HomePrivacy policy

Gyulai Turisztikai
Nonprofit Kft.

Privacy and data management policy

Gyula Tourism Non-profit Kft. (Registered office: 5700 Gyula, Kossuth Lajos utca 7., hereinafter referred to as "Data Controller") informs data subjects in this policy about the processing of data in connection with its activities, including the website https://www.visitgyula.com/ ("Website").

The Data Controller shall at all times process the personal data that comes to its knowledge in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Info Act.), Act V of 2013 on the Civil Code (Civil Code), Act 2008. Act XLVIII of 2001 on certain aspects of electronic commerce services and information society services (Act on electronic commerce services and information society services), Act C of 2000 on accounting (Act on Accounting) and this Information Notice, only to the extent strictly necessary for the purpose of the processing.

The Data Controller reserves the right to change the provisions of this Notice. The Data Controller will notify the data subject of any changes by means of a short notice on the Website or directly, depending on the nature of the change. If the data subject continues to use the services of the Data Controller following the notification, this shall be deemed to constitute acceptance of the amended provisions of this Notice.

This Policy does not cover the processing of data of websites to which a link on the Website leads or of data of persons to whom the Controller transfers personal data.

The Data Controller will also process personal data collected directly from data subjects and received from other data controllers in accordance with this Policy.

Terms used in this Policy shall at all times have the meaning given to that term in the GDPR.

Accordingly, the following terms have the following meanings:

Personal data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The personal data shall retain that quality during processing for as long as the natural person can be identified on the basis of that information.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

A controller is a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

1.Data of the Data Controller

Name: Gyulai Turisztikai Nonprofit Kft

Headquarters: 5700 Gyula, Kossuth Lajos street 7.

Contact: adatvedelem@visitgyula.com

Tax No: 12418507-2-04

Represented by: Aliz Komoróczki (executive director)

2. Storage of personal data managed by the data controller

The personal data processed by the data controller is stored on paper and in electronic form.

3. The scope of the personal data processed by the Data Controller, purpose of processing, legal basis and storage period

3.1. Personal data of business partners and their intermediaries

The Data Controller processes the personal data of business partners and their employees, contact persons, natural persons acting on their behalf and contractors in accordance with this Policy.

The data processed include: name, position, workplace, contact details (e-mail address, telephone number, address, etc.)

Purpose of data processing: maintaining contact in connection with the establishment and implementation of cooperation, performance of contract, sending business offers.

Legal basis for processing: voluntary, specific, and appropriate informed consent of the data subject (Article 6(1)(a) GDPR), or the performance of a contract or the legitimate interests of the Data Controller (Article 6(1)(b) and (f) GDPR).

The user has the right to withdraw his consent to the processing of all or part of his personal data at any time by sending an e-mail to adatvedelem@visitgyula.com. Such consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.

Where processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, the data subject may object to the processing of his or her personal data. In such a case, the Controller may no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Duration of data processing: until 30 days after the withdrawal of consent or, failing that, until 5 years after the termination of cooperation.

3.2. Personal data provided in connection with requests sent to the Data Controller

The Data Controller shall process personal data not falling under the category set out in point 3.1 which are communicated orally or in writing by the data subject to the Data Controller (including all employees of the Data Controller and persons acting on behalf of the Data Controller) in accordance with this Notice.

The data processed include: the name of the data subject, contact details (e-mail address, telephone number, address), other personal data necessary for the processing of the matter in respect of which the request has been made.

The purpose of the processing: to identify the data subject, to contact the data subject, to fulfil the request or to handle the matter requested.

Legal basis for the processing: the data subject's voluntary, specific, and informed consent (Article 6(1)(a) GDPR), given by the data subject when making the request.

The user has the right to withdraw his consent to the processing of all or part of his personal data at any time by sending an e-mail to adatvedelem@visitgyula.com. Such consent shall not affect the lawfulness of the processing based on consent prior to its withdrawal.

Failure by the data subject to provide the Controller with the data requested by the Controller and necessary for the purposes of the processing may result in the Controller being unable to comply with the request.

Duration of processing: until consent is withdrawn or, in the absence of consent, for 1 year after the closure of the case in which the request was made. In the former case, the deletion of personal data will take place within 30 days of the receipt of the withdrawal of consent by the Controller. Even in the case of withdrawal of consent, the Controller is entitled to process the personal data of the data subject where it has another legal basis for the processing (e.g. processing necessary for compliance with a legal obligation or for the purposes of the exercise of a legitimate interest).

3.3 CVs

Scope of data processed: according to CV (e.g. name, address, telephone number, e-mail address)

Purpose of processing: The data is processed solely for the purpose of providing support and advice to the Applicant on the basis of his/her application, voluntary disclosure of data, in relation to his/her future employment, and to examine the possibility of employment of the Applicant for the indicated positions, to invite him/her for an interview and to interview him/her.

Legal basis for processing: voluntary, specific and informed consent of the data subject (Article 6(1)(a) GDPR). Possible legal consequences of not providing the data: the Data Controller cannot employ the Candidate without the consent, given that it cannot make an informed decision on the employment in the absence of a CV.

Duration of processing: personal data contained in the CV of the Applicant, whether obtained directly from the Applicant or from the Human Resources Centre, will be processed by the Data Controller until the date of the decision to establish the employment relationship or, in case of the establishment of the relationship, until the termination of the relationship. In case of an unsuccessful application, the CV will be returned to the Applicant or deleted/destroyed. In case of withdrawal of consent, the CV will be deleted/destroyed within 30 days of receipt of the withdrawal by the Data Controller. The Data Controller shall store the CV for 1 year after the unsuccessful application for the purpose of contacting the applicant in relation to a possible future job offer if the applicant explicitly requests and consents.

3.4. The Data Controller shall process the images taken by the cameras monitoring the entire entrance of the buildings at 5700 Gyula, Kossuth Lajos utca 7. as follows:

The data processed: images of persons in the camera's field of view and other personal data that may be recorded by the camera.

Purpose of the processing: traffic counting, which can be used to measure the traffic in the area under investigation, and to produce statistics.

Legal basis for processing: the legal basis for the use of the image is the legitimate interests of the Data Controller or a third party (Article 6(1)(f) GDPR).

Duration of data processing: 3 working days from the date of recording of the image or other personal data unless the recordings are used. In the case of use, the recordings are stored for the shortest period necessary to achieve the purpose for which they were made, after which they are destroyed. Use is understood to mean the use of the recordings as evidence in judicial or administrative proceedings. Accordingly, the data subject may notify the Data Controller within 3 working days of the recording of the image or other personal data if he or she requests a copy of the recording or if the further storage of the recordings is necessary for the establishment, exercise or defence of legal claims by the data subject.

At the request of a court, prosecutor's office, investigative authority, body conducting a preparatory procedure or other authority, or upon request for data, the recorded image and other personal data shall be sent to the court or authority without delay. If no such request or request for data is made within thirty days of the request not to destroy, the recorded image and other personal data shall be destroyed or erased.

Access to the recording and other personal data recorded by the camera shall be granted to the Data Controller's administrator or a person designated by him or her. The data subject may view only the images of him or her, may request a copy of the images without giving reasons, and may request the restriction of the processing of the images for the purpose of lodging, exercising or defending legal claims.

3.5 Prize draw

By participating in the Game, the Players give their express and voluntary consent to

the processing of the personal data provided in accordance with the applicable data protection legislation to the Organiser, for the purposes of the Game, in accordance with the currently applicable laws and regulations and as set out in this Information Sheet.

Scope of controlled data: surname, first name, date of birth, gender, address, telephone number, email address

Purpose of data processing: to run the Game, to deliver prizes.

Legal basis for the processing: voluntary, specific and appropriate information from the data subject (Article 6(1)(a) GDPR)

The user is entitled to withdraw their permission to control all or some of their personal data at any time by sending a letter in an email to: adatvedelem@visitgyula.com

The consent does not affect the legality of data processing based on consent prior to withdrawal.

Duration of data management: until the withdrawal of consent, or, failing that, for 1 year after the end of the prize draw.

Data transfer: The database will not be transferred to third parties.

3.6 Newsletter (Information sheet, Questionnaire)

The Data Controller manages the personal data of the data subjects to send newsletters, information sheets, questionnaires and other inquiries.

Scope of processed data: name, e-mail address

Legal bases of the data control: the data subject agreed to receive specific information, voluntarily (GDPR Article 6 (1) point a)

The data subject is entitled to withdraw their permission to control all or some of their personal data at any time by sending a letter in an email to: adatvedelem@visitgyula.com

The consent does not affect the legality of data processing based on consent, prior to withdrawal.

Duration of data storage: the Data Controller stores the above personal data of the data subjects for 30 days after unsubscribing from the newsletter or withdrawing consent.

Furthermore, the Data Controller shall also cease to keep records of the data subject if the processing purpose indicated in this Information Sheet has ceased.

In the case of withdrawal of consent, the personal data will be deleted within 30 days of the receipt of the withdrawal of consent by the Data Controller.

In its newsletters, the Data Controller contacts those concerned with news, information, and questionnaires. The data subject is entitled to unsubscribe from the newsletter at any time, without justification or legal consequences, by sending a letter to the e-mail address adatvedelem@visitgyula.com.

3.7 Photo and a sound recording taken at the event

Data processed: image recording, audio recording, video recording, other personal data that may be recorded by camera.

Purpose of data control: publication on a website, media and documentation of the events

Legal bases of the data control: the data subject agreed to receive specific information, voluntarily (GDPR Article 6 (1) point a)

The events organized by the institution are considered mass events, where, in some cases, the consent of those affected is not required.

According to The Civil Code 2:48 § (2), the consent of the data subject is not required for preparation, recording and use of images of participation in public appearances and/or for mass recording. If, in the completed photo, the representation is not individualistic, and does not highlight a specific person or a small group of them, then obtaining consent is not necessary.

The user is entitled to withdraw their permission to control all or some of their personal data at any time by sending a letter in an email to: adatvedelem@visitgyula.com

The consent does not affect the legality of data processing based on consent, prior to withdrawal.

Where processing is necessary for the legitimate interests of the controller or a third party the data subject may object to the processing of their personal data. In this case, the Data Controller may no longer process your personal data, unless it proves that there are compelling legitimate grounds for not processing the data overriding legitimate interests and rights of the data subject, freedoms, or for the establishment of legal claims, exercise or defence of legal claims.

Duration of data management: until the withdrawal of consent, failing which, for 5 years after termination of cooperation. In the former case, the personal data will be deleted within 30 days after the data controller receives the withdrawal of consent.

Even in the case of withdrawal of consent, the Data Controller is entitled to process the data subject's personal data if it has another legal basis for the data management (e.g. data management is necessary to fulfill a legal obligation or assert its legitimate interest).

3.8 Bike rental

Scope of controlled data: Name, date of birth, ID card number, telephone number

Purpose of the data control: Provision of bicycle rental service

Legal basis for data management: (GDPR Article 6 (1) point b) - performance of the contract

Duration of data management: throughout the day of closing the transaction.

3.9. Data management related to invoicing (fulfillment of invoicing obligations, invoicing)

Scope of data handled: Bill payer's name and billing address, total amount, tax number in the case of a business organization.

Purpose of data management: Fulfillment of products and services sold by the Data Controller, collection of the consideration, issuing invoices, keeping financial records.

Purpose of data management: Fulfillment of products and services sold by the Data Controller, collection of the consideration, issuing invoices, and keeping financial records.

Legal basis for data management: Legal basis for legal obligation (Act C of 2000 on Accounting; Act CXXVII of 2007 on VAT).

Duration of data processing: Act on Value Added Tax (CXXVII Act of 2000 on Accounting (Act on Accounting), CXXVII Act of 2007 on VAT), for a period of 8 years.

Data transmission: National Tax and Customs Administration

4. Rights of data subjects

4.1 Right to information: the Data Controller shall take appropriate measures to provide data subjects with the information on the processing of personal data referred to in Articles 13 and 14 of the GDPR and to provide them with the information referred to in Articles 15 to 22 and 34 of the GDPR. Data subjects may request information about the processing of their personal data by the Controller by sending a letter to the contact details of the Controller indicated in point 1.

4.2. Right of access: the data subject has the right to obtain from the Controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the personal data have been or will be disclosed; the period for which the personal data are stored; the rights which the data subject may exercise (rectification, erasure, objection, restriction of processing); the right to lodge a complaint with a supervisory authority; information on the data sources and the fact of automated decision-making.

At the request of the data subject, the Controller shall provide the data subject with a copy of the personal data processed in relation to him or her, initially free of charge, and subsequently for a reasonable fee.

4.3 Right to rectification: the data subject has the right to obtain from the Data Controller, at his or her request, the rectification of inaccurate personal data relating to him or her or the completion of incomplete personal data. Where the data subject is unable to carry out these operations independently, he or she may send his or her request to the contact details of the Controller as set out in point 1.

4.4 Right to erasure: The Data Controller shall erase personal data relating to the data subject within 30 days of receipt of the request, if the data subject so requests on the grounds set out in Article 17(1) of the GDPR (e.g. the purpose of the processing has ceased; the data subject has withdrawn his or her consent and there is no other legal basis for the processing; the processing is unlawful; the data subject objects to the processing and there are no overriding legitimate grounds for the processing; the personal data must be erased on the basis of a legal obligation). The Controller may refuse erasure on the grounds set out in Article 17(3) of the GDPR (e.g. processing necessary for the exercise of the right to freedom of expression and information or for compliance with a legal obligation or for the establishment or defence of legal claims).

4.5. Right to restriction of processing: where the data subject challenges the accuracy of personal data relating to him or her, he or she may request the Controller to restrict the processing of the personal data concerned while the accuracy of the data is being verified.

The data subject may also request the restriction of processing where the processing is unlawful, but the data subject opposes the erasure of the personal data or where the Controller no longer needs the personal data for processing purposes, but the data subject requires them for the exercise of his or her legal rights. The data subject shall also have the right to request the restriction of processing where he or she has objected to the processing; in such cases, the restriction shall apply for the period necessary to determine whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject. During the restriction period, personal data may be processed, except for storage, only in exceptional cases.

4.6 Right to data portability: the data subject shall have the right to obtain from the Controller personal data concerning him or her in a structured, commonly used, machine-readable format and to have those data transmitted by him or her or, where technically feasible, by the Controller to another controller, where the processing is based on consent or a contract and the processing is carried out by automated means.

4.7 Right to object: where the processing is necessary for the legitimate interests of the Controller or a third party, the data subject may object to the processing of his or her personal data. In such a case, the Controller may no longer process the personal data, unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

4.8. Enforcement: data subjects may address their complaints and objections directly to the Data Controller by sending a letter to the contact details indicated in point 1, who will do its utmost to eliminate and remedy any possible infringements. In the event of a breach of his/her rights, the data subject may bring the matter before the competent court or lodge a complaint with the National Authority for Data Protection and Freedom of Information.

5. Method of data management, data transfer, data security

5.1. The Data Controller will not disclose the data of the data subjects without the prior written consent of the data subject and will not transfer it to a third party, unless it is obliged to do so based on a court or official decision or a legal provision, or if the Data Controller outsources the performance of the given activity to a third party in whole or in part.

5.2. The Data Controller shall not be liable to the data subject or any other third party in connection with the untruthfulness, misrepresentation or omission of data provided by the data subject, unless the Data Controller is obliged to verify the personal data concerned under a legal provision. If any third party asserts a claim against the controller in relation to the untruthfulness of the personal data provided, the data subject shall be liable for the satisfaction of the claim on behalf of the Data Controller. When providing his contact information, the data subject also assumes responsibility for the fact that only he communicates or uses any service from the given email address or phone number.

5.3. The Data Controller does not provide information society related services offered directly to children. The consent of children under the age of 16 regarding data processing is only legal if the consent was given or authorized by the person exercising parental supervision over the child. The consent giver guarantees that the consent complies with the above legality condition. If the Data Controller becomes aware that, based on the above regulations, consent to data processing is considered illegal, it will immediately take measures to delete the personal data, unless it has other legal grounds for processing them.

5.4. For the purpose of fulfilling its obligations under the law and the contracts with contractual partners, and to the extent necessary for this, the data controller may transfer the personal data of the data subjects to the agents and subcontractors of the collaborators involved in the performance, who, as data processors, manage the data on behalf of the data controller. Data processors may not process personal data independently, but only according to the instructions of the Data Controller.

5.5. The Data Controller only uses a data processor that undertakes to handle the personal data received from the Data Controller in accordance with the GDPR, the above Hungarian legislation and the instructions of the Data Controller, and during its data processing, the

in order to protect personal data and enforce the rights of the data subjects, it provides guarantees at least in accordance with this Information Sheet.

5.6. The Data Controller does not wish to forward the personal data of the data subjects to third countries or international organizations.

5.7. Where the controller is entitled to do so by law, the Data Controller may take a decision concerning the data subject which is based on automated processing of the data subject's personal data.

5.8. The data controller shall take all appropriate security, technical and organizational measures, taking into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data management, the risk to the rights and freedoms of natural persons. These measures will guarantee the security of the data, and ensure an adequate level of protection, especially against unauthorized access, alteration, transmission, disclosure, deletion or destruction, and against accidental destruction, damage, and eventual inaccessibility.