Privacy Policy

1. Introduction

1.1. Purpose of the Privacy Policy

This Privacy Policy (hereinafter: “Policy”) aims to transparently and in detail explain how personal data is processed during the activities of Duna-Gerecse Turisztikai Nonprofit Kft. (hereinafter: “Data Controller”), and to provide information about the rights of the data subjects and how they can exercise them.

1.2. Legal Compliance (GDPR, Act CXII of 2011)

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR): establishes uniform EU rules for the protection of personal data.
  • Act CXII of 2011 (Infotv.): the law that forms the basis of Hungarian data protection regulation, concerning the right to informational self-determination and freedom of information.
This Policy aims to comply with the requirements set forth in the above laws.

2. Data Controller Information

2.1. Name and Contact Information of the Data Controller

  • Name: Duna-Gerecse Turisztikai Nonprofit Kft.
  • Headquarters: 2800 Tatabánya, Fő tér 4.
  • Company Registration Number: 11-09-018928
  • Tax Number: 23452783-2-11
  • Representative: Giber Dániel Lajos
  • Email: info@duna-gerecse.hu

2.2. Access to the Privacy Policy

This Policy is available in electronic format on the nyugatiturisztika.kevoh.hu website.

3. Definitions

3.1. Basic Concepts under GDPR

  • Personal Data: any information relating to an identified or identifiable natural person (“data subject”).
  • Data Controller: a natural or legal person who determines the purposes and means of processing personal data.
  • Data Processor: a natural or legal person who processes personal data on behalf of the Data Controller.
  • Consent: the voluntary and explicit declaration of will by which the data subject agrees to the processing of personal data relating to them.
  • Data Subject: any identified or identifiable natural person to whom the personal data relates.

3.2. Definition of Data Protection Incident

A data protection incident is any event that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

4. Principles of Data Processing

4.1. Legal Grounds and Principles

  • Lawfulness, fairness, and transparency: We process data for specified, legitimate purposes only.
  • Purpose limitation: We process data only for pre-determined purposes and to the extent necessary to achieve those purposes.
  • Data minimization: We collect and process only the personal data necessary for achieving the purpose.
  • Accuracy: We ensure that the personal data we process is accurate and kept up-to-date.
  • Storage limitation: Personal data is stored only for as long as necessary for the purposes of processing.
  • Integrity and confidentiality: We implement appropriate technical and organizational measures to protect personal data.

4.2. Accuracy and Security of Data

  • Both the Data Controller and the data subject are responsible for ensuring the accuracy of personal data; the data subject is required to notify us of any changes to their personal data.
  • The Data Controller takes all necessary steps to ensure the accuracy of personal data and to protect it from unauthorized access.

5. Purposes and Legal Grounds of Data Processing

5.1. Sending Newsletters

  • Purpose: Marketing communication, information about new products, offers.
  • Legal Basis: Consent (GDPR Article 6(1)(a)).
  • Processed Data: Name, email address.
  • Note: You can unsubscribe from the newsletter at any time by clicking the link at the bottom of the newsletter or by directly notifying the Data Controller.

5.2. Use of Cookies

  • Purpose: Ensuring the proper functioning of the website, improving user experience, analyzing traffic data, marketing purposes.
  • Legal Basis:
    • Consent (GDPR Article 6(1)(a)) – for non-essential cookies.
    • Legitimate interest or contract performance (GDPR Article 6(1)(f) or (b)) – for essential technical cookies.
  • Further Description: See the “Use of Cookies” section (Point 11) of this Policy.

5.3. Data Processing by Social Media Platforms

  • Purpose: Communication, sharing information (e.g., Facebook, Instagram).
  • Legal Basis: Voluntary decision, consent (GDPR Article 6(1)(a)).
  • Note: The data processing practices of social media platforms should be reviewed in their respective privacy notices.

6. Types of Processed Data

6.1. Types of Personal Data

  • Identification data: name
  • Contact data: email address
  • Technical data: IP address, browser type, cookies, login time.

6.2. Data Storage and Retention

  • Stored electronically on secure servers, protected by passwords and other security measures.
  • Retention period: until legal obligations are fulfilled or the purpose of processing is achieved, or until consent is withdrawn. After that, the data will be deleted or anonymized.

7. Rights of Data Subjects

7.1. Right to Information

The data subject has the right to request information about the purposes, legal basis, sources, duration of processing, and who has access to their personal data.

7.2. Right to Rectification

If the data subject believes their personal data is inaccurate or incomplete, they may request its rectification or supplementation.

7.3. Right to Erasure (“Right to be Forgotten”)

The data subject can request the deletion of their personal data if it is no longer necessary for the original purpose, or if they withdraw their consent and there is no other legal basis for processing.

7.4. Right to Data Portability

The data subject has the right to receive their personal data in a commonly used, machine-readable format and to request its transfer to another data controller.

7.5. Right to Object

  • The data subject may object at any time to the processing of their personal data if the legal basis for processing is the legitimate interest of the Data Controller.
  • The data subject has the right to object to the processing of their personal data for direct marketing purposes.

8. Data Security

8.1. Protection of Electronic Data

  • Multi-level authorization system.
  • Regular backups.
  • Use of antivirus software and firewalls.

8.2. Technical and Organizational Measures

  • Closed office network and secure Wi-Fi.
  • Paper documents stored in locked cabinets.
  • Regular data protection training for employees and data processors.

9. Handling Data Protection Incidents

9.1. Reporting Incidents to Authorities (72-Hour Rule)

In case of a data protection incident, the Data Controller will notify the National Authority for Data Protection and Freedom of Information (NAIH) without undue delay and, where possible, within 72 hours, unless the incident is unlikely to result in a risk to the rights and freedoms of the data subjects.

9.2. Notifying Data Subjects in Case of High Risk

If the incident is likely to result in a high risk to the rights and freedoms of data subjects, the Data Controller will inform the affected individuals without delay, explaining the nature of the incident and the measures taken.

10. Data Processors and Third Parties

10.1. Hosting Service Provider

  • Name: Rackhost Zrt.
  • Headquarters: 6722 Szeged, Tisza Lajos körút 41.
  • Contact: info@rackhost.hu
  • Data Processing Activities: Operating and maintaining the web server. Personal data is processed only on the Data Controller’s instructions.

10.2. Other Partners

The Data Controller may use other partners for personal data processing.
  • Marketing Agency: Creaweb Kft., activity: planning and executing marketing campaigns.
The Data Controller always enters into written agreements with these partners (data processors) in compliance with GDPR. These agreements specify that the partners can only process the data according to the Data Controller’s instructions, for the specified purpose, and for the necessary period.

11. Use of Cookies

11.1. Purpose and Types of Cookies

  • Session Cookies: essential for the operation of the website and are deleted when the browser is closed.
  • Functional Cookies: enhance the user experience, such as remembering login details or preferred language.
  • Analytical Cookies (e.g., Google Analytics): used for statistical purposes, helping to understand user behavior and improve website performance.
  • Marketing Cookies: help display relevant ads and measure the effectiveness of advertisements.

11.2. Managing User Preferences

  • Users can manage cookie settings in their browser, allowing them to block or delete cookies.
  • Changing cookie settings may result in some website features not functioning properly.
  • On the first visit to the website, users can accept or reject non-essential cookies (e.g., marketing cookies) through a pop-up window.

12. Data Protection Officer

12.1. Conditions for Appointment and Responsibilities

According to Article 37 of the GDPR, the Data Controller must appoint a Data Protection Officer (DPO) if its main activities involve:
  • the regular and systematic monitoring of data subjects on a large scale, or
  • the processing of sensitive data on a large scale.
The DPO’s responsibilities include:
  • monitoring compliance with GDPR,
  • providing advice to the Data Controller and employees,
  • liaising with the supervisory authority (NAIH) and data subjects.

12.2. Status and Contact Information

The DPO reports directly to the top management and is independent in performing their duties. If the Data Controller is not obligated to appoint a DPO but still does so, this will be properly communicated to the data subjects in this Policy.

13. Enforcement of Data Subjects’ Rights

13.1. Filing Complaints with the National Authority for Data Protection and Freedom of Information (NAIH)

If the data subject believes their personal data is being processed in violation of applicable laws, they may file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH):
  • Address: 1055 Budapest, Falk Miksa utca 9-11.
  • Phone: +36 (1) 391-1400
  • Email: ugyfelszolgalat@naih.hu

13.2. Judicial Remedies

In case of a violation of their rights, the data subject can seek judicial remedy. The case may be brought before the court of the data subject’s place of residence or habitual residence.

14. Legal Basis for Data Processing

14.1. GDPR (2016/679 EU Regulation)

Regulation (EU) 2016/679 of the European Parliament and of the Council aims to protect natural persons with regard to the processing of personal data and to ensure the free movement of such data within the EU.

14.2. Act CXII of 2011 on Informational Self-Determination

The Hungarian law regulating the principles and limits of personal data processing in Hungary.

14.3. Other Relevant Hungarian Laws

  • Act C of 2000 on Accounting.
  • Act V of 2013 on the Civil Code (Ptk.).
  • Act XLVIII of 2008 on the Fundamental Conditions of Economic Advertising Activities.

15. Final Provisions

15.1. Validity and Amendments of the Privacy Policy

  • This Policy is valid from December 1, 2025.
  • The Data Controller reserves the right to unilaterally amend this Policy, especially in response to legal changes, new data processing activities, or recommendations from the supervisory authority.
  • Any amendments will be posted on the website, and data subjects will accept the updated rules by continuing to use the services after the policy comes into effect.
Issued: Tatabánya, December 1, 2025. Duna-Gerecse Turisztikai Nonprofit Kft.