Abbázia Group - Privacy policy

Contents

1. Introduction
2. Definitions
3. Principles for ABBÁZIA data management
4. The scope of personal data, the purpose, title and duration of data management
4.1. Details of website visitors
4.2. Data for accommodation nights
4.2.1. Offer and confirmation of accommodation nights
4.2.2. Records for guest nights
4.3. Security cameras for hotels
4.4. Newsletter
4.5. Raffle
4.6. Details of website visitors
4.7. Managing websites "cookies"
4.8. Lost and found
4.9. ABBÁZIA customer requests
4.10. Details of people with holiday entitlements
4.11. ROOMSOME
4.12. OPTIMONK
4.13. RCI Guest
4.14. Mailchimp Mail System
5. How to store personal data, security of data handling
6. Details and contact details of the data controller
7. Rights of the data subject, enforcement of rights
7.1 Right to information
7.2 Right of access
7.3 Right of Correction
7.4 Right to Cancellation
7.5 Right to Restrict Data Management
7.6 Right to record
7.7 Right to Objection
7.8 Automated decision making in individual cases, profiling
7.9 Right of withdrawal
7.10 Right to Justice
7.11 Privacy Policy Procedures
8. Other provisions

1. Introduction

The Abbázia Group, hereinafter referred to as ABBÁZIA (service provider, data controller), as a data controller accepts the content of this legal notice as binding on itself. It is responsible for ensuring that all data management related to its activity meets the requirements set out in this document and the applicable legislation.

ABBÁZIA reserves the right to change this information. Current status information is available at https://abbaziagroup.com/en/privacy-policy.

This brochure was developed by "HELIKON" Utazási Iroda Kft. (hereinafter referred to as "the Company"), which belongs to the Abbázia Group. Given that the group carries out its activities for its customers at group level, with the participating group members providing complex services to individual customers, it is justified to introduce and maintain a uniform regulation for the entire group of companies.

The companies of the ABBÁZIA group:

  1. ABBÁZIA Apartman Club Tourism Private Limited Company (Abbreviated name: ABBÁZIA Apartman Zrt., Registered office: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 11828673-2-20, company registration number: 20-10-040184)
  2. ABBÁZIA Tourism Private Limited Company (abbreviated name: ABBÁZIA Zrt., registered office: 8360 Keszthely, Arany J. u. 1., tax number: 10645444-2-20, company registration number: 20-10-040029)
  3. T. S. APARTMAN-CLUB Tourism Private Limited Company (abbreviated name: T. S. APARTMAN-CLUB Zrt., registered office: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 11342319-2-20, company registration number: 20-10-040053)
  4. Petneházy Holiday Village Private Limited Company (abbreviated name: Petneházy Zrt., Registered office: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 10330078-2-20, company registration number: 20-10-040173)
  5. PLÁNINVEST Private Limited Company (abbreviated company name: Pláninvest Zrt., Registered office: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 11533621-2-20, company registration number: 20-10-040155)
  6. ABBÁZIA Apartment Tourism Limited Company (ABBÁZIA Apartman Kft., Headquarters: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 12482511-2-20, company registration number: 20-09-064581)
  7. Abbázia-Group Real Estate Investment, Trading and Service Limited Company (abbreviated name: Abbázia-Group Ltd., registered office: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 25310007-2-20, company registration number: 20-09-074707)
  8. Helicomplex Real Estate Investment, Sales, Trade and Service Limited Liability Company (abbreviated name: Helicomplex Ltd., headquartered in: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 25436905-2-20, registration number: 20-09-074902)
  9. CLUB DOBOGÓMAJOR Real Estate Manager, Trade and Service Limited Liability Company (abbreviated name: CLUB DOBOGÓMAJOR Ltd., registered office: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 25079009-2-20, company registration number: 20-09-074438)
  10. Kalmainvest Investment Management and Tourism Limited Company (abbreviated name: Kalmainvest Ltd., registered office: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 25436967-2-20, company registration number: 20-09-074904)
  11. HELIKON Travel Agency Limited Company (abbreviated name: "HELIKON" Travel Agency Ltd., registered seat: 8360 Keszthely, Erzsébet királyné útja 21, tax number: 10242986-2-20, registration number: 20-09-060182)

ABBÁZIA is committed to protecting the personal data of its customers and partners. Personal data is handled confidentially, and we take all security, technical and organizational measures that guarantee the security of your data.

Below, ABBÁZIA outlines its data management principles and presents the expectations that it has set for itself as a data controller and complies with. The data management principles are in line with existing data protection legislation, in particular:

  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.);
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016);
  • Act V of 2013 on the Civil Code (Ptk.);
  • Act C of 2000 on Accounting (Accounting);
  • Act CVIII of 2001 on Electronic Commerce Services and Certain Issues of Information Society Services (Eker.tv.);
  • Act CL of 2017 on Taxation (Art.);
  • Act C of 1990 on Local Taxes;
  • Act II of 2007 on the Entry and Residence of Third-Country Nationals;
  • Act CXXXIII of 2005 on the Rules of Personal and Property Protection and the Activities of Private Investigators (Ministry of Social Affairs and Labor);
  • Act XLVIII of 2008 on the Fundamental Terms and Limitations of Economic Advertising (Grt.).

If you would like to contact our Company, please do so through the ABBÁZIA Data Protection Service at the following contact details:

  • e-mail:
  • by mail: "HELIKON" Utazási Iroda Kft., 8360 Keszthely, Erzsébet királyné útja 21.

2. Definitions

2.1. Concerned (data subject): any person identified or identifiable, directly or indirectly, by any specific personal data.

2.2. Personal data: any information relating to an identified or identifiable person ("concerned"); a person may be identified, directly or indirectly, by an identifier such as name, number, positioning data, online identifier or any other personal identification, or by one or more factors relating to the physical, physiological, genetic, intellectual, economic, cultural or social identity of that person.

2.3. Contribution (consent): a voluntary and explicit statement of the wishes of the person concerned, based on appropriate information, with which he or she gives unambiguous consent to the handling of his or her personal data, covering all or part of the operations.

2.4. Protest: the statement of the person concerned with which he or she is objecting to the handling of his / her personal data and requesting the termination of data processing and the processing of the data processed.

2.5. "Data controller" means a legal person or an organization that does not have legal personality who either independently or with others determines the purpose of the processing of data, makes and executes decisions on data handling (including the equipment used) or performs data processing entrusted to it.

2.6. Data management: irrespective of the method used, any operation or set of operations performed on the data, such as collecting, capturing, systematizing, storing, modifying, using, querying, transmitting, publishing, aligning or linking, blocking, deleting and destroying the data, preventing further use of the data, taking photographs, sound or image recordings, and recording physical characteristics suitable for identifying the person (e.g. finger or palm print, DNA sample, iris image).

2.7. Transfer of data: making the data available to a specific third party.

2.8. Disclosure: making the data available to anyone.

2.9. Data deletion: making data unrecognizable in such a way that their recovery is no longer possible.

2.10. Data designation: marking the data with an identifier in order to distinguish it.

2.11. Data encryption: marking the data with an identification mark for the purpose of limiting its further handling for a definite or fixed period of time.

2.12. Data destruction: complete physical destruction of data-containing media.

2.13. Data processing: performing technical tasks related to data management operations, irrespective of the method and device used to implement the operations and the location of the application, provided that the technical task is carried out on the data.

2.14. "Data processor" means a legal person or an organization without legal personality who, by virtue of a contract concluded with the data controller, including a contract concluded under the law, processes the data.

2.15. Third party: a legal person or a non-legal entity which is not the same as the data subject, the data controller or the data processor.

2.16. Third country: any State other than an EEA State.

3. Principles for ABBÁZIA data management

Personal data can be handled if:

a) the person concerned agrees or

b) it is governed by a law or by a decree of the local government on the basis of the authority of the law and within the scope defined therein for the purpose of public interest (mandatory data management).

Personal data may also be handled if obtaining the consent of the person concerned is impossible or disproportionate and the processing of personal data is necessary for the fulfilment of the legal obligation of the data controller, or for the legitimate interests of the data controller or third party and for the protection of the rights of the defence.

For a minor under 16 years of age who is unable to act or has limited legal capacity, a declaration by the legal representative is required, except for those parts of the service where the statement is of a kind made on a mass scale in everyday life and does not require any particular consideration.

If the person concerned is unable to give his consent due to incapacitation or for other unavoidable reasons, the protection of the vital interests of that person or of the life of the person, to the extent necessary to prevent a direct threat to his / her physical or mental integrity, the personal data of the person concerned may be handled during the existence of any obstacles to consent.

If the personal data has been collected with the consent of the data subject, the data controller may, unless otherwise provided by law, handle the collected data without further special consent, and also following the withdrawal of the consent of the person concerned:

a) with a view to fulfilling a legal obligation incumbent on it, or

b) in order to enforce the legitimate interests of the data controller or a third party, where the enforcement of this interest is proportionate to the limitation of the right to the protection of personal data.

Personal data can only be handled for a specific purpose, in order to exercise rights and to fulfil obligations. At all stages of the data handling, the company must comply with this objective, and data capture and handling must be fair.

Only personal data that is essential for achieving the purpose of data management can be used and only to the extent and time necessary to attain it.

Personal data can only be handled with appropriate informed consent.

Before the data handling begins, the data subject shall be informed whether the data handling is based on consent or is compulsory. The data subject must be informed, in a clear, unambiguous and detailed manner, of all the facts related to the handling of his or her data, in particular the purpose and legal basis of the data handling, the persons entitled to handle and to process the data, the duration of the data handling, whether the personal data of the data subject is handled in order to fulfil a legal obligation of the data controller or to enforce a legitimate interest of a third party, and who will be able to access the data. The information should also include the rights and remedies available to the data subject in question.

Data management must ensure the accuracy, completeness and up-to-dateness of the data as well as the identity of the data subject for the time needed for the purpose of data management.

Personal data may be transmitted to a data controller or data processor performing data management or data processing in a third country only if the data subject explicitly agrees or the above conditions for data handling are met, and an adequate level of protection of personal data is ensured in the third country when the transferred data is managed and processed. Data transmission to EEA States shall be deemed to be the transfer of data within the territory of Hungary.

4. The scope of personal data, the purpose, title and duration of data management

The data management of ABBÁZIA's activity is based on a voluntary contribution. In some cases, however, the management, storage and transmission of a particular set of data is made compulsory by contracts, legislation or safe operation, of which our partners are specifically notified.

ABBÁZIA draws the attention of all data providers to the fact that, if the personal data they provide is not their own, the data provider is obliged to obtain the consent of the person concerned.

4.1. Details of website visitors

www.abbaziagroup.com, www.clubdobogomajor.hu, www.hotelkalma.hu, www.petnehazy-clubhotel.hu, www.abbazia-nemesnep.hu, www.abbazia-clubhotel.hu, www.clubhotel-marotta.com

Purpose of data management: During a visit to the site, the service provider records the visitor data to monitor the operation of the service, to provide personalized service and prevent abuse.

Legal Basis for Data Management: Contribution of the person concerned, in accordance with Section 13/A (3) of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.

The range of data processed is: date, time, IP address, title of the visited page, title of the previously visited page, user's operating system and browser data.

The duration of the data management is 30 days from the date of viewing the site.

ABBÁZIA does not link data generated by the analysis of logs with other information and does not seek to identify the user.

(The IP address is a series of numbers that uniquely identifies the computers of users on the Internet, and IP addresses can also be used to geographically locate a visitor using that computer. The address of the pages visited and the date and time data are not by themselves sufficient to identify the person; however, combined with other data (such as those provided during registration), they can help to draw conclusions about users.)

Data management of external service providers:

The portal's html code also contains links that point to an external server independent of ABBÁZIA. The external service provider's server is connected directly to the user's computer. We remind our visitors that the providers of these links are able to collect user data through the direct connection to their server and the direct communication with the user's browser.

Potentially personalized content for the user is served by the external service provider. The link between ABBÁZIA and the external service provider only covers the insertion of the latter's code, so no personal data is transferred or forwarded.

For the following websites: www.abbaziagroup.com, www.clubdobogomajor.hu, www.hotelkalma.hu, www.petnehazy-clubhotel.hu, www.abbazia-nemesnep.hu, www.abbazia-clubhotel.hu, www.clubhotel-marotta.com, independent measurement and auditing of site visits and other web analytics data is carried out by an external service provider (www.google.com). For details on how the measurement data is managed, see the information of that data controller at http://www.google.com/analytics/.

To facilitate user experience and ease of use, the service provider's code at www.chat4support.com has been embedded into the site. To facilitate access to community services, the service provider's code at www.facebook.com has been affixed.

4.2. Data for accommodation nights

4.2.1. Offer and confirmation of accommodation nights

The purpose of data management is to register the reservation of accommodation guests, to distinguish between them and to manage and follow bookings, as well as providing accommodation services.

The legal basis for data handling is the voluntary contribution of the concerned person, in accordance with: Section 169 (2) of Act C of 2000 on Accounting and the Act XLVIII of 2008 on the Fundamental Terms and Limitations of Economic Advertising Activity. (5) of the Act.

The range of managed data is: name, phone number, e-mail address, booking date, credit card details.

Duration of data handling:

  • up to the final billing period of stay,
  • credit card details up to the last day of the booking period,
  • For direct marketing purposes, see section 4.7.

Data transfer: in the case of credit card payment, the payer's ID and the amount, date and time of the transaction will be transferred to ERSTE Bank.

The legal basis of the transfer is the consent of the person concerned.

4.2.2. Records for guest nights

The purpose of data management is to provide accommodation services, register and distinguish between hotel guests, provide services to guests, maintain contacts, analyse guest habits, provide more targeted service, make reservations, fulfil payments, fulfil accounting obligations, and make direct marketing inquiries. For guests not coming from an EU or EEA Member State, the recorded data will be supplemented with the following data: birth name, passport number, gender, date and place of birth, nationality, mother's birth name, place and time of entry into the country, visa number. These data will be sent to the immigration authorities on the basis of a statutory provision (Act II of 2007 on Entry and Stay of Third-Country Nationals).

The legal basis for data handling is the voluntary contribution of the concerned person, in accordance with: Section 169 (2) of Act C of 2000 on Accounting and the Act XLVIII of 2008 on the Fundamental Terms and Limitations of Economic Advertising Activity. (5) of the Act.

Details of managed data: name, address, e-mail address, telephone number, date, time, caravan serial number, nationality, identity card or passport number, date of birth, data on the use of the services (e.g.: arrival, (number, name, validity, signature), payment card details (date, time, name on the invoice, amount), voucher / coupon / payment slips/ voucher number, system, and the related date and time, as well as the contribution to direct marketing requests.

Duration of data handling:

  • For direct marketing purposes, see section 4.7. and in respect of postal DM until the declaration of consent is withdrawn,
  • in case of accommodation, from the final night of stay, to the end period for the right to tax
  • for billing data up to the end period for the right to tax.

Data transmission:

  • the number of guests, name, address, date of birth and the number of nights spent in order to collect the tourism tax will be transferred to the local tax office,
  • when a credit card is chosen as the payment method, the payer's ID and the amount, date and time of the transaction will be transferred to SIX PAY.

The legal basis for the transfer of data for the tourism tax is Act C of 1990 on Local Taxes and Act CL of 2017 on Taxation. In all other cases the consent of the person concerned acts as the legal basis.

In the case of the consent of users for direct marketing requests, the details of the person concerned (name, e-mail address, date, and in Section 4.5. in the DM Mail database as described above.

Information on prohibiting the sending of direct marketing messages and on deleting or modifying personal data can be obtained at the following contact details:

  • by post: Sales and Marketing, Club Dobogómajor, H-8372 Cserszegtomaj, Hévízi út 1,
  • by e-mail: adatvedelem@abbaziagroup.com,
  • using the Unsubscribe links in the newsletters sent.

Data Management Registration Number: NAIH-60578/2012

4.3. Security cameras for hotels

In order to ensure the safety of operation, the protection of property and accident protection, camera surveillance systems have been installed at Club Dobogómajor, the Hotel Kalma, the Petneházy Club Hotel and the Abbazia Club Hotel Keszthely. Signs give notice of camera surveillance at all relevant camera locations. Camera recordings are kept for three days.

4.4. Newsletter

The aim of data management is to send e-mail newsletters containing commercial advertisements to interested parties and to provide up-to-date information.

The legal basis for data handling is the voluntary contribution of the concerned person and in accordance with the 2008 Act XLVIII. on the Fundamental Terms and Limitations of Economic Advertising Activity. (5) .

Data managed: name, email address, IP address, date, time, consent for direct marketing purposes.

Duration of data management: until unsubscription.

Information on prohibiting the sending of direct marketing messages and on deleting or modifying personal data can be obtained at the following contact details:

  • by post: Sales and Marketing, Club Dobogómajor, H-8372 Cserszegtomaj, Hévízi út 1,
  • by e-mail: adatvedelem@abbaziagroup.com,
  • using the Unsubscribe links in the newsletters sent.

Data Management Registration Number: NAIH-60578/2012

4.5. Raffle

The purpose of data management is for guests to participate in the prize draw, organized by ABBÁZIA. Managed data is used for the drawing, notification, publication, and accounting obligation of the winners.

The legal basis for data handling is the voluntary contribution of the person concerned.

Data managed: name, address, e-mail address, date, time, and different data fields per game, provided when announcing a given prize draw.

Deadline for data deletion: data of non-winners will be deleted immediately after the lottery, with 6 months for the winners' disclosed data, and in the case of accounting records related to prizes, eight years, in accordance with Article 169 of the Constitution.

Disclosure: the name of the winner, the settlement and the order number for 6 months after the draw.

Data Management Registration Number: NAIH-60578/2012

4.6. Details of website visitors

Domains owned by ABBÁZIA

abbazia-apartman.hu budapest-accomodation.hu petnehazy-clubhotel.com
abbazia-clubhotel.com clubdobogomajor.com petnehazy-clubhotel.eu
abbazia-clubhotel.eu clubdobogomajor.eu petnehazy-udulofalu.hu
abbazia-clubhotel.hu clubdobogomajor.hu planinvest.hu
abbaziagroup.com clubhotel-marotta.eu planinvest-broker.hu
abbaziagroup.cz heviz-accomodation.hu ristorante-abbazia.com
abbazia-idegenforgalmi.hu hotelkalma.com szallas-hevizen.hu
abbazia-nemesnep.com hotelkalma.eu szalloda-budapest.hu
abbazia-nemesnep.eu hotelkalma.hu szalloda-hevizen.hu
abbazia-nemesnep.hu keszthely-accomodation.hu szalloda-keszthely.hu
apartment-heviz.hu klubdobogomajor.hu ts-apartman-club.hu
apartmentsbudapest.hu lovasclub-dobogomajor.com

The purpose of data management: When visiting the website, the service provider records the visitor data to check the functionality of the services, to provide personalized service and prevent abuse.

Legal Basis for Data Management: Contribution of the person concerned, in addition to and in accordance with Section 13/A (3) of the Act.

The range of data processed: date, time, address of the page you visited, previously visited page title, user's operating system and browser data, user's computer IP address, and geographic location of the user.

Data management duration: The IP address of the user's computer will be deleted at the end of the visit, with the remaining data stored for one month.

ABBÁZIA does not link data generated by the analysis of logs with other information and does not seek to identify the user.

The IP address is a series of numbers that can uniquely identify the computers of Internet users. IP addresses can also be used to geographically locate a visitor using that computer. The title of the pages you visit and the date and time information are not by themselves sufficient to identify the user, but linked to other data (such as those provided when filling in the contact form) they can help draw conclusions about the user.

Data management of external service providers: The html code of the portal contains links that point to external servers independent of ABBÁZIA. The external service providers' servers are connected directly to the user's computer. We remind our visitors that the providers of these links are capable of collecting user data through the direct connection to their server and the direct communication with the user's browser.

Potentially personalized content for the user is provided by the servers of external service providers. The link between ABBÁZIA and third-party servers only covers the insertion of the latter's codes, so no personal data is transferred or forwarded.

Independent measurement and auditing of site visits and other web analytics data are assisted by Google Analytics, which serves as an external service provider. That data controller provides detailed information on how measurement data is handled at www.google-analytics.com.

In order to fulfil their service, a small data packet, or cookie, is placed on the user's computer by the following external servers: google.com, facebook.com, chat4support.com, gpe.cz. For detailed information on how they manage data, see the above addresses.

To provide a tailor-made service, external service providers place a small data packet, a so-called cookie, on the user's computer and read it back. If your browser returns a previously saved cookie, the service providers that handle it will have the ability to link the user's current visit to the previous one, but only for their own content. More information about cookies can be found at:

http://www.adatvedelmiszakerto.hu/cookie

Cookies can be deleted from your computer or disabled in your browser. Cookie settings can usually be found in the Tools / Preferences menu of browsers, under the Privacy settings, under the name cookie or cookies.

4.7. Managing websites "cookies"

The website operator places a small data packet, a so-called "cookie", on the user's computer and reads it back. If your browser returns a previously saved cookie, the cookie operator can link the user's current visit with past visits, but only for their own content.

The purpose of data management is to identify and distinguish between users, identify the user's current session, store data, prevent data loss, and track user-generated bids (__utma, __utmb, __utmc, __utmt, __utmz, PHPSESSID, _C4vId).

Legal Basis for Data Management: Contribution of the Contributor. The range of data processed: identification number, date and time.

Duration of data handling:

  • Until the session is completed (__utmc, PHPSESSID),
  • Ten minutes (__utmt),
  • Thirty minutes (__utmb),
  • Six months (__utmz),
  • One year (_C4vID),
  • Two years (__utma).

More information on cookies can be found at http://www.adatvedelmiszakerto.hu/cookie

Cookies can be deleted from your computer or disabled in your browser. Cookie settings can usually be found in the Tools / Preferences menu of browsers, under the Privacy settings, under the name cookie or cookies. The site has a graphical measurement point, whose measurement results are recorded by the website's server. Based on the graphical metrics, website visitors cannot be identified later.

4.8. Lost and found

The purpose of data management is to register lost objects found on the properties of the following: Abbazia Club Hotel, Abbazia Country Club, Petneházy Club Hotel, Club Dobogómajor, Hotel Kalma, Kalma Villa, Abbazia Club Hotel (Marotta, Italy).

Legal Basis for Data Processing: 2013 Act V on the Civil Code, §§ 54, §§ 5: 59 and §§ 5:

Data managed: date and location, name of the finder, availability, details of the object found.

Duration of data management: one year.

4.9. ABBÁZIA customer requests

If you have any questions or comments about using our services, you can contact the data controller at the contact details stated on the website. ABBÁZIA will delete all letters received by post and all received emails, together with the sender's name, address or e-mail address and other voluntarily provided personal data, after a maximum of 5 years from the date of communication, unless there is a legal relationship on the basis of which data management is required.

4.10. Details of people with holiday entitlements

The purpose of data management is to fulfil contractual obligations arising out of holiday legislation and to guarantee rights.

The legal basis for data handling is the contract and the voluntary contribution of the concerned person.

The range of data to be processed: name, address, possibly (if you have entered them) email address and phone number, nationality, identity card or passport number, date of birth, place of birth, birth name, mother's name, tax identification number.

Duration of data processing: 10 years after termination of the contract.

Data transfer: none.

A direct marketing request is made based on the voluntary consent of the person concerned.

Business inquiry: enforcing contractual rights.

Those booking holidays with the hotel must complete the registration form called the cardex card. This can be done for them on an open online platform. In general, the rules on data management of the contract on holiday law apply to the handling of identification data on the registration page, with the addition that the registration form is sent to the local authority for the purpose of settling tourism tax (see 4.2.2).

4.11. ROOMSOME

ROOMSOME is a reservation and booking system that helps guests to book hotels online. Personal data is not stored in the ABBÁZIA system on this interface. The system is operated by Morgens Design Kft. on its own servers in accordance with the data protection rules. For more information, see www.morgens.hu and http://roomsome.hu/adatvedelem.

4.12. OPTIMONK

Pop-up window. It provides data (name and email address), given voluntarily, to the ABBÁZIA marketing database. For more information, see Optimonk: https://www.optimonk.hu/privacy_policy

4.13. RCI Guest

Technical datasheet for bookings. Data handled on the basis of your consent: name, email address, phone number, membership number. It is used for data input to the Timeshare system. The list is deleted weekly by an overwrite.

4.14. Mailchimp Mail System

An engine used to send marketing emails. See Mailchimp for more information: https://mailchimp.com/legal/privacy/

5. How to store personal data, security of data handling

ABBÁZIA's computing systems and other data retention locations are at its headquarters, sites and branches, at its data processors, and at ATW Internet Kft. (headquarters: 1132 Budapest, Victor Hugo u. 11-15.). ABBÁZIA selects and manages the IT tools used to manage personal data in the provision of the service so that the data handled:

a) is accessible to the authorized persons (availability);

b) has its authenticity and authentication ensured (credibility of data management);

c) can be verified as unchanged (data integrity);

d) is protected against unauthorized access (confidentiality of data).

ABBÁZIA protects the data by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as unavailability due to accidental destruction, damage, and other techniques used. ABBÁZIA will ensure, by means of an appropriate technical solution, that data stored in its various electronically managed registers cannot be directly linked to the data subject, except where permitted by law. ABBÁZIA provides technical and organizational measures to protect the security of data management in view of the current state of the art, providing a level of protection appropriate to the risks of data management. In the course of data management the Company maintains:

a) confidentiality: it protects the information so that it can only be accessed by the person who is entitled to it;

b) integrity: it protects the accuracy and completeness of the information and the method of processing;

c) availability: it ensures that when the eligible user needs it, he or she can actually access the information required and has access to the related tools.

The IT systems and networks of ABBÁZIA and its partners are protected against computer-aided fraud, espionage, sabotage, vandalism, fire and flood, as well as computer viruses, computer intrusions, and denial-of-service attacks. The operator provides security through server-level and application-level security procedures.

We inform users that electronic messages transmitted over the Internet, regardless of protocol (email, web, ftp, etc.), are vulnerable to network threats that lead to dishonest activity, controversy, or disclosure or modification of information. To protect against such threats, the data controller will take all the precautionary measures it may have to take. Systems are monitored to capture all security dangers and provide evidence of any security incident. System monitoring also allows the effectiveness of the precautions used to be checked.

6. Details and contact details of the data controller

On behalf of ABBÁZIA: "HELIKON" Travel Agency Ltd.
Headquarters: 8360 Keszthely, Erzsébet királyné útja 21.
Company Registration Number: 20-09-060182
Tax number: 10242986-2-20
e-mail: titkarsag@abbaziagroup.com

7. Rights of the data subject, enforcement of rights

You may request all information concerning the handling of your personal data and may request the rectification of your personal data or, with the exception of mandatory data, cancellation or blocking as indicated in the data entry or the contact details of the data controller.

7.1 Right to information

ABBÁZIA as a data controller shall take appropriate measures to ensure that all information referred to in Articles 13 and 14 of the GDPR on the management of personal data, as well as in Articles 15 to 22 and Article 34, is in a concise, transparent, comprehensible and easily accessible form and is presented in a clear and unambiguous manner.

7.2 Right to access

The data subject is entitled to receive feedback from the data controller as to whether his or her personal data is being processed and, if such data is being processed, to have access to the personal data and the following information: the categories of personal data concerned; the categories of recipients to whom the personal data will be communicated, including, in particular, third country recipients or international organizations; the intended duration of the storage of personal data; the right to rectification, deletion or restriction of data handling, and the right of protest; the right to file a complaint addressed to the supervisory authority; data sources; the fact of automated decision making, including profiling, as well as the logic used and understandable information on the significance of such data management and the likely consequences for the data subject. The data controller shall provide the information within a maximum of one month from the submission of the application. This information is free of charge.

7.3 Right of Correction

ABBÁZIA will correct any inaccurate personal data to ensure it holds the right personal information. The person concerned may request rectification of inaccurate data processed by ABBÁZIA and completion of incomplete data.

Methods for doing so:

  • In our newsletter list, our partners can automatically change their information within the newsletter.
  • By personal contract; by post, in a signed letter; or electronically, in a pdf document containing two witnesses' signature, name and address.

7.4 Right to Cancellation

You may at any time request the deletion of your personal information except if data management is required:

  • for the purpose of exercising the right to freedom of expression and information;
  • for the fulfilment of an obligation under Union or Member State law applicable to the data controller that requires the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of public authority vested in the data controller;
  • for public health or for archival, scientific and historical research purposes or for statistical purposes in the public interest;
  • to present, enforce or protect legal claims.

7.5 Right to Restrict Data Management

On request, ABBÁZIA will restrict the processing of data if one of the following conditions is met:

  • the person concerned challenges the accuracy of personal data. In this case, the restriction refers to the time period that allows the accuracy of personal data to be verified.
  • data processing is illegal and the data subject is opposed to the deletion of the data and instead calls for their use to be restricted;
  • the data controller no longer needs personal data for data management but the data subject requires it to submit, enforce or protect legal claims;
  • the person concerned objected to data handling. In this case, the restriction applies to the period when it is not established whether the data controller's legitimate reasons prevail over the legitimate reasons of the party concerned.

If data management is restricted, personal data may, except for storage, be handled only with the consent of the person concerned, for the submission of legal claims, for the protection of the rights of another natural or legal person, or in the public interest of the Union or of a Member State.

7.6 Right to data storage

The data subject shall have the right to receive the personal data that he or she has made available to the data controller in a structured, widely used, machine-readable format and to transmit such data to another data controller.

7.7 Right to protest

The person concerned is entitled to object at any time, on grounds relating to his or her own situation, to the processing of personal data that is carried out in the public interest or in the exercise of public authority vested in the data controller, or that is necessary for the legitimate interests of the data controller or of a third party, including profiling based on those provisions.
In the event of protest, the data controller may not process the personal data unless this is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the person concerned, or that relate to the submission, enforcement or defence of legal claims.

7.8 Automated decision-making in individual cases, profiling

The person concerned has the right not to be subject to a decision based solely on automated data processing, including profiling, which would have a legal effect on them or would otherwise significantly affect them.

7.9 Right of withdrawal

The person concerned has the right to withdraw his consent at any time.

7.10 Right to Justice

In case of breach of rights, the data subject may turn to the court.

7.11 Privacy Policy Procedures

ABBÁZIA will compensate for any damage caused to others by unlawful handling of the data concerned or by breach of the requirements of data security. The data controller is exempted from liability if the damage is caused by an unavoidable phenomenon outside the scope of data management. It does not compensate for damage insofar as it is due to the intentional or grossly negligent conduct of the injured party.
An appeal can be lodged with the National Data Protection and Freedom Authority:

Name: National Data Protection and Freedom Authority
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22 / C
Postal address: 1530 Budapest, Pf 5.
Phone: +36 1 3911400
Telefax: +36 1 3911410
e-mail: ugyfelszolgalat@naih.hu
website: http://www.naih.hu

8. Other provisions

We inform our clients that the courts, the prosecution office, the investigating authority, the offender authority, the administrative authority, the National Data Protection and Information Security Authority and other bodies may contact the data controller for the purpose of providing information, transmitting information or submitting documents.
ABBÁZIA issues personal data to the authorities, provided the authority has indicated the exact purpose and scope of the data, only to the extent that is indispensable to achieve the purpose of the request.

Keszthely, May 24, 2018