Detailed privacy policy

of

the CEAS GROUP

 

 

 

Budapest, 24th May 2018

 

Contents

Name and contacts of the controller 3
Regulations serving as the basis of data processing 3
Definitions 3
The principles of processing 4
The data processed by the CEAS, the purpose, the legal basis and the period of data processing 4
Recipients or categories of recipients of the personal data 6
International data transfer to third countries 7
Right of access of the client 7
The right to rectification of the client 8
The right to erasure of the client 8
The right of the client to the restriction of processing 9
The right to data portability of the client 10
Administration deadline of the request of the client as data subject 10
Right to submit a complaint 11
Modifications of this privacy policy 11

 

1. Name and contacts of the controller

Company name:

CEAS LTD,
CEAS CHARTER LTD,
CEAS AIRPORT SERVICES LTD.

Registered seat:
1088 BUDAPEST, RÁKÓCZI ÚT 1-3].

cégjegyzékszám:
CEAS KFT: 0109561251 //
CEAS AIRPORT SERVICES KFT.: 0109922771 //
CEAS CHARTER KFT: 0109674059 //

Contact person in data protection issues: Csaba BÁLINT e-mail address and phone number of the contact person:
e-mail:
phone number: +36-30-9513122

hereinafter referred to as CEAS is the controller of the personal data of its current, previous and future clients.

2. Regulations serving as the basis of data processing

 

- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information

- Regulation 2016/679/EU on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation)

 

3. Definitions

Data controller: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Processing: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Processor: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

GDPR: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27th April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation)

Supervisory authority or NAIH: Hungarian National Authority for Data Protection and Freedom of Information.

Personal data: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Special categories of personal data: ‘special categories of personal data’ mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Client: Any person showing interest about the products and services of the CEAS personally, via the website, via phone or by any other means or having concluded an agreement with the CEAS.

4. The principles of processing

The CEAS shall take appropriate measures to ensure that the personal data of its clients are any time

(a) processed lawfully, fairly and with an appropriate legal basis (lawfulness, fair procedure and transparency);

(b) collected only for a defined, unambiguous and lawful purpose and not treated in a way incompatible with these purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) precise and if necessary up-to-date; and if possible, the inaccurate personal data should be deleted or corrected without delay (precision);

(e) stored in a form making possible the identification of the clients only until the time necessary to reach the purposes of the processing of personal data; the storage of the personal data for a longer time shall take place only for statistical purposes by using the appropriate technical and organisational measures (storage limitation);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

5. The data processed by the CEAS , the purpose, the legal basis and the period of data processing

For the listed data processing purposes, the CEAS processes the following personal data of its clients:

 

I. Inquiry about a service via the website, personally, via phone or via other ways

(a) name;

Data of key importance for the identification of the client

(b) e-mail address and phone number

Data of key importance for the future contact of the client

(c) Subject to the inquiry (e.g. season, destination, classification of the accommodation);

Data necessary for the specification of the inquiry of the client and for the appropriate, personalised reply to such enquiry, based on the own communication of the client.

(d) Correspondence address

Data necessary for correspondence

The legal basis of the data processing is the consent of the inquiring person. The consent to data processing shall be valid until the period indicated by the inquiring person or until the withdrawal of such consent.

II. Subscription for newsletter

(a) name;

Data of key importance for the identification of the client

(b) e-mail address and phone number

Data of key importance for the future contact of the client

(c) Subject of inquiry (if applicable);

Data necessary for the specification of the subject of the newsletter / other eDM tool, based on the own communication of the client.

(d) Correspondence address

Data necessary for correspondence

The legal basis of the data processing is the consent of the inquiring person. The consent to data processing shall be valid until the period indicated by the inquiring person or until the withdrawal of such consent.

III. Unique request for quotation

(a) name;

Data of key importance for the identification of the client

(b) e-mail address and phone number

Data of key importance for the future contact of the client

(c) Subject to the inquiry (e.g. season, destination, classification of the accommodation);

Data necessary for the specification of the inquiry of the client and for the appropriate, personalised reply to such enquiry, based on the own communication of the client.

(d) Correspondence address

Data necessary for correspondence

The legal basis of the data processing is the consent of the inquiring person. The consent to data processing shall be valid until the period indicated by the inquiring person or until the withdrawal of such consent.

IV. Conclusion of an agreement

(a) name;

Data of key importance for the identification of the client

(b) e-mail address (phone number)

Data of key importance for the future contact or the client

(c) Subject of the agreement (e.g.: season, destination, classification of the accommodation, number and date of birth of children, dietary requirements, relevant health data);

Determination of the subject of the agreement.

(d) Correspondence address

Data necessary for correspondence

The legal basis of the data processing is the performance of the agreement and ensuring the possibility of the settlement of any legal disputes incidentally arisen regarding the agreement. The period of data processing is the performance of the agreement and additional 5 years (general deadline of bringing an action according to the Civil Code).

V. Sales of flight tickets and other travel tickets

(a) name;

Data of key importance for the identification of the client

(b) e-mail address (phone number)

Data of key importance for the future contact or the client

(c) Subject of the agreement (e.g.: season, destination, classification of the accommodation, number and date of birth of children, dietary requirements, relevant health data);

Determination of the subject of the agreement.

The legal basis of the data processing is the performance of the agreement and ensuring the possibility of the settlement of any legal disputes incidentally arisen regarding the agreement. The period of data processing is the performance of the agreement and additional 5 years (general deadline of bringing an action according to the Civil Code).

 

VI. Other data processing

 

Intentionally left blank, currently our companies do not perform other data processing activity.

 

VII. Profiling

 

(a) The summary of the data processed regarding the activities in the items I-VI about the given client

The data necessary for the identification of the client and for sending personalised offers to be made on the basis of his/her prior consent.

 

The legal basis of the data processing is the expressed consent of the client to profiling. The consent to data processing shall be valid until the period indicated by the inquiring person or until the withdrawal of such consent.

6. Recipients or categories of recipients of the personal data

Generally, on a controller to controller basis, the CEAS shares the personal data of its clients with the following third parties:

(a) within the CEAS group, including the parent and subsidiary companies of the CEAS;

(b) with the companies performing services for the CEAS or the clients (e.g. insurance company, IT services provider, company performing marketing campaign);

(c) with third parties taking part in the performance of the agreement (hotel, airlines etc.);

(d) with the supervisory authority and other regulatory authorities and bodies.

The clients may request personalised information about the processing of their personal data by the CEAS (about the purpose and the legal basis of data processing, the scope of the data processed, the transmission of data, the period of data processing, the logic of profiling) via the following contact point:

7. International data transfer to third countries

The personal data of the clients may be transferred to controllers and processors in a country out of the European Economic Area as well, if it is necessary for the performance of the agreement, or if the traveller gave his/her explicit and well-informed consent thereto (article 49 of the GDPR).

Before the conclusion of the agreement, the CEAS shall notify the traveller about that the appropriate protection of the data transferred to a recipient out of the European Union is ensured:

a) by standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in the Article 93(2) of the GDPR;

b) by standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in the Article 93(2) of the GDPR;

c) by an approved code of conduct pursuant to the Article 40 of the GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

d) by an approved certification mechanism pursuant to the Article 42 of the GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights. As regards the ones above, the CEAS shall endeavour to get the contractual data protection sample clauses approved by the European Commission / NAIH be accepted by its partners in third countries.

8. Right of access of the client

The client shall have an access to his/her personal data.

If the client requests a feedback from the CEAS whether it processes his/her personal rights, the CEAS shall inform the client.

The right of the client to get feedback whether the CEAS processes his/her personal data (or not) shall cover

(a) the personal data related to him/her;

(b) shall not cover the anonymous data;

(c) shall not cover the personal data not related to him/her; and

(d) shall include the pseudonymised data unambiguously linked to the client.

For the request of the client, the CEAS shall ensure access to and provide a copy about his/her personal data. If the client requests further/repeated copies about his/her personal data, the CEAS may charge a reasonable fee to cover the administrative costs arisen regarding the performance of the request, which fee shall be borne by the client.

9. The right to rectification of the client

The client shall be eligible to rectify his/her personal data. This rights

(a) shall not cover the anonymous data;

(b) shall cover the personal data related to him/her;

(c) shall not cover the personal data not related to him/her; and

(d) shall include the pseudonymised data unambiguously linked to the client.

For the request of the client, the CEAS shall appropriately rectify or amend the personal data of the client. The CEAS shall notify the recipients of these personal data (if any) about the rectification of the personal data of the clients. However, the CEAS may not notify the recipients about the rectification of the personal data, if the notification of the recipient proves to be impossible or it would require disproportionately high effort.

10. The right to erasure of the client

Among certain conditions, the client shall be eligible for the erasure of his/her personal data.

The CEAS shall erase the personal data of the client without undue delay, if

(a) these personal data are processed by the CEAS and

(b) the client requests the erasure of his/her personal data and

(c) The personal data are not necessary in relation to the purposes for which the CEAS processes the personal data.

The CEAS shall erase the personal data of the client without undue delay, if

(d) the personal data of the client are processed by the CEAS and

(e) the client requests the erasure of the personal data and

(f) the client withdraws consent on which the processing of his/her data is based and

(g) there is no further legal ground for the further processing of the data of the client.

The CEAS shall erase the personal data of the client without undue delay, if

(h) data processing is necessary for the enforcement of the due interests of the CEAS or a third party and

(i) the client objects to the processing of his/her personal data by the CEAS and

(j) the lawful ground serving as the basis of the processing of these personal data does not override the object of the client.

The CEAS shall erase the personal data of the client without undue delay, if

(k) the client requests the erasure of his/her personal data and

(l) the processing of these data by the Company is not unlawful or

(m) pursuant to the effective law, erasure shall be obligatory or

(n) the data of the client are collected regarding information society services.

The CEAS shall notify the recipients of these personal data (if any) about the erasure of the personal data of the clients. However, the CEAS may not notify the recipients about the erasure of the personal data, if the notification of the recipient is impossible or it would require disproportionately high effort.

11. The right of the client to the restriction of processing

The client shall be eligible to request the restriction of his/her personal data.

The right of the client to request the restriction of his/her personal data

(a) shall not cover the anonymous data;

(b) shall cover the personal data related to him/her;

(c) shall not cover the personal data not related to him/her; and

(d) shall include the pseudonymised data unambiguously linked to the client.

The CEAS shall restrict the processing of the personal data of the client for the period during which it can check the accuracy of these data, if the client requests the restriction of the processing of his/her personal data and the client objects the accuracy of these data.

The CEAS shall restrict the processing of the personal data of the client, if the client requests the restriction of the processing of the data the processing of which is unlawful and the client objects the erasure of these data.

The CEAS shall restrict the processing of the personal data of the client, if

(a) the client requests the restriction of his/her personal data and

(b) these data are no longer necessary for the CEAS regarding data processing and

(c) the client claims for his/her data for the establishment, exercise or defence of legal claims.

The CEAS shall restrict the processing of the personal data of the client, if

(a) the client objects against the processing of his/her personal data necessary for the legitimate interest of the CEAS and

(b) the client is waiting for the confirmation whether there are legitimate grounds for the processing of the personal data of the client by the CEAS, which does not have a priority over the objection of the client.

The CEAS shall notify the recipients of these personal data (if any) about the restriction of the processing of the personal data of the clients. However, the CEAS may not notify the recipients about such restriction, if the notification of the recipient is impossible or it would require disproportionately high effort.

If the CEAS restricts the processing of the personal data of the client,

(a) the CEAS may store these personal data,

(b) it may process these personal data on the basis of the consent of the client,

(c) it may process the personal data for the establishment, exercise or defence of legal claims or to protect the right of any person.

The CEAS shall not use the data of the client for direct marketing purposes, including profiling or the automated decision-making in specific cases.

12. The right to data portability of the client

The client shall have the right to receive the personal data concerning him/her, which he/she has provided to a controller, in a structured, commonly used and machine-readable format and he/she shall have the right to transmit those data to another controller without hindrance (if technically possible) from the controller to which the personal data have been provided, if data processing is based on consent or it is necessary for the performance of an agreement and data protection is performed in an automated way.

The right to data portability of the client

(a) shall not cover the anonymous data;

(b) shall cover the personal data related to him/her;

(c) shall not cover the personal data not related to him/her; and

(d) shall not cover the pseudonymised data unambiguously linked to the client.

13. Administration deadline of the request of the client as data subject

The CAS shall respond to the requests of the client regarding his/her following rights within the deadlines below.


Request of the data subject

Deadline

Right of information

When the data are collected (if the data subject delivers the data) or within a month (if not the data subject delivers the data)

Right of access

One month

Right to rectification

One month

Right to erasure

Without undue delay

Right to restriction of processing

Without undue delay

Right to data portability

One month

Right to object

Upon the receipt of the objection

 

14. Right to submit a complaint

If the client thinks that his/her rights were violated, the CEAS recommends to start a negotiation with the controller in a way to directly contact the contact person indicated above. If such negotiation is without any result or if the data subject does not intend to take part in this activity, he/she may contact the court or the NAIH. In case of the initiation of a court procedure, the data subject may decide to initiate the procedure in the court having the jurisdiction at his/her home address or domicile.

The contact data of the NAIH are as follows: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.; phone: +36 1 391 1400; fax: +36 1 391 1410; e-mail: ; website: www.naih.hu.

15. Modifications of this privacy policy

The CEAS reserves the right to any time modify this privacy policy. If applicable, the CEAS shall notify the clients about such modification via post or e-mail and by all means according to the relevant law.

Budapest, 25th May 2018

Contact Us