I. General. Besides other general information, this chapter contains the data of the Controller and some processors.
II. Ways of processing. In this chapter you may find specific information (the purpose, grounds and period of processing, the scope of data subjects and the data processed) per each purpose of the processing:
II/2. Contacting us
II/5. Debt collection
II/6. Personal data of partners
III. The rights of the users as data subjects. Here you may find a detailed description of your rights regarding the processing and the related procedure.
IV. Remedies. In this chapter you may find the detailed description of the remedies you can have if our rights related to your personal data are violated.
Company name/ Name: MELBA Kávézó Étterem Korlátolt Felelősségű Társaság
Registered and postal address: 1138 Budapest, Meder utca 9.
Phone: +36 30 161 0162
Tax No: 26746269-2-41
Registration No: 01-09-342532
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
4. The Controller provides its services protecting the personality rights of the visitors of the Website and its clients, in accordance with the law, especially:
- REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
- the Hungarian Civil Code;
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: the Data Protection Act)
6. The Controller may forward personal data to pursue its activities, to the extent required thereto, to data processors as recipients. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
6.1. The accountant of the Controller is considered a data processor:
Company name/ Name: SZEMFÉNYVESZTŐ Bt.
Registered and postal address: 2119 Pécel, Csatári utca 50.
Activities: accountancy, in case no data is provided, the Controller cannot fulfill its activities.
Forwarded personal data: personal data required for invoices, name and address.
6.2. The personal data processed by us are stored at our storage provider as a data processor:
Activities: web storage, in case no data is provided, the Controller cannot fulfill its activities.
Viacom Informatikai Kereskedelmi és Szolgáltató Kft.
Contact: 2225 Üllő, Gyár utca 8.; +36 (1) 348-5000; email@example.com
II. Ways of processing:
7. For complying with bookings made on the Website or on the phone, the Controller shall take and keep the data required for the booking. The processed personal data: name, phone number, email address in case of an online booking, the date and time of the booking. Without a registration the Controller cannot provide its services. The data provided shall be processed by the Controller fit to the purpose, as and to the extent required to provide the services and keep contact as provided for by law.
8. The ground for processing is the performance of the contract. [point (b) of subparagraph 1 of Article 6 of the GDPR]. The Controller will use the personal data only for the purpose known by the data subject at the provision, and shall not forward them or grant access to them to any third parties without any authorization and keep them separately and encrypted. The employees or subcontractors of the Controller shall have access to the personal data.
9. The purpose of processing is to ensure that the Controller fulfills the bookings of the guests as data subjects.
10. Period of processing: 2 weeks after the booked appointment.
11. The recipients of the data are our employees handling the booking.
12. When contacted (e.g. in e-mail or on the phone) for the first time without any previous processing, the Controller processes personal data.
13. The purpose of the processing is keeping contact.
14. The ground for processing is the voluntary consent of the data subject (the visitor) in accordance with point (a) of subparagraph 1 of Article 6 of the GDPR.
15. Period of processing: until the communication lasts or the ground changes (e.g. for entering into an agreement).
16. Providing the personal data is not a condition to entering into an agreement but without it keeping contact may not be granted.
17. The scope of the processed data: the personal data provided by the data subject in the course of making contact, especially his or her name, e-mail address, phone number, job or title.
18. The recipient of the data is our employee dealing with client care or the addressee of the message sent by the data subject or the person handling the matter.
19. The Controller stores, i.e. processes the personal data on the invoices.
20. The purpose of processing is issuing invoices, compliance with the laws for accounting.
21. The ground for processing is compliance with a legal obligation, in accordance with paragraph (1) of Article 159 of Act CXXVII of 2007, and paragraph (2) of Article 169 of Act C of 2000 [point (c) of subparagraph 1 of Article 6 of the GDPR].
22. Processed personal data: name, address, e-mail address, phone number.
23. The data subjects are the natural persons on the invoices.
24. Period of processing: 8 years.
25. The processing shall be made for the purpose of complaint-handling, the Contractor is obligated to keep the complaint.
26. The data subject is the person making a complaint.
27. The ground for processing is compliance with a legal obligation, in accordance with paragraph (7) of Article 17/A of Act CLV of 1997, and paragraph (2) of Article 169 of Act C of 2000 [point (c) of subparagraph 1 of Article 6 of the GDPR].
28. Processed personal data: name, address, e-mail address, phone number.
29. Period of processing: 5 years, as provided for by law.
II/5. Debt collection
30. Data is processed in order to collect our claims.
31. The data subject is the natural person making a contract with us.
32. The ground for processing is the legitimate interest of the Controller to be able to collect its claims [point (f) of subparagraph 1 of Article 6 of the GDPR].
33. Processed personal data: name, address, mother’s name, date and place of birth.
34. Period of processing: the civil law expiry period of 5 year.
35. The recipients of the data: the data may be accessed by our employees dealing with contracts, finances and debt collection, as well as the appointed book-keeping company, and in case of debt-collection, the data may be forwarded to the co-operating agents, i.e. attorneys and debt-collectors.
II/6. Personal data of partners
36. In respect of the Controller’s contractual partners (especially restaurants) which are not its clients, the Controller processes the personal data of natural person partners and the natural person contact persons of the partners not being natural persons (names, home addresses, email addresses, phone numbers of partners and names, phone numbers, email addresses, titles, position the contact persons).
37. The ground for processing is the performance of the contract [point (b) of subparagraph 1 of Article 6 of the GDPR] in case of natural person partners. In respect of natural person contact persons of the partners not being natural persons, the ground for processing is the legitimate interests of the Controller and the partner that their agreement be fulfilled [point (f) of subparagraph 1 of Article 6 of the GDPR].
38. Period of processing: the civil law expiry period of 5 year.
39. In order to monitor the Website, the Controller uses an analytical tool (cookie) which prepares a data string and tracks how the visitors use the internet pages. When a page is viewed, the system generates a cookie in order to record the information related to the visit (pages visited, time spent on the Controller’s pages, browsing data, exits, etc) and installs it on the computer of the visitor but these data cannot be linked to the visitor’s person. This tool is instrumental in improving the ergonomic design of the website, creating and improving a user-friendly website, enhancing the online experience for visitors and preventing data loss. Cookies recognize the computer of the visitor and manage its IP address. Most internet browsers accept cookies, but visitors have the option of deleting or automatically rejecting or allowing them. The visitor has the option to decline the installation of cookies. Since all browsers are different, visitors can set their cookie preferences individually with the help of the browser toolbar. Users might not be able to use certain features on the Website if they decide not to accept cookies. Using cookies, the websites seen by the visitor and the internet use customs of the visitor may be monitored. Only upon revisiting the Website and exclusively the respective service provider can link such data to the person of the visitor. The duration of the storing of such data depends on the type of the cookies. Session cookies erase the data upon closing the Website, Flash-cookies, however may store the data up to one year of inactivity.
40. The ground for processing is the voluntary consent of the data subject (the visitor) in accordance with point (a) of subparagraph 1 of Article 6 of the GDPR.
41. Processed data: browser history, identification No, date, time of visit.
42. The purpose of processing: improvement of the user experience, storing of the data of the respective session, prevention of data loss, identification and tracking of the data subjects, web analytics .
43. In the Menu of most of the browsers, there is a “Help” function providing information for the data subject, in his or her browser
– where to disable cookies,
– how to accept new cookies,
– how to instruct the browser to set new cookies or
– turn off other cookies.
44. Outer servers help the impartial measuring and auditing of the visitor and other web analytics data (Google Analytics and Facebook). The service providers can provide detailed information for the data subject.
44.1. We use Google cookies for visitors’ satisfaction surveys (__utma, __utmb, __utmc, __utmz, PREF, NID, GAPS). Google will store these cookies in your browser.
Further information on the cookies used by Google may be found via this link: http://www.google.com/policies/technologies/ads/.
Description of the Analytics cookies:
44.2. Facebook cookies (datr, reg_ext_ref, reg_fb_gate, reg_fb_ref) are connected to the functions of Facebook, e.g. like and share. These cookies will be stored in your browser for two years. Information regarding the analytics cookies of Facebook:
45. The Controller uses the session cookie ‘PHPSESSID’ which shall be deleted upon closing your browser.
III. The rights of the users as data subjects
46. The data subject may exercise his or her following rights via the contacts of the Controller listed above:
- right to request information on the processing of the personal data and the right of access;
- right to rectification,
- right to request erasure except the cases of obligatory processing,
- right to withdraw the cosent,
- right to data portability,
- Right to objection;
- right to object against automated individual decision-making.
III/1. Right for information and access:
47. The Controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
48. Information may be requested in writing through the contact data of the Controller specified above. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
49. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; the envisaged period for which the personal data will be stored; the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
50. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
51. The Controller shall be obliged to respond to requests from the data subject at the latest within one month.
III/2. Right to rectification:
52. The data subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data and the completion of incomplete personal data concerning him or her.
III/3. Right to erasure (‘right to be forgotten’):
53. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
– the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
– the data subject objects to the processing and there are no overriding legitimate grounds for the processing,;
– the personal data have been unlawfully processed;
– the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
– the personal data have been collected in relation to the offer of information society services.
54. Erasure may not be requested to the extent that processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; for reasons of public interest in the area of public health; for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or for the establishment, exercise or defence of legal claims.
III/4. Right to restriction of processing:
55. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
– the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
– the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
– the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
56. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
57. A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
III/5. Right to data portability:
58. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
III/6. Right to object:
59. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
60. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
III/7. Right to object against automated individual decision-making:
61. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This right may not be exercised if the processing is necessary for entering into, or performance of, a contract between the data subject and a data controller; is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or is based on the data subject’s explicit consent.
III/8. Right of withdrawal:
62. The data subject shall have the right to withdraw his or her consent anytime. The withdraw of the consent shall not affect affecting the lawfulness of processing based on consent before its withdrawal.
III/9. Rules on the procedure of the enforcement of rights:
63. Deadline: The Controller shall provide information on actions taken on a request under Chapter III hereof to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
64. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
65. Information shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request.
66. The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
67. Any person shall have the right to notify the Hungarian National Authority for Data Protection and Freedom of Information (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság; http://www.naih.hu/; registered seat: 1125 Budapest Szilágyi Erzsébet fasor 22/c, post address: 1530 Budapest, Pf.: 5., telephone: +36 (1) 391-1400) and request an investigation alleging an infringement relating to his or her personal data or concerning the exercise of the rights of access to public information or information of public interest, or if there is imminent danger of such infringement. The Authority shall carry out the investigation free of charge; the costs thereof shall be advanced and borne by the Authority.
68. In the event of any infringement of his rights, the data subject may turn to court action against the controller. The court shall hear such cases in priority proceedings. The action shall be heard by the competent tribunal. If so requested by the data subject, the action may be brought before the tribunal in whose jurisdiction the data subject’s home address or temporary residence is located. Data controllers shall be liable for any damage caused to a data subject as a result of unlawful processing or by any breach of data security requirements. The data controller shall also be liable for any damage caused by data processors acting on its behalf. The data controller may be exempted from liability if it proves that the damage was caused by reasons beyond his control. No compensation shall be paid where the damage was caused by intentional or serious negligent conduct on the part of the aggrieved party. Should the data controller infringe the personality rights of the data subject with the illegal control of the data subject’s data or with the breach of data security requirements, the data subject may claim restitution from the data controller.