Annex III/c to the “Privacy Policy for internal use”:
Fundus Invest Kft.
Privacy Notice for the public
(published at the www.villacuvee.hu website)
The Data Controller, who is Fundus Invest Kft. (legal seat: 4200 Hajdúszoboszló, József Attila u. 5-7. , company registry number: 09-09-019876, VAT No.: 22990136-2-09, phone numbers: Tuba tanya: +36 21/350-0444, +36 30/300-2988; Villa Cuvée: 21/350-0222, Hotel Délibáb: +36 21/350-0777, +36 52/360-366; Mirage restaurant : +36 52/898-151, e-mail addresses: info@tubatanya.hu, info@villacuvee.hu, info@hoteldelibab.hu, info@mirage-etterem.hu, authorised representative: Éva Czene, Managing Director, with sole signatory right), hereby provides the following brief summary information about the data processing activities it carries out.
The Data Controller would like to notify the Data Subjects on the following:
Summary table for data processing activities related to one-off information requests and supply |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data categories |
Duration |
Method |
Source |
to supply proper information to the Data Subject, and the related communica-tion |
voluntary consent or compliance with a mandatory obligation, or based on an Agreement, or legitimate interest, or vital interest |
any natural person, including those acting on behalf of an organisation, who contacts the Data Controller, and requests/ receives information from the Data Controller |
for more details, please check the detailed information/ description related to the given data processing activity |
until the purpose is reached, or the request is cancelled, or for the mandatory duration, or for the statutory period, or while the legitimate interest exists |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processed as part of on-going, regular contact with the Data Subjects |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
liaising with the Data Subject, to reply or resolve any questions, requests, or other inquiries arising |
voluntary consent or compliance with a mandatory obligation, or based on an agreement, or legitimate interest, or mandatory obligation, or vital interest |
any natural person, including those acting on behalf of an organisation, who has a regular contact with the Data Controller, in addition to a one-off information request filed |
for more details, please check the detailed information/ description related to the given data processing activity |
until the purpose is reached, or the request is cancelled, or for the mandatory duration, or for the statutory period, or while the legitimate interest exists |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to Requests for Proposals issued by the Data Subject, and the related Proposal submitted by the Data Controller |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to submit a proper Proposal to the Data Subject, and the related communi-cation |
voluntary consent granted, or Article 6(1), point b) of the GDPR |
any natural person, including those acting on behalf of an organisation, who has requested a Proposal from the Data Controller, by supplying his/her personal data |
for more details, please check the detailed information/ description related to the given data processing activity |
while the Proposal is valid, or if the Proposal was accepted, until the end of the statutory period applicable to the related legal relationship, or if the data processing took place based on a legitimate interest, while such interest exists |
electronically and/or in a hard copy format, but mostly electronically, and manually |
the Data Subjects |
Data processing activities carried out in relation to a Request for Proposals issued by the Data Controller, and the related Proposals received |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to submit a Proposal for the Data Controller’s Request for Proposals issued, and the related communi-cation |
the Data Subject’s voluntary consent granted, or the Data Controller’s legitimate interest, or compliance with a mandatory obligation |
for more details, please check the detailed information/ description related to the given data processing activity |
for more details, please check the detailed information/ description related to the given data processing activity |
if the Proposal is accepted, for a period of 8 years, if the Proposal is not accepted, for the Proposal’s validity period, or for the mandatory duration, or for the duration specified in the Request for Proposals |
electronically, in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to entering into Agreements |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to enter into the Agreement, to fulfil the same, to supervise fulfilment, and the related communi-cation |
entering into an Agreement (Article 6(1), point b) of the GDPR), the processing of the data of the authorised represen-tative and the contact person is based on legitimate interest |
any natural person, including those acting on behalf of an organisation, who enters into an Agreement with the Data Controller - by supplying their personal data - in their own name, or acts as an authorised representative or contact person nominated in an Agreement |
for more details, please check the detailed information/ description related to the given data processing activity |
for the statutory period, or the duration specified in the Agreement, or cannot be erased, as this is stipulated by the law |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to appointment bookings |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to fulfil an appointment reservation made by the Data Subject, and the related communi-cation |
voluntary consent granted |
any natural person, including those acting on behalf of or representing an organisation, who makes a reservation, by supplying his/her data |
for more details, please check the detailed information/ description related to the given data processing activity |
until the specific purpose is reached, or for the general statutory period, or while the legitimate interest lasts |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to the Data Subjects’ consent granted |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to be able to evidence the legitimacy of the data processing activities taking place, to provide the consent, and the related communi-cation |
voluntary consent granted |
any natural person, who grants a consent to the Data Controller to process his/her data for a particular purpose |
for more details, please check the detailed information related to the given data processing activity |
until the consent granted is revoked/ cancelled, the consents granted will be erased when the related statutory period set, for after the revocation, has elapsed |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities performed in relation to the photos, video footages and sound recording made of the Data Subject, with the Data Subject’s consent granted |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
the specific purpose specified in the Data Subject’s related consent given |
voluntary consent granted |
any natural person, whom has granted his/her prior consent to the fact that photos, video footages and/or sound recordings are made of him/her |
for more details, please check the detailed information related to the given data processing activity |
until the recording is deleted, based on the Data Subject’s request |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of complaint handling related data processing activities |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to identify the Data Subject and the complaint filed, to handle the complaint, and the related communi-cation |
starts upon a voluntary consent granted, but also necessary pursuant to section 17/A(7) of Act CLV of 1997 on Consumer protection, in order to comply with the Data Controller’s obligation, in line with Article 6(1), point c) of the GDPR |
any natural person, who has filed a complaint with regards to the services rendered, products purchased, and/or the Data Controller’s conduct shown, or activities performed, or a failure to perform something |
for more details, please check the detailed information/ description related to the given data processing activity |
the Data Controller will process the official Minutes taken of the complaint filed, and the related reply sent, for a period of 5 years upon being taken, in line with the Consumer protection law |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to the registration system maintained about the Data Subjects (Clients and Business Partners) |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to indentify the Data Subject, the related communi-cation, to monitor fulfilment of the related Agreement (if any) |
voluntary consent granted, or based on an Agreement, or required to comply with a mandatory obligation, or legitimate interest |
any natural person, or the authorised representative of a legal entity, who intends to become a Partner/Client or Employee of the Data Controller |
for more details, please check the detailed information/ description related to the given data processing activity |
erased based on the Data Subject’s request, or erased due to the mandatory follow-up data verification being unsuccessful, or erased due to the Data Subject’s death, or when it is based on the Data Controller’s interest, until such interest persists. The Data Controller may qualify the related registration system to be of permanent value, therefore the data cannot be erased |
electronically (in a hard copy format), manually |
the Data Subjects, or a Business Partner |
Summary table related to the registration system maintained about the Data Subjects (as regular Guests) |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to identify the Data Subjects, to grant an authorisation level and later checks, to grant benefits, to inform the Data Subjects about discounts solely provided to regular Customers/ Guests, or about special offers or other, and the related communi-cation |
based on voluntary consent, or based on an Agreement, or based on legitimate interest (when the Data Subject is stated to be the contact person/ authorised representative in the relevant Agreement signed with the Data Controller) |
any natural person, including any natural person acting on behalf of an organisation (authorised representative, contact person), whom managed to meet the pre-conditions to become a regular Guest, and got listed as such in the related registration system |
for more details, please check the detailed information/ description related to the given data processing activity |
for the time period stipulated in the relevant Regular Guests Policy, or until erased based on the Data Subject’s request, or erased due to the mandatory follow-up data verification being unsuccessful, or erased due to the Data Subject’s death, or when it is based on the Data Controller’s interest, until such interest persists. The Data Controller may qualify the related registration system to be of permanent value, therefore the data cannot be erased |
electronically (in a hard copy format), manually |
the Data Subjects |
Summary table of data processing activities taking place related to taped phone conversations |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
for quality improvement, to monitor the related communi-cation, to document all needs and problems raised by the Data Subjects or users, finding a more efficient resolution |
voluntary consent granted |
any natural person, including a natural person acting on behalf of, or as a representative of an organisation, who wishes to contact or liaise with the Data Controller via a customer service telephone line, where recording takes place |
for more details, please check the detailed information/ description related to the given data processing activity |
for a period of 6 months, or if any related complaint is filed, for a period of 5 years, pursuant to Act CLV of 1997 |
electronically, automated |
the Data Subjects |
Summary table of data disclosure (to third parties) |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
specific purpose |
consent granted, to comply with a mandatory obligation, an Agreement, legitimate interest |
any natural person, including any natural person acting on behalf of, or as a representative of a legal entity, whose data is disclosed by the Data Controller to any third party |
for more details, please check the detailed information/ description related to the given data processing activity |
until the specific purpose is reached, or for the statutory period, or for the duration specified by the law, or until the legitimate interest ceases to exist |
electronically and/or in a hard copy format, manually, in full compliance with the principles of data security and non-disclosure |
the Data Subjects, the Data Processor, any public register |
Summary table of data processing activities related to bookings (room reservations) |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to process the booking, to make the room reservation by connecting the given accommo-dation provider and the Data Subject, and the related communi-cation with the Data Subject |
voluntary consent granted |
any natural person, who makes a booking at any accommo-dation provider facility operated by the Data Controller, by supplying his/her personal data |
for more details, please check the detailed information/ description related to the given data processing activity |
in case of no show, the data get immediately deleted, otherwise kept for the statutory period |
electronically, in a hard copy format, manually |
the Data Subjects, or Business Partners (travel agency/tour operator) |
Summary table of data processing activities related to check-ins, check-in forms, the guest registration system, and the tourism administration system |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to ensure full compliance with the law, to enter into an Agreement for accommo-dation provider services, to be able to evidence its fulfilment, possible claim enforcement, and the related communi-cation with the Data Subject |
to comply with a mandatory obligation, legitimate interest, voluntary consent granted, an Agreement entered into |
any natural person, who checks in at any of the accommo-dation facilities operated by the Data Controller, by supplying his/her personal details, and fills in the check-in form/guest registration book |
please see the check-in form/guest registration book |
for more details, please check the detailed information related to the given data processing activity |
electronically, in a hard copy format, manually, |
the Data Subjects, or Business Partners (travel agency/tour operator) |
Accommodation booking on behalf of any third party, by the Data Controller |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to order a taxi for the Data Subject, for a specific place and timing, and the related communi-cation with the Data Subject |
voluntary consent granted |
any natural person, for whom the Data Controller orders a taxi service |
for more details, please check the detailed information related to the given data processing activity |
for more details, please check the detailed information related to the given data processing activity |
electronically, manually |
the Data Subjects, or Business Partners |
Summary table of data processing activities performed in relation to restaurant table bookings |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to book a table in a restaurant, to identify the Data Subject, and the related communi-cation |
voluntary consent granted |
any natural person, who intends to book a restaurant table, by supplying his/her personal data |
for more details, please check the detailed information/ description related to the given data processing activity |
until the specific purpose is fulfilled |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities performed in relation to organised camp programs |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
the specific purpose is to identify the Data Subjects, to establish their entitlement to the given services, to sign the related Agreement, to render the related services, to fulfil the Agreement, and the related communi-cation |
voluntary consent granted, or an Agreement being signed (Article 6(1), point b) of the GDPR), when processing the data of an authorised represen-tative/ contact person, it is a legitimate interest |
any natural person, whose personal data is supplied by the Data Subject to the Data Controller in relation to ordering services related to an organised camp program, and to sign the related Agreement, the Data Subjects are particularly being children, and their legal representatives |
for more details, please check the detailed information/ description related to the given data processing activity |
until the specific purpose is reached, or for a period of 5 years
|
electronically, in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities carried out related to health status |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to properly provide the services to the Data Subjects, and the related communi-cation |
voluntary consent granted |
any natural person, who supplies a health related data to the Data Controller |
for more details, please check the detailed information related to the given data processing activity |
until the primary goal is reached, or until revoked, or for the statutory period |
electronically, in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to banking details and bank transfers |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to facilitate and verify financial payments |
to comply with a mandatory obligation and/or based on an Agreement, or voluntary consent granted |
any natural person, to whom the Data Controller sends any bank transfer, and any natural person, who wishes to pay the Data Controller via bank transfer |
for more details, please check the detailed information/ description related to the given data |
for the statutory period, or for any duration specified by the law |
electronically, manually or automated |
own registration system, the Data Subjects |
Summary table of invoicing related data processing activities |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to comply with a mandatory obligation |
to comply with a mandatory obligation, pursuant to Act CXXVII of 2007 on the Value Added Tax, and various decrees issued based on an authorisation given by the same law |
any natural person, including sole entrepreneurs, whose data is indicated on any invoices (or any equivalent accounting certificate) issued by the Data Controller (even if only in the comments, notes section, etc.) |
the specific data categories defined by sections 169-170 and 176 of Act CXXXVII of 2007 |
for a period of 8 years |
in a hard copy format/ electronically, manually |
the Data Subjects, occasionally public registration systems |
Summary table of data processing activities related to invoices received |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to fully comply with the relevant mandatory obligations, and to properly store the invoices (and other equivalent) documents, pursuant to section 179 of Act CXXVII of 2007 |
to comply with a mandatory obligation (section 179 of Act CXXVII of 2007) |
any natural person, whose data is indicated on any invoice (or any other equivalent accounting certificate) or any attachments to the same, received and accepted by the Data Controller |
the specific data categories defined by sections 169-170 and 176 of Act CXXXVII of 2007 |
for a period of 8 years |
in a hard copy format/ electronically, manually |
the invoice issuer |
Summary table of CCTV system operation |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
the specific purposes defined in the related CCTV Policy, such as property security, personal and physical security, etc., to properly identify the Data Subjects |
the Data Controller’s legitimate interests |
any natural person, who enters or stays in an area under CCTV surveillance |
for more details, please check the detailed information/ description related to the given data processing activity |
for 8 days upon the recording being made |
electronically, automated |
the Data Subjects |
Summary table of the data processing activities related to operating an electronic access card system |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to identify the Data Subjects, to grant and verify access levels, personal and property safety and security |
the Data Controller’s legitimate interests |
any natural person, whom is provided with an access tool (e.g. swipe card) by the Data Controller |
for more details, please check the detailed information/ description related to the given data processing activity |
to be deleted within 180 days upon the regular access authorisation being terminated, or if it was a one-off access authorisation provided (guest card), within 1 day after the person has left the premises |
electronically, automated |
the Data Subjects |
Summary table of data processing activities related to sending Newsletters |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to provide full scope general, or individually tailored and regular information to the recipients about the Data Controller’s latest special offers, events and news |
voluntary consent granted |
any natural person, who intends to receive news, or updates about the Data Controller’s special offers and benefits granted, therefore signs up to the Newsletter, by supplying his/her personal data |
for more details, please check the detailed information/ description related to the given data processing activity |
until the person unsubscribes |
subscription can be made electronically, or in a hard copy format, or manually, the Newsletters to be sent electronically, automated, unsubscription is possible electronically, or in a hard copy format, or manually
|
the Data Subjects |
Summary table of data processing activities related to organising special draws |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to enable participation, to identify the Data Subjects during the draw, and the related communi-cation |
voluntary consent granted |
any natural person, who intends to participate in a special draw organised by the Data Controller, by supplying his/her data |
for more details, please check the detailed information/ description related to the given data processing activity |
until the special purpose is fulfilled, or for the statutory period |
the intention to participate can be indicated electronically/in a hard copy format, or manually, the drawing is done automated or manually (depending on the given type of drawing) |
the Data Subjects |
Summary table of special event organising |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to carry out all tasks related to organising a special event, and the related communi-cation with the Data Subjects |
based on voluntary consent granted, or based on an Agreement, or legitimate interest |
any natural person, who attends the special event, or receives any of the special event organising services offered |
for more details, please check the detailed information/ description related to the given data processing activity |
for the statutory period |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to gift vouchers (coupons) |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to enable customers to buy and redeem gift cards/ vouchers for the Data Controller’s services/ products, and the related communi-cation |
voluntary consent granted, legitimate interest, or Agreement |
any natural person, who intends to buy a gift card/voucher, or redeem the same for any of the Data Controller’s services/ products |
for more details, please check the detailed information/ description related to the given data processing activity |
as long as it is valid, if redeemed, for the statutory period, if an official receipt, for 5 years |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to customer satisfaction surveys |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to improve the quality of services, products and the Data Controller’s conduct, to investigate any complaints, and the related communication |
the Data Controller’s legitimate interests |
any natural person, who participates in any customer satisfaction survey, as part of the Data Controller’s quality assurance process |
for more details, please check the detailed information/ description related to the given data processing activity |
until the specific purpose is reached, or in case of complaints, for a period of 5 years |
electronically and/or in a hard copy format, manually |
own in-house registration system about the Data Subjects |
Summary table of data processing activities performed in relation to social media marketing efforts |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
the Data Controller’s marketing activities |
voluntary consent granted |
any natural person, who follows, shares or likes the contents displayed on the Data Controller’s social media platforms, on a voluntary basis |
for more details, please check the detailed information/ description related to the given data processing activity |
until erased based on the Data Subject’s request, or until the legitimate interest ceases to exist |
electronically, manually |
the Data Subjects |
Summary table of data processing activities related to the Guest Book |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to enable the Data Subject to express his/her opinion about the Data Controller’s services rendered, to improve the Data Controller’s service quality, to inform others, and to liaise with the Data Subject, if any complaint arises |
voluntary consent granted, in case of complaint |
any natural person, who wishes to share his/her personal opinion via a Guest Book entry with the Data Controller and others |
for more details, please check the detailed information/ description related to the given data processing activity |
until erased based on the Data Subject’s request, or in case of a complaint, for a period of 5 years (pursuant to Act CLV of 1997) |
electronically and/or in a paper format, manually |
the Data Subjects |
Summary table of data processing activities performed related to the Job Applicants’ data |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to enable applications to be made, and the related communi-cation |
voluntary consent granted |
any natural person, who applies for any job opening advertised by the Data Controller, or sends his/her application without a formal advert placed |
for more details, please check the detailed information/ description related to the given data processing activity |
for the specific time period defined in the Data Subject’s related consent granted, or until the legitimate interest ceases to exist |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities performed in relation to aptitude tests (examinations) |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to exercise the right established in the regulation applicable to the given legal relationship, to check the professional suitability required to comply with the obligations (competen-cies) |
voluntary consent granted, or legitimate interest |
any natural person, who participates in an aptitude test |
for more details, please check the detailed information/ description related to the given data processing activity |
until the Data Subject requested it to be erased, or for the time period specified in the related consent given, or for the statutory period |
electronically and/or in a hard copy format, manually |
the Data Subjects |
Summary table of data processing activities related to language skill tests |
||||||
Purpose |
Legitimacy |
Data Subjects |
Data category |
Duration |
Method |
Source |
to determine the applicable language group, for the most optimal language learning practices, for any Data Subject applying |
voluntary consent granted |
any natural person, who participates in a language skill test |
for more details, please check the detailed information related to the given data processing activity |
until the specific purpose is reached, or until the data is erased based on the Data Subject’s request, or if the Data Subject is determined to belong to a certain group, based on legitimate interest, the duration is the total duration of the language training provided - due to later comparisons, or confirmation on progress - or for the statutory period |
electronically, in a hard copy format, manually |
the Data Subjects |