Privacy Policy

1. Introduction

The Normafa Hotel (hereinafter: ‘Hotel’) offers restaurant and event services as well as accommodation facilities and adult education services. The Hotel is operated by Normawood Kft. (see Section 1), which in the course of its business and operations establishes business relations with natural persons, legal entities and unincorporated organisations and their representatives (hereinafter: ‘Client’ or ‘Principal’) and provides services to natural persons (hereinafter: ‘Guest’). If the Guest orders a service for themselves (e.g. dining, accommodation), they are also a Client/Principal. The protection of the personal data of our Clients/Principals and Guests is important to us, therefore this Privacy Notice describes what personal data we process in the course of our business, how long, for what purposes and on what legal ground, as well as the organisational and technical measures we implement in order to protect the personal data.

Definitions relating to the processing and protection of personal data: (a) the subject of the personal data (in this case, the natural person Customer/Principal or Guest) is the Data Subject, (b) any information that relates to or may pertain to the Data Subject is Personal Data, (c) any operation (collection, recording, storage, processing, disclosure, transmission, consultation, access, consultation, publication, etc.) which is performed upon the personal data is Processing, (d) the decision maker in relation to the purposes and means of the processing is the Controller, (e) those who are not part of the controller but who are involved in processing operations on the basis of a written agreement, are the processors, (f) a person other than the data subject, the controller and the processor is referred to as a third party. These terms are used in the present Privacy Notice.

The Privacy Notice also describes the data protection rights of natural persons (Data Subjects) when using our services.

This Privacy Notice applies together with the effective General Contracting Terms and Conditions.

Information about the processing of personal data of natural persons, who are in an employment relationship with Normawood Kft., is contained in a separate Privacy Notice.

2. Details of the controller

Controller: Normawood Kft. (hereinafter: ‘Controller’ or ‘Hotel’ or ‘Normawood Kft.’
Registered office: 1121 Budapest, Eötvös út 52-54
Company reg. no.: 01-09-880180
Tax number: 10437340-2-43
Adult education institution reg. no.: B/2021/002407
Phone number: +36 1 395 6505
Data Protection Officer: IDBC Creative Solutions Kft.

3. Main legislation taken into account in the processing

  • the Regulation of the European Parliament and of the Council (EU) 2016/679 (27 April 2016) on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (hereinafter: ‘GDPR’ or ‘General Data Protection Regulation’)
  • Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter: ‘Freedom of Information Act’).
  • Act V of 2013 on the Civil Code (hereinafter: ‘Civil Code’)
  • Act CXXXIII of 2005 on the Rules of Security Services and the Activities of Private Investigators (hereinafter: ‘Security Services Act’)
  • Act CVIII of 2001 on Certain Aspects of Electronic Commerce and Information Society Services (hereinafter: ‘E-commerce Act’)
  • Act CXXVII of 2007 on Value Added Tax (hereinafter: ‘VAT Act’)
  • Act C of 2000 on Accounting (hereinafter: ‘Accounting Act’)
  • Act CLV of 1997 on Consumer Protection (hereinafter: ‘Consumer Protection Act’)
  • Act LXXVII of 2013 on Adult Education (hereinafter: ‘Adult Education Act’)
  • Government decree no. 11/2020 (II.7.) on the execution of the Adult Education Act (hereinafter: ‘Adult Education Act Execution Decree’)

4. Processing activities

4.1 Processing related to the calls for proposals

The Client requests a written proposal for the Hotel’s services, to which the Hotel responds in writing within 72 hours at the latest.
Processed personal data
Purpose of the processing
the name, e-mail address, phone number of the Client requesting the proposal, other data provided in the call for proposal (e.g. address, content of the requested service, date and time)
proposal management (preparation and sending of the proposal, etc.)

Legal ground of the processing: Article 6 (1) b) of the GDPR – preparation of the contract Term of processing: if no order is placed after the call for proposal, the data are erased 14 days after the date of the proposal, in all other cases, pursuant to Section 6:22 of the Civil Code, personal data are stored for 5 years from the date of performance of the contract.

4.2 Processing related to ordering and contracting

The ordering and contracting of services provided by Normawood Kft. (e.g. provision of event venue, catering, engineering and technical planning, organisation, lending of equipment relating 4 to events, accommodation, adult education) is usually conducted in writing in accordance with specific formal and content requirements (see: General Contracting Terms and Conditions). The ordering accommodation services by electronic mail (e-mail), by telephone, on the website of the Controller or through online booking websites also constitutes the conclusion of a contract (see: Chapter 4.2 of the General Contracting Terms and Conditions). Further detailed information on the services and their use can be found in the General Contracting Terms and Conditions.This Section also applies to data processing in the case of contracts for the provision of services necessary for the operation of Normawood Kft. (building maintenance works, orders for raw materials, accounting, website development and operation, hosting rental, etc.); in these cases, however, the scope of the personal data processed is narrower than in the following table and only covers personal data that are indispensable for the services contractually required for the operation of Normawood Kft.

Processed personal data
Purpose of the processing
Name, (billing) address, e-mail address, phone number, delivery address of the Principal/contracting Client/Guest details of the ordered service (e.g. accommodation, food, duration, quantity, selected language of the hotel telephone and television interface, fact of check-in and check-out, date, time and duration of outgoing payable calls made via hotel telephone system, called number, amount of fees etc.), contents of the statement of consent related to the services provided and events managed by the Controller.
contracting, fulfilment of the order and the tasks, services provided for in the contract

In case the order is received via the booking site booking.com, then Booking.com B.V. (registered office: Oosterdokskade 163, 1011 DL, Netherlands, company registration number: 31047344, EU VAT number: NL805734958B01) as an independent controller forwards the following personal data to Normawood Kft. as an independent controller: name, payment data, names of the people accompanying the Data Subject, any other information or preferences specified by the Data Subject in the course of making the trip reservation.

In case the order is received via the booking site szallas.hu, then Szallas.hu Zrt. (registered office: 3525 Miskolc, Régiposta utca 9., company registration number: 05-10-000622, VAT number: 26721761-2-05) as an independent controller forwards the following personal data to Normawood Kft. as an independent controller: name, e-mail address, telephone, address, details of the reservation, information set out in the comments field, in case of customer service administration, a description of the case, its details.

In case the order is received via the booking site hrs.com/hrs.de/hrs.cn, then HRS GmbH (registered office: Breslauer Platz 4, 50668 Köln, Germany, company registration number: HRB 90154, VAT number: DE 252323088) as an independent controller forwards the following personal data to Normawood Kft. as an independent controller: name, payment details, any other information specified by the Data Subject in the course of making the trip reservation, names of the people accompanying the Data Subject.

In the case of online booking, Normawood Kft. may not receive the data necessary for the performance of the contract directly from the Data Subject, but through the booking site. The booking sites referred to above are not data processors used by Normawood Kft. but act as 5 independent data controllers under their own responsibility. The personal data that they transmit to Normawood Kft. for invoicing and payment, contact, consumer protection and claims purposes in addition to the present purpose (ordering and contracting) are described in the relevant sections of this Privacy Policy (sections Hiba! A hivatkozási forrás nem található.., 4.5., Hiba! A hivatkozási forrás nem található.. and Hiba! A hivatkozási forrás nem található..).

The legal ground for the processing by Normawood Kft. if the Data Subject is a contracting party: Article 6 (1) b) of the GDPR – contract performance. The legal ground for the processing by Normawood Kft. if the Data Subject is not a contracting party: Article 6 (1) f) of the GDPR – Normawood Kft.’s legitimate interest in the performance of the order and contract. For the processing of data relating to the communication related to the preparation (proposal) and performance of the contract see Section4.5. Term of processing by Normawood Kft.: Pursuant to Section 6:22 of the Civil Code, 5 years from the date of performance of the contract, and pursuant to Section 169 (2) of the Accounting Act, 8 years from the date of performance of the contract if the contract is considered an accounting record.

The processing related to contracts concluded by Normawood Kft. includes the tax number and the company registration number/registration number of the legal person (including a private entrepreneur) or unincorporated entity, which are not considered personal data, with the tax identification number of natural persons, however, considered as such. The tax identification number of a natural person is only included in the service contract if the Data Subject explicitly requests it (in writing). Additional identifiers (e.g. application number) are only included in the contract in cases expressly requested (in writing) in advance.

Information about contributors involved in the performance of contract (e.g. booking system available on the website of the Controller, hotel telephony system, smart television system, administration system) and the processing of data relating to contribution is set out in Section 6. The present section does not apply to the education services (Normawood Academy trainings) provided by Normawood Kft. (see Section Hiba! A hivatkozási forrás nem található.).

4. 3 Processing related to adult education

Normawood Kft. shall enter into an adult education agreement in writing with the participant of the adult education (hereinafter in the present Section: Client) irrespective whether the participation in the training is initiated by the Client or by any other third party individual or entity with or without legal personality (Principal), and irrespective whether the training fee is paid by the Client or by any other third party individual or entity with or without legal personality (cost bearer). Since the trainings provided by Normawood Academy cannot be attended within the framework of closed system distance learning, the adult education agreement shall not be entered into by electronic means (e.g. in e-mail). At the request of the Client, Normawood Kft. issues a certificate to certify the completion of the training. Information on the processing related to the payment of the training fee is set out in Section Hiba! Information on the data forwarding related to the adult education service (including the application for educational identification code and the issuance of the certificate).

Processed personal data
Purpose of processing
natural identification data of the Client participating in the training (name, place and date of birth, mother’s name), name of the training and number of lessons, projected date of commencement and end of the training (year, month, day), time schedule of progress broken down by content units, indication of the document that can be obtained by completing the training, means of monitoring and evaluating the performance provided during the training, extent of permitted absence and the consequences of exceedance applicable to the Client, amount of the fee of training and method of payment, consequences of breach of the agreement between the Client and Normawood Kft.
execution, performance, suspension, and termination of adult education agreement
natural identification data of the Client participating in the training (name, place and date of birth, mother’s name), educational identification code, e-mail address, highest completed level of education and trainings, qualification and vocational qualification, foreign language skills, date of commencement and end of training, assessment/qualification during training, data related to payment obligation and training loan (amount, due date, details of cost bearer)
conducting adult education (including the application for educational identification code for a Client who does not have an educational identification code)
serial number of certificate, name and registration number of Normawood Kft., family and given name of the Client, birth family and given name, place and date of birth, mother’s birth family and given name, name and date of the training, number of lessons, an indication that the certificate does not certify qualification or vocational qualification, and that the certificate does not entitle the holder to be employed in specific positions, but it may entitle the holder to pursue specific activities in cases specified by the law, place and date of issuance of the certificate, name and position of the person issuing the certificate
issuance and management of certificate at the request of the Client
attendance sheet drawn up on each contact lesson and signed by the Client, documents supporting the professional training and inspection by electronic means
enabling the adult education supervisory authority to exercise its inspection powers
personal data of the Client required for conducting the adult education, original documents or copies thereof certified by Normawood Kft. to support the conditions required for commencement of, and participation in, the education and training, documents to support the input competence measurement and preliminary competence measurement
enabling the adult education supervisory authority to exercise its inspection powers

Legal ground of the processing: Article 6 (1) c) of GDPR– compliance with legal obligation under Articles 11(1), 12/A-13/B, 16 and 21 of the Adult Education Act, as well as Articles 21 and 26 of the Adult Education Act Execution Decree Duration of processing: until the last day of the 8th year of the conclusion of the adult education agreement

4.4 Processing related to invoicing and electronic payment

Processed personal data
Purpose of processing
the name and billing address of the Client/Guest, name, quantity, amount of service, in case of electronic payment, electronic payment information (e.g. bank or credit card details, name of payment service provider, transaction ID), other identifiers requested by the Principal/Client/Guest or necessary to identify the payment (e.g. name, date of training)
invoice management (issue, storage, etc.), consideration settlement

In case the order is received via the booking site booking.com and the payment was not made at the time of the booking, then Booking.com B.V. as an independent controller forwards the name and bank or credit card details of the Data Subject to Normawood Kft. for further processing (provided that the Data Subject provided Booking.com B.V. with the above card details).

In case the order is received via the booking site szallas.hu, then in the case of card guaranteed booking, Szallas.hu Zrt. as an independent controller forwards the following personal data to Normawood Kft. an independent controller: name, bank or credit card details. In connection with the booking process, Szallas.hu Zrt. stores only a fragment of the bank or credit card number, from which the full bank or credit card number cannot be reconstructed. Upon the end of the transmission of the data, even the partially stored data gets deleted.

In case the order is received via the booking site hrs.com/hrs.de/hrs.cn and the payment was not made at the time of the booking, then HRS GmbH as an independent controller forwards the name and bank or credit card details of the Data Subject to Normawood Kft. for further processing (provided that the Data Subject provided HRS GmbH with the above card details).

In the case of online booking, if the Data Subject did not pay the fee of the accommodation service in the course of the booking procedure, the operator of the booking site forwards to Normawood Kft. the card details, if provided by the Data Subject.

Legal ground of the processing: Article 6 (1) c) of the GDPR – to fulfil a legal obligation pursuant to Section 159 (1) of the VAT Act and Section 166 (1) of the Accounting Act. Duration of the processing: 8 years pursuant to Section 169 (1) of the Accounting Act.

Invoicing-related processing also includes the tax number of a legal entity (including a private entrepreneur) or an unincorporated organisation, which is not considered personal data, with the 8 tax identification number of natural persons, however, considered as such. The tax identification number of a natural person is included in the invoice only if explicitly requested (in writing).

Normawood Kft. allows the natural person Client/Guest to pay the consideration for its services in cash, by debit or credit card or by MHB/OTP/K&H SZÉP card, at their discretion. A legal person or an unincorporated organisation may also choose to pay by bank transfer in addition to the above options. Normawood Kft. is informed by the payment service provider about the information related to the payment of the consideration for the service (e.g. name, payment transaction ID, date, amount). Information on the payment service provider’s processing (including the exact scope of the personal data transferred to Normawood Kft.) and data protection is provided to the Data Subject by the payment service provider.

Further information about contributors and relating to contribution as well as the data forwarding related to invoices is set out in Section 6.

4.5 Processing relating to communication in relation to the preparation and performance of a contract

Processed personal data
Purpose of processing
the name, e-mail address and phone number of the contracting entity/Principal/contracting Client (contact person) or Guest, other data relating to the contact (e.g. duration of their stay)
communication (including the electronic sending of electronic invoices), handling problems that can be dealt with quickly

In case the order is received via the booking site Booking.com, then Booking.com B.V. as an independent controller forwards the following personal data to Normawood Kft. as an independent controller: name, contact details.

In case the Data Subject enquires about the reservation via the service of Booking.com, then Booking.com B.V. may forward personal data to, and receive personal data from, Normawood Kft. to the extent necessary to answer the question of the Data Subject.

In case the order is received via the booking site hrs.com/hrs.de/hrs.cn then HRS GmbH as an independent controller forwards the following personal data to Normawood Kft. as an independent controller: name, contact details.

In case the Data Subject enquires about the reservation via the service of hrs.com/hrs.de/hrs.cn, then HRS GmbH may forward personal data to, and receive personal data from, Normawood Kft. to the extent necessary to answer the question of the Data Subject.

Legal ground for the processing if the Data Subject is a contracting party: Article 6 (1) b) of the GDPR – preparation or performance of a contract The legal ground for the processing if the Data Subject is not a contracting party: Article 6 (1) f) of the GDPR – legitimate interest of Normawood Kft. in the preparation or performance of a contract Duration of the processing: if no order is placed after the call for proposal, the data are erased 14 days after the date of the proposal, in all other cases the term of processing shall be 5 years, pursuant to Section 6:22 of the Civil Code. In the case of a legal entity or an unincorporated organisation contracting entity/contracting party, in addition to the above data of the natural contract person, we also process the name, 9 registered office and/or postal address and central phone number of the contracting party, but these are not considered personal data.

4.6 Processing relating to accommodation service

In the course of the check-in procedure, Normawood Kft., shall, with the use of the PMS system (see Section 7.1) record the personal data of the Guest using the accommodation service. The Guest shall, in the course of the check-in, produce their identification or travel documents to the designated employee (receptionist) of Normawood Kft. to allow the recording of personal data. In case no identification or travel document is produced, Normawood Kft. shall refuse the provision of the accommodation service. The information on the data forwarding related to the use of accommodation service is set out in Section 7.1.

Processed personal data
Purpose of processing
family name and given name, birth family and given name, place and date of birth, sex, nationality of the Guest, mother’s birth family and given name, identifiers of the identification or travel document of the Guest, in the case of third-party nationals, number of the visa or residence permit, date and place of entry, date of commencement, expected and actual date of end of the use of the accommodation
the protection of the rights, safety and assets of the Data Subject (Guest) and others, ensuring compliance with the provisions regarding stay and residence of third country nationals and persons with freedom of movement and of residence

Legal ground of the processing: Article 6 (1) c) of the GDPR – legal obligation to which the Controller is subject, in particular, Article 9/H of Act CLVI of 2016, Articles 7, 14 and 14/C of Government Decree No. 235/2019. (X. 15.). Duration of the processing: until the last day of the year following the year of recording.

The above data is collected directly from the Data Subject even if the reservation was made through an online accommodation intermediary.

The police may perform queries in the database of the National Touristic Data Service Center, and may request the forwarding of data processed by the Controller, for the purposes of law enforcement, crime prevention, the protection of public order, public security, the order of the state border, the rights, security and assets of the Data Subject and others, and to issue arrest warrants (see further: last paragraph of Section 6).

4.7 Processing relating to a consumer complaint concerning services

The Client/Guest may lodge a complaint with Normawood Kft. regarding problems arising both in the preparation of the contract (call for proposal and proposal submission) and in the performance of the contract. This section does not contain all the information related to the exercise of the Client’s/Guest’s right to lodge a consumer complaint (e.g. consumer protection rights, names of supervisory bodies, contact details), but only information on the processing of personal data related to the handling of complaints. Detailed information on the exercising of the right to submit a complaint relating to consumer protection can be found in the General Contacting Terms and Conditions. For complaints regarding the processing of personal data, see also Section 4.9 and Chapter 10 of this Privacy Notice.

Processed personal data
Purpose of processing
the name, e-mail address and other data of the complaint submitting Client/Guest (e.g. address, order details, subject of the complaint)
handling of the complaint

In case the order is received via the booking site booking.com, then Booking.com B.V. as an independent controller forwards the following personal data to Normawood Kft. as an independent controller: in certain cases booking.com forwards historical information concerning the Data Subject to Normawood Kft., this means the fact whether the Data Subject had made any booking on the platform, the number of completed bookings, the confirmation of no complaints made that pertain to the Data Subject, the percentage of bookings cancelled by the Data Subject in the past, and whether the Data Subject has given reviews about past bookings.

In cases of accommodation reservation-related claims or disputes, Booking.com B.V. forwards to Normawood Kft. the contact details of the Data Subject and other information about the booking process, as needed to resolve the situation. The personal data forwarded may include, but might not be limited to, the email address and a copy of the reservation confirmation of the Data Subject as proof that the booking was made or to confirm reasons for cancellation.

In cases of accommodation reservation-related claims or disputes, HRS GmbH forwards to Normawood Kft. information pertaining to the booking process, including the booking confirmation, which serves as a receipt for actual completion of the booking.

Legal ground of the processing: Article 6 (1) c) of the GDPR – fulfilling a legal obligation pursuant to Section 17/A of the Consumer Protection Act. Duration of the processing: 3 years from the date of the complaint pursuant to Section 17/A (7) of the Consumer Protection Act.

4.8 Enforcement of claims relating to a contract

Normawood Kft. processes the following personal data of the Client/Guest for the purpose of enforcing its claims in connection with the services it has provided or is to provide (e.g. nonpayment, damages in connection with the services used etc.) or in the case of any other dispute or claim in connection with the contract, in order to protect its interests, regardless of the party making the claim. In the event of a dispute or claim arising in connection with the contract, it is essential to preserve the contract, be it required in court proceedings or out of court. Under the rules of civil procedure, the parties have an obligation to provide evidence, i.e. they must provide evidence to support their material allegations in the lawsuit, and the opportunity to provide evidence is therefore an explicit legal requirement. The personal data processed may be transferred to the lawyer/legal adviser or court.

Processed personal data
Purpose of processing
the name and natural person identification data of the Client/Guest, personal data relating to the service received and the claim
enforcement of a claim relating to a contract

In case the order is received via the booking site booking.com, then Booking.com B.V. as an independent controller forwards the following personal data to Normawood Kft. as an independent controller: in certain cases booking.com forwards historical information concerning the Data Subject to Normawood Kft., this means the fact whether the Data Subject had made any 11 booking on the platform, the number of completed bookings, the confirmation of no complaints made that pertain to the Data Subject, the percentage of bookings cancelled by the Data Subject in the past, and whether the Data Subject has given reviews about past bookings.

In cases of accommodation reservation-related claims or disputes, Booking.com B.V. forwards to Normawood Kft. the contact details of the Data Subject and other information about the booking process, as needed to resolve the situation. The personal data forwarded may include, but might not be limited to, the email address and a copy of the reservation confirmation of the Data Subject as proof that the booking was made or to confirm reasons for cancellation.

In cases of accommodation reservation-related claims or disputes, HRS GmbH forwards to Normawood Kft. information pertaining to the booking process, including the booking confirmation, which serves as a receipt for actual completion of the booking.

Legal ground of the processing: Article 6 (1) f) of the GDPR – legitimate interest of Normawood Kft. to enforce a claim Term of processing: pursuant to Section 6:22 of the Civil Code, 5 years from the performance of the contract.

4.9 Processing relating to the exercising of the rights of the data subject or in relation to a complaint concerning the processing of personal data

The Data Subject may exercise the rights set out in Chapter 9 of this Privacy Notice and may lodge a complaint with the Controller regarding the processing of their personal data, in connection with all processing activities carried out by Normawood Kft. (including the food delivery service provided by a contributor). If the problem with the processing of the personal data is linked to the activities of the contributors, then the given contributor is obliged to conduct the procedure (see: Section 6). In the case of data protection complaint or the enforcement of data subject rights concerning the Processors (see Section 7), Normawood Kft. shall act only if the data protection complaint or the enforcement of data subject rights concerns the processing activity carried out by Normawood Kft. Normawood Kft. may involve the Processor in the investigation of the data protection complaint or the enforcement of data subject rights concerning the Processor, to this end Normawood Kft. may forward the personal data concerning the Data Subject pursuant to this Section to the Processor, provided that such transfer does not infringe the rights and freedoms of the Data Subject. The processing of data protection complaint or the enforcement of data subject rights concerning the Processor that is not subject to the scope of the contract between the Processor and Normawood Kft. shall be handled directly by the Processor. The full processing of the data subject’s personal identification data (name, place and date of birth, mother’s name) is only performed in cases where the data subject’s rights cannot be exercised or where a complaint regarding the processing cannot handled without the provision of these data. Where the Data Subject does not provide the Controller with the personal data necessary to identify them, which are indispensable for the exercising of their rights or the handling of a complaint regarding the processing, the Controller shall refuse to exercise the data subject’s rights or reject the complaint regarding the processing.

Processed personal data
Purpose of processing
the name, date and place of birth, mother’s name, e-mail address, other data (e.g. address, order details, subject of the complaint) provided by the Client/Guest who exercises their rights or lodges a complaint about the processing
exercising of data subject rights, handling of the complaint

Legal ground of the processing: Article 6 (1) c) of the GDPR – to comply with a legal obligation under Articles 15 to 18 and 21 of the GDPR, and Article XXVIII (7) of the Fundamental Law.
Duration of the processing: 5 years after the exercising of the data subject’s rights or the settlement of a complaint relating to the processing (general limitation period under the Civil Code). If the enforcement of the data subject’s rights or the settlement of the Data Subject’s complaint involves official or judicial proceedings, the term of the processing of data pursuant to this Section shall last until the retention of the records of the official or judicial proceedings.

4.10 Processing relating to the notification of an extraordinary event

The Client/Guest who comes into contact with the Hotel is obliged to notify the Hotel of an extraordinary event in accordance with the General Contracting Terms and Conditions. Where the processing of personal data may be affected by the extraordinary event (e.g. load-bearing network attack, authentication problems, power failure), the Controller conducts an internal investigation (personal data breach management procedure), in which it may be necessary to interview the person who reported the extraordinary event and to process their data.

Processed personal data
Purpose of processing
the name and contact details of the extraordinary event notifying Client/Guest, other data necessary for the processing of the notification (e.g. nature, date, impact of the event)
handling of the extraordinary event fulfilment of the obligations related to the handling of the personal data breach

Legal ground of the processing: Article 6 (1) c) of the GDPR – to comply with a legal obligation under Articles 33-34 of GDPR
Duration of the processing: 5 years from the end of the handling of the extraordinary event (general limitation period under the Civil Code), in the case of personal data in the register of personal data breaches, the retention period shall be 10 years from the investigation of the personal data breach

4.11 Security cameras

Normawood Kft. operates security cameras in order to ensure the continuous, uninterrupted and safe operation of Normawood Kft., to protect the life, physical integrity, personal freedom and property of Data Subjects entering or staying on the premises of Normawood Kft., to support the detection and consequence management of possible extraordinary situations (natural disasters, accidents, attacks against persons or property) and to protect the assets and business secrets of Normawood Kft.

The security cameras record the (movements and behaviour) of the Data Subjects in such a way that a natural person in the area covered by the camera can be identified. No facial recognition or other computer program that establishes or retrieves the exact identity of the Data Subject is assigned to the security cameras or to the examination of the recorded images. The Data Subjects, who are employed by Normawood Kft. can find more details on the processing related to the operation of the security cameras in the Employee Privacy Notice.

Processed personal data
Purpose of processing
the image, location, time, duration, direction of travel of the person moving/residing in the area within the field of view of the security camera
protection of life and physical integrity, property security, business secret protection, handling of extraordinary events complaint handling

Legal ground of the processing: Article 6 (1) f) of the GDPR – legitimate interest in the proper and secure operation of the Controller
Duration of the processing: the recorded camera footage is erased 30 days after recording if not used.

Depending on the content of the complaint, the camera recordings may be used for the purposes of assessing the complaint, initiating or conducting official proceedings in respect of a suspected offence or crime, or investigating the circumstances of an extraordinary event (e.g. natural disaster, accident). If an offence or crime is suspected, Normawood Kft. may attach to the document initiating the official procedure (e.g. a denunciation) the recordings of the event or make them available to the authority conducting the procedure in a documented manner.

Normawood Kft. endeavours to protect the rights of persons who are not involved in the complaint, offence, criminal proceedings or the extraordinary event (e.g. by making their image unrecognisable) when using the camera footage.

4.12 Use of website cookies

Information regarding the cookies used on the website of Normawood Kft. is set out in the cookie policy of the Controller.

4.13 Processing of data related to social media profiles

Normawood Kft. maintains a business profile (fan page) on the social media sites Facebook and Instagram in order to present its services, products and activities. For the purposes of this Section, a Data Subject is any natural person who visits the social media pages of Normawood Kft., who gives a review of, reacts to (likes, etc.) or comments on the publications, offers or services of Normawood Kft. published by the Controller, and who shares the social media page or any of the posts of the Controller. In relation to the processing of personal data, Normawood Kft. either acts on its own or cooperates with Facebook, depending on the action it is entitled to take in relation to the personal data concerned.

The business platform provided by Facebook (including Instagram) includes a number of options that the creator of a business fan page can use, but cannot change. This includes, for example, the cookies Facebook uses to track visitors to the fan page (quantify and analyse user behaviour). Normawood Kft. as the operator of a fan page may have access to demographic information about its target audience (e.g. age, gender, marital status, and occupational status), information about the lifestyle and interests of its target audience (including information about online purchases made by people who visit its page), and geographic information that may be used to better target the content shared and to decide where to offer special discounts or organise events. Normawood Kft. uses statistical data provided by Facebook (including Instagram) only to the extent necessary. Given that the aggregated data provided by Facebook (including Instagram) may sometimes be used to identify individuals, but Normawood Kft. has no control over the collection and analysis of this data, it is advisable for users (visitors to the Normawood Kft. fan page) to set privacy permissions on their personal Facebook and Instagram profiles to allow the sharing of their private information in the most limited way possible.

The Messenger messaging service is part of the Facebook platform, through which Normawood Kft. answers questions and other inquiries about the services and products it offers, but does not accept actual orders through the messaging service. It is the Data Subject who is able to erase the messaging via Messenger in relation to their own account. If the Data Subject requests it, Normawood Kft. erases the messages exchanged with the Data Subject from its own account. Normawood Kft. has no direct influence on the characteristics of the processing other than erasure at its own endpoint, but cooperates with the owner of the messaging service, Facebook, upon request.

4.14 Sending newsletters

The Controller sends newsletters to the Clients/Customers who have contact with the Hotel if they subscribe. The newsletters are intended to promote the services provided by the Controller and the Hotel and to introduce new services. Subscription to the newsletter is not a condition for using the services of the Hotel. The Clients/Customers are free to withdraw their consent at any time, either by sending an unsubscribe e-mail to the e-mail address included in the newsletter or by sending an e-mail to the Data Protection Officer’s e-mail address or by using an unsubscribe link. Withdrawal of consent does not affect the lawfulness of the processing prior to the withdrawal of consent.

Processed personal data
Purpose of processing
name and e-mail address of the Client/Customer
marketing communications (sending e-mails)

Legal ground of processing: Article 6 (1) a) of GDPR – consent of the data subject; Duration of the processing: until the withdrawal of the consent of the data subject.

4.15 Making image and/or sound recordings at programs organized by the Controller

For all programs organized by the Controller at the Hotel, including but not limited to yoga classes and meditation and relaxation exercises, the Controller makes image and/or sound (i.e. photo and video) recordings (hereinafter: Recordings) of the participants of the event. By entering and participating in the event, participants consent to the making and use of the Recordings. Means of use: reworking, publication on the Organizer’s own website, social media sites. The Recordings are not used by the Data Controller for identification purposes, and no facial recognition software is used. The Data Subjects are not entitled to any compensation in connection with the making and use of the Recordings.

Processed personal data
Purpose of processing
Image and sound recording (image, behavior, sound)
Promotion of the programs organized by the Hotel and the Controller

Legal ground of processing: Article 6 (1) a) of GDPR and Article 2:48(1) of the Civil Code of Hungary – consent of the Data Subject;
Duration of the processing: 1 year from the making of the Recording.

4.16 Sale of gift vouchers

The Controller provides the opportunity to purchase a personalized online gift voucher electronically. The gift vouchers may be purchased and delivered on the website of the Controller.

Processed personal data
Purpose of processing
Title; family name and given name; address (country, zip code, city/town/village, street address); telephone; e-mail (of the purchaser and the recipient), company name and registered office in case of business association, bank card number, CVC code, details of the Széchenyi Recreation Card (card number, cardholder name).
Sale and delivery of gift vouchers

Legal ground of processing in the case of the purchaser: Article 6 (1) b) of the GDPR – contract performance.
Legal ground of processing in the case of the recipient: Article 6 (1) f) of the GDPR – Normawood Kft.’s legitimate interest in the performance of the order and contract.

Term of processing: 2 years from the expiry date of the gift voucher.

5. Profiling, automated decision-making

Normawood Kft. does not use profiling (grouping by some characteristic, evaluation, etc.) or automated decision-making (decisions made solely by machine that affect the Data Subject) with the personal data (including security camera footage) that it processes.

6. Access to data, transfer of data

The personal data may be accessed by Normawood Kft. and its contracted partners and employees of organisations involved in the business, solely for the purposes and to the extent necessary for the performance of their tasks.

Some of Normawood Kft.’s contracted partners are considered controllers while others are considered processors. Information on the processors is provided in Section 7.

The contracted partner controllers are involved in the following activities:

6.1. Social media platform owner (see the related processing activity in Section 4.13)
Services (Facebook, Instagram) provided by Meta Platforms, Inc. and Meta Platforms Ireland Limited [European registered office: Ireland, Dublin 2, Grand Canal Harbour, Grand Canal Square 4] – joint controller with Normawood Kft. for the processing of personal data of natural persons who visit the Controller’s business profile (fan page) and interact with the posts published on the fan page (e.g. like, share, comment)

The Privacy Notice of the Facebook social media site is available here.
The Privacy Notice of the Instagram social media site is available here.

6.2. Transfer of data related to the fulfilment of tax obligations, invoices (see the related processing activity in Section 4.4)

National Tax and Customs Administration (registered office: 1054 Budapest, Széchenyi u. 2) – privacy notice: here.

6.3. Data forwarding related to adult education service (see the related processing activity in Section 4.3)

Pest County Government Office (Pest Megyei Kormányhivatal adult education government authority, registered office: 1089 Budapest, Kálvária tér 7., website: here – privacy policy here.

Pursuant to Article 15 of the Adult Education Act, Normawood Kft. shall forward the following data to the adult education data supply system (Vocational and adult training module of the Public Education Registration and Study Basic System):name of the education or training, its nature, place, number of lessons, commencement date and projected completion date, natural identification data of participants, e-mail address, highest level of education completed, the fee of the training and the person or entity who or which pays the fee.

Pursuant to Section 25/A(2) of the Adult Education Act Execution Decree, Normawood Kft. shall apply for the issuance of an educational identification code in the adult education data supply system for the Client who has not been provided with an educational identification code yet. Normawood Kft. shall issue the certificate requested by the Client in the adult education data supply system.

6.4. The booking site booking.com (related processing activities in Sections 4.2, 4.4, 4.5, 4.7 and 4.8)

The operator of the booking site booking.com is Booking.com B.V. (registered office: Oosterdokskade 163, 1011 DL, Netherlands, company registration number: 31047344, VAT number: NL805734958B01). The Customer is entitled to book the accommodation service offered by the Controller via the above website, in this case the operator of the booking site may, in addition to the booking and contracting, cooperate with the Controller in invoicing and electronic payment, communication in relation to the preparation and performance of contract, processing of consumer complaints and enforcement of claims relating to a contract and in this regard personal data is/may be transferred between the operator of the booking site and the Controller. Privacy policy here.

6.5. The booking site szallas.hu (related processing activities in Sections 4.2 and 4.4)
The operator of the booking site szallas.hu is Szallas.hu Zrt. (registered office: 3525 Miskolc, Régiposta utca 9., company registration number: 05-10-000622, VAT number: 26721761-2-05). The Customer is entitled to book the accommodation service offered by the Controller via the above website, in this case the operator of the booking site may, in addition to the booking and contracting, cooperate with the Controller in invoicing and electronic payment and in this regard personal data is/may be transferred between the operator of the booking site and the Controller. Privacy policy here.

6.6. The booking site(s) hrs.com/hrs.de/hrs.cn (related processing activities in Sections 4.2, 4.4, 4.5, 4.7 and 4.8)

The operator of the booking site(s) hrs.com/hrs.de/hrs.cn is HRS GmbH (full company name: HRS Hotel Reservation Service Robert Ragge GmbH, registered office: Breslauer Platz 4, 50668 Köln, Germany, company registration number: HRB 90154, VAT number: DE 252323088). The Customer is entitled to book the accommodation service offered by the Controller via the above website, in this case the operator of the booking site may, in addition to the booking and contracting, cooperate with the Controller in invoicing and electronic payment, communication in relation to the preparation and performance of contract, processing of consumer complaints and enforcement of claims relating to a contract and in this regard personal data is/may be transferred between the operator of the booking site and the Controller. Privacy policy here.

Normawood Kft. only transfers the personal data processed by it to third parties (e.g. public authorities, courts or other public bodies) in the manner and for the purposes specified by law, except as described in this Privacy Notice.

7. Processors

Normawood Kft. also works with contributors in the course of its business activity. Some of these contributors are considered controllers and are described in the previous section. Other contributors may also have access to personal data processed by Normawood Kft. and perform processing operations on behalf of the Controller (e.g. accounting, invoicing, website operation) and are therefore considered as Processors under the GDPR.

The Processors do not make independent processing decisions and are only entitled to act in accordance with the contract with Normawood Kft. and the instructions they receive. Normawood Kft. only uses Processors that implement appropriate technical and organisational measures to ensure a level of data security appropriate for the level of risk. The specific tasks and responsibilities of the Processor are set out in the contract between Normawood Kft. and the Processor.

7.1.  Normawood Kft. uses the PMS system of Chrome-Soft Kft. (registered office: 8226 Alsóörs, Rege köz 9; company registration no.: 19-09-507691; tax number: 13306612-2-19) for the processing of data related to the ordering and performance of hotel services (reservations, modifications, invoicing, etc.), and also uses the maintenance and support services related to the software.

7.2.  For the fulfilment of its bookkeeping (accounting) and financial record-keeping obligations related to its operation, Normawood Kft. uses the services of Docler Services Kft. (registered office: 1101 Budapest, Expo tér 5-7, company registration no.: 01-09-186181, tax number: 24856984-2-42).

7.3.  For the operation of the security cameras and the maintenance of the security system, Normawood Kft. uses the services of DoclerPro Kft. (registered office: 1101 Budapest, Expo tér 5-7, company registration no.: 01-09-889799, tax number: 14119699-2-42).

7.4. TRUSTED ADVISER Könyvvizsgáló és Tanácsadó Kft. (registered office: 1082 Budapest, Baross utca 66-68, 3rd Floor 11., company registration no.: 01-09-279282, tax number: 14967526-2-42) provides auditing services to Normawood Kft.

7.5.  In the course of the processing activity set out in Section 4.6, the storage space provider is the National Tourist Data Service Centre (NTAK) under a statutory obligation, which entity is operated by Magyar Turisztikai Ügynökség Zrt. (registered office: 1027 Budapest, Kacsa u. 15-23; company registration no.: 01-10-041364; tax number: 10356113-2-43). The privacy notice of Magyar Turisztikai Ügynökség Zrt. is available here (in Hungarian). The terms and conditions of the controller-to-processor relationship between Normawood and NTAK shall be set out in Article 14 of the Government Decree No. 235/2019. (X. 15.) en lieu of a data processing agreement.

7.6. The Res’nWeb online booking system used on the website of the Controller is provided by NetHotelBooking Korlátolt Felelősségű Társaság (registered office: 8200 Veszprém, Boksa tér 1. A. ép., company registration number: 19-09-512827, VAT number: 22710776-2-19). The website of NetHotelBooking Kft. is available here.

7.7.  The Controller uses the HostWare software suite for the administration related to the accommodation service. The HostWare suite is provided by MT-HostWare Számítástechnikai Korlátolt Felelősségű Társaság (registered office: 1149 Budapest, Róna utca 120-122., company registration number: 01-09-263594, VAT number: 10426917-2-42, website here.

7.8.  The support and repair of the hotel telephone system of the Controller is provided by ASSONO Magyarország Távközlési Korlátolt Felelősségű Társaság (registered office: 1149 Budapest, Róna utca 120-122., company registration number: 01-09-730753, VAT number: 12460906-2-42, website here.

7.9.  The operation, remote maintenance and repair of the hotel television system of the Controller is provided by CREATEVENT Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registered office: 1118 Budapest, Rodostó utca 7. II. ép. B. lház. II. em. 6. ajtó, VAT number: 13400905-2-43, company registration number: 01-09-968156, website here.

7.10. The management and synchronization of the booking/sales channels of the Controller is carried out with the assistance of D-Edge SAS (registered office: 66 Rue des Archives, 75003 Paris, France, SIREN: 431 513 852, APE/NAF code: 5829C EU VAT number: FR35 431 513 852).

7.11. The customer relationship management activities of the Controller (central customer database, storage and processing of customer data) are performed using the MiniCRM customer relationship system provided by MiniCRM Zrt. (registered office: 1075 Budapest, Madách Imre út 13-14., company registration number: 01-10-047449, VAT number: 23982273-2-42).

8. Data security measures

The Controller stores personal data on its own computer devices. Normawood Kft. ensures that the personal data it processes are protected against, inter alia, unauthorised access or unauthorised alteration, loss or destruction by appropriate IT, organisational and personnel measures. Access to the data contained in each register is subject to strict authorisation, is password-protected and logged, therefore it is possible to check who performed what processing operation and when.

9. Rights of Data Subject in relation to the processing

9.1 Right to request information and access to personal data

The Data Subject may request information and access from Normawood Kft., through the contact details provided in Section 2, on the personal data processed, the purpose, grounds and term of processing, and the sources from where the personal data have been obtained, and to whom, when, under what law, to which personal data of the Data Subject the Controller has granted access or to whom the Controller has transferred the personal data.

If the Data Subject requests more than one copy of the information referred to in this Section, the Controller is entitled to charge a reasonable fee proportionate to the administrative costs of producing the additional copies.

Prior to granting the request of the Data Subject, Normawood Kft. shall request the Data Subjects to identify themselves. In order to grant the request properly, the Controller may request the Data Subject to clarify the content of the request and to specify the information and processing activities requested prior to granting the request. Where the Data Subject’s access right under this Section adversely affects the rights and freedoms of others, in particular the business secrets or intellectual property of others, Normawood Kft. is entitled to refuse to comply with the Data Subject’s request to the necessary and proportionate extent.

The Controller shall comply with the request within a maximum of one month, of which the Data Subject will be notified by letter sent to the contact details provided by the Data Subject.

9.2 Right to rectification

The Data Subject may request in writing, through the contact details provided in Section 2, that Normawood Kft. amend (rectify or supplement) any of their personal data recorded (for example, they may change their e-mail address or other contact details at any time).
The Data Subject may also amend the data provided by them during the registration on the website of Normawood Kft. (see: Section 4.9), which is certified by the Controller by sending a message to the e- mail address provided by the Data Subject.

Normawood Kft., following the rectification of the Data Subject’s data, informs the persons with whom the Data Subject has communicated their personal data of the rectified data, provided that this is not impossible or requires a disproportionate effort on the part of the Controller.
The Controller will comply with the request within a maximum of one month, of which the Data Subject will be notified by letter sent to the contact details provided by the Data Subject.

9.3 Right to data portability

The Data Subject may request in writing, through the contact details provided in Section 2, that Normawood Kft. to provide the personal data concerning the Data Subject, which the Data Subject has provided to Normawood Kft., in a structured, commonly used and machine-readable format, furthermore, the Data Subject has the right to transmit those data to another controller without hindrance from the Controller. The right to data portability may be exercised where:

  • the processing is based on the consent of the Data Subject, or

  • the processing is necessary for the performance of a contract to which the data subject is party (including the case when steps are taken at the request of the Data Subject prior to entering into a contract), and

  • the processing is carried out by automated means.

 

The right to data portability may also be exercised by the Data Subject by having the personal data transmitted directly from the Controller to another controller, where technically feasible.
The right to data portability under this Section does not create an obligation for Normawood Kft. and the other controller indicated in the application of the Data Subject to introduce or maintain technically compatible information systems or applications.

In the event that the data subject’s right to data portability adversely affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Controller shall be entitled to refuse to comply with the data subject’s request to the extent necessary.

9.4 Right to withdraw consent

The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. If consent is required to conduct an event or participate in an application in which the Data Subject wishes to participate and the Data Subject withdraws his or her consent to data processing, he or she may not participate in the event or participate in the application after the consent has been withdrawn. The withdrawal of consent to the processing shall mean the deletion of the personal data related to the participation to the event or the involvement in an application (see the next section) at the Controller. In case the withdrawal of the consent to the processing takes place in a phone or other computer application where the Controller has no system administrator privileges, information on the consequences of the withdrawal of consent (e.g. deletion of data) shall be provided by the operator or owner of the application.

9.5 Right to erasure

The Data Subject may request Normawood Kft. to erase all or some of their personal data in writing through the contact details provided in Section 2, provided that any of the following criteria are met:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  • the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

  • the data subject objects to the processing based on legitimate interest or for the purposes of direct marketing (including profiling for direct marketing), and there are no overriding legitimate grounds for the processing;

  • the personal data have been unlawfully processed;

  • the personal data have to be erased for compliance with a legal obligation in Union or Member

    State law to which the Controller is subject;

  • the personal data have been collected in relation to the offer of information society services

    referred to in Article 8(1) of GDPR.

Normawood Kft. will not comply with the erasure request if the processing is necessary:

  • for exercising the right of freedom of expression and information
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject,
  • for reasons of public interest in the area of public health, when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy,
  • for the establishment, exercise or defence of legal claims, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the erasure of personal data is likely to render impossible or seriously impair the achievement of the objectives of that processing.

The Data Subject may also erase the data provided during the registration on the Normawood Kft. website (see: Section 4.9), of which the Data Controller informs the Data Subject by sending a message to the e-mail address provided by the Data Subject.
Normawood Kft. will process the Data Subject’s request within a maximum of one month and will notify the Data Subject of the erasure by sending a letter to the contact details provided by the Data Subject. Normawood Kft. shall inform those to whom the Personal Data of the Data Subject has previously been transferred of the deletion of personal data, provided that such information is not impossible or does not require a disproportionate effort from the Data Controller.

9.6 Right to restriction of processing (blocking)

The Data Subject may request in writing, through the contact details provided in Section 2, that their personal data be blocked by Normawood Kft. The blocking is done by clearly indicating the limited nature of the processing and by storing the data separately from other data. This means that no processing operation other than storage may be performed on the data. The blocking lasts as long as the reason indicated by the Data Subject requires the blocked storage of the personal data.

For example, the Data Subject may request the blocking of personal data if they believe that their personal data have been unlawfully processed by Normawood Kft. however, it is necessary for the purposes of official or judicial proceedings initiated by them that the personal data are not erased by the Controller. In such a case, Normawood Kft. keeps the personal data blocked until the authority or court requests it, and erases or continues to process the personal data after the end of the official proceedings.

9.7 Right to objection

The Data Subject may object in writing to the processing based on a legitimate interest of the controller or a third party [Article 6 (1) f) of the GDPR], through the contact details provided in Section 2. The Data Subject may object to the processing, for example, if Normawood Kft. were to transfer or use the personal data for the purposes of public opinion polling or scientific research without the Data Subject’s consent.

Normawood Kft. investigates the Data Subject’s objection within a maximum of one month and notifies the Data Subject of the outcome (including notification of the erasure of any personal data that may have been unlawfully processed) by sending a letter to the contact details provided by the Data Subject.

10. Enforcement and legal remedies related to the processing

The Data Subject may exercise their rights concerning the protection of their personal data by contacting Normawood Kft. via the contact details indicated in Section 2. See also Section 4.9 for more information on the processing that takes place in this context.

If the Data Subject believes that their rights to the protection of their personal data have been infringed, they may seek legal remedy from the designated data protection supervisory authority:

National Authority for Data Protection and Freedom of Information (NADPFI) registered office: 1055 Budapest, Falk Miksa u. 9-11

If the Data Subject experiences unlawful processing of their personal data, they may initiate legal proceedings (civil lawsuit) against the Controller. The case falls within the competence of the general court. At the discretion of the Data Subject, the lawsuit may also be brought before the general court in whose jurisdiction the Data Subject’s home address is located (the contact details of the courts are available on the following link.

11. Update and availability of the Privacy Notice

Normawood Kft. reserves the right to unilaterally amend this Privacy Notice. In particular, the Privacy Notice may need to be amended in the light of changes in legislation, the practices of data protection supervisory authorities, business needs or newly identified security risks.

© 2024, Normafa

A Docler Holding company