Privacy Policy - Hotel****Garzon Plaza

Garzon Plaza Ltd.

Privacy and Data Security Policy

Date of entry into force: 25 May 2018

Table of contents

1. Purpose of the Code

2. Definitions

3. Principles of data management

4. Legal basis for processing

5. Rules on data security

6. Processing of personal data

- Admission, staff registration

- 1TP8Service rules

- Camera surveillance system operation

- Data processing on the website

- Internal records on data processing and transfers

- Data processing in connection with the establishment of an employment relationship

- Processing of data relating to health conditions

- Fitness for work assessment

- Taking photos or videos for educational or informative purposes

- Data management on social networking sites

- Processing of CVs sent by post, e-mail or in person

7. Use of a data processor

8. Transfers of data abroad

9. Rights of the data subject, legal remedies

9.1 Data breach handling

10. Annexes

1. Annex No.: Sample confidentiality statement + sample employment contract addendum for employees

2. Annex No.: IT Security Policy Statement

3. Annex No.: House Rules

4. Annex No.: Model employee information notice on the use of electronic access control systems

5. Annex No.: Authorisation mandate

6. Annex No.: Electronic Surveillance System Information Sample and Camera System Schematic

7. Annex No.: Data of persons with a right of access to the electronic surveillance system

8. Annex No.: Protocol for blocking a sample camera system recording

9. Annex No.: Protocol for viewing a sample camera system recording

10. Annex No.: Internal records on data processing and transfers

11. Annex No.: Information for employees on the establishment of employment

12. Annex No.: Consent form sample photo or video

13. Annex No.: Consent form for taking a sample photo or video + consent form of a minor child under 16

14. Annex No.: Model contract for data processing for EEA member countries

15. Annex No.: Employee consent for ad hoc data transfers to a country outside the EEA

1. Purpose of the Code

In order to ensure the necessary conditions for compliance with data protection requirements and an adequate level of security of data processing, Garzon Plaza Kft. (hereinafter referred to as the "Company"), to ensure the disclosure of data of public interest and data of public interest generated in the course of its operation, to determine the order of execution of requests for data of public interest, to determine the tasks and responsibilities for the publication of data of public interest and data of public interest, and to ensure the up-to-dateness of the information flow, I hereby determine the following.

1.2 Scope of the Code

- Scope of the Rules covers

a) to all employees of the Company, as well as to employees engaged on an ad hoc basis,

b) the data processor; and

c) in addition to the above, to any person who has any contractual relationship with the Company.

- Scope of the Rules covers

a) all data generated by the Company,

(b) data managed or processed in an IT system,

d) hardware and software used by the Company; and

(e) data of public interest or data in the public interest relating to the activities of the Company and arising in the course of its operations.

2. Definitions

- involved: any natural person who is identified or can be identified, directly or indirectly, on the basis of specific personal data.

- personal data: data that can be associated with the data subject - in particular the name, the identification mark of the data subject and one or more physical, physiological, mental, economic, cultural or social identifiers - and the inference that can be drawn from them concerning the data subject.

- special data: data revealing racial or ethnic origin, membership of a national or ethnic minority, political opinions, party affiliation, religious or philosophical beliefs, membership of political parties, health, pathological conditions, sexual life

- data file: the set of data managed in a register system

- criminal personal data: personal data relating to the offence or the criminal proceedings, obtained during or prior to the criminal proceedings, by the bodies competent to prosecute or investigate criminal offences and by the bodies responsible for the enforcement of sentences, which can be associated with the data subjects, and personal data relating to criminal records.

- Contribution: a voluntary and explicit indication of the data subject's wishes, based on appropriate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, either in full or in relation to specific operations.

- Protest: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data.

- data controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements decisions regarding the processing (including the means used) or implements them through a processor on its behalf.

- data management: irrespective of the procedure used, any operation or set of operations which is performed upon the data, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data and the prevention of their further use.

- data transmission: making the data available to a specified third party.

- disclosure: making the data available to anyone

- data deletion: rendering data unrecognisable in such a way that it is no longer possible to recover it.

- data tagging: the marking of data with an identification mark to distinguish it.

- data storage: to identify the data for the purpose of limiting its further processing permanently or for a limited period of time.

- data destruction: the complete physical destruction of the medium containing the data.

- data processing: the performance of technical tasks related to processing operations, irrespective of the methods and means used to carry out the operations and the place of application, provided that the technical task is performed on the data.

- data processor: the natural or legal person or unincorporated body which carries out the processing of data on the basis of a contract with the controller, including a contract concluded on the basis of a legal provision.

- data registry system: any structured, functionally or geographically centralised, decentralised or dispersed set of personal data accessible on the basis of specified criteria

- privacy incidents: unlawful processing or processing of personal data, unauthorised access, disclosure, transmission, erasure, blocking, blocking, destruction or damage

- third party: a natural or legal person or unincorporated body other than the data subject; the controller or the processor.

- third country: any state that is not an EEA state.

3. Principles of data management

The Company's data management activities are carried out for the reasons set out in this notice. The Company's Managing Director, in consultation with the Company's management, determines the data management responsibilities of its employees. The purpose of their activities is to ensure the accuracy of the data at all stages of the processing in a lawful and fair manner, and to ensure the protection of the data subject's personal data in the event of unauthorised access, alteration, disclosure, deletion or destruction. The agents of other organisations or undertakings involved in the processing of data in relation to the Company are obliged to keep the data they receive as business secrets. These entities are required to sign a confidentiality statement / Annex 1 /

4. Legal basis for processing

Personal data can be processed if:

- with the consent of the data subject, or

- it is required by law or on the basis of a law or a local government decree for a purpose in the public interest within the scope specified by law or on the basis of a law or a local government decree / mandatory data processing /

In the case of mandatory data processing, the types of material to be processed, the purposes and conditions of the processing, the availability of the data, the duration of the processing and the identity of the controller are determined by law or by municipal decree. Personal data may also be processed where obtaining the consent of the data subject would involve an impossible or disproportionate effort and the processing of the personal data is necessary for compliance with a legal obligation to which the Company is subject or is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, and the pursuit of those interests is proportionate to the restriction of the right to the protection of personal data.

The data subject must be informed before the processing starts whether the processing is based on consent or whether it is mandatory. The data subject must be informed in a clear, plain and detailed manner of the personal data that will be processed and of all the facts relating to the processing of his or her data, in particular the purposes and legal basis of the processing, the identity of the controller, the duration of the processing and the persons who may access the data.

If the personal data are collected on the basis of the data subject's consent, the Company may process the collected data without further specific consent, unless otherwise provided by law, for the purpose of complying with a legal obligation to which the data subject is subject or for the purposes of its own or a third party's legitimate interests, where such interests are proportionate to the restriction of the right to the protection of personal data.

The Company conducts its data management activities in accordance with the following legislation:

- Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information

- Act CXXXIII of 2005 on the rules of personal and property protection and private investigation

- Act V of 2013 on the Civil Code

- Act C of 2000 on Accounting

- Act CLV of 1997 on Consumer Protection

- Act CXVII of 1995 on Personal Income Tax

- XCIII Act of 1993 on Occupational Safety and Health

- Act I of 2012 on the Labour Code

- Act CVIII of 2001 on certain aspects of electronic commerce services and information society services

5. Rules on data and information security

The Company stores personal data on paper or on a computer network. Paper storage shall only be carried out in a room with an alarm system, which can be properly locked, in such a way that it cannot be accessed or known by unauthorised persons. In the case of computer storage, the provisions on the protection of personal data contained in the information security policy issued by the relevant administrator shall apply. The Company has the following policies to protect electronic information:

- IT Security Policy

The IT security policy's statement of responsibility for users is set out in the annex to the Data Security and Privacy Policy. / Annex 2/

6. Processing of personal data processed by the Company

6.1 Admission - headcount register

Purpose of the processing: Only authorised employees are entitled to enter the premises of the institutions under the supervision of the Company. The Company reserves the right to determine the persons who may enter its premises. The purpose of the processing of data is not only to keep records of the number of staff, but also to protect life and property, the criteria for which are the exact location and number of employees, businesses and individuals on the premises. The Company provides access cards for employees in the operation of the electronic staff registration system.

The information for employees on the use of the electronic access control system is set out in the annex to the Data Protection and Security Policy. / Annex 3 /

Scope of data processed in the case of employees: Name, master number, card ID, exit/entry date

Legal basis for processing: Voluntary consent of the person concerned and the provisions of Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation and the provisions of Act I of 2012 on the Labour Code.

Duration of processing: The Company shall destroy the identification data of the person concerned immediately upon termination of the right to access, and the data generated during the operation of the system and the data generated on paper no later than 6 months after the data were generated.

6.2 Hotel Processing of data of visitors requesting a service

Purpose of the processing: When using certain hotel services, the Guest shall fill in a hotel registration form in which he/she consents to the Company processing the following mandatory data for the purposes of fulfilling its obligations under the applicable legislation (in particular legislation on tourism and tourist tax), for the purpose of proving compliance and for the identification of the Guest, for as long as the competent authority is able to verify compliance with the obligations under the relevant legislation.

Scope of the data processed: Name, name at birth, place of birth, date of birth, address, passport or ID card number, student ID card number, date of entry/exit, nationality (for statistical purposes only, data processed in a non-traceable manner).

Legal basis for processing: Decree 34/2012 (XII.19) of the MYMJV on the local tourist tax

Duration of processing: For room reservations, up to 5 years from the date of reservation. In case of cancellation of the reservation, the data will be deleted immediately. In the case of an accounting document, 8 years in accordance with the provisions of the 2000 C.tv on accounting.

6.3.b. Processing of bank card data

The bank, credit card/bank account details provided during the reservation process will be used by the Company only to the extent and for the duration necessary for the exercise of its rights and the fulfilment of its obligations. The data is processed by the Company's contractual banking partners. This data processing will be notified to the relevant bank (K&H - www.kh.hu) website. For more information about the credit card data handled by some of the company's subsystems, please contact the This email address is being protected from spambots. You need JavaScript enabled to view it. To secure a reservation, the hotel may request credit card details on the basis of an authorisation order (Annex 5), which may only be used to the extent and for the duration specified by the guest. The credit card details must then be destroyed no later than 72 hours after the guest checks out.

6.4 Camera surveillance system operation

Purpose of the processing: the Company, as the data controller, operates an electronic surveillance system in its facilities in order to prevent accidents, to protect physical integrity and to prevent possible offences and crimes against property. The Company does not operate an electronic surveillance system for the purpose of monitoring its employees and does not aim to influence the employee's behaviour at work. Thus, there is no camera system in the rooms where breaks are taken, toilets and changing rooms. The management of the Company is committed to ensuring that only cameras with a public position that can be seen by employees and guests are installed on the premises. The schematic diagram of the camera placement and the information to employees on the electronic surveillance system are attached to this privacy policy / Annex 6-7-8-9/

Scope of the data processed: The facial image of persons entering the Company's premises as seen by the camera system and other conclusions that can be drawn from the images recorded by the surveillance system

Legal basis for processing: for guests, the voluntary consent of the person concerned by entering the area, for employees, the provisions of Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation and the provisions of Act I of 2012 on the Labour Code

Duration of processing: According to the provisions of Act CXXXIII of 2005 on the rules of personal and property protection and private investigation 3 days.

Garzon Plaza Ltd. will delete the camera recordings after the statutory time limit has expired if they have not been used. In case of use, saving beyond 3 days may be made if an authority orders the saving of the camera recordings in the course of the evidentiary procedure, if the person concerned requests the data controller to save the recordings concerning him/her by proving his/her legitimate interest. The Company's Data Protection Officer will assess the legitimacy of the request received and, if the request is justified, will ensure that the recording is saved and blocked in accordance with the law.

In the event of an official request, the Company will immediately hand over the exempted record to the requesting organisation. If no request is made in relation to the blocked recording, the recording will be destroyed by the Company after 30 days.

6.5 Data management on the Website

Any external visitor may access the Company's website and the information published by the Company. When visiting the website, the website does not record the user's IP address or any other personal data.

4. Contacting customers

Purpose of the processing: The Company's websites provide the opportunity for prospective partners to contact directly the Company's designated contact persons. The use of the contact point requires acceptance of the privacy statement on the website.

Scope of the data processed: Name / Company name / Phone number, e-mail address

Legal basis for processing: § 5 of Act CXII of 2011 on Freedom of Information and the Right to Informational Self-Determination. The processing of partners' data is considered customer data and is therefore not registered with the data protection authority.

Duration of processing: Until the withdrawal of the registered partner's consent.

6.6 Internal records on data management and transfers by the Company

Pursuant to Article 15 of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, the Company shall keep records on data management and data transfer processes and the related data transfer process. The documentation of the data management and transfer records is set out in the annex to the Data Security and Privacy Policy. / Annex 10 /

6.7 Data processing in connection with the establishment of an employment relationship

Purpose of the processing: The purpose of processing data relating to the employment relationship is to establish or maintain the employment relationship. When applying for a job, personal data are processed only after the person concerned has been informed in writing /Annex 11/, the sole responsibility of the HR manager. In addition to the HR Manager, only the Managing Director and the Sales Manager may have access to this personal data for the purposes of assessing the suitability of the applicant for recruitment. The Company does not make the filling of available positions conditional on the presentation of a certificate of good character and the decision to hire an employee is not influenced by the existence of such a certificate. The Company maintains payroll and labour records of its employees, which are used for payroll, social security and statistical purposes, and for the assessment of employer's tax under Act CXVII of 1995.

Legal basis for processing: The consent of the person concerned, by signing the attached information sheet and the Act I of 2012 on the Labour Code and Act CXVII of 1995.

Duration of processing: Only until the employee's employment, or if the processing is required by law or by municipal regulation, taking into account the provisions of the laws indicated in point 1.

The Company processes personal data relating to the employee in connection with the establishment of the employment relationship:

- Employee name

- Name at birth

- Place and date of birth

- Nationality

- Mother's name

- Your place of residence

- Tax identification number

- Social security number

- Bank account number

- Membership of a private pension fund

- Pensioner master number

- Current account number

- Start of employment

- Number of hours worked per week

- A copy of your school leaving certificate

- Certificate of fitness for work

- Job title

- Data, number of children

- Telephone number of persons to contact in the event of an accident

- Possession of driving licences

6.8 Data processing in relation to medical fitness

Sensitive data relating to medical fitness will be processed by the Company only to the extent necessary to achieve its purpose. The Company has contracted with a health care provider to decide on medical fitness and therefore does not process detailed health data of the employee, but only a document relating to the existence of fitness or a decision on the unsuitability of the prospective employee. If the employment relationship is terminated due to the applicant's medical unfitness, the Company will delete the data without delay.

Health care provider: Pro-San Kft. 9021 Győr, Árpád út 28-32.

6.9 Fitness for work assessment

Purpose of the processing: Employees may only be present and work in the premises of the establishments managed by the Company in a condition suitable for safe work and in compliance with the instructions and regulations relating to occupational safety. Employees must cooperate with their colleagues and carry out their work in a manner that does not endanger the safety of others or their own physical integrity.

Employees are prohibited from being under the influence of alcohol or other mind-altering substances throughout the premises of the establishments managed by the Company. Being under the influence of such mind-altering substances. Since the ability to work cannot be ensured under the influence of these mind-altering substances, the employer is obliged to ensure that employees comply with the rules on the prohibition of alcohol consumption, in accordance with Act I of 2012 on the Labour Code and Act XCIII of 1993 on Labour Protection. The employer's inspection practice must not be in violation of human dignity, so the inspection can only be carried out in accordance with the Company's instructions on occupational safety and health. The record of the employee's breathalyser test is set out in the annex to the Privacy and Data Security Policy / Annex 11 /

Scope of the data processed: Employee's name, mother's name, place and date of birth, position, result of the check

Legal basis for processing: Section 60 of Act XCIII of 1993 on Occupational Safety and Health and Section 52 of Act I of 2012 on the Labour Code

Duration of processing: Time limit for the enforcement of claims based on rights and obligations arising from the fact of the inspection.

6.10 Photographic or video recordings for educational or information purposes

Purpose of the processing: The Company may produce informative or promotional films and photographs featuring the Company's employees on the technology used in the work and event organisation, on the presentation of the work processes, and on events organised within the framework of the Company. Employees are not obliged by the Company to appear in the footage, it is solely the individual choice of the employee. The Employer declares that the purpose of the filming is not to observe the employee's activities while at work and that the employee is not portrayed in a negative light. The Company declares that the filming does not violate the employee's rights to privacy, reputation, honour or dignity. The Company's consent to the taking of a photograph or video is set out in the Annex to this information notice. /Annex 12/

Scope of the data processed: Photo, video or audio recording

Legal basis for processing: The voluntary consent of the data subject pursuant to Article 5 of Act CXII of 2011 on Freedom of Information and Informational Self-Determination.

Duration of processing: Until the event or educational purpose for which the recording was made is achieved.

6.11 Social networking sites data management

Purpose of the processing: facebook.com is a website dedicated to the Company's activities, structure, job opportunities and company news.

Legal basis for processing: Based on § 5 of Act CXII of 2011 on Freedom of Information and Informational Self-Determination, the data subject gives his or her voluntary consent by registering on the facebook.com community page and liking the website.

Duration of processing: The data is processed on facebook.com. The duration of data processing, the way in which it is carried out, and the possibilities for deleting and modifying the data are described in the privacy policy ( http://facebook.com/about/privacy )

6.12 Processing of CVs submitted by post, e-mail or in person

Purpose of the processing: The Company provides the possibility for prospective employees who are informed of current job vacancies in the course of other advertising and promotions to submit their applications to the Company's HR department by e-mail, post or in person. The purpose of the data processing is to optimise the number of employees by employing workers with the appropriate skills.

Legal basis for processing: In the case of CVs sent by e-mail or post: § 6 of Act CXII of 2011 on Freedom of Information and the Right of Informational Self-Determination. In the case of CVs submitted in person: § 5 of Act CXII of 2011 on Freedom of Information and Informational Self-Determination.

Duration of processing: Until the applicant's consent is withdrawn, but for a maximum of 1 year from the date of receipt of the CV. Candidates may withdraw their consent to the storage of their CV at any time by contacting the contact details provided in the Data Security and Privacy Policy.

7. Use of a data processor

The Company may transfer data to data processing companies and organisations for the purpose of system operation. In the case of employee data, the processing shall commence after the employee data processing declaration has been signed. The processor may not take any decision concerning the processing of data without the consent of the controller, may not process data for purposes other than those provided for by the controller, and may only perform its tasks on the basis of instructions from the controller. The Processor shall ensure the physical and software protection of the data to be processed in accordance with the rules set out in the Company's Data Protection and Security Policy.

In the course of its activities, the Company uses the following data processing companies:

- Asset protection: Patent Kft, 9024 Győr, Mécs László u 7.

- Occupational Health: Pro-San Kft, 9021 Győr, Árpád út 28-32.

- Payroll: Matusz-Vad Zrt, 9024 Győr, Vasvári Pál u. 1/b.

The legal notice on data processors is set out in the annex to the Data Security and Privacy Policy. /Annex 13/

8. Transfers of data abroad

The Company will transfer personal data to a controller in a third country only if the data subject has given his or her explicit consent and the third country ensures an adequate level of protection of personal data. Accordingly, transfers to EEA countries shall be considered as transfers within Hungary.

9. Data security rights of the data subject, legal remedies

9.1 Data breach handling

The Company acknowledges that a data breach may result in physical damage to property or non-material damage to natural persons if not addressed in an appropriate and timely manner. In order to manage data breaches, a data breach log shall be kept, in which the circumstances of the data breach shall be recorded by the Data Protection Officer within a maximum of 72 hours after the incident is reported.

9.2 General remedies

The person concerned may obtain information about the processing of his/her data and request the rectification, erasure or blocking of his/her personal data in person, after prior appointment, from Monday to Friday, 9 am to 4 pm, without the need for a recording. The controller shall investigate the complaint and provide written information within the shortest possible time from the date of the request, but not later than 15 days. If the controller registers personal data which are inaccurate, the controller shall amend them if the accurate personal data are available.

The controller will delete the personal data if:

- if its treatment is unlawful

- it is incomplete or incorrect and this condition cannot be lawfully remedied

- the person concerned requests

- the purpose of the processing has ceased to exist or the period for which the data were stored has expired

- ordered by a court or public authority

The controller shall block personal data subject to erasure instead of erasure if the data subject so requests or if, on the basis of the information available, it is likely that erasure would harm the data subject's legitimate interests. Personal data blocked in this way may be processed only for as long as the processing purpose that precludes the erasure of the personal data exists.

The Data Controller may transfer those data that are lawfully processed and are necessary for the purpose of the processing:

- for the settlement of disputes, for bodies empowered by law

- for the purposes of national security, defence, public security and the prosecution of public offences, to the competent authority

- under other legal provisions

If the data subject disagrees with the decision or the information provided by the controller on the processing of his or her personal data, or if the controller fails to respond within the time limit set by law, the data subject may, within 30 days of the notification of the decision or the failure to respond within the time limit, turn to a court or the National Authority for Data Protection and Freedom of Information. The court of law shall have jurisdiction to rule on the action. If the court upholds the application, it may order the controller to provide the information, rectify, block or erase the data, annul the decision taken by automated data processing, take into account the right of the data subject to object, or release the data.

In the event of a breach of the rights of the data subject or in the event of a comment, the data subject may make a statement using the following contact details or contact the following authorities:

- Győr Regional Court: 9022 Győr, Szent István u 6.

- National Authority for Data Protection and Freedom of Information: 1530 Budapest, Szilágyi Erzsébet fasor 22/C

- Garzon Plaza Ltd: 9023 Győr, Vasvári Pál u. 1/b.

Annexes

Annex 1: Confidentiality statement + employment contract supplement for employees

CONFIDENTIALITY STATEMENT

I, the undersigned .................................(Name, place of birth, date of birth, mother's name), by signing this confidentiality agreement, undertake to keep confidential the information that has come to my knowledge in the course of my contractual relationship and that falls under the category of trade secrets. I acknowledge that any intentional or grossly negligent breach of the rules on the protection of business secrets by the company signing this declaration may result in sanctions for breach of business secrets.

The parties understand the term "trade secret" as defined in Section 2.47 (1) of the Civil Code:

"Trade secret" shall mean any fact, information or other data relating to an economic activity, and any compilation thereof, which is not publicly known or not readily accessible to persons engaged in the economic activity concerned, the acquisition, use, disclosure or disclosure of which to unauthorised persons would harm or jeopardise the legitimate financial, economic or market interests of the right holder, provided that the right holder is not responsible for its safekeeping and the right holder is not in a position to be held liable for its disclosure."

The confidentiality agreement has been signed in our own hand after having understood and understood it:

Győr, 2018..........

............................... ............................
Trade secret debtor Trade secret holder

Employment contract supplement for employees

During employment, employees are required to treat information disclosed to them about the Company's operations in accordance with the rules set out in the Company's Data Security and Privacy Policy. If the employee does not handle any information related to the work in accordance with the data security and data protection regulations, he/she becomes an independent data controller and may be the basis for the initiation of immediate termination by the employer pursuant to Article 78 (1) of Act I of 2012 on the Labour Code.

Annex 2: IT Security Policy User Declaration

Declaration of liability

By signing this declaration, users declare that they will exercise the utmost care in the use of IT systems in the course of their work. They are aware of the IT security controls, requirements and responsibilities set out in the IT Security Policy (hereinafter referred to as the PSP). They shall make every effort to ensure that no damage or harm is caused to the Company's interests and IT systems as a result of their intentional or negligent conduct.

Declaration of liability

Name: ........................... , ........................

I, an employee of Garzon Plaza Ltd (hereinafter referred to as "the Organisation"), declare that I have the information security skills necessary to perform my duties.

I acknowledge and agree that applications, files and correspondence managed in the Company's information systems are confidential, the property of the Company and may be controlled by the IT Manager. This control may include monitoring Internet usage and electronic mail system activity. By signing this declaration, I certify that I am aware of and will comply with the Company's IT security policy.

I declare that I will keep the confidential personal, special and confidential data and information obtained in the course of my work, and I will not disclose the data I have obtained to any third party.

If I become aware of any breach of the security rules described in the DPO, I am obliged to report it in writing to my line manager and the IT Manager.

I acknowledge that if I violate the terms of this "User Statement", I will be liable under employment law, tort law and criminal law.

Győr, 20.................. hó day

Annex 3: House Rules

Annex 4: Information for employees on the use of the electronic access control system

Employee information on the operation of an access control - staff registration system

Employer name: .........................................
Birth name: .........................................
Place and date of birth: .........................................
Mother's name: .........................................

Dear Employee!

Pursuant to §§ 9-11 of Act I of 2012 on the Labour Code and § 20 of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information, I hereby inform you that Garzon Plaza Ltd. hereinafter referred to as: the Company / 9023 Győr, Vasvári Pál u. 1/b. / operates an access control - personnel registration system.

The purpose of the operation of the access control and registration system: to protect life and limb by knowing the exact number of workers in the area.

Legal basis for processing: Act I of 2012 on the Labour Code, and Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation.

Scope of the data processed: name, sort code, card number

Duration of processing: The Company shall destroy the identification data of the person concerned immediately upon termination of the right to access, and the data generated during the operation of the system and the data generated on paper, with the exception of data that are stored on a mandatory basis as accounting records, no later than 6 months after the data were generated.

The Company has prepared a Privacy and Data Security Policy on the handling of data related to the use of the electronic access control - staff registration system, which is available for inspection at the Company's reception.

Based on the policy, you may submit a request to the Company's data controller, in which you have the right to request information about the processing of your personal data, as well as the rectification, erasure or blocking of your data, in accordance with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information. Please be informed that in case of violation of your rights, you have the right to lodge a protest, to take legal action or to contact the National Authority for Data Protection and Freedom of Information using the contact details provided in the Privacy and Data Security Policy.

Győr, 2018......................

.............................................

Garzon on behalf of Plaza Ltd

I have received the information!

Győr, 2018.....................

..............................................

Employee

Annex 5

CREDIT CARD PRE-AUTHORISATION CONTRIBUTION

I, the undersigned, ___________________________________, give my consent to the HOTEL****GARZON PLAZA (Address: 9024 Győr, Vasvári Pál. u. 1/B) to pre-authorise the credit card I hold and which contains the details below to guarantee my booking:

Vendég neve: ________________________________________________

Érkezés/Utazás dátuma:_______________________________________

Foglalási szám: ______________________________________________

Card details:

Type: VISA ¨ MASTERCARD ¨ AMEX ¨

Card number: _____________________________________

Expiry date: __________________________________

Cardholder: __________________________________

Service(s) to be paid for with the card provided: ___________________________________

I hereby certify that the information provided above is true and correct.

Date: _______________________ ________________________

Cardholder signature

Please send us a copy of the front and back of the card as an attachment.

Annex 6: Sample information sheet and camera system schematic drawing for electronic surveillance

Employee information on the operation of a camera system

Dear Employee!

The purpose of operating an electronic surveillance system is: preventing, detecting and proving infringements and investigating the circumstances of any accidents at work in order to protect human life, limb and property.

Legal basis for processing: Act I of 2012 on the Labour Code, and Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation.

Scope of the data processed: the identity and actions of persons entering the premises of Garzon Plaza Ltd.

Duration of processing: 30 days, pursuant to Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation.

Where the data is stored: in the server room located at ..........................................

Please be informed that if your rights or legitimate interests are affected by the image recording recorded by the camera system, you may request Garzon Plaza Ltd. not to destroy or delete the recording within 3 days of the recording by providing evidence of your legitimate interest. Upon request by a court or other authority, the recorded image will be handed over without delay.

Garzon Plaza Ltd. has prepared a Privacy and Data Security Policy on the handling of data related to the use of the electronic surveillance system, which is available for inspection at the company's reception. Based on the policy, you may submit a written request to the data protection officer of Garzon Plaza Ltd. or to the data protection officer of the company, in which you are entitled to request information about the processing of your personal data, as well as the rectification, erasure or blocking of your data, in accordance with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.

Please note that in the event that your rights are infringed, you have the right to lodge a complaint, to take legal action or to contact the National Authority for Data Protection and Freedom of Information using the contact details provided in the Privacy and Data Security Policy.

Győr, 2018...............................

..........................................

Garzon on behalf of Plaza Ltd.

I have received the information!

Győr, 2018................................

..............................................

Employee

Annex 7: Register of persons with backup and access rights related to the operation of the monitoring system

Records of persons with access and backup rights to recordings made by electronic surveillance systems

Name of the person authorised to access	His position is	Date from which entitlement begins	Date of cessation of entitlement
Attila Horváth	security manager
Marianna Ivánkovits	sales manager

Annex 8: Protocol for the blocking of a recording made with a sample monitoring system

Protocol on the blocking of camera footage

1. Name of camera position:

2. Date and duration of the recording to be blocked:

3. Personal data of the applicant:

4. Personal data of the representative of the controller:

5. The request made by the applicant in relation to the camera footage viewed:

o Request to save a recording to initiate civil proceedings

o Request to save a recording to file a criminal complaint

o Request for the destruction of a recording

6. Brief summary of the decision taken during the event visited

..............................................................................
Applicant's signature

..............................................................................
Signature of the Data Controller's representative

..............................................................................
Date

Annex 9: Protocol for viewing a sample observation system recording

Protocol for inspection of camera recordings

1. Name of camera position:

2. Date and duration of the recording you wish to view:

3. Personal data of the applicant:

4. Personal data of the representative of the controller:

5. The request made by the applicant in relation to the camera footage viewed:

o Request to view a recording for the purpose of initiating civil proceedings

o Request to view a recording to file a criminal complaint

o Request for the destruction of a recording

6. Brief summary of the event viewed, actions taken

..............................................................................
Applicant's signature

..............................................................................
Signature of the Data Controller's representative

..............................................................................
Date

Annex 10: Internal records on data processing and transfers

Name of the controller	Address of the Data Controller
Garzon Plaza Ltd.	9023 Győr, Vasvári Pál u. 1/b.

Purpose of data processing	Legal basis for processing	Persons concerned by the processing of data	Duration of data processing
Registering the number of persons entering the company's premises during the operation of the electronic access system	MT 2012.évi I.tv, SZVTV 2005. évi CXXXXIII.tv	Employees	24 hours or 6 months according to the 2005.évi CXXXIII. Tv.
Preventing crimes against property during the operation of an electronic surveillance system, reconstructing accidents at work	MT 2012.évi I. tv, SZVTV 2005.évi CXXXXIII. Tv.	Employees	2005.évi CXXXIII. Tv alapján 3 days
Establishing and maintaining employment	MT Act I of 2012, Act CXVI of 1995	Employees	According to the provisions of Act CXVII of 1995 and Act C of 2000 on the Protection of the Rights of the Child

Name of data processor	Address of the data processor	Data processing activities	Name of the place of data processing
Pro-San Ltd.	9021 Győr, Árpád út 28-32	Occupational Health provision of services	9021 Győr, Árpád út 28-32
Patent Ltd.	9027 Győr, Mécs László u 7.	Access or camera system data processing, technical back-up support	9023 Győr, Vasvári Pál u. 1/b.
Matusz-Vad Zrt.	9023 Győr, Vasvári Pál u. 1/b.	Payroll service	9023 Győr, Vasvári Pál u. 1/b.

11. Annex No 1: Model information notice for employees on the establishment of employment

Employee information on the employment relationship
on the processing of personal data

Dear Employee!

Pursuant to §§ 9-11 of the Labour Code Act I of 2012, I hereby inform you that Garzon Plaza Ltd. / 9023 Győr, Vasvári Pál u. 1/b. / processes your personal data in accordance with its data protection and data security policy. You may request information on the processing of your personal data under the policy, request the modification of your data or, except for the data processing obligations specified by law, request the deletion of your data by contacting the contact details indicated in the policy.

Győr, 2018.....................................

..........................................

Garzon on behalf of Plaza Ltd.

I have read and understood the Privacy and Data Security Policy of Garzon Plaza Ltd.

Győr,2018......................................

..........................................

Employee

Annex 12: Sample report on fitness for work

REPORT ON THE RESULTS OF THE BREATHALYSER TEST

Time of inspection: 20.....year...................month.........day

Where to check: ........................................................................................

Name and position of the employee checked: ..............................................................

Mother's name: ..................................................................................................

Place and date of birth: .......................................................................................

Determine the title and reason for the breathalyser test:

Determine the blood alcohol level and the result of the breathalyser test:

Person checked: I accept the result of the breathalyser test - I do not accept it*

Reasons for refusing a probe under disciplinary responsibility, the opinion of the probe provider:

A description of any other circumstances, history and actions taken in relation to the probing:

...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

The report is drawn up in 2 copies, 1 copy of which is for the person inspected. The inspected person acknowledges that in the event of doubt about the results of the breathalyser test, the employer will draw up a test report in hard copy format, using a calibrated breathalyser, which will be kept as an annex to the breathalyser test report.

Signature of the person who performed the probe: .............................................

Signature of the verified person: ......................................................

Witness 1.:......................................................

Address: ....................................................

Witness 2.:......................................................

Address:......................................................

Annex 13: Consent form for taking photos or videos

Employee information and declaration video,
and taking photographs

Dear Employee!

The Civil Code of 2013, Act V of 2013 on the Civil Code, § 2:48 - a, and the Freedom of Information Act of 2011, Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information. Garzon Plaza Kft. / 9023 Győr, Vasvári Pál u. 1/b. / hereinafter referred to as: the Company / may produce educational, informative and presentation films and photos about the technology used in the work, the presentation of work processes, events organised within the company (sports days, family days), in which the Company's employees are featured. The Company does not oblige the employees to appear in the footage, but only with the written consent of the employee. As a guarantee, the Company declares that the filming does not violate the employee's rights of privacy, reputation, honour and dignity.

The Company has prepared a Privacy and Data Security Policy on the handling of data related to video and photo recordings, which is available at the Company's reception. Based on the policy, you may contact the Company's data protection officer with a request for information on the processing of your personal data, as well as for the rectification, erasure or blocking of your data, in accordance with the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information.

Győr, 2018.................................

..............................................

Garzon on behalf of Plaza Ltd.

I have read and understood the privacy and data security policy of Garzon Plaza Ltd.

I contribute I do not contribute

Győr, 2018.......................

..........................................

Employee

Annex 14: Model contract for data processing in the case of data transfers within an EEA member state

Data processing contract

From data controller Name:..........................................................
Address:.......................................................................................
Tax number:.................................................................................

and

From data processor Name:......................................................
Address:.......................................................................................
Tax number:.................................................................................

agree that, subject to the provisions of this contract, ensuring the protection of personal data and respecting the right of individuals to self-determination, the Data Controller will carry out its processing activities in relation to the activities of the Data Controller by using a Data Processor as set out in this contract.

1. Concepts

Use of this contract ,, "personal data", "specific personal data", "data controller", "data processing", "data subject" is defined in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information

2. Details of the data processing activity

Description of the controller's data management process:

- According to the applicable rules of the controller (Principal)

Data processor's role in data management:

- ..........................................................................................

Stakeholders:

- Employees

Scope of personal data processed:

- ...........................................................................................

Description of the data processor's activities related to data processing:

- ...........................................................................................

Legal basis for processing:

- ...........................................................................................

Deadline for data storage:

- ..........................................................................................

3. Applicable law

As the data controller is established in Hungary, the data processing is carried out in Hungary, and therefore the entire data processing activity and all related procedures (including in particular data processing) are governed by Hungarian law.

4. Rights and obligations of the processor and the controller

The Data Controller is responsible for the lawfulness of the instructions given by the Data Controller to the Processor. The Controller may give instructions to the Processor only in writing.

The Data Processor may use an additional Data Processor at the discretion of the Data Controller, the designation of the additional Data Processor shall be set out in Annex 1 to this contract.

The service activity shall be performed by the Processor, in accordance with the instructions of the Data Controller, only those data processing operations for which the Data Processor is authorised by the Data Controller in accordance with this contract. The Data Controller shall store the data collected and processed by the Processor as provided for in this contract, in such a way that the Processor shall, immediately after collecting the data, transmit the data to the Data Controller, which shall keep the data received on its own server or on paper in its own archives as provided for in this contract. The Data Controller is responsible for compliance with the data storage rules and the Data Processor may only transfer the data to the Data Controller or to subcontractors named in this contract.

A processor may not make any decision on the substance of the processing, may process personal data that come to his/her knowledge only in accordance with the provisions of the Controller, may not process personal data for his/her own purposes, and shall store and retain personal data in accordance with the provisions of the Controller. The Processor shall comply with the provisions of the Data Controller's Privacy and Data Security Policy and shall perform its tasks related to data processing in accordance with the provisions of the Privacy and Data Security Policy. The Processor shall comply with the data security requirements set out in the Data Controller's Data Protection and Security Policy.

5. Responsibilities of the controller and processor

If the Data Processor acts in compliance with the provisions of this Agreement in the performance of its activities, the Data Controller shall be liable for the activities of the Data Processor as if it had acted as such.

If the Data Processor causes damage to the data subject or a third party by its activities, the Data Controller shall be liable to the data subject or the third party. If the Data Processor exceeds its rights under this contract, it shall become an independent controller in respect of that excess and shall be liable for the damage caused to the Data Controller, the data subject or the third party in accordance with the general rules on damages.

6. Availability

The Parties agree that any disputes arising from this contract shall be settled primarily by amicable means, through conciliation and negotiation. In the event of this being unsuccessful, the jurisdiction of the Győr Court of Law shall be determined.

7. Final provisions

Amendments to this contract may only be made in writing and signed in writing by the person(s) authorised to enter into commitments.

This contract has been reviewed and interpreted by the contracting parties, who have signed this contract in full agreement with its contents.

By signing this contract, the data controller acknowledges that he/she has read and taken note of the data processor's privacy policy.

On behalf of the Data Controller

Name:............................................................

Post:......................................................

...............................................

Company signature, stamp

On behalf of the data processor

Name:............................................................

Post:......................................................

...............................................

Company signature, stamp

Date: 2018...............

Annex 15: Employee consent for ad hoc data transfers outside the EEA

AD HOC EMPLOYEE DECLARATION ON DATA TRANSFERS ABROAD

I, the undersigned ................., as an employee of Garzon Plaza Kft. / 9023 Győr, Vasvári Pál u. 1/b. / give my consent to the transfer of my personal data by my employer to a country outside the European Union for the purposes of ..............................

Győr, 2018.............................

.........................................................................

Employee signature

At home on the business trip too!

Hotel

Event

Contact