Data management

BAMBARA HOTEL KFT’s INFORMATION ABOUT DATA MANAGEMENT

1. GENERAL PROVISIONS

Bambara Hotel Szállodaüzemeltető Kft. (Hotel Operator Ltd.), always provides the lawfulness and expediency of the data handling for the personal data it manages. The purpose of this brochure is to give our guests information about the terms and conditions, the guarantees and the length of time our company handles the data of our booking guests, who give their personal information, from the period before the booking and the giving of their personal information to the time of their departure. Our company complies with everything written in this brochure during any personal data management; we consider such requirements mandatory for ourselves.

However, we reserve the right to change the content of this unilateral legal declaration, in which case we will inform the data subjects in advance. The data management by our company is based on voluntary consent, and in some cases, the data management is necessary to take actions at the request of the data subject prior to the conclusion of the contract.

Our data management practice complies with the applicable laws, in particular:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as „GDPR”).
Act CXII of 2011 on Informational Self-Determination and Freedom of Information ("Privacy Act").

Our company's data and contact details are as follows:

Name: Bambara Hotel Kft.

Head office: 1022 Budapest, Bimbó út 7. fszt. A02. 1.

Company registration number: 01-09-332870

Tax number: 26573685-2-41

Phone number: +3636 534 500

E-mail: info@bambarahotel.hu

1.2. DEFINITIONS

data subject: shall mean any natural person directly or indirectly identifiable by reference to specific personal data;

personal data: shall mean data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;

consent: shall mean any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations;

data controller: shall mean the natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or have it executed by a data processor;

data management: shall mean any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);

data transfer: shall mean ensuring access to the data for a specified third party;

disclosure: shall mean ensuring open access to the data;

data deletion: shall mean making data unrecognisable in a way that it can never again be restored;

data processing: shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;

data processor: shall mean any natural or legal person or organisation without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions;

privacy incident: unauthorized management or processing of personal data, including unauthorized access, alteration, transmission, disclosure, deletion or destruction, and any incidental destruction or damage.

We provide the following information about our data management practice.

2. DATA MANAGEMENT RELATED TO ONLINE BOOKING

Our company offers an online booking system so that you can book a room at the Bambara Hotel quickly, conveniently and cost-free.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: to make booking easier, cost-free and more efficient.

The legal basis for data handling: the prior consent of the person booking the hotel room.

The scope of the managed personal data: greeting; surname and first name; home address (country, postal code, town, street, house number, telephone number, e-mail address; for business companies: company name and registered office, bank card number, SZÉP card data (identification number, cardholder’s name), gender.

The duration of data management: two years after the last day of the stay as booked.

Use of data processor: our company uses an information technology service provider for the online booking system as follows.

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Providing the possibility of online booking through the RESnWEB system

By accepting this information about data management, the data subject gives his express consent to the Data Processor to employ additional data processors to make the service more convenient and customized, as follows:

The further data processor’s name	Registered office	Description of the data processor’s tasks
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	The owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails containing confirmations and notifications in the case of booking, giving of quotations and satisfaction surveys.
Hostware Kft.	1149 Budapest, Róna Street 120-122	Performing the client management tasks when using the Hostware Front Office hotel system.
Triptease Limited	WeWork 3 WaterhouseSquare 138-142 Holborn London EC1N 2SW United Kingdom	Online chat feature that allows the guests to contact the hotel and make their bookings quickly and efficiently.
BIG FISH Internet-technológiai Kft.	1066 Budapest, Nyugati Square 1-2	Providing data communication between the trader and the payment service provider’s system necessary for the payment transactions, ensuring the traceability of the transactions for the trader partners.
OTP Mobil Kft.	1093 Budapest, Közraktár u. 30-32.	Providing data communication between the trader and the payment service provider’s system necessary for the payment transactions, customer service assistance to the users, transaction verification, and fraud-monitoring for the protection of the users.
Barion Payment Zrt.	1117 Budapest, Infopark sétány (promenade) 1, building I.	Providing data communication between the trader and the payment service provider’s system necessary for the payment transactions, customer service assistance to the users, transaction verification, and fraud-monitoring for the protection of the users.
Creative Management Kft.	8200 Veszprém, Boksa Square 1. building “A”	Performing server hosting tasks

The possible consequences of the failure to provide data: No contract is concluded for the hotel room.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Other information related to data management: our company takes all the necessary technical and organizational measures to avoid any possible privacy incidents (e.g. damage or loss of files containing personal data, their becoming available to unauthorized persons). For any potential incident, we keep a record to check the necessary measures and inform the data subject, which includes the scope of the personal data of the data subject, the circle and number of the persons affected by the data protection incident, the date, the circumstances, and the effects of the data protection incident, and the measures taken to remedy it, and other data specified in the law that orders data management.

Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Ltd. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

3. DATA MANAGEMENT RELATED TO A REQUEST FOR QUOTATION

Our company offers the option to our guests to request for a quotation (RFQ) electronically. In the light of the free capacities, our company gives the quotation through an automated system.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: preliminary inquiry about the hotel's prices

The legal basis for data handling: the prior consent of the person booking the hotel room.

The scope of the managed personal data: greeting; surname and first name; telephone number, e-mail address, number of hotel guests, gender.

The duration of data management: two years after the last day of the stay as booked.

Use of data processor: our company uses an information technology service provider for the online RFQ system as follows.

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Operating the request for quotation (RFQ) module

The further data processor’s name	Registered office	Description of the data processor’s tasks
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	The owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails containing confirmations and notifications in the case of booking, giving of quotations and satisfaction surveys.
Creative Management Kft.	8200 Veszprém, Boksa Square 1. building “A”	Performing server hosting tasks

The possible consequences of the failure to provide data: The hotel is unable to give a quotation.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Kft. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

4. DATA MANAGEMENT CONNECTED TO THE SUBSCRIPTION TO THE NEWSLETTER

Our company keeps in touch with guests, and offers them services, and provides them with news and promotions, connected to the hotel’s operation.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: maintaining contact with the potential hotel guests

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

Indication of a legitimate interest: maintaining and developing business relations with the partners and guests

The scope of the managed personal data: name, e-mail address

The duration of data management: our company handles the e-mail addresses until the data subject unsubscribes from the newsletter.

Use of data processor: our company uses an information technology service provider for the online accommodation system as follows.

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Storing the newsletter-sending database
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Operating the newsletter-sending system

The possible consequences of the failure to provide data: The data subject does not receive newsletters from our company.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

You can unsubscribe from our newsletter at any time by sending a mail to info@Bambarahotel.hu or by clicking on the unsubscribe icon in the newsletter. In this case, your email address will be deleted from our database immediately.

Our company has concluded a data processing contract for data processing tasks, in which NetHotelBooking Kft. and Creative Management Kft. undertake to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

5. MANAGEMENT OF PERSONAL DATA RELATED TO SATISFACTION SURVEYS

As a hotel, we aim to provide our guests with high-quality services, so we constantly ask our guests to give us feedback on their experiences during their stay at our hotel.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: requesting feedback from our hotel’s guests to further develop and improve our services.

The legal basis for data handling: the legitimate interest of the hotel’s operator pursuant to Article 6 (1) f) of the GDPR.

Indication of a legitimate interest: our company has a legitimate interest in receiving information to develop our services based on feedback.

The scope of the managed personal data: name, gender, e-mail address

The duration of data management: two years after the last day of the stay as booked.

Use of data processor: our company uses an information technology service provider for the online accommodation system as follows.

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Operating the Satisfaction Survey Module

The further data processor’s name	Registered office	Description of the data processor’s tasks
The Rocket Science Group, LLC	675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308, USA	The owner of the Mandrill software integrated into the booking system. This software is responsible for sending automatic emails containing confirmations and notifications in the case of booking, giving of quotations and satisfaction surveys.

The possible consequences of the failure to provide data: The data subject does not receive any satisfaction survey questionnaire from our company.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

6. COOKIE MANAGEMENT

In order to provide customized service, the Data Controller places a small data packet, a so called cookie, on the user's computer, which he reads during a later visit. If your browser returns a previously saved cookie, the service provider which manages the cookie can link the user's current visit with the previous ones, but only for its own content.

The purpose of data management: identifying and tracking the users and differentiating between them, identifying the user's current work session, storing the data given during the work session, preventing any loss of data, web analytical measurements, and customized service.

The legal basis for data handling: consent of the data subject.

The scope of the managed personal data: ID number, date, time, and the previously visited site.
The duration of data management: maximum 90 days

Data processor’s name	Registered office	Description of the data processor’s tasks
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Website operation

More information about data management: The user can delete the cookie from his own computer or disable the use of cookies in his browser. To manage the cookies, you should usually go to the Tools / Preferences menu, Privacy / History / Custom Settings menu, and find the cookies or tracing.

The possible consequences of the failure to provide data: the user will not be able to use the part of the services detailed in the above paragraphs 2-5.

Our company has concluded a data processing contract for data processing tasks, in which Creative Management Kft.undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

7. THE WEBSITE’S SERVER LOGGING

When visiting the Bambarahotel.hu website, the web server automatically logs the user activity.

The purpose of data management: During a visit to the website, the service provider checks the functionality of the services, and records the visitor data to prevent any abuse.

The legal basis for data handling: Article 6 (1) f) of the GDPR. Our company has a legitimate interest in the safe operation of the website.

The type of the managed personal data: ID number, date, time, address of the visited website.

The duration of data management: maximum 90 days

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Recording the visitors’ data and the information necessary for the server’s operation

Data processor’s name	Registered office	Description of the data processor’s tasks
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Website operation

Further information: our company does not link the data collected during the analysis of logs with other information, and does not try to identify the user. The addresses of the visited websites, as well as the date and time data in themselves are not suitable for identifying the data subject, but linked with other data (such as those provided during registration), they are suitable to draw conclusions about the user.

Data management by external service providers connected to logging:

The portal’s html code contains links to an external server that arrive from an external server which is independent of our company. The external service provider’s server is connected directly to the user's computer. Please note that the service providers of such links are able to collect user data (e.g. IP address, browser, operating system details, cursor’s movement, address of the visited site, and time/date of the visit) due to their direct connection to the servers and their direct communication with the user's browser. The IP address is a series of numbers with which the computers and the mobile devices of the users accessing the Internet can be identified clearly.

Using the IP addresses, the visitor using a given computer can be located even geographically. The addresses of the visited websites, as well as the date and time data in themselves are not suitable for identifying the data subject, but linked with other data (such as those provided during registration) they are suitable to draw conclusions about the user.

8. HANDLING THE DATA ON THE REGISTRATION FORM

The hotel asks the guests to fill in a registration form when they arrive, which contains the guest's personal information. The information on the registration form is stored on the hotel’s software and on paper.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: maintaining contact with the guest during his stay, maintaining contact after departure, sending birthday greetings, distinguishing the guests, helping the declaration of the tourist tax, managing the regular guest (loyalty) program, ordered obligation.

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

The scope of the managed personal data: name, e-mail address, phone number, date of birth, address, car registration number, room number, date of arrival and departure, details of accompanying guests, subscription to newsletter, payment method.

The duration of data management: The guest declares on the registration form that he consents to the storage of personal data and the hotel stores such data for 8 years after the approval.

Use of data processor: Fidelio V8 hotel software

Data processor’s name	Registered office	Description of the data processor’s tasks
HRS Magyarország \| Hospitality and Retail Systems	1138 Budapest, Madarász Viktor u. 47-49.	Storing the guests' details

The possible consequences of the failure to provide data: The data subject cannot take his hotel room.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which HRS Magyarország Kft. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

9. MANAGEMENT OF DATA CONNECTED TO THE PURCHASE OF GIFT VOUCHERS

The hotel sells gift vouchers, and stores the details of the customer and the gift’s receiver during the sale.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: maintaining contact with the customer, sending the gift voucher to the customer.

Indication of a legitimate interest: purchase of a gift voucher

The scope of the managed personal data: name, e-mail address, phone number, home address, name of the gift’s recipient, gift voucher’s number,

The duration of data management: two years from the last date of validity of the gift voucher.

Use of data processor: Stored on the hotel’s own server.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining our own server

The possible consequences of the failure to provide data: The data subject is unable buy the gift voucher.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

10. MANAGEMENT OF DATA CONNECTED TO ROOM RESERVATION BY PHONE

The hotel accepts room reservations by phone, but asks the guests to send a written order, as well. The hotel records the rooms booked through the phone in the hotel’s software, along with the booking person’s details.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: recording the room booking

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

The scope of the managed personal data: name, phone number, email address.

The duration of data management: The hotel stores such data for 8 years after the approval.

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
HRS Magyarország \| Hospitality and Retail Systems	1138 Budapest, Madarász Viktor u. 47-49.	Storing the guests' details

The possible consequences of the failure to provide data: The room is not booked.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

11. MANAGEMENT OF DATA CONNECTED TO FOUND OBJECTS

The hotel keeps a register of the items found in the room and in the community spaces after the guests depart.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: recording the found objects, notifying the guests, returning the found objects

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

The scope of the managed personal data: room number, name, description of the found object, date

The duration of data management: the found objects are stored by the hotel for 6 months, so the data connected to them are stored for 6 months from the date they are added to the list. If the object found is received by the owner, the data will be deleted.

Use of data processor: Stored on the hotel’s own server.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining our own server

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

12. MANAGEMENT OF DATA CONNECTED TO CORRESPONDENCE

Keeps in touch with the guests and the inquiring persons through the email addresses used by the data controller.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: maintaining contact with the guests

The legal basis for data handling: consent of the data subject – pursuant to Article 6 (1) a) of the GDPR.

The scope of the managed personal data: name, email address, content of the correspondence.

The duration of data management: 5 years

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Providing online storage space
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintenance of the email software on the workstations

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which Átme-net Kft. + Creative Management Kft. undertake to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

13. DATA MANAGEMENT DURING PAYMENT:

Our guests can pay in cash, by gift vouchers, SZÉP cards, Erzsébet vouchers or by bank cards.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: issuing an invoice for the used service

The legal basis for data handling: voluntary consent of the data subject

The scope of the managed personal data: name on the invoice, address, list of services, total amount, method of payment, invoice date, invoice’s payment date

The duration of data management: 8 years

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
K@H Bank Zrt.	1055 Budapest, Lechner Ödön fasor 9.	In case of payment by bank card, identification number, amount, date

14. ELECTRONIC SURVEILLANCE SYSTEM

Surveillance camera recordings are made in the area of the Bambara Hotel.

In the hotel’s park, car park, indoor communal areas and commercial spaces, camera recordings are made. Only the properly authorized people are allowed to view and have access to the camera recordings.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: promoting the safety of the guests and staff, to preserve the values, to prove violations, and to clarify any disputed issues.

The legal basis for data handling: voluntary consent of the data subject by entering the area.

The duration of data management: 30 days at the reception and in the business areas, and 3 days outside the above areas.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining the camera system

Our company has concluded a data processing contract for data processing tasks, in which Átme-net Kft. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

15. MANAGEMENT OF DATA CONNECTED TO VOUCHER SALES

Our company offers the option to purchase gift vouchers with pre-booking discount, during which data are stored.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: selling gift vouchers with discount

The duration of data management: two years after the gift voucher’s validity or the last day of the stay.

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
NetHotelBooking Kft.	8200 Veszprém, Boksa Square 1/A	Through the RESnWEB system, the guests can buy gift vouchers for a fixed date.
Creative Management Kft.	8200 Veszprém, Boksa Square 1/A	Operating the sub-site on www.Bambarahotel.hu with the option of the discount

The possible consequences of the failure to provide data: no contract is concluded for the gift voucher.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

16. MANAGEMENT OF DATA CONNECTED TO VOUCHER SALES THROUGH AGENT

Our company is in contractual relationship with PK Travel Kft. which sells Maiutazas.hu gift vouchers, which, within the framework of a contract, offers gift vouchers with pre-booking discount for sale. The guests’ details are provided for the hotel by PK Travel Kft.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: identifying the guests who buy gift vouchers with discount.

The legal basis for data handling: consent of the person who books the gift vouchers

The scope of the managed personal data: greeting; surname and first name; home address (country, postal code, town, street, house number, telephone number, e-mail address; for business companies: company’s name and registered office, gender, voucher’s number.

The duration of data management: 5 years

Use of data processor:

Data processor’s name	Registered office	Description of the data processor’s tasks
PK Travel Kft.	1055 Budapest, Stollár Béla u. 22.	sells gift vouchers on Maiutazas.hu

The possible consequences of the failure to provide data: no contract is concluded for the gift voucher.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

Our company has concluded a data processing contract for data processing tasks, in which PK Travel Kft. undertakes to obligatorily provide the data protection and data management guarantees required by the data processing contract even if further data processor is employed, therefore, we guarantee the lawful management of the personal data even by the data processor.

17. MANAGEMENT OF DATA CONNECTED TO GROUP BOOKINGS AND CORPORATE EVENTS

Bambara Hotel also provides group booking and event organization, and stores the personal data connected to them.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: booking for groups and/or organization of events, identifying the guests, holding events

The legal basis for data handling: the prior consent of the person who makes the group booking and/ or reserves the event

The scope of the managed personal data: For companies: company name, tax number and registered office, name, phone number, email address of the booking person, name and date of birth of the participants, registration numbers of their cars, the list of the services in the confirmation and in the offer

The duration of data management: 5 years of the last day of the stay as booked

Use of data processor: It is recorded on the hotel’s own server.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining our own server

The possible consequences of the failure to provide data: no contract is concluded for the event and/or group booking.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

18. MANAGEMENT OF DATA CONNECTED TO PICTURES AND VIDEOS

Bambara Hotel takes photos and makes videos for marketing purposes.

The data controller of the personal data: Bambara Hotel Kft, 1053 Budapest, Reáltanoda utca 5. 5. em. 1.

The purpose of data management: assisting in the sales of the hotel, increasing the potential guests’ desire to stay in the hotel.

The legal basis for data handling: the prior consent of the data subject.

The scope of the managed personal data: photos, videos and sound recordings made of the guests, staff and models.

The duration of data management: 100 years

Use of data processor: It is recorded on the hotel’s own server.

Data processor’s name	Registered office	Description of the data processor’s tasks
Átme-net Kft.	3300 Eger Baktai u. 8.	Maintaining our own server

The possible consequences of the failure to provide data: the recordings cannot be made.

The rights of the data subject: the data subject (the person whose personal information is managed by our company)

may request access to the personal data relating to him;
may request their correction;
may request their erasure;
may request the restriction of the handling of the personal data under the conditions of Article 18 of the GDPR (i.e. that our company does not delete the data or destroy them until a court or authority may request them, but for a maximum of thirty days, and not to handle the data for other purposes);
may object to the handling of personal data;
may exercise his right to the portability of data. Under the latter right, the data subject is entitled to receive the personal data relating to him in word or excel format, and he is entitled to request our company to forward this information to another data controller.

19. OTHER DATA MANAGEMENT

Information about data management not listed in this brochure is provided when the data is recorded. We inform our customers that some authorities, public service bodies, and courts can contact our company for the purpose of requesting personal information. After the body concerned has indicated the exact purpose and scope of the data, our company discloses personal data to such bodies only to the extent that is absolutely necessary for the purpose of the request and if such a disclosure is required by law.

20. THE MODE OF STORING PERSONAL DATA AND THE SECURITY OF DATA MANAGEMENT

Our company’s IT systems and other data storage places are located on the premises and on the servers rented by the data processor. Our company chooses and operates the IT tools used to manage the personal data during the provision of the services so that the managed data:

a) is accessible to the authorized person (availability);

b) its authenticity and verification can be provided (authenticity of data management);

c) its unchanged condition can be verified (data integrity);

d) is protected against unauthorized access (confidentiality of data).

We pay particular attention to the security of the data; we take the technical and organizational measures and develop procedural rules which are necessary to provide the guarantees as per the GDPR. The data are protected by appropriate measures, particularly against unauthorized access, alteration, forwarding, disclosure, deletion or destruction, as well as against inaccessibility caused by accidental destruction, damage, and any change in the used technique.

The IT system and network of our company and of our partners are protected against computer-aided fraud, computer viruses, computer burglaries, and attacks leading to denial of service. The operator provides the security through server-level and application-level security procedures. The daily data backup is solved. In order to avoid any privacy incident, our company takes every possible precaution; if such an incident occurs, we take immediate measures to minimize the risks and reduce the damage – accordance with our incident management policy.

21. THE RIGHTS OF THE DATA SUBJECTS, OPTIONS FOR LEGAL REMEDIES

The data subject may request information about the management of his personal data, and he may request the correction of his personal data or, with the exception of mandatory data management, their erasure, revocation, and may exercise his right to portability of data or right to object, in the manner indicated at the data recording or on the above contact details of the data controller.

At the request of the data subject, we provide the information in electronic format without delay, but no later than within 30 days, in accordance with our applicable regulations. We meet the requests of the data subjects for the protection of the below rights free of charge.

Right to information:

Our company will take the appropriate measures to ensure that all the information on the management of personal data referred to in Articles 13 and 14 of the GDPR and the information as per Articles 15-22 and Article 34 are provided in a concise, transparent, comprehensible and easily accessible form, and in a clear and straightforward, but precise manner.

The right to information can be exercised in writing through the contact details indicated in section 1. At the request of the data subject, after verifying his identity, information may be given in words. We would like to inform our customers that if our company's employees have doubt about the identity of the data subject, they may request the information required to verify the data subject’s identity.

The data subject’s right to access:

The data subject is entitled to receive information from the data controller about whether his personal data are being processed. If personal data management is in progress, the data subject is entitled to get access to the personal information and to the below-listed information:

The purposes of data management;
the categories of the data subject’s personal data;
the recipients or categories of recipients with whom or with which personal data have been communicated or will be communicated, including, in particular, third country (non-EU) recipients and/or international organizations;
the planned duration of personal data’s storage;
right to correction, erasure or restriction and right to object;
the right to lodge a complaint addressed to the supervisory authority;
the information on data sources; the fact of automated decision-making, including profiling, as well as the logic used and the relevant understandable information on the significance of such data management and what likely consequences it may have for the data subject.

In addition to the above, if personal data are forwarded to a third country or to an international organization, the data subject is entitled to receive information on the appropriate guarantees for the forwarding.

Right to correction:

Under this law, anyone may request the correction of inaccurate personal data processed by our company, and any additions to incomplete data.

Right to erasure:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him without undue delay for one of the following reasons:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
it can be determined that the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services.

The erasure of data cannot be initiated if data management is required for the following purposes:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
or for the establishment, exercise or defence of legal claims.

Right to restriction of data processing:

At the request of the data subject, we restrict the processing where one of the following applies pursuant to Article 18 of the GDPR:

the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
the data subject has objected pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The data subject must be informed in advance of the discontinuance of the restriction of data handling.

Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. Our company can satisfy such requests in word or excel format.

Right to object

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The above right shall not apply if the data management:

is necessary for entering into, or performance of, a contract between the data subject and a data controller;
is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights
and freedoms and legitimate interests; or
is based on the data subject's explicit consent.

Right of withdrawal:

The person concerned has the right to withdraw his consent at any time. Revocation of the contribution does not affect the lawfulness of the consent based on consent, prior to the withdrawal.

Rules of the procedure:

The data controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.

Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the data controller does not take action on the request of the data subject, the data controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The data controller shall communicate any rectification or erasure of personal data or restriction of data processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The data controller shall inform the data subject about those recipients if the data subject requests it.

Compensation for damages and grievance fee:

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the data controller or data processor for the damage suffered. A data processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to data processors or where it has acted outside or contrary to lawful instructions of the controller. Where more than one data controller or data processor, or both a data controller and a data processor, are involved in the same data processing and where they are responsible for any damage caused by data processing, each data controller or data processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

A data controller or data processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

Right to turn to court and Data Protection Authority Procedure:

In case of breach of his or her rights, the data subject may turn to a court. The court proceeds out of turn in the case.

Complain can be lodged to the National Authority for Data Protection and Freedom of Information:

Address of the authority: 1125 Budapest, Szilágyi Erzsébet fasor 22/C., postal address: 1530 Budapest, Pf.: 5.

Phone: +36-1-391.1400

E-mail: ugyfelszolgalat@naih.hu

contact

H-3324 FELSŐTÁRKÁNY, BÜKKERDŐ SÉTÁNY 2-4.

+36 36 534 500 |

price calculation & booking

Calculate and book your relaxation online with prompt confirmation easily just with few steps and only in 2 minutes.

Request offer

Please provide the information in the form and our colleague will send you the offer within 24 hours. Upon opening our offer you can see the available room types, prices, package offers and extra services, and you can choose those that are adequate for you. After reservation you will immediately receive our confimation.

Bambara's world

Our rooms

Gastronomy

SPA & Wellness

Experiences

Events

Data management

wellness relaxation

events

follow us