By compiling and providing access to this personal data processing notice (hereinafter – the Notice), Menza Co. Limited Liability Company (Menza Co., LLC; registered office: 2 Liszt Ferenc Square, 1061 Budapest; company registration no: 01-09-714752; tax number: 13016177-2-42; hereinafter – the Company) expresses its intention to ensure compliance with the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – the GDPR), and Hungary’s Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter – the Information Act).
The scope of the Notice covers all processes performed by all organisational units of the Company in the course of which personal data is processed. The Notice is valid until withdrawn. The Company reserves the right to make changes to this Notice and will notify this by publishing the amended Notice on its website.
I. DATA PROCESSING
Personal data controller: Menza Co. Limited Liability Company (Menza Co., LLC).
Registered address: 2 Liszt Ferenc Square, Budapest, 1061.
Company registration number: 01-09-714752
Tax number: 13016177-2-42
Phone: +36 (1) 413-1482
e-mail: info@menzaetterem.hu
II. GENERAL CONCEPTS
1. data subject: a natural person who is identified or can be identified on the basis of any information (a natural person who can be identified, directly or indirectly, in particular, by reference to a specific identifier, such as the name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person);
2. personal data: any information relating to an identified or identifiable natural person (data subject) (data that can be associated with a data subject includes, in particular, the name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject, and inferences that can be drawn from the data relating to the data subject);
3. special data categories: any data belonging to special categories of personal data, namely: personal data disclosing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade unions membership, genetic data, biometric data used to identify a natural person, health data and personal data relating to the sexual life or sexual orientation of a natural person;
4. data controller: a natural or legal person or an unincorporated organisation that, alone or jointly with others, determines the purposes for which data are to be processed, adopts and implements decisions on data processing (including the means used), or entrusts such processing to a data processor, within the limits established by law or a legally binding act of the European Union;
5. data processing: Any operation or set of operations performed on data, regardless of the procedure(s) used, including, but not limited to, collection, recording, registration, systematisation, storage, alteration, use, request, transfer, disclosure, alignment or combination, blocking, deletion and destruction, as well as prevention of further use of data, photography, sound or video recording, registration of physical characteristics that can be used to identify a person (fingerprints, palmprints, DNA samples, and retinal scans);
1. data processor: a natural or legal person or an unincorporated organisation that processes personal data for and on behalf of the data controller, within the limits and under the conditions established by law or a legally binding act of the European Union;
2. data breach: a data breach that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data that are transmitted, stored or otherwise processed.
Other laws and regulations referred to herein:
Act XLVIII of 2008 “On the Basic Requirements and Certain Restrictions of Commercial Advertising Activities,”
Act CXXXIII of 2005 “On the Rules of Private Security and Private Investigations,”
Act C of 2000 “On Accounting.”
III. COMPANY'S DATA PROCESSING
3.1 The Company's corporate website
The Company's website http://menzaetterem.hu does not require any personal data to be provided in order to view the information shared for public access. The Company does not collect any personal data about the website visitors.
3.2 Processing of customers’ data
The Company has the right to process personal data of its customers related to the order and the contract between the customer and the Company, namely its generation, registration and execution. The processed data include the name, telephone number and e-mail address provided during the order, i.e. the data required for issuing receipts, as well as contact information required to fulfil the order. Receipts issued to consumers when they consume in restaurants do not contain any personal data.
1. Purpose of data processing: the purpose of data processing is exclusively related to the conclusion, performance, amendment or termination of the contract.
2. Legal basis for data processing: The legal basis for data processing is the consent of the data subject [Art. 6 (1) (a) of GDPR] and the conclusion and performance of the contract between the data subject and the Company [Art. 6 (1) (b) of GDPR].
3. Duration of data processing: the duration of data processing shall be 8 (eight) years after the execution of the contract, in accordance with the legal provisions on the storage of supporting documents under the Law on Accounting.
3.3. Processing of suppliers and business partners’ data
The Company has the right to process personal data of its suppliers and business partners related to the offer and the contract between the customer and the Company, namely its conclusion, registration and execution. Scope of processed data: data provided in the request for quotation, order, contract, contact information and data required for issuance of receipts.
1. Purpose of data processing: the purpose of data processing is exclusively related to the conclusion, performance, amendment or termination of the contract.
2. Legal basis for data processing: The legal basis for data processing is the consent of the data subject [Art. 6 (1) (a) of GDPR] and the conclusion and performance of the contract between the data subject and the Company [Art. 6 (1) (b) of GDPR].
3. Duration of data processing: the duration of processing shall be 8 (eight) years after the execution of the contract, in accordance with the legal provisions on the storage of supporting documents in accordance with the Law on Accounting.
3.4. Processing of job applicants' data
The Company processes personal data contained in incoming and targeted CVs and other documents attached thereto, received directly or through a recruitment agency. Scope of processed data: personal data provided by the data subject in the CV and other submitted documents.
1. Purpose of data processing: the purpose of data processing is to inform the data subject about vacancies that best match his or her qualifications and interests, to arrange an individual interview with the data subject, and to conduct the selection procedure.
2. Legal basis for data processing: The legal basis for data processing is the voluntary consent of the data subject [Art. 6 (1) (a) of GDPR], which the data subject provides by sending his or her CV and related documents.
3. Duration of data processing: the duration of data processing is the duration of the employment relationship in case of successful application; in case of unsuccessful application, the application files of unsuccessful candidates will be deleted after the selection process is completed.
3.5. Processing of data related to video surveillance
The Company's head office operates an electronic surveillance and recording system in areas marked with a camera icon or warning information (surveillance areas). The video surveillance system monitors the restaurant territory. The video surveillance system records images and actions of persons entering the surveillance zone. The video surveillance system does not record sound. Only the authorised employees of the data controllers are entitled to view the actual images and recordings from the cameras. The camera system is operated by the Company and does not use the services of any other contractor, so the Company is the sole data controller. Scope of processed data: images of the data subject.
1. Purpose of data processing: the purpose of data processing is to protect property and persons in the building, protect trade secrets and confirm (prove) possible abuses, violations, as well as ensure safe storage of hazardous materials.
2. Legal basis for data processing: The legal basis for data processing is the voluntary consent of the data subject (upon entering the building) [Art. 6(1)(a) of GDPR], on the one hand, and the legal authorisation granted by Articles 30-31 of the Act on the Rules of Private Security and Private Investigations, on the other hand.
3. Duration of data processing: the duration of data processing shall be 30 (thirty) days from the date of recording (taking into account that the Company processes significant amounts of cash in its commercial units in connection with its activities pursuant to Article 31(3)(c) of the Act on the Rules of Private Security and Private Investigations), after which the records shall be automatically deleted.
IV. PERSONS ENTITLED TO ACCESS PERSONAL DATA
Access to personal data may be granted to employees of the Company who have access rights in connection with the relevant purpose of data processing, or to persons or organisations that process data or perform outsourced activities for our Company on the basis of service agreements, to the extent determined by our Company and within the limits necessary to perform their activities.
To process data relating to data subjects, the Company uses the services of the following data processors under service agreements designed for this purpose:
Circumstance Creative Ltd. (registered office: 1 Mikszáth Kálmán Street, 5435 Martfű; tax number: 24671550-2-16).
The above contractor develops and operates the Company's website and carries out data processing activities.
HOTEL-INFORMATIKA Vendéglátóipari Számítástechnikai Szolgáltató Korlátolt Felelősségű Társaság (IT Service Provider for the Catering Industry HOTEL-INFORMATIKA LLC (registered office: 62 Mexikói Square I/1, 1145 Budapest; tax number: 10753345-2-42).
The above contractor performs data processing activities for the development and maintenance of IT systems used by the Company.
VINPRO Számviteli Szolgáltató Betéti Társaság (VINPRO Accounting Service Provider LLC; registered office: 95 Fogarasi Street, 1141 Budapest, tax number: 21591442-1-42).
The above company provides accounting and payroll services to the Company, and thus it carries out data processing activities in relation to the data processed in connection with the receipts (invoices) issued by the Company (and the personal data processed therein) and payroll accounting.
V. DATA SECURITY
While operating our IT systems through the use of access control, internal organisation and technical solutions, we ensure that data of the data subjects cannot be accessed by unauthorised persons and that unauthorised persons cannot delete, extract from the system or edit (modify) the data.
We keep records of any data protection breaches and, if necessary, inform the data subject of any data protection breaches, if required by the GDPR and the Information Act.
VI. RIGHTS RELATED TO DATA PROCESSING AND THEIR IMPLEMENTATION
6.1. RIGHT TO REQUEST INFORMATION AND RIGHT OF ACCESS
The data subject may submit a written request for information from the Company regarding
1. what personal data,
2. on what legal basis,
3. for what purpose,
4. from what source,
5. for how long are processed,
6. to whom, when, on which legal basis, to which personal data the Company has provided access or to whom the Company has transferred his/her personal data.
The Company will respond to the data subject's request within a maximum of 15 (fifteen) days by sending a letter by e-mail or regular mail to the contact address provided by the data subject.
Before granting the request, the Company may ask the data subject to clarify the content of the request and specify the requested information or data processing activities.
If the right of access of the data subject provided for in this clause adversely affects the rights and freedoms of other persons, in particular, the trade secrets or intellectual property of other persons, the Company shall be entitled to refuse to satisfy the request of the data subject within the necessary and commensurate limits.
If the data subject requests more than one copy of the above information, the data controller has the right to charge a reasonable fee proportionate to the administrative costs of making additional copies.
If the Company does not process the personal data provided by the data subject, it is obliged to notify this in writing to the data subject.
6.2. RIGHT TO RECTIFICATION
The data subject may apply to the Company with a written request to rectify inaccurate, incorrect or incomplete personal data. In this case, the Company shall, without undue delay, but no later than within 5 (five) days, correct or clarify the said personal data, or, if compatible with the purposes of processing, supplement them with additional personal data provided by the data subject or a declaration of the data subject on the personal data being processed. The Company shall notify this to the data subject by e-mail or regular mail to the contact address provided by the data subject.
The Company shall be released from the obligation to rectify in cases where:
1. accurate, correct or complete personal data are not available to the Company and are not provided by the data subject; or
2. the accuracy of the personal data provided by the data subject cannot be unequivocally established.
6.3. RIGHT TO DATA DELETION
The data subject may apply to the Company with a written request to delete his or her personal data. The data subject must submit his or her request for deletion in writing and state the reasons why he or she wishes to have his or her personal data deleted.
The Company shall reject the deletion request if the Company is obliged by law to continue to store personal data. If there is no such obligation, the Company will satisfy the data subject's request within a maximum of 15 (fifteen) days and notify this to the data subject by e-mail or regular mail to the contact address provided by the data subject.
6.4. RIGHT TO DATA BLOCKING
The data subject may apply to the Company with a written request to block his or her personal data. The blocking shall last as long as the reason stated by the data subject requires the data to be stored. The data subject may request data blocking, for example, if he or she believes that his or her personal data have been unlawfully processed by the Company, but for the purposes of official or judicial proceedings initiated by the data subject, it is necessary that the personal data are not deleted by the Company. In this case, the Company will continue to store the personal data until the authority or court demands them, after which it will delete the data and notify this to the data subject by e-mail or postal mail to the contact address provided by the data subject.
6.5. RIGHT TO RESTRICT DATA PROCESSING
The data subject may apply to the Company with a written request to restrict the processing of his or her personal data in writing. During the period of restriction, the Company or a data processor acting therefor or on behalf thereof may carry out processing operations, except for the storage of personal data subject to the restriction, solely for the purpose of realising the legitimate interests of the data subject or in cases provided for by law. A restriction of processing may be requested by the data subject when and for as long as necessary,
1. if the data subject disputes the accuracy, correctness or completeness of personal data processed by the Company or the data processor, and the accuracy, correctness or completeness of the processed personal data cannot be unequivocally established (for the period of time necessary to eliminate the doubts),
2. if the data should be deleted, but there are sufficient grounds to believe, based on a written statement of the data subject or on information available to the Company, that the deletion of the data would violate the legitimate interests of the data subject (not to delete the data for the period of validity of the legitimate interest),
3. if the data could be subject to deletion, but it is necessary to preserve them as evidence in proceedings conducted by or with the participation of a state body (until the investigation or proceedings are completed).
In the case of restriction, personal data may be processed, with the exception of storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural person or legal entity, or for the protection of important public interests of the [European] Union or a Member State of the European Union.
The Company shall inform the data subject in advance of the lifting of the restriction on processing.
The Company shall, without undue delay after fulfilling the data subject's request to exercise his or her right to restriction, notify it to the persons to whom the data subject's personal data was disclosed, provided that this is not impossible or involves disproportionate efforts on the part of the Company. At the request of the data subject, the Company will advise him or her of such recipients.
6.6. RIGHT TO OBJECT
If the processing of data subjects' data is based on a legitimate interest, the data subject shall be provided with adequate information and the right to object to the processing. This right must be clearly communicated to the data subject at the time of first contact at the latest.
The data subject shall have the right to object on this ground to the processing of his or her personal data, in which case the Company shall no longer process the personal data of the data subject unless it can be proved that:
1. the processing is justified by compelling legitimate grounds on the part of the Company which override the interests, rights and freedoms of the data subject, or
2. the processing is related to the establishment, exercise or defence of legal claims by the Company.
6.7. RIGHT TO LEGAL DEFENCE
6.7.1. Settlement of disputes with the Company
Data subjects may submit their objections or requests regarding the processing of their personal data to the Company orally (in person) or in writing (in person or by means of a document delivered by another person, or by post or e-mail), using the contact details specified in Section I, to the Data Controller.
6.7.2. Right to lodge a complaint
If your objections, complaints or requests regarding your personal data have not been satisfactorily resolved with the Company, or if you believe that at any time there has been or is an imminent risk of a violation of your rights in connection with the processing of your personal data, you have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.
Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:
Office address: 22/c Szilágyi Erzsébet Alley, 1125 Budapest.
Postal address: 1530 Budapest, PO Box 5.
Telephone: +36 (1) 391-1400
Telefax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu
Web: http://naih.hu
6.7.3. Right to recourse to court (right of suit)
Regardless of right to lodge a complaint, data subjects may recourse to court if their rights pursuant to the GDPR or the Information Act were violated when their personal data were processed.
A lawsuit may be filed in a Hungarian court against the Company as a data controller registered in Hungary.
The data subject may also file a lawsuit in the court of his or her place of residence. Contact details of the courts in Hungary are available at the following link: http://birosag.hu/torvenyszekek.
VII. OTHER INFORMATION
7.1. EXERCISE OF RIGHTS REGARDING PERSONAL DATA AFTER THE DATA SUBJECT'S DEATH
Within five years after the data subject's death, the rights to which the deceased person was entitled during his or her lifetime may be exercised by a person authorised by the data subject by means of an administrative order or a declaration made to the data controller (in a public or private evidentiary document). If the data subject has not made such a statement, the deceased person's rights during his/her lifetime may be exercised by his/her close relative within the meaning of the Civil Code within five years after the data subject's death (in case of several close relatives, such rights may be exercised by the first person to exercise them).
7.2. SPECIAL PROVISIONS FOR VIDEO RECORDINGS
7.2.1. The right to request information
The data subject has the right, within 3 (three) days from the date of recording, to request information about what is shown on the recording in relation to the data subject. The request must specify where the record was made, at what time and how the data subject can be identified. The Company shall satisfy the request within 15 (fifteen) days.
7.2.2. The right to block
Within 3 (three) days from the date of recording, the data subject may request that his or her data not be destroyed or erased by the data controllers (blocking), justifying his or her right or legitimate interest. The request must specify where the record was made, at what time, how the data subject can be identified and the reason for the blocking. Simultaneously with the blocking, it is advisable for the data subject to initiate the necessary official or judicial proceedings, as the Company will only disclose records in response to a request from an authority or court.
7.2.3. Right of access
The data subject may request access to the records made about him or her within 3 (three) days from the date on which the record was made. The request must specify where and when the record was made, how the data subject can be identified, and on what day the data subject wishes to access the record. The Company will be able to provide access on working days from Monday until Friday from 9 am until 3 pm.