Privacy notice
(for Employees)

I. General provisions

SH-Fejlesztő Kft., as the operator of Hotel Yacht**** Wellness & Business (address: 8600 Siófok, Vitorlás utca 12-14.; website: https://hotel-yacht.hu), ensures the legality and appropriateness of the processing of personal data it handles at all times. The purpose of this notice is to provide our employees with adequate information about the conditions and guarantees under which their data is processed and for how long. Our company adheres to the provisions outlined in this notice in all cases involving the processing of personal data, considering them mandatory.

Our company's information and contact details are as follows:

• Name: SH-Fejlesztő Kft.
• Registered Office: 8600 Siófok, Vitorlás utca 12-14.
• Company Registration Number: 14-09-314943
• Tax Number: 14861011-2-14
• Representative: György Ecseri, Managing Director
• Phone Number: +36-84-696-020
• Email: info@hotel-yacht.hu
• Website: https://yacht.service4you.hu

(hereinafter referred to as "Data Controller")

Our data processing practices comply with the relevant regulations, particularly the following:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "GDPR");
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Infotv.”);
• Act V of 2013 on the Civil Code;
• Act I of 2012 on the Labour Code (hereinafter “Labour Code”);
• Act LXXX of 1997 on the Provisions of Social Security and Private Pension;
• Act C of 2000 on Accounting;
• Act CL of 2017 on the Rules of Taxation;
• Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (hereinafter “Szvtv.”).
• Below we provide detailed information about our specific data processing practices.

II. Specific data processing practices

1. CCTV monitoring

Our company operates an electronic surveillance system within the premises of Hotel Yacht**** Wellness & Business.

Purpose of Data Processing: To protect the life and physical integrity of individuals within the Hotel Yacht**** Wellness & Business premises and to maintain personal and property security through the use of the electronic surveillance system (CCTV).

• The purpose of CCTV monitoring by the Data Controller is not to carry out employer surveillance as defined in Section 11(1) of the Labour Code.
• Legal Basis for Data Processing:** The explicit voluntary consent of the data subject [GDPR Article 6(1)(a)] and the legitimate interest of the Data Controller as per Szvtv. Sections 26(1)(e) and 31(1)-(4) [GDPR Article 6(1)(f)].

Scope of Personal Data Processed: The image, sound, and behavior of data subjects as recorded by the surveillance cameras.

Retention Period: 3 business days from the entry of the data subject onto the premises of Hotel Yacht**** Wellness & Business, or 30 days in the case of public events.

Engagement of Data Processors: Our company does not engage any data processors for the operation of the electronic surveillance system (CCTV).

Rights of the Data Subject: The individual (whose personal data is processed by our company) has the right to:
a) request information and access regarding the processing of their personal data,
b) request rectification of the data,
c) request deletion of the data,
d) request restriction of data processing under the conditions specified in GDPR Article 18 (i.e., the company shall not delete or destroy the data until a court or authority decision is made, but no longer than thirty days, and shall not process the data for other purposes during this time),
e) object to the processing of their personal data,
f) exercise the right to data portability. This means the data subject is entitled to receive their personal data in Word or Excel format and may request our company to transfer this data to another Data Controller upon request.

Additional Information Regarding Data Processing: Our company takes all necessary technical and organizational measures to prevent any potential data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of such an incident, we maintain a record for monitoring the necessary actions and informing the affected individuals. This record includes details about the personal data involved, the affected parties, the time, circumstances, and impact of the incident, as well as the measures taken to resolve it.

Our company does not have a contract with any data processor for these tasks, but we commit to applying the required data protection and processing guarantees prescribed by the data processor contract if we do engage additional data processors in the future.

2. Processing of employee data

We continuously process the personal data of our employees for the purpose of establishing and maintaining employment relationships and payroll processing.

Purpose of Data Processing: Establishment and maintenance of employment relationships, payroll processing.

Legal Basis for Data Processing: The necessity of fulfilling a contract to which the data subject is a party [GDPR Article 6(1)(b)].

Scope of Data Subjects: Natural persons employed by the Data Controller.

Scope of Personal Data Processed:

Duration of Data Processing: From the time of data provision by the data subject until eight years after the termination of the employment relationship, unless otherwise required by law.

Engagement of Data Processors: Our company engages the following data processor for accounting tasks.

Rights of the Data Subject: The individual (whose personal data is processed by our company) has the right to:

a) request information about the processing of their personal data and access to the data,
b) request the rectification of the data,
c) request the erasure of the data,
d) request the restriction of processing under Article 18 of the GDPR (i.e., to prevent deletion or destruction until the request is reviewed, up to a maximum of thirty days, without processing for other purposes),
e) object to the processing of the personal data,
f) exercise the right to data portability. This means the data subject has the right to receive their personal data in Word or Excel format and to have the data transferred to another controller upon request.

Additional Information on Data Processing: Our company takes all necessary technical and organizational measures to prevent data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, we keep a log for auditing and notifying the data subject. This log includes the scope of the affected data, the number and nature of the data subjects affected, the time of the incident, its circumstances, its impact, and measures taken to mitigate the incident, along with other data as required by law.

Our company has not entered into a data processing agreement for the described tasks. However, should we engage another data processor, we will apply the required data protection and data processing guarantees to ensure the lawful processing of personal data by any data processor involved.

III. Storage and security of personal data

Our company's IT systems and data storage locations are at our headquarters and on servers leased by the data processor. We ensure that the IT tools used in data processing meet the following criteria:

a) accessibility for authorized personnel (availability);
b) guarantee of authenticity and validation (data authenticity);
c) verification of data integrity (data integrity);
d) protection against unauthorized access (data confidentiality).

We take special care to secure the data, implementing both technical and organizational measures, as well as establishing procedural rules to guarantee compliance with GDPR standards. We protect the data against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, and accidental destruction, damage, or inaccessibility due to technological changes.

Our company's and partners’ IT systems and networks are protected against computer fraud, viruses, cyberattacks, and denial-of-service attacks. The operator ensures security through both server-level and application-level protective measures. Daily backups of the data are in place. In the event of a data protection incident, we act immediately in accordance with our internal policies to minimize risks and eliminate damages.

IV. Rights of data subjects and remedies

Data subjects have the right to request information about the processing of their personal data, as well as to request the correction or, except for mandatory data processing, deletion, and withdrawal of their data. They may also exercise their right to data portability and the right to object, as indicated at the time of data collection or through the contact details provided above.

Upon the data subject’s request, the information is provided electronically without delay, but no later than within 30 days, in accordance with our internal policy. Requests related to the exercise of the rights listed below are fulfilled free of charge.

Right to Information:

Our company takes appropriate measures to provide all information regarding the processing of personal data mentioned in Articles 13 and 14 of the GDPR, and the information required by Articles 15–22 and 34, in a concise, transparent, understandable, and easily accessible manner, clearly and simply, while ensuring precision.

The right to information can be exercised in writing through the contact details provided in point 1. Upon request, and after verifying the identity of the data subject, information can also be provided orally. We inform our clients that if our employees have doubts about the identity of the data subject, we may request additional information necessary to confirm the identity.

Right of Access:

The data subject has the right to receive feedback from the Data Controller on whether their personal data is being processed. If such processing is taking place, the data subject is entitled to access the personal data and the following information:

• The purposes of processing;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom the personal data has been or will be disclosed, including especially recipients in third countries (outside the European Union) or international organizations;
• The planned duration of personal data storage;
• The right to rectification, erasure, restriction of processing, and the right to object;
• The right to lodge a complaint with a supervisory authority;
• Information on the data sources; the existence of automated decision-making, including profiling, and understandable information about the applied logic and the significance and expected consequences of such processing for the data subject.

In addition to the above, if personal data is transferred to a third country or international organization, the data subject is entitled to be informed about the appropriate safeguards for such transfers.

Right to Rectification:

Anyone may request the correction of inaccurate personal data processed by our company concerning them and the completion of incomplete data.

Right to Erasure:

The data subject has the right to request the deletion of their personal data without undue delay if one of the following grounds applies:

a) The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b) The data subject withdraws their consent on which the processing is based, and there is no other legal ground for the processing;
c) The data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
d) The personal data has been unlawfully processed;
e) The personal data must be erased to comply with a legal obligation under European Union or Member State law applicable to the Data Controller;
f) The personal data was collected in connection with offering information society services.

Data deletion cannot be initiated if the processing is necessary for the following purposes:
a) Exercising the right of freedom of expression and information;
b) Compliance with a legal obligation requiring processing under European Union or Member State law applicable to the Data Controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
c) Reasons of public interest in the area of public health, or for archival, scientific, historical research, or statistical purposes in the public interest;
d) Or for the establishment, exercise, or defense of legal claims.

Right to Restrict Processing:

The data subject has the right to request restriction of processing under the conditions set out in Article 18 of the GDPR, such as:
a) If the data subject contests the accuracy of the personal data, the restriction applies for the period necessary for the Data Controller to verify the accuracy of the personal data;
b) If the processing is unlawful, and the data subject opposes the erasure of the data and instead requests the restriction of its use;
c) If the Data Controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims; or
d) If the data subject has objected to the processing; in such cases, the restriction applies until it is determined whether the Data Controller’s legitimate grounds override those of the data subject.

If processing is restricted, the personal data, with the exception of storage, shall only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State. The data subject must be informed in advance about lifting the restriction.

Right to Data Portability:

The data subject has the right to receive the personal data they provided to the Data Controller in a structured, commonly used, and machine-readable format, and to transmit those data to another Data Controller. Our company can fulfill such a request in Word or Excel format.

Right to Object:

If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such purposes, including profiling related to direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.

Right Not to be Subject to Automated Individual Decision-Making, Including Profiling:

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right does not apply if the processing:
a) Is necessary for entering into, or the performance of, a contract between the data subject and the Data Controller;
b) Is authorized by European Union or Member State law applicable to the Data Controller, which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests;
c) Or is based on the data subject’s explicit consent.

Right to Withdraw Consent:

The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Procedural Rules:

The Data Controller shall inform the data subject without undue delay, but no later than within one month from the receipt of the request, of the actions taken upon the request made under Articles 15–22 of the GDPR. If necessary, considering the complexity of the request and the number of requests, this period may be extended by an additional two months. The Data Controller shall inform the data subject of any extension within one month of receipt of the request, along with the reasons for the delay.

If the data subject submitted the request electronically, the information will be provided electronically unless otherwise requested by the data subject.

If the Data Controller does not take action on the data subject's request, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The Data Controller shall inform each recipient to whom the personal data has been disclosed of any rectification or erasure of personal data or restriction of processing unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about these recipients upon request.

Compensation and Damages:

Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the Data Controller or processor for the damage suffered. The processor shall be liable for damages caused by processing only where it has not complied with the obligations of the GDPR specifically directed to processors or acted contrary to lawful instructions of the Data Controller. Where multiple Data Controllers or processors are involved, they shall be jointly and severally liable for the entire damage.

The Data Controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to Seek Judicial Remedy and Data Protection Authority Procedures:

If the data subject believes that the Data Controller has violated their right to the protection of personal data during processing, they may seek a remedy from the competent authorities as follows:

– File a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.;
Website: www.naih.hu;
Email: ugyfelszolgalat@naih.hu;
Phone: +36-1-391-1400

– Bring the case before the competent court.
The court will proceed in an expedited manner.
The Data Controller commits to cooperating with the data subject, the court, or the NAIH during such procedures, providing all necessary information about the data processing.

V. Miscellaneous provisions

The Data Controller undertakes that all data processing related to its activities complies with the provisions of this privacy notice, its internal policies (which meet the same requirements as this notice), and the applicable legislation.

The Data Controller reserves the right to amend this privacy notice at any time and will notify affected individuals via a notice posted in the office of Hotel Yacht**** Wellness & Business once the changes have been implemented.

If you have any questions regarding the content of this notice, please send us an email.

Last updated: January 1, 2020.