Booking

Nr. of guests
Vendégek száma és kódok
X 1. Room
Adults - 1 +
Children - 0 +

To find the right room type and the right prices, we would like to know how old your children will be during your stay.

Gyermekek életkora
Please type in the age(s) of your child(ren).
Special rate codes Added
Special rate codes Close

Whistleblowing privacy

PRIVACY NOTICE

INTERNAL WHISTLEBLOWING SYSTEM

Last update:24/07/2023

1. Data Controller

Danubius Hotels Zrt.

registered office: 1051 Budapest, Szent István tér 11.

represented by: Balázs Kovács, Chief Executive Officer

e-mail: data@danubiushotels.com

(hereinafter referred to as „Data Controller”)


2. Data processing

Your identity will be kept confidential at all stages of the investigation. If you do not provide your personal data, you can file a report, but it may not be investigated.

The internal whistleblowing system is designed to ensure that the personal data of the whistleblower and the person concerned by the whistleblowing cannot be disclosed to anyone other than the authorised person. Pending the conclusion of the investigation or the initiation of formal action as a result of the investigation, the persons investigating the report may, in addition to informing the person concerned, share information with other departments or staff of the employer on the content of the report and the person concerned to the extent strictly necessary for the conduct of the investigation.

Data subject and data

Purpose of processing

Retention time

Legal basis

Rights

The person who made the report and who has substantive information about the subject matter of the report

Personal data provided in the report: e.g.: name, e-mail address, telephone number, voice

Investigate the report, remedy, or end the conduct that is the subject of the report.

Until the end of the investigation. Where justified by the remedying or cessation of the conduct that is the subject of the report, for a maximum of 5 years after the investigation is closed.

Fulfilling a legal obligation. The rules on the processing of data are governed by the law on complaints. If you do not provide your personal data, you can make a report, but an investigation may not be carried out. [Article 6(1)(c) and 9(2)(g) GDPR]

4.2., 4.3., 4.5.,

The person who gave rise to the report.

Personal data provided in the report: e.g.: name, position

Source: The whistleblower or the person who has substantial information about the subject matter of the report provides the data necessary for identification.

Investigate the report, remedy, or end the conduct that is the subject of the report.

Until the end of the investigation. Where justified by the remedying or cessation of the conduct that is the subject of the report, for a maximum of 5 years after the investigation is closed

Fulfilling a legal obligation. The rules on the processing of data are governed by the law on complaints. [Article 6(1)(c) and 9(2)(g) GDPR]

4.2., 4.3., 4.5.

Recording the voice of a telephone caller

Voice recording

Investigate the report, remedy, or end the conduct that is the subject of the report.

Until the end of the investigation. Where justified by the remedying or cessation of the conduct that is the subject of the report, for a maximum of 5 years after the investigation is closed. If it happens sooner, until the consent is withdrawn.

Consent, which you give by submitting the report on the recorder. Consent may be withdrawn at any time by contacting us at one of the contact details indicated in point 1. Such withdrawal shall not affect the lawfulness of the processing that preceded it.[Article 6(1)(a) and 9(2)(a) GDPR ]

4.1.,

4.2., 4.3.,

4.4.,

4.5.,

4.6.

Co-worker accessing the platform and involved in the investigation

name, e-mail, telephone number, username, password

Ensuring restricted access and documenting the investigation

Until being in this position

Fulfilling the employment contract with the employee. Providing the personal data requested by us is obligatory, otherwise we will not be able to employ you in this position. [Article 6(1)(b) GDPR].

4.2., 4.3.,

4.4.,

4.5.,

4.6.

3. Recipients (Processors and other data controllers):

Data processors:

  • Whisly Korlátolt Felelősségű Társaság (registered office: 7953 Királyegyháza, Rigó utca 13.) is the operator of the internal whistleblowing system's platform.
  • We use Microsoft Ireland Operations Limited (registered office One Microsoft Place, South County Business Park, Leopardstown, Dublin 18 D18 P521) as our data processor for reports made by email, telephone, in person and via Teams online meeting.

Data controller:

  • Correspondence relating to reports sent by post will be delivered by Magyar Posta Zártkörűen Működő Részvénytársaság (registered office: 1138 Budapest, Dunavirág utca 2-6.).

Other possible data transfers:

  • Personal data may be transferred to an external organisation involved in the investigation of the report.
  • The whistleblower's personal data may only be transferred to the body that may be competent to investigate the report, if that body is entitled to process it by law or if the whistleblower has consented to the transfer of his/her data.
  • If it has become apparent that a whistleblower has provided false data or information in bad faith and that there are indications that a criminal offence or irregularity has been committed, his or her personal data must be disclosed to the body or person responsible for the proceedings, or, if there are reasonable grounds to believe that he or she has caused unlawful damage or other legal harm to another person, to the body or person responsible for the initiation or conduct of the proceedings, upon request.


4. Rights

During data processing, you are entitled to the rights detailed in Sections 4.1-4.7. If you wish to exercise your rights, you can reach out to us using any of the contact details specified in Section 1.

Identification

Before complying with your request, we will always have to check your identity. If we cannot identify you, we will be unable to comply with your request.

Responding to a request

After identification, we will provide you with information concerning your request in writing, electronically or, if you so wish, orally. Please note that if you submitted your request electronically, we would respond electronically. Obviously, even in this case you may request another form of communication.

Deadline for handling your request

We will inform you on the action taken on your request no later than within one (1) month after submission of the request. That period may be extended by two (2) further months where necessary, taking into account the complexity and number of the requests, and we shall inform you thereof within the one (1) month deadline.

We are also obliged to inform you within the one-month deadline if we do not take any action. You may lodge a complaint against this with NAIH (Hungarian National Authority for Data Protection and Freedom of Information) (Section 5.1.) or seek judicial remedy (Section 5.2).

Administrative fee

The requested information and measures are free of charge. An exception is made, however, for cases where the request is manifestly unfounded or excessive, in particular because of its repeated character. In this case, we charge you a fee or may refuse to comply with your request.


4.1. You may withdraw your consent

For data processing carried out based on your consent, you may withdraw your consent at any time. In such cases, we immediately erase your personal data related to the data processing in question. We hereby inform you that the withdrawal does not affect the lawfulness of the data processing carried out before on the basis of the consent.


4.2. You may request information (access)

Where the report concerns a natural person, in exercising his or her right of information and access under the provisions on the protection of personal data, the personal data of the whistleblower shall not be disclosed to the person requesting the information.

You may request information as to whether personal data concerning you are processed, and if so:

  • For what purposes?
  • Exactly what data are being processed?
  • To whom do we transfer such data?
  • For how long do we store such data?
  • What rights and legal remedies are available to you with respect to such data processing?
  • Who transferred your data to us?
  • Do we make automated decisions concerning you by using your personal data? In such cases, you may also request information on the logics (method) involved as well as the significance and the envisaged consequences of such processing.
  • If you have found that your data are transferred to an international organisation or to a third country (non-EU member state), you may request a guarantee concerning the appropriate processing of your personal data.
  • You may request a copy on your personal data processed by us. (For extra copies, we may charge you a fee based on the administrative costs.)

4.3. You may request rectification

You may request us to rectify or complete incorrect or incomplete personal data concerning you.


4.4. You may request erasure of your personal data (‘right to be forgotten’)

You may request us to erase your personal data if:

  • The personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them;
  • For data processing carried out based on your consent;
  • If it is established that the personal data have been unlawfully processed;
  • If your objection is successful;
  • If required by EU or national law;
  • Data was collected within the framework of IT service provision for children.

We cannot erase personal data if they are necessary for the following purposes:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest;
  • for reasons of public interest in the area of public health;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  • for the establishment, exercise, or defence of legal claims.


4.5. You may request restriction of the data processing

You may request restriction of the data processing where one of the following applies:

  • The accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
  • The processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
  • We no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
  • You have objected to processing pending the verification whether the legitimate grounds of the Controller override yours.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. We shall inform you of the eventual lifting of such restriction.


4.6. You may request us to transfer your personal data (right to data portability)

You have the right to receive your personal data processed by us in a machine-readable format, and you have the right to transfer such data to another controller or request us to do so, if the data processing is based on your consent or a contract concluded with you or in your interest, and takes place in an automated manner.

That right shall not apply to data processing necessary for the performance of a task carried out in the public interest. The above right may not adversely affect the rights and freedoms of others.


4.7. You may object to the processing of your personal data

You may object to the processing of your personal data if the data processing is based on legitimate interest or is necessary for direct marketing purposes (such as sending newsletters) or the performance of a task in the public interest. In this case we shall erase the personal data, unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

You may also object to the processing of your personal data if the processing takes place for scientific or historic studies or statistic purposes. In this case, we erase the personal data, unless the data processing is necessary for the performance of a task in the public interest.

5. Remedies

5.1. You may lodge a complaint with NAIH

If you believe that the processing of your personal data conflicts with the provisions of the GDPR, you may lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

NAIH

chair: dr. Attila Péterfalvi

mailing address: H-1363 Budapest, Pf. 9.

address: 1055 Budapest, Falk Miksa utca 9-11.

Telephone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

web: http://naih.hu

email: ugyfelszolgalat@naih.hu


5.2. You may seek judicial remedy

If you believe that the processing of your personal data conflicts with the provisions of the GDPR, or your rights under this GDPR are infringed, you may seek judicial remedy.

In Hungary, such cases fall within the competence of regional courts (törvényszék). The proceeding may be initiated at the regional court of the data subject’s home address or place of habitual residence – at the choice of the data subject. People otherwise without capacity to be a party to legal proceedings may also be parties to these proceedings. The Authority may only be involved in the proceeding in order to ensure success of the data subject. In addition to the provisions of the GDPR, court proceedings shall be governed by the Second Book, Third Part, Title XII of Act V of 2013 on the Civil Code (Sections 2:51-2:54), and other legal provisions relevant to court proceedings.


5.3. Compensation for damages

If the Controller causes damage with the unlawful processing of the data subject’s data, or violates the data subject’s personality rights, compensation for damages may be claimed from the Controller. The Controller shall be exempted from liability for the damage caused and from compensation for damages, if it can demonstrate that the damage or the violation of the data subject’s personality rights was caused by an unpreventable cause falling outside the scope of data processing.


6. Security of personal data

Taking into account the current state of science and technology, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

We process personal data in a confidential manner, with restricted access, encryption and maximising our resilience to the extent possible, and ensuring their recoverability in case of any problem. We regularly test our system in order to guarantee its security. In assessing the appropriate level of security, we take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

We shall take steps to ensure that any natural person acting under our authority who has access to personal data does not process them except in line with our instructions, unless he or she is required to do so by Union or Member State law.


7. Miscellaneous

The Controller is entitled to modify this Privacy Notice at any time. Modifications shall enter into force upon their publication.

 

Back to the whistleblowing policy >>