Check-in date
Rooms
Check-out date
Adults

IMPRINT

GDPR

Privacy Notice on the Processing of Personal Data

for Customers of CPI Hotels Hungary Kft.

 

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – the “GDPR”), this document provides key information on your personal data that is processed by CPI Hotels Hungary Kft., Registration No. 01 09 191857, with its registered office at 1063 Budapest, Munkácsy Mihály utca 5-7 (“CPI Hotels“ or “we“).

CPI Hotels is represented in the market by the brands Mamaison Hotels & Residences and Starlight Suiten.

 

  1. Which Personal data do we process?

 

The purpose of, the legal basis for, the processed data and the period of personal data processing are summarized in the following table.

 

The purpose of data processing

 

Processed data

 

Legal grounds for data processingDuration of data processing[1]
The performing of the contract related to your stay (e.g. arranging orders and bookings, and entering into and performing contracts concerning the accommodation, catering and related services that we offer.)Identification and contact details: (i) full name, (ii) permanent address, and where applicable (iii) telephone number, and (iv) e-mail address

 

Information on the purpose of your stay, or note that you are not subject to charges for a spa or leisure stay

 

License plate number (for guest using our hotel park)

 

Services used and method of payment for services provided (for cashless payments, we process your bank account number or payment card details (name of card owner, card number, validity date, CVV code)

 

Loyalty program membership (yes or no)

 

Processing is necessary for performing a contract

(GDPR Article 6 point b) )

The limitation period (5 years from termination of the contract)

 

 

 

 

 

 

 

Sending you Direct marketing materials and commercial correspondence in terms of news and sales[2]E-mail address

 

 

 

 

 

Your consent to data processing

(GDPR Article 6 point a) and

Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities 6. § (1)

 

The processing of data will last until the withdrawal of consent.
Your name, information on your stay

 

Our legitimate interest (GDPR Article 6 point f) )

 

Sending you satisfaction surveys and evaluating the surveys: to assess how far you are satisfied with our services and to improve our servicesE-mail address

 

Your consent to data processing

(GDPR Article 6 point a) ) and

Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities 6. § (1)

 

The processing of data will last until the withdrawal of consent.

 

 

Data contained in the survey

 

Our legitimate interest (GDPR Article 6 point f) )

 

The data processing will last until an objection is raised against it or until the surveys have been evaluated (a maximum of 1 month after your stay)
The fulfilment of our statutory obligations relating to financial documentsThe data that are necessary for the tax assessment and  the personal data that the invoice containsThe data processing is necessary for the fulfilment of or compliance with a legal obligation of the data controller

(GDPR Article 6 point c) )

 

and

 

Act C of 2000 on Accounting, and Act 2003 XCII on the Rules of Taxation

5 years (tax) and 8 years (accounting)
Fulfilling our obligation to pay the tax on tourismFull name and maiden name

 

Place and date of birth

 

Permanent address

 

Identification card or passport number

 

Student card number (if applicable)

 

Purpose of your stay

 

Signature

 

The data processing is necessary for the fulfilment of or compliance with a legal obligation of the data controller

(GDPR Article 6 point c) )

 

and

 

Act C of 1990 on Local Taxes and Municipality Decree 38/2010 (XII.21.) of Terézváros to process these data to fulfil our obligation to pay the tax on tourism.

 

 

5 years

 

Fulfilling the obligation to register Third-Country Nationals (Guest book)

until 01/01/2019

Full name (also previous name)

 

Place and date of birth

 

Gender

 

Mother’s name

 

Citizenship

 

Travel document identity number

 

Visa or residence permit number

 

The data processing is necessary for the fulfilment of or compliance with a legal obligation of the data controller

(GDPR Article 6 point c) )

 

and

 

Act II of 2007 on the Admission and Right of Residence of Third-Country Nationals and 114/2007 Government Decree

1 year from the registering of  the data
Fulfilling the obligation to register guests

from 01/01/2019

Full name (also previous name)

 

Place and date of birth

 

Gender

 

Mother’s name

 

Citizenship

 

Travel document identity number

 

The date of arrival and date of departure

The data processing is necessary for the fulfilment of or compliance with a legal obligation of the data controller

(GDPR Article 6 point c) )

 

and

 

Act CLVI of 2016 on State responsibilities relating to developing touristic regions

1 year from the registering of  the data
Book of complaintFull name

 

Address

 

The personal data you share with us in the book

The data processing is necessary for the fulfilment of or compliance with a legal obligation of the data controller (GDPR Article 6 point c) )

and

Act  CLV of 1997 on Consumer Protection Article 17/A (5)

 

5 years
Your photographs at organized events

 

Your photographYour consent to data processing

(GDPR Article 6 point a) and Act V of 2013 on the Civil Code Article 2:48.

 

 

Events are marked with a camera pictogram to advise guests in advance that photographs will be taken and our photographers are visibly distinguishable. In addition, photographs are only taken in the main event areas and visitors can always stay in areas where photographs are not taken. If the visitor stays in an area where photographs can be taken, then the visitor gives automatic consent to it by staying there.

The processing of data will last until the withdrawal of consent.

 

[1] Once the period of processing has expired, we will delete your personal data both in paper and electronic form.

[2] We offer wi-fi services to our customers, who can choose between a paid connection option and a free connection option. When you choose a free connection, you are informed in advance that CPI Hotels will use your e-mail address only for the purposes of sending marketing communications to you. By choosing the free wi-fi option, you give automatic consent to processing your data.

As for cookies please see our website (https://www.cpihotels.com/cs/cookies/).

As for the cameras operating in our hotel please see the pictograms and ask for more information on the reception.

 

  1. Data possibly processed in the future

 

In case of any other data processing (not listed in the table above) we will inform you about the purpose of, the legal basis for, the processed data and the period of personal data processing before we start to process your data.

 

Such data processing may occur in case of dispute resolution. Our guests do not doubt our services provided at our hotels. If such a case occurred, we would be forced to process data regarding the services that we provide insofar as this is necessary for dealing with any dispute, solely for the purpose of protecting our rights in such a dispute. Similarly, we would also be forced to process all necessary data in the event of failure to pay for our services or any damage caused to us. In the above cases, processing is necessary for our legitimate interests based on GDPR Article 6 point f).

 

  1. Consequences of failing to provide data

 

Failure to provide the data that are necessary for the performing of a contract or fulfilment of a legal obligation means that we cannot provide you with our accommodation services. We do not require your personal information to provide board and other services and therefore we do not obtain or process your personal data for this purpose.

 

  1. Withdrawing your consent

You can withdraw your consent at any time by sending express notice by post (CPI Hotels Hungary Kft., 1063 Budapest, Munkácsy Mihály utca 5-7), by e-mail to info@cpihotels.com or by filling in our contract form at www.cpihotels.com. (Alternatively, you can withdraw your consent by changing your browser settings in case of cookies). The withdrawal of your consent will take effect once CPI Hotels receive delivery of this notice. Under the GDPR, withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Moreover you can write to us at dp.hu@cpihotels.com.

5. Source of personal data

We obtain all of the above information from you directly as part of contract negotiations and through the provision of accommodation and board services.

 

Where another person has booked our services on your behalf (for business trips, this is usually an employer), we obtain your basic identification and contact details (including your full name and telephone number or email address) from that person directly.

 

Where your booking is made through a bookings site, your basic identification and contact details (including your full name and telephone number or email address) are passed to us by that booking site.

 

  1. Processing of your data by automated means

 

We never perform automated decision making or otherwise process your personal data by any automated means that could produce legal effects for you or substantially affect you in any other way.

 7. To whom do we transfer or disclose your personal data?

 A) Transfer to third parties

We do not transfer or disclose your personal data to any third parties save for public authorities in relation to which we have a statutory disclosure obligation (we typically process data under the Act C of 1990. on Local Taxes or the Act II of 2007. on the Residence of Foreigners).

 

B) Processors

We use the services of processors which provide certain support services (e.g. sending marketing materials, improving communication and offer segmentation, providing online hotel bookings and processing cookies). This work is always carried out exclusively for our company based on our own guidelines. In selecting each processor, we take care as to their credibility and quality of service, as well as the security of personal data processed. Processing may only be performed within the framework of contract between CPI Hotels and a processor that commits the processor to the same degree of personal data protection as is provided by CPI Hotels. At your request, we will inform you of all processors that we currently work with.

C) Transfer abroad

Our processors have their headquarters and process personal data in Hungary or in another EU country. We do use processors in the territory of the USA, albeit only for sending and evaluating satisfaction surveys and for some booking systems. These are always renowned companies that belong to international hotel, booking or similar networks that provide services to hotels on a global scale.

 

In Commission Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, the European Commission, together with the governing bodies of the United States of America, defined the “Privacy Shield” system as a special tool to ensure an adequate level of protection for personal data transferred to recipients in the United States of America. On the basis of this decision, U.S. companies that have committed to comply with the Privacy Shield Principles are adjudged to ensure an adequate level of protection for personal data. The above-mentioned U.S. processors have committed to comply with the Privacy Shield Principles. For more information, visit the programme’s official site at https://www.privacyshield.gov. The Privacy Shield Programme remains valid following the entry into force of the GDPR.

 

We do not transfer personal data outside of the EU in any other cases.

8. How does CPI Hotels guarantee data privacy?

All persons coming into contact with personal data at our end are duty-bound to maintain confidentiality over the personal data processed and over the security measures used for their protection. This obligation will continue even if their legal contract with CPI Hotels or the processor is terminated.

9. Your statutory rights

In accordance with the legislation in force as regards personal data protection, you have the following rights:

  • the right to access your personal data that we process, including the right to obtain the following information from CPI Hotels:
    • confirmation as to whether CPI Hotels processes your personal data;
    • access to these personal data;
    • information on the purposes of the processing;
    • the categories of personal data processed;
    • information on the recipients or potential recipients to whom your personal data will be disclosed;
    • planned storage period and the criteria for establishing such period;
    • the existence of the right to request the rectification or erasure of personal data or restriction of processing of personal data;
    • the right to object data processing that is based on GDPR Article 6 point e) (public interest or exercise of official authority) or f) (legal interest) processing;
    • where the personal data are not collected from the data subject (from you), all available information as to their source;
    • the appropriate safeguards when transferring personal data outside the EU;
    • a copy of personal data, where these do not adversely affect the rights and freedoms of others.
  • the right to correct your personal data if it is in any way incorrect, inaccurate or incomplete; CPI Hotels will correct your data within its technical capabilities without undue delay;
  • the right to request the erasure of your personal data where provided for by the GDPR – e.g. if you have withdrawn your consent or objected to processing, if the personal data is processed unlawfully or where the personal data are no longer necessary in relation to the purposes for which they were processed. In such an event, you may request the erasure of your personal data. However, this option does not apply if the processing is necessary to fulfil legal obligations and under certain other cases provided for by the GDPR;
  • the right to request the restriction of the processing of your personal data where provided for by the GDPR – e.g. where you contest the accuracy of the personal data, object to the processing, etc.
  • the right to the portability of the data you have provided to us, which we process by automated means on the basis of your consent, or because their processing is necessary for the performance of a contract with you or for the implementation of pre-contractual measures taken at your request. In such cases, we will allow you to obtain your personal data and the contract in a structured, commonly used and machine-readable format or, if technically feasible, we will transmit them directly to the new controller determined by you;
  • the right to object to the processing of your personal data where such processing is deemed necessary for the purposes of legitimate interests, including processing for direct marketing purposes. If we do not demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims, then we shall no longer process your personal data.
  • the right to withdraw consent to the processing of personal data at any time by sending us express notice by post (CPI Hotels Hungary Kft., 1063 Budapest, Munkácsy Mihály utca 5-7), by email to hu@cpihotels.com, or by filling in our contact form at www.cpihotels.com. (Alternatively, you can withdraw consent by changing your browser settings in case of cookies). The withdrawal of your consent will take effect once CPI Hotels receives delivery of this notice. Under the GDPR, withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
  • the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except for the above-mentioned cases expressly stated in the GDPR;
  1. Supervisory authority and legal remedy

Where you feel that the processing of your personal data has been breached under the GDPR, you have the right to file a complaint with the supervisory authority, which is the Hungarian National Authority for Data Protection and Freedom of Information (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság), 1125 Budapest, Szilágyi Erzsébet fasor 22/c., postal address: 1530 Budapest, Pf.: 5, website: www.naih.hu, tel.: +36 (1) 391-1400, fax: +36 (1) 391-1410, central e-mail address: ugyfelszolgalat@naih.hu).

 

Otherwise you have the right to file a lawsuit at the Capital Regional Court (in Hungarian: Fővárosi Törvényszék).

 

We guarantee that during these procedures we will cooperate with the respected authority.

11. Our contact details

If you have any queries or questions as regards the processing of your personal data, please write to us at any time at CPI Hotels Hungary Kft., 1063 Budapest, Munkácsy Mihály utca 5-7., or email dp.hu@cpihotels.com. Alternatively, you can fill out our contact form at www.cpihotels.com.