PRIVACY POLICY AND DATA PROCESSING NOTICE
Application of the Privacy Policy and Data Processing Notice
Name of the organisation: Lagúna Panzió Kft.
Registered office of the organisation: Siófoki út 1., 8622 Szántód, Hungary
Effective date of this policy: 01.09.2024.
This policy sets out the rules relating to the protection of natural persons with regard to the processing of personal data and to the free movement of such data. The provisions of this policy shall be applied during specific data processing activities, as well as when issuing instructions and information governing data processing.
The obligation to appoint a Data Protection Officer applies to all public authorities or other bodies performing public tasks (regardless of the type of data processed), as well as to other organisations whose core activities consist of the large-scale, systematic monitoring of individuals, or which process special categories of personal data on a large scale.
The organisation does not employ a Data Protection Officer.
Scope of the Policy
This policy shall remain in force until revoked and shall apply to the officers and employees of the organisation and, if one is appointed, to its Data Protection Officer.
Purpose of the Policy
The purpose of this policy is to harmonise the provisions of the organisation's other internal regulations concerning data processing activities in order to protect the fundamental rights and freedoms of natural persons and to ensure the proper handling of personal data.
In the course of its activities, the organisation intends to fully comply with the legal requirements relating to the processing of personal data, in particular with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council.
An important purpose of issuing this policy is also to ensure that, by becoming familiar with and complying with it, the employees of the organisation are able to carry out the processing of natural persons' data lawfully.
Important Terms and Definitions
- GDPR (General Data Protection Regulation): the European Union's data protection regulation.
- Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may also be determined by Union or Member State law.
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Personal data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Third party: a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- Consent of the data subject: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.
- Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identified or identifiable natural person.
- Filing system: any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
- Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Principles of Data Processing
Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Personal data shall be collected only for specified, explicit and legitimate purposes.
The processing of personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data must be erased or rectified without delay.
Personal data shall be stored in a form which permits identification of data subjects only for as long as is necessary. Personal data may be stored for longer periods only if processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The principles of data protection shall apply to any information relating to an identified or identifiable natural person.
Employees of the organisation involved in data processing are responsible for the lawful handling of personal data and may incur disciplinary, civil, administrative and criminal liability for breaches of that duty. If an employee becomes aware that the personal data they process is incorrect, incomplete or outdated, they are obliged to correct it or to initiate its correction with the responsible colleague.
Processing of Personal Data
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as IP addresses and cookie identifiers. When combined with other information, these identifiers may be used to create profiles of natural persons and identify them.
Where processing is based on consent, the data subject must give that consent through a clear affirmative act, such as a written (including electronic) or oral statement.
Consent may also be given when the data subject ticks a box when visiting a website. Silence, pre-ticked boxes or inactivity do not constitute consent.
Consent may also be expressed by choosing technical settings or by other conduct that clearly indicates the data subject's acceptance of the proposed processing of their personal data.
Health-related personal data includes information concerning the physical or mental health of a natural person, including:
- registration for healthcare services;
- identification numbers or symbols assigned for healthcare purposes;
- data derived from testing or examination of a body part or biological sample, including genetic data;
- information about diseases, disabilities, medical history or clinical treatments.
Genetic data refers to personal data relating to inherited or acquired genetic characteristics resulting from the analysis of a biological sample.
Children's personal data require special protection, as they may be less aware of risks and their rights.
Personal data must be processed in a way that ensures appropriate security and confidentiality, including protection against unauthorised access.
All reasonable steps must be taken to correct or delete inaccurate personal data.
Lawfulness of Processing
The processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
• the data subject has given consent to the processing of their personal data for one or more specific purposes;
• processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Accordingly, processing is lawful where it is necessary for the performance of a contract with the data subject, or to take steps at the data subject's request before a contract is concluded.
Where processing is carried out to comply with a legal obligation or for the performance of a task in the public interest, it must have a legal basis in Union or Member State law.
Processing shall also be considered lawful where it is necessary to protect the vital interests of the data subject or another natural person.
In certain cases, data processing may serve both important public interests and vital interests of the data subject, for example in humanitarian situations such as monitoring epidemics or natural disasters.
The legitimate interests of the controller or a third party may provide a legal basis for processing, particularly where there is a relevant and appropriate relationship between the data subject and the controller (e.g. customer relationship).
Processing personal data for fraud prevention purposes is also considered a legitimate interest.
Direct marketing activities may also be based on legitimate interest.
When assessing whether a legitimate interest exists, careful consideration must be given to whether the data subject can reasonably expect, at the time and in the context of the collection, that processing for that purpose may take place.
The interests and fundamental rights of the data subject may override the interests of the controller where personal data are processed in circumstances in which the data subject does not reasonably expect such processing.
Processing of personal data to the extent strictly necessary and proportionate for ensuring network and information security (for example, preventing unauthorised access to systems, stopping malicious code distribution and denial-of-service attacks) also constitutes a legitimate interest of the controller.
Personal data may only be processed for purposes other than those for which they were originally collected if the new purpose is compatible with the original purpose.
Processing carried out by public authorities or officially recognised religious organisations may also be considered in the public interest.
Consent of the Data Subject – Conditions
• Where processing is based on consent, the controller must be able to demonstrate that the data subject has given consent.
• If consent is given in a written declaration that also concerns other matters, the request for consent must be clearly distinguishable.
• The data subject has the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• It must be as easy to withdraw consent as to give it.
• When assessing whether consent is freely given, account shall be taken of whether the performance of a contract is conditional on consent to processing that is not necessary for the contract.
• Where an information society service is offered directly to a child and the processing is based on consent, the processing is lawful if the child is at least 16 years old.
For children under 16, consent must be given or authorised by the holder of parental responsibility (a parent or guardian).
Processing of special categories of personal data (e.g. racial or ethnic origin, political opinions, religious beliefs, trade union membership, health data, genetic data, biometric data, sex life or sexual orientation) is prohibited unless the data subject has given explicit consent or another exemption provided for by law applies.
Processing of personal data relating to criminal convictions and offences may only be carried out under the control of official authority or where authorised by Union or Member State law.
Information of the Data Subject and Their Rights
The principle of fair and transparent processing requires that the data subject be informed about the fact and purpose of data processing.
Where personal data are collected from the data subject, they must also be informed whether they are obliged to provide the data and what the consequences are if they fail to do so.
This information may also be provided using standardised icons to ensure it is easily understandable and clearly visible.
Information relating to the processing of personal data must be provided at the time of data collection, or within a reasonable period if the data were not collected directly from the data subject.
The data subject has the right to access their personal data and to verify the lawfulness of processing at reasonable intervals.
The data subject also has the right to know:
- the purpose of data processing;
- the duration of data processing (where possible).
The data subject has the right to have their personal data erased where:
- the data are no longer necessary;
- the consent has been withdrawn.
If personal data are processed for direct marketing purposes, the data subject has the right to object at any time, free of charge.
Review of Personal Data
To ensure that personal data are not stored longer than necessary, the organisation establishes deadlines for deletion or regular review.
The review period determined by the organisation is: 1 year.
Rights Related to Data Processing
Right to Request Information
Any person may request information about what personal data the organisation processes, on what legal basis, for what purpose, from what source, and for how long.
The organisation must respond without delay, but no later than within 30 days.
Right to Rectification
Any person may request the correction of their personal data.
The organisation must take action without delay, but no later than within 30 days.
Right to Erasure
Any person may request the deletion of their personal data.
The organisation must comply without delay, but no later than within 30 days.
Right to Restriction of Processing
Any person may request the restriction of processing of their data.
Restriction applies as long as the reason justifies the storage of the data.
Right to Object
Any person may object to data processing.
The organisation must examine the request within 15 days and inform the data subject of the decision.
Legal Remedies
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: 1530 Budapest, Pf.: 5.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu
The data subject may also take legal action before a court.
Responsibilities of the Data Controller
The controller shall implement appropriate internal data protection rules to ensure lawful data processing.
The controller is responsible for implementing appropriate and effective measures and must be able to demonstrate compliance with applicable data protection laws.
These measures must take into account:
- the nature, scope and purpose of processing,
- the risks to the rights and freedoms of natural persons.
The controller shall regularly review and update internal regulations where necessary.
The controller and processor must maintain records of processing activities and cooperate with the supervisory authority.
Data Security
Personal data must be protected by appropriate measures, particularly against:
- unauthorised access,
- alteration,
- transmission,
- disclosure,
- deletion or destruction,
- accidental loss or damage.
Technical solutions must ensure that stored data cannot be directly linked to individuals without proper authorisation.
When designing data security, the current state of technology must be considered, and the highest level of protection must be applied where reasonably possible.
Data Protection Officer
The appointment of a Data Protection Officer (DPO) is required if:
• data processing is carried out by public authorities;
• the organisation's core activities involve large-scale systematic monitoring;
• the organisation processes special categories of data on a large scale.
The organisation does not appoint a Data Protection Officer.
If appointed, the DPO must:
- have expert knowledge of data protection law,
- act independently,
- report directly to top management,
- be bound by confidentiality.
Personal Data Breach
A personal data breach is a security incident that results in:
- accidental or unlawful destruction,
- loss,
- alteration,
- unauthorised disclosure,
- or access to personal data.
Such incidents may result in physical, financial or reputational damage.
The controller must notify a personal data breach to the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the affected data subjects must also be informed without undue delay.
Administrative Data Processing
The organisation may process personal data for administrative and record-keeping purposes.
Such processing may include:
- employee data (legal obligation),
- contractual partners' data,
- contact details of business partners.
Data processing is based on:
- legal obligation, or
- voluntary consent of the data subject.
When a data subject submits a document containing personal data (e.g. a CV or an application), the submission itself is treated as consent to process that document for the purpose for which it was submitted.
Once that purpose has been fulfilled, the document must be deleted unless the data subject gives further consent to its retention.
Data must be reviewed regularly and deleted if no longer necessary.
Other Data Processing
If the organisation intends to carry out new types of data processing not covered by this policy, the policy must be updated accordingly.
Related Documents
This policy must be read together with other documents such as:
- consent forms,
- website privacy notices,
- internal regulations.
Legal Background
- Regulation (EU) 2016/679 (GDPR)
- Hungarian Act CXII of 2011
- Relevant Hungarian and EU legislation on data protection and electronic services
