PRIVACY POLICY

Regarding the USE of the Website of Look-up Média Limited Liability Company (06-09-017247)

Effective: from August 2, 2021 until revoked

Introduction

1.1. Look-up Média Limited Liability Company (Company registration number: 06-09-017247; Tax number: 23380970-2-06; Registered office: 6722 Szeged, Püspök utca 11.; electronic contact: info@noirhotel.com) (hereinafter: the “Service Provider” or the “Controller”) hereby adopts this Privacy Policy (hereinafter: the “Policy”), which applies to the provision of information services, in particular but not limited to the services defined in Section 2 (23) of Act CLXIV of 2005 on Trade (hereinafter: the “Service”).

1.2. The Data Subject is the user of the website operated by the Service Provider and accessible online at http://www.noirhotel.hu (hereinafter: the “NoirHotel Website”).

1.3. The purpose of this Policy is to define the scope of data processed by the Service Provider regarding Users of the Service, the method, purpose, and legal basis of processing, as well as to ensure the enforcement of constitutional principles of data protection and the requirements of data security, to prevent unauthorized access to Users’ data, alteration of data, and unauthorized disclosure or use.

Data protection legislation

2.1. Laws of particular relevance to this Policy:

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: the “GDPR”)
The Fundamental Law of Hungary
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: the “Info Act”)
Act V of 2013 on the Civil Code (hereinafter: the “Civil Code”)
Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (hereinafter: the “Private Security Act”)
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (in particular Sections 13/A–13/B)
Act CXIX of 1995 on the Management of Name and Address Data for Research and Direct Marketing Purposes
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities
Act C of 2003 on Electronic Communications
Act XC of 2017 on Criminal Procedure
Act C of 2012 on the Criminal Code

as well as the applicable data protection laws of the countries where the Service Provider’s Partners are established—except where such laws would conflict with the Hungarian legal order.

Definitions

Data Subject: any identified or identifiable natural person, directly or indirectly, by reference to personal data;

User: a Data Subject who initiates a booking on the Service Provider’s Website, who concludes a contract with the Service Provider for the Service, and any person(s) designated by the foregoing as beneficiary(ies) of the Service.

Consent: any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them—either fully or for specific operations;

Personal data: any information relating to the Data Subject, in particular their name, identification mark, and one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity, as well as any inference that can be drawn from the data relating to the Data Subject;

Controller: the natural or legal person, or an entity without legal personality, which alone or jointly with others determines the purposes of the processing of data, makes and implements decisions regarding processing (including the means used), or has them implemented by a processor;

Processing: any operation or set of operations performed on data, regardless of the procedure applied, including collection, recording, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure, and destruction, as well as preventing further use of the data; making photo, audio, or video recordings, and recording physical characteristics suitable for identifying a person (e.g., fingerprint or palm print, DNA sample, iris image);

Data transmission: making data available to a specified third party;

Data processing (technical): the performance of processing operations and technical tasks, irrespective of the method and means used and the place of application.

Disclosure: making data available to anyone.

Data erasure: making data unrecognisable in such a way that restoration is no longer possible;

Automated (machine) processing: includes the following operations when performed in whole or in part by automated means: storage, logical or arithmetic operations on data, alteration, erasure, retrieval, and dissemination.

Cookie: A cookie is a small text file stored on the hard drive of a computer or mobile device and activated upon subsequent visits. Websites use cookies to record information related to the visit (pages visited, time spent on our pages, browsing data, exits, etc.) and personal settings; these, however, are not data that can be linked to the Data Subject personally. This tool helps create user-friendly websites to enhance the online experience of Data Subjects. Most browsers automatically accept cookies; however, Data Subjects can delete or reject them. As browsers vary, Data Subjects can set their cookie preferences individually using the browser’s toolbar. If the Data Subject does not wish to allow any cookies from visited websites, they can modify their browser settings to be notified of cookies sent or simply reject all cookies or only cookies sent by certain websites. They can also delete cookies stored on their computer, notebook, or mobile device at any time. For further information on settings, consult the browser’s Help. If the Data Subject chooses to disable cookies, they must forgo certain website functions (e.g., the website will not remember that the Data Subject remained logged in). We distinguish between two types of cookies: “session cookies” and “persistent cookies.”

Session cookies: stored by the computer, notebook, or mobile device only temporarily, until the Data Subject leaves the given website; these cookies help the system remember information while the Data Subject navigates from one page to another, so they do not need to re-enter certain information.
Persistent cookies: remain stored on the computer, notebook, or mobile device after leaving the website. Using these cookies, the website—while not personally identifying the Data Subject—recognises them as a returning visitor. “Persistent” cookies are stored as files on the Data Subject’s computer or mobile device.
Flash cookies: Adobe Flash Player, used to run certain types of animated banners and various videos (YouTube, Vimeo), can store information on the computer, notebook, or mobile device. Acceptance of “Flash cookies” cannot be set through the web browser. If the Data Subject does not wish to accept Flash cookies, this must be configured on Adobe’s website: www.adobe.com/hu/privacy/cookies.html. If Flash cookies are disabled, some website functions—here, the Website—may not work, e.g., videos embedded in articles may display incorrectly.

System: the totality of technical solutions operating the pages and services accessible via the internet of the Controllers and their partners.

Otherwise, for the purposes of this Policy, terms shall have the meanings set out in the Noir Hotel GTC (General Terms and Conditions), Section 3 of the Info Act, and Article 4 of the GDPR, with the GDPR prevailing in case of discrepancies.

Voluntary consent

4.1. The Service Provider processes personal data of natural person Data Subjects contained in this Policy in connection with the use of the Website on the basis of their voluntary, informed, and explicit consent under Section 5 (1)–(2) and Section 6 (5) of the Info Act, while, during the actual use of accommodation and related services, primarily under Section 5 (1) of the Info Act, failing which under Section 6 (1) of the Info Act—including, in particular, the person(s) designated as beneficiary(ies) by the user contracting for the Service.

4.2. That is, the Service Provider lawfully processes data under points (a) (“the data subject has given consent to the processing of his or her personal data for one or more specific purposes”), (b) (“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”), (c) (“processing is necessary for compliance with a legal obligation to which the controller is subject”), and (f) (“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”) of Article 6(1) of Chapter II of the GDPR,

and, for special categories of personal data, under Article 9(2) of Chapter II of the GDPR:
(a) (“the data subject has given explicit consent to the processing of those personal data for one or more specified purposes…”) and (f) (“processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”).

4.3. Given that personal data are, in all cases, provided to the Service Provider on the basis of voluntary, informed, and explicit consent by the registering or registered Data Subject, where the person of the Data Subject and the person providing the relevant personal data are not the same, the registered Data Subject is responsible for the veracity and processability of the personal data; except where the Service Provider’s potential bad faith would exclude such responsibility.

4.4. The Service Provider processes data until the Data Subject requests their erasure or withdraws consent, and until the relevant processing period set out in this Policy expires. Personal data provided by the registered Data Subject—even if the user does not unsubscribe from the Noir Hotel Website or, by deleting the registration, only terminates the login option, the comments stored therein and uploaded content remain—may be processed by the Service Provider until the Data Subject expressly requests in writing that processing be terminated. The Data Subject’s request to terminate processing without unsubscribing from the Noir Hotel Website does not affect the right to use the Service; however, the lack of personal data may prevent the use of certain services. The user acknowledges that sending direct advertising communications (newsletter, electronic direct marketing, e-DM letter) referred to in Section 6 of Act XLVIII of 2008 (“Grtv.”) constitutes a separate service.

4.5. In compliance with the obligation set out in Article 14(3) of Chapter III of the GDPR, if personal data were not obtained from the Data Subject—particularly where they were provided by a registered user regarding a Data Subject entitled to use the Service—the Service Provider shall inform the Data Subject, via known contact details—if known, preferably by email—without delay and at the latest within one month, of the following:

the identity and contact details of the Service Provider and, where applicable, the Service Provider’s representative;
the contact details of the data protection officer, if any;
the purposes of the intended processing of personal data as well as the legal basis for the processing;
the categories of personal data concerned;
the recipients or categories of recipients of the personal data, if any;
where applicable, the fact that the Service Provider intends to transfer personal data to a recipient in a third country or an international organisation, and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46, 47, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and how to obtain a copy of them or where they have been made available;
the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
where processing is based on Article 6(1)(f) of the GDPR, the legitimate interests pursued by the controller or by a third party;
the Data Subject’s right to request from the controller access to and rectification or erasure of personal data or restriction of processing, and to object to processing, as well as the right to data portability;
where processing is based on Article 6(1)(a) or Article 9(2)(a) of the GDPR, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
the right to lodge a complaint with a supervisory authority;
the source of the personal data and, if applicable, whether it came from publicly accessible sources;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.

Purposes of processing and categories of data processed by the Service Provider

5.1. The Service Provider declares that it processes personal data solely for exercising a right or fulfilling an obligation. The processed personal data are not used for private purposes; processing always complies with the principle of purpose limitation—if the purpose of processing ceases or processing otherwise becomes unlawful, the data will be erased.

5.2. To prevent abuses, the Noir Hotel Website—the Service may be used, and abuses and security risks avoided—exclusively following registration (hereinafter: “Registration”) in accordance with the Service Provider’s then-current General Terms and Conditions (hereinafter: the “Noir Hotel GTC”). A contract for the Service is concluded by the booking (hereinafter: “Booking”) of the registered Data Subject as a user under the Service Provider’s then-current General Terms and Conditions.

5.3. The Service Provider may process the Data Subjects’ personal data for the following purposes, to the following extent, and proportionately:

Purpose of processing:

Booking; including:

identification of Data Subjects;
learning the needs of Data Subjects;
maintaining contact with Data Subjects and providing information to them.

Exact description of processes and operations:
See: Noir Hotel GTC.

Expected duration, deadline of processing:
As a main rule, until deletion of the registration; beyond this:

In view of Section 78 (3) of the Act on the Rules of Taxation (“Art.”), data are kept for 5 years.
In view of Section 169 (1)–(2) of the Accounting Act, data are kept for 8 years.
And for a longer period if so provided by law.
The Controller reserves the right to process the relevant data, to the necessary extent, beyond the above deadlines until the expiry of the limitation period for enforcing claims arising from rights and obligations stemming from the activity giving rise to processing.

Personal data – scope, types, categories
Depending on the type of Booking, data required as a condition if not provided during Registration:
a) surname and given name of the Data Subject entitled to use the Service (and birth name if different);
b) place and date of birth of the Data Subject entitled to use the Service;
c) mother’s name of the Data Subject entitled to use the Service;
d) nationality of the Data Subject entitled to use the Service;
address (or place of residence, mailing address), email address, phone number or other contact provided by the Data Subject entitled to use the Service.

Legal basis for processing
Article 6(1) (a), (b), (c), (f) of Chapter II of the GDPR.

Purpose of processing:

Provision of the Service; including:

learning the needs of Data Subjects;
maintaining contact with Data Subjects and providing information to them.

Exact description of processes and operations:
See: Noir Hotel GTC.

Expected duration, deadline of processing:
As a main rule, until deletion of the registration; beyond this:

In view of Section 78 (3) of the Act on the Rules of Taxation, data are kept for 5 years.
In view of Section 169 (1)–(2) of the Accounting Act, data are kept for 8 years.
And for a longer period if so provided by law.
The Controller reserves the right to process the relevant data, to the necessary extent, beyond the above deadlines until the expiry of the limitation period for enforcing claims arising from rights and obligations stemming from the activity giving rise to processing.

Personal data – scope, types, categories
Beyond data provided at Registration and Booking, information indispensable for exercising rights and obligations laid down in the GTC.

In this context, processing of special categories of data, such as health-related information, may also occur (see: Noir Hotel GTC Section XI), in which case processing shall take place solely to the extent and for the period provided for in Article 9(2)(c) and (e) of the GDPR, failing which under point (a).

Legal basis for processing
Article 6(1) (a), (b), (c), (f) of Chapter II of the GDPR.

Purpose of processing:

Enhancing user experience, technical development of the IT system, protection of users’ rights

Exact description of processes and operations:
Until permission is granted, the Noir Hotel Website, upon every opening, asks the visitor to consent to the use of cookies applied by the Website for the purpose of providing a better and faster user experience, and, for registered Data Subjects, for the purpose of recording data automatically for personalised advertising display, statistics, technical development of the IT system, and protection of users’ rights.
(together: cookie customization)

Expected duration, deadline of processing:
For the duration specified in the Service Provider’s cookie rules published on the Website, but no longer than until deletion of the Registration.

Personal data – scope, types, categories
Anonymised and/or encoded system data relating to Data Subjects, cookie data, orders placed during bookings, individual orders, and further consumption data.

Legal basis for processing
Article 22(2)(c) of the GDPR
/and, in view thereof, Article 9(2)(a) of the GDPR/

Legal basis of processing

6.1. The Service Provider lawfully processes personal data, including special categories of data, as set out in this Policy under Article 6(1)(a) (“consent”), (b) (“contract”), (c) (“legal obligation”), and (f) (“legitimate interests”) of Chapter II of the GDPR.

For special categories of personal data, processing is lawful under Article 9(2)(a) (“explicit consent…”) and (f) (“establishment, exercise or defence of legal claims or courts acting in their judicial capacity”) of Chapter II of the GDPR.

6.2. Special categories of data may be processed only exceptionally and to the extent and for the period under Article 9(2)(c) and (e) of Chapter II of the GDPR, failing which under point (a).

Method of data collection

7.1. The Service Provider receives and obtains the data of Data Subjects set out in Section 7 of this Policy in all cases on the basis of the voluntary consent of the registering or registered Data Subjects via the Noir Hotel Website. The registering or registered Data Subject is always responsible for the accuracy of the personal data provided. The Service Provider does not verify the personal data provided to it.

7.2. By accepting this Policy, Data Subjects are obliged to accept its provisions and consent to the Service Provider processing the data listed in Section 7.

7.3. By using the Noir Hotel Website and concluding a contract for the Service, Data Subjects expressly accept this Policy as well.

Principles of processing

8.1. Personal data may only be obtained and processed fairly and lawfully.

8.2. Personal data may only be stored for specific and legitimate purposes and may not be used in ways incompatible with those purposes.

8.3. The scope of personal data processed must be proportionate to and adequate for the purpose of storage and must not extend beyond that purpose.

8.4. Appropriate security measures must be taken to protect personal data stored in automated files to prevent accidental or unlawful destruction or accidental loss, as well as unlawful access, alteration, or dissemination.

Records of processing activities

9.1. The Service Provider and—if any—its representative shall maintain a record of processing activities under their responsibility. This record contains the following information:

the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer;
the purposes of the processing;
a description of the categories of data subjects and of the categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
where applicable, information on transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation, and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
where possible, the envisaged time limits for erasure of the different categories of data;
where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Upon request, the Service Provider shall make the record available to the supervisory authority.

Data protection officer

10.1. In view of the mandatory case set out in Article 37 of Chapter IV of the GDPR—processing of special categories of data, regular and systematic monitoring of data subjects on a large scale—a data protection officer was appointed on August 2, 2021.

The Service Provider hereby informs Data Subjects that if they identify any procedure, incident, or other circumstance related to the Service that is questionable from a data protection perspective or otherwise unlawful and/or objectionable on technical or organisational grounds, or at least warrants investigation, they may, in addition to informing the Service Provider’s competent employee or manager, contact the data protection officer using the following contact details:

Data Protection Officer name and contact details: Zoltán Hamar,
info@noirhotel.com

Data transfers

11.1. The Service Provider is entitled and obliged to transmit all personal data available to it and lawfully stored by it to the competent authorities when transmission is required by law or by a final and binding administrative order. The Service Provider shall not be liable for such transmission or any resulting consequences.

11.2. The Service Provider also transmits data to its Partners connected with the Service Provider, but only to such Partner who bears contractual obligations regarding the Data Subject for the Service; accordingly, the Service Provider transfers data to a Partner solely for the purpose and to the extent necessary to perform the Service.

11.3. In connection with the above and otherwise, if the Service Provider assigns the operation or exploitation of content services available on the Noir Hotel Website, in whole or in part, to a third party—including Partners—the Service Provider may transfer the data it processes to such third party for further processing without requesting separate consent.

11.4. The Service Provider also transmits data to its processors with which it has a contractual relationship, but only to those bound by contractual obligations regarding the Noir Hotel Website and the systems serving it; accordingly, the Service Provider transfers data to third parties solely for the purposes set out in this Policy and to the extent necessary. Such data transmission may not put the Data Subject in a worse position than the data processing and data security rules specified in the current version of this Policy.

Processors of the Service Provider

Processor	Scope of data	Purpose(s) of processing	Physical location(s) of processing
Amazon Web Services, Inc. Registered office: 410 Terry Avenue North, Seattle, WA 98109-5210 USA. Contacts: Mailing address: Box 81226 Seattle, WA 98108; Tel: (206) 266-4064; Fax: (206) 266-7010; E-mail: abuse@amazonaws.com; https://aws.amazon.com	Data Subject’s name, email address, address, billing address, room type(s) concerned by booking(s), room number(s) concerned by booking(s), hotel name concerned by booking(s)	Management of customer contracts	Automated cloud servicing of the Noir Hotel System; execution of backup operations of the Noir Hotel System
Clock Software Ltd. (Company Reg. # 08008667, VAT: GB 171901910). Registered office: 27 Redcliffe Gardens, London, SW10 9BH, UK. Contacts: +44-203-3-979-671; +1-844-244-0165; https://www.clock-software.com/company-aboutus/contact-us.html	Data Subject’s name, email address, address, billing address, room type(s) concerned by booking(s), room number(s) concerned by booking(s), hotel name concerned by booking(s)	Management of customer contracts	Cloud-based hotel management (PMS) service

11.5. As a general obligation, the Service Provider undertakes that any data transmission carried out by it may not put the data subject user in a worse position than the data processing and data security rules specified in the current version of this Policy.

11.6. The Service Provider does not transfer the personal data of Data Subjects to a foreign third country or an international organisation (outside the European Union, to a non-EEA state), except with the Data Subject’s express approval and under conditions laid down in a written statement by the parties, ensuring appropriate safeguards in accordance with the GDPR.

The foregoing restriction does not apply to cases under Article 45 of the GDPR, whereby if the destination state and/or international organisation is subject to a valid adequacy decision issued by the Commission, no special permission is required for such transfer. As of the date of this document, adequacy decisions are in force for the following third countries: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Jersey, Canada, Isle of Man, Switzerland, Uruguay, USA (Privacy Shield), New Zealand—procedures were ongoing for Japan and South Korea.

Security of processing

12.1. In compliance with Article 32 of the GDPR, and regarding it as an obligation, the Service Provider takes all measures to ensure the security of Data Subjects’ data and takes the necessary technical and organisational measures and establishes the procedural rules needed to enforce the GDPR and other data and secrecy protection rules.

12.2. The Service Provider primarily processes data by automated means—via the Noir Hotel Website and the systems serving it—and only exceptionally and to the required extent may any processing involving human intervention occur. The activities of the Service Provider and its contracted processors comply with requirements relating to organisational security, employee-related security, security relating to external persons and environments, asset classification and control, communication and operations management, access control, business continuity management, and system development and maintenance.

12.3. The System serving the Noir Hotel Website (see: the Service Provider’s then-current and effective General Terms and Conditions) includes so-called cloud-based applications. The Service Provider selects cloud service partners with utmost care—see: processors indicated in Section 11.4—and takes all generally expectable measures to conclude contracts that also consider Data Subjects’ data security interests, ensure transparency of their data processing principles, and regularly audit data security. Data of Data Subjects are stored physically in the cloud. By accepting this Privacy Policy, the Data Subject expressly consents to the data transfer necessary for using cloud-based applications.

12.4. Partners may process personal data only exceptionally, following prior information, solely for the provision of the Service and/or the fulfilment of legal obligations—for example, in the context of retaining invoices—such processing being subject to this Policy as appropriate; otherwise, Partners perform only data processing activities in connection with performing the Service.

12.5. The Service Provider protects data in particular against unauthorized access, alteration, transmission, disclosure, erasure, or destruction, as well as accidental destruction and damage. Data automatically recorded during the operation of the Service Provider’s system(s) are stored in the System for a period justified by the need to ensure the operation of the System from the time of their generation. The Service Provider ensures that such automatically recorded data cannot be linked with other personal data—except in cases required by law. If the Data Subject withdraws their consent to the processing of personal data or unsubscribes from the Noir Hotel Website, thereafter their person cannot be identified from technical data—excluding investigating authorities and their experts.

12.6. Links: The Noir Hotel Website may contain references or links to sites maintained by other service providers or financial enterprises (including buttons and logos pointing to login and sharing options), over which the Service Provider has no influence regarding personal data processing practices and to which the Service Provider does not share/transfer data. The Service Provider draws the Data Subjects’ attention to the fact that by clicking such links they may be redirected to other providers’ or financial enterprises’ sites. In such cases, the Service Provider recommends that Data Subjects read the privacy rules applicable to those sites. If the Data Subject modifies or deletes any of their data on an external website, this will not affect processing by the Service Provider; such modifications must also be made on the Noir Hotel Website.

In this context, the Service Provider specifically draws the Data Subjects’ attention to the fact that, when paying or initiating payment for the consideration of Services, via a pop-up window or link on the Noir Hotel Website, the Data Subject will be redirected to the website of Wirecard Central Eastern GmbH (Reininghausstraße 13a | 8020 Graz, Austria; Tel.: +36 1 255 03 36; Fax: +43 316 813681-1203; E-mail: kapcsolat@wirecard.com; hereinafter: Wirecard), a financial enterprise separate and independent from the Service Provider; payment can be initiated and made there, in relation to which the Service Provider does not process any data and has no influence over the processing performed by Wirecard during the procedure.

Duration of processing

13.1. For registered Data Subjects: until deletion of the registration.

13.2. For non-registered Data Subjects: their data are deleted upon closure of the relevant Service in the Service Provider’s system.

13.3. Data provided for newsletter subscription and direct marketing are deleted without delay upon the Data Subject’s unsubscription or termination of registration.

13.4. Otherwise, the Service Provider deletes the processed data at the Data Subject’s request, except for data whose continued processing is necessary due to a settlement dispute between the parties, other legal dispute—until its conclusion—and/or due to legal requirements. In particular, but not exclusively:

In view of Section 78 (3) of the Act on the Rules of Taxation, data are kept for 5 years.
In view of Section 169 (1)–(2) of the Accounting Act, data are kept for 8 years.
And for a longer period if so provided by law.

13.5. The Service Provider reserves the right to process the relevant data, to the necessary extent, beyond the above deadlines until the expiry of the limitation period for enforcing claims arising from rights and obligations stemming from the activity giving rise to processing.

Source of data

14.1. The processed data are obtained directly from the registered Data Subject; accordingly, the Service Provider commences processing the data provided to it—these are recorded in its system—only if, in connection with individual bookings, the registered Data Subject declares, assuming criminal liability, that the data of the Data Subject designated as entitled to the given Service were provided with their knowledge and explicit consent for the purpose of identification and use of the Service.

Possibility of amending the Privacy Policy

15.1. The Service Provider reserves the right to unilaterally amend this Policy for the future. The new Policy will be published on the Noir Hotel Website.

Information, right to object, erasure, restriction of processing

16.1. The Data Subject may request information regarding the processing of their personal data and may request the rectification and—except for processing prescribed by law—erasure of their personal data under this Policy, in particular via the above contact details.

16.2. Upon the Data Subject’s email request, the Service Provider provides information on the data it processes, the purpose, legal basis, and duration of processing, the name and address (registered office) of the processor and its activities related to processing, as well as who receives or has received the data and for what purpose. The Controller shall provide information in writing, in an intelligible form, free of charge within the shortest possible time, but no later than fifteen (15) days from submission of the request—costs may be charged by the Service Provider only in exceptional cases (if the requester has not submitted a request for information to the controller concerning the same set of data in the current year; in other cases, a fee may be set. The fee may be recorded in the contract between the parties. Fees already paid must be refunded if the data were processed unlawfully or the request for information led to rectification).

If the Data Subject’s information may not be refused by law, the Service Provider provides information on the data processed by it or by a processor acting on its behalf or under its instructions, their source, the purpose, legal basis, and duration of processing, the name and address of the processor and its activities related to processing, the circumstances and effects of any data protection incident and measures taken to remedy it, and—in the case of transfer of the Data Subject’s personal data—the legal basis and recipient of the transfer. Otherwise, the information covers the details set out in Articles 13–14 of Section 2 of the GDPR.

16.3. The Service Provider is obliged to rectify inaccurate personal data. The Controller shall erase personal data if processing is unlawful, if requested by the Data Subject—in which case within a maximum of five (5) days—if the data are incomplete or incorrect—and this state cannot be lawfully rectified—provided that erasure is not precluded by law, if the purpose of processing has ceased, the statutory storage period has expired, or if ordered by a court or by the National Authority for Data Protection and Freedom of Information. The Service Provider shall notify the Data Subject and all those to whom the data were previously transmitted for processing purposes of the rectification and erasure. Notification may be omitted if it does not harm the Data Subject’s legitimate interest in view of the purpose of processing.

16.4. If the Data Subject uses personal data unlawfully or in a misleading manner, or commits a criminal offence, the Service Provider reserves the right, in the event of such use, to retain the relevant data for the purpose of evidence in any judicial or non-judicial proceedings until their conclusion. The foregoing applies mutatis mutandis where the Data Subject requested erasure of personal data in order to frustrate or at least hinder the enforceability of the Service Provider’s legitimate claim.

16.5. The Data Subject may object to the processing of their personal data, in particular:

if processing or transmission of personal data is necessary solely for compliance with a legal obligation applicable to the Service Provider or for the enforcement of the legitimate interests of the Service Provider, the data recipient, or a third party, except in the case of mandatory processing;
if the personal data are used or transmitted for direct marketing, public opinion polling, or scientific research purposes; and
in other cases specified by law.

16.6. The Service Provider shall examine the objection within the shortest possible time from submission of the request, but no later than fifteen (15) days, make a decision on whether it is justified, and inform the applicant in writing of its decision. During the examination period, but for no more than five (5) days, the Service Provider will suspend processing. If the objection is justified, the head of the organisational unit processing the data shall proceed as set out in the GDPR. Furthermore, the Data Subject may exercise the right to object by automated means based on technical specifications, through cancellation of the Service as provided in the Noir Hotel GTC, deletion of registration, or other applicable option available in the Noir Hotel System (GDPR Article 21(6)).

16.7. If the Service Provider establishes that the Data Subject’s objection is well-founded, it shall terminate processing—including further data collection and transfer—and block the data, and notify all those to whom the personal data affected by the objection were previously transmitted and who must take action to enforce the right to object. If the Data Subject disagrees with the Service Provider’s decision or if the Service Provider fails to meet the deadline, the Data Subject may turn to a court within thirty (30) days from the notification of the decision or the last day of the deadline.

16.8. The Service Provider shall compensate for any damage caused to others by unlawful processing of the Data Subject’s data or by breaching the requirements of technical data protection. The Service Provider is exempt from liability if it proves that the damage was caused by an unavoidable reason beyond the scope of processing. No compensation is payable to the extent that the damage resulted from the injured party’s intentional or negligent conduct.

16.9. Information to Data Subjects may be omitted/refused or restricted, with detailed reasoning, in accordance with Article 13(4) and Article 14(5) of the GDPR, if:

the Data Subject already has the information;
providing the information proves impossible or would involve a disproportionate effort, in particular for processing for archiving in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards of Article 89(1) of the GDPR, or where the obligation to provide information is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the Service Provider must take appropriate measures—including making the information publicly available—to protect the Data Subject’s rights, freedoms, and legitimate interests;
obtaining or disclosure of the data is expressly laid down by Union or Member State law applicable to the Service Provider, which provides appropriate measures to protect the Data Subject’s legitimate interests; or
personal data must remain confidential under a professional secrecy obligation laid down in Union or Member State law, including a statutory duty of confidentiality.

16.10. Furthermore, the Data Subject has the right to obtain access to personal data concerning them and the following information:

a copy of the personal data (additional copies may bear a fee);
purposes of processing;
categories of data;
data related to automated decision-making and profiling;
information on the source in the case of data acquisition;
recipients to whom the data have been or will be disclosed;
information and safeguards relating to transfers to third countries;
storage period and its criteria;
the Data Subject’s rights;
the right to lodge a complaint with a supervisory authority.

16.11. Method of exercising the right of access: If the Data Subject submits the request by electronic means, the information shall be provided in a commonly used electronic form unless otherwise requested by the Data Subject.

16.12. The right to obtain a copy must not adversely affect the rights and freedoms of others.

16.13. If the Service Provider has made the data public and is obliged to erase it, it shall, taking account of available technology and the cost of implementation, take reasonable steps to inform other controllers processing the data that the Data Subject has requested erasure of links to, or copy or replication of, that personal data.

16.14. The Data Subject may not exercise the right to erasure and to be forgotten where processing is necessary: for exercising the right of freedom of expression; for compliance with a legal obligation or performance of a task carried out in the public interest or in the exercise of official authority; for reasons of public interest in the area of public health; for archiving in the public interest, scientific or historical research purposes; or for the establishment, exercise, or defence of legal claims.

16.15. The Service Provider shall restrict processing at the Data Subject’s request if:

the Data Subject contests the accuracy of the personal data;
processing is unlawful and the Data Subject opposes erasure of the data;
the Service Provider no longer needs the personal data, but the Data Subject requires them for the establishment, exercise, or defence of legal claims;
the Data Subject has objected to processing and the Service Provider is still verifying the objection.

Duty to notify

17.1. The Service Provider shall notify each recipient to whom the personal data have been disclosed of any rectification, erasure, or restriction, unless this proves impossible or involves disproportionate effort.

Data portability

18.1. The Data Subject has the right to receive the data provided to the Service Provider:

in a structured, commonly used, machine-readable format;
has the right to transmit those data to another controller;
may request direct transmission of the data to another controller—
if technically feasible,

except for processing carried out in the public interest or in the exercise of official authority.

Legal remedies

19.1. In the event of a breach of their rights, Data Subjects may enforce their legal remedies against the Service Provider before the arbitration court specified in the Service Provider’s then-current and effective General Terms and Conditions, and may also turn to the National Authority for Data Protection and Freedom of Information (mailing address: 1534 Budapest, Pf.: 834; address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.) under the Info Act and relevant legislation. The court shall proceed in the case as a matter of priority.

I hereby adopt and bring this Policy into force as of today.

Dated: Szeged, 2021.08.02.

Look-up Média Limited Liability Company