Information About Data Management

1. GENERAL PROVISIONS

Shiraz Team Szállodaüzemeltető Kft. (Hotel Operator Ltd.), 1025 Budapest, Verecke u. 4. always provides the lawfulness and expediency of the data handling for the personal data it manages. The purpose of this brochure is to give our guests information about the terms and conditions, the guarantees and the length of time our company handles the data of our booking guests, who give their personal information, from the period before the booking and the giving of their personal information to the time of their departure. Our company complies with everything written in this brochure during any personal data management; we consider such requirements mandatory for ourselves.

However, we reserve the right to change the content of this unilateral legal declaration, in which case we will inform the data subjects in advance. The data management by our company is based on voluntary consent, and in some cases, the data management is necessary to take actions at the request of the data subject prior to the conclusion of the contract.

Our data management practice complies with the applicable laws, in particular:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as „GDPR”).
Act CXII of 2011 on Informational Self-Determination and Freedom of Information („Privacy Act.”).

Our company's data and contact details are as follows:

Name: Shiraz Team Kft.

Head office: 1025 Budapest, Verecke u. 4.

Company registration number: 01-09-927978

Tax number: 14963106-2-41

Phone number: +3636 574 500

E-mail: info@shirazhotel.hu

1.2. DEFINITIONS

data subject: shall mean any natural person directly or indirectly identifiable by reference to specific personal data;

personal data: shall mean data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;

consent:shall mean any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations;

data controller: shall mean the natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or have it executed by a data processor;

data management: shall mean any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);

data transfer: shall mean ensuring access to the data for a specified third party;

disclosure: shall mean ensuring open access to the data;

data deletion: shall mean making data unrecognisable in a way that it can never again be restored;

data processing: shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;

data processor: shall mean any natural or legal person or organisation without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions;

privacy incident: unauthorized management or processing of personal data, including unauthorized access, alteration, transmission, disclosure, deletion or destruction, and any incidental destruction or damage.

We provide the following information about our data management practice.

2. DATA MANAGEMENT RELATED TO ONLINE BOOKING

Our company offers an online booking system so that you can book a room at the Shiraz Hotel quickly, conveniently and cost-free.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: to make booking easier, cost-free and more efficient.

The legal basis for data handling: the prior consent of the person booking the hotel room.

The scope of the managed personal data: greeting; surname and first name; home address (country, postal code, town, street, house number, telephone number, e-mail address; for business companies: company name and registered office, bank card number, SZÉP card data (identification number, cardholder’s name), gender.

The duration of data management: two years after the last day of the stay as booked.

Use of data processor: our company uses an information technology service provider for the online booking system as follows.

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Providing the possibility of online booking through the RESnWEB system

By accepting this information about data management, the data subject gives his express consent to the Data Processor to employ additional data processors to make the service more convenient and customized, as follows:

The further data processor’s name	Registered office	Description of the data processor’s tasks
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	The owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails containing confirmations and notifications in the case of booking, giving of quotations and satisfaction surveys.
Hostware Kft.	1149 Budapest, Róna Street 120-122	Performing the client management tasks when using the Hostware Front Office hotel system.
Triptease Limited	WeWork 3 WaterhouseSquare 138-142 Holborn London EC1N 2SW United Kingdom	Online chat feature that allows the guests to contact the hotel and make their bookings quickly and efficiently.
BIG FISH Internet-technológiai Kft.	1066 Budapest, Nyugati Square 1-2	Providing data communication between the trader and the payment service provider’s system necessary for the payment transactions, ensuring the traceability of the transactions for the trader partners.
OTP Mobil Kft.	1093 Budapest, Közraktár u. 30-32.	Providing data communication between the trader and the payment service provider’s system necessary for the payment transactions, customer service assistance to the users, transaction verification, and fraud-monitoring for the protection of the users.
Barion Payment Zrt.	1117 Budapest, Infopark sétány (promenade) 1, building I.	Providing data communication between the trader and the payment service provider’s system necessary for the payment transactions, customer service assistance to the users, transaction verification, and fraud-monitoring for the protection of the users.
Creative Management Kft.	8200 Veszprém, Boksa Square 1. building “A”	Performing server hosting tasks

The possible consequences of the failure to provide data: No contract is concluded for the hotel room.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Other information related to data management: our company takes all the necessary technical and organizational measures to avoid any possible privacy incidents (e.g. damage or loss of files containing personal data, their becoming available to unauthorized persons). For any potential incident, we keep a record to check the necessary measures and inform the data subject, which includes the scope of the personal data of the data subject, the circle and number of the persons affected by the data protection incident, the date, the circumstances, and the effects of the data protection incident, and the measures taken to remedy it, and other data specified in the law that orders data management.

Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Ltd. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

3. DATA MANAGEMENT RELATED TO A REQUEST FOR QUOTATION

Our company offers the option to our guests to request for a quotation (RFQ) electronically. In the light of the free capacities, our company gives the quotation through an automated system.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: preliminary inquiry about the hotel's prices

The legal basis for data handling: the prior consent of the person booking the hotel room.

The scope of the managed personal data: greeting; surname and first name; telephone number, e-mail address, number of hotel guests, gender.

The duration of data management: two years after the last day of the stay as booked.

Use of data processor: our company uses an information technology service provider for the online RFQ system as follows.

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Operating the request for quotation (RFQ) module

The further data processor’s name	Registered office	Description of the data processor’s tasks
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	The owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails containing confirmations and notifications in the case of booking, giving of quotations and satisfaction surveys.
Creative Management Kft.	8200 Veszprém, Boksa Square 1. building “A”	Performing server hosting tasks

The possible consequences of the failure to provide data: The hotel is unable to give a quotation.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

4. DATA MANAGEMENT CONNECTED TO THE SUBSCRIPTION TO THE NEWSLETTER

Our company keeps in touch with guests, and offers them services, and provides them with news and promotions, connected to the hotel’s operation.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: maintaining contact with the potential hotel guests

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

Indication of a legitimate interest: maintaining and developing business relations with the partners and guests

The scope of the managed personal data: name, e-mail address

The duration of data management: our company handles the e-mail addresses until the data subject unsubscribes from the newsletter.

Use of data processor: our company uses an information technology service provider for the online accommodation system as follows.

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Storing the newsletter-sending database
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Operating the newsletter-sending system

The possible consequences of the failure to provide data: The data subject does not receive newsletters from our company.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

You can unsubscribe from our newsletter at any time by sending a mail to info@shirazhotel.hu or by clicking on the unsubscribe icon in the newsletter. In this case, your email address will be deleted from our database immediately.

Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Kft. and Creative Management Kft. undertake to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

5. MANAGEMENT OF PERSONAL DATA RELATED TO SATISFACTION SURVEYS

As a hotel, we aim to provide our guests with high-quality services, so we constantly ask our guests to give us feedback on their experiences during their stay at our hotel.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: requesting feedback from our hotel’s guests to further develop and improve our services.

The legal basis for data handling: the legitimate interest of the hotel’s operator pursuant to Article 6 (1) f) of the GDPR.

Indication of a legitimate interest: our company has a legitimate interest in receiving information to develop our services based on feedback.

The scope of the managed personal data: name, gender, e-mail address

The duration of data management: two years after the last day of the stay as booked.

Use of data processor: our company uses an information technology service provider for the online accommodation system as follows.

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Operating the Satisfaction Survey Module

The further data processor’s name	Registered office	Description of the data processor’s tasks
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	The owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails containing confirmations and notifications in the case of booking, giving of quotations and satisfaction surveys.

The possible consequences of the failure to provide data: The data subject does not receive any satisfaction survey questionnaire from our company.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

6. COOKIE MANAGEMENT

In order to provide customized service, the Data Controller places a small data packet, a so called cookie, on the user's computer, which he reads during a later visit. If your browser returns a previously saved cookie, the service provider which manages the cookie can link the user's current visit with the previous ones, but only for its own content.

The purpose of data management: identifying and tracking the users and differentiating between them, identifying the user's current work session, storing the data given during the work session, preventing any loss of data, web analytical measurements, and customized service.

The legal basis for data handling: consent of the data subject.

The scope of the managed personal data: ID number, date, time, and the previously visited site.
The duration of data management: maximum 90 days

Data processor’s name	Registered office	Description of the data processor’s tasks
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Website operation

More information about data management: The user can delete the cookie from his own computer or disable the use of cookies in his browser. To manage the cookies, you should usually go to the Tools / Preferences menu, Privacy / History / Custom Settings menu, and find the cookies or tracing.

The possible consequences of the failure to provide data: the user will not be able to use the part of the services detailed in the above paragraphs 2-5.

Our company has concluded a data processing contract for data processing tasks, in which Creative Management Kft.undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

7. THE WEBSITE’S SERVER LOGGING

When visiting the shirazhotel.hu website, the web server automatically logs the user activity.

The purpose of data management: During a visit to the website, the service provider checks the functionality of the services, and records the visitor data to prevent any abuse.

The legal basis for data handling: Article 6 (1) f) of the GDPR. Our company has a legitimate interest in the safe operation of the website.

The type of the managed personal data: ID number, date, time, address of the visited website.

The duration of data management: maximum 90 days

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Recording the visitors’ data and the information necessary for the server’s operation

Data processor’s name	Registered office	Description of the data processor’s tasks
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Website operation

Further information: our company does not link the data collected during the analysis of logs with other information, and does not try to identify the user. The addresses of the visited websites, as well as the date and time data in themselves are not suitable for identifying the data subject, but linked with other data (such as those provided during registration), they are suitable to draw conclusions about the user.

Data management by external service providers connected to logging:

The portal’s html code contains links to an external server that arrive from an external server which is independent of our company. The external service provider’s server is connected directly to the user's computer. Please note that the service providers of such links are able to collect user data (e.g. IP address, browser, operating system details, cursor’s movement, address of the visited site, and time/date of the visit) due to their direct connection to the servers and their direct communication with the user's browser. The IP address is a series of numbers with which the computers and the mobile devices of the users accessing the Internet can be identified clearly.

Using the IP addresses, the visitor using a given computer can be located even geographically. The addresses of the visited websites, as well as the date and time data in themselves are not suitable for identifying the data subject, but linked with other data (such as those provided during registration) they are suitable to draw conclusions about the user.

8. HANDLING THE DATA ON THE REGISTRATION FORM

The hotel asks the guests to fill in a registration form when they arrive, which contains the guest's personal information. The information on the registration form is stored on the hotel’s software and on paper.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: maintaining contact with the guest during his stay, maintaining contact after departure, sending birthday greetings, distinguishing the guests, helping the declaration of the tourist tax, managing the regular guest (loyalty) program, ordered obligation.

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

The scope of the managed personal data: name, e-mail address, phone number, date of birth, address, car registration number, room number, date of arrival and departure, details of accompanying guests, subscription to newsletter, payment method.

The duration of data management: The guest declares on the registration form that he consents to the storage of personal data and the hotel stores such data for 8 years after the approval.

Use of data processor: Fidelio V8 hotel software

Data processor’s name	Registered office	Description of the data processor’s tasks
HRS Magyarország \| Hospitality and Retail Systems	1138 Budapest, Madarász Viktor u. 47-49.	Storing the guests' details

The possible consequences of the failure to provide data: The data subject cannot take his hotel room.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which HRS Magyarország Kft. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

9. MANAGEMENT OF DATA CONNECTED TO THE PURCHASE OF GIFT VOUCHERS

The hotel sells gift vouchers, and stores the details of the customer and the gift’s receiver during the sale.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: maintaining contact with the customer, sending the gift voucher to the customer.

Indication of a legitimate interest: purchase of a gift voucher

The scope of the managed personal data: name, e-mail address, phone number, home address, name of the gift’s recipient, gift voucher’s number,

The duration of data management: two years from the last date of validity of the gift voucher.

Use of data processor: Stored on the hotel’s own server.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining our own server

The possible consequences of the failure to provide data: The data subject is unable buy the gift voucher.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

10. MANAGEMENT OF DATA CONNECTED TO ROOM RESERVATION BY PHONE

The hotel accepts room reservations by phone, but asks the guests to send a written order, as well. The hotel records the rooms booked through the phone in the hotel’s software, along with the booking person’s details.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: recording the room booking

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

The scope of the managed personal data: name, phone number, email address.

The duration of data management: The hotel stores such data for 8 years after the approval.

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
HRS Magyarország \| Hospitality and Retail Systems	1138 Budapest, Madarász Viktor u. 47-49.	Storing the guests' details

The possible consequences of the failure to provide data: The room is not booked.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

11. MANAGEMENT OF DATA CONNECTED TO FOUND OBJECTS

The hotel keeps a register of the items found in the room and in the community spaces after the guests depart.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: recording the found objects, notifying the guests, returning the found objects

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

The scope of the managed personal data: room number, name, description of the found object, date

The duration of data management: the found objects are stored by the hotel for 6 months, so the data connected to them are stored for 6 months from the date they are added to the list. If the object found is received by the owner, the data will be deleted.

Use of data processor: Stored on the hotel’s own server.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining our own server

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

12. MANAGEMENT OF DATA CONNECTED TO CORRESPONDENCE

Keeps in touch with the guests and the inquiring persons through the email addresses used by the data controller.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: maintaining contact with the guests

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

The scope of the managed personal data: name, email address, content of the correspondence.

The duration of data management: 5 years

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Providing online storage space
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintenance of the email software on the workstations

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which Átme-net Kft. + Creative Management Kft. undertake to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

13. DATA MANAGEMENT DURING PAYMENT:

Our guests can pay in cash, by gift vouchers, SZÉP cards, Erzsébet vouchers or by bank cards.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: issuing an invoice for the used service

The legal basis for data handling: voluntary consent of the data subject

The scope of the managed personal data: name on the invoice, address, list of services, total amount, method of payment, invoice date, invoice’s payment date

The duration of data management: 8 years

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
K@H Bank Zrt.	1055 Budapest, Lechner Ödön fasor 9.	In case of payment by bank card, identification number, amount, date

14. ELECTRONIC SURVEILLANCE SYSTEM

Surveillance camera recordings are made in the area of the Shiraz Hotel.

In the hotel’s park, car park, indoor communal areas and commercial spaces, camera recordings are made. Only the properly authorized people are allowed to view and have access to the camera recordings.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: promoting the safety of the guests and staff, to preserve the values, to prove violations, and to clarify any disputed issues.

The legal basis for data handling: voluntary consent of the data subject by entering the area.

The duration of data management: 30 days at the reception and in the business areas, and 3 days outside the above areas.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining the camera system

Our company has concluded a data processing contract for data processing tasks, in which Átme-net Kft. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

15. MANAGEMENT OF DATA CONNECTED TO VOUCHER SALES

Our company offers the option to purchase gift vouchers with pre-booking discount, during which data are stored.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: selling gift vouchers with discount

The duration of data management: two years after the gift voucher’s validity or the last day of the stay.

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Through the RESnWEB system, the guests can buy gift vouchers for a fixed date.
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Operating the sub-site on www.shirazhotel.hu with the option of the discount

The possible consequences of the failure to provide data: no contract is concluded for the gift voucher.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

16. MANAGEMENT OF DATA CONNECTED TO VOUCHER SALES THROUGH AGENT

Our company is in contractual relationship with PK Travel Kft. which sells Maiutazas.hu gift vouchers, which, within the framework of a contract, offers gift vouchers with pre-booking discount for sale. The guests’ details are provided for the hotel by PK Travel Kft.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: identifying the guests who buy gift vouchers with discount.

The legal basis for data handling: consent of the person who books the gift vouchers

The scope of the managed personal data: greeting; surname and first name; home address (country, postal code, town, street, house number, telephone number, e-mail address; for business companies: company’s name and registered office, gender, voucher’s number.

The duration of data management: 5 years

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
PK Travel Kft.	1055 Budapest, Stollár Béla u. 22.	sells gift vouchers on Maiutazas.hu

The possible consequences of the failure to provide data: no contract is concluded for the gift voucher.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which PK Travel Kft. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

17. MANAGEMENT OF DATA CONNECTED TO GROUP BOOKINGS AND CORPORATE EVENTS

Shiraz Hotel also provides group booking and event organization, and stores the personal data connected to them.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: booking for groups and/or organization of events, identifying the guests, holding events

The legal basis for data handling: the prior consent of the person who makes the group booking and/ or reserves the event

The scope of the managed personal data: For companies: company name, tax number and registered office, name, phone number, email address of the booking person, name and date of birth of the participants, registration numbers of their cars, the list of the services in the confirmation and in the offer

The duration of data management: 5 years of the last day of the stay as booked

Use of data processor: It is recorded on the hotel’s own server.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining our own server

The possible consequences of the failure to provide data: no contract is concluded for the event and/or group booking.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

18. MANAGEMENT OF DATA CONNECTED TO PICTURES AND VIDEOS

Shiraz Hotel takes photos and makes videos for marketing purposes.

The data controller of the personal data: Shiraz Team Kft., 1025 Budapest, Verecke u. 4

The purpose of data management: assisting in the sales of the hotel, increasing the potential guests’ desire to stay in the hotel.

The legal basis for data handling: the prior consent of the data subject.

The scope of the managed personal data: photos, videos and sound recordings made of the guests, staff and models.

The duration of data management: 100 years

Use of data processor: It is recorded on the hotel’s own server.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining our own server

The possible consequences of the failure to provide data: the recordings cannot be made.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

19. OTHER DATA MANAGEMENT

Information about data management not listed in this brochure is provided when the data is recorded. We inform our customers that some authorities, public service bodies, and courts can contact our company for the purpose of requesting personal information. After the body concerned has indicated the exact purpose and scope of the data, our company discloses personal data to such bodies only to the extent that is absolutely necessary for the purpose of the request and if such a disclosure is required by law.

20. THE MODE OF STORING PERSONAL DATA AND THE SECURITY OF DATA MANAGEMENT

Our company’s IT systems and other data storage places are located on the premises and on the servers rented by the data processor. Our company chooses and operates the IT tools used to manage the personal data during the provision of the services so that the managed data:

a) is accessible to the authorized person (availability);

b) its authenticity and verification can be provided (authenticity of data management);

c) its unchanged condition can be verified (data integrity);

d) is protected against unauthorized access (confidentiality of data).

We pay particular attention to the security of the data; we take the technical and organizational measures and develop procedural rules which are necessary to provide the guarantees as per the GDPR. The data are protected by appropriate measures, particularly against unauthorized access, alteration, forwarding, disclosure, deletion or destruction, as well as against inaccessibility caused by accidental destruction, damage, and any change in the used technique.

The IT system and network of our company and of our partners are protected against computer-aided fraud, computer viruses, computer burglaries, and attacks leading to denial of service. The operator provides the security through server-level and application-level security procedures. The daily data backup is solved. In order to avoid any privacy incident, our company takes every possible precaution; if such an incident occurs, we take immediate measures to minimize the risks and reduce the damage – accordance with our incident management policy

21. THE RIGHTS OF THE DATA SUBJECTS, OPTIONS FOR LEGAL REMEDIES

The data subject may request information about the management of his personal data, and he may request the correction of his personal data or, with the exception of mandatory data management, their erasure, revocation, and may exercise his right to portability of data or right to object, in the manner indicated at the data recording or on the above contact details of the data controller.

At the request of the data subject, we provide the information in electronic format without delay, but no later than within 30 days, in accordance with our applicable regulations. We meet the requests of the data subjects for the protection of the below rights free of charge.

The World of Shiraz

Our room types

Gastronomy

Wellness & SPA

Experiences

Events

Information About Data Management

Wellness relaxation

Events

Follow us