
Privacy Notice


Valid as of 01.10.2023

This Privacy Notice is intended to provide information on the processing of personal data performed by St. Andrew Hospital for Rheumatology and Medicinal Spa of Hévíz in accordance with Section 13 of the General Data Protection Regulation of the European Union (hereinafter referred to as: GDPR) in its online ticket sales system, including the processing of personal data related to online ticket selling. 

  1. Name and contact details of the Data Controller

Name: St. Andrew Hospital for Rheumatology and Medicinal Spa of Hévíz

Registered seat: H-8360 Hévíz, Dr. Schulhof Vilmos sétány 1.

Registration number: 813727

Registrar: Hungarian State Treasury

VAT number: 15813729-2-20

E-mail: titkarsag@spaheviz.hu

hereinafter referred to as: Data Controller or Institution.

 

Contact details of the Data Protection Officer:
E-mail: adatvedelem@spaheviz.hu
Mailing address: H-8380 Hévíz, Dr. Schulhof Vilmos sétány 1. - please indicate on the envelope: “Data Protection Officer”.

With respect to other data processing related to the provision of services (e.g. verification of ticket validity), the Data Controller cannot define the purpose of the processing on its own, but rather performs it on behalf of the service provider(s) (e.g. by transferring data), and is therefore considered to be a data processor in this regard.

 

  2. Name and contact details of the Data Processor

Name: InteliArt Online Marketing Korlátolt Felelősségű Társaság

Registered seat: H-2440 Százhalombatta, Csalogány utca 19

VAT number: 23160277-2-13

E-mail: info@inteliart.hu

hereinafter referred to as: Data Processor.

The Data Processor provides the Data Controller with comprehensive IT services based on a Service Contract concluded by and between the Data Controller and the Data Processor, which includes the operation and development of the website and software required for selling tickets and providing hosting services for data storage.

 

  3. Information related to certain processing activities

3.1. Ticket purchase through the online ticket selling platform with or without registration

Data subject: any natural person who purchases a spa ticket after registration on the spaheviz.hu website through his or her user profile or without registration.

Purpose of data processing: to allow the purchase of a spa ticket under the name of the person entitled to use the services of the Data Controller and to forward the ticket to the buyer electronically. 

Legal basis of data processing: processing is necessary for the performance of a contract concluded by and between the Data Controller and the data subject for rendering and using services pursuant to Section 6(1)(b) of the GDPR.

Scope of personal data processed and the actual purpose of data processing:

Scope of personal data processed upon the purchase of spa tickets and season tickets as well as the purpose of data processing (scope of personal data processed: purpose of processing):

  • Full name and date of birth of the data subject: to issue a registered e-ticket
  • E-mail address of the data subject: to send the e-ticket electronically
  • Date of birth of the data subject: to provide potential discounts based on the age of the data subject
  • Extent and title of available discounts: to provide a discount on the spa ticket price
  • Proof of entitlement to the discount (card number): to prevent unauthorised use of discounted spa tickets
  • Invoicing details [invoice name and address (country, zip code, city, street address, house number, floor/door)]: to issue an invoice in case of purchasing any products
  • Ticket data contained in the QR code printed on the ticket (data visually displayed on the ticket at the time of purchase): to prevent abuse of electronic spa tickets

Duration of data processing:

  1. for spa tickets until the services are used.
  2. additional data required for the purchase of season tickets are assigned to the user profile and are processed until such data or the profile is deleted by the user (data subject).

 

Recipient of the data transferred: OTP Mobil Szolgáltató Kft. (registered seat: Budapest, Hungária krt. 17-19., company registration number: 01-09-174466, e-mail: ugyfelszolgalat@simple.hu). 

 

For invoicing purposes:

KBOSS.hu Kft

H-1031 Budapest, Záhony utca 7/D.

VAT number: 134217-2-41

Company registration number: 01-09-303201

For ticket purchasing purposes:

ASSA ABLOY Opening Solutions Hungary Korlátolt Felelősségű Társaság

Mailing address: H-8000 Székesfehérvár, Palánkai u. 5.

Phone: (+36) 22 510 170

E-mail: sales.seawing@assaabloy.com

Company registration number: 07-09-001285

VAT number: 10271731-2-07

 

Purpose of data transfer: to pay the purchase price of the e-ticket, to provide reliable client authentication, to analyse fraud and to inform clients.

Legal basis of data transfer: to perform a contract concluded by and between the Data Controller and the data subject pursuant to Section 6(1)(b) of the GDPR as well as the reporting requirements provided for in the PSD2 directive and the SCA regulation.

3.2. Verification of eligibility for access to spa services

Data subject: any natural person who accesses the premises with a spa ticket purchased from the Data Controller and whose eligibility for the discount is verified by the person(s) authorised to perform verification on behalf of the Data Controller. 

Purpose of data processing: to verify eligibility for the use of services at a discounted price. The ticket inspector (Information Desk) who acts on behalf of the Data Controller during the verification of identity checks the spa ticket and scans the QR code on the ticket with his/her device, and the device displays the data of the ticket valid at the time of purchase (validity, type, discount applied, etc.). If the customer purchased a discounted ticket, the ticket inspector will also ask for an identification document to verify the identity of the customer. 

Legal basis of data processing: processing is necessary for the performance of a contract concluded by and between the Data Controller and the data subject for rendering and using services pursuant to Section 6(1)(b) of the GDPR.

Personal data processed to achieve the purpose of data processing: ticket details and the customer's personal details (name, date of birth and, if a discount is applied, the title thereof) as well as the name, date of birth, ID card number and image (photo) of the customer. 

Duration of data processing: until the ticket is verified.

 

3.4. Data processing pursued for purposes other than indicated in Points 3.1. and 3.2. (compilation of statistical data)

Purpose of data processing: the Data Controller may generate statistical data from personal data processed expressly in the context of selling and/or verifying tickets based on various aspects, which data may be used to substantiate decisions related to the sales activities, or the provision of services of the Data Controller, or to assess the consequences of previous decisions. However, taking into consideration that the Institution is a public body, if the Data Controller receives a request for data of public interest, whose fulfilment can be achieved by compiling statistical data from personal data processed in connection with selling and/or verifying tickets, it may also be entitled to use such personal data for this purpose, in accordance with the relevant provisions of the Privacy Act. Statistical data are always compiled in a format that is unsuitable for the subsequent identification of the data subject.

Legal basis of data processing: 

  1. pursuant to Section 6(1)(f) of the GDPR, the legitimate interest of the Data Controller, which means that the Data Controller has a legitimate interest in obtaining statistical data from the personal data processed during its ticket selling and verification activities in order to support and substantiate decisions related to the development of its sales and verification activities and the provision of services. 
  2. if statistical data shall be compiled because such data is also deemed to be data of public interest and shall be disclosed to fulfil a data request provided for in the Privacy Act, the legal basis of data processing shall be the performance of a task carried out in the public interest pursuant to Section 6(1)(e) of the GDPR.

3.5. Issuance and retention of invoices on ticket purchases

Data subject: any and all natural persons who purchase a product on the online ticket selling platforms operated by the Data Controller.

Purpose of data processing: issuance and lawful retention of invoices issued by the Data Controller on the payment of the consideration for the services provided and, where applicable, of a rectifying invoice or similar document. 

Legal basis of data processing: pursuant to Section 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation provided for in Sections 169 to 170 of Act CXVII of 2007 on the Value Added Tax.

Personal data processed to achieve the purpose of data processing: invoicing name and address (country, zip code, city, street address, house number, floor/door), details of the invoice.

Duration of data processing: 8 years after the publication of the particular annual report pursuant to Section 169, paragraph (2) of Act C of 2000 on Accounting, and, if requested by the supervisory body, the financial information service, the investigation authority, the prosecutor's office and the court pursuant to Section 58, paragraph (1) of Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (hereinafter referred to as: Money Laundering Act) as indicated in Section 5 thereof for the period specified in the request, but not longer than ten years from the termination of the business relationship or the performance of the transaction.

Recipient of data transfer: tax authority in Hungary (National Tax and Customs Administration).

Purpose of data transfer: to comply with a reporting obligation imposed by law.

Legal basis of data transfer: pursuant to Section 6(1)(c) of the GDPR, processing is necessary for compliance with a legal obligation provided for in Act CXXVII of 2007 and Decree No. 23/2014 (30 June) of the Ministry for National Economy.

3.6. Operation of a monitoring system associated with online ticket selling

Data subject: any and all natural persons who pursue any activities on the online ticket selling platforms operated by the Data Controller.

Purpose of data processing: to record sales and invoicing data and any potential errors arising during the sales activities performed by the Data Controller in a log file to monitor and analyse the errors and to eliminate any errors identified and to assess any claim made by the data subject for any reason whatsoever.

Legal basis of data processing: processing is necessary for the purposes of the legitimate interests pursued by the Data Controller pursuant to Section 6(1)(f) of the GDPR. 

Scope of personal data processed: e-mail address used for login, notification e-mail address used for purchases without registration, activities pursued in the online ticket selling system during the purchase and the times of the purchase, IP address of the connected device.

Duration of data processing: personal data will be automatically erased within a maximum of 15 days from the date of purchase if the online ticket selling system works flawlessly or if no customer comments are received on the particular transaction. In case of a complaint or comment received regarding an error or a specific transaction, the monitoring system will retain the relevant monitoring data until the comment or complaint is investigated or the error is corrected.

3.7. Additional data processing activities related to online ticket selling transactions

The following data processing activities are closely associated with the online ticket selling activities of and the services provided by the Data Controller, and the Data Controller independently provides information required by Section 13 of the GDPR. 

 

  4. Rights of data subjects and the exercise thereof

The data subject may exercise his or her rights primarily by submitting a request through the contact details of the Data Controller indicated in Point 1. We hereby inform data subjects that they may submit a request to exercise their rights as data subject using any of the contact details of the Data Controller, but we recommend the use of one of the contact details indicated in Point 1.

The Data Controller shall provide information within the shortest period upon the submission of the request in writing, but within a maximum of one month. If necessary, and taking into consideration the complexity and the number of requests, this deadline may be extended by an additional two months. The Data Controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, stating the reasons for the delay. The Data Controller shall primarily fulfil the data subject's request in the form requested. If the request is submitted electronically, the Data Controller shall, unless the data subject otherwise requests, provide the response electronically.

The Data Controller shall allow data subjects to exercise their rights free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Data Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to act on the request. The Data Controller shall be entitled to refuse to act upon the request on the exercise of rights of the data subject until it can clearly confirm the identity of the data subject.

4.1. Right to access and request copies

The data subject may request feedback from the Data Controller on whether his or her personal data is being processed. Pursuant to the right to access, the data subject shall have the right to access the personal data concerning him or her that are being processed and the following related information: the purposes of the processing, the categories of personal data concerned, the duration of processing, who receive(d) the personal data of the data subject and for what purposes, other rights of the data subject related to the processing, and the right to lodge a complaint with a supervisory authority.

The Data Controller shall provide a copy of the personal data undergoing processing, if it does not adversely affect the rights and freedoms of others. The Data Controller may charge a fee for additional copies requested by the data subject.

4.2. Right to amendment, rectification and addition 

The data subject may request the amendment (rectification) of inaccurate personal data concerning him or her or the addition of incomplete personal data through the contact details specified in Point 1. The data subject will be informed of the rectification of personal data by the Data Controller.

If the data subject owns a user account in the online ticket selling systems of the Data Controller, the data subject may also amend the personal data recorded in the user account on his or her own.

4.3. Right to withdraw consent

The data subject shall be entitled to withdraw his or her consent provided pursuant to Section 6(1)(a) without a limitation in time by sending a request to the Data Controller using any of its contact details; however, such a request will not affect the lawfulness of processing based on consent before its withdrawal. If the consent of the data subject to the processing of his or her personal data is withdrawn, the Data Controller shall erase such data without undue delay and provide information to the data subject on the action taken.

The data subject may withdraw his or her consent granted under Point 3.1 [registration on the online ticket selling platforms] at any time by deleting his or her user profile. 

4.4. Right to erasure (“right to be forgotten”)

The data subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her if the personal data are no longer necessary in relation to the purposes for which they were collected, the data subject withdraws the consent on which the processing is based, the personal data have been unlawfully processed, the retention time of the personal data has expired, or erasure has been ordered by a court or authority. The data subject will be informed of the erasure of personal data by the Data Controller. The Data Controller shall not erase personal data if they are required for the performance of legal obligations, or for the establishment, exercise or defence of legal claims.

We hereby inform the data subject that the e-mail address and registration data provided during a registration that remains non-activated will be automatically erased 72 hours after the activation e-mail is sent.

4.5. Restriction of processing

The data subject shall have the right to obtain from the Data Controller restriction of processing using any of its contact details if one of the following applies:

  • the accuracy of the personal data is contested by the data subject, in this case restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data; 
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of data processing instead;
  • the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

Processing shall be restricted for as long as necessary for the reasons specified by the data subject. In such cases, personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. A data subject who has obtained restriction of processing shall be informed by the Data Controller before the restriction of processing is lifted.

4.6. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Data Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where the processing is based on a contract pursuant to Section 6(1)(a) or Section 6(1)(b) and the processing is carried out by automated means.

4.7. Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Section 6(1)(e) and (f) of the GDPR. This right can be exercised in case of data processing indicated in Point 3.4 and 3.6 of this Privacy Notice. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. If the data subject objects to the processing contained in this Privacy Notice, the Data Controller shall assess compliance with the request on an individual basis.

4.8. Remedies

4.8.1. Right to contact the Data Controller

If the data subject has any comments or objections regarding the processing of his or her personal data, or intends to request information on the processing thereof, he or she shall send an e-mail to adatvedelem@spaheviz.hu.

4.8.2. Right to lodge a complaint

If the data subject does not agree with the data processing performed by the Data Controller or considers that any of his or her rights have been infringed by the Data Controller, he or she may lodge a complaint at the Hungarian National Authority for Data Protection and Freedom of Information using one of the following contact details:

Name: Hungarian National Authority for Data Protection and Freedom of Information

Registered seat: H-1055 Budapest, Falk Miksa utca 9-11.

Mailing address: H-1363 Budapest, Pf. 9.

Phone: +36 (1) 391 1400 / +36 (30) 683 5969 / +36 (30) 549 6838

Fax: +36 (1) 391 1410

E-mail: ugyfelszolgalat@naih.hu

Website: www.naih.hu

4.8.3. Right to judicial remedy

If the data subject does not agree with the data processing performed by the Data Controller or considers that any of his or her rights have been infringed by the Data Controller, he or she may lodge a direct complaint against the Data Controller, which shall be submitted to the court competent based on the registered seat of the Data Controller or the address or place of stay of the data subject. The court shall act on the case without delay.

 

  5. Laws applied and referred to during the processing of personal data

The Data Controller shall apply the following laws in the course of its data processing activities specified in Point 4 of this Privacy Notice: 

  • Act C of 2000 on Accounting (hereinafter referred to as: Accounting Act);
  • Act V of 2013 on the Civil Code (hereinafter referred to as: Civil Code);
  • Act CXXVII of 2007 on Value Added Tax (hereinafter referred to as: VAT Act);
  • Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (hereinafter referred to as: Money Laundering Act);
  • Decree No. 23/2014 (30 June) of the Ministry for National Economy on the tax administration of invoices and receipts, and the verification of electronically stored invoices by the tax authority;
  • Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD2 directive);
  • Commission Delegated Regulation (EU) 2018/389 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (SCA regulation).