Privacy policy
Data Processing and Data Security Policy (GDPR POLICY)
Garzon Plaza Ltd., Hotel Garzon Plaza****
Office: 9024 Győr, Vasvári Pál utca 1. B. ép.
Company registration number: 08 09 015113
Tax number: 13995803-2-08
Website: www.garzonplaza.hu
Date of entry into force: 1 June 2026.
This Data Protection and Data Security Policy (hereinafter: “Data Protection Policy”) applies to the Hotel operated by Garzon Plaza Kft. (hereinafter: “Data Controller”) and the website and related services operated by the Data Controller.
The purpose of the Data Protection Policy is to provide data subjects with information on the methods, purposes, legal basis and duration of the processing of personal data, as well as on data security measures and the rights to which data subjects are entitled.
When processing personal data, the Data Controller complies with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), Act CXII of 2011 on the Right to Self-Determination in Information and Freedom of Information (Infotv.), and other relevant Hungarian and European Union legislation.
I. THE PURPOSE OF DATA PROCESSING
The Data Controller processes personal data for the following purposes:
- the provision of the Hotel, Garzon and Plaza**** services, and the management, amendment and confirmation of accommodation bookings;
- maintaining contact with guests, providing them with information and communicating with them;
- the drawing up, fulfilment and documentation of accommodation service contracts;
- checking guests in and out, and managing their stay at the hotel;
- compliance with the legal obligations regarding the recording of guest data, data reporting and record-keeping, in particular the provision of data to the VIZA system and the National Tourism Data Centre (NTAK);
- compliance with invoicing, accounting and tax obligations;
- the administration of salaries and the processing of salary transactions;
- the provision of additional services offered by the hotel (such as wellness, parking, conference and event services, and catering services);
- meeting any special requirements indicated by guests;
- carrying out complaint handling and customer service duties;
- ensuring the personal safety and security of property of the hotel and its guests, including the operation of the electronic surveillance system (CCTV system);
- the operation and development of the website, maintaining its security, and analysing visitor statistics;
- marketing activities, sending newsletters and other commercial offers, provided the data subject has given their prior consent;
- improving the quality of services, measuring guest satisfaction and developing services;
- safeguarding the Data Controller’s legitimate interests, and bringing, enforcing and defending legal claims.
The Data Controller processes only such personal data as is necessary to fulfil the specific purpose of the data processing, and processes such data in accordance with the relevant legislation and the principles of the GDPR.
II. SCOPE OF THE REGULATIONS
The scope of this Privacy Notice extends to all natural persons whose personal data are processed by the Data Controller in the course of its activities, and in particular:
- Guests using the Hotel, Garzon and Plaza**** services;
- the Parties responsible for paying for the Services;
- persons arriving with the Guest and using the Services (Persons Accompanying the Guest);
- persons requesting a quote, initiating a booking or finalising a booking;
- visitors to the hotel’s website and users of its online services;
- people who have subscribed to the newsletter;
- persons submitting a complaint, application or other enquiry;
- persons entering the hotel premises, where the processing of their personal data becomes necessary, in particular for the operation of the CCTV system, security measures or other legitimate data processing purposes.
For the purposes of this Notice, unless otherwise specified, the term “Guest” also includes Persons Accompanying the Guest, provided that the nature of the data processing in question permits this.
III. LEGAL BASIS FOR DATA PROCESSING
The Data Controller shall process personal data only where the legal bases set out in the GDPR apply. The legal basis for each data processing activity may, in particular, be as follows:
III.1. Performance of the contract
(Article 6(1)(b) of the GDPR)
Data processing is necessary for the performance of a contract to which the data subject is a party, or is necessary for taking steps at the data subject’s request prior to entering into a contract. This includes, in particular:
- quotation and booking management;
- the provision of accommodation services;
- communication regarding the booking;
- payroll management;
- the provision of additional services requested by the Guest.
III.2. Compliance with a legal obligation
(Article 6(1)(c) of the GDPR)
The Data Controller is obliged to comply with the legal obligations applicable to it and is therefore required to process certain personal data. This includes, in particular:
- compliance with invoicing and accounting obligations;
- compliance with tax obligations;
- data recording relating to the Closed Guest Information Database (VIZA) system;
- the provision of data to the National Tourism Data Centre (NTAK);
- complying with requests from the authorities;
- other record-keeping and data reporting obligations prescribed by law.
III.3. Legitimate interest
(Article 6(1)(f) of the GDPR)
Data processing based on the legitimate interests of the Data Controller or a third party may be carried out, in particular, for the following purposes:
- the protection of the personal safety and property of the hotel, its guests and staff;
- operation of an electronic surveillance system (CCTV system);
- the security of the hotel’s IT systems;
- the prevention and investigation of fraud, misconduct and damage;
- the submission, enforcement and defence of legal claims;
- monitoring and improving the quality of services.
Prior to commencing such data processing operations, the Data Controller shall in all cases carry out the necessary data protection impact assessment.
III.4. Consent
(Article 6(1)(a) of the GDPR)
The Data Controller processes data on the basis of the data subject’s voluntary, specific, informed and unambiguous consent, in particular:
- for the purpose of sending newsletters and marketing communications;
- to send out promotional offers and discounts;
- when using non-essential cookies and tracking codes for marketing purposes;
- in the case of data which is not required to be processed under legislation or a contract.
The data subject may withdraw their consent at any time, without giving any reason. Such withdrawal does not affect the lawfulness of any data processing carried out on the basis of that consent prior to the withdrawal.
IV. SCOPE OF DATA PROCESSED
In the course of providing accommodation services, fulfilling its legal obligations and carrying out its operations, the Data Controller may process the following personal data:
- identification details: name, place and date of birth, nationality (where required by law);
- contact details: telephone number, email address, postal address;
- booking and accommodation details: date of booking, arrival and departure dates, room number, number of guests, services used;
- invoicing details: billing name, address, tax number (where applicable), billing and payment details;
- document details: the type, number and expiry date of the identity document, as well as the recording of the data required by law, for the purposes of complying with the VIZA system and the NTAK data reporting requirements (using an official document reader);
- parking details: vehicle registration number, duration of parking (where a parking service is used);
- payment details: payment method, transaction identifiers, and, in the case of payment by bank card, data processed by the payment service provider (the Data Controller does not store full bank card details);
- communication details: the content of communications via email, telephone, online platforms or other channels;
- data recorded by the CCTV system: photographs and video recordings taken in the hotel’s communal areas;
- complaints-handling data: the content of complaints, the date of submission, documents produced during the investigation, and the responses.
The Data Controller processes only such data as is necessary to achieve the specific purpose of data processing and which complies with the relevant legal requirements.
V. NTAK AND COMPLIANCE WITH LEGISLATION
In order to fulfil its obligations under the relevant legislation, the Data Controller may transfer personal data to the following organisations:
- National Tourism Data Centre (NTAK) for the purpose of reporting guest and transaction data, as required by law, in connection with the use of accommodation services;
- National Tax and Customs Administration (NAV) for the purpose of fulfilling invoicing, accounting and tax obligations;
- competent authorities and courts in the event of an official request, a legal obligation or a legal dispute.
The Data Controller carries out all data transfers exclusively in accordance with the relevant legal provisions, to the extent necessary and in accordance with the principle of purpose limitation.
VI. DATA RETENTION
The Data Controller shall retain personal data for as long as is necessary to fulfil the purpose for which it was collected, and for the period prescribed by the relevant legislation. The retention periods applicable to the various categories of data processing are, in particular, as follows:
- accounting and tax data: at least 8 years in accordance with Act C of 2000 (the Accounting Act);
- contract and booking details: 5 years from the date of performance of the contract or the termination of the legal relationship (civil law limitation period);
- NTAK data: for the period and in the manner specified in the legislation in force at any given time, in accordance with the regulations of the National Tourism Data Centre;
- data relating to the VIZA system: in accordance with the retention and deletion periods specified in the legislation;
- CCTV footage: 3–30 days from the date of recording, depending on the purpose of the recording and the need to investigate security incidents;
- data for marketing purposes: until the data subject withdraws their consent or the purpose ceases to apply.
The Data Controller shall delete or anonymise personal data once the retention period has expired.
VII. CAMERA SYSTEM
An electronic surveillance system (CCTV) is in operation in the Hotel’s communal areas – in particular at reception, the main entrances, corridors, the wellness area, the car park, the bicycle storage area and the garden.
The purpose of operating the CCTV system is:
- the protection of the lives, physical safety and property of persons on the hotel premises;
- the protection of the Hotel’s property;
- preventing infringements and, where necessary, providing evidence of them retrospectively;
- to prevent unauthorised access and misuse.
Key rules governing the operation of the CCTV system:
- the camera system does not operate in guest rooms, nor in areas intended for their direct, intimate use;
- the camera system does not operate in bathrooms, toilets, changing rooms or other private areas;
- the CCTV system operates exclusively in communal areas, not in private areas;
- the positioning and operation of the cameras are not intended to impose any unjustified or disproportionate restrictions on privacy.
Only authorised persons may access the recorded footage, and it is processed in accordance with the relevant data protection legislation.
The Hotel stores the recordings in accordance with the relevant data retention period (3–30 days), after which they are automatically deleted, unless retention is justified on the grounds of a legal infringement or official proceedings.
By using the Accommodation’s services, the Guest acknowledges the operation of the CCTV system, about which the Hotel provides information via clearly visible notices.
VIII. GUESTS’ RIGHTS
Data subjects are entitled to the following rights under Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR):
- Right of access:
The data subject is entitled to request confirmation as to whether their personal data is being processed and, if so, is entitled to request information about it and a copy of it.
- Right to rectification:
The data subject has the right to request the rectification of inaccurate personal data concerning them and the completion of incomplete data.
- Right to erasure (“right to be forgotten”):
The data subject may request the erasure of their personal data provided that certain conditions are met. Erasure cannot be requested if the processing of the data is necessary to comply with a legal obligation (e.g. accounting or NTAK/VIZA obligations).
- Right to restriction of processing:
The data subject is entitled to request the restriction of data processing, for example in the case of disputed data or in order to assert legal claims.
- Right to data portability:
The data subject is entitled to receive the data relating to them, which they have provided, in a structured, commonly used, machine-readable format, and may request that such data be transmitted to another data controller, provided that this is technically feasible.
- Right to object:
The data subject has the right to object to the processing of their personal data where such processing is based on a legitimate interest. In such cases, the Data Controller shall cease processing the data, unless it can demonstrate that there are compelling legitimate grounds for the processing.
- Right to withdraw consent:
Where data processing is based on consent (e.g. for marketing purposes), the data subject has the right to withdraw their consent at any time; this does not affect the lawfulness of the data processing carried out prior to the withdrawal.
The data subject may exercise their rights by contacting the Data Controller.
IX. DATA SECURITY
In order to protect the personal data it processes, the Data Controller implements technical and organisational measures commensurate with the level of risk, particularly in the following areas:
- preventing unauthorised access to personal data;
- preventing the unauthorised alteration, transmission, disclosure or deletion of data;
- preventing the accidental loss, damage or destruction of data;
- the protection of IT systems and databases against malicious attacks (e.g. data theft, unauthorised access).
To ensure data security, the Data Controller employs, amongst other measures, access control systems, password protection, encrypted data connections, regular backups, as well as internal organisational rules and access restrictions.
The aim of these measures is to ensure the confidentiality, integrity and availability of personal data.
X. DATA TRANSFER
The Data Controller may transfer personal data to the following recipients only to the extent necessary and for lawful purposes:
- accountancy and financial service providers for the purpose of fulfilling accounting, tax and financial obligations;
- payment service providers and banking partners acting on its behalf (e.g. for the processing of credit card payments, SZÉP cards and online payment systems);
- third-party online accommodation booking platforms (OTAs), such as Booking.com, Expedia and other booking platforms, for the purpose of managing and fulfilling bookings;
- authorities specified in legislation (e.g. the National Tax and Customs Administration, NTAK, the police, the courts), in order to comply with a legal obligation or in response to an official request;
- IT and systems operations service providers responsible for the operation, maintenance and development of the hotel and web systems, acting solely in the capacity of data processors.
The Data Controller ensures compliance with the principles set out in the GDPR (in particular the principles of purpose limitation, data minimisation and necessity) in all data transfers, and transfers data only where there is an appropriate legal basis.
XI. MARKETING DATA PROCESSING
Marketing communications (including the sending of newsletters, promotional offers and other advertising messages) are sent solely on the basis of the data subject’s prior, voluntary and explicit consent.
The data subject is entitled to withdraw their consent at any time, without giving any reason, for example by using the unsubscribe link in the newsletter or by sending a request to the Data Controller.
The withdrawal of consent does not affect the lawfulness of data processing carried out prior to the withdrawal, and does not entail any adverse consequences with regard to the use of the services.
XII. COMPLAINTS AND REMEDIES
Data subjects may submit their comments, questions or complaints regarding data processing using the contact details below:
To the Data Controller
- E-mail: hotel@garzonplaza.hu
The Data Controller shall examine any enquiries received without undue delay and respond in accordance with the relevant legislation.
To the supervisory authority
If the data subject considers that the processing of their personal data infringes the relevant data protection regulations, they are entitled to lodge a complaint with the supervisory authority:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 9–11 Falk Miksa Street, 1055 Budapest.
Website: https://naih.hu
The data subject is also entitled to seek judicial redress in the event of an infringement of their rights in relation to data processing.
XIII. DATA PROCESSORS
The Service Provider is entitled to engage data processors for the provision of services and the performance of data processing activities.
Data processors act on behalf of the Data Controller and in accordance with its instructions, and may process personal data only to the extent necessary.
The Service Provider may engage data processors in the following areas in particular:
- accounting and financial services (for the purpose of complying with accounting and tax obligations)
- IT services (system operation, maintenance, hosting services, IT support)
- accommodation booking and hotel management systems (PMS, booking systems)
- payment service providers and banking partners (processing online and in-person payments)
The Data Controller enters into a written contract with each data processor to ensure that data processors comply with the provisions of the GDPR and process personal data solely in accordance with the Data Controller’s instructions.
XIV. FINAL PROVISIONS
The Service Provider reserves the right to amend this Privacy Notice unilaterally, in particular in the event of changes to legislation, official guidelines, the introduction of new data processing activities or technological changes.
The amended Privacy Notice shall come into force upon publication on the Service Provider’s official website. The Service Provider shall ensure that the current version is available at all times.
Where the amendment significantly affects the rights of the data subjects, the Service Provider may also provide separate notification of the change.