Data Management Information

Introduction

The Szimbiózis Foundation (hereinafter: Data Controller) hereby presents its data management principles (which are in accordance with the applicable data protection legislation), and outlines the expectations it has set for itself as a data controller. In connection with data management, the Data Controller hereby informs the data subjects about the method and possibilities of exercising their rights.

Data and contact details of the data controller

Name: Szimbiózis Foundation
Registered office: 3527 Miskolc, Augusztus 20 u. 12.
Company registration number: 00-18-432930
Name of the registering court: Miskolc Regional Court
Tax number: 18432930-1-05
Phone number: +36 30 681 4482
E-mail: szimbiozis@szimbiozis.net
Official representative: László Jakubinyi, Chairman of the Board of Trustees

Information on payments

Payment at Baráthegyi Majorság

The consideration for the services available at Baráthegyi Majorság, operated by the Szimbiózis Foundation, can be paid by visitors and guests in cash or by credit card, as determined by the Szimbiózis Foundation.

  • Purpose of data management: Use of Baráthegyi Majorság services, invoicing, registration and differentiation of visitors, documentation of purchase and payment, fulfillment of accounting obligations.
  • Legal basis for data management: Article 6 (1) (b) of the GDPR and Section 169 (2) of the Accounting Act.
  • Type of personal data processed: transaction number, date and time; content of the document; name, quantity and purchase price of the service used; method of payment; payment details (date, time, name of items on the invoice, amount).
  • Duration of data management: 8 years, based on Section 169 (2) of the Accounting Act.

If the data is not provided, the Szimbiózis Foundation may not be able to issue an invoice in the buyer’s name.

In the case of payment by credit card, the payment transaction data (payer’s ID, transaction amount, date, time) will be forwarded to Erste Bank Hungary Zrt. for processing purposes.

Catering, service

Registration for the services and program elements of Baráthegyi Majorság, operated by the Szimbiózis Foundation, can be done: after a personal request, based on telephone or e-mail consultation, as well as through online booking via www.barathegy.com. Our staff record the received bookings in Excel spreadsheets.

  • Purpose of data management: to track bookings, to provide the highest level of service to visitors’ needs.
  • Legal basis for data management: Article 6 (1) (b) of the GDPR.
  • Type of personal data processed: date of booking, date and exact time of the agreed program/service, number of participants, exact detailed list and name of the services and/or program elements they have chosen, name, telephone number and e-mail address of the booker, any special needs of the guests.
  • Duration of data management: 5 years.

If the data is not provided, the booking may not be registered in the guest’s name and for the time requested, and the Szimbiózis Foundation may not be able to issue an invoice in the name of the guest.

Data management related to accommodation

Booking

Accommodation in the Baráthegyi Family-Friendly Guesthouse, operated by the Szimbiózis Foundation, and in the youth accommodation in the Baráthegyi Forest School can be booked on the website www.barathegy.com, by e-mail, in person or by telephone. The Szimbiózis Foundation stores the accommodation booking data in its business management system in electronic form. Documents containing personal data created on paper are stored in parallel with the electronic system until the date indicated in the relevant part of this information.

  • Purpose of data management: booking accommodation, registering booking guests, differentiating them from each other, pre-ordering services for booking guests, maintaining contact.
  • Legal basis for data management: Article 6 (1) (b) of the GDPR and Section 169 (2) of the Accounting Act.
  • Type of personal data processed: date of arrival and departure; number of rooms booked; number of children and adults using the services; age of children; exact name of the requested additional services. Guest name; phone number; e-mail address; additional information provided in case of special needs (e.g. special needs); method of payment. In case of payment by credit card: name of the cardholder, type and number of the card, expiration date and CVC number.
  • Duration of data management: 8 years, based on Section 169 (2) of the Accounting Act.

Possible consequences of not providing the data may be that accommodation and other services cannot be booked for the guest. With regard to the data management carried out during the fulfillment of the payment obligation arising from the use of the service, the provisions of Chapter 2.1 of this information shall apply.

Check-in

The Szimbiózis Foundation stores the check-in data in its business management system in electronic form. Documents containing personal data created on paper are stored in parallel with the electronic system until the date indicated in the relevant part of this information.

  • Purpose of data management: providing accommodation services, registering and differentiating hotel guests. Providing services to hotel guests, maintaining contact, ensuring and fulfilling bookings. Fulfillment of accounting and tourism tax declaration obligations and the obligations prescribed by Section 73 (2) of the Harmtv.
  • Legal basis for data management: Article 6 (1) (b) of the GDPR, and Section 169 (2) of the Accounting Act, point a) of Section 30 (1) of the Htv. and Section 73 (2) of the Harmtv.
  • Type of personal data processed: room number, name, date of birth, address, citizenship, date of arrival and departure, date of completion and signature, data related to the use of accommodation services, payment data (date, time, name of items on the invoice, amount, card details in case of credit card payment).
  • Duration of data management: 8 years, based on Section 169 (2) of the Accounting Act.

Possible consequences of not providing the data may be that the guest cannot use the accommodation service. With regard to the data management carried out during the fulfillment of the payment obligation arising from the use of the service, the provisions of Chapter 2.1 of this information shall apply.

Data management related to online interfaces

Server logging of Barathegy.com

When visiting the www.barathegy.com website, the web server automatically logs the activity of users.

  • Purpose of data management: to monitor the operation of the website, to monitor visitor searches, to prevent abuse.
  • Legal basis for data management: Article 6 (1) (f) of the GDPR and Section 13/A (3) of the Eker. Act.
  • Type of personal data processed: identification number, date and time of visit, address of the visited page, user’s IP address, type of operating system and browser.
  • Duration of data management: 30 days.

The html code of barathegy.com contains references from and to external servers independent of the Szimbiózis Foundation. The website displays a map from the http://maps.google.com service provider. The website displays videos from the www.youtube.com service provider. The website connects directly to the servers of the service providers available at facebook.com and youtube.com in order to access the services of Facebook and YouTube. We would like to draw the attention of our visitors that the direct connection to the servers of the service providers of the links is able to collect user data due to the direct connection with the user’s browser.

Own cookie management of barathegy.com

In order to provide customized service, the service provider places so-called cookies on the user’s computer and reads them back during a later visit. If the browser sends back a previously saved cookie, the service provider managing the cookie has the opportunity to link the user’s current visit to previous ones, but only with regard to its own content.

  • Purpose of data management: to identify users, to distinguish them from each other, to identify the current session of users, to store the data provided during it, to prevent data loss.
  • Legal basis for data management: Article 6 (1) (f) of the GDPR and Section 13/A (3) of the Eker. Act.
  • Type of personal data processed: identification number, date, time and the previously visited page.
  • Duration of data management: two hours.

Cookies with an exact validity period (permanent) are stored on the computer until they are deleted, but no later than the expiration of their validity period. The user can delete the cookie from his/her own computer or disable their use in his/her browser.

Taking and using photos and film recordings

Employees, visitors and guests of the Szimbiózis Foundation appear on the pictures and film recordings published in the electronic and printed marketing materials, websites, Facebook pages and YouTube channel of the Szimbiózis Foundation.

  • Purpose of data management: To promote the Szimbiózis Foundation and increase its awareness.
  • Legal basis for data management: voluntary consent of the data subjects.
  • Type of personal data processed: the facial image of the persons appearing in the recordings, their voice heard in the film recordings and other recorded personal data.
  • Duration of data management: 10 years.
  • Disclosure: the recordings made are published in the electronic and printed marketing materials, websites, Facebook pages and YouTube channel of the Szimbiózis Foundation.

Other data management

Information on data management not listed in this information will be provided when the data is collected. We inform our clients that the court, the prosecutor, the investigating authority, the regulatory authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, or other bodies authorized by law, may contact the data controller for the purpose of providing information, communicating data, transferring data, or making documents available. The Szimbiózis Foundation provides personal data to the authorities – if the authority has specified the exact purpose and scope of the data – only to the extent and to the extent that is absolutely necessary to achieve the purpose of the request.

Method of storing personal data, data management security

The Szimbiózis Foundation, taking into account the state of data processing technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of the data management, and the risk of varying probability and severity to the rights and freedoms of natural persons, shall take appropriate technical and organizational measures to ensure a level of data security appropriate to the degree of risk.

The Szimbiózis Foundation selects and operates the IT tools used in the provision of services for the management of personal data in such a way that the managed data:

  • is accessible to those authorized to do so,
  • its authenticity and authentication are ensured,
  • its immutability can be verified,
  • is protected against unauthorized access.

The Szimbiózis Foundation protects the data with appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as against accidental destruction, damage, and inaccessibility resulting from changes in the technology used. In order to protect the electronically managed data files in its various registers, the Szimbiózis Foundation ensures with appropriate technical solutions that the stored data – unless permitted by law – cannot be directly linked and assigned to the data subject.

The Szimbiózis Foundation, taking into account the state of the art at all times, shall ensure the protection of the security of data management with technical, organizational and organizational measures that provide a level of protection appropriate to the risks associated with data management. The Szimbiózis Foundation preserves during data management:

  • confidentiality: ensures that only those who are authorized to do so can access the information;
  • integrity: protects the information, as well as the accuracy and completeness of the processing method;
  • availability: ensures that when the authorized user needs it, he/she can actually access the desired information.

The IT system and network of the Szimbiózis Foundation are both protected against computer-aided fraud, espionage, sabotage, computer viruses, computer intrusions and denial-of-service attacks. The operator ensures security with server-level and application-level protection procedures.

The Szimbiózis Foundation, as data controller, keeps records of any data protection incidents, indicating the facts related to them, their effects and the measures taken to remedy them. The Szimbiózis Foundation shall notify the National Authority for Data Protection and Freedom of Information of any data protection incident without undue delay and, if possible, no later than 72 hours after becoming aware of the data protection incident, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.

Remedies

The data subject may request information about the management of his/her personal data, and may request the rectification of his/her personal data or – with the exception of mandatory data management – its deletion, withdrawal, restriction of data management and may exercise his/her right to data portability and objection in the manner indicated when the data was collected, at the above contact details of the data controller, or through its customer service.

Right to information

At the request of the data subject, the Szimbiózis Foundation shall take appropriate measures to provide the data subjects with all the information referred to in Articles 13 and 14 of the GDPR relating to the management of personal data and all information under Articles 15-22 and 34 in a concise, transparent, understandable and easily accessible form, clearly and in plain language.

Data subject’s right of access

The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data relating to him or her are being processed and, where that is the case, access to the personal data and the following information:

  • the purposes of the data management;
  • the categories of personal data concerned;
  • the categories of recipients to whom the personal data have been or will be disclosed (including in particular recipients in third countries and international organizations);
  • the planned duration of the storage of personal data;
  • the right to rectification, erasure or restriction of data management and the right to object;
  • the right to lodge a complaint with a supervisory authority;
  • information on data sources;
  • the fact of automated decision-making, including profiling, and understandable information on the logic used and on the significance and foreseeable consequences of such data management for the data subject.

Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer. The Szimbiózis Foundation shall provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. The Szimbiózis Foundation shall provide the information by electronic means at the request of the data subject. Information may also be provided orally to the data subject upon request – after credible verification and identification of his/her identity.

Right to rectification

The data subject may request the rectification of inaccurate personal data relating to him or her and the completion of incomplete data managed by the Szimbiózis Foundation.

Right to erasure

The data subject shall have the right to obtain from the Szimbiózis Foundation the erasure of personal data relating to him or her without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject withdraws the consent on which the data management is based and there is no other legal basis for the data management;
  • the data subject objects to the data management and there are no overriding legitimate grounds for the data management;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject;
  • the personal data have been collected in relation to the offer of information society services.

Data may not be deleted if the data management is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation under Union or Member State law requiring the management of personal data to which the data controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
  • on the grounds of public interest in the field of public health, or for archival, scientific and historical research or statistical purposes;
  • for the submission, enforcement and protection of legal claims.

Right to restriction of data management

At the request of the data subject, the Szimbiózis Foundation shall restrict data management if one of the following conditions is met:

  • the accuracy of the personal data is contested by the data subject (in this case, the restriction applies for the period enabling the verification of the accuracy of the personal data);
  • the data management is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead;
  • the data controller no longer needs the personal data for the purposes of data management, but the data subject requires them for the submission, enforcement or protection of legal claims;
  • or the data subject has objected to the data management (in this case, the restriction applies for the period until it is established whether the legitimate grounds of the data controller override the legitimate grounds of the data subject).

Where data management has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the submission, enforcement or protection of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Szimbiózis Foundation shall inform the data subject in advance of the lifting of the restriction of data management.

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller.

Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the management of his or her personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, or to the management necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, including profiling based on those provisions. In the event of an objection, the data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the submission, enforcement or protection of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed by the Szimbiózis Foundation for such purposes.

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply if the data management:

  • is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  • is authorized by Union or Member State law to which the data controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests;
  • or is based on the data subject’s explicit consent.

Right to withdraw

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of data management based on consent before its withdrawal.

Rules of procedure

The data controller shall inform the data subject of the measures taken following a request under Articles 15-22 of the GDPR without undue delay and in any event within 1 month of receipt of the request. Where necessary, taking into account the complexity of the request and the number of requests, that period may be extended by a further 2 months. The data controller shall inform the data subject of any such extension within 1 month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. If the data controller does not take action on the data subject’s request, the data controller shall inform the data subject without delay and at the latest within 1 month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. The Szimbiózis Foundation shall provide the requested information and information free of charge.

Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data controller shall communicate any rectification or erasure of personal data or restriction of data management carried out by it to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The data controller shall inform the data subject about those recipients if the data subject requests it.

The data controller shall provide the data subject with a copy of the personal data undergoing processing. For any further copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided in electronic form, unless otherwise requested by the data subject.

Compensation and damages

Any person who has suffered material or non-material damage as a result of an infringement of the data protection regulation shall have the right to receive compensation from the data controller or data processor for the damage suffered. The data controller shall only be liable for damage caused by data management if it has not complied with the obligations laid down in law which are specifically incumbent on data processors. Where more than one data controller or more than one data processor, or both a data controller and a data processor, are involved in the same data management and are liable for damage caused by the data management, each data controller or data processor shall be held jointly and severally liable for the entire damage. The data controller or data processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Complaint to the data protection officer

If you have a problem with the data management of the Szimbiózis Foundation, please contact our data protection officer: György Szilágyi (foglalkoztatas@szimbiozis.net)

Right to appeal to a court

In the event of a violation of his/her rights, the data subject may appeal to the court against the data controller (at the court with jurisdiction according to the registered office of the defendant or the domicile of the data subject, at the data subject’s choice). The court shall act out of turn in the case. The lawsuit initiated in connection with the protection of personal data is free of charge.

Data protection authority procedure

Complaints can be lodged with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information
Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Mailing address: 1530 Budapest, pf.5