Data Management Notice
Under Regulation 2016/679 (hereinafter: GDPR) of the European Parliament and of the Council (EU), this Data Management Notice (hereinafter: the Notice) informs the data subject (hereinafter: the Data Subject) about the personal data (hereinafter: the Personal Data) processed in connection with the www.standrestaurant.hu website.
1. Data controller and contact details
| Company name of the data controller: | 4N Gastronomy Ltd. (hereinafter: Data Controller) |
| Registered address: | H-1155 Budapest, Rákos út 102., 10th floor 64. |
| Business premises: | H-1061 Budapest, Székely Mihály utca 2. |
| Postal address: | H-1061 Budapest, Székely Mihály utca 2. |
| E-mail address: | info@standrestaurant.hu |
| Telephone: | +36 30 785 9139 |
| Website: | www.standrestaurant.hu |
2. Controlling of data subject's data
2.1. Affected parties
The Data Controller manages the personal data of the following natural person(s) (hereinafter: the Data Subject): visitors to the website and subscribers to the newsletter.
2.2. Categories of Personal Data managed
The Data Controller manages the following personal data of the Data Subject:
(i) names and forenames
(ii) e-mail address
(iii) phone number
(iv) billing address
During a reservation made over the phone, the Data Subject shall provide the processed personal data to the Data Controller by telephone, in a separate written statement, by e-mail or via one of the above internet interfaces.
2.3. Purpose, legal basis and duration of the data management
The purpose of Data Control is to maintain contact, identify the Data Subject, possibly enter into a contract, and improve the quality of the service.
The legal basis of Data Management is the preparation, performance, legitimate interest, legal obligation or consent of the Data Subject.
The period of storage (retention) of Personal Data is two years from the date of granting the Consent.
2.3.1. Preparing for the conclusion of a service contract and performance of the contract for the provision of the service
The management of Personal Data is necessary for the preparation and fulfilment of the conclusion of the contract for the provision of the service (hereinafter: “Contract”).
2.3.2. Fulfilment of a legal obligation
The Data Controller manages the personal data of the Data Subject for the purpose of fulfilling the following legal obligations for the following period of time: for the fulfilment of the following legal obligations for eight years.
Section 169 (2) of Act C of 2000 on Accounting provides that "[the] accounting documents underlying the accounting records directly or indirectly (including ledger accounts, analytical records and registers) shall be retained for minimum eight years, shall be legible and retrievable by means of the code of reference indicated in the accounting records."
Considering that the data management according to this section is the legal obligation of the Data Controller, the provision of Personal Data is obligatory; the non-provision of data may result in the refusal to enter into the Contract or to perform the Contract.
2.3.3. Legitimate interest of the Data Controller and third parties
The Data Controller manages the personal data of the Data Subject on the basis of the following legitimate interests for the following purpose and for the following period: eight years.
Considering that the data management according to this section is the legal obligation of the Data Controller, the provision of Personal Data is obligatory; the non-provision of data may result in the refusal to enter into the Contract or to perform the Contract.
2.3.4. Data Subject's Consent
The processing of personal data is based on the Consent of the Data Subject (voluntary, specific and duly informed and clear declaration of intent). The Data Subject may make
(i) the consent separately from other statements in the contract for the provision of
(ii) the service or in a se
(iii) parate statement [if the statement of Consent was given otherwise, e.g. through a certain online interface, its exact and verifiable definition is required].
The Consent is voluntary, and the Data Subject has the right to withdraw their Consent at any time without restriction by notifying the Data Controller. The notification may be sent by the Data Subject to any of the contact addresses specified in Section 1 of the Notice.
Withdrawal of Consent has no consequences for the Data Subject. However, the withdrawal of Consent shall not affect the lawfulness of the pre-withdrawal data management carried out on the basis of the Consent.
2.3.5. Submission, enforcement and protection of legal claims arising from the Contract
According to the general rule of limitations of Act V of 2013 on the Civil Code and pursuant to Section 2.3.1 of this Notice, the Personal Data of the Data Subject not deleted after the failure of entering into a contract or after the termination of the Contract shall be retained by the Data Controller for five years following the failure of entering into a contract or the termination of the Contract.
The purpose of the Data Management pursuant to this clause is to enable the Data Controller to enforce any rights and claims arising from the Contract or to defend itself in the event of the submission of such legal claims or demands. Failure if handling the data may result in the refusal to enter into the Contract or to perform the Contract.
2.4. The right to decide on automated decision-making in individual cases, including profiling
The Data Controller does not perform automated decision making, including profiling.
3. Recipients of the Personal Data
The Data Controller transmits the personal data of the Data Subject to the following persons or organisations to the necessary extent: a company entrusted with accounting and hosting services.
4. Rights of the Data Subject
4.1. Right of access
The Data Subject shall have the right to obtain confirmation from the Data Controller as to whether or not personal data concerning them are being managed, and, where that is the case, access to the personal data and the following information:
(i) the purposes of the Data Management in relation to the given Personal Data,
(ii) the categories of Personal Data concerned,
(iii) the categories of recipients to whom the personal data of the Data Subject have been or will be communicated,
(iv) the intended period of storage of the Personal Data concerned or, if this is not possible, the criteria for determining this period,
(v) the Data Subject's rights (right of rectification, erasure or restriction, as well as right to data portability and right to object to the processing of such Personal Data),
(vi) the right to lodge a complaint with a supervisory authority;
If the Data Subject submitted the request electronically, then the requested information shall be made available in widely used electronic format, unless the Data Subject expressly requested otherwise.
Prior to the execution of the request, the Data Controller may request the Data Subject to clarify its content and to accurately specify the requested information and data management activities.
If the Data Subject's right of access under this section adversely affects the rights and freedoms of others, in particular the trade secrets or intellectual property of others, the Data Controller shall be entitled to refuse the Data Subject's request to the extent necessary and proportionate.
In the event that the Data Subject requests the above information in several copies, the Data Controller is entitled to charge a fee that is proportionate and reasonable to the administrative costs of making the additional copies.
If the personal data indicated by the Data Subject is not managed by the Data Controller, then the Data Controller shall inform the Data Subject in writing.
4.2. Right to rectification
The Data Subject has the right to request the correction of the Personal Data relating to them. If the Personal Data of the Data Subject is incomplete, the Data Subject is entitled to request the supplementation of the Personal Data.
During the exercise of the right related to the correction/supplementation, the Data Subject is obliged to indicate which data are inaccurate or incomplete and is also obliged to inform the Data Controller about the accurate and complete data. In justified cases, the Data Controller is entitled to call on the Data Subject to provide evidence on the specified data to the Data Controller in an appropriate manner, primarily by a document.
The Data Subject shall correct and supplement the data without undue delay.
The Data Controller shall immediately inform the persons with whom the Data Subject has communicated their Personal Data after the fulfilment of their request to exercise their right to rectification, provided that it is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the Data Subject, the Data Controller will inform them of these recipients.
4.3. Right to deletion (“the right to forget”)
The Data Subject shall have the right to propose that the Data Controller delete their personal data(s) without undue delay if any of the following reasons exist:
(i) the personal data provided by the Data Subject are not required for the purpose for which they were collected or otherwise managed by the Data Controller,
(ii) the Data Controller has processed the personal data on the basis of the Data Subject's Consent, the Data Subject has withdrawn their Consent in writing, and there is no other legal basis for the Data Management,
(iii) the Data Subject objects to Data Management based on the legitimate interest of the Data Controller, and there is no compelling legitimate reason for the Data Controller to take precedence over the interests, rights and freedoms of the Data Subject or related to the filing, enforcement or defence of legal claims,
(iv) the Data Controller has unlawfully processed the Personal Data,
(v) the data managed by the Data Controller must be deleted in order to comply with any legal obligation under EU or national law applicable to the Data Controller,
(vi) the Data Subject objects to the data handling, and there is no overriding reason for the Data Management.
The Data Subject shall submit a request for the deletion in writing and shall indicate the reason for which the personal data are to be deleted.
If the Data Controller accepts the Data Subject's request for deletion, it shall delete the personal data managed from all of its records and shall inform the Data Subject accordingly.
In the event that the Data Controller is obliged to delete the Personal Data of the Data Subject, the Data Controller shall take all reasonable steps, including the use of technical measures, necessary to inform the data controllers who have the Personal Data of the Data Subject because of them having been disclosed of the obligatory deletion of the personal data. The Data Controller shall inform the other Data Controllers in its notice that the Data Subject has requested the deletion of links to the personal data of the Data Subject or of a copy or a duplicate copy of such personal data.
The Data Controller shall immediately inform the persons with whom the Data Subject has communicated their Personal Data after the fulfilment of their request to exercise their right to rectification, provided that it is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the Data Subject, the Data Controller will inform them of these recipients.
The Data Controller shall not be obliged to delete personal data if such data processing is necessary for the following:
(i) the exercise of the right to freedom of expression and information,
(ii) to comply with any obligation placed on the Data Controller under Hungarian or European Union law to manage personal data,
(iii) for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller,
(iv) the pursuit of general interest in the field of public health,
(v) kfor archiving in the public interest, for scientific and historical research or for statistical purposes, provided that the exercise of the Data Subject's right to forget is likely to render impossible or seriously compromise the processing of data,
a) for the filing, enforcement or defence of legal claims.
4.4. Right to restrict data management
The Data Subject is entitled to propose that the Data Controller restrict the handling and use of their Personal Data if any of the following reasons exist:
(i) the Data Subject disputes the accuracy of the personal data (in which case the restriction will continue until the Data Controller verifies the accuracy of the data),
(ii) the Data Controller has unlawfully managed the personal data, but the Data Subject requests a restriction instead of a deletion,
(iii) the purpose of the Data Management for the Data Controller has ceased to exist, but the Data Subject requires them for the purpose of submitting, asserting or defending legal claims,
(iv) the Data Subject objects to data management based on the legitimate interest of the Data Controller, and there is no compelling legitimate reason for the Data Controller to take precedence over the interests, rights and freedoms of the Data Subject or related to the filing, enforcement or defence of legal claims; in this case, the restriction shall continue to apply until it is determined that the Data Controller's legitimate reasons take precedence over those of the Data Subject.
In case of a restriction, with the exception of storage, personal data may only be processed with the Consent of the Data Subject or for the purpose of asserting, enforcing or defending legal claims, or protecting the rights of any other natural or legal person, or for important public interest purposes of the European Union or any member state of the European Union.
The Data Controller shall inform the Data Subject in advance of the lifting of the restriction of data management.
The Data Controller shall immediately inform the persons with whom the Data Subject has communicated their Personal Data after the fulfilment of their request to exercise their right to rectification, provided that it is not impossible or does not require a disproportionate effort from the Data Controller. At the request of the Data Subject, the Data Controller will inform them of these recipients.
4.5. Right to objection
Due to the fact that the Data Controller does not carry out data management in the public interest and does not have public authority rights, it does not carry out scientific or historical research, nor does the data management take place for statistical purposes; thus, if the data management is based on a legitimate interest, the right to protest may be exercised.
If the management of the data of the Data Subject(s) is based on a legitimate interest, an important guarantee provision is that the Data Subject shall be provided with appropriate information and the right to object in relation to the Data Management. This right must be expressly brought to the attention of the Data Subject at the latest at the time of the first communication.
Based on this, the Data Subject has the right to object to the management of their personal data, in which case the Data Controller may not further manage the personal data of the Data Subject unless it can be proved that:
(i) the data management carried out by the Data Controller is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the Data Subject, or
(ii) the Data Management is related to the filing, validation or defence of the Data Controller's legal needs.
4.5.1. The right to protest in the case of a direct business acquisition
In the case of direct marketing activities carried out by the Data Controller, the Data Subject has the right to protest against the processing of their Personal Data for this purpose. However, unlike in the case of Data Management based on other legitimate interests, following the protest, it will not be possible for the Data Controller to consider whether it may continue to manage the data in the event of a Data Subject's objection.
If the Data Subject objects to the data management for direct marketing purposes, the Data Controller may no longer process the Data Subject's data for this purpose.
4.6. Right to data portability
The Data Subject has the right to receive the Personal Data concerning them managed by the Data Controller in a structured, widely used, machine-readable format, and they have the right to transfer this data to another data controller without the Data Controller's interference.
The right to data portability may be exercised in respect of the Personal Data provided by the Data Subject to the Data Controller, and
(i) the data management is based on the Data Subject's Consent or on a contractual basis, and
(ii) the Data Management is automated.
If it is otherwise technically feasible, at the request of the Data Subject, the Data Controller shall transfer the Personal Data directly to another Data Controller indicated in the Data Subject's request. The right to data portability under this point does not create an obligation for data controllers to implement or maintain technically compatible data management systems.
Within the scope of data portability, the Data Controller is obliged to make the data carrier available to the Data Subject free of charge.
In the event that the Data Controller's right to data portability adversely affects the rights and freedoms of others, in particular the business secrets or intellectual property of others, the Data Controller is entitled to refuse to comply with the Data Subject's request to the extent necessary.
AThe measure taken within the scope of data portability does not mean the deletion of data; they are registered by the Data Controller as long as the Data Controller has an appropriate purpose or legal basis for the management of the data.
4.7. Right to legal remedies
4.7.1. Right to complain
If the Data Subject considers that the management of personal data carried out by the Data Controller violates the prevailing data protection laws, in particular the GDPR, he has the right to submit a complaint to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság).
Contact details of the National Authority for Data Protection and Freedom of Information:
Home page: http://naih.hu/
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Postal address: H-1530 Budapest, Pf.: 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
The data subject has the right to file a complaint to a supervisory authority in another member state of the European Union, in particular in a member state different from the one of their habitual residence, place of work or the place of alleged infringements.
4.7.2. Right to apply to the courts (right of action)
Regardless of their right to complain, the Data Subject may apply to the courts if their personal data have been violated under the GDPR.
The Data Controller, as a data controller with a place of activity in Hungary, may be sued before a Hungarian court.
The Data Subject may also bring the case before the court at the place of their residence, according to the Act on Information Technology, Section 22, Paragraph (1). The contact details of the Hungarian courts can be found at the following link: http://birosag.hu/torvenyszekek.
Given that the Data Controller is not a public authority of any member state, acting by exercising its public authority rights, the Data Subject may also bring an action before the competent court having jurisdiction in the member state of their habitual residence if the Data Subject's habitual residence is in another member state of the European Union.
4.7.3. Other claim options
The Data Subject has the right to entrust a non-profit organisation or association with filing a complaint on its behalf, reviewing the decision of the supervisory authority, bringing an action and enforcing their right to compensation; the non-profit organisation or association has to be one that was established in accordance with the law of a member state of the European Union, and its statutory objectives are to serve the public interest and to protect the rights and freedoms of data subjects with regard to personal data.
5. Other Provisions
In the event that the Data Controller has a reasonable doubt as to the identity of the person making the request under sections 4.1 - 4.6 of the Notice, the Data Controller may request the provision of additional information necessary to confirm the identity of the Data Subject.
The Data Controller reserves the right to modify the Notice at any time. The Data Controller shall notify the Data Subject of the modifications by [publication on the website, postal correspondence, etc.] at least 30 days before the modifications enter into force.
* * *
Budapest, March 22nd, 2024.
____________________________
4N Gastronomy Ltd.
Represented by: Ibolya Csahók, managing director
