deadline: 6 months
Possible consequence of the lack of data communication: service failure

c. Accommodation request (via website)
Legal basis for data management: consent of the data subject
Scope of processed data: name, e-mail address, telephone number, residential address, expected time of arrival, expected length of stay, number of people traveling together, number and age of children traveling together
The purpose of data management: providing an offer
Data transmission: via an IT system
Legal basis for data transfer: contractual obligation
Data processors: sales / front office staff of accommodation facilities, Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
Data deletion deadline: 6 months
Possible consequence of the lack of data communication: service failure

d. Webshop purchase (via website)
Legal basis for data management: contractual obligation
Scope of processed data: name, e-mail address, telephone number, residential address / mailing address
Purpose of data management: delivery of ordered products
Data transmission: via an IT system
Legal basis for data transmission: contractual obligation
Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

e. Newsletter subscription (via website)
Legal basis for data management: consent of the data subject
Scope of processed data: name, e-mail address
Purpose of data management: information service
Data transmission: via an IT system
Legal basis for data transmission: contractual obligation
Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
Data deletion deadline: within 24 hours after the data subject withdraws his consent
Possible consequence of the lack of data communication: service failure

f. Website user registration (www.visittata.com, www.dunamente-card.com, www.podunajsko-card.com)
Legal basis for data management: consent of the data subject
Scope of processed data: name, e-mail address, surname / first name, company name, country, address, telephone number, mobile phone number, fax number, language
Purpose of data management: personalized use of the website
Data transmission: via an IT system
Legal basis for data transmission: contractual obligation
Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
Data deletion deadline: within 24 hours after the data subject withdraws his consent
Possible consequence of the lack of data communication: service failure

g. Logging of the website of the Data Controller (www.visittata.com, www.dunamente-card.com, www.podunajsko-card.com)
Legal basis for data management: consent of the data subject
Scope of managed data: anonymized IP address
Purpose of data management: creating statistics
Data transfer: Google, IT system
Legal basis for data transmission: consent of the data subject, contractual obligation
Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
Data deletion deadline: -
Possible consequence of the lack of data communication: not relevant

h. Logging of the use of the audio guide application (Guide@Hand Tata / Guide@Hand Dunamente tourist area).
Legal basis for data management: consent of the data subject
Scope of managed data: anonymized IP address, type of mobile device used, downloaded walk / POI
Purpose of data management: statistical preparation
Data transmission: App Stores, Tata TE, SZTAKI
Legal basis for data transmission: consent of the data subject
Data processors: Paksiné Czirkó Enikő office manager Tata TE, SZTAKI
Data deletion deadline: -
Possible consequence of the lack of data communication: not relevant

i. Tourist card (Dunamente / Podunajsko Card) registration
Legal basis for data management: contractual obligation
Scope of processed data: name, address, date of birth (year), e-mail address, phone number, start and end of stay at the accommodation
The purpose of data management is to ensure the use of the discount card system
Data transmission: via the CityPay system (Chrome-Soft Kft.)
Legal basis for data transmission: contractual obligation
Data processors: front office staff of affiliated hotels / Dunamente Card Call Center Tata TE / Chrome-Soft Kft.
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

j. SOrdering leisure services (free play, guided tours)
Legal basis for data management: contractual obligation
Scope of processed data: name, address, e-mail address, telephone number
Purpose of data management: provision of leisure services
Data transmission: Kuny Domokos Museum Tata (in the case of the game Legend of the Castle Prison), Tatai Városgazda Nonprofit Kft.
Legal basis for data transmission: contractual obligation
Data processors: Paksiné Czirkó Enikő office manager Tata TE
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

k. Primary market research (with paper-based and online questionnaires)
Legal basis for data management: consent of the data subject
Scope of processed data: name, e-mail address
Purpose of data management: information about the results of the survey, participation in a prize draw
Data transmission: none
Legal basis for data transmission: not relevant
Data processors: Paksiné Czirkó Enikő office manager Tata TE
Data deletion deadline: end of research program
Possible consequence of the lack of data communication: not relevant

l. Advertisement recording (Superinfo)
Legal basis for data management: contractual obligation
Scope of processed data: name, address, telephone number, product offered for advertisement, real estate / chattel / service data
Purpose of data management: publication of advertisement
Data transmission: Szuperinfó Media Kft.
Legal basis for data transmission: contractual obligation
Data processors: Paksiné Czirkó Enikő office manager Tata TE, Szuperinfó Média Kft.
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

m. Complaint handling
Legal basis for data management: consent of the data subject
Scope of processed data: name, e-mail address, telephone number, residential address
Purpose of data management: complaint management
Data transmission: none
Legal basis for data transmission: not relevant
Data processors: not relevant
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

n. Managing the product list of private suppliers (gift items, local products).
Legal basis for data management: legal obligation
Scope of processed data: name, address, e-mail address, telephone number, mobile phone number, tax number
Purpose of data management: sale of souvenirs and local products
Data transmission: János Hlogyik e.v. booking
Legal basis for data transmission: fulfillment of contractual obligations, legal obligation
Data processors: Paksiné Czirkó Enikő office manager Tata TE, János Hlogyik e.v. booking
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

o.Publication of private accommodation provider data on the website (www.visittata.com)
Legal basis for data management: association membership
Scope of processed data: name, name of accommodation, address, e-mail address, telephone number, mobile phone number, website, tax number
Purpose of data management: accommodation advertising service
Data transmission: via an IT system
Legal basis for data transmission: association membership
Data processors: Paksiné Czirkó Enikő office manager Tata TE, Chrome-Soft Kft.
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

p. Data controller's employment contracts
Legal basis for data management: legal obligation
Scope of processed data: name, mother's name, residential address, place/time of birth, TAJ number, tax number, account holder bank and bank account number, pension fund
Purpose of data management: salary and contribution payment
Data transmission: János Hlogyik e.v. booking
Legal basis for data transmission: fulfillment of contractual obligations
Data processors: Paksiné Czirkó Enikő office manager Tata TE, János Hlogyik e.v. booking
Data deletion deadline: 1 year after the termination of the contract
Possible consequence of the lack of data communication: failure to pay wages and contributions

q. Tata Card application
Legal basis for data management: contractual obligation
Scope of processed data: name, address, mother's name, place of birth, date of birth, telephone number
Purpose of data management: Tata card application or extension
Data transmission: Sárkány Informatikai Zrt.
Legal basis for data transmission: contractual obligation
Data processors: Paksiné Czirkó Enikő office manager Tata TE
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

r. Sales of KombiBike bicycle rental system cards
Legal basis for data management: contractual obligation
Scope of processed data: academic degree, surname and first name, permanent address, mother's name, place of birth, date of birth, telephone number, number and type of personal identification document, e-mail address, applicant's details
Purpose of data management: purchase of a KombiBike card
Data transfer: Pons Danubii limited liability European Territorial Cooperation Group
Legal basis for data transmission: contractual obligation
Data processors: Enikő Paksiné Czirkó office manager Tata TE, Pons Danubii European Territorial Cooperation Group with limited liability
Data deletion deadline: 5 years
Possible consequence of the lack of data communication: service failure

5. Rights of the affected parties, legal remedies

(1) At any time, the data subjects may request information in writing from the Data Controller about the way their personal data is managed, indicate their request for deletion or modification, and withdraw their previously given consent at the contact details provided in point 3.

(2) The data subject may not exercise his right to deletion in the case of data management as required by law.

(3) Content of the right to information: Based on the data subject's request, the Data Controller shall provide the data subject with the information listed in Articles 13 and 14 of the GDPR regarding the processing of personal data, as well as Articles 15-22. and provides the information in accordance with Article 34 in a concise, understandable form.

(4)  Content of the right to access: Upon request of the data subject, the Data Controller provides information on whether data processing is ongoing for the Data Controller. If the Data Controller is processing the applicant's data, the data subject is entitled to access with regard to the following:

a. The relevant personal data;
b. purpose(s) of data management;
c. categories of personal data concerned;
d. the persons to whom the data subject's data has been disclosed or will be disclosed;
e. the duration of data storage;
f. the right to correction, deletion, and restriction of data processing;
g. the right to appeal to the court or supervisory authority;
h. the source of the processed data;
i. profiling and/or automated decision-making, as well as the details and practical effects of such application;
j. transfer of processed data to a third country or international organization.

(5) In the event of a data request according to the above, the Data Controller shall issue to the data subject a copy of the data processed by him corresponding to the request. Upon separate request, it is possible to request electronic delivery from the Data Controller.

(6) The data controller requests an administration fee of HUF 500 per page for each additional copy.

(7) The deadline for issuing the requested data is 30 days from the receipt of the request.

(8) Right to rectification: The data subject may request the rectification of inaccurate data concerning him/her managed by the Data Controller.

(9) Right to erasure: If any of the following reasons exist, the Data Controller will delete the data concerning the data subject as soon as possible, but no later than within 5 working days, at the request of the data subject:

a.The data was processed illegally (without legal authorization or personal consent);
b. the processing of the data is not necessary to achieve the original purpose;
c. the data subject withdraws his consent to the data management, and the Data Controller has no other legal basis for the data management;
d. the data in question was collected in connection with the offering of services related to the information society;
e. personal data must be deleted to fulfill the legal obligations of the Data Controller.

(10) It is not possible for the Data Controller to delete the data if the data management is still necessary for any of the following:

a. Further data management is necessary to comply with the legal requirements applicable to the Data Controller;
b. it is necessary for the purpose of exercising the right to express an opinion and obtain information;
c. in the public interest;
d. for archival, scientific, research or statistical purposes;
e. to assert or defend legal claims.

(11) The right to limit data processing: If any of the following reasons exist, the Data Controller will limit data processing at the request of the data subject:

a. The data subject disputes the accuracy of the data concerning him, in which case the restriction applies to the time until the review of the accuracy and correctness of the data in question takes place;
b. the data management is illegal, but at the same time the data subject requests not to delete it, but only requests the limitation of data management;
c. the data is no longer needed for data management, but the data subject requests their further storage to assert or defend their legal claims;

(12) If the Data Controller introduces a restriction on any processed data, during the period of the restriction, it will only process the relevant data if and to the extent that:

a.The data subject consents to this;
b. necessary to assert or defend legal claims;
c. necessary to enforce or protect the rights of another person;
d. necessary to assert public interest.

(13) Right to withdraw: The data subject has the right to withdraw the consent given to the Data Controller - in writing - at any time. In the event of such a request, the Data Controller shall immediately and permanently delete all data that it has processed in relation to the data subject, and the further storage of which is not required by law, or is not necessary for the enforcement or protection of rights related to legitimate interests. The legality of the data management up to the withdrawal of the consent is not affected by the withdrawal.

(14)  The right to data portability: The data subject has the right to request that the data controller transmits the data concerning him in a commonly used format readable by computer software to another data controller. The Data Controller fulfills the request as soon as possible, but within 30 days at the latest.

(15) Automated decision-making and profiling: The data subject has the right not to be the subject of a decision based solely on automated data management (e.g. profiling) that would have a legal effect on him or otherwise adversely affect him. This right is not applicable if:

a. data management is essential for the purpose of concluding or fulfilling the contract between the data subject and the Data Controller;
b. the data subject expressly consents to the application of such a procedure;
c. its use is permitted by law;
d. necessary to enforce or protect legal claims.

6. Contact

The e-mail received during contact with the Data Controller and its content (especially the sender's name, address, date, attachments) are stored by the Data Controller for 5 years and then deleted.

7. Method of data storage and provision

(1) The data controller shall:

  • archived on paper at its headquarters;

  • accounting for the current year and the year before the current year with the accountant,

  • accounting materials for years prior to the current year at its registered office;

  • it is kept in electronic form on computers and servers located in its office (2890 Tata, Bercsényi u. 1.).

(2) An exception to point (1) is the data stored by the data processors of the Data Controller, whose storage location is located at the headquarters of the data processors.

(3) For its operation, the data controller uses an IT system that ensures that the data:

a. its immutability can be verified (data integrity);
b. its authenticity must be ensured (authenticity of data management);
c. be accessible to those entitled to it (availability);
d. and to be protected against unauthorized access (data confidentiality).

(4) Data protection covers in particular:

a. for unauthorized access;
b. to change;
c. to transmit;
d. to delete;
e. for disclosure;
f. for accidental damage;
g. for accidental destruction;
h. and to inaccessibility resulting from a change in the technology used.

(5) In order to protect electronically managed data, the data controller uses a solution that provides an appropriate level of security according to the current state of the art. During the examination of compliance, particular emphasis is placed on the degree of risk arising during data processing by the Data Controller. IT protection ensures that the stored data cannot be directly assigned or connected to the data subjects (unless permitted by law).

(6) The Data Controller ensures during its data management that:

a.the right holder can access the data when they need it;
b. only the husband has access to the information, who is entitled to it;
c. the accuracy and completeness of the information and the method of processing must be protected.

(7) The Data Controller and its data processors, if any, provide protection against fraud, espionage, viruses, break-ins, vandalism, and natural disasters against their IT systems at all times. The data manager (or the data processor) uses server-level and application-level protection procedures.

(8) Messages sent to the Data Controller via the Internet - in any form - are highly exposed to network threats that lead to the modification of information, unauthorized access, or other illegal activities. At the same time, the Data Controller does everything that can reasonably be done and is expected of it according to the state of the art at the time. To this end, the systems used are monitored in order to record security deviations, to obtain evidence of a security incident, and to examine the effectiveness of precautions.

 

8. Procedural rules

(1) If GDPR 15-22. article, the data controller shall inform the data subject in writing as quickly as possible, but no later than within 30 days, of the measures taken based on the request. 

(2) If the complexity of the application or other objective circumstances justify it, the above deadline can be extended once, for a maximum of 60 days. The Data Controller shall notify the data subject in writing of the extension of the deadline, together with the appropriate justification for the extension.

(3) The data controller provides the information free of charge, unless:

a. the data subject repeatedly requests information/measures for essentially unchanged content;
b. the request is clearly unfounded;
c. the request is excessive.

(4) In cases according to point (3), the Data Controller is entitled to:

a.deny the request;
b. to bind the fulfillment of the request to the payment of a reasonable fee related to it.

(5) If the applicant requests the transfer of data on paper or electronic media (CD or DVD), the Data Controller will transfer a copy of the relevant data free of charge in the manner requested (unless the chosen platform would be technically disproportionately difficult) . An administration fee of HUF 500 per page/CD-DVD is charged for each additional requested copy.

(6)  The data controller shall notify all persons to whom the relevant data were previously disclosed of the correction, deletion, or restriction carried out by it, unless the disclosure is impossible or requires a disproportionately large effort. 

(7) If requested by the data subject, the Data Controller will provide information to which persons their data has been forwarded.

(8) The data controller shall respond to the request in electronic form, unless:

a.the data subject specifically requests the answer in a different way, and it does not cause unreasonably high additional expenses for the Data Controller;
b. The Data Controller does not know the electronic contact information of the data subject.

9. Compensation

(1) If any data subject suffers material or non-material damage as a result of the violation of data protection legislation, he is entitled to demand compensation from the Data Controller and/or the data processor. If the Data Controller and data processor(s) are also involved in the infringement, they are jointly and severally liable for the resulting damage.

(2) The data processor is only responsible for the damages incurred if it has violated the provisions of the relevant data protection legislation specifically formulated for data processors, or if the damage occurred due to disregarding the instructions of the Data Controller.

(3) The Data Controller and any data processors are only liable if they cannot prove that they are not responsible for the event or circumstance that caused the damage.

10. Remedy

(1) If, according to the data subject's point of view, his rights have been violated by the Data Controller and/or the Data Processors, he is entitled to Pp. to apply to a court with jurisdiction and authority. The court acts out of sequence in the case.

(2) If the data subject wishes to file a complaint regarding data management, he may do so at the National Data Protection and Freedom of Information Authority, at the following contact details: headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.; mailing address: 1530 Budapest, Pf.: 5. Telephone: 06-1/391-1400; fax: 06-1/391-1410; e-mail address: ugyfelszolgalat@naih.hu; website: www.naih.hu.

11. Authority cooperation

(1) If the Data Controller receives an official request from the authorized authorities, it will obligatorily hand over the specified personal data.

(2) The Data Controller only provides data in the cases referred to in point (1) that are absolutely necessary to achieve the goal indicated by the requesting authority.

 

Dated: Tata, 01.07.2023.