Privacy notice
(for Partners)

I. General provisions

SH-Fejlesztő Kft., as the operator of Hotel Yacht**** Wellness & Business (address: 8600 Siófok, Vitorlás utca 12-14.; website: https://hotel-yacht.hut), ensures the legality and appropriateness of the processing of personal data it handles at all times. The purpose of this notice is to provide our partners (contractors and associates) with adequate information about the conditions and guarantees under which their data is processed and for how long. Our company adheres to the provisions outlined in this notice in all cases involving the processing of personal data, considering them mandatory.

Our company's information and contact details are as follows:

• Name: SH-Fejlesztő Kft.
• Registered Office: 8600 Siófok, Vitorlás utca 12-14.
• Company Registration Number: 14-09-314943
• Tax Number: 14861011-2-14
• Representative: Péter Havas, Managing Director
• Phone Number: +36-84-696-020
• E-mail: info@hotel-yacht.hu
• Website: https://yacht.service4you.hu

(hereinafter referred to as "Data Controller")

Our data processing practices comply with the relevant regulations, particularly the following:

• Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) – on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "GDPR");
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Infotv.”);
• Act V of 2013 on the Civil Code;
• Act I of 2012 on the Labour Code (hereinafter “Labour Code”);
• Act LXXX of 1997 on the Provisions of Social Security and Private Pension;
• Act C of 2000 on Accounting;
• Act CL of 2017 on the Rules of Taxation;
• Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (hereinafter “Szvtv.”).
• We provide the following information regarding our specific data processing activities.

II. Specific data processing practices

1. CCTV monitoring

Our company operates an electronic surveillance system within the premises of Hotel Yacht**** Wellness & Business.

Purpose of Data Processing: To protect the life and physical integrity of individuals within the Hotel Yacht**** Wellness & Business premises and to maintain personal and property security through the use of the electronic surveillance system (CCTV).

The purpose of CCTV monitoring by the Data Controller is not to carry out employer surveillance as defined in Section 11(1) of the Labour Code.

Legal Basis for Data Processing: The explicit voluntary consent of the data subject [GDPR Article 6(1)(a)] and the legitimate interest of the Data Controller as per Szvtv. Sections 26(1)(e) and 31(1)-(4) [GDPR Article 6(1)(f)].

Scope of Personal Data Processed: The image, sound, and behavior of data subjects as recorded by the surveillance cameras.

Retention Period: 3 business days from the entry of the data subject onto the premises of Hotel Yacht**** Wellness & Business, or 30 days in the case of public events.

Engagement of Data Processors: Our company does not engage any data processors for the operation of the electronic surveillance system (CCTV).

Rights of the Data Subject: The individual (whose personal data is processed by our company) has the right to:
a) request information and access regarding the processing of their personal data,
b) request rectification of the data,
c) request deletion of the data,
d) request restriction of data processing under the conditions specified in GDPR Article 18 (i.e., the company shall not delete or destroy the data until a court or authority decision is made, but no longer than thirty days, and shall not process the data for other purposes during this time),
e) object to the processing of their personal data,
f) exercise the right to data portability. This means the data subject is entitled to receive their personal data in Word or Excel format and may request our company to transfer this data to another Data Controller upon request.

Additional Information Regarding Data Processing: Our company takes all necessary technical and organizational measures to prevent any potential data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of such an incident, we maintain a record for monitoring the necessary actions and informing the affected individuals. This record includes details about the personal data involved, the affected parties, the time, circumstances, and impact of the incident, as well as the measures taken to resolve it.

Our company does not have a contract with any data processor for these tasks, but we commit to applying the required data protection and processing guarantees prescribed by the data processor contract if we do engage additional data processors in the future.

2. Processing of partners' data

We continuously process the personal data of our partners (contractors and associates) for purposes related to contract management, communication, and invoicing.

Purpose of Data Processing: Communication, invoicing, and managing contracts with partners (contractors and associates).

Legal Basis for Data Processing: The necessity of fulfilling a contract to which the data subject is a party [GDPR Article 6(1)(b)].

Scope of Data Subjects: Natural persons who are partners, and the representatives and contacts of legal entities who are partners.

Scope of Personal Data Processed: The name, address, email address, and phone number of natural person partners, and the name, email address, and phone number of representatives or contacts of legal entity partners.

Retention Period: From the time personal data is provided by the data subject until 5 years after the fulfillment of the contract (statutory limitation period). In case of issuing an invoice, the retention period is 8 years from the date of issuance, in line with accounting requirements.

Engagement of Data Processors: Our company engages the following data processor for accounting tasks:

Rights of the Data Subject: The individual (whose personal data is processed by our company) has the right to:

a) request information and access regarding the processing of their personal data,
b) request rectification of the data,
c) request deletion of the data,
d) request restriction of data processing under the conditions specified in GDPR Article 18 (i.e., the company shall not delete or destroy the data until a court or authority decision is made, but no longer than thirty days, and shall not process the data for other purposes during this time),
e) object to the processing of their personal data,
f) exercise the right to data portability. This means the data subject is entitled to receive their personal data in Word or Excel format and may request our company to transfer this data to another Data Controller upon request.

Additional Information on Data Processing: Our company takes all necessary technical and organizational measures to prevent potential data protection incidents (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of an incident, we maintain a log for reviewing the necessary measures and informing the affected individuals. This log includes the scope of the affected personal data, the scope and number of individuals impacted, the time, circumstances, and effects of the data protection incident, as well as the measures taken to mitigate it and other data specified by applicable data processing regulations.

Our company has not entered into a data processing agreement for these tasks. However, should we engage an additional data processor, we will mandatorily apply the necessary data protection guarantees required by such an agreement, ensuring the lawful processing of personal data by any data processor.

III. Storage and security of personal data

Our company’s IT systems and other data storage facilities are located at our headquarters and on servers leased by the data processor. We select and operate the IT tools used for data processing in a way that ensures the processed data:

a) Is accessible to authorized personnel (availability);
b) Has its authenticity and validation ensured (data authenticity);
c) Has its integrity verified (data integrity);
d) Is protected against unauthorized access (data confidentiality).

We pay special attention to data security and take the necessary technical and organizational measures, as well as establish procedural rules, to ensure compliance with GDPR standards. We protect the data particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental destruction, damage, and inaccessibility due to technological changes.

Our company and its partners' IT systems and networks are protected against computer fraud, viruses, hacking, and denial-of-service attacks. The operator ensures security through server-level and application-level protective measures. Daily data backups are also provided. To avoid data protection incidents, our company takes all possible measures, and in the event of such an incident, we act promptly—according to our internal policies—to minimize risks and eliminate damages.

IV. Rights of data subjects and remedies

Data subjects may request information about the processing of their personal data and may also request the correction, deletion (except in cases of mandatory data processing), or withdrawal of their data. They may also exercise their right to data portability and the right to object, as indicated at the time of data collection or via the contact details provided above.

Upon the data subject’s request, information is provided electronically without delay, but no later than 30 days, in accordance with our internal policy. Requests relating to the exercise of the following rights are fulfilled free of charge.

Right to Information:

Our company takes appropriate measures to provide all information regarding personal data processing mentioned in Articles 13 and 14 of the GDPR, and the information required by Articles 15–22 and 34, in a concise, transparent, understandable, and accessible manner, ensuring clarity and precision.

The right to information can be exercised in writing through the contact details provided in point 1. Upon request, and after verifying the identity of the data subject, information can also be provided orally. We inform our clients that if our employees have doubts about the identity of the data subject, we may request additional information necessary to confirm the identity.

Right of Access:

The data subject has the right to receive confirmation from the Data Controller regarding whether their personal data is being processed. If such processing is taking place, the data subject is entitled to access the personal data and the following information:

• The purposes of processing;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom the personal data has been or will be disclosed, including particularly recipients in third countries (outside the European Union) or international organizations;
• The planned duration of personal data storage;
• The right to rectification, erasure, restriction of processing, and the right to object;
• The right to lodge a complaint with a supervisory authority;
• Information about the sources of the data; the existence of automated decision-making, including profiling, and comprehensible information on the applied logic and the significance and expected consequences of such processing for the data subject.

Additionally, in the case of the transfer of personal data to a third country or an international organization, the data subject has the right to be informed about the appropriate safeguards for such transfers.

Right to Rectification:

Any person may request the correction of inaccurate personal data processed by our company concerning them and the completion of incomplete data.

Right to Erasure:

The data subject has the right to request the deletion of their personal data without undue delay if one of the following grounds applies:

a) The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
b) The data subject withdraws their consent on which the processing is based, and there is no other legal ground for the processing;
c) The data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
d) The personal data has been unlawfully processed;
e) The personal data must be erased to comply with a legal obligation under European Union or Member State law applicable to the Data Controller;
f) The personal data was collected in connection with offering information society services.

Data deletion cannot be initiated if processing is necessary for the following purposes:
a) Exercising the right of freedom of expression and information;
b) Compliance with a legal obligation requiring processing under European Union or Member State law applicable to the Data Controller, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller;
c) Public health, archival, scientific, historical research, or statistical purposes based on the public interest;
d) Or for the establishment, exercise, or defense of legal claims.

Right to Restrict Processing:

The data subject has the right to request the restriction of processing under Article 18 of the GDPR if:
a) The accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
b) The processing is unlawful, and the data subject opposes the erasure of the data and requests the restriction of its use instead;
c) The Data Controller no longer needs the personal data for processing purposes, but the data subject requires it for the establishment, exercise, or defense of legal claims; or
d) The data subject has objected to processing; in such cases, the restriction applies until it is determined whether the Data Controller’s legitimate grounds override those of the data subject.

If processing is restricted, the personal data, with the exception of storage, may only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State. The data subject must be informed in advance about lifting the restriction.

Right to Data Portability:

The data subject has the right to receive the personal data they provided to the Data Controller in a structured, commonly used, and machine-readable format, and to transmit those data to another Data Controller. Our company can fulfill such a request in Word or Excel format.

Right to Object:

If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such purposes, including profiling related to direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.

Automated Individual Decision-Making, Including Profiling:

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right does not apply if:
) Processing is necessary for entering into, or the performance of, a contract between the data subject and the Data Controller;
b) Processing is authorized by European Union or Member State law applicable to the Data Controller, which also lays down suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests;
c) Or processing is based on the data subject’s explicit consent.

Right to Withdraw Consent:

The data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Procedural Rules:

The Data Controller shall inform the data subject without undue delay, but no later than one month from the receipt of the request, of the actions taken upon the request made under Articles 15–22 of the GDPR. If necessary, considering the complexity and number of requests, this period may be extended by an additional two months. The Data Controller shall inform the data subject of any extension within one month of receipt of the request, along with the reasons for the delay.

If the data subject submitted the request electronically, the information will be provided electronically unless otherwise requested by the data subject.

If the Data Controller does not take action on the data subject's request, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The Data Controller shall inform each recipient to whom the personal data has been disclosed of any rectification or erasure of personal data or restriction of processing unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about these recipients upon request.

Compensation and Damages:

Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the Data Controller or processor for the damage suffered. The processor shall be liable for damages caused by processing only where it has not complied with the obligations of the GDPR specifically directed to processors or acted contrary to lawful instructions of the Data Controller. Where multiple Data Controllers or processors are involved, they shall be jointly and severally liable for the entire damage.

The Data Controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to Seek Judicial Remedy and Data Protection Authority Procedures:

If the data subject believes that the Data Controller has violated their right to the protection of personal data during processing, they may seek a remedy from the competent authorities as follows:

– File a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH):
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.;
Website: www.naih.hu;
Email: ugyfelszolgalat@naih.hu;
Phone: +36-1-391-1400

– Bring the case before the competent court.
The court will proceed in an expedited manner.
The Data Controller commits to cooperating with the data subject, the court, or the NAIH during such procedures, providing all necessary information about the data processing.

V. Miscellaneous provisions

The Data Controller undertakes that all data processing related to its activities complies with the provisions of this privacy notice, its internal policies (which meet the same requirements as this notice), and the applicable legislation.

The Data Controller reserves the right to amend this privacy notice at any time and will notify affected individuals via a notice posted in the office of Hotel Yacht**** Wellness & Business once the changes have been implemented.

If you have any questions regarding the content of this notice, please send us an email.

Last updated: January 1, 2020.