PRIVACY POLICY

 

Information on data processing of INTERSPUTNIK Kft.

 

provided in order to explain the detailed rules of data processing with regard to the personal data of natural persons in accordance with the provisions of the regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as: ‘GDPR’) in the course of visiting the homepage https://spartybooking.com/ of INTERSPUTNIK Kft. (registration number: 01-09-899370, registered seat: 1148 Budapest Lengyel u. 33. Fszt. 1. ) a hereinafter referred to as: ‘Controller’) and in the course of purchasing the tickets via our online web store necessary for the participation in the events organized by us in the spas of Budapest.

The present information leaflet shall be displayed by the Controller on the above homepage visited by the purchaser of the Controller interested in events of the Controller in a place clearly visible. The information leaflet enters into force on the day of the disclosure and shall remain in force until the day when the Controllers discloses new Information on data processing. The Controller reserves the right to unilaterally amend the present Information on data processing. In the case of unilateral amendment of the present Information on data processing the former information leaflet shall prevail regarding web browsing, purchasing tickets and processing data in the course of such activities commenced but not finished before the disclosure of the amended information leaflet. In the interest of transparency and customer-orientation the Controller shall display separate notification on its homepage on the eventual amendments of the present information leaflet.

  1. The legislation concerning your personal data includes, but is not limited to the following:

– Act CXII of 2011 on Informational Self-Determination and Freedom of Information

– Act CVIII of 2001 on certain issues of electronic commerce services and information society services

– Act V of 2013 on the Civil Code

– Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators

– the aforementioned GDPR

  1. Definitions:

personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (i.e. manually), such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; and executes tasks of a purely technical nature related to the processing operations (e.g. data recording);

personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted or otherwise processed;

recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not;

third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

III. Principles of processing data

It is a particularly important aspect to the Controller to process, safely use and record the personal data provided by the users of its services and buyers of its products pursuant to the applicable laws and other regulations, to fully secure the right of informational self-determination of the visitors and to provide detailed information about the processing of personal data.

The Controller processes your data in accordance with the principles of lawful, fair and transparent processing, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability. The Controller ensures that its employees and personnel observe these principles.

The principle of purpose limitation is observed in the course of the processing data for clear and defined purposes set forth below, whereas data minimisation means that the Controller only processes data that are absolutely necessary in order to achieve the purpose in accordance with the principle of storage limitation, i.e. personal data may not be stored longer than it is absolutely necessary.

The Controller informs you that your personal data will be irrevocable erased after the expiry of term defined below or when the aspects of the determination of the term are no longer valid and – only for the purpose of statistical analyses and calculation and development efforts – such data will be kept which cannot be associated with you and which cannot identify you in any form.

 

  1. The lawfulness of our processing – the legal basis for the processing in accordance with Article 6 of the GDPR:

 

1./ Processing based on consent: The consent of the Visitor/Guest establishing a freely given, specific, informed and unambiguous indication of his or her agreement to the processing of personal data by the Controller relating to him or her;

 

2./ processing for the purpose of the performance of a contract: the performance of a contract to which the Visitor/Guest is party;

 

3./ processing for the compliance with a legal obligation: processing is necessary for compliance with a legal obligation to which the Controller is subject (e.g. fulfilment of accounting obligations);

 

4./ Processing for legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party; The conditions of this legal basis are laid down in the data privacy code of the Controller which contains the circumstances taken into account when using the Balancing test and the used procedure.

 

5./ Data processing based on the Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services: The Controller may process natural identification data of the Visitor/Guest, suitable for the identification thereof, for the purpose of drawing up the contract for the information society service, determining and modifying the contents thereof, monitoring the performance thereof, billing the charges arising therefrom as well as enforcing the claims related thereto. For the purpose of billing the charges arising under the contract for the information society service, the Controller may process natural identification data, address related to the use of such service and the data regarding the time, duration and place of using the service.

 

  1. Information map

 

We inform you about your personal data processed by us and the lawfulness and purpose limitation of the processing as follows:

 

The data subjects – classified in the following two categories – may visit our homepage and use the services of the web store through which they can purchase the tickets for our events. These categories of the processed and recorded personal data are as follows:

 

  1. Users’ category – visitors:

 

In case you search and collect information on our homepage, you use our homepage service as a visitor (hereinafter referred to as “Visitor”) until you do not register on our homepage. If you use our homepage service as a visitor, we do not obtain any personal data based on which you can be identified and we do not store any data related to you in such case. However, when you visit our homepage, we create a small piece of data, a so called cookie, which does not collect information related to you but transmits information to us about usage patterns regarding the computer on which you are logged in. That means that we receive information about the pages opened, the browser used on such computer and the visits made with the help of such computer, however, these pieces of information are linked not to you but only to the computer used by you at a particular moment. The cookie is meant to make the use of our homepage more comfortable, effective and enjoyable and to send you special offers and advertisements. You do not give us the data necessary for the creation of the technical identifier but – in the light of the foregoing – we gather these data in the course of the usage of the homepage. Indeed, the data is automatically exchanged on the basis of the communication between the computers.

The legal basis of the use of the cookie is your consent, as when visiting the homepage – by clicking on the ‘accept’ button on the popup page – you grant your consent to the lawful use of the above. You can also delete the cookie from your computer or you can block the use of cookies in your browser at any time. Generally, you can manage cookies in the Tools/Settings page of the browsers under Data protection by naming the cookie. We consider the blocking of the cookies as the withdrawal of you your consent.

 

We hereby inform you that our company concluded a contract with the Google Analytics (GA). Based on this contract the GA compiles and presents detailed statistics with regard to the visitors of our homepage. The objectives and tasks of the GA is to assist our company in building, developing our business strategy, in optimizing our publicity campaigns by showing from which homepage our visitors clicked through, how much time do they spend on the homepage and showing their location. The GA essentially works as the aforementioned cookie, i.e. it only provides information related to the computer used by you and not information related to you.

 

  1. Users’ category – guests:

 

In case you intend to purchase tickets for our events in the web store on our homepage, you can do it by registering or not registering on the homepage and by providing your following personal data.

 

 

Categories of data Source of data Purpose of processing

 

The lawfulness of processing

(Legal grounds)

period for which the personal data will be processed

 

1. Family name and first name* Given by the Guest Registration and identification of the Guest

 

Performance of the contract (Clause IV/2)

 

Until the deletion of accounts
Ensuring communication

 

Performance of the contract (Clause IV/2)

 

Until the termination of the contract
Drawing up the contract, determination and amendment of the content thereof, and monitoring the performance thereof

 

Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Clause IV.5) And Performance of the contract (Clause IV/2) Until the termination of the contract
In case the contractual relationship is created, the invoicing the fees (e.g. purchase price) arising from such relationship

 

Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Clause IV.5) and the fulfilment of legal obligation (IV.3./)

 

Based on Article 169 of the Act C of 2000 For 8 eight years following the issue of the invoice
Eventual claim and fraud prevention legitimate interest (IV.4./) Until the expiry of the limitation period
2. Date of birth*

(Given that persons below the age of 18 years cannot participate in the events)

Given by the Guest Drawing up the contract, determination and amendment of the content thereof, and monitoring the performance thereof

 

Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Clause IV.5) And Performance of the contract (Clause IV/2)

 

Until the termination of the contract
Registration and identification of the Guest

 

Performance of the contract (Clause IV/2)

 

Until the deletion of accounts
For the purpose of preventing eventual criminal offences or irregularities legitimate interest (IV4./) and the fulfilment of legal obligation (IV.3./) Until the expiry of the limitation period
3. email address* Given by the Guest Registration and identification of the Guest, alike enable the communication with him/her

 

Consent of the Guest (IV/1./)

 

until the deletion of accounts, i.e. the withdrawal of the consent
Ensuring communication and the delivery, the confirmation of the purchased ticket, providing information prior to the event, and thanking for the participation  following the event

 

Performance of the contract (Clause IV/2)

 

Until the termination of the contract
Drawing up the contract, determination and amendment of the content thereof, and monitoring the performance thereof

 

Performance of the contract (Clause IV/2)

 

Until the termination of the contract
Eventual claim and fraud prevention legitimate interest (IV.4./) Until the expiry of the limitation period
4. Phone number Given by the Guest Ensuring communication Performance of the contract (Clause IV/2)

 

Until the termination of the contract
5. Sex of the Guest* Given by the Guest Drawing up the contract, determination and amendment of the content thereof, and monitoring the performance thereof (due to the number of the separated changing rooms and lockers provided for the event)

 

Performance of the contract (Clause IV/2)

 

Until the termination of the contract
6. password Given by the Guest Registration and identification of the Guest consent of the Buyer in both cases (Clause IV/1)

 

Until the deletion of accounts
For communication purposes
7. Billing address* Given by the Guest Drawing up the contract, determination and amendment of the content thereof, and monitoring the performance thereof

 

Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Clause IV.5) and Performance of the contract (Clause IV/2)

 

Until the termination of the contract
Eventual claim and fraud prevention legitimate interest (IV.4./) Until the expiry of the limitation period
In case the contractual relationship is created, the invoicing the fees (e.g. purchase price) arising from such relationship

 

Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Clause IV.5) and the fulfilment of legal obligation (IV.3./)

 

Based on Article 169 of the Act C of 2000 For 8 eight years following the issue of the invoice
8. Amount of the purchase, type and number of the purchased tickets (=the number of the participants on the event) Given by the Guest Drawing up the contract, determination and amendment of the content thereof, and monitoring the performance thereof

 

Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Clause IV.5) and Performance of the contract (Clause IV/2)

 

Until the termination of the contract
In case the contractual relationship is created, the invoicing the fees (e.g. purchase price) arising from such relationship

 

Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Clause IV.5) , Performance of the contract (Clause IV/2) and the fulfilment of legal obligation  (IV.3./)

 

Based on Article 169 of the Act C of 2000 For 8 eight years following the issue of the invoice
Eventual claim and fraud prevention legitimate interest (IV.4./) Until the expiry of the limitation period
9. Date of purchase Given by the Guest during the purchase Drawing up the contract, determination and amendment of the content thereof, and monitoring the performance thereof

 

Article 13/A of the Act CVIII of 2001 on certain issues of electronic commerce services and information society services (Clause IV.5) and Performance of the contract (Clause IV/2)

 

Until the termination of the contract
Eventual claim and fraud prevention legitimate interest (IV.4./) Until the expiry of the limitation period
10. Order ID Generated automatically in our system simultaneously with the purchase Eventual claim and fraud prevention legitimate interest (IV.4./) Until the expiry of the limitation period
11. Picture and video of you taken and recorded on the event Made via Controller Drawing up the contract, determination and amendment of the content thereof, and monitoring the performance thereof

 

Performance of the contract (Clause IV/2)

 

until 10 years after termination of the contract

 

We kindly inform our Guests that – in order to purchase tickets in our web store – it is strictly necessary for the conclusion of the contract to provide the data in the above table indicated with *, these data are the preconditions of the conclusion of the contract, therefore, the provision thereof is obligatory. In the absence of the above personal data, we cannot conclude any contract with you.

 

 

 

  1. Operation of the camera systems

 

We inform our Guests that cameras are operated by the Budapest Gyógyfürdői és Hévízei Zrt. (registration number: 01-10-043152, registered seat: 1034 Budapest, Szőlő utca 38., tax number: 12165814-2-44) at the event site, in the Széchenyi Gyógyfürdő és Uszoda (1146 Budapest, Állatkerti krt. 9-11.) in the spa areas. The Controller has no access to such operation and the videos recorded by these cameras. You are kindly requested to contact the aforementioned company in order to receive information regarding these cameras and the related the data protection rules.

 

However, we inform you that during the events we install three surveillance cameras in the lobby, which cover the ticket counters and the surroundings, thereby recording and processing your likeness. Detailed description is placed next to the cameras, which informs you the data protection related to the used method.

The purpose of the instalment of these cameras is to secure life and physical integrity, the protection of personal freedom and the protection of property. The basis of the data processing is the legitimate interest of the Controller, i.e. to document in a retraceable way who, when entered the event site and what objects did the entering person had on him or her and to detect unauthorised persons and troublemakers, and to prevent eventual claims and fraud. The legal basis of the legitimate interest can be found in the Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators.

The camera recordings are stored at the registered seat of the Controller for 5 business days. The managing directors, the system administrator and the security company are entitled to view to recordings.

In case we perceive the violation of the aforementioned or any report or complaint is received related thereto, the persons entitled to view the recordings check the recordings without delay but within not later than 24 hours and thereafter they will take the further necessary measures.

The recordings are stored in a separate room not open to the Guest and other person entitled to view the recordings and we ensure that unauthorized persons have no access to these recordings.

 

VII. The use of photographs and videos taken and recorded on the event

 

Pursuant to the provisions of the General rules and regulations photographs and video recordings (hereinafter referred to as likeness) are taken of you on the event to which you unconditionally grant your consent with the ticket purchase based on the General rules and regulation. We hereby inform you that the legal basis of the processing of your likeness by the Controller is the performance of the contract, and the likeness processed until 25 years after the termination of the contract. With regard to the large number of the participants of the event and due to the fact that we cannot identify you during the event, you acknowledge in the General rules and regulations that your likeness can be recorded on the event which can be – for marketing reasons – published by the Controller on its homepage, posters, advertisement in all sorts and the data processor JURO MÉDIA Kft., indicated in clause VIII on Facebook, alike all media and advertising networks. The aforementioned is the prerequisite of the contract. The likeness is processed by the Controller for 10 years and irrevocably erases it following the elapse of this term.

 

VIII. Controller and processors

 

A.) Controller

 

Your personal data indicated in clause V are processed by our company as controller:

 

INTERSPUTNIK KFT.

Company data: registration number: 10-09-899370, registered seat: 1091 Budapest, Üllői út 115/b 3. floor, door number 1, tax number: 14335941-2-43, represented by György Klinkó and László L.Laki managing directors

 

Contact information of the customer service of our company:

 

Email address: [email protected]

phone no.: + 3630 395 8581

 

We kindly inform you that the Controller and its employees have access to your data indicated in clause V and such processing is governed by inner data protection regulations and all the employees of our company are obliged to comply with these regulations.

 

In accordance with the GDPR no data protection officer is designed in our company.

 

B.) Processors:

 

Your personal data indicated in clause V are transferred by our company to the following undertakings and these undertakings have access to the data recorded by us and necessary to achieve the following purposes:

 

eClick Apps Kft. (registration number: 13-09-177492, registered seat: 2161 Csomád, Verebeshegy utca 11., tax number: 23884137-2-13), performing the development, maintenance works of the homepage of our company on a case-by-case basis and operating our homepage.

KBOSS.hu Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság (registration number: 01-09-303201, registered seat: 1031 Budapest, Záhony utca 7., tax number: 13421739-2-41, homepage: www.szamlazz.hu) performing tasks following the ticket purchase related to the invoicing (issues the e-invoice to you and sends it electronically to the given email address or sends the hard copy of the invoice to you billing address).

OTP Bank Nyrt. (registration number: 01-10-041585, registered seat: 1051 Budapest, Nádor u. 16., tax number: 10537914-4-44), operating the online payment card system.

JURO MÉDIA Kft. (registration number: 01-09-870387, tax number: 13732730-1-43, registered seat: 1112 Budapest, Spanyolrét utca 2., responsible for the campaign management of our company who based on your email address posts the link on its Facebook profile containing the photos/videos taken on our events.

Kvartilis Kft. (registration number: 01-09-994445, registered seat: 1157 Budapest, Zsókavár u. 29. fsz. 3.,  tax number: 24182823-2-42) accountant firm keeping the accounts of our company.

We have concluded data processing contracts with all of the above listed service providers in which they guarantee the safety of your personal data. However  our company does not warrant and specifically limits its liable for the data protection regulations of the data processors.

  1. Email marketing – newsletters

We kindly inform you that in case you given us your e-mail address on our homepage for any reason whatsoever (in particular in the course of the registration or ticket purchase), we will occasionally send you newsletters containing ads, offers and other information ensuring thereby that You will be promptly notified about our products and services provided by us. The legal ground for processing your personal data indicated in the present clause is the legitimate interest of the Controller bearing in mind that for direct marketing purposes we have the right to send marketing materials based on the above. Your data given in such manner are processed for the operation of the newsletter service used by the Controller, however, in case you protest against it and the conditions set out in the GDPR exist, we will erase the personal data indicated in the present clause and we will not send you newsletters to you in the future.

  1. Your rights in connection with the processing of your personal data

Right to access: You have the right to request information about the purpose of the data processing, in which category is the data classified, about the categories of the recipients, i.e. about the persons to whom your personal data is or will be disclosed – including in particular the recipients from third countries or international organisation, the period for which the personal data will be stored or the criteria used to determine that period. You can request copy of your data processed by us free of charge in one occasion, we charge fee for requesting further copies.

rights to rectification, to erasure (to be forgotten): You are entitled to request from the Controller the rectification, modification, supplement of personal data related to you in case you  become aware that the recording thereof is not appropriate or these data are changed. Your company shall be obliged to comply with this request without any delay. The erasure of the data can be requested in cases defined under law which will be performed by us if the conditions set out in article 17 of the GDPR exist. In such case your data will be permanently and irrevocable erased from our records.

Right to restriction of processing: in cases set out in article 18 of the GDPR you have the right to obtain from us the restriction of processing.

Furthermore, we kindly inform you in connection with the aforementioned rights that in case of such requests, all the recipients with whom your personal data has been disclosed have to be informed about such acts, in case it is not disproportionately costly.

Right to data portability: According to Article 20 of the GDPR you have the right to request the personal data concerning you which you have provided to us based on your consent or the performance of any contract or to request from us to directly transmit those data to another controller.

Right to object: You have the right to object, on grounds of legitimate interest, at any time the processing of personal data related to you.

Withdrawal of consent: If our data processing is based on your consent, you are entitled to withdraw such consent at any time. Please also note that the withdrawal has no retroactive effect, thus it does not affect the lawfulness of our prior data processing.

Right to complain: If you notice that the processing of your data does not comply with the law or your rights have been prejudiced in connection with our processing, you are entitled to file a complaint to the supervisory authority or take legal actions before the competent court.

 

Contact information of the supervisory authority:

 

Hungarian National Authority for Data Protection and Freedom of Information

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Tel.: +36(1) 391-1400

fax number: +36(1) 391-1410

Email address:  [email protected]

homepage: https://naih.hu/

 

  1. Ensuring data security

 

If we notice any personal data breach, we, without undue delay and not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority indicated in clause VIII. If we conclude that the personal data breach is likely to result a high risk to your rights and freedoms, we communicate the personal data breach to you within not later than 72 hours.

We kindly inform you that we have data protection regulations complying with the applicable laws and take measures which -according to the above – ensure the safe processing of your personal data in our organisational and technical systems.

 

XII. Warranties of the Buyer

 

In case the Buyer does not or not only buy the tickets for our events for himself or herself, by the ticket purchase the Buyer warrants that third persons, whose behalf he is acting, or for whom he or she buys the ticket, have become fully familiar with the General rules and regulations of the Controller and the present declaration on data protecting, and have expressed their consent to be unconditionally bound by these regulations. The Buyer warrants that he or she presents the appropriate consent from these third persons. The Buyer is solely liable for any damages, claims, demands arising from the absence of the consent of third persons.