Data processing information

This Data Processing Notice (hereinafter: Notice) informs the data subject (hereinafter: Data Subject) about the personal data processed in connection with the www.standrestaurant.hu and www.stand25.hu websites (hereinafter: Website) in accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR).

 

1. The data controller and its contact details

Name of the data controller: 4N Gasztronómia Kft. (hereinafter: Data Controller)
Headquarters: 1155 Budapest, Rákos út 102, 10th floor, 64.
Location: 1061 Budapest, Király utca 30-32. Staircase C. Ground floor
Postal address: 1013 Budapest, Attila út 10, ground floor
Email address: info@stand25.hu, info@standrestaurant.hu
Phone number: 06-30-9613262, 36 30 785 9139
Website: www.standrestaurant.hu, www.stand25.hu

 


2. Processing of the data subject's data

2.1. Data subjects

The Data Controller processes the personal data of the following natural persons (hereinafter: Data Subjects): visitors to the website and subscribers to the newsletter.

2.2. Categories of personal data processed

The Data Controller processes the following personal data of the Data Subject:

(i) first and last name
(ii) email address
(iii) telephone number
(iv) billing address

The personal data processed is provided to the Data Controller by the Data Subject during a telephone reservation, in a separate written statement, by email, or via one of the above websites.

 

2.3. Purpose, legal basis and duration of data processing

The purpose of data processing is to maintain contact, identify the Data Subject, possibly conclude a contract, and improve the quality of services.

The legal basis for data processing is the preparation and performance of a contract, legitimate interest, legal obligation, or the consent of the Data Subject.

The period of storage (retention) of Personal Data is 2 years from the date of consent.

 

2.3.1. Preparation for the conclusion of a contract for the provision of services and performance of a contract for the provision of services

The processing of Personal Data is necessary for the preparation and performance of a contract for the provision of services (hereinafter: "Contract").
 

2.3.2. Compliance with legal obligations

The Data Controller processes the personal data of the Data Subject for 8 years for the purpose of complying with the following legal obligations.

Section 169 (2) of Act C of 2000 on Accounting, which states that "[a]n accounting document directly or indirectly supporting the accounting records (including general ledger accounts, analytical and detailed records) shall be retained in a legible form for at least 8 years in a manner that allows it to be retrieved on the basis of references in the accounting records."

Given that the data processing referred to in this section is a legal obligation of the Data Controller, the provision of Personal Data is mandatory, and failure to provide such data may result in the refusal to conclude or perform the Contract.
 

2.3.3. Legitimate interests of the Data Controller and third parties

The Data Controller processes the personal data of the Data Subject on the basis of the following legitimate interests for the following purposes and for the following period: 8 years.

Given that the Data Processing referred to in this section is in the legitimate interest of the Data Controller, the provision of Personal Data is mandatory, and failure to provide such data may result in the refusal to conclude or perform the Contract.
 

2.3.4. Consent of the Data Subject

Personal data is processed on the basis of the Data Subject's consent (voluntary, specific, and based on adequate information and a clear expression of will). The Data Subject's consent shall be provided

(i) separately from other statements in the contract for the provision of services, or
(ii) in a separate statement
(iii) if the statement of consent was provided in another manner, e.g. via a specific online interface, its precise and verifiable definition is required.

The provision of consent is voluntary, and the Data Subject is entitled to withdraw their consent at any time, without restriction, by notifying the Data Controller. The Data Subject may send the notification to any of the contact addresses specified in Section 1 of the Information Notice.

Withdrawal of consent shall have no consequences for the Data Subject. However, withdrawal of consent shall not affect the lawfulness of data processing carried out on the basis of consent prior to withdrawal.

 

2.3.5. Submission, enforcement, and protection of legal claims arising from the Contract

The Data Controller shall retain the Personal Data of the Data Subject that has not been deleted following the failure to conclude the contract or the termination of the Contract in accordance with Section 2.3.1 for a period of five years following the failure to conclude the contract or the termination of the Contract, in accordance with the general rules of limitation set out in Act V of 2013 on the Civil Code.

The purpose of data processing under this section is to enable the Data Controller to enforce any rights and claims arising from the Contract and to defend itself in the event of such legal claims and demands being made. Failure to process data may result in the refusal to conclude or perform the Contract.
 

2.4. Right to object to automated decision-making in individual cases, including profiling

The Data Controller does not perform automated decision-making, including profiling.
 

3. Recipients of personal data

The Data Controller shall transfer the personal data of the Data Subject to the following persons or organizations to the extent necessary: the company entrusted with accounting and storage services.
 

4. Rights of the data subject

4.1. Right of access

The Data Subject has the right to obtain confirmation from the Data Controller as to whether Personal Data concerning him or her are being processed and, where such processing is taking place, the right to obtain access to the Personal Data and the following information:

(i) the purposes of the processing in relation to the Personal Data concerned,
(ii) the categories of Personal Data concerned,
(iii) the categories of recipients to whom the Data Subject's Personal Data has been or will be disclosed,
(iv) the envisaged period for which the Data Subject's Personal Data will be stored, or if that is not possible, the criteria used to determine that period,
(v) the rights of the Data Subject (right to rectification, erasure or restriction, right to data portability, and right to object to the processing of such Personal Data),
(vi) the right to lodge a complaint with a supervisory authority.

If the Data Subject has submitted their request electronically, the requested information shall be provided in a commonly used electronic form, unless the Data Subject requests otherwise.

Prior to fulfilling the request, the Data Controller may ask the Data Subject to clarify the content of the request and to specify the requested information or data processing activities.

If the Data Subject's right of access under this section adversely affects the rights and freedoms of others, in particular their business secrets or intellectual property, the Data Controller shall be entitled to refuse to comply with the Data Subject's request to the extent necessary and proportionate.

If the Data Subject requests multiple copies of the above information, the Data Controller shall be entitled to charge a reasonable fee commensurate with the administrative costs of producing the additional copies.

If the Data Controller does not process the personal data specified by the Data Subject, it shall also inform the Data Subject thereof in writing.
 

4.2. Right to rectification

The Data Subject has the right to request the rectification of Personal Data concerning him or her. If the Personal Data concerning the Data Subject is incomplete, the Data Subject has the right to request the completion of the Personal Data.

When exercising the right to rectification/completion, the Data Subject shall indicate which data are inaccurate or incomplete and shall also inform the Data Controller of the accurate and complete data. The Data Controller is entitled, in justified cases, to request the Data Subject to provide the Data Controller with proof of the corrected data in an appropriate manner, primarily by means of a document.

The Data Subject shall correct or supplement the data without undue delay.

After fulfilling the Data Subject's request to exercise their right to rectification, the Data Controller shall immediately inform the persons to whom the Data Subject's Personal Data has been disclosed, provided that this is not impossible or does not require a disproportionate effort on the part of the Data Controller. At the request of the Data Subject, the Data Controller shall inform the Data Subject of these recipients.
 

4.3. Right to erasure ("right to be forgotten")

The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

(i) the Personal Data specified by the Data Subject is no longer necessary for the purposes for which it was collected or otherwise processed by the Data Controller,
(ii) the Data Controller has processed the Personal Data on the basis of the Data Subject's consent, the Data Subject has withdrawn their consent in writing and there is no other legal basis for the Data Processing,
(iii) the Data Subject objects to the Data Processing based on the legitimate interest of the Data Controller, and there is no compelling legitimate reason for the Data Controller that takes precedence over the interests, rights, and freedoms of the Data Subject, or that is related to the submission, enforcement, or protection of legal claims,
(iv) the Data Controller has unlawfully processed the Personal Data,
(v) the data processed by the Data Controller must be erased in order to comply with a legal obligation under Union or national law to which the Data Controller is subject,
(vi) the Data Subject objects to the processing and there are no overriding grounds for the processing.

The Data Subject shall submit their request for erasure in writing and shall indicate which personal data they wish to have erased and for what reason.

If the Data Controller grants the Data Subject's request for erasure, it shall erase the Personal Data from all its records and inform the Data Subject accordingly.

In the event that the Data Controller is obliged to erase the Data Subject's personal data, the Data Controller shall take all reasonable steps, including technical measures, to inform other data controllers who have become aware of the Data Subject's Personal Data as a result of its disclosure of the mandatory deletion of the Personal Data. The Data Controller shall inform the other data controllers in its information notice that the Data Subject has requested the deletion of links to the Data Subject's personal data or copies or replicas of such Personal Data.

After fulfilling the Data Subject's request to exercise their right to erasure, the Data Controller shall immediately inform the persons to whom the Data Subject's personal data has been disclosed, provided that this is not impossible or does not require a disproportionate effort on the part of the Data Controller. At the request of the Data Subject, the Data Controller shall inform the Data Subject of these recipients.

The Data Controller shall not be obliged to erase Personal Data if the processing is necessary:

(i) for the exercise of the right to freedom of expression and information,
(ii) for compliance with a legal obligation to which the Data Controller is subject under Hungarian or European Union law,
(iii) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller,
(iv) for the implementation of a public interest in the field of public health,
(v) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that the data processing is likely to become impossible or seriously jeopardized as a result of the exercise of the Data Subject's right to be forgotten,
(vi) for the establishment, exercise, or defense of legal claims.
 

4.4. Right to restriction of processing

The Data Subject has the right to request that the Data Controller restrict the processing and use of their Personal Data if any of the following reasons apply:

(i) the Data Subject disputes the accuracy of the Personal Data (in which case the restriction shall last until the Data Controller verifies the accuracy of the data),
(ii) the Data Controller has unlawfully processed the Personal Data, but the Data Subject requests restriction instead of erasure,
(iii) the Data Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims,
(iv) the Data Subject objects to the Data Processing based on the legitimate interests of the Data Controller, and there is no compelling legitimate reason for the Data Controller that takes precedence over the interests, rights, and freedoms of the Data Subject, or that is related to the submission, enforcement, or protection of legal claims; in this case, the restriction shall remain in place until it is determined whether the Data Controller's legitimate reasons take precedence over the Data Subject's legitimate reasons.

In the event of restriction, Personal Data may only be processed, with the exception of storage, with the consent of the Data Subject or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State of the European Union.

The Data Controller shall inform the Data Subject in advance of the lifting of the restriction on processing.

The Data Controller shall, upon fulfilling the Data Subject's request to exercise their right to restriction, immediately inform the persons to whom the Data Subject's Personal Data has been disclosed, unless this proves impossible or requires a disproportionate effort on the part of the Data Controller. At the request of the Data Subject, the Data Controller shall inform the Data Subject of these recipients.
 

4.5. Right to object

Given that the Data Controller does not perform data processing in the public interest and does not have public authority powers, does not conduct scientific or historical research, and does not process data for statistical purposes, the right to object may arise in the case of data processing based on legitimate interests.

If the data of the Data Subjects is processed on the basis of legitimate interest, it is an important safeguard provision that the Data Subject must be provided with adequate information and the right to object in relation to the Data Processing. The Data Subject must be expressly informed of this right at the latest when first contacting them.

On this basis, the Data Subject has the right to object to the processing of their personal data, in which case the Data Controller may no longer process the Data Subject's personal data, unless it can be demonstrated that

(i) the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, which override the interests, rights and freedoms of the Data Subject, or
(ii) the processing is necessary for the establishment, exercise or defense of legal claims by the Data Controller.
 

4.5.1. Right to object in the case of direct marketing

In the case of direct marketing activities carried out by the Data Controller, the Data Subject has the right to object to the processing of their Personal Data for this purpose. However, unlike Data Processing based on other legitimate interests, following an objection, the Data Controller is not in a position to consider whether it can continue to process the data despite the Data Subject's objection.

If the Data Subject objects to data processing for direct marketing purposes, the Data Controller may no longer process the Data Subject's data for this purpose.
 

4.6. Right to data portability

The Data Subject shall have the right to receive the Personal Data concerning him or her, which the Data Controller processes, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller.

The right to data portability may be exercised in respect of Personal Data which the Data Subject has provided to the Data Controller and

(i) the processing is based on the Data Subject's consent or on a contractual basis, and
(ii) the processing is carried out by automated means.

If technically feasible, the Data Controller shall, at the request of the Data Subject, transfer the Personal Data directly to another Data Controller specified in the Data Subject's request. The right to data portability under this section does not create an obligation for data controllers to introduce or maintain technically compatible data processing systems.

In the context of data portability, the Data Controller is obliged to provide the data carrier to the Data Subject free of charge.

In the event that the Data Controller's right to data portability adversely affects the rights and freedoms of others, in particular their business secrets or intellectual property, the Data Controller shall be entitled to refuse to comply with the Data Subject's request to the extent necessary.

Measures taken in the context of data portability do not mean that the data will be deleted; the Data Controller will continue to store the data for as long as the Data Controller has a legitimate purpose or legal basis for processing the data.


4.7. Right to legal remedy

4.7.1. Right to lodge a complaint

If the Data Subject considers that the processing of their Personal Data by the Data Controller violates the provisions of the data protection legislation in force at any given time, in particular the GDPR, they have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information.

Contact details of the National Authority for Data Protection and Freedom of Information:
Website: http://naih.hu/
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: 1530 Budapest, Pf.: 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

The Data Subject has the right to lodge a complaint with another supervisory authority, in particular in the European Union Member State of his or her habitual residence, place of work or place of the alleged infringement.
 

4.7.2. Right to appeal to the court (right to bring an action)

The Data Subject may, regardless of their right to lodge a complaint, appeal to the court if their rights under the GDPR have been violated in the processing of their Personal Data.

Legal proceedings may be brought against the Data Controller as a data controller with a domestic place of business before a Hungarian court.

The Data Subject may also bring legal proceedings before the court of their place of residence in accordance with Section 22(1) of the current Infotv. The contact details of courts in Hungary can be found at the following link: http://birosag.hu/torvenyszekek.

Given that the Data Controller is not a public authority exercising public powers in a Member State, the Data Subject may also bring the action before the court with jurisdiction and competence in the Member State of his or her habitual residence, if the Data Subject's habitual residence is in another Member State of the European Union.
 

4.7.3. Other options for enforcing claims

The Data Subject has the right to entrust a non-profit organization or association, established in accordance with the law of a Member State of the European Union and whose statutory objectives are to serve the public interest and to protect the rights and freedoms of data subjects with regard to personal data, with lodging a complaint on his or her behalf, seeking judicial review of the supervisory authority's decision, initiating legal proceedings, and enforcing his or her right to compensation.
 

5. Other provisions

In the event that the Data Controller has reasonable doubts regarding the identity of the person submitting the request in accordance with the points of the Notice, the Data Controller may request additional information necessary to confirm the identity of the Data Subject.

The Data Controller reserves the right to amend the Information at any time. The Data Controller shall notify the Data Subject of the amendment [by publication on the website, postal mail, etc.] at least 30 days prior to the amendment taking effect.
 
* * *
Budapest, March 22, 2024.

____________________________
4N Gasztronómia Kft.
Represented by: Ibolya Csahók, Managing Director