Consumer Privacy Policy

I. Introduction

The Miskolci Diákotthon Kft. UNI-HOTEL Diákotthon (its seat: 3515 Miskolc-Egyetemváros, Hrsz: 40591/4/A, tax: 13385149-2-05, hereinafter: UNI-HOTEL) as data manager will act upon the following policy (hereinafter: Policy) when dealing with data. The effective Policy can be checked on www.uni-hotel.hu. UNI-HOTEL reserves the right to change this Policy unilaterally. The UNI-HOTEL will answer all questions, sent to direktor@uni-hotel.hu, concerning this Policy via e-mail.

The UNI-HOTEL will inform its customers, guests and anyone checking its website about processing personal data, its policies and practice, and the legal ways of applying your rights regarding the personal information the UNI-HOTEL collects from you. Some of these rights only apply in certain circumstances. The UNI-HOTEL is committed to protecting the privacy of its users and partners. It considers important to respect its customers’ right to self-determination. It respects the rights of its partners, customers and anyone checking its website. The privacy of your personal information is managed confidentially in accordance with privacy policies, international policies and this Policy. The UNI-HOTEL will ensure that it uses appropriate technical and organisational security measures in order to ensure that your data remains secure. It will inform its customers, partners and guests about any changes in the Policy in due time.

The UNI-HOTEL Student’s Hostel registration number is NAIH- 122076/2017.
By providing your personal data to us you acknowledge that it will be processed in accordance with this policy.

The aim of the Policy:

The aim of the Policy is determine the legal process of dealing with personal information recorded at the UNI-HOTEL as well as ensure the predominance of the requirements of privacy policy and data security and prevent unauthorized access or change of data or making data public.

The scope of the Policy:

1. Duration – This Policy is of legal force from 1 March 2018 until further action, cancellation.
2. Personal scope – This Policy covers the UNI-HOTEL, the people whose personal information is managed under this Policy, and the people whose rights are concerned by the data management.
3. Factual scope – This Policy covers data management of all the personal information at the UNI-HOTEL.

The legal basis for processing your data:

1.) (EU) 2016/679 Regulation of the European Parliament and Committee (hereinafter: Regulation)
2.) Act 108 of 2016 on some questions of electronic commercial services and services relating to the information society (hereinafter: Elker Tv.)
3.) Act 48 of 2008 on the basic terms and limits of economic advertising activities (hereinafter: Advert.tv.)
4.) Act 47 of 2008 on prohibiting unfair commercial practices

II. Information on private data management

He person concerned is to be informed about all details and facts of data management in accordance with this Policy. The person concerned is informed about the aim of the data management, legal basis, the people who have the right to manage and process data, the duration of the data management and sharing personal information with third party with the approval of the person concerned. the UNI-HOTEL gives information to the person concerned on who it may share the personal information with. The information covers the rights of the person concerned relating data management and legal remedy. The content of the Information is to be learnt by the staff of the UNI-HOTEL. The UNI-HOTEL will take reasonable measures to protect personal information from unauthorized access, disclosure, alteration or destruction, and keep personal information accurate and up-to-date as appropriate.

III. Legal basis of data management

In case of hotel services the legal basis of data management is Article 6 Paragraph 1 Item b of the Regulation. In case of the places rented by the University of Miskolc, the lessee (guest) shall fill in a form of personal data, when using the services of the hotel the guest shall fill in a registration form, in case of booking for a group the organizer/contracting party shall send the personal data of the members of the group to the UNI-HOTEL. If the data sender gives somebody else’s personal data it is the informant’s duty to let that person know about the data management. The people incapable of acting and people under 16 will need their legal representative’s consent to make a declaration.

IV. Duration of the personal data management

The UNI-HOTEL manages and records the data for 5 years to prove the contract, its completion, and for incidental assertion. Invoices are to be kept for 8 years in accordance with the Act C. of 2000, paragraph 169 on Accountancy.

V. The aim of the personal data management

The UNI-HOTEL manages the data given by its guests, in accordance with the Act Info, with the following purposes:

• To deliver your bookings. When you book with us we will use your information to confirm your booking and any payments you have made and to send a follow up email for your valued feedback.
• To deliver products that you purchase. When you buy from our online stores, we will use your information to deliver your purchases, confirm your order and payments you have made and to send a follow up email for your valued feedback.
• To keep you informed of our products, services, offers and promotions. We may send you marketing communications about our food, drink, hotel rooms, events and unique Fuller’s experiences if you have indicated that you are happy to receive these (e.g. when you opt in to marketing when you book from us).
• We will monitor opens / clicks and offer redemption on marketing emails to assess engagement.
• To personalise and improve your customer experience. We may use your personal data in order to tailor our services to your needs and preferences and to provide you with a personalised customer experience.
• To optimise the performance of our websites. We may also collect information on how you use our websites including the pages that you visit and the search criteria that you perform in order to optimise the performance of the website and personalise content that you see.
• To meet our legal obligations. We are required to keep certain records for legal reasons – for example invoices that we issue. We will keep and use this data in line with our legal requirements.
• We use CCTV to deter and detect crime and civil offences, to support court action and comply with our legal licensing requirements. We also use CCTV to provide a safe environment for our staff and customers. We use CCTV to facilitate entry / exist from buildings and improve customer service.
• For market research and to deliver business insight to help us ensure that our products and services remain relevant.

The UNI-HOTEL determines other purposes in the chapter of OTHER DATA MANAGEMENT.

VI. The scope of data managed

1. Booking rooms:– When you book a room online, in person or on the telephone the UNI-HOTEL may ask you for the following data: title, surname, first name, address (settlement, postal code, country), e-mail address, telephone number, payment information (cash, bank card, Széchenyi Pihenőkártya).
You have to give the following data on the registration form for students: photo, name, place and date of birth, ID card number, mother’s name, address, faculty, Neptun number, student card number, telephone, e-mail address, signature.
You have to give the following data on the registration form (for guests): surname, first name, place and date of birth, nationality, ID card number, Student card number, address, date of check-in, date of check-out, declaration on IFA exemption (Tourist Tax), signature.
Foreigners will also have to give the following data: in addition to personal data they have to give their passport number, the address of accommodation, first and last day of the use of accommodation, signature.
Without these data you may not use the services of the hotel!

2. In case of groups you have to give your name, nationality, date of birth, address, telephone, date of check-in, date of check-out, signature.

3. The UNI-HOTEL remembers neither the IP address of the user nor other data when visiting its website (www.uni-hotel.hu).

4. The UNI-HOTEL may use cookies on its website to sustain and develop its services. These cookies can be deleted on your computer or can be banned in your browser.

5. The html number of the UNI-HOTEL’s website may contain references to outer servers to make independent web analytical measures. The web analytical service provider only manages data on how you use the browser. These data are unable to identify the user.

6. The UNI-HOTEL determines other purposes in the chapter of OTHER DATA MANAGEMENT.

VII. The way personal data are stored and the security of data management

The UNI-HOTEL manages data at its seat and protects all personal data with appropriate measures against unauthorized access, disclosure, alteration or destruction.

The UNI-HOTEL will keep data accurate and up-to-date and retain personal information about you for the period necessary to fulfill the purposes outlined in this Policy. All the workers managing data at the UNI-HOTEL have to keep persona data in secret and they have to sign a Declaration of Privacy.

The IT system used by the UNI-HOTEL provides the expected protection, it is protected against phishing, espionage, sabotage, vandalism, fire and flooding, viruses and hacking. The IT system is capable of restricting the access to the data managed so all data are protected against unauthorized third parties. In case of the modification of data the date of modification is recorded as well as the name of the person who modified them, faulty data are to be deleted.

The UNI-HOTEL is careful about the protection of data in its servers and applications. The safety of data is ensured by password and firewall. The UNI-HOTEL reserves the right to inform its customers and partners about any risk in its safety system and restrict the access to their data until the risk is abolished.

The website of the UNI-HOTEL contains references to outer servers (not operated by the UNI-HOTEL). The websites reached on these links may use their own cookies or other files on the computer, they may collect data or ask for personal data. The UNI-HOTEL takes no responsibility for them.

VIII. The rights of the people concerned and their enforcement

Right to Object or Restrict Processing

The person concerned has the right to protest against managing their personal information any time. In such cases the personal information may not be managed any longer except if the Manager proves that there are imperious righteous reasons taking priority over the interests, rights of the person concerned or linking to submittal, enforcement or protection of legal claims.

The person concerned has the right to ask the UNI-HOTEL to restrict data management in case of any of the followings:
• the person concerned argues about the accuracy of personal data, in the case of which there is a restriction until the UNI-HOTEL checks the data in question;
• the data management is against the law and the person concerned is against the deleting of the data but asks for restriction;
• the UNI-HOTEL do not need the data any more but the person concerned asks for them for submittal, enforcement or protection of legal claims; or
• the person concerned protested against data management, but the legal interest of the data manager may base data management and in this case until it is determined if the UNI-HOTEL has a priority over the person concerned, data management has to be restricted.

If data management is restricted, the data may be managed with the approval of the person concerned or for submittal, enforcement or protection of legal claims or the protection of the rights of other natural person or legal person or for the interest of the European Union or a member of the EU. The UNI-HOTEL shall inform the person concerned about the cancellation of the restriction in due time.

Right of Access to personal data:

The person concerned has the right to get informed about the process of the data management. They are also have the right to get access to personal data and the following information:

the aims of the data management;
categories of the personal data concerned;
categories of the addressees who the personal data have been or will be shared with;
in certain cases the planned duration of the storage of personal data or the aspects which determine this duration;
the person concerned may ask the data manager to change, delete or restrict data, and may protest against managing such data;
the right to make a complaint to authority ;
if the data has not been collected from the person concerned, all information on their sources;
information on the importance of data management and its consequences.

The claim may be focused on determining and checking the rightfulness of the data management. In case of asking for information several times, the UNI-HOTEL may charge the person concerned some allowance for giving information.

Right of Correction or Erasure:

If the data collected is inaccurate you have the right to update it. The person concerned has the right to ask the UNI-HOTEL to correct the inaccurate personal data without delay.

Right of Erasure:

The person concerned has the right to ask the UNI-HOTEL to delete all the personal data without delay if any of the following reasons happens:

the personal data are no longer needed in the purpose they have been collected or they have been managed for other purposes;
the person concerned cancels the approval and the data management has no other legal claim;
the person concerned protest against data management and there are no legal reasons with priority or other legal claims for data management;
the personal data have been misapplied;
to complete some legal privity in the law of the EU or other member state, the personal data have to be deleted.

If the UNI-HOTEL has made the data public and has to delete them, it has to make the necessary actions to inform the data managers that the person concerned has asked them to delete all the links referring to the personal data or the copies of the personal data.

The personal data will not be deleted if the data management is necessary:

to practise the right of deliverance and get information;
for legal reasons to meet the requirements of the EU or a member state
to practise the right given to the data manager;
for public interest in connection with public health;
for scientific and historic research, statistical analysis, to archive data for public utility if the erasure of data made this kind of data management impossible or risked it; or
for submittal, enforcement or protection of legal claims.

It is also needed to be taken into consideration that if the personal data are related to more than one data managers, their right to get personal data may not be violated. If the data are needed to investigate offence or crime, the personal data will not be deleted.

Right of Legal Remedy:

The person concerned has the right to make a complaint at the Nemzeti Adatvédelmi és Információszabadság Hatóság (Authority of National Data Protection and Freedom of Information) (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; www.naih.hu,  Telephone: +36 (1) 391-1400, Telefax: +36 (1) 391-1410, E-mail: ugyfelszolgalat@naih.hu) or in accordance with Act 3 of 1952 on Civil rules and regulations of court, the person concerned has the right to practise their rights at Court of Justice.

Management of incidents concerning data protection:

The UNI-HOTEL makes all the necessary arrangements to avoid incidents relating data protection. In case of an incident:

The person responsible for data protection shall contact the Root of the IT system. The following categories are used in case of incidents relating to data protection:

Low-level incident: change, deletion or destruction of unimportant personal data on purpose or by accident.
Middle-level incident: change, deletion or destruction of a small range of personal data on purpose or by accident or other misapplication of data management.
High-level incident: change, share, publicize, delete or destroy a wide range of personal data on purpose or by accident or other misapplication of data management and
independently of the range of data, every case when the incident may have a disadvantageous impact on the person concerned or the size of the disadvantageous consequence is certain.
independently of the range of data, publicizing or sharing the data unwillingly.

In case of low-level incident the person responsible for data protection:

shall determine how to deal with the incident with the help of the Root, and call for the person entitled to manage the incident,
shall record the incident in the registration of incidents.

In case of middle-level incident:

the person responsible for data protection shall call for a group (the root, person or people entitled by the UNI-HOTEL) immediately, but in 12 hours the latest,
the group shall determine how to deal with the incident, and call for the person entitled to manage the incident,
the person responsible for data protection shall record the incident in the registration of incidents.

In case of high-level incident:

the person responsible for data protection shall call for a group (the root, person or people entitled by the UNI-HOTEL) immediately, but in 12 hours the latest,
the group shall determine how to deal with the incident, and call for the person entitled to manage the incident, furthermore, if necessary, the group shall determine how to inform the person/people/others concerned, the content of this notice and inform everybody concerned without delay,
the person responsible for data protection shall record the incident in the registration of incidents.

The UNI-HOTEL shall register all details of all incidents with the help of the person responsible for data protection. This register contains the range of personal data involved in the incident, the details of people or companies involved in the incident, the date of the incident, the circumstances and effects of the incident, actions against the incident, and other data determined in the act on data management.

If the person concerned asks, the person responsible for data protection shall give information on the incidents.
The person responsible for data protection shall inform the supervisory authority about the incident in 72 hours, except if the incident does not risk the rights and freedom of the person concerned or others. The person responsible for data protection shall inform everybody involved in the incident if the incident may have a high risk of effect on their rights or freedoms.

IX. Sharing your personal data

The data of people employed by the UNI-HOTEL may be linked in the different modules of the computer system. In the computer system there are personal data in the invoicing modules.

Data sharing beyond the UNI-HOTEL and data linking are possible only if:

the person concerned has accepted them and given approval,
the law allows them,
the terms of data management cover all personal data.

According to Act 19 of 1998 paragraph 71 on Criminal action, the court of justice, a prosecutor and the investigating authority may ask the UNI-HOTEL for data or documents . The UNI-HOTEL shall share the personal data with authorities to the extent it is absolutely necessary for their purpose.

X. Rules concerning the privacy of information of bank cards – PCI – DSS

Other data management by the Uni-Hotel Student’s Hostel:

The PCI DSS (Payment Card Industry Data Security Standards) is a special standard of safety which is created and updated by the PCI Security Standards Council founded by all major bankcards (American Express, Discover, JCB, MasterCard and Visa). The safety requirements of the PCI DSS relate to all the organizations that use, share or store bank card details.

Requirements of the PCI DSS
The PCI DSS has the following security policies:

Security system is to be established and maintained:

Firewall shall be installed and operated to protect the data of the bankcard owner
Automatic passwords and other security parameters may not be used
The data of the bankcard owner shall be protected
The data of the bankcard owner shall be protected during storage
The data of the bankcard owner shall be encrypted in case of sharing
Defect management programme shall be operated
Regularly updated virus protection system shall be used
Safe systems and applications shall be developed and operated
Strong access system shall be developed
Access to the data of the bankcard owner shall be minimized
Physical access to the data of the bankcard owner shall be restricted
The system shall be tested and monitored
All accesses to the data of the bankcard owner or system resources shall be recorded
Systems and processes shall be tested regularly
A system of IT security rules shall be operated
A system of rules relating to data security shall be set up and maintained.

The UNI-HOTEL will take all reasonable measures to meet these policies.

XI. Electronic monitoring system

Manager of personal data: Miskolci Diákotthon Kft.
The aim of data management: to protect life, body, possessions and assets from violation of rights, notice such violations, catch the violator and prove violation.
The legal basis of data management: In accordance with the Policy Article 6 the rightful interest of the UNI-HOTEL to protect its guests.
The range of data managed: photos and personal information of the people entering the area of the UNI-HOTEL.
Duration of data management: 3 business days
The registration number of data management: NAIH 122076/2017

The use of records:
The records of video cameras shall be checked by: executive manager of the Miskolci Diákotthon Kft., employees of the Jánosik és Társa Kft., and the person whose right or rightful interest is concerned by the data.
The records of video cameras may be recorded in a data medium by the executive manager of the Miskolci Diákotthon Kft.

The records of the video cameras may be checked by the people entitled to prove the violation of rights, injury of somebody’s life or body and identify the violator. The people whose right or rightful interest is involved in the records may ask for a copy or erasure of such records. The manager of data shall record all details of viewing the records, such as the name of the person viewing, the reasons for viewing and the date of viewing.

Proof of rightful interest:
Hotel service is an activity where the UNI-HOTEL shall ensure the protection of the assets and personal protection of the people accommodated and may not allow:

unauthorized people to stay in the area of the student’s hostel,
if unauthorized person gets to the area of the student’s hostel, the UNI-HOTEL shall have information about it,
if offence or crime has been committed on the are of the student’s hostel, the UNI-HOTEL shall have information about it to protect its guests.

To control the situations mentioned above, the UNI-HOTEL has decided:

– to provide stronger protection of person and assets by using video cameras,
– to help the work against offences and crimes with its video cameras.

Interests scaling:
The UNI-HOTEL is aware that assets and personal protection coincides the interest that the personal data of the people concerned appear. However, the UNI-HOTEL has determined the interests introduced above are in scale of the aims of such actions and do not restrict the personal rights of the people concerned in such an extent that would not be in scale in the purposes of data management.

XII. Data management relating to quality complaints

The aim of data management: the management of quality complaints relating to the services offered by the UNI-HOTEL.
The legal basis of data management: According to the Article 6 of the Regulation, paragraph (1) item b), data management relating to the completion of the contract.
The range of data managed: serial number, guest’s name, address, the service complained about, description of the complaint, the claim of the complainer, the method of compensation.
The duration of data management:

the records written in the book of customers shall be kept for 2 years
the copies of the responds to written complaints shall be kept for 3 years

XIII. The electronic card system used at the UNI-HOTEL Student’s Hostel

The legal basis of data management: According to the Regulation paragraph 6 item (1) f), on the rightous interests relating to assets and personal protection of the guests of the UNI-HOTEL.
The aim of data management: The main assets and personal protection aim of the card system to identify everybody entering the area, check the authority of staying there and prevent unauthorized entering.
The range of data managed: card number, validity, date of check-in, photo in case of permanent permission for entering, signature, date of check-out. a

The duration of data management: the UNI-HOTEL ensures safe data storage for a year at most in case of permanent permission for entering. After this duration the data will be deleted automatically.

The data recorded in the card system may only be shared with Jánosik és Társai Kft.

The UNI-HOTEL shall protect the database managing the data recorded with passwords from unauthorized management, change, publication, erasure or destruction. The UNI-HOTEL continually checks the actions relating to protection.

Applied rules:
The UNI-HOTEL and the Jánosik és Társa Kft. will act upon the Act 133 of 2005 (hereinafter: Szvtv.) paragraph 25. § items (1)-(2), paragraph 26. § items (1) a)-c) and e)-f) and paragraph 32. § items (1) on management, storage, record and share of personal data, personal and assets protection and private investigation.

Proof of rightous interest:
Hotel service is an activity where the UNI-HOTEL shall ensure the protection of the assets and personal protection of the people accommodated and may not allow:

unauthorized people to stay in the area of the student’s hostel,
if unauthorized person gets to the area of the student’s hostel, the UNI-HOTEL shall have information about it,

if offence or crime has been committed on the are of the student’s hostel, the UNI-HOTEL shall have information about it to protect its guests.

So the UNI-HOTEL has decided:

– to provide stronger protection of person and assets by using video cameras,
– to help the work against offences and crimes with its video cameras.

Interests scaling:

The UNI-HOTEL is aware that assets and personal protection coincides the interest that the personal data of the people concerned appear when applying the entering system. However, the UNI-HOTEL has determined that the interests introduced above are in scale of the aims of such actions and do not restrict the personal rights of the people concerned in such an extent that would not be in scale in the purposes of data management.