Data policy

HU EN DE

Data Policy

HUNGARORAFT LIMITED LIABILITY COMPANY
PRIVACY AND DATA PROCESSING POLICY AND NOTICE

("Notice")

1. PURPOSE AND SCOPE OF THE NOTICE
1.1 The purpose of this Notice is to set out the data processing and data protection principles applied by Hungaroraft Limited Liability Company (registered office: 1028 Budapest, Honvéd utca 15.) ("Company" or "Data Controller"), as well as the Company's data protection and data processing policy, which the Company, as data controller, acknowledges as binding upon itself in relation to, and during, the operation of the Company.
1.2 This Notice contains the principles governing the processing of the Personal Data (as defined below) provided by Contracting Parties (as defined below). The Company's main activity is travel organization.
1.3 When preparing the provisions of this Notice, the Company took into account, in particular but not exclusively, the following legislation: Regulation (EU) 2016/679 of the European Parliament and of the Council ("General Data Protection Regulation"), Act CXII of 2011 on Informational Self-Determination and Freedom of Information ("Info Act"), Act V of 2013 on the Civil Code, and Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Commercial Advertising Activities.
1.4 The scope of this Notice extends to data processing operations related to the Services provided by the Company. During these data processing operations, the Company acts in accordance with this Notice.
1.5 The purpose of this Notice is to standardize the Company's activities with regard to data processing operations in order to protect the fundamental rights and freedoms of natural persons, to process the data of natural persons lawfully, and to ensure the proper processing of Personal Data.
1.6 This Notice remains valid until withdrawn. The Data Controller reserves the right to amend this Notice at any time by unilateral decision.

2. DEFINITIONS
Data Processing: any operation or set of operations performed on Personal Data, regardless of the procedure applied, including in particular the collection, recording, organization, structuring, storage, adaptation, alteration, use, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, publication, alignment or combination, restriction, erasure and destruction of Personal Data.
Data Controller: the person who determines the purposes and means of Data Processing, alone or jointly with others.
Data Processor: the service provider that processes Personal Data on behalf of the Data Controller. In relation to the services referred to in this Notice, Data Processors may be the natural and legal persons specified in Section 9.2 below.
Personal Data or data: any data or information by which a natural person Contracting Party can be identified, directly or indirectly.
Contracting Party: the natural person who uses or participates in the service provided by the Company and, within this framework, provides the data listed in Section 7 below. For the purposes of this Notice, in the case of a minor Contracting Party, both the minor using the service provided by the Company and their legal representatives qualify as Contracting Parties.
Service(s): the services provided by the Data Controller, in particular travel organization activities.
Website: the hungaroraft.hu website operated by the Data Controller.
External Service Provider: third-party service provider partners used by the Data Controller, directly or indirectly, in connection with providing the Services, to whom Personal Data is or may be transferred in order to provide the Services, or who may transfer Personal Data to the Data Controller.

3. THE DATA CONTROLLER
With regard to the data processing covered by this Notice, the Data Controller is the following:
company name: Hungaroraft Kft.
registered office: 1028 Budapest, Honvéd utca 15.
company registration number: 01-09-909939
tax number: 14570829-2-41
telephone number: (+36) 20 9823 203
email address: info@hungaroraft.hu
website: http://hungaroraft.hu/
contact person: Gyula Takács

4. PURPOSE OF DATA PROCESSING
The Company processes Personal Data exclusively for a specified purpose. Data collection and processing are carried out fairly and lawfully. The Company strives to process only such Personal Data as is indispensable for achieving the purpose of data processing and suitable for achieving that purpose. Personal Data may be processed only to the extent and for the period necessary to achieve the purpose.
The purpose of data processing is to provide services related to travel organization activities to Contracting Parties. This includes, in particular: contacting and maintaining contact with Contracting Parties, providing and requesting information, identifying the Contracting Party, managing and tracking the services used by the Contracting Party, handling and administering individual requests, protecting the rights of Contracting Parties, and enforcing the legitimate interests of the Data Controller.

5. METHOD OF DATA PROCESSING
5.1 The Data Controller stores the Contracting Party's data on its own servers, on the Data Controller's computers, or in paper-based records. Only the Data Controller is entitled to process the Personal Data of the data subjects.
5.2 Providing data is voluntary in all cases, meaning that the data subject may freely decide whether to provide the requested Personal Data. If the data subject consents, the Data Controller processes the data in accordance with applicable law and within the limits of the data subjects' consent.
5.3 In order to prevent unauthorized use of the processed Personal Data and related abuses, the Data Controller applies security measures. The Company regularly reviews its security procedures and develops them in line with technological progress.

6. LEGAL BASIS OF DATA PROCESSING
6.1 The legal basis for data processing is Article 6(1)(a) of the General Data Protection Regulation, considering that the use of the travel organization service provided by the Company is voluntary and Contracting Parties make it possible for the Company to perform the assignment given to it and provide the travel organization service by providing their Personal Data. Within the scope of the Company's assignment, Contracting Parties consent to the processing of the Personal Data voluntarily provided by them by the Company.
6.2 The legal basis for data processing is also Article 6(1)(b) of the General Data Protection Regulation, considering that data processing is necessary for the performance of a contract to which the Contracting Party is a party, or in order to take steps at the request of the Contracting Party prior to entering into a contract.

7. SCOPE OF PROCESSED DATA
7.1 If the Contracting Party uses a travel organization service from the Company, the Data Controller records the following Personal Data of the Contracting Party, during the organization of the programs, for the purpose of fully organizing and conducting the programs and arranging the necessary insurance: name, address, place and date of birth, passport number / identity card number, email address, telephone number, height, body weight, shoe size.
The legal basis of data processing is the performance of contractual obligations. The source of the data is the Contracting Party; the place of data processing is the Company's registered office; the Company's managing director is responsible for data processing. Data are stored electronically through the TREKKSOFT software. The Data Controller transfers the data to Groupama Insurance for the purpose of arranging the necessary insurance. The Data Controller deletes the data without delay after full performance of the contractual obligations related to the given program.
7.2 If the Contracting Party uses a travel organization service from the Company, the Data Controller records the following Personal Data of the Contracting Party immediately before the start of the program, for the purpose of conducting the programs and documenting the Contracting Party's assumption of responsibility: name, place and date of birth, email address.
The legal basis of data processing is the performance of contractual obligations. The source of the data is the Contracting Party; the place of data processing is the Company's Slovenian site; the Company's managing director is responsible for data processing. Data are stored on paper. The Data Controller deletes the data 5 (five) years after full performance of the contractual obligations related to the given program.
7.3 If the Contracting Party uses a travel organization service from the Company, the Data Controller records the following Personal Data of the Contracting Party during the program, in the form of photo or video recordings, for the purpose of later promotion of its Services: image/likeness.
The legal basis of data processing is the Contracting Party's consent. The source of the data is the Contracting Party; the place of data processing is the Company's registered office; the Company's managing director is responsible for data processing. Data are stored electronically. The Data Controller deletes the data without delay after the Contracting Party withdraws their consent to data processing.
7.4 If the Contracting Party has given express consent to the Company's data processing for direct marketing purposes, the Data Controller records the following Personal Data of the Contracting Party at the time of giving consent, for the purpose of sending current newsletters, offers and other direct marketing materials: email address.
The legal basis of data processing is the Contracting Party's consent. The source of the data is the Contracting Party; the place of data processing is the Company's registered office; the Company's managing director is responsible for data processing. Data are stored on paper and electronically. Messages are sent using the MailChimp mailing system. The Data Controller deletes the data without delay after the Contracting Party withdraws their consent to data processing.
7.5 If the data subject visits the Website, the Data Controller's system automatically records the following Personal Data of the visitor for the purpose of proper operation of the website and identification of returning visitors: IP address.
The legal basis of data processing is the data subject's consent, and Section 13/A(3) of Act CVIII of 2001 on certain issues of electronic commerce services and information society services. The source of the data is the Contracting Party; the place of data processing is the Company's registered office; the Company's managing director is responsible for data processing. Data are stored electronically. Data storage lasts until termination of the agreement between the Company and the Hosting Provider, or until the data subject submits an erasure request to the Hosting Provider.

8. DURATION OF DATA PROCESSING
The Data Controller erases Personal Data if
a) its processing is unlawful: If it becomes clear that the data are being processed unlawfully, the Data Controller carries out erasure without delay.
b) the data subject requests it (except for data processing based on law): The data subject may request erasure of data processed on the basis of their voluntary consent. In this case, the Data Controller erases the data.
c) the data are incomplete or incorrect – and this situation cannot lawfully be remedied – provided that erasure is not excluded by law.
d) the purpose of data processing has ceased, or the statutory deadline for data storage has expired. The Data Controller processes the data as long as the relationship between the Data Controller and the data subject exists and as long as the Data Controller provides a Service to the data subject. The Data Controller erases all other data if it is clear that the data will not be used in the future, meaning that the purpose of data processing has ceased.
e) erasure has been ordered by a court or by the National Authority for Data Protection and Freedom of Information: If a court or the National Authority for Data Protection and Freedom of Information finally orders erasure of the data, the Data Controller carries out erasure. Instead of erasure, the Data Controller blocks the Personal Data, while informing the data subject, if the data subject requests this or if, on the basis of the information available, it can be assumed that erasure would harm the legitimate interests of the data subject. Personal Data blocked in this way may be processed only as long as the data processing purpose exists that excluded erasure of the Personal Data. The Data Controller marks the Personal Data it processes if the data subject disputes its correctness or accuracy, but the incorrectness or inaccuracy of the disputed Personal Data cannot be clearly established. In the case of data processing ordered by law, the provisions of the law govern erasure of the data. In the event of erasure, the Data Controller renders the data incapable of identifying individuals. If required by law, the Data Controller destroys the data carrier containing Personal Data.

9. USE OF DATA PROCESSORS
9.1 The Company is entitled to use Data Processors for carrying out its activities. Data Processors do not make independent decisions and are entitled to act solely in accordance with the contract concluded with the Company and the instructions received. The Company monitors the work of Data Processors. Data Processors may use additional data processors only with the Company's consent.
9.2 Data Processors used by the Company:
a) Accounting
Name of data processor: HR Training Kft. – Konstanca Járai
Registered office of data processor: 1028 Budapest, Honvéd u. 15.
Telephone number of data processor: +36 209 732 932
Email address of data processor: Konstanca Járai
The Data Processor participates in the bookkeeping of accounting documents on the basis of a written contract concluded with the Data Controller. In doing so, the Data Processor processes the data subject's name and address to the extent necessary for accounting records, for the period specified in Section 169(2) of the Accounting Act, and thereafter deletes them without delay.
b) Data processing activity related to passenger data:
Name of data processor: TrekkSoft AG
Registered office of data processor: Hauptstraße 15, 3800 Matten b. Interlaken (Switzerland)
Email address of data processor: info@trekksoft.com
The Data Processor operates the TREKKSOFT software used for managing passenger data.
c) Data processing activity related to direct marketing:
Name of data processor: The Rocket Science Group, LLC
Registered office of data processor: 675 Ponce de Leon Ave NE Suite, 5000 Atlanta, GA 30308 USA Email address of data processor: *
The Data Processor operates the MailChimp mailing system used for sending direct marketing materials.
d) Insurance
Name of data processor: Groupama Biztosító Zrt., Retail Property Insurance Department
Registered office of data processor: 1146 Budapest, Erzsébet királyné útja 1/C
Telephone number of data processor: +36 1 373 7537
Email address of data processor: barbara.brukner@groupama.hu
The Data Processor provides insurance services in respect of Contracting Parties on the basis of a written contract concluded with the Data Controller. In doing so, the Data Processor processes the name, date of birth and address of the affected Contracting Party to the necessary extent and for the necessary period, and thereafter deletes them without delay.
e) Data processing activity related to web hosting services:
Name of data processor: Integrity Kft.
Registered office of data processor: 8000 Székesfehérvár, Gyetvai utca 6.
Telephone number of data processor: +36 1 450-26-60
Email address of data processor: data_processing+2018@integrity.hu
f) Data processing activity related to website operation:
Name of data processor: TrekkSoft AG
Registered office of data processor: Hauptstraße 15, 3800 Matten b. Interlaken (Switzerland)
Telephone number of data processor: +41 31 528 03 37
Email address of data processor: info@trekksoft.com
The Data Processor maintains the Website at certain intervals on the basis of a written contract concluded with the Company and backs up its database for security reasons.

10. PERSONS ENTITLED TO ACCESS PROCESSED DATA. DATA TRANSFER
10.1 The data processed during the data processing described in this Notice may be accessed by the Company's employees. The Data Controller's employees carry out individual searches or individual operations on the data only at the request of the Contracting Party, or if this is necessary for providing the service.
10.2 Other persons may not access or become acquainted with the Personal Data processed by the Company. Apart from the Data Processors indicated in Section 9.2, the Company does not transfer the data to third parties either within the European Economic Area or to third countries outside it.
10.3 Irrespective of the above, the Company transfers Personal Data to a third party only if the data subject has clearly consented to this – being aware of the scope of the transferred data and the recipient of the data transfer – or if the data transfer is authorized by law. The Company documents all data transfers in every case and keeps records of data transfers.

11. DATA SECURITY AND DATA PROTECTION INCIDENT
11.1 The Data Controller ensures the security of the data, takes the technical and organizational measures, and establishes the procedural rules necessary to enforce the applicable laws and data and confidentiality protection rules. The Data Controller protects the data with appropriate measures against unauthorized access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction and damage, and against becoming inaccessible due to changes in the applied technology.
11.2 A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, transmitted, stored or otherwise processed Personal Data. The prevention and handling of data protection incidents and compliance with the relevant legal requirements are the responsibility of the Company's managing director. The Company's employees are obliged to report to the Company's executive officer and managing director if they detect a data protection incident or an event indicating one.
A data protection incident may be reported to the Company's central email address or telephone number, through which employees, contractual partners and data subjects can report the underlying events and security weaknesses. In the event of a data protection incident report, the Company's managing director, with the involvement of the executive officer, examines the report without delay, identifies the incident, and decides whether it is a real incident or a false alarm. The following must be examined and established:

the time and place of the incident;
the description, circumstances and effects of the incident;
the scope and number of data compromised during the incident;
the group of persons affected by the compromised data;
the description of measures taken to remedy the incident;
the description of measures taken to prevent, remedy or reduce the damage.
If a data protection incident occurs, the affected systems, persons and data are identified and isolated, and the Company's managing director ensures that evidence supporting the occurrence of the incident is collected and preserved. Thereafter, the restoration of damage and the re-establishment of lawful operation may begin. Records must be kept of data protection incidents. Data relating to data protection incidents included in the records must be retained for 5 years.
If the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the Company must inform the data subject about the data protection incident without undue delay. The information must describe the nature of the data protection incident clearly and in plain language, and must include the following information and measures:

the name and contact details of the contact person providing the information;
the likely consequences resulting from the data protection incident;
the measures taken or planned by the Company to remedy the data protection incident.
The data subject does not have to be informed individually, but must be informed through publicly disclosed information if
the Company has implemented appropriate technical and organizational protection measures and applied those measures to the data affected by the data protection incident;
the Company has taken further measures following the data protection incident that ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialize;
providing individual information would require disproportionate effort.

12. RIGHTS RELATED TO DATA PROCESSING, PRINCIPLES OF DATA PROCESSING
12.1 Personal Data must be processed lawfully, fairly and in a transparent manner for the data subject.
12.2 Personal Data may be collected only for specified, explicit and lawful purposes.
12.3 The purpose of processing Personal Data must be appropriate and relevant, and processing may only be to the necessary extent. The Data Controller processes Personal Data only for the purposes specified in this Notice and in the applicable laws. The scope of processed Personal Data is proportionate to the purpose of data processing and may not extend beyond it.
12.4 Personal Data must be accurate and up to date. Inaccurate Personal Data must be erased without delay.
12.5 Personal Data must be stored in a form that permits identification of data subjects only for the necessary period. Personal Data may be stored for longer only if storage is carried out for public-interest archiving purposes, scientific or historical research purposes, or statistical purposes.
12.6 Right to request information: Any person may request information at any time, through the provided contact details, about what data of theirs the Company processes, on what legal basis, for what data processing purpose, from what source, and for how long. Information must be sent to the provided contact details without delay, but no later than within 30 (thirty) days of the request.
12.7 Right to rectification: Any person may request, at any time through the provided contact details, the modification or rectification of any of their data processed by the Company. Action must be taken on this request without delay, but no later than within 30 (thirty) days, and information must be sent to the provided contact details.
12.8 Right to erasure: Any person may request in writing, at any time, free of charge and without limitation, through the provided contact details, erasure of their data, or may withdraw their previously given consent to data processing. This must be done without delay, but no later than within 30 (thirty) days of the request; the data of the data subject processed by the Company must be erased from the Company's records, and information must be sent to the provided contact details.
12.9 Data that must be stored due to a legal, statutory or contractual obligation for the preservation of commercial records are blocked instead of erased.
12.10 Right to blocking/restriction: Any person may request blocking of their data through the provided contact details. Blocking lasts as long as the indicated reason makes storage of the data necessary. This must be done without delay, but no later than within 30 (thirty) days of the request, and information must be sent to the provided contact details.
12.11 Right to object: Any person may object to data processing through the provided contact details. The objection must be examined as soon as possible, but no later than within 30 (thirty) days of submission of the request; a decision must be made on its merits, and information about the decision must be sent to the provided contact details.
12.12 The Personal Data indispensable for using the Services are used by the Data Controller on the basis of the consent of the affected Contracting Party and exclusively for the specified purpose.
12.13 In all cases where the Data Controller intends to use Personal Data for a purpose other than the original purpose of data collection, it informs the Contracting Party, obtains their prior express consent, and provides them with the opportunity to prohibit such use.
12.14 The Data Controller does not verify the Personal Data provided. The person providing the Personal Data is solely responsible for the correctness of the Personal Data provided. When providing an email address or telephone number, any Contracting Party also assumes responsibility that only they use services from the provided email address or telephone number. In view of this assumption of responsibility, all liability related to the provided data rests exclusively with the Contracting Party who provided the data.
12.15 Personal Data of a data subject under the age of 16 may be processed only with the consent of an adult exercising parental authority over them. The Data Controller is not able to verify the entitlement of the consenting person or the content of their declaration; therefore, the Contracting Party or the person exercising parental authority over them warrants that the consent complies with the law. In the absence of a consent declaration, the Data Controller does not collect Personal Data concerning a data subject under the age of 16, except for the IP address used when using the Service, which is recorded automatically due to the nature of internet services.
12.16 The Data Controller does not transfer the Personal Data it processes to third parties other than the Data Processors specified in this Notice and, in certain cases referred to in this Notice, the External Service Providers.
12.17 An exception to the provision in this section is the use of data in statistically aggregated form, which may not contain any other data suitable for identifying the affected Contracting Party in any form, and therefore does not qualify as Data Processing or data transfer.
12.18 In certain cases – such as official court or police requests, legal proceedings due to copyright, property or other infringement, or well-founded suspicion thereof, harm to the interests of the Data Controller, endangerment of the provision of the Services, etc. – the Data Controller makes the available Personal Data of the affected Contracting Party accessible to third parties.
12.19 The Data Controller notifies the affected Contracting Party, as well as all those to whom the Personal Data had previously been transferred for Data Processing purposes, about rectification, restriction or erasure of Personal Data processed by it. Notification may be omitted if this does not harm the legitimate interest of the data subject in view of the purpose of Data Processing.
12.20 The Data Controller ensures the security of Personal Data, takes the technical and organizational measures, and establishes the procedural rules that ensure that the collected, stored and processed data are protected and that prevent their accidental loss, unlawful destruction, unauthorized access, unauthorized use and unauthorized alteration or dissemination. The Data Controller calls upon all third parties to whom it transfers Personal Data to comply with this obligation.

13. ENFORCEMENT OPTIONS OF CONTRACTING PARTIES
13.1 Pursuant to Article 37(1) of the General Data Protection Regulation, the Company is not required to appoint a data protection officer with regard to the activities falling within the scope of this Notice.
13.2 The Contracting Party may submit a complaint at any time regarding data processing to the Company's contact person indicated in Section 3 of this Notice. The contact person investigates the complaint within 30 (thirty) days of receipt, takes measures if necessary, and informs the complaining Contracting Party of the result of the investigation and the measures taken.
13.3 If the Contracting Party does not agree with the result or measure of the Company's investigation, or otherwise believes that they have suffered a legal injury in connection with the processing of their Personal Data, they may turn to the National Authority for Data Protection and Freedom of Information (postal address: 1530 Budapest, Pf. 5.; address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone number: +36 1 391 1400; fax number: +36 1 391 1410; email address: ugyfelszolgalat@naih.hu; web: http://naih.hu).
13.4 In the event of infringement of their rights, the Contracting Party may apply to the court. The case falls within the jurisdiction of the regional court. The lawsuit may also be initiated, at the choice of the data subject, before the regional court of the data subject's place of residence or stay. Upon request, the Data Controller informs the Contracting Party about the possibility and means of legal remedy.

Budapest, 16 September 2018

© 2018 HungaroRaft Kft. All rights reserved
 
Book Now