Privacy Notice

Privacy Notice of Erzsébet Park Kft.

1. General Provisions

Erzsébet Park Kft., HU-1133 Gogol utca 15, as the operator of Silver Crown Residence, always ensures the legality and purposefulness of the processing of personal data it manages. The purpose of this notice is to provide guests who book accommodation and provide their personal data with appropriate information about the conditions and guarantees under which our company manages their data, and for how long it retains them. Our company is committed to adhering to the provisions of this notice in all cases of personal data processing, and we consider these provisions binding on us.

We reserve the right to change the provisions described in this unilateral legal statement, in which case we will inform the affected parties in advance. If you have any questions regarding the provisions of this notice, please write to us. The data processing activities of our company are based on voluntary consent, and in some cases, data processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract.

Our data processing complies with the relevant laws, particularly the following:

Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”)
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“Info Act”).

Our company’s details and contact information are as follows:

Name: Erzsébet Park Kft.
Address: 1133 Budapest, Gogol utca 15
Company Registration Number: 01-09-866744
Tax Number: 13662077-2-41
Phone Number: +36205562927
Email: reception@silvercrowngroup.com

We provide the following information regarding our data processing activities.

2. Data Processing Related to Online Accommodation Booking

Our company provides the opportunity for online accommodation booking to enable quick, convenient, and cost-free room reservations at Hotel Visegrád.

Controller of personal data: Erzsébet Park Kft., 1133 Budapest, Gogol utca 15
Purpose of data processing: to facilitate, make cost-free, and more efficient the accommodation booking.
Legal basis for data processing: the prior consent of the person booking the accommodation.
Scope of personal data processed: salutation; surname and first name; address (country, postal code, city, street, house number); phone number; email address; in the case of a company, company name and registered office, credit card number, SZÉP card details (identifier, name on the card).
Duration of data processing: two years following the last day of the booked stay.
Use of data processor: our company uses the assistance of an IT service provider for the online accommodation system as follows:

Name of Data Processor	Address	Data Processing Task
D-Edge	SAS 66 rue des archives 75003 PARIS France	Online accommodation booking system
Morgens Kft	Nagykanizsa, Magyar u. 79, 8800	Loyalty program and online accommodation booking system

By accepting this privacy notice, the data subject gives their explicit consent for the Data Processor to use additional data processors to make the service more convenient and personalized as follows:

Name of Data Processor	Address	Data Processing Task
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations, notifications in case of booking, offer, and satisfaction measurement
Hostware Kft	1149 Budapest, Róna utca 120-122	Customer management tasks in case of using the Hostware Front Office hotel system
BIG FISH Payment Services Kft.	1066 Budapest, Nyugati tér 1-2	Managing the data communication required for payment transactions between the merchant and the payment service provider, ensuring the traceability of transactions for merchant partners

Possible consequences of not providing data: no contract will be concluded for the hotel room.

Rights of the data subject: the person whose personal data is processed by our company

may request access to their personal data,
may request their rectification,
may request their deletion,
may request the restriction of processing of personal data under the conditions specified in Article 18 of the GDPR (i.e., that our company does not delete or destroy the data until a court or authority request, but no longer than thirty days, and does not process the data for other purposes), may object to the processing of personal data, may exercise the right to data portability. This latter right entitles the data subject to receive their personal data in Word or Excel format and to request the transfer of these data to another data controller.

Additional information on data processing: our company takes all necessary technical and organizational measures to prevent a possible data protection incident (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of a data protection incident, we maintain a record for the purpose of checking the necessary measures and informing the data subject, which includes the scope of personal data concerned, the scope and number of data subjects affected by the data protection incident, the date, circumstances, effects of the data protection incident, and the measures taken to prevent it, as well as other data specified in the law requiring data processing.

Our company has entered into a data processing agreement for data processing tasks, in which Morgens Kft. undertakes to apply all data protection and data processing guarantees required by the data processing agreement in case of using an additional data processor, ensuring the lawful processing of personal data by the data processor as well.

3. Data Processing Related to Requesting a Quote

Our company provides the opportunity for guests to request quotes electronically. The quote is provided by an automated system, taking into account available capacities.

Controller of personal data: Erzsébet Park Kft., 1133 Budapest, Gogol utca 15
Purpose of data processing: preliminary information about hotel prices
Legal basis for data processing: the prior consent of the person booking the accommodation, Article 6(1)(a) GDPR, and the necessity of data processing to take steps at the request of the data subject prior to the conclusion of the contract – Article 6(1)(b) GDPR
Scope of personal data processed: salutation; surname and first name; phone number; email address; number of hotel guests.
Duration of data processing: two years following the last day of the booked stay.
Use of data processor: Our company uses the assistance of an IT service provider for the operation of the online quote request system as follows:

Name of Data Processor	Address	Data Processing Task
D-Edge	SAS 66 rue des archives 75003 PARIS France	Online accommodation booking system
Morgens Kft	Nagykanizsa, Magyar u. 79, 8800	Loyalty program and online accommodation booking system

Name of Data Processor	Address	Data Processing Task
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations, notifications in case of booking, offer, and satisfaction measurement

Possible consequences of not providing data: The hotel cannot provide a quote.

Rights of the data subject: The person whose personal data is processed by our company

may request access to their personal data,
may request their rectification,
may request their deletion,
may request the restriction of processing of personal data under the conditions specified in Article 18 of the GDPR (i.e., that our company does not delete or destroy the data until a court or authority request, but no longer than thirty days, and does not process the data for other purposes),
may object to the processing of personal data,
may exercise the right to data portability. This right entitles the data subject to receive their personal data in Word or Excel format and to request the transfer of these data to another data controller.

Additional information on data processing: Our company takes all necessary technical and organizational measures to prevent a possible data protection incident (e.g., damage, loss, or unauthorized access to files containing personal data). In the event of a data protection incident, we maintain a record for the purpose of checking the necessary measures and informing the data subject, which includes the scope of personal data concerned, the scope and number of data subjects affected by the data protection incident, the date, circumstances, effects of the data protection incident, and the measures taken to prevent it, as well as other data specified in the law requiring data processing.

4. Data Processing Related to Newsletter Subscription

Our company maintains contact with its guests through newsletters, recommending its services and informing them about news and promotions related to its operations.

Controller of personal data: Erzsébet Park Kft., 1133 Budapest, Gogol utca 15
Purpose of data processing: maintaining contact with potential hotel guests
Legal basis for data processing: the consent of the data subject – Article 6(1)(a) GDPR.
Legitimate interest: maintaining and developing business relationships with partners and hotel guests
Scope of personal data processed: name, email address, phone number
Duration of data processing: Our company processes email addresses until the newsletter subscription is canceled.
Use of data processor: Our company uses the assistance of an IT service provider for the online booking system as follows:

Name of Data Processor	Address	Data Processing Task
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations, notifications in case of booking, offer, and satisfaction measurement
Morgens Kft	Nagykanizsa, Magyar u. 79, 8800	Loyalty program and online accommodation booking system

Name of Data Processor	Address	Data Processing Task
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations, notifications in case of booking, offer, and satisfaction measurement
Morgens Kft	Nagykanizsa, Magyar u. 79, 8800	Loyalty program and online accommodation booking system

Possible consequences of not providing data: The data subject will not receive newsletters from our company.

Rights of the data subject: The person whose personal data is processed by our company

may request access to their personal data,
may request their rectification,
may request their deletion,
may request the restriction of processing of personal data under the conditions specified in Article 18 of the GDPR (i.e., that our company does not delete or destroy the data until a court or authority request, but no longer than thirty days, and does not process the data for other purposes),
may object to the processing of personal data,
may exercise the right to data portability. This right entitles the data subject to receive their personal data in Word or Excel format and to request the transfer of these data to another data controller.
may unsubscribe from the newsletter at any time by sending an email to reception@silvercrowngroup.com or by clicking the unsubscribe button in the newsletter. In this case, we will immediately delete the email address from our database.

Here is the translation of the provided sections into legal English:

5. Data Processing Related to Satisfaction Measurement

As a hotel, our goal is to provide high-quality services to our guests, and therefore we continuously request feedback from our guests about their experiences during their stay at our hotel.

Controller of personal data: Erzsébet Park Kft., 1133 Budapest, Gogol utca 15
Purpose of data processing: requesting feedback from guests to further develop and improve our services.
Legal basis for data processing: the legitimate interest of the hotel operator – Article 6(1)(f) GDPR.
Specification of legitimate interest: our company has a legitimate interest in obtaining information for the development of our services based on feedback.
Scope of personal data processed: name, gender, email address.
Duration of data processing: two years following the last day of the booked stay.

Use of data processor: Our company uses the assistance of an IT service provider for the online booking system as follows:

Name of Data Processor	Address	Data Processing Task
D-Edge	SAS 66 rue des archives 75003 PARIS France	Online accommodation booking system
Morgens Kft	Nagykanizsa, Magyar u. 79, 8800	Loyalty program and online accommodation booking system

Name of Data Processor	Address	Data Processing Task
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	Owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails displaying confirmations, notifications in case of booking, offer, and satisfaction measurement

Possible consequences of not providing data: The data subject will not receive a satisfaction measurement questionnaire from our company.

Rights of the data subject: The person whose personal data is processed by our company

may request access to their personal data,
may request their rectification,
may request their deletion,
may request the restriction of processing of personal data under the conditions specified in Article 18 of the GDPR (i.e., that our company does not delete or destroy the data until a court or authority request, but no longer than thirty days, and does not process the data for other purposes),
may object to the processing of personal data,
may exercise the right to data portability. This right entitles the data subject to receive their personal data in Word or Excel format and to request the transfer of these data to another data controller.

6. Cookie Management

The Controller places a small data package, known as a cookie, on the user’s computer and reads it back during a later visit to provide a personalized service. If the browser returns a previously saved cookie, the service provider managing the cookie can link the user’s current visit to previous ones, but only concerning its own content.

Purpose of data processing: identifying users, tracking them, distinguishing them from each other, identifying the current session of users, storing data provided during the session, preventing data loss, web analytics measurements, personalized service.
Legal basis for data processing: the consent of the data subject.
Scope of data processed: identification number, date, time, and the previously visited page.
Duration of data processing: a maximum of 90 days.

Name of Data Processor	Address	Data Processing Task
DottRoll Kft	Budapest, Fogarasi út 3-5, 1148	Web cookie management

Additional information on data processing: The user can delete the cookie from their computer or disable the use of cookies in their browser. Cookie management is generally available in the Tools/Settings menu of browsers under the Privacy/History/Custom settings menu, under the name cookie, tracking, or similar.

Possible consequences of not providing data: inability to use the services described in sections 2-5 above.

7. Website Server Logging

When visiting the silvercrowngroup.com website, the web server automatically logs the user’s activity.

Purpose of data processing: during the visit to the website, the service provider records visitor data to check the operation of the services and prevent misuse.
Legal basis for data processing: Article 6(1)(f) GDPR. Our company has a legitimate interest in the secure operation of the website.
Scope of personal data processed: identification number, date, time, the address of the visited page.
Duration of data processing: a maximum of 90 days.

Name of Data Processor	Address	Data Processing Task
DottRoll Kft	Budapest, Fogarasi út 3-5, 1148	Web cookie management

Additional information: Our company does not link the data collected during the analysis of log files with other information and does not attempt to identify the user. The addresses of the visited pages, as well as the date and time data, are not sufficient to identify the data subject on their own, but when combined with other data (e.g., data provided during registration), they may be used to draw conclusions about the user.

Data Processing Related to Logging by External Service Providers

The portal’s HTML code contains references from and to external servers independent of our company. The external service provider’s server directly communicates with the user’s computer. We inform our visitors that due to the direct connection to their server and direct communication with the user’s browser, these service providers can collect user data (e.g., IP address, browser, operating system data, mouse pointer movement, the address of the visited page, and the time of the visit). The IP address is a series of numbers that uniquely identifies the computers and mobile devices of users accessing the internet. Using IP addresses, the visitor using a particular computer can be geographically located. The addresses of the visited pages, as well as the date and time data, are not sufficient to identify the data subject on their own, but when combined with other data (e.g., data provided during registration), they may be used to draw conclusions about the user.

8. Other Data Processing

For data processing not listed in this notice, we provide information at the time of data collection. We inform our clients that certain authorities, public bodies, and courts may contact our company to request the disclosure of personal data. Our company will only disclose personal data to these bodies to the extent and in the amount necessary to achieve the purpose of the request, provided that the requesting body specifies the exact purpose and scope of the data, and if the fulfillment of the request is required by law.

9. Method of Storing Personal Data, Data Processing Security

Our company’s IT systems and other data storage locations are located at the headquarters and on servers rented by the data processor. Our company selects and operates the IT tools used for the provision of services in a way that ensures that the processed data:

is accessible to those authorized to access it (availability);
its authenticity and authentication are ensured (authenticity of data processing);
its integrity is verifiable (data integrity);
is protected against unauthorized access (data confidentiality).

We pay special attention to data security and take the necessary technical and organizational measures and establish the procedural rules required to enforce the guarantees provided by the GDPR. We protect the data with appropriate measures, particularly against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as accidental destruction, damage, and inaccessibility due to changes in the technology used. Our company’s and partners’ IT systems and networks are protected against computer-assisted fraud, computer viruses, computer intrusions, and attacks leading to denial of service. The operator ensures security with server-level and application-level protection procedures. Daily data backups are provided. To avoid data protection incidents, our company takes all possible measures, and in the event of such an incident, we act immediately to minimize risks and mitigate damages according to our incident management policy.

10. Rights of Data Subjects, Remedies

The data subject may request information about the processing of their personal data and may request the correction, deletion, or withdrawal of their personal data, except for mandatory data processing, and may exercise their right to data portability and objection in the manner indicated at the time of data collection or through the contact details provided above.

Upon the data subject’s request, we provide the information electronically without delay, but no later than 30 days, in accordance with our relevant policy. We fulfill requests related to the exercise of the rights below free of charge.

Right to Information:

Our company takes appropriate measures to provide all information regarding the processing of personal data referred to in Articles 13 and 14 of the GDPR and each notification referred to in Articles 15–22 and 34 in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.

The right to information can be exercised in writing through the contact details provided in point 1. Upon request, information can also be provided orally to the data subject after verifying their identity. We inform our clients that if our company’s employees have doubts about the identity of the data subject, we may request the provision of information necessary to confirm the data subject’s identity.

Right of Access:

The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed. If personal data is being processed, the data subject has the right to access the personal data and the following information:

the purposes of the data processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries (outside the European Union) or international organizations;
the planned period for which the personal data will be stored;
the right to request rectification, erasure, or restriction of data processing and the right to object to data processing;
the right to lodge a complaint with a supervisory authority;
information on the sources of the data; the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

In addition to the above, where personal data is transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.

Right to Rectification:

This right allows anyone to request the correction of inaccurate personal data concerning them and the completion of incomplete data processed by our company.

Right to Erasure:

The data subject has the right to obtain from us the erasure of personal data concerning them without undue delay where one of the following grounds applies:

the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;
the personal data has been unlawfully processed;
the personal data must be erased to comply with a legal obligation in Union or Member State law to which the data controller is subject;
the personal data has been collected in relation to the offer of information society services.

The right to erasure does not apply to the extent that processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
for reasons of public interest in the area of public health, or for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
for the establishment, exercise, or defense of legal claims.

Right to Restrict Data Processing:

At the request of the data subject, we restrict data processing under the conditions set out in Article 18 of the GDPR, i.e., if: • the data subject contests the accuracy of the personal data, in which case the restriction applies for a period enabling the controller to verify the accuracy of the personal data; • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; • the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; • the data subject has objected to processing pending the verification of whether the legitimate grounds of the controller override those of the data subject. If processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. The data subject shall be informed in advance of the lifting of the restriction on processing.

Right to Data Portability:

The data subject has the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller. Our company can fulfill such a request in Word or Excel format.

Right to Object:

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Automated Individual Decision-Making, Including Profiling:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right shall not apply if the decision: • is necessary for entering into, or performance of, a contract between the data subject and a data controller; • is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or • is based on the data subject’s explicit consent.

Right to Withdraw Consent:

The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Procedural Rules:

The controller shall inform the data subject without undue delay and in any event within one month of receipt of the request under Articles 15 to 22 of the GDPR of the action taken on the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

If the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17, and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Right to Compensation and Damages:

Any person who has suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. The processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage.

The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to Lodge a Complaint with a Supervisory Authority and Judicial Remedy:

The data subject shall have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the GDPR. The supervisory authority shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy.

Complaints can be lodged with the National Authority for Data Protection and Freedom of Information.

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Pf.: 5.
Phone: +36-1-391.1400
Email: ugyfelszolgalat@naih.hu

In the case of translations into foreign languages, the original Hungarian document shall prevail. The translation into foreign languages is for informational purposes only.

Budapest, 01.01.2023