Data Protection Information
Accepted by EFOTT Kultúr Pub Korlátolt Felelősségű Társaság (registered office: 1053 Budapest, Ferenciek tere 7-8., company registration number: 01-09-387635, tax number: 14039827-2-41, tel.: +36 30 130 0324, email address: info@efott.hu, represented by: Pál Megyesi, Managing Director) (hereinafter referred to as: Data Controller) on May 30, 2024.
1./ General Provisions
The subject of this data protection notice is the handling of personal data obtained by the Data Controller in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as: GDPR), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as: Infotv.), and other applicable legislation.
This Notice sets out the data protection and data management principles applied by the Data Controller, ensuring that the personal data of natural persons in contact with the Data Controller are not compromised.
The Data Controller reserves the right to unilaterally amend its data protection policy and the content of this Notice in the event of changes to the services it provides or in line with current legislation. The Data Controller will inform affected persons of any changes to this Notice simultaneously on the website www.fiktivrestaurant.hu.
2./ Legal Background
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)
- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information
- Act V of 2013 on the Civil Code
- Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities
- Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services
3./ Definitions
- Personal Data/Data Subject: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Data Processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Data Processor: A natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller.
- Data Controller: A natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Destruction: The complete physical destruction of the medium containing the data.
- Data Transfer: Making data accessible to a specific third party.
- Data Erasure: Making data unrecognizable in such a way that it can no longer be restored.
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- EEA State: A Member State of the European Union and any other state party to the Agreement on the European Economic Area, as well as any state whose nationals enjoy the same legal status as those of the Member States of the European Union under an international agreement between that state and the Member States of the European Union.
- Third Party: A natural or legal person, public authority, agency, or other body other than the Data Subject, Data Controller, Data Processor, and persons authorized to process personal data under the direct authority of the Data Controller or Data Processor.
- Third Country: Any country that is not an EEA State.
- Consent: Any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Disclosure: Making data accessible to anyone.
4./ Scope of Data Subjects
Data processing applies to personal data provided by prospective guests during table reservations (hereinafter referred to as: reservations) made on the website of Fiktív GasztroGaléria restaurant operated by the Data Controller (address: 1085 Budapest, Horánszky u. 27.), by phone, or by email.
The prospective guests are hereinafter collectively referred to as: Data Subject(s).
This Notice applies to all data processing activities carried out by the Data Controller involving personal data, regardless of the nature of the personal data.
5./ Source of Data
Data voluntarily provided by the Data Subjects.
6./ Principles of Data Processing
In the course of data processing, the Data Controller adheres to the following principles regarding the handling of personal data:
- Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the Data Subject.
- Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data processing must be limited to what is necessary for the purposes for which the personal data are processed (“data minimization”).
- The processed data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”).
- Personal data must be stored in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”).
- Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).
7./ Scope of Processed Data, Purpose, Duration, and Legal Basis of Data Processing
Processed Data | Purpose of Data Processing | Duration of Data Processing | Legal Basis of Data Processing |
First and last name of the guest requesting the reservation | Ensuring table reservation – identification by name, communication | Until the end of the reservation period, or until withdrawal | GDPR Article 6(1)(a) – consent of the Data Subject |
Date and duration of the reservation | Recording the date and duration of the reservation | Until the end of the reservation period, or until withdrawal | GDPR Article 6(1)(a) – consent of the Data Subject |
Number of guests registered for the reservation | Recording the number of guests for the reservation | Until the end of the reservation period, or until withdrawal | GDPR Article 6(1)(a) – consent of the Data Subject |
Phone number of the guest requesting the reservation | Communication during the reservation | Until the end of the reservation period, or until withdrawal | GDPR Article 6(1)(a) – consent of the Data Subject |
Email address of the guest requesting the reservation | Communication during the reservation | Until the end of the reservation period, or until withdrawal | GDPR Article 6(1)(a) – consent of the Data Subject |
Number of guests with food intolerance reported by the guest requesting the reservation (without name and other personal data), type of food intolerance | Advance notification to the Data Controller to consider food intolerance in ingredient selection | Until the end of the reservation period, or until withdrawal | GDPR Article 6(1)(a) and Article 9(2)(a) – consent of the Data Subject |
The Data Controller specifically draws attention to the fact that “food intolerance” as data belongs to a special category of personal data, which can be processed as described above because the Data Subject has explicitly consented to the processing of these personal data for the specific purpose mentioned (GDPR Article 9(2)(a)). |
8./ Data Transfer
The Data Controller does not transfer the personal data it processes to any recipient.
10./ Technical Implementation of Data Processing
The Data Controller stores the personal data of the Data Subjects either in paper form or electronically on Hungarian servers; the personal data are not transferred to data controllers or data processors located either domestically or in third countries.
The Data Controller ensures the security of personal data through appropriate technical and organizational measures. The Data Controller provides appropriate protection (passwords, firewalls) for the IT equipment used for processing and storing personal data; and ensures that only authorized persons can access this equipment.
The Data Controller also ensures that personal data are not compromised, destroyed, or made accessible in the event of force majeure.
11./ Rights of Data Subjects Regarding Data Processing
In the course of data processing, the Data Controller ensures the Data Subjects’ right to data protection. Data Subjects have the right to:
- Right to information: The Data Subject has the right to be informed about the data processing activities before they begin.
- Right of access: The Data Subject has the right to receive confirmation from the Data Controller as to whether or not personal data concerning him or her are being processed, and if so, to access the personal data and relevant information (purpose of data processing, personal data processed, duration of storage, data transfers, etc.).
- Right to rectification: The Data Subject has the right to request the Data Controller to correct inaccurate personal data concerning him or her.
- Right to erasure: The Data Subject has the right to request the Data Controller to delete personal data concerning him or her without undue delay, provided that the legal conditions are met.
- Right to restrict processing: The Data Subject has the right to request the Data Controller to restrict processing if the accuracy of the personal data is contested, the processing is unlawful, or the Data Subject has objected to the processing.
- Right to data portability: The Data Subject has the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided.
- Right to object: The Data Subject has the right to object at any time to the processing of personal data concerning him or her for reasons relating to his or her particular situation.
12./ Enforcement of Rights, Remedies
If the Data Subject considers that his or her rights under the GDPR have been infringed, he or she may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) or seek legal redress in the competent court.
Contact details of the Authority:
- Address: 1055 Budapest, Falk Miksa utca 9-11.
- Postal address: 1363 Budapest, Pf.: 9.
- Phone: +36 (1) 391-1400
- Email: ugyfelszolgalat@naih.hu
The Data Controller is responsible for demonstrating that the data processing is in compliance with the law.
The Data Controller does not charge a fee for requests to exercise the rights of the Data Subject, unless the request is manifestly unfounded or excessive, particularly due to its repetitive nature.
13./ Notification of Data Breaches
The Data Controller shall notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours after becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
14./ Amendments to the Notice
The Data Controller reserves the right to amend this Notice at any time. The amended Notice shall be effective upon publication on the website www.fiktivrestaurant.hu.
This data protection notice was drafted and approved by the Data Controller on May 30, 2024.