1. Purpose of data processing:
This Information note aims at laying down the data protection and processing principles applied by CER Kft. (hereinafter: “Controller”) as well as its data protection and processing policy with obligations acknowledged by the Controller as binding upon it.
CER Kft. maintains the right to modify the provisions of this Information at any time, with the obligation of notifying its Clients and Partners without delay on any modification.
CER Kft. guarantees to handle in confidence all personal data it may obtain and to take all the security, technical and organisational measures necessary for granting the secure processing and the full security of the data during the complete term of Processing.
In the absence of any information to the contrary, the scope of this Information note shall not be extended to the services and processing connected to the promotions, prize games, services, other campaigns and the content published by third parties other than the operator of the relevant website or the Controller, placing advertisements in this Information or on the websites of the Company or otherwise appearing there. Similarly, in the absence of any information to the contrary, the scope of this Information shall not be extended to the services and processing by websites and service providers found under the links placed on the websites to which this Information is applicable. The provisions of the personal data processing information made by the third party operating the services shall be applicable to such services and the Controller shall undertake no responsibility whatsoever for such processing.
CER Kft. shall process, store and transfer personal data according to and in compliance with the applicable law, in particular:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing
- Regulation 95/46/EC (27 April 2016) (General Data Protection Regulation, GDPR)
- Act CXII of 2011 on Informational Self-determination and Freedom of Information (Information Act)
- Act I of 2012 on the Labour Code
- Act V of 2013 on the Civil Code
- Act CLV of 1997 on Consumer Protection
- Act XIX of 1998 on the Criminal Procedure
- Act C of 2000 on Accounting
- Act CVIII of 2001 on certain aspects of Electronic Commerce Services and Information Society Services (E-commerce Act)
- Act C of 2003 on Electronic Communications
- Act CXXXIII of 2005 on the rules of Personal and Property Protection activities and Private Investigation (PPP Act)
- Act XLVIII of 2008 on Certain Limitations to Business Advertising
2. Scope of the personal data processed:
2.1. If the User visits any service surface, the Controller’s system shall automatically record the User’s IP address.
2.2. According to the User’s decision, the Controller may process the following data in the context of using the services: name, nickname, gender, place of residence, place of stay, ZIP code, place of birth, date of birth, phone number, e-mail address, secondary e-mail address, introduction, IP address of last access, time of last access.
2.3. When the Users sends an e-mail (e.g. message, request for quotation etc.) for any of the services, the Controller shall record the User’s e-mail address and it shall process such e-mail address to the extent and for the duration necessary for providing the service.
2.4. Should the User decide voluntarily to associate his/her Facebook account with Controller’s Facebook account, the Controller shall also be authorised to process the following personal data of the User in addition to the ones mentioned above: Facebook profile name, Facebook profile URL, Facebook profile identifier, Facebook profile picture, Facebook e-mail address, place of residence entered on Facebook, gender entered on Facebook, birthday, introduction, marital status and website url.
2.5. Notwithstanding the above, the service provider technically connected to operating the service may also be engaged in a data processing activity on any of the websites without informing the Controller. Since activities of this kind and similar ones do not qualify as processing by the Controller, it shall make all efforts to prevent and detect such processing activities.
3. The scope of further data processed by the Controller:
3.1. The Controller shall place so called cookies for the purpose of providing customized services. Cookies serve the purpose of granting high level website services with customized services to enhance user experience. The User shall be able to delete the cookies from his/her own computer or to block in the browser the application of cookies.
3.2. The data to be technically recorded during operating the system: data of the User’s logging-in computer created during using the service and recorded by Controller’s system as the automatic result of the technical processes. The automatically recorded data shall be automatically logged by the system upon logging in and logging out, without the user’s express declaration or action.
4. Details of the scope of data processed by the Controller:
4.1. Data processing in the restaurant:
4.1.1. Guest data:
Purpose of data processing: Purchase in CER restaurant, issuing invoice, registry of guests, documenting purchase and payment, compliance with accounting obligations, maintaining contact with guests, and sending newsletters.
Legal basis of processing: data processing is necessary for meeting contractual obligations
Type of the personal data processed: name, address, service used, price, method of payment, time of using the service
Duration of processing: 8 years in accordance with the provision of the Act on Accounting
In the case of payment by card, the data of the bank card and of the card payment transaction shall be processed by Raiffeisen Bank Zrt. Implementation of data transfer: in case of card payment, the identifier of the payer, transaction amount, date, time of transfer towards the Bank.
Legal basis of data transfer: data processing is necessary for performing the contract in accordance with the provisions of GPRS.
Purpose of data processing: organisation, management, coordination and monitoring of events by CER Kft.
Legal basis of processing: data processing is necessary for performing the contract in accordance with the provisions of GPRS.
Scope of the data processed: booking ID number, date of the order and of the event, name, phone number, e-mail address of the booking party, number of participants, name and age of the affected party, any special request, data related to food allergy, other data entered in the course of ordering
Duration of processing: one month after the event.
Data processing is necessary for performing the contract.
4.1.3. Quality complaints, handling complaints:
Purpose of data processing: Handling quality complaints raised in the context of the services provided by CER Kft.
Legal basis of processing: data processing is necessary for performing the contract
Type of the personal data processed: individual complaint ID number, consumer’s name, place of residence, venue, date and method of making the complaint, list of documents and other receipts submitted by the consumer, description of the complaint, place and date of taking the minutes, name and signature of the person taking the minutes,
Duration of processing: 5 years, in accordance with the Act on Consumer Protection, with regard to the minutes taken on the complaint, and the copies and sending receipts of the replies given to written complaints
2 years with regard to the copies of entries made in book of complaints.
No data transfer shall take place.
4.1.4. Exceptional incidents:
Purpose of data processing: handling the exceptional incidents occurring in the restaurant and taking minutes on it.
Legal basis of processing: the legitimate interests of the Controller or of other persons require the handling of exceptional incidents.
Scope of the data processed: name, address, phone number of the injured party, date and time of the accident, description of the injury, accident, description of the measure taken, name of the person providing first aid, name, address, phone number, contact details of any witness.
Duration of processing: 5 years with regard to the minutes on guest accident.
4.1.5. Handling lost and found objects:
Purpose of data processing: keeping a registry lost and found in the restaurant, notification of the owner or the finder.
Legal basis of processing: according to the Civil Code.
Type of the personal data processed: date and time of finding, personal data of the finding person, description of the object found, the fact whether the owner has been notified, place of storage, name and signature of the finder, the persons handing it over and taking it over
Duration of processing: the data shall be deleted, destroyed after the found object has been taken by the owner.
4.1.6. Wifi services in the restaurant:
By accessing the wifi network the guests shall approve to CER Kft. monitoring the access on the basis of the equipment’s individual network identifier.
CER Kft. shall not record the wifi network traffic.
4.2. Marketing and market survey database:
4.2.1. Marketing database:
CER Kft. shall process the data of the persons who give consent to direct marketing contacting.
Purpose of data processing: building a business database, sending e-mail newsletters including business advertising to the data subjects, preparing customized offers by using online analytics data, forwarding the offers made by Controller and its partners.
Only persons over the age of 16 may give consent to contacting for the purpose of direct marketing.
Legal basis of processing: voluntary consent of the data subject in accordance with the Act on Business Advertising.
The scope of the data processed: ID number, name, address, e-mail address, phone number, consent given to contacting for the purpose of direct marketing, the system shall store the data connected to sending, delivering, opening messages and the data on the online activity of the data subjects.
Duration of processing: until the revocation of the consent given by the data subject.
The consent given to sending direct marketing messages may be revoked and the deletion or the modification of the personal data may be requested at the central e-mail address of CER Kft.
4.2.2. Market survey database:
CER Kft. shall process the data of the persons affected by the market survey.
Purpose of data processing: keeping a registry of the data of the persons participating in the market survey, segmenting the data, sending research invitations, coordinating and managing market surveys.
Legal basis of processing: voluntary consent of the data subject. Only persons over the age of 16 may participate in a market survey.
Type of the data processed: ID number, name, address, e-mail address, phone number, other data provided.
Duration of processing: until the revocation of the consent given by the data subject.
4.3. Property protection:
4.3.1. Electronic surveillance system:
An electronic surveillance and recording system is in operation in the restaurant of CER Kft. including cameras installed all over the guest area. The exact location of the cameras as well as the description of the surveillance areas are posted in the premises at a visible place and the guests entering the restaurant also receive the relevant information.
The controller of personal data: the competent manager of CER Kft.
Purpose of data processing: preventing and detecting breaches of the law for the purpose of protecting human life, physical integrity and rights to property, catching perpetrators in the act, providing proof of breaches of the law, identifying persons entering the territory of the restaurant without authorisation, recording the fact of entry, documenting the activity of the persons staying in the premises without authorisation, investigating any labour accident and other accidents.
Legal basis of processing: in case of guests, consent is deemed to be given by entering the territory of the restaurant, in case of employees, CER Kft. has a legitimate interest of property protection on the basis of the Labour Code.
Type of the personal data processed: the face-image of the persons entering the territory of the restaurant as seen in the recording and their other personal data recorded by the surveillance system.
Duration of processing: 30 days unless used (PPP Act)
Using the recordings:
Persons authorised to watch the current image of the cameras: authorised employees of CER Kft.
Persons authorised to watch the recordings made by the cameras: authorised employees of CER Kft.
Persons authorised to save to a data medium the recordings made by the cameras: authorised employees of CER Kft.
The recordings stored in the camera surveillance and recording system operated by CER Kft. may only be observed by the authorised persons in the interest of proving breaches of the law against human life, physical integrity and property and for the purpose of identifying the perpetrator.
The data subjects whose rights or legitimate interests may be affected by the video recording may request the controller, upon verifying their right or legitimate interest, not to destroy the recording or not to delete it until contacting the court or the authority, but for not more than 30 days. The person appearing in the recording may request information about the surveillance system’s recording made on him/her, he/she may ask for a copy of the recording, or if there is another person appearing in the recording, he/she may watch the recording. The data subject may request the deleting of the recording made on him/her, the modification of the data connected to the recording and he/she may raise an objection against the data processing.
The controller shall take minutes on the fact of observing the recording, the name of the observing person, the reason for accessing the data and its time.
Data transfer: in the case of a misdemeanour or criminal procedure, towards the authorities, courts in charge.
Scope of the data transferred: recordings made by the surveillance system and containing relevant information.
Legal basis of data transfer: Act on the Criminal Procedure Sztv.
4.4. Data processing by www……..hu:
4.4.1. Logging of the www……..hu server
Processing shall be performed by CER Kft. and visiting the website shall not result in the recording of user data by the server.
Processing by external service providers:
The html code of the portal contains links from and to external servers independent from CER Kft. The server of the external service providers is directly connected to the user’s computer; please note that for this reason they are able to collect users’ data.
Any customized content for the users shall be provided by the server of the external service providers and information on relevant data processing may be requested from the competent controllers. (Server of Google Analytics).
The service provider’s code accessible under facebook.com is placed on the website.
4.5. Mobile application:
Personal data may be collected from the data subject when he/she uses the mobile application of CER Kft. or otherwise contacts the company.
The data collected can be classified into two categories:
- data provided by the data subject
- data collected by automated method.
The data subjects may provide the following information:
- name, email address, date of birth,
- login password
- legal statements connected to using the application
The following information can be collected by using an automated method:
- IP address used by the data subject
- date of registering for the application
- date of redeeming offers
- the type of the browser and the operational system running on the data subject’s computer or mobile device
- type, identifier, advertisements of the affected mobile device,
- using Wifi, GPS, Bluetooth,
- activities connected to using the application.
CER Kft. may use the data collected for the following purposes:
- fulfilment of the requests made by the data subject, processing the arrangement of services
- sending information on the services, offers, promotions or events of CER Kft. and its business partners
Personal data of the data subjects will only be shared with third parties for the purpose of their direct marketing purposes with the data subject’s consent.
4.6. Application for jobs:
Job applications may be submitted via the website operated by CER Kft. The controller of personal data is CER Kft.
The employer as the controller shall process the personal data provided by the data subject for the purpose of workforce selection during the selection procedure and for a period of one year thereafter.
Purpose of data processing: application for a job vacation at CER Kft., participation in the selection procedure.
Legal basis of processing: voluntary consent of the data subject.
Type of the personal data processed: name, permanent place of residence, place of stay, phone number, e-mail address, place and date of birth, picture uploaded or sent, curriculum vitae, motivation letter.
Data deletion deadline: one year from the submission of the application.
4.7. Other data processing:
We shall provide information at the time of data collection about any data processing not listed herein.
5. Principles and methods of processing:
5.1. The Controller shall process the personal data according to the principles of good faith, fairness and transparency as well as the provisions of applicable law of this Information note.
5.2. The Controller shall use the personal data absolutely necessary for using the services on the basis of the data subject User’s consent and only for the designated purpose.
5.3. The Controller shall only process the personal data for the purpose specified in this Information note and in the applicable law. In any case when the Controller intends to use the personal data for any purpose other than the original purpose of data collection, the User shall be notified about it by asking for his/her express prior consent and offering him/her a chance to prohibit such use.
5.4. The Controller shall not verify the personal data provided to it.
5.5. The personal data of a data subject under the age of 16 shall only be processed with the consent of an adult exercising parental responsibility over him/her. As the Controller has no means to verify the eligibility of the consenting person or the content of his/her statement, the User or the person exercising parental responsibility over him/her shall guarantee that the consent is in accordance with the law.
5.6. The Controller shall not transfer the personal data processed by it to third parties other than the Processors specified in this Information note and external service providers in specific cases.
In certain cases – official requests made by the court or the police, legal procedure in the case of actual or suspected copyright, proprietary or other infringement, violation of the Controller’s interests, posing a risk to securely provide the services etc. – the Controller shall provide for a third-party access to the available personal data of the data subject user.
5.7. The Controller’s system may collect data about the users’ activity and such data shall not be associated with other data provided by the users upon registration or with the data generated by using other websites or other services.
5.8. The Controller shall notify the data subject user, and all the other parties to whom personal data were transferred earlier for the purpose of processing, on the rectification, restriction or deleting of the personal data processed by the Controller The notification may be dispensed with if this would violate the lawful interests of the data subject with due regard to the purpose of processing.
5.9. The Controller shall provide for the security of the personal data and take the technical and organisational measures and develop the rules of procedure to guarantee the protection of the data entered, stored and processed as well as to prevent the unintentional loss, unlawful destruction, unauthorised accessing, unauthorised use, unauthorised modification and unauthorised dissemination of such data.
6. User’s rights and the ways of their enforcement:
6.1. The User may request information from the Controller whether it processes any personal data of the User and if it does, access may be requested by the User to the personal data processed by the Controller.
6.2. The User may request the rectification or the modification of his/her personal data processed by the Controller.
6.3. The User may request the deleting of his/her personal data processed by the Controller.
Deleting can be refused on the basis of exercising the right to the freedom of expression and the right to information, or when the processing of the personal data is authorised under the law as well as when it is necessary for filing, enforcing or defending legal claims.
The Controller shall in each case notify the user on refusing the request for deletion by identifying the reason of refusal.
Newsletters sent by the Controller can be unsubscribed via the link provided in the newsletters or by sending an e-mail. In case of unsubscribing, the controller shall delete the user’s personal data from the newsletter database.
6.4. If the User challenges the accuracy of the data processed, he/she may ask for restricting the processing of his/her personal data by the Controller. This restriction shall apply to the period allowing the Controller to have the accuracy of the personal data verified.
The User may ask for the restriction of processing of his/her personal data if the collection of data is unlawful and also when the purpose of processing has been completed but the User demands the processing of data by the Controller for the purpose of filing, enforcing or defending legal claims.
6.5. The User may request the Controller to provide in a structured, widely used and machine-readable format the personal data provided by user and processed by the user in an automated manner, or to transmit such data to another controller.
6.6. The User shall have the right to object to the processing of his personal data, if it is only necessary for carrying out a legal obligation binding the Controller or for the enforcement of a justifiable interest on the part of the Controller, an operator of a service or a third party.
7.0. The processing of data
7.1. The Controller shall use Processors to perform its duties.
7.2. The Processors shall make no individual decisions, they shall act only on the basis of the contract concluded with the Controller and the instructions received. The Processors shall record, handle and process in accordance with the provisions of GDPR the personal data transferred to them by the Controller after 25.05.2018, and they shall make a declaration on it to the Controller.
7.3. The Controller shall control the Processors’ work.
7.4. The Processors may only involve further processors with the Controller’s consent.
8.0. Data transfer options:
8.1. The Controller shall be entitled and obliged to transfer to the competent authorities all available personal data stored properly by the Controller if the law or the final decision of an authority requires the transfer to be made. The Controller shall not be made liable for any consequence resulting from such transfer.
8.2. If the Controller assigns to any third party the full or partial operation or the utilisation of the content provision or web hosting on the websites of the services, then the personal data processed by the Controller may be fully or partially transferred to such third party, as the new operator, without requesting the User’s specific consent, but by providing appropriate prior notice to the User, however this transfer of data should not put the User in a position less favourable than the one he/she enjoys under the data processing rules described in this Information note.
The Controller should provide an opportunity to the User to prohibit the data transfer.
9.0. Modification of the Data Processing Information:
9.1. The Controller maintains the right to modify the Data Processing Information at any time with the Controller’s unilateral decision.
9.2. With his/her next login the User shall accept the current provisions of the Information note without the need to request any further consent from individual Users.
10.1. Questions or comments related to data processing may be addressed to the data protection officer of the Company at firstname.lastname@example.org
10.2. The User may file complaints related to data processing directly to the Hungarian National Authority for Data Protection and Freedom of Information (1125. Budapest, Szilágyi Erzsébet fasor 22/C).
10.3. The User may turn to the court if his/her rights are violated. Regional courts shall have competence to judge upon the case. The claim may be filed at the regional court with territorial jurisdiction according to either the data subject’s place of residence or his/her place of stay, as chosen by the data subject.