CONTINENTAL CITYGOLF CLUB
loading...
CONTINENTAL
CITYGOLF CLUB
 
 

PRIVACY POLICY

CONTINENTAL GOLF KLUB KFT. 

Privacy Policy

Related to golf course management and guests

 

This Privacy Policy (“Policy”) is to inform data subjects in compliance with  Article 13 AND 14 of Regulation (EU) 2016/679 (General Data Protection Regulation) of the EU Parliament and Commission in relation to the processing of personal data during the course of providing and preparing hotel services.

1. Data Controller’s contact details

Company name of data controller: Continental Golf Klub Kft. (hereinafter referred to as: “Controller”)

Official Seat: 1054 Budapest Kálmán Imre utca 21.

Mailing address: 1037 Budapest Perényi út 6.

Tax ID number: 27132920-2-41

Registration Number: 01-09-351217

Represented by: Rajmond Spák 

2. Processing of data subjects’ personal data

2.1 Scope of data subjects

During the pursuit of its hotel management activities the Controller shall process the personal data of the following natural persons (hereinafter referred to as: Data Subjects): club membersguests

2.2 Categories of personal data processed

The Controller shall process the following personal data relating to the Data Subject:

a) family name and first name
b) sex
c) date and place of birth
d) nationality
e) e-mail cím (own)
f) telephone number (own)
g) type of membership, validity
h) HCP (hendikep)
i) method of payment
j) amount paid, date of crediting payment

The Data Subject shall disclose the data to be processed to the Controller by the following channels:

  • registration form
  • credit card authorization form
  • consumption form

2.3 Legal grounds, purpose and duration of data processing

2.3.1        Preparation and performance of a contract for the provision of the services of the golf facility

Personal data processing is necessary for the purpose of preparing and performing a contract for the provision of golf course services (hereinafter referred to as: the “Contract”).

Purpose of personal data processing:

  • performance of obligations related to golf competitions and related services
  • record of pre-purchased and pre-paid gift certificates
  • the Data Subject’s contact details are processed for communication purposes; eg. managing issues arising during the use of the services etc.
  • invoice data are recorded for receivables management purposes
  • to ensure smooth check-out operations in case of IT problems

The duration of data processing shall be the same as the preparation and in case of concluding a contract the performance thereof, except for the following cases:

  • check-in card, invoices - paper version 8 years

With regard to the fact that the Controller is unable to prepare and perform the contract without disclosure of the above personal data the Data Subject shall be obliged to provide them to the Controller. Failure to do so may result in the Controller refusing to prepare or perform the contract with the Data Subject.

In the event of failure to conclude a contract or the termination of a contract the Controller shall not erase the personal data from its database. 

2.3.2       Performance of legal obligations:

The Controller shall control the Data Subject’s personal data defined in the applicable legistlation for the purpose of compliance with the following legal regulations for the following lengths of time:

  • Obligation to issue an invoice, correction of invoices in case of any errors upon issuing (Article 2 of § 169 of Act No. C of 2000 on accounting ) – 8 years

With consideration to the fact that the data processing described in this section is the Controller’s legal obligation, the provision of such personal data is mandatory and refusal to provide the data may result in refusal to conclude the Contract or execute the Contract.

2.3.3       Legitimate interests of the Controller AND/OR a third party

The Controller shall control the Data Subject’s personal data detailed above on the grounds of legitimate interests for the following purposes and for the following lengths of time:

  • Problem management 
  • Guest satisfaction development
  • Informing guests 
  • Verification of information provided by guests (e.g. golf tournament license, parent club, HCP)

The purpose of data processing under this section is to enable the Controller to exercise his legitimate interests.

The duration of data processing shall be the same as the preparation and in case of concluding a contract the validity thereof, furthermore in case of data controlling  for compliance with a legal obligation, the time period defined by law.

With consideration to the fact that the data processing described in this section is the Controller’s or third party’s legitimate interest, the provision of such personal data is mandatory and refusal to provide the data may result in refusal to conclude the Contract or execute the Contract.

2.3.4       Consent of the Data Subject

Personal data shall be processed in certain cases on the basis of the Data Subject’s consent (voluntary expression of explicit will, based on specific and proper information). The Data Subject shall give his or her consent to the Controller on the Controller’s website, the check-in card or the guest satisfaction questionnaire.

Consent shall be voluntary and the Data Subject shall have the right to revoke his or her consent at any time without restrictions via a written notification to the Controller. The Data Subject may send his or her written notification to either of the contact details contained in section 1 of the Privacy Policy.

Revoking his or her consent shall result in no consequences to the Data Subject. However, revoking his or her consent shall not affect the lawfulness of data processing on the grounds of consent prior to revoking it.

2.4 Right to decide on automated individual decision-making, including profiling

The Controller does not pursue automated decision-making, including profiling.

3. Recipients of personal data

The Controller shall transmit the Data Subject’s personal data to the following persons and organizations (data processors):

  • External IT companies for the purposes of systems operation, see guest data in 2.2
  • Guest data contained in the Billingo invoicing software, see 2.2
  • Hungarian Golf Association for the purpose of rendering services, see guest data in 2.2
  • Police, upon request (camera recordings)

4. Data Subject rights

The Controller examines any request of the Data Subjects within 72 hours from its receipt and answers it within 30 days. 

4.1        Right of access

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and if so, access to the personal data and the following information:

  • the purposes of the processing of the specific personal data,
  • the categories of personal data concerned,
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations (if personal data are transferred to a third country or to an international organization, the Data Subject shall have the right to be informed of whether the data transfer is done with the appropriate safeguards and guarantees),
  • the planned period for which the personal data will be stored, or if not possible, the criteria used to determine that period,
  • the rights of the Data Subject (rectification, erasure or restriction of processing, portability and the right to object to the processing of such personal data),
  • the right to lodge a complaint with a supervisory authority,
  • where the personal data were not collected from the Data Subject, all available information as to their source,
  • the existence of automated decision-making, including profiling; and, at least in cases where such processing is done, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Where the Data Subject makes the request by electronic means, and unless otherwise requested by the Data Subject, the information shall be provided in a commonly used electronic form.

The Controller shall have the right to request clarification or specification of the requested information or data processing activities from the Data Subject prior to responding to the Data Subject’s request.

In the event that the Data Subject’s right of access set forth in this section adversely affects the rights and freedoms of other persons, especially their business secrets or intellectual properties, the Controller shall have the right to refuse the  Data Subject’s request to the extent that is necessary and proportionate.

Where the Data Subject requests several copies of the above information, the Controller may charge a reasonable and proportionate fee based on administrative costs.

If the Controller does not process the personal data specified by the Data Subject, the former shall also inform the Data Subject of this fact in writing.  

4.2 Right to rectification

The Data Subject shall have the right to request the rectification of inaccurate personal data concerning him or her. The Data Subject shall have the right to have incomplete personal data completed.

Upon exercising his or her right of rectification/completion the Data Subject shall indicate exactly which data are inaccurate or incomplete and shall also communicate to the Controller the correct and complete data. The Controller has the right to request that the  Data Subject provide proper proof of the rectified data, primarily with proper documentation.

The Controller shall perform the rectification of inaccurate personal data without undue delay the.

Following rectification of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.

4.3 Right to erasure (“right to be forgotten”)

The Data Subject shall have the right to request that the Controller erase his or her personal data without undue delay where one of the following grounds applies:

  • the personal data specified by the Data Subject are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Controller,
  • the Data Subject withdraws consent on which the processing of his or her personal data (including special categories of personal data) was based and there is no other legal ground for the processing,
  • the Data Subject objects to the Controller processing his or her data on the grounds of its legitimate interests and the Controller has no legitimate grounds for the processing that override the Data Subject’s interests, rights or freedoms or that are relevant to the establishment, exercise or defense of legal claims,
  • the personal data was unlawfully processed by the Controller,
  • the personal data have to be erased for compliance with a legal obligation in EU or Member State law to which the Controller is subject,
  • the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing.

The Data Subject shall submit his or her request relating to erasure in writing and shall specify the reason for requesting the erasure of each personal data.

In the event that the Controller grants the Data Subject his or her request of erasure, the former shall erase the specified personal data from all databases and duly inform the Data Subject of it.

Where the Controller is obliged to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. In its communication the Controller is obliged to inform the other controllers that the Data Subject had requested the erasure of all links to or copies of his or her personal data, as well as any copies thereof.

Following erasure of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.

The Controller is not obliged to erase the personal data in cases where the processing is necessary:

  • for exercising the right of freedom of expression and information,
  • for compliance with a legal obligation arising from a Hungarian or EU legal regulation which requires processing by the Controller,
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
  • for reasons of public interest in the area of public health,
  • for archiving purposes in the public interest, scientific or historical research purposes, in so far as the Data Subject’s exercising his or her right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing,for the establishment, exercise or defense of legal claims.

4.4 Right to restriction of processing

The Data Subject shall have the right to request that the Controller restrict the processing or use of his or her personal data without undue delay where one of the following grounds applies:

  • the accuracy of the personal data is contested by the Data Subject (in which cases the restriction shall apply for a period enabling the Controller to verify the accuracy of the personal data),
  • The data was unlawfully processed by the Controller, but the Data Subject requests restriction instead of erasure,
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims,
  • the Data Subject objects to the Controller processing his or her data on the grounds of its legitimate interests and the Controller has no legitimate grounds for the processing that override the Data Subject’s interests, rights or freedoms or that are relevant to the establishment, exercise or defense of legal claims; in such cases the restriction shall apply until it is established whether the legitimate interests of the Controller override the legitimate interests of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, shall only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the EU or of a Member State.

A  Data Subject who has obtained restriction of processing shall be informed by the Controller before the restriction of processing is lifted.

Following restriction of the Data Subject’s personal data the Controller shall inform the persons to whom he had transferred the data without undue delay, assuming that such communication is not impossible and does not require disproportionate effort from the Controller. The Controller shall inform the Data Subject of such recipients upon the latter’s request.

4.5 Right to object

Considering that the Controller does not perform any data processing carried out in the public interest and has no official authority, does not pursue scientific or historical research and does not process data for statistics purposes, the right to object may be exercised on the grounds of data processing on the grounds of legitimate interests.

In the event that the the personal data of the Data Subjects are processed on the grounds of legitimate interests it is an imperative guarantee that the Data Subject shall be ensured proper information regarding the data processing of his or her data and his or her right to object. The Data Subject shall be expressly informed of this right latest at the time of initial contact.

The Data Subject is entitled to object to the processing of his or her personal data on the above grounds and in such cases the Controller shall no longer have grounds to lawfully process the Data Subject’s personal data, except in cases where it can be demonstrated that:

  • the Controller has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or
  • the processing of the data is related to the establishment, exercise or defense of legal claims by the Controller.

4.5.1 Right to object to direct marketing

The Data Subject is entitled to object to the processing of his or her personal data for direct market purposes.

Where the Data Subject objects to processing for direct marketing purposes, the Controller shall no longer process the Data Subject’s personal data for such purposes.

4.5.2 Profiling

During profiling, the personal characteristics of the Stakeholders are evaluated by some automated method. Such assessments may be used, for example, to analyze or predict the characteristics of the Data Subject related to work performance, economic situation, health status, personal preferences, interest, reliability, behavior, location or movement.

The right to protest also extends to profiling based on a legitimate interest as a specific data processing operation. If profiling is carried out for direct marketing purposes, then profiling based on your personal data must be stopped immediately following the data subject's protest.

4.6 Right to data portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Controller.

The right to data portability may only be exercised in relation to the personal data provided by the Data Subject to the Controller and

  • where data processing is based on the legal grounds of a contract and
  • data processing is performed by automated means.

Otherwise, in cases where it is technically possible, the Controller shall directly transmit the Data Subject’s personal data to another controller designated in the Data Subject’s written request. The right to portability as defined in this section does not give rise to an obligation for the controllers to introduce or maintain technically compatible data processing systems.

With regard to data portability the Controller shall provide the data media required to transfer the data to the Data Subject free of charge.

In the event that the Data Subject’s right to data portability adversely affects the rights and freedoms of other persons, especially their business secrets or intellectual properties, the Controller shall have the right to refuse the  Data Subject’s request to the extent that is necessary and proportionate.

Measures taken in relation to data portability do not mean the erasure of the data.  The Controller shall store the data up to the point that the Controller has relevant purposes and sufficient legal grounds to do so.

4.7 The right to decide on automated decision-making in individual cases, including profiling

The Data Subject shall have the right to request not to be covered by a decision based solely on automated data processing, including profiling, which would have legal effect on him/her or be similarly significantly affected.

The Data Subject shall not be entitled to request an exemption from the decision based on automated data processing if the decision is necessary for the conclusion or performance of the contract or if the decision is permitted by European Union or Member State law or with the data subject's express consent.

If the automated data processing is necessary for the conclusion or performance of a contract or is based on the data subject's consent, the Data Subject has the right to request human intervention from the Data Controller, to express his / her position and to object to the decision.

In its data management, the Data Controller makes every effort to avoid the inclusion of data belonging to special categories of personal data in automated decision-making. However, if this cannot be avoided, automated decisions on specific categories of personal data may only be taken if the processing is based on the data subject's consent or appropriate measures have been taken in accordance with European Union or Member State law and in the overriding public interest.

4.8 Right to legal remedies

4.8.1       Right to lodge a complaint

The Data Subject shall have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information if he or she considers that the processing of his or her personal data by the Controller infringes on the effective data protection legislation, especially the GDPR.

The contact details for the National Authority for Data Protection and Freedom of Information:

Website: http://naih.hu/

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Mailing address: 1530 Budapest, Pf.: 5.

Phone: +36-1-391-1400

Fax: +36-1-391-1410

Email address: ugyfelszolgalat@naih.hu

The Data Subject shall have the right to lodge a complaint with other supervisory authorities, in particular in the EU Member State of his or her habitual residence, place of work or place of the alleged infringement.

4.8.2      Right of access to the courts (Right of legal action)

Without prejudice to his or her right to lodge a complaint, the Data Subject shall have the right of access to the courts where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data.

Proceedings against the Controller shall be brought before the courts of Hungary, as its activities are based in Hungary.

Pursuant to § 22. (1) of the effective Information Act, the Data Subject may also bring proceedings before the courts where the Data Subject has his or her place of habitual residence. The contact details of the Hungarian courts are available at: http://birosag.hu/torvenyszekek.

Since the Controller does not qualify as a public authority acting as an official authority of any member state, the Data Subject may bring proceedings before the courts with jurisdiction and authority at the place of the Data Subject’s place of residence in the event that his or her habitual residence is in another EU member state.

4.8.3      Other recourse options

The Data Subject shall have the right to mandate a not-for-profit body, organization or association which has been properly established in accordance with the law of an EU Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise on his or her behalf the right to receive compensation, the right to an effective judicial remedy against a supervisory authority or to bring a legal suit in front of the courts.

5. Miscellaneous

Where the Controller has reasonable doubts regarding the identity of the person making the request relating to sections 4.1 – 4.6 of this Policy, the Controller may request that the Data Subject provide access to additional information needed to verify his or her identity.

The Controller reserves the right to modify this Policy at any time. The Controller shall notify the Data Subject of such modifications at least 8 days prior to their entering into force via publishing on its website

 

* * *

 

Budapest, January 20, 2020

 

 

____________________________

Continental Golf Klub Kft.

Represented by:

Rajmond Spák - Managing Director