Privacy Policy
Privacy policy of the hotels in Hungary
Last updated: 1 November 2022This Privacy Policy sets out how Danubius Hotels Zrt. (“Danubius” or “we”) uses and protects your personal data. In the course of its business activity, Danubius requests, obtains and processes personal data from guests, prospective guests, business partners, employees and other individuals. Our goal is to provide the appropriate level of service while processing as little personal data as possible.
This Privacy Policy contains details on how we assure the protection of personal data. If you have any questions in relation to the content of this Policy or any comments or suggestions as to how we might improve it, please contact us at:
adat(at)danubiushotels.com
data(at)danubiushotels.com
You can find your way through this Policy by clicking on the various points of the following table of contents.
Table of contents:
1) Legal rights of individuals (“data subjects”) under GDPR
1.1 Right to receive transparent information
1.2 Right of access to your own data
1.3 Right to rectify inaccurate data
1.4 Right to erasure (“Right to be forgotten”)
1.5 Right to withdraw consent
1.6 Right to request restriction of processing
1.7 Right to object to processing
1.8 Right not be subject to automated decisions
1.9 Data portability
1.10 Right to complain to a “Supervisory Authority”
1.11 Right to an effective judicial remedy against a controller or processor
1.12 Contacting Danubius regarding GDPR
2) Data processing activities
2.1 Booking
2.2 Check-in form and data recording related to check-in
2.3 Gym
2.4 Guest survey and evaluation scheme
2.5 Video surveillance system
2.6 Newsletter
2.7. Business (corporate) newsletter
2.8 Loyalty Programme (Danubius EuroPoints and Bubbles Club) and Danubius Corporate Programme (Collectme)
2.9 Danubius Gift Card and Voucher
2.10 Credit card / Debit card data
2.11 Social media (e.g. Facebook, Instagram)
2.12 Web store
2.13 Contact
2.14 Complaint managemenrecord
2.15 Danubius Blog
2.16 Automatically recorded data, cookies and “remarketing codes”
2.16.1 Automatically recorded data
2.16.2. Cookies and similar technologies
2.16.3. Web links
2.17 Business contacts
2.18 Prices subject to registration
3) Joint data processing
3.1 Ensana Hotels in Hungary
3.2 Hilton Budapest
3.3 Radisson Blu Béke Hotel
4) Legal reference information (including contact details)
5) Terms and abbreviations used in this Policy
1) Legal rights of individuals (“data subjects”) under GDPR
Data subjects have the following rights under the GDPR:
a) Right to receive transparent information
b) Right of access to your own data
c) Right to rectify inaccurate data
d) Right to erasure (“right to be forgotten”) in specific circumstances
e) Right to withdraw consent
f) Right to request restriction of processing
g) Right to object to processing
h) Right not be subject to automated decisions
i) Right to data portability
j) Right to complain to a “Supervisory Authority”
k) Right to effective judicial remedy against a controller or processor
We will respond to your requests related to any of these rights without undue delay but within a month at the most, and we will do our utmost to resolve even complicated cases within no more than three months. We will send the response to you via an electronic channel or by any other means requested by you. We will not charge a fee for the first request, but we reserve the right to charge an administrative fee for handling a request sent to us within a year, or in the case of any clearly unfounded or exaggerated request.
Note that we will need to verify your identity to be able to act on any request.
If we believe that we should not act on your request, we will write to inform you of the basis for our decision, and also of your options for legal remedy.
Separately from these rights, if you believe that Danubius has mistreated you with regard to your personal data or your privacy, please contact us so that we can rectify the situation and improve our service to all guests. You can send a formal complaint to us by email or by post to the address given in section 1.12 “Contacting Danubius regarding GDPR” below.
We will aim to respond without undue delay and in any case within in a month.
1.1 Right to receive transparent information
We will provide all information required by the GDPR to you in a concise, transparent, intelligible and easily accessible form, using clear and plain language. We will provide the information in writing or by electronic means. If you request, we can also provide this information verbally.
We will facilitate your exercising your rights as described in the rest of section 1 below.
Section 1.12 “Contacting Danubius regarding GDPR” below gives email and postal addresses for contacting us. Certain sections on individual activities in section 2 give dedicated addresses for specific enquiries.
1.2 Right of access to your own data
You have the right to obtain from Danubius confirmation as to whether personal data on you is being processed, and, if so, to access the data and the following information:
a) the purpose of the processing
b) the categories of personal data concerned
c) the recipients to whom we have disclosed or will disclose the personal data, in particular recipients in countries outside the EU
d) the period for which the personal data will be stored
e) the existence of your right to request us to rectify or erase personal data or to restrict processing of personal data or to object to such processing
f) your right to lodge a complaint with a Supervisory Authority
g) where the personal data are not collected directly from you, information as to their source
h) whether there is any automated decision-making from the data, and, if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
i) Where we transfer your personal data to a country outside the EU, the appropriate safeguards we have in place to protect your rights.
1.3 Right to rectify inaccurate data
If we hold inaccurate or incomplete personal data on you, you may request the rectification of such data. After receiving your request, we will correct such personal data without undue delay.
1.4 Right to erasure (“Right to be forgotten”)
You have the right to request us to erase your personal data and for us to act on the request without undue delay, where one of the following grounds applies:
(a) Your data are no longer necessary in relation to the purposes for which they were originally processed
(b) You withdraw consent and we have no other legal basis for processing your data
(c) Our basis of lawfulness for processing is our legitimate interests, and you claim that we have no legitimate grounds for the processing which override your interest, rights, and freedoms
(d) The processing is for direct marketing, and you object to this
(e) We have been unlawfully processing your data
(f) We have to erase your data for compliance with a legal obligation in EU or Member State law to which we are subject
(g) Our basis of lawfulness for processing the data is consent given by a guardian for a child, and either (I) you are the guardian and the child is still under the age of consent, or (II) you are the child now older than the age of consent.
Please note that we cannot erase your personal data to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing;
(c) for reasons of public interest in the area of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the request is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
(e) for the establishment, exercise or defence of legal claims
Your data will continue to exist temporarily on backup files after this deletion, but we use IT security techniques to ensure that these are accessible only for the purpose of restoring the database in the event of a loss of data and that they cannot be copied to reveal data. We destroy backup files on a rotating basis within [N MONTHS].
1.5 Right to withdraw consent
Where you have given us consent for any processing, you have the right to withdraw consent at any time. You can do this by sending a request to the email address given in the relevant subsection of section 2 below, which lists the different activities for which we manage personal data. Alternatively, you can write to us at the address in section 1.12 below.
Note that the withdrawal of your consent does not affect the lawfulness of any processing we have already carried out.
1.6 Right to request restriction of processing
You can request that Danubius restricts the processing of your personal data where one of the following applies:
- You contest the accuracy of the personal data
- We no longer have a basis of lawfulness for processing, but you oppose us erasing the data and you request that we restrict their use instead
- We no longer need the data for the original purpose, but you require them for the establishment, exercise, or defence of legal claims
- You object to our processing on the grounds that we state our legal basis as “our legitimate interests” but you claim that your “interests, rights, and freedoms” override these.
If the data processing is restricted based on your objection, such personal data may only be processed with your consent, with the exception of storage, or:
a) for the establishment, exercise or defence of legal claims
b) for the protection of the rights of another person, or
c) for reasons of important public interest of the EU or of a Member State.
Where we restrict processing, we shall inform you before we lift the restriction.
Operational practicalities may prevent us restricting processing precisely as envisaged by GDPR, but in such a case we will work with you to try to find a satisfactory resolution.
1.7 Right to object to processing
You have the right to object to our processing your personal data where:
- Our basis of lawfulness for processing is “our legitimate interests” but you claim that your “interests, rights, and freedoms” override these
- We process your data for direct marketing purposes, including “profiling” to the extent that it is related to such direct marketing. (Profiling is automated decision making which analyses or predicts aspects such as your economic situation, personal preferences, behaviour, or location.) Where you make such an objection we shall no longer process your data for such purposes.
1.8 Right not be subject to automated decisions
You have the right not to be subject to a decision based solely on automated processing, if this produces legal effects on you or similarly significantly affects you.
However, this does not apply:
(a) if the decision is necessary for us to perform a contract with you or if we have your explicit consent, or
(b) if the automated process is authorised by a EU or Member State law which also defines measures we have to follow which safeguard your rights, freedoms, and legitimate interests.
In case a), we must implement appropriate measures to protect your rights, freedoms and legitimate interests, including at least your right to request human intervention on our part, to express your point of view and to submit an objection to the decision.
1.9 Data portability
GDPR gives a data subject the right in certain circumstances to receive the personal data concerning him or her “in a structured, commonly used and machine-readable format”. The right includes having the personal data transmitted directly from one controller to another, where technically feasible.
Where you apply under 1.2 above for access to your own personal data, we will normally supply this in a commonly-used electronic format, unless you specifically ask us to send you a written copy.
1.10 Right to complain to a “Supervisory Authority”
If you believe that we have treated you unfairly or unlawfully under GDPR, you can complain to a Supervisory Authority for data protection. If you are normally resident in an EU country other than Hungary, you have the right to raise a complaint with the Supervisory Authority of that country. This link will give you the name and contact details:
http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
If you are normally resident in Hungary or outside the EU, you can complain to the Hungarian Authority:
The Hungarian National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf. 9.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail address for correspondence in English: privacy(at)naih.hu
E-mail address for correspondence in Hungarian: ugyfelszolgalat(at)naih.hu
Website: http://naih.hu
1.11 Right to an effective judicial remedy against a controller or processor
If you believe that your rights under GDPR have been infringed as a result of the processing of your personal data in non-compliance with GDPR, you have the right to an effective judicial remedy.
Proceedings against a controller or a processor shall be brought before the courts of the EU Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the EU Member State where your habitual residence is.
In Hungary, regional courts shall have jurisdiction in handling the case. Data subjects can also choose to bring actions at regional courts of their domicile or residence. Even individuals with no locus standi can be parties to the proceedings. The Authority has the option to intervene for the data subject to succeed in the proceedings.
Court proceedings shall be governed by GDPR, by the provisions of Act V of 2013 on the Civil Code, Book Two, Part Three, Title XII (Sections 2:51 to 2:54), as well as by other legislative provisions applicable to court proceedings.
1.12 Contacting Danubius regarding GDPR
Certain sections on individual activities in section 2 give dedicated contact addresses for specific enquiries. Otherwise, to exercise one of the rights described above, or to make a complaint directly to Danubius or to contact us with a general enquiry regarding GDPR or privacy, the email and postal addresses are:
Email: in Hungarian: adat(at)danubiushotels.com or in English: privacy(at)danubiushotels.com
Address: Danubius Hotels Zrt.; H-1051 Budapest, Szent István tér 11. Hungary
2) Data processing activities
A separate document attached to this Policy contains the list of intra-EU data transfers and data controllers; data transfers to third countries and certain data controllers outside the EU are also referred to in this Policy.
2.1 Booking
In the case of a room reservation made online, in person at the hotel or by telephone, we may request one or all of the following items of personal data:
- Full name
- Title
- Arrival date
- Departure date
- Number of adults staying in one room
- Type of room
- Details of the credit or debit card used to secure the booking or needed for online payment (see section 2.10.)
- Email address
- Address
- Time of arrival
- Notes – including, for example, any preferences
Purpose of data processing:
The purpose of the data processing is to be able to identify the guest who made the booking, to provide the room to the right person on check-in, and to register the means of payment, in order to cover us in case the guest does not check into the hotel.
- We use your email address in the following cases
- if we need to notify you of a change affecting your booking;
ii. three days before your planned arrival, to remind you of details such as the hotel address and check-in time; and
iii. three days after your departure, to ask that you share your comments about your stay with us so that we can provide you and other guests with an even better service in the future.
- We process the data on the invoice for the purpose of fulfilling the related legal obligation
- After your departure, we will keep the data for the purpose of asserting claims or managing complaints within the limitation period stipulated under civil law.
Legal basis of data processing:
- The legal basis of the data processing is that we need the data to fulfil a contract for room reservation. [GDPR Article 6(1)(b)]
- We process your name and your email address for up to the third day following the end of your stay in order that we can send you a post-stay email for the purpose of the “legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject”. Our legitimate interests here are to maintain a high quality of service, and we believe that sending you the post-stay email does not affect your fundamental rights. [GDPR Article 6(1)(f)];
- We process the data on the invoice (name, address) based on our legal obligation. [GDPR Article 6(1)(c)]
- After your departure, we will retain the data based on our legitimate interest associated with the assertion of claims and the managing of complaints. [GDPR Article 6(1)(f)]
If you do not give us the data requested, we will either be unable to reserve a room for you or be unable to contact you if there is a problem.
Transfer of data outside the EU:
When you make a booking on our website you are entering data into an software application run by Sceptre Hospitality Resource, a US company. Your personal data is therefore transferred to a third country (i.e. a country outside the EU). The adequacy of such data transfers is safeguarded through the application of the standard contractual clauses for international transfers. https://eur-lex.europa.eu/legal-content/HU/TXT/HTML/?uri=CELEX:32010D0087&from=en.
Period of data processing:
- Where information is needed for issuing an invoice or for other tax records, we have a legal obligation to retain this for 8 years from the end of the calendar year. Thus if we issue you the invoice when you check out on 30 June 2021, we must keep the data until 31 December 2029.
- The hotel has a legal obligation to report to the local council the details of all guests who check in, and it must also report to the police the details of all guests from outside the EU who check in. We have a legal obligation to keep the data in these reports for 5 years following the year concerned.
- After your departure, we will keep the data for the period of limitation stipulated under civil law, i.e. for 5 years following the year concerned.
We erase the data after the longest of the relevant data retention periods mentioned above.
If you wish to exercise any of your rights referred to in section 1 in relation to the data recorded as mentioned above, or you wish to contact us for any other reason in connection with the above, please let us know by sending an email to privacy(at)danubiushotels.com or adat(at)danubiushotels.com.
2.2 Check-in form and data recording related to check-in
Personal data that must be provided (i.e. the guest must provide these in order to be able to use the hotel services):
- Based on the provisions of the Tourism Act, in order to fulfil the legal obligation, we record and store the family name and first name of all our guests, their surname and first name at birth, their place and date of birth, their sex, their mother’s surname and first name at birth, the identification data of their personal ID document or travel document, their country of citizenship, any visa or entry permit numbers, and the place and time of their entry into the country. [GDPR Article 6(1)(c)]
- A local council regulation may prescribe that additional data be retained. [GDPR Article 6(1)(c)]
- In order to provide the requested services, e.g. accommodation and/or spa services (in accordance with the contract), we also process the following data: contact details, loyalty programme reference number, mode of payment, credit/debit card details, room number, number of guests. [GDPR Article 6(1)(b)]
- On the basis of the Company’s legitimate interest associated with the improving of its services, for three days after you leave we process your name and email address in order to ask you for your opinion on our services and thus to improve them. [GDPR Article 6(1)(f)]
- We process the data on the invoice (name, address) based on our legal obligation. [GDPR Article 6(1)(c)]
- After your departure, we will retain the data based on our legitimate interest associated with the assertion of claims and the managing of complaints. [GDPR Article 6(1)(f)]
Non-compulsory statistical data:
For statistical purposes, we treat the following data separately from personal data: business trip, holiday.
Most of the data is completed based on the booking and the rest at the time of check-in using an ID document reader. We ask you to please always check the accuracy of your data.
Purpose of data processing:
- Provision of hotel services, including communications and the improvement of services.
- The purpose of recording and storing data specified by the Tourism Act, the Accounting Act and the local council regulation is to ensure legal compliance.
- After your departure, we will keep the data for the purpose of asserting claims or managing complaints within the limitation period stipulated under civil law.
Period of data processing:
- Where information is needed for issuing an invoice or for other tax records, we have a legal obligation to retain this for 8 years from the end of the calendar year. Thus if we issue you the invoice when you check out on 30 June 2021, we must keep the data until 31 December 2029.
- The hotel has a legal obligation to report to the local council the details of all guests who check in, disclosing the items of data specified in the relevant local council regulation, and it must also report to the police the details of all guests from outside the EU who check in. We have a legal obligation to keep the data in these reports for 5 years following the year concerned, counted from the day of check-in.
- After your departure, we will keep the data for the period of limitation stipulated under civil law, i.e. for 5 years following the year concerned.
- Personal data recorded based on the provisions of the Tourism Act will be stored in the designated central repository until the end of the following year.
If you wish to exercise any of your rights referred to in section 1 in relation to the data recorded during check-in, or you wish to contact us for any other reason in connection with data recorded during check-in, please let us know by sending an email to szervezes(at)danubiushotels.com.
At the Fitness Centres the following data must be provided for gym passes to be issued:
- Name
- Address
- Phone number
- Email address
Purpose of the data processing:
Provision of gym services (including identification, maintaining contact, billing) and complaints management. Providing these contact details is not compulsory, but it is necessary if you want us to be able to contact you.
Legal basis of the data processing:
- Performance of the contract concluded for the provision of gym services. [GDPR Article 6(1)(b)].
- The legal basis of retaining the complaints management data is our legitimate interest associated with managing complaints [GDPR Article 6(1)(f)]
- The legal basis of retaining the data on the invoice is compliance with the law[GDPR Article 6(1)(c)]
Period of the data processing:
- We process your personal data for 1 year from the end of the year in which your gym membership expired or from the end of the year of your one-time entry (trial visit) to the gym, for the purpose of complaints management.
- The data on the invoice (name, address) will be kept for 8 years.
If you wish to exercise any of your rights referred to in section 1 in relation to the data recorded for the purpose of the provision of this service, or you wish to contact us for any other reason, please let us know by sending an email to info.fitness(kukac)danubiushotels.com.
2.4 Guest survey and evaluation scheme
As part of the quality assurance process within the Company, Guests can express their opinion on the services provided by hotels of Danubius Hotels through an email-based or paper-based guest survey, as well as through the evaluation scheme. When completing the survey, you can enter the following personal data:
- Name
- Date of visit
- Room number
- Contact details (address, e-mail address, phone number, home address)
Data provision is not compulsory, these data merely help us investigating any possible complaints, and ensure giving feedback.
Opinions obtained this way and eventual data linked to such opinions, that cannot be traced back to the Guest, and cannot be combined with Guest’s name, can be used by the Company for statistical purposes.
If you provide your opinion in an anonymous way, we will not process any personal data. If you require a feedback, our colleague will contact you on one of the contact details provided (email, postal address, telephone), within 30 days at the latest.
Purpose of data processing:
Communication with the person expressing the opinion and handling of complaints.
Legal basis of data processing:
Your implied voluntary consent. Please note that if we do not receive your consent to the processing of your data or if you withdraw such consent, we will not be able to answer your question. The withdrawal of consent shall not affect the lawful processing before such withdrawal.
Period of data processing:
After answering the relevant request, question or complaint, the messages and the personal data obtained in this context shall be deleted after the year following the given year. E-mail address and user name provided for the evaluation scheme will be deleted upon your request.
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to quality.management(at)danubiushotels.com.
2.5 Video surveillance system
Cameras are used on the premises of the hotels operated by the Company, in order to assure the safety of Guests and their personal belongings. Guests are reminded of the presence of these cameras through signs featuring a picture of a camera and an accompanying text.
You can ask for more information about the data processing related to the video surveillance system from the front-desk staff at the hotel concerned. We will send you the Privacy Policy of such video surveillance systems at your request. Please send your request to the hotel’s general email address or postal address.
2.6 Newsletter
When sending you newsletters, we process your name, e-mail address and occasionally, your home address. When setting your newsletter preferences, you can specify the topic of the newsletter, and also the region it applies to.
Purpose of data processing:
The purpose of processing your data is to be able to notify you of our special offers and news.
Legal basis of data processing:
Your voluntary consent. Please note that if we do not receive your consent to the processing of your data we will not be able to send you newsletters.
Period of data processing:
We will only send you newsletters as long as you request them. If you no longer wish to receive newsletters, you can unsubscribe at any time either by using the dedicated link at the end of each newsletter or by notifying us at hirlevel(at)danubiushotels.com or newsletter(at)danubiushotels.com-ra. The withdrawal of consent shall not affect the lawful processing based on consent before its withdrawal.
Transfer of data:
Data is transferred within Danubius Hotels. Please note that Arisende s.r.o., CP Regents Park Two Ltd., Slovenske liecebne kupele Piešťany, a.s., SC Balneoclimaterica SA and Léčebné lázně Mariánské Lázně a.s. can also be indicated as senders of the newsletter. For more information please refer to Section 3. As regards the processing of data in the framework of newsletters, the above mentioned hotels proceed in accordance with this Policy.
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to hirlevel(at)danubiushotels.com or newsletter(at)danubiushotels.com.
2.7. Business (corporate) newsletter
The latest news and promotions are sent to our key corporate partners. Access to the contact person is provided by the data subject, his supervisor or his employer.
The purpose of data processing:
Promotion of our hotels and sale of hotel rooms.
The legal basis of data processing:
It is in our legitimate interest to promote our hotels and sell hotel rooms.
The period of data processing:
You may object to data processing any time. In such cases we shall not continue sending you such newsletters. Data processing shall be carried out until your objection or the notice about the termination of the contact person status.
2.8 Loyalty Programme (Danubius EuroPoints and Bubbles Club) and Danubius Corporate Programme (Collectme)
The Company’s Loyalty Programme is an exclusive service provided for Guests of the Hotel—natural persons—with the purpose of providing discounts to returning guests. Within the Loyalty Programme, the Bubbles Club is for Guests who arrive with their families and its purpose is to offer unique discounts and children’s programmes for returning Guests arriving with their families.
The Company's Corporate Programme is an exclusive service provided for the hotels' corporate partners—legal persons—with the purpose of providing discounts to returning guests.
Within the programmes, the Company processes the following personal data:
In case of a natural person:
- Name
- Gender
- Postal address
- Address
- Phone number
- E-mail address
- Date of birth (minors under eighteen years of age may not participate in the programme)
For Bubbles Club:
Data given by the parent/guardian who is already registered in the Loyalty Programme are the following:
- Child’s name
- Child’s data of birth (children under eighteen years of age may participate in the Bubbles Club programme)
- The parent’s/guardian’s consent to data processing.
Giving the name and data of birth of the child enables us to send a birthday surprise to the e-mail address of the parent/guardian for the child’s birthday.
Personal data managed in the case of a legal person:
- Name of contact person
- Postal address
- Phone number
- E-mail address
Furthermore, we process your Loyalty card number and password.
Purpose of data processing:
Providing discounts for the participants. Sending notifications about the discounts.
Legal basis of data processing:
Your voluntary consent. You may withdraw your consent and may request the deletion of your data by sending an e-mail to dep(at)danubiushotels.com or a letter to the Company’s postal address (Danubius Hotels Zrt. 1051 Budapest, Szent István tér 11.), with the proviso that this shall not affect the lawful processing based on consent before its withdrawal. Please note that without giving your consent you may not participate in the Loyalty Programme.
Period of data processing:
The personal data shall be processed for as long as the data subject participate in the given programme. The data given on the application form shall be processed until your child’s 18th birthday. Membership status in the Loyalty Programme shall become inactive within 3 (three) years after the date of the last hotel service used. Membership status of natural/legal persons in the Corporate Programme shall become inactive within 2 (two) years after the date of the last hotel service used. The Company shall retain the members' personal data for the period of time defined in the provisions of the relevant tax and accounting laws, and shall delete them after that period.
Joint data processing:
Please note that regarding the Loyalty Programme, for the sake of interoperability, Arisende s.r.o., CP Regents Park Two Ltd., Slovenske liecebne kupele Piešťany, a.s., SC Balneoclimaterica SA and Léčebné lázně Mariánské Lázně a.s. shall be joint controllers. For more information on the hotels, please refer to Section 3. As regards the processing of data the joint controllers proceed in accordance with this Policy.
Participation in the programmes may occasionally require the provision of further personal data, in which case the Company may request the given data and inform the data subject about the purpose, manner and duration of data processing.
For Frequent Guests signing up to the newsletter or contributing to promotional activities, the Company shall further handle the data listed above according to the provisions in Section 2.7 in this Policy.
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to dep(at)danubiushotels.com.
2.9 Danubius Gift Card and Voucher
When purchasing a Danubius Gift Card or Voucher, you are requested to provide the following personal data:
In case of a personal purchase:
- Name
- Billing name and address
In case of an online order, via the Company's official websites:
- Name
- E-mail address
- Phone number
- Billing name and address
- Delivery name and address
You can inquire about the balance and the expiry date of the Gift Card at our website www.danubiushotels.com/hu/online-ajandekkartya-vasarlas, or at the accepting hotels any time.
Purpose of data processing:
Maintaining contact for the sake of the delivery of the gift card or voucher, and billing.
Legal basis of data processing:
The performance of the contract entered into for the issuance of the gift card or voucher. Giving the data is mandatory, it is the requirement for the provision of the service.
Period of data processing:
Personal data obtained this way shall be retained by the Company for 8 years, in accordance with the provisions of the prevailing tax and accounting laws.
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to ajandekkartya(at)danubiushotels.com.
2.10 Credit card / Debit card data
In the case of room booking and online payment, we request the following credit/debit card details:
- Name on the card
- Card number
- Expiry date
- CVC (only in the case of payment)
Purpose of the data processing:
To secure the payment or the booking, and to be able to charge the total price of the booking or a part of it, depending on the conditions of the booking.
Legal basis of the data processing:
Fulfilment of the contract concluded for the purpose of room booking as a service. [GDPR Article 6(1)(b)] Giving the data is compulsory; it is a precondition for the provision of the service.
Period of the data processing:
The card data is encrypted; release of the data is only possible for the purpose of the transaction, and only to the person authorised in this regard. After the guest has left the hotel, the data can no longer be released, and access to the data is no longer possible. The data will be deleted after 8 years.
Processor:
The service is provided by Adyen N.V. (registered office: Adyen N.V.; Simon Carmiggeltstraat 6-50, 1011 DJ in Amsterdam, the Netherlands.) and the BIG FISH PAYMENT SERVICES ltd. (1066 Budapest, Nyugati square 1-2.) as data processor.
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to szervezes(at)danubiushotels.com.
2.11 Social media (e.g. Facebook, Instagram)
The Company and the hotels/restaurants//fitness clubs/etc. operated by the Company can also be contacted individually via Facebook and Instagram social media portals. By clicking the “like” and “follow” buttons on the given page, Facebook users may subscribe to the newsfeed published on the wall, by clicking the “dislike” button they may unsubscribe and, by adjusting the newsfeed settings, news they don’t wish to follow may also be deleted from their Facebook wall. The Company is able to access its “followers’” profiles, however, it does not record or process them in its own internal system.
Purpose of data processing:
Sharing the contents on the website of the Company and of the hotels/restaurants//fitness clubs/etc. operated by the Company, sharing other news and offers, maintaining contact. You may reserve rooms, participate in prize drawings and learn about the latest offers via the Facebook page.
Legal basis of data processing:
Your consent, which can be withdrawn at any time by unsubscribing. [GDPR Article 6(1)(a)] The withdrawal of consent does not affect the lawful processing that preceded it. In the case of withdrawal, you will not receive notifications on your newsfeed; our news will no longer appear on your newsfeed, though you will still be able to access the Company’s newsfeed, since our website is public.
Period of the data processing:
The data processing lasts until you unsubscribe.
Facebook and Instagram are separate data controllers, independent of us. You can find information about the data processing of the site from the data protection guidelines and regulations on the Facebook website, at the following links:
You can find information on Instagram’s data processing at the following link:
In the event of a room reservation, the system automatically redirects the guest to the Company’s website. The data processing takes place in accordance with the provisions of section 2.1.
If you wish to exercise any of your rights referred to in section 1 in relation to the data thus provided, or you wish to contact us for any other reason in connection with the above data processing, please let us know by sending an email to adat(at)danubiushotels.com.
2.12 Web store
Bubbles Club gift products, hotel restaurant voucher and tickets, daily tickets for the use of different fitness and spa services, different passes and day spa programmes may also be purchased in the form of vouchers via the online system (web store), by filling out the online order form for which you shall be requested to give the following data:
- Last name
- First name
- E-mail address
- Phone number
- Billing data (name, country, postcode, city, street, house number)
In addition to the above, the Company processes the date and time of purchase, the description and price of the service, the total amount of purchase and the IP address of the customer.
Purpose of data processing:
Maintaining contact with the customers, the provision of service, the processing of the purchase and the fulfilment of the relevant accounting obligations.
Legal basis of data processing:
The performance of the contract, Article 13/A of Act CVIII of 2001 on certain issues of electronic commerce services and information society services and Article 169(2) of Act C of 2000 on accounting. Giving the data is mandatory, it is the requirement of the purchase.
Period of data processing:
Personal data shall be deleted after the provision of services, data on the certificate of purchase shall be retained for 8 years from the purchase.
For online payment with credit card / debit card you shall automatically be redirected to the website of the following data controller:
OTP Mobil Kft. (Address: 1143 Budapest, Hungária körút 17-19.; Company registry no: 01-09-174466; website: https://simplepay.hu/)
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to adat(at)danubiushotels.com.
2.13 Contact
You can contact us (e.g. to ask for a quote) at any of our contact details (email, Facebook, phone, post or through the forms designed for this purpose).
Purpose of the data processing:
Maintaining contact with the requester, answering and resolving the question/request.
Legal basis of the data processing:
Since it is you who is contacting us, the legal basis for data processing is your consent. [GDPR Article 6(1)(a)] You can withdraw your consent at any time, but in this case we will not be able to respond to your request. Withdrawal does not affect the lawfulness of the data processing that preceded it.
Please note that the data fields on the various forms were created based on our experience, and involve requesting the minimum of data that we need to answer the request concerned. Mandatory fields are marked with a red asterisk.
Period of data processing:
After answering the relevant request, question or complaint, the messages and the personal data obtained in this context shall be deleted after the year following the given year. However, for tax and accounting purposes or if it is necessary to protect the applicant’s rights and interests, these data are archived and retained for as long as necessary which period is individually defined in each case.
Transfer of data:
The inquiry regarding a particular hotel shall be forwarded to the relevant member of the Danubius Hotels.
2.14 Complaint management record
During the management of a verbal consumer complaint, if you do not agree with the way the complaint has been handled, or if it is not possible to investigate the complaint promptly, the Company is obliged to draft, without delay, a report on the complaint and, if it has been able to formulate one, its position regarding it.
The report must contain the following data:
- The name and address of the customer
- The place, time and mode of submitting the complaint
- The detailed description of the complaint of the customer, the list of documents and other evidences provided by the customer
- The Company’s declaration of its position regarding the complaint of the consumer, if immediate investigation of the complaint is possible
- The signature of the person issuing the protocol and—except for verbal complaints communicated by phone or e-mail—of the customer
- The place and time of the issuance of the protocol
- In case of a verbal complaint communicated by phone or e-mail, the unique identification number of the complaint
Purpose of data processing:
Investigation of the complaint and maintaining contact with the complainant.
Legal basis of data processing:
Provisions of Section 17/A (7) of Act CLV of 1997 on consumer protection, which makes the above data processing mandatory. [GDPR Article 6(1)(c)]
Period of data processing:
3 years from issuing the protocol.
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to adat(at)danubiushotels.com.
The Company regularly publishes new articles in their online travel magazine. If you wish to receive notifications of the new articles, please subscribe to our mailing list by providing us with your name and e-mail address.
Purpose of data processing:
The purpose of processing your data is to be able to notify you of the new articles.
Legal basis of data processing:
Your voluntary consent. Please note that if we do not receive your consent to the processing of your data we will not be able to send you notifications.
Period of data processing:
We will only send you the requested notifications as long as you request them. If you no longer wish to receive notification e-mails you can unsubscribe at any time either by using the dedicated link at the end of each notification e-mail or by notifying us about unsubscribing at adat(at)danubiushotels.com. The withdrawal of consent shall not affect the lawful processing based on consent before its withdrawal.
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to adat(at)danubiushotels.
2.16 Automatically recorded data, cookies and “remarketing codes”
2.16.1 Automatically recorded data
When you open our website on a device (such as a laptop or desktop computer, a smartphone or a tablet) select data of that device will be automatically recorded. The data automatically recorded include the IP address of your device, the date and time of your visiting our website, the browser type and the domain name and address of your Internet provider. The recorded data will be automatically logged by the web server of the website, without requiring your consent or any dedicated activity on your part. The system uses the recorded data to automatically generate statistical data. These data cannot be associated with other personal data except where such an association is mandated by law. These data will exclusively be used in an aggregated and processed form, to correct errors and improve the quality, of our services, and for statistical purposes.
Purpose of data processing:
The technical development of the informatics system, to monitor of the service, and to generate statistical data. In case of fraudulent activities these data can also be used – in co-operation with the user’s Internet provider and the law enforcement authorities – to determine the source of such fraudulent activities.
Legal basis of data processing:
The requirement of the provision of the service as per Act CVIII of 2001 on certain issues of electronic commerce services and information society services, Article 13/A Section (3).
Period of data processing: 30 days from your opening our website.
2.16.2. Cookies and similar technologies
What are cookies?
Cookies are small, text-based files which are stored on the hard disk drive of computers or smart devices until their validity end date set within the cookie file, and is activated (sending a notification to the web server of the website) every time the website is opened in a browser on the device. Websites use cookies for the purpose of recording information regarding the use of the website (pages visited, time spent on the pages, browsing information, logouts etc.) and personal settings – but these data cannot be associated with the visitor’s identity. Cookies allow the websites’ operators to maintain user-friendly sites and enhance the user experience their websites offers to their visitors.
On platforms where cookies are not available or cannot be used, other technologies are applied to achieve goals similar to those of using cookies – examples include the ad-IDs used on Android-based mobile devices.
Cookies come in two types: “session cookies” and “persistent cookies”.
• “Session cookies” are only stored on the computer or smart device temporarily while the visitor is using the website; these cookies allow the system to “remember” certain information, so the visitor will not have to provide them every time they open the website. The validity period of session cookies is limited to the duration of the use of the website; the purpose of the use of session cookies is to prevent the loss of data (for example when filling in a longer form). At the end of each use of the website – each session – as well as when the browser is closed cookies of this type are automatically deleted.
• “Persistent cookies” will remain stored on the computer or smart device after the website is closed. Cookies of this kind are used to allow the website to identify returning visitors. Persistent cookies identify returning visitors by associating the server-side ID with the user, therefore they are an essential part of the functionality of websites which require the users to be authenticated – for example on web stores, netbanking websites and webmail sites. The persistent cookies do not contain personal data, they can only be used for the unique identification of users by associating them with the proper item in the database stored on the web server of the website. The inherent risk of using persistent cookies is that they can only identify the web browser as opposed to the user themselves, so if a user uses a public access point – such as a computer in an Internet café or a public library – to log in to a web store and fails to log out of the store at the end of their session another person can have unauthenticated access to the web store, being falsely identified by the system as the original (and therefore authenticated) user.
How can I allow and disable cookies?
Most Internet browsers automatically allow cookies, but the users can delete or reject them. As every browser is different you can set your cookie preferences manually in the Settings section of your browser. If you do not want to allow any cookies of our website on your device you can modify your browser settings so you are notified of cookies sent to your device, or you can simply reject all cookies. You can also delete the cookies stored on your computer or mobile device, any time. For more information on modifying the browser settings please consult the Help function of your browser. Please note that if you choose to disable cookies you limit the functionality of the website.
What cookies do we use?
1. Cookies essential for the operation of the website:
These cookies are essential for the proper functionality of the website, so in their cases the legal basis of data processing is the requirement of the provision of the service as per Act CVIII of 2001 on certain issues of electronic commerce services and information society services, Article 13/A Section (3). No transfer of data occurs.
a.) Fill-in guide
Purpose of data processing: To facilitate the filling in of the forms by automatically providing the user with the data deemed correct by the system.
Period of data processing: the duration of the visit to the website
b) Search aid
Purpose of data processing: Aids search sessions to minimalize search time
Period of data processing: the duration of the visit to the website
c) Spell check
Purpose of data processing: Automatic notification regarding suspected typing errors
Period of data processing: the duration of the visit to the website
d) Language setting identification:
Purpose of data processing: The system uses the normal cookie to uniquely identify the visitor while they are using the website, to be able “remember” the visitor’s language settings.
Period of data processing: This cookie is stored for 29 days.
e) Social network cookie (Facebook, Instagram, Google+, Youtube)
Purpose of data processing: This cookie allows the sharing of content of the website, on social media.
Period of data processing: This cookie is stored for the duration of sharing the content.
Regarding Facebook please read Section 2.
f) Multimedia player (YouTube)
Purpose of data processing: This cookie allows the playing of videos on the website.
Period of data processing: This cookie is stored for the duration of playing the video.
2. Cookies to obtain statistical data
The sole function of these cookies is to obtain statistical data, which means they do not involve personal data. They monitor the visitor’s use of the website, which topics they prefer, what they click on, how they scroll on the website, what pages they visit. It is important to note that these cookies strictly obtain anonymous data. These cookies let us know, for example, how many visitors has our website per month. The obtained statistical data allow us to improve our website so they reflect the preferences of our users even more. Google Tag Manager (and Google Analytics) and Hotjar help us obtaining such statistical data.
3. Marketing cookies
The purpose of using marketing cookies is to create and send personalised ads.
Legal basis of data processing: Using these cookies always require the recipient’s consent which the recipient may grant us in a pop-up window on the website. The user may withdraw their consent any time, however, the withdrawal of consent shall not affect the lawful processing based on consent before its withdrawal. Upon the withdrawal of consent the personalised ads created for the user will not be published on other sites.
a) Categorisation based on the location of the visit
Period of data processing: 269 days
b) Personalised offers on Facebook
Period of data processing: a maximum of 180 days
c) Monitoring clicks on Company ads
Period of data processing: 2 years
If you wish to exercise any of your rights referred to in Section 1, regarding the data recorded in the course of the above activities, or if you wish to contact us for any other reasons, please, inform us by sending an e-mail to adat(at)danubiushotels.com.
Joint data processing:
Regarding the processed data Arisende s.r.o., CP Regents Park Two Ltd., Slovenske liecebne kupele Piešťany, a.s., SC Balneoclimaterica SA and Léčebné lázně Mariánské Lázně a.s. are joint controllers. For more information please refer to Section 3.
As regards the processing of data the joint controllers proceed in accordance with this Policy.
2.16.3. Web links
Our website may contain web links to sites which are not managed and operated by the Company, and are linked to our site for the purpose of providing information to the users. The Company has no influence over, and therefore may not be hold responsible for, the content and the safety situation of the websites managed by its partner companies. Please, consult their privacy policies before providing any information on such websites you visit.
2.17 Business contacts
In common with most companies, we deal with individuals at other organisations and store their name, business function, and business contact details.
Purpose of data processing:
This is done by mutual agreement in order to enable our two companies to communicate with a view to working together.
Legal basis of data processing:
The legal basis of our data processing activity is our legitimate interest associated with the performance of the contract or with maintaining contact between the companies [GDPR Article 6(1)(f)].
Period of the data processing:
- We check the contact information of our business contacts at least once a year and remove those that are no longer up-to-date from the system. The details of contacts are therefore kept until the contact person changes or the relationship ends.
- We keep the details of contact persons specified on the contracts for 8 years after the contract is terminated, due to the accounting regulations.
We apply the same procedure when processing the personal data of press contacts.
2.22 Prices subject to registration
Booking at certain prices that offer an extra discount (e.g. Secret Price, Smart Price) is subject to registration. The direct booking discount applies to many public deals, however, it cannot be combined with other coupons or percent (e.g. corporate) discounts.
During registration, it is compulsory to provide your email address and possibly your name. By registering for the discounted price, you consent to us sending newsletters to the email address that you provide. You may naturally unsubscribe from the newsletter at any time.Purpose of the data processing:
Provision of information about discounts and special offers.
Legal grounds for the data processing:
Your voluntary consent. You may withdraw your consent at any time, but this will not affect the legitimate data processing that occurred before the withdrawal of consent. Please note that if you do not consent to the processing of the data, we will not be able to keep you informed about our special offers.
Duration of the data processing:
Until withdrawal of the consent.
If you wish to exercise any of your rights described in section 1 in relation to the data thus provided, or if you would like to contact us for any other reason regarding the data processing described above, please let us know by sending an email to newsletter(at)danubiushotels.com
3.1 Ensana Hotels in Hungary
In respect of Ensana s.r.o.’s hotels in Hungary, Danubius Hotels Zrt. and Ensana s.r.o. (formerly Arisende s.r.o.) are the joint data controllers in accordance with the provisions of the Privacy Policy available on the ensanahotels.com website: https://www.ensanahotels.com/hu/rolunk-ensana/adatvedelem
For the hotels in Hungary, in respect of data processing related to the operation of the hotels, Danubius Hotels Zrt. is the independent data controller, while in respect of the Ensana loyalty programme Ensana s.r.o. is the independent data controller.
The Hilton Budapest hotel is operated by Danubius Hotels Zrt. in accordance with Hilton's international standards. Danubius Hotels Zrt. is the joint data controller for room reservations and complaints management, and the data processor for the loyalty programme. You will find more information on Hilton's data processing at: http://hiltonhonors3.hilton.com/en/promotions/privacy-policy/english.html
3.3 Radisson Blu Béke Hotel
The Radisson Blu Béke Hotel is operated by Danubius Hotels Zrt. in accordance with Radisson's international standards. In respect of the processing of room reservation, complaints management and contact data, Danubius Hotels Zrt. is the joint data controller, and in relation to the Radisson newsletter and loyalty programme, it acts as the data processor. You will find more information on Radisson’s data processing at: https://www.radissonhotels.com/en-us/privacy
4 Legal reference information (including contact details)4)
As the data controller of the personal data it uses, Danubius is obliged, under the GDPR, to publish information regarding its official name, contact details and other data. This section contains all the information required by the GDPR, as well as additional legal information.
The juridical persons (companies) operating our hotels:
Name: Danubius Hotels Zrt.
Registered office: 1051 Budapest, Szent István tér 11.
Court of registration: Metropolitan Court of Budapest as Court of Registration
Company registration number: 01-10-041669
Tax number: 10594702-2-41
Represented by: Balázs Kovács CEO
Legal associate responsible for data protection is available at 06/1-8894172
Or by E-mail: adat(at)danubiushotels.com
Danubius hotels have been grouped into two divisions for the purpose of profile cleaning: The City division comprises the city hotels, while the SPA division manages the health spa & wellness hotels. The City hotels continue to be operated by Danubius Hotels Zrt., while the operation of health spa & wellness hotels has been taken over by Ensana s.r.o. (formerly Arsiende s.r.o.) of Prague.
Name of company: Ensana s.r.o.(formerly Arisende s.r.o.)
Registered office of the company: Masarykova 22, 353 01 Mariánské Lázně
Name of court of registration: Krajský soud v Plzni
Company registration number: C 33301
ID number: 05456274
The owners of the hotels operated by Ensana s.r.o., (formerly Arisende s.r.o.) besides Danubius Hotels Zrt., are the following companies:
Name of company: CP Regents Park Two Ltd.
Registered office: CP House, Otterspool Way, Watford WD25 7JP, UK
Registration number: 5307946.
EU tax number: GB 848957555
Company name: Slovenske liecebne kupele Piešťany, a.s.
Abbreviated name: SLKP, a.s.
Registered seat: Winterova 29, 921 29 Piešťany, Slovakia
Registration number: Obch. reg. KS Trnava, odd. Sa, vlozka č. 181/T
EU tax number: SK2020389668
Company name: Balneoclimaterica SRO Sovata
Registered seat: Str, Trandafirilor nr. 99, Cod.545500, Romania
EU tax number: RO1245068
Registration number: J26/266/1991
Company name: Léčebné lázně Mariánské Lázně a.s.
Registered seat: Masarykova 22, 353 29 Mariánské Lázně, Czech Republic
Registration number: B 196
EU tax number: CZ45359113
The above companies are jointly deemed the Danubius Hotels.
Hotels involved in joint data processing are the following:
Danubius Hotels Zrt:
Ensana Thermal Margitsziget
Ensana Grand Margitsziget
Ensana Thermal Sárvár
Ensana Thermal Aqua
Ensana Thermal Hévíz
Léčebné lázně Mariánské Lázně a.s.:
Ensana Nové Lázně
Ensana Centrální Lázně
Ensana Hvězda
Ensana Pacifik
Ensana Butterfly
Ensana Vltava
Ensana Svoboda
Slovenske liecebne kupele Piešťany, a.s:
Ensana Thermia Palace
Ensana Esplanade
Ensana Splendid
Ensana Vila Trajan
Ensana Jalta
Ensana Pro Patria
Ensana Smrdáky
Balneoclimaterica SRO Sovata:
Ensana Bradet
Ensana Sovata
Ensana Ursina
CP Regents Park Two Ltd.
Danubius Hotel Regents Park
5) Terms and abbreviations used in this Policy
Most of the definitions refer to the EU’s General Data Protection Regulation (GDPR). This is a legal document, and it is not possible to give a short definition in simple language which is fully exact. The aim here is to give a clear explanation which will facilitate the reader’s understanding; this may sometimes exclude detail of the full legal definition. Our policy is to comply with the full requirement of GDPR, and your rights are not affected by any simplification in the explanations here.
Term or Abbreviation | Explanation |
Controller | The legal entity which determines the purposes and means of the processing of personal data; |
Data subject | A live individual inside or outside the EU dealing with an organisation in the EU. Such an individual is a “data subject” and under GDPR has rights over the processing of his or her personal data. |
EU | The European Union |
GDPR | The General Data Protection Regulation of the EU, which came into force 25 May 2018. |
Personal data | Any information relating to an individual who is or can be identified through a wide variety of methods, including but not limited to:
|
Processing | Any operation or set of operations which is performed on personal data, whether or not automatically means, including but not limited to: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction. |
Processor | A legal entity which processes personal data on behalf of a controller. |
Profiling | Automated processing which uses personal data in order to analyse or predict aspects of performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements of an individual |
Pseudonymisation | Encrypting or otherwise holding personal data in a way in which it cannot be linked to a specific data subject without additional information. The additional information has to be kept separately and protected by technical and organisational measures to prevent its unauthorised use. |
Special categories of data | There are very strict restrictions on processing of personal data within “special categories”. These are:
|
Supervisory Authority | An independent public body set up by an EU state to monitor the application of GDPR and, as necessary, to intervene to protect the rights of individuals under GDPR |
Third Country | Any country outside the EU |
Transfer | Sending of personal data from the controller or processor to a legal entity outside the EU. |