Data processing and privacy policy

CONTROLLER: BREEZE LAKE ZRT. (HEREINAFTER REFERRED TO AS: BREEZE LAKE ZRT., OR HOTEL)
REGISTERED OFFICE: 8600 SIÓFOK, ERKEL FERENC U. 2/C
TAX NO.: 25292743214

WEBSITE: WWW.HOTELAZUR.HU
E-MAIL ADDRESS: INFO@HOTELAZUR.HU
PHONE NO.: +36 84 501 400
MAIN ACTIVITY OF CONTROLLER: HOTELS AND SIMILAR ACCOMMODATION

Preamble

Breeze Lake Zrt. (8600 Siófok, Erkel Ferenc u. 2/C, tax No.: 25292743214, hereinafter referred to as: Breeze Lake Zrt., or Hotel) is a private limited company, the main activity of which is Hotels and Similar Accommodation.

With respect to data processing, Breeze Lake Zrt. hereby informs its clients, guests and visitors to its website of the personal data processed by it, the principles and practices followed by it in the processing of personal data, and the rights of the data subjects and the means to exercise those rights.

The Hotel is committed to protecting the personal data of its users and partners, and considers it essential to respect the right of its clients to informational self- determination. Breeze Lake Zrt. declares that it respects the personality rights of its partners, clients and visitors to its website. It treats the collected personal data confidentially, in compliance with the data protection laws and the international recommendations, in accordance with this data processing policy, and takes all necessary security, technical and organizational measures that guarantee the security of data.

Information related to the data processing activity of Breeze Lake Zrt., the current version of the policy is available at all times at www.hotelazur.hu.

The Hotel reserves the right to change this policy at any time. Naturally, it will notify its clients, partners and guests of any changes in a timely and appropriate manner.

Any partner entering into a client relationship with the Hotel shall accept the following, and shall consent to the data processing specified below.

1./ Purpose of the Policy

The purpose of this Policy is to ensure that Breeze Lake Zrt. complies with the applicable data protections laws, in particular:

- Act No. CXII of 2011 - on the right of informational self-determination and the freedom of information;
- Act No. XLVII of 2008 - on the prohibition of unfair business-to-consumer commercial practices;

- Act No. XLVIII of 2008 - on the basic requirements and certain restrictions of commercial advertising activities;
- Act No. CXXXIII of 2005 - on the rules of personal and property protection and the activities of private investigators;

- Act No. CVIII of 2001 - on certain issues of electronic commerce activities and information society services;

2./ Scope of the Policy

2.1 Temporal scope

This Policy shall be effective from 01st January 2012 until further notice, or until revoked.

2.2 Personal scope

The scope of this Policy shall extend to Breeze Lake Zrt., to the persons whose data is processed under this Policy, as well as to the persons whose rights or legitimate interests are affected by the processing.

2.3 Material scope

The scope of this Policy shall extend to all processing of personal data performed by any organizational unit of Breeze Lake Zrt.

3./ Terms

The following terms shall have the following meanings for the purposes of this Policy: data protection: a set of principles, rules, procedures, data processing tools and methods to ensure the lawful processing of personal data and the protection of the data subjects.

personal data: any information relating to an identified or identifiable natural person [data subject], as well as conclusions drawn from the data in regard to the data subject. In the course of processing, data shall retain their personal character as long as their connection with the data subject can be restored. The connection with the data subject shall, in particular, be considered restorable if the controller is in possession of the technical means necessary for the restoration.

data subject: a natural person identified or otherwise identifiable, directly or indirectly, by reference to any specific personal data. A person shall be considered identifiable if he can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, or to one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person.

sensitive data: personal data revealing racial or ethnic origin, political opinion or any affiliation with political parties, religious belief or worldview, or trade-union membership, personal data concerning sex life or sexual orientation, health status, pathological passions, and criminal convictions.

criminal personal data: personal data related to the data subject and to a criminal record, generated by organs authorised to conduct criminal proceedings or to detect criminal offences, or by the prison service during or prior to criminal proceedings, in connection with a criminal offence or criminal proceedings.
processing: any operation or set of operations that is performed on data, regardless of the procedure applied; in particular collecting, recording, registering, organising, storing, modifying, using, retrieving, transferring, disclosing, synchronising or connecting, blocking, erasing and destroying the data, as well as preventing their further use; taking photos and making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples and iris scans).

controller: a natural person or organisation, who/which determines the purposes of data processing, makes decisions concerning data processing (including the means used) and implements such decisions or has them implemented by a processor. technical processing: the performance of technical tasks in connection with the processing operations (irrespective of the method and means used for executing the operations, as well as the place of execution).

processor: a natural person or organisation, who/which processes the data on the grounds of a contract concluded with the controller, including contracts concluded pursuant to legislative provisions.
rights of the data subject: before processing operations are carried out, but also at any time upon request, the data subject shall be clearly informed of all aspects concerning the processing of his personal data. The data subject shall have the right to request the rectification or, in certain cases, the erasure of his personal data, and to object to the processing of his personal data in the cases specified by law.

legal basis of processing: as a general rule, the consent of the data subject or mandatory processing required by law.
consent: any freely and expressly given specific and informed indication of the wishes of the data subject by which he signifies agreement to personal data relating to him being processed fully or to the extent of specific operations. For sensitive data a written form is required.

adequate information: before processing operations are carried out, the data subject shall be informed whether his consent is required or processing is mandatory, and shall be clearly and elaborately informed of all aspects concerning the processing of his personal data, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation, and the persons to whom his data may be disclosed. Information shall also be provided on the rights and remedies available to the data subject.

objection: a declaration made by the data subject objecting to the processing of his personal data and requesting the termination of processing, or the erasure of the data processed.
data security: a system of technical and organizational solutions to prevent the unauthorized acquisition, modification and destruction of data.

principles of processing: the requirement of purpose limitation (see below), and the requirement of data quality. The latter includes the need for accurate, complete and up-to-date data and the fairness and lawfulness of collection and processing. processing limited to the intended purpose: personal data shall be processed only for specified purposes, for the exercise of certain rights and the fulfilment of obligations. The purpose of processing shall be met in all stages of processing, data shall be collected and processed fairly and lawfully. Only personal data that is essential and suitable for achieving the purpose of processing may be processed. Personal data may be processed only to the extent and for the period of time necessary to achieve its purpose. The accuracy and completeness, and, if deemed necessary with respect to the purpose of the processing, the up-to-date status of the data shall be ensured throughout the processing; the identification of the data subject shall be possible for no longer than necessary for the purpose of the processing.

data transfer: providing access to the data for a designated third party;
data transfer to foreign countries: the transfer of personal data to a processor engaged in processing in any third country outside the EEA (European Economic Area: the countries of the European Union, and Iceland, Norway and Lichtenstein). freedom of information: a fundamental right to access and disseminate data of public interest and data accessible on public interest grounds, which promotes democratic control over the exercise of public power and the transparency of public institutions. data of public interest: information or data other than personal data, recorded through any method or in any form, pertaining to the activities of and processed by an organ performing state/local government duties, or other public duties defined by law, or generated in the course of performing their public duties, irrespective of the method of processing and regardless of its singular or collective nature (in particular, data concerning material competence, territorial competence, organisational structure, professional activities and the evaluation of their performance, the type of data held and the laws governing its operation, as well as data concerning financial management and concluded contracts).
data accessible on public interest grounds: any data, other than data of public interest, the disclosure, availability or accessibility of which is prescribed by an Act for the benefit of the general public. (e.g. the Act on Real Property Registration, the Companies Act and the Act on Accounting classify a wide range of data as data accessible on public interest grounds in order to protect the interests of creditors, and the security of market transactions)
third party: any natural or legal person, or organisation without legal personality other than the data subject, the controller or the processor;
disclosure: making the data accessible to anyone;
data erasure: making the data unrecognisable in such a way that its restoration is no longer possible;
tagging of data: marking the data with a special ID tag to differentiate it;
blocking of data: marking the data with a special ID tag to indefinitely or definitely restrict its further processing;
data destruction: complete physical destruction of the data carrier recording the data; cookies: short data files placed on the computer of the user by the website visited. The purpose of cookies is to make the given info-communication and internet service easier and more convenient. There are many varieties of cookies, but they can generally be classified into two major categories. The first category is session cookies, which are placed on the device of the user by the website for the particular session (e.g.: during security authentication for internet banking), the other category is persistent cookies (e.g.: the language settings for the website), which remain on the computer until they are deleted by the user. According to the guidelines of the European Commission, cookies may only be placed on the device of the user with the permission of the user [except if they are absolutely necessary for the use of the given service]. This is because cookies raise numerous privacy concerns, for example, they can be used to track the browsing habits of the user.
cloud computing: (cloud-based services): a common feature of the many, ever- expanding IT services covered by this concept is that they are not provided by the computer/corporate computer centre of the user, but by a remote server/a server centre located anywhere in the world. The most common cloud-based services are Internet mail systems, hosting, development environments, and virtual workstations. For example, the Internet e-mail systems used by millions (e.g. Gmail) or online repositories (e.g. Dropbox) are cloud-based services. An important advantage is that the customer can access the IT system in an economical and customized manner, without the need to make expensive investments and to employ the staff necessary for maintaining the system. Cloud computing, however, raises numerous privacy concerns. This is because the data uploaded by the user are constantly moving around, of which the user is not notified. In the case of several services, the service provider uses the personal data of the customer also for its own purposes, mainly for marketing purposes. The service provider uses subcontractors all over the world to process the data of customers without their knowledge. In the case of multiple (more complex corporate) applications, it is difficult to save data from the cloud, so the user can only get rid of a cloud-based service at a high cost.

CCTV (Closed-Circuit Television): a closed-circuit television surveillance system consisting of several cameras for the continuous surveillance of a given area for security purposes. Unlike publicly broadcast "open-circuit" television, CCTV footage can only be viewed by a closed group (usually the security staff).

internal data protection officer: an employee within the organization of the controller/processor, directly under the supervision of the head of the given body, who is responsible for compliance with the data protection regulations, the protection of personal data on behalf of the organization.

Council of Europe Data Protection Convention: Convention for the protection of individuals with regard to automatic processing of personal data, dated in Strasbourg on 28th January 1981 (Council of Europe Convention 108). It was the first major international instrument in the field of data protection that was binding on the signatory states. It was promulgated in Hungary by Act No. VI of 1998 on 27th February 1998.

EU data protection directive: Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The general data protection directive of the European Union, which was adopted on 24th October 1995, and which, among other things, set up the so called Article 29 Data Protection Working Party (see below).

4./ Principles of processing

Personal data may be processed if

a) the data subject has consented thereto, or
b) it is prescribed in an Act or, based on the authorisation of an Act, within the limits set forth therein, in a local government decree for purposes in the public interest (mandatory processing).

Personal data may also be processed if obtaining the consent of the data subject is impossible or would give rise to disproportionate costs, and the processing of personal data is necessary for compliance with a legal obligation pertaining to the controller, or for the purposes of legitimate interests pursued by the controller or by a

third party, and enforcing these interests is considered proportionate to the limitation of the right to the protection of personal data.

The statement of persons having no legal capacity and minors under the age of 16 with limited legal capacity shall require the consent of their legal representatives, except for those parts of the service where the statement is intended for mass data processing practised in everyday life and does not require special consideration.

If the data subject is unable to give his consent on account of lacking legal capacity or for any other reason beyond his control, the processing of his personal data is allowed to the extent necessary and for the length of time such reasons persist, to protect the vital interests of the data subject or of another person, or in order to prevent or avert an imminent danger posing a threat to the lives, physical integrity or property of persons.

Where personal data is recorded with the consent of the data subject, the controller shall, unless otherwise provided by law, be able to process the data recorded where this is necessary:
a) for compliance with a legal obligation pertaining to the controller, or

b) for the purposes of legitimate interests pursued by the controller or by a third party, if enforcing these interests is considered proportionate to the limitation of the right to the protection of personal data, without further consent from the data subject, or after the data subject has withdrawn his consent.

Personal data shall be processed only for specified purposes, for the exercise of certain rights and the fulfilment of obligations. The purpose of processing shall be met in all stages of processing, and data shall be collected and processed fairly and lawfully.

Only personal data that is essential and suitable for achieving the purpose of processing may be processed, and only to the extent and for the period of time necessary to achieve its purpose.
Personal data may be processed only on the basis of informed consent.

Before processing operations are carried out, the data subject shall be informed whether his consent is required or processing is mandatory. The data subject shall be informed in a clear, comprehensive and detailed manner of all aspects concerning the processing of his personal data, such as the purpose for which his data is required and the legal basis, the person entitled to control the data and to carry out the processing, the duration of the proposed processing operation, whether the personal data of the data subject are processed by the controller with the consent of the data subject and for the purpose of compliance with a legal obligation pertaining to the controller, or for enforcing the legitimate interests pursued by a third party, and the persons to whom his data may be disclosed. Information shall also be provided on the rights and remedies available to the data subject.

The accuracy, completeness and up-to-date status of the data shall be ensured throughout the processing; the identification of the data subject shall be possible for no longer than necessary for the purpose of the processing.
Employees performing data processing at the organizational units of Breeze Lake Zrt. shall be obliged to treat the obtained personal data confidentially as business secrets. Persons processing and having access to personal data shall be obliged to sign a Confidentiality Statement.

5./ The scope of personal data, the purpose, legal basis and duration of processing

The Controller shall process personal data only for specified purposes, for the exercise of certain rights and the fulfilment of obligations. The purpose of processing shall be met in all stages of processing. Data shall be collected and processed fairly and lawfully. The Controller strives to ensure that only personal data that is essential and suitable for achieving the purpose of processing are processed. Personal data shall be processed only to the extent and for the period of time necessary to achieve its purpose.

Data providers providing data to Breeze Lake Zrt. are advised that if the data provided by them is not their own personal data, the data providers shall be obliged to obtain the consent of the data subject.

5.1 Processing on the website

a) Legal basis of processing on the website: the consent of the User, or subsection (3) of Section 13/A of Act No. CVIII of 2001 on certain issues of electronic commerce activities and information society services.

b) Scope of processed data: the date and time of visit, the IP address of the computer of the visiting user, the type of the browser, name, phone number, e-mail address, date and time, number of adults, number and age of children, type of care, and other personal data provided by the User.

c) Time limit for erasing data: 5 years from the date of booking, if a quote is requested and no contract is concluded, immediately; in the case of consents to receiving newsletters, until the consent is withdrawn. According to subsection (2) of Section 169 of Act No. C of 2000 on accounting, accounting documents shall be retained for 8 years by the Service Provider.

d) The erasure or rectification of personal data may be initiated in the following ways:

• -  by mail sent to Breeze Lake Zrt. to the address: 8600 Siófok, Vitorlás utca 11, or

• -  by e-mail sent to the address: info@hotelazur.hu.

e) Users are hereby informed that courts, prosecutors, investigating authorities, law enforcement authorities, administrative authorities, the data protection supervisor, or other bodies authorized by law may request the Service Provider to provide information, to disclose or transfer data, or to provide documents.

f) Breeze Lake Zrt. shall disclose to the authorities, provided that the authority has specified the exact purpose and the scope of data to be provided, only the personal data requested and to the extent indispensable for achieving the purpose of the request.

g) Breeze Lake Zrt. shall process the data and information provided by the guests and necessary for the performance of the Service in accordance with the provisions of Act No. CXII of 2011 on the right of informational self-determination and on freedom of information.

h) Breeze Lake Zrt. shall process the personal data of Users for the purpose of providing a service (full use of the website, e.g. booking, receiving newsletters), only to the extent and for the period of time necessary to achieve its purpose. The purpose of processing shall be met in all stages of processing.

i) It shall also process personal data that are technically indispensable for the provision of the service. Where personal data is collected with the consent of the User, Breeze Lake Zrt. shall, unless provided otherwise by law, be able to process the data collected where this is necessary

i) forcompliancewithalegalobligationpertainingtothecontroller,or
ii) for the purposes of legitimate interests pursued by the Hotel or by a third party, if enforcing these interests is considered proportionate to the limitation of the right to the protection of personal data, without further consent from the data subject, or after the data subject has withdrawn his consent.

j) Inaddition,BreezeLakeZrt.shallcollectonlyinformation(IP-address,dateofuse, viewed pages, browser, and one or more cookies that uniquely identify the browser) that are used solely for the purpose of developing and maintaining the Services, and for statistical purposes. The Service Provider shall only use the data processed for such statistical purposes in a form in which identification of the data subject is no longer possible. In order to improve the quality of the Services, Breeze Lake Zrt. places a file containing a string of characters, so called cookie on the computer of the User, if the User consents to it. If the User does not consent to it, he shall indicate this in advance using the contact details specified in par. d) of the section on „Processing on the website".

k) Breeze Lake Zrt. shall transfer the personal data processed by it to third parties only for the purpose of developing and/or operating certain services of the Hotel used by the User. The Hotel shall not use for the purposes of third parties, or otherwise misuse the personal data processed by it.

l) The pages include links to external servers (not managed by Breeze Lake Zrt.), and the websites accessible through such links may place their own cookies or other files on the computer, collect data or request personal data. Breeze Lake Zrt. excludes all liability for these.

m)By using the service, the User consents to Breeze Lake Zrt. collecting and processing his personal data as described in this privacy policy for the purpose of providing the service of the Hotel in its entirety.

5.2 Processing of business cards

a) Legal basis of processing: the freely given consent of the User through the act of transferring a business card containing the personal data of the User to the Hotel.

b) Scope of processed data: name, phone number, address, e-mail address, place of work, address of place of work, other personal data shown on the business card.

c) Purpose of processing: to build relationships, to facilitate people-to-people contacts.

d) The provisions of this Privacy Policy shall apply accordingly to the transfer of business cards and their processing.

e) Time limit for erasing data: until the withdrawal of the consent, that is until an instruction to destroy the business card.

5.3. Newsletter, DM activity

a) Pursuant to Section 6 of Act No. XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities, the User shall in advance and expressly consent to being contacted by the Hotel with advertising offers and other mailings at the contact details provided at the time of registration (e.g. e-mail address or phone number).

b) In addition, the Customer shall, subject to the provisions of this Policy, consent to the processing of his personal data by the Hotel for the purpose of sending advertising offers.

c) Breeze Lake Zrt. shall not send unsolicited advertising messages, and the User shall be able to unsubscribe from receiving offers without any restriction and without giving any reason, free of charge. In that case, the Hotel shall erase all personal data necessary for sending advertising messages from its records, and shall not contact the User with further advertising offers. The User shall be able to unsubscribe from the advertising messages by clicking on a link in the message.

d) Purpose of processing: sending electronic newsletters containing commercial advertising messages to the User, informing him about current information and products.

e) Legal basis of processing: the freely given consent of the data subject and subsection (5) of Section 6 of Act No. XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities.

f) Scope of processed data: name, e-mail address, phone number, date, time.

g)Time limit for erasing data: until the withdrawal of consent, that is until unsubscription.

6./ Data security

a) Breeze Lake Zrt. shall take all necessary security steps, organizational and technical measures in order to ensure the highest level of security for personal data, and to prevent the unauthorized modification, destruction and use thereof.

b) The Hotel shall take all necessary measures in order to ensure the integrity of data, that is the accuracy, completeness, and up-to-date status of personal data processed and/or technically processed by it.

c) Breeze Lake Zrt. shall protect the data by means of suitable measures against unauthorized access, modification, transfer, public disclosure, deletion or destruction, as well as accidental loss and damage, and shall also ensure that the data cannot be corrupted and rendered inaccessible due to changes in or modification of the applied technique.

d) The Hotel, therefore, reserves the right to inform its clients and partners if it identifies any security gap in their system, and at the same time to limit their access to the system, services of the Service Provider, or to certain functions thereof, until the security gap is closed.

e) In order to ensure the security of the data stored on the network, Breeze Lake Zrt. shall prevent the loss of data by continuous server mirroring.

f) The Hotel performs daily backups of the active data in the databases containing personal data.

g) Breeze Lake Zrt. shall provide continuous virus protection on the network processing personal data.

h) Access to the data and data files processed on the network of Breeze Lake Zrt. shall be secured by user name and password.

7./ Information on processing

a) The User may request information about the processing of his personal data, and may request the rectification or erasure of his personal data, except for data processing ordered by law, in the manner indicated when the data was collected, or at the contact details provided by the Controller.

b) Upon the request of the User, the Hotel shall provide information on the data processed by it, the sources thereof, and the purpose, legal basis and duration of processing. Breeze Lake Zrt. shall comply with the request for information and provide the information requested in an intelligible form, in writing, in the shortest possible time, but no later than within 30 days from the request.

c) Where personal data is deemed inaccurate and the correct personal data is at the disposal of the data controller, the Hotel shall rectify the personal data in question.

d) Breeze Lake Zrt. shall block personal data instead of erasing if so requested by the User, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the User. Blocked data shall be processed only for the purpose which prevented their erasure.

e) The Hotel shall erase any personal data if it is processed unlawfully, it is requested by the User, the processed data is incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by law, the purpose of processing no longer exists or the legal time limit for storage has expired, or it is so ordered by court or by the National Authority for Data Protection and Freedom of Information.

f) The controller shall have 30 days to erase, block or rectify the personal data. If the Hotel refuses to comply with the request of the User for rectification, blocking or erasure, it shall communicate the reasons for refusal within 30 days.

g) When data is rectified or erased, the Hotel shall notify the Client and all recipients to whom it was transferred for the purpose of processing. Notification is not required if, in view of the purpose of processing, it does not prejudice the legitimate interests of the User.

8./ Monitoring

a) Compliance with the data protection regulations, and in particular the provisions of this policy shall be continuously monitored by the head of the data processing organizational unit of Breeze Lake Zrt.

b) The Hotel and Operations Director and the Data Protection Officer appointed by him shall check the monitoring of the processing of data at Breeze Lake Zrt. once a year.

c) Breeze Lake Zrt. accepts and respects the recommendations of the National Authority for Data Protection and Freedom of Information on the „basic requirements of electronic monitoring systems at the workplace" (30/01/2013).

9./ Data Protection Officer and data protection regulations

a) Breeze Lake Zrt. shall appoint an internal data protection officer who shall report directly to it, and who shall:
i. Participate and assist in the decision-making process with regard to processing and enforcing the rights of data subjects.

ii. Monitor compliance with the provisions of this Act and other regulations on processing, as well as with the provisions of the data processing and privacy policy, and the data security requirements.
iii. Investigate complaints conveyed to him and, if he detects any unauthorized data processing operations, call on the controller or processor in question to cease such operations.

iv. Maintain internal data protection records.
v. Organise training sessions on the subject of data protection.

10./ Remedies

a) The User shall have the right to object to the processing of data relating to him
ii. if the processing or transfer of personal data is necessary solely for the purpose of compliance with a legal obligation pertaining to the Service Provider, or for enforcing the legitimate interests pursued by the Service Provider, the recipient or a third party, unless the processing is required by law;
iii. if personal data are used or transferred for the purposes of direct marketing, public opinion polling or scientific research; and
iv. in other cases prescribed by law.

b) The Hotel shall investigate the objection in the shortest possible time, make a decision on whether it is justified and inform the data subject of its decision in writing no later than within 15 days. If the Hotel finds that the objection of the data subject is justified, it shall cease the processing of data, including further collection and transfer, and block the data, and shall notify of the objection and the measures taken on the basis thereof all recipients to whom the personal data affected by the objection has previously been transferred, who shall also take measures in order to enforce the right to object.

c) If the User disagrees with the decision made by the Hotel, he shall have the right to turn to court within 30 days from the receipt thereof.

d) In the event of any infringement of his rights, the data subject may turn to court against the Hotel. The court shall hear such cases in priority proceedings. A remedy may be sought or a complaint may be lodged with the National Authority for Data Protection and Freedom of Information:

National Authority for Data Protection and Freedom of Information 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Mailing address: 1530 Budapest, Postafiók: 5.
Phone: +36 -1-391-1400

Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

Information on the camera system of Breeze Lake Zrt.

An electronic monitoring and recording system is in operation on the area of Breeze Lake Zrt.

Cameras forming part of the electronic monitoring system have been installed and directed at the outdoor areas of Breeze Lake Zrt., the parking lot and the beach. Inside the buildings, cameras have been installed in the internal corridors of the hotel, in the wellness area, in the pool area, in the function rooms, in the dining rooms and at the reception desks.

Controllers of personal data: Breeze Lake Zrt. (8600 Siófok, Erkel F utca 2. C. ép.), and H-FUTURE Kft. (8600 Siófok, Rákóczi Ferenc u. 36.) a company providing live guard service.
Purpose of processing: in order to protect human life, physical integrity and property, the prevention and detection of offences, catching perpetrators in the act, providing proof of the offences, identifying persons unauthorized to enter the area of Breeze Lake Zrt., recording the fact of entry, documenting the activities of persons unauthorized to be on the area, investigating the circumstances of any occupational or other accidents.

Legal basis of processing: the consent of the data subject given by entering the area of Breeze Lake Zrt., and Section 30 of Act No. CXXXIII of 2005 on the rules of personal and property protection and the activities of private investigators (Personal and Property Protection Act).

Scope of processed data: the image and other personal data of persons entering the area of Breeze Lake Zrt.

Duration of processing: three working days unless used, or thirty days in the case of cameras directed at the transport route or storage area of significant amounts of cash [par. c) of subsection (3) of Section 31 of the Personal and Property Protection Act].

VIDI-COMP Kft. (1211 Budapest, Kiss János Altábornagy utca 50. 2. em. 35.), a company performing the maintenance of the electronic monitoring and recording system, also participates in the operation of the system as processor.

Controller registration No.: NAIH-72601/2014.

A person included in the recording may request information about the processing of data relating to him, and may request the erasure or blocking of recordings made about him, or may object to the processing of his data.

The data subject may make a complaint to Breeze Lake Zrt., and may enforce his rights in court under Act No. CXII of 2011, or notify the National Authority for Data Protection and Freedom of Information.
If you have any complaint about the processing by Breeze Lake Zrt., please contact our data protection auditor at: www.ppos.hu/audit