Introduction
The Hungarian Camping Association (headquarters: 8649 Balatonberény, Gábor Áron u. 1.), (hereinafter referred to as the Service Provider, Data Controller) submits to the following policy:
According to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation), the following information is provided.
This privacy notice governs the processing of data on the following website: https://camping.hu/en/
The privacy notice is available at: https://camping.hu/en/adatvedelem/
Amendments to this notice will enter into force upon publication at the above address.
The data controller and its contact details
Name: Hungarian Camping Association
Registered office: 8649 Balatonberény, Gábor Áron u. 1.
E-mail: info@camping.hu
Tax number: 18072309-1-14
Definition of terms
(1) “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(3) ‘controller’ means a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for the designation of the controller may also be determined by Union or Member State law;
(4) ‘processor’ means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a controller;
(5) ‘recipient’ means a natural or legal person, public authority, agency or any other body to whom or with which personal data are disclosed, whether or not a third party. Public authorities which may have access to personal data in the context of an individual investigation in accordance with Union or Member State law are not recipients; the processing of those data by those public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;
(6) ‘the data subject’s consent’ means a freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies, by a statement or by an act expressing his or her unambiguous consent, that he or she signifies his or her agreement to the processing of personal data concerning him or her;
(7) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
Principles governing the processing of personal data
Personal data:
- (a) be processed lawfully and fairly and in a transparent manner for the data subject (“lawfulness, fairness and transparency”);
- (b) be collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (‘purpose limitation’);
- (c) they must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (‘data minimisation’);
- (d) accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without undue delay (‘accuracy’);
- (e) be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the personal data will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures as provided for in this Regulation to safeguard the rights and freedoms of data subjects (‘limited storage’);
- (f) processing must be carried out in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (‘integrity and confidentiality’), by implementing appropriate technical or organisational measures.
The controller is responsible for compliance with the above and must be able to demonstrate such compliance (“accountability”).
The controller declares that its processing is in accordance with the principles set out in this point.
Certain processing
Contacting
1. The fact of data collection, the scope of data processed and the purpose of data processing:
The e-mail address does not need to contain personal data.
2. Data subjects: all data subjects who send a message via the contact form.
3. Duration of data processing, deadline for deletion of data: If one of the conditions of Article 17(1) GDPR is met, until the data subject’s request for erasure.
4. The identity of the potential controllers who are entitled to access the data, the recipients of the personal data: The personal data may be processed by authorised staff of the controller.
5. Description of the data subjects’ rights in relation to data processing: The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and the data subject has the right to data portability and the right to withdraw consent at any time.
6. The data subject may request access to, erasure, rectification or restriction of the processing of personal data, or portability of the data, in the following ways:
- by post to the address at 8360 8649 Balatonberény, Gábor Áron u. 1,
- by e-mail to the e-mail address info@camping.hu,
7. Legal basis for processing: consent of the data subject, Article 6 (1) (a), (b) and (c). By contacting us, you consent to the processing of your personal data (name, telephone number, e-mail address) in accordance with this notice.
8. We inform you that
- the present processing is based on your consent or is necessary to make an offer or, in the case of a contractual relationship, is based on a legal obligation (cooperation).
- You are required to provide personal data in order to contact us.
- failure to provide the data will result in your inability to contact the Service Provider.
Customer contact
1. The fact of data collection, the scope of data processed and the purpose of data processing:
2. Data subjects: all data subjects who have a telephone/e-mail/personal contact or contractual relationship with the data controller.
3.Duration of processing, time limit for deletion of data: Letters of enquiry will be kept until the data subject requests their deletion, up to a maximum of 2 years.
4.Identity of the potential controllers of the data, recipients of the personal data: The personal data may be processed by authorised staff of the controller, in compliance with the principles set out above.
5.Description of the data subjects’ rights in relation to data processing: The data subject may request the controller to access, rectify, erase or restrict the processing of personal data relating to him or her, and the data subject has the right to data portability and the right to withdraw consent at any time.
6.The data subject may request access to, erasure, rectification or restriction of the processing of personal data, or portability of the data, in the following ways:
- by post to the address at 8360 8649 Balatonberény, Gábor Áron u. 1,
- by e-mail to the e-mail address info@camping.hu,
7.Legal basis of data processing:
7.1 GDPR Article 6 (1) (b) and (c).
7.2. 5 years in case of enforcement of claims arising from the contract pursuant to § 6:21 of Act V of 2013 on the Civil Code.
§ 6:22 [Limitation period]
- (1) Unless otherwise provided by this Act, claims shall be time-barred after five years.
- (2) The limitation period shall begin to run when the claim becomes due.
- (3) An agreement to change the limitation period shall be in writing.
- (4) An agreement excluding the limitation period is void.
8.Please note that
- the processing is necessary for the performance of a contract and the making of an offer.
- You are obliged to provide the personal data in order for us to be able to perform the contract/fulfil your other requests.
- failure to provide the data will result in our inability to fulfil your order/contract or process your request.
Complaints handling
1.The fact of data collection, the scope of data processed and the purpose of data processing:
2. Stakeholders: All data subjects who have a complaint on the website.
3. Duration of data processing, deadline for deletion of data: Copies of the record, transcript and reply to the objection shall be kept for 5 years pursuant to Article 17/A (7) of Act CLV of 1997 on Consumer Protection.
4. The identity of the potential data controllers entitled to access the data, the recipients of the personal data: The personal data may be processed by the sales and marketing staff of the controller, in compliance with the above principles.
5.Description of data subjects’ rights in relation to data processing: The data subject may request the controller to access, rectify, erase or restrict the processing of personal data concerning him or her, and the data subject has the right to data portability and the right to withdraw consent at any time.
6. The data subject may request access to, erasure, rectification or restriction of the processing of personal data, or portability of the data, in the following ways:
- by post at the address 1, Gábor Áron u., 8649 Balatonberény, 8649 Balatonberény,
- by e-mail to the e-mail address info@camping.hu,
7. Legal basis for data processing: article 6 (1) (c) of the GDPR and article 17/A (7) of the Consumer Protection Act of 1997 CLV.
8. We inform you that we are subject to the provisions
- The provision of personal data is based on a legal obligation.
- The processing of personal data is a precondition for the conclusion of the contract.
- The obligation to provide personal data in order for us to be able to deal with your complaint.
- failure to provide the data will result in our inability to handle your complaint.
Recipients to whom personal data are disclosed
“recipient” means a natural or legal person, public authority, agency or any other body with whom or to which personal data is disclosed, whether or not a third party.
Processors (those who carry out processing on behalf of the controller)
The controller uses processors to facilitate its own processing activities and to fulfil its contractual and legal obligations with data subjects.
The controller shall place great emphasis on using only processors that offer adequate guarantees to implement appropriate technical and organisational measures to ensure compliance with the requirements of the GDPR and to protect the rights of data subjects.
The processor and any person acting under the control of the controller or the processor who has access to the personal data shall process the personal data covered by this notice only in accordance with the instructions of the controller.
The controller shall be legally responsible for the activities of the processor. The processor shall only be liable for damage caused by the processing if it has failed to comply with the obligations expressly imposed on processors by the GDPR or if it has disregarded or acted contrary to lawful instructions from the controller.
The processor has no substantive decision-making power with regard to the processing of the data.
The data controller may use a hosting service provider to provide the IT back-up and a courier service as a data processor for the delivery of the ordered products.
Some data processors
Data processing activities:
Hosting, web development
- Name: Bábelhal Webstudio Kft.
- Address, contact details: 8360 Keszthely, Kossuth Lajos utca 35.
Management of cookies (cookie)
1. Cookies specific to webshops are the so-called “password-protected session cookies”, “security cookies”, “essential cookies”, “functional cookies” and “cookies responsible for the management of website statistics”, the use of which does not require prior consent from the data subject.
2. The fact of processing, the scope of the data processed: Unique identification number, dates, times
3. Data subjects: all data subjects visiting the website.
4. Purpose of processing:Identification of users and tracking of visitors.
5. Duration of processing, time limit for deletion of data:
Persistent or saved cookies
Statistical cookies
Persistent or saved cookies: until the deletion of the data subject
Statistical cookies: 1-2 months
6. Possible data controllers who are entitled to know the data: no personal data are processed by the data controller through the use of cookies.
7. Description of data subjects’ rights in relation to data processing: data subjects have the possibility to delete cookies in the Tools/Preferences menu of their browsers, usually under the Privacy settings.
8. Legal basis for processing:
No consent is required from the data subject where the sole purpose of the use of cookies is to provide a communication over an electronic communications network or where it is strictly necessary for the service provider to provide an information society service expressly requested by the subscriber or user.
9. Most browsers used by our users allow you to set which cookies should be saved and allow (certain) cookies to be deleted again. If you restrict the saving of cookies on specific websites or do not allow third party cookies, this may in certain circumstances lead to our website no longer being fully usable. Here you will find information on how to customise your cookie settings for standard browsers:
Google Chrome (https://support.google.com/chrome/answer/95647?hl=hu)
Internet Explorer (https://support.microsoft.com/hu-hu/help/17442/windows-internet-explorer-delete-manage-cookies)
Firefox (https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn)
Safari (https://support.apple.com/hu-hu/guide/safari/sfri11471/mac)
Use Google and Facebook services
Google Analytics
1. This website uses Google Analytics, a web analytics service provided by Google Inc (“Google”). Google Analytics uses so-called “cookies”, text files that are saved on your computer to help analyse the use of the website visited by the User.
2. The information generated by the cookie about the website you use is usually transmitted to and stored by Google on servers in the United States. By activating the IP anonymisation on the website, Google will previously shorten the User’s IP address within the Member States of the European Union or in other states party to the Agreement on the European Economic Area.
3. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity for the website operator and to provide other services relating to website activity and internet usage.
4. The IP address transmitted by the User’s browser within the framework of Google Analytics will not be merged with other data held by Google. The storage of cookies may be prevented by the User by means of the appropriate browser settings, but please note that in this case not all functions of this website may be fully functional. You may also prevent Google from collecting and processing information about your use of the website (including your IP address) by means of cookies by downloading and installing the browser plug-in available at https://tools.google.com/dlpage/gaoptout?hl=hu
Social Media pages
1. Fact of data collection, scope of data processed:
Name registered on Facebook / Twitter / Pinterest / Youtube / Instagram etc. social networking sites and public profile picture of the user.
2. Scope of data subjects:
All data subjects who have registered on Facebook / Twitter / Pinterest / Youtube / Instagram etc. and have “liked” the Service Provider’s social networking site or contacted the data controller via the social networking site.
3. Purpose of data collection:
To share or “like”, follow or promote certain content, products, promotions or the website itself on social networking sites.
4. Duration of data processing, time limit for deletion of data, identification of potential data controllers and description of data subjects’ rights in relation to data processing. The data are processed on the social networking sites, so the duration of the processing, the way in which the data are processed and the possibilities for deleting and modifying the data are governed by the rules of the social networking site concerned.
5. Legal basis for processing: the data subject’s voluntary consent to the processing of his or her personal data on social networking sites.
Customer relations and other data management
1. Should the data controller have any questions or problems when using our services, the data subject may contact the data controller using the methods provided on the website (telephone, e-mail, social networking sites, etc.).
2. The data controller will delete the received e-mails, messages, data provided by telephone, Facebook, etc., together with the name and e-mail address of the interested party and other personal data voluntarily provided by the interested party, after a maximum of 2 years from the date of the communication.
3. We will provide information on data processing not listed in this information notice at the time of data collection.
4. The Service Provider shall be obliged to provide information, to disclose data, to hand over data or to make documents available in response to exceptional requests from public authorities or other bodies authorised by law.
5. In these cases, the Service Provider shall only disclose personal data to the requesting party – provided that the exact purpose and scope of the data have been specified – to the extent and to the extent that is indispensable for the purpose of the request.
Rights of the data subjects
1. Right of access
You have the right to receive feedback from the controller as to whether or not your personal data are being processed and, if such processing is taking place, the right to access your personal data and the information listed in the Regulation.
2. Right to rectification
You have the right to have inaccurate personal data relating to you corrected by the controller without undue delay upon your request. Taking into account the purposes of the processing, you have the right to request the rectification of incomplete personal data, including by means of a supplementary declaration.
3. Right to erasure
You have the right to obtain from the controller the erasure of personal data relating to you without undue delay upon your request, and the controller is obliged to erase personal data relating to you without undue delay under certain conditions.
4. Right to be forgotten
If the controller has disclosed the personal data and is under an obligation to erase it, it will take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that you have requested the erasure of the links to or copies of the personal data in question.
5. Right to restriction of processing
You have the right to obtain, at your request, the restriction of processing by the controller if one of the following conditions is met:
- You contest the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the data and instead request the restriction of their use;
- the controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
- you have objected to the processing; in this case, the restriction applies for a period of time until it is established whether the controller’s legitimate grounds override your legitimate grounds.
6. Right to data portability
You have the right to receive the personal data concerning you which you have provided to a controller in a structured, commonly used, machine-readable format and the right to transmit these data to another controller without hindrance from the controller to whom you have provided the personal data (…)
7. Right to object
For processing based on legitimate interest or public authority as legal grounds, you have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data by (…), including profiling based on the aforementioned provisions.
8. Objection in case of direct marketing
Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such purposes, including profiling, where it is related to direct marketing. If you object to the processing of your personal data for direct marketing purposes, your personal data may no longer be processed for those purposes.
9. Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
The previous paragraph shall not apply where the decision:
- necessary for the conclusion or performance of a contract between you and the controller;
- it is permitted by Union or Member State law applicable to the controller which also lays down appropriate measures to protect your rights and freedoms and legitimate interests; or
- is based on your explicit consent.
Time limit for taking action
The controller shall inform you of the action taken on the above requests without undue delay and in any event within 1 month of receipt of the request.
If necessary, this may be extended by 2 months. The controller shall inform you of the extension, stating the reasons for the delay, within 1 month of receipt of the request.
If the controller does not take action on your request, it shall inform you without delay and at the latest within one month of receipt of the request of the reasons for the non-action and of your right to lodge a complaint with a supervisory authority and to seek judicial remedy.
Security of processing
The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the scale of the risk, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons, including, where appropriate:
- (a) the pseudonymisation and encryption of personal data;
- (b) ensuring the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data;
- (c) the ability to restore access to and availability of personal data in the event of a physical or technical incident in a timely manner;
- (d) a procedure to test, assess and evaluate regularly the effectiveness of the technical and organisational measures taken to ensure the security of data processing.
- (e) The data processed shall be stored in such a way that unauthorised persons cannot have access to them. In the case of paper-based data carriers, by establishing physical storage and filing arrangements, and in the case of data in electronic form, by using a centralised access management system.
- (f) The method of storing the data by computerised means shall be such that their deletion can be carried out at the end of the deletion period, taking into account any different deletion deadline, or if otherwise necessary. Erasure shall be irreversible.
- (g) Paper-based data media shall be destroyed by shredding or by using an external organisation specialised in shredding. In the case of electronic data media, physical destruction and, where necessary, prior secure and irretrievable deletion of the data shall be ensured in accordance with the rules on the disposal of electronic data media.
- h) The controller shall take the following specific data security measures:
- i. Documents shall be stored in a secure, well-lockable dry room.
- ii. The Service Provider’s building and premises are equipped with fire and property protection equipment.
- iii. Personal data may be accessed only by authorised persons and not by third parties.
- iv. The Service Provider’s employees who process personal data may leave the premises where the data are processed only by locking the data media entrusted to them or by locking the premises.
- v. Where personal data processed on paper are digitised, the rules applicable to digitally stored documents shall apply.
- i. Computers and mobile devices (other data carriers) used in the course of data processing are the property of the Service Provider.
- ii. Access to the data on the computers is only possible with a user name and password.
- iii. Access to the central server computer is only permitted to persons with appropriate authorisation and only to those persons designated for this purpose.
- iv. The Service Provider uses backups and archiving to ensure the security of digitally stored data.
- v. Computer systems containing personal data used by the Service Provider are protected against viruses.
-
a. The Service Provider shall apply the following measures to ensure the security of personal data processed on paper (physical protection):
b. IT security
Informing the data subject about the personal data breach
Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay.
The information provided to the data subject shall clearly and prominently describe the nature of the personal data breach and provide the name and contact details of the data protection officer or other contact person who can provide further information; describe the likely consequences of the personal data breach; describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.
The data subject need not be informed if any of the following conditions are met:
- the controller has implemented appropriate technical and organisational protection measures and those measures have been applied in relation to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;
- the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;
- the provision of information would require a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly disclosed information or by means of a similar measure which ensures that the data subjects are informed in an equally effective manner.
Where the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after having considered whether the personal data breach is likely to present a high risk, order the data subject to be informed.
Notification of a personal data breach to the authority
The controller shall notify a personal data breach to the supervisory authority competent under Article 55 without undue delay and, if possible, no later than 72 hours after the personal data breach has come to its attention, unless the personal data breach is unlikely to present a risk to the rights and freedoms of natural persons. If the notification is not made within 72 hours, it shall be accompanied by the reasons justifying the delay.
Possibility to lodge a complaint
A complaint against a possible infringement by the controller may be lodged with the National Authority for Data Protection and Freedom of Information:
- National Authority for Data Protection and Freedom of Information
- If you wish to inform the Data Protection and Information Protection Authority about any violation of the Privacy and Information Protection Act, please contact the Data Protection Authority at the following address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
- Postal address: 1530 Budapest, P.O. Box 5.
- Phone: +36 -1-391-1400
- Fax: +36-1-391-1410
- E-mail: ugyfelszolgalat@naih.hu
Closing address
The following legislation has been taken into account in the preparation of this information:
- REGULATION (EU) No 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation)
- Act CXII of 2011 – on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Infotv.”)
- Act CVIII of 2001 – on certain aspects of electronic commerce services and information society services (in particular Article 13/A)
- Act XLVII of 2008 – on the Prohibition of Unfair Commercial Practices against Consumers;
- Act XLVIII of 2008 – on the basic conditions and certain restrictions on commercial advertising (in particular § 6)
- Act XC of 2005 on Freedom of Electronic Information
- Act C of 2003 on Electronic Communications (specifically § 155)
- Opinion No 16/2011 on the EASA/IAB Recommendation on best practice for behavioural online advertising
- Recommendation of the National Authority for Data Protection and Freedom of Information on data protection requirements for prior information
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC
Keszthely, 2023. április 20.