Effective: from the 18th day of February, 2021 till withdrawal
TMRW Applications Limited Liability Company (Company registration number: Cg. 01-09-294779; tax number: 25892295-2-42; registered seat: 1077 Budapest, Wesselényi utca 28; electronic contact details: info@tmrw.life; (hereinafter: „Service Provider, or Controller, respectively”) produces the present Data Management Policy (hereinafter: „Policy”) concerning the provision of advertising space and information, specifically but not exclusively the mediation of services (hereinafter „Services”) specified in clause 23 of Section 2 of Act CLXIV of 2005 on commerce.
The Data Subject is the registered user of the online accessible websites http://www.tmrw.life, http://www.tmrwhotels.life (hereinafter: „TMRW Homepage”) and the registered user of the mobile applications
„TMRW Hotels, TMRW Hostels, TMRW Apartments (hereinafter: „TMRW Application”) or the party concluding a contract for Services with the Service Provider and its Partner – see: General Contractual Conditions of the Service Provider – respectively, or the beneficiary indicated in the said contract (hereinafter the „Data Subject”).
The purpose of the Policy is to specify for the Users of the Service the scope of data processed by the Service Provider, the method, purpose and legal grounds of data processing, as well as to ensure that the constitutional principles of data protection and the requirements of data security are enforced, to prevent unauthorized access to Users' data, the alteration of the data and the unauthorized disclosure or usage of the data.
Legal regulations with special significance from the aspect of the Policy:
The Decree of the European Parliament and Council (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data and the free flow of such data, as well as on the rescission of decree 95/46/EC (hereinafter: „GDPR”) |
Hungary’s Basic Law |
Act CXII of year 2011 on the Right of Informational Self-Determination and on Freedom of Information (Info Act) |
Act V on Civil Code of 2013 (hereinafter: „Ptk”) |
Act CXXXIII of year 2005 on the rules of the protection of persons and property as well the private investigation activity (hereinafter: „Property protection law”) |
Act CVIII of year 2001 on certain issues of electronic commercial services and information society services (specifically Sections 13/A-13/B) |
Act CLXIV of 2005 on commerce |
Government Decree No. 239/2009. (X. 20.) on the detailed conditions of engagement in accommodation service activities and the procedure for the issuance of accommodation licences |
Government Decree No. 237/2018. (XII. 10.) on the implementation of Act CLVII of 2016 on the State’s Responsibilities Regarding the Development of the Tourism Regions |
Act CLVII of 2016 on the State’s Responsibilities Regarding the Development of the Tourism Regions |
Act XCVII of 2018 on the amendment of Act CLVII of 2016 on the State’s Responsibilities Regarding the Development of the Tourism Regions and Related Rules of Law |
Act CXIX of year 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing |
Act XLVIII of year 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities |
Act C of 2003 on electronic news release |
Act XC of 2017 on criminal procedures |
Act C of 2012 on the Criminal Code |
as well as the data protection legal regulations in conformity with the seats of the Partners of the Service Provider, unless these violate the Hungarian law and order. |
Data Subject: any specified natural person, identified by the personal data or a natural person who can be identified directly or indirectly;
User: the Data Subject who registers on Service Provider’s Website and/or Application and who concludes a contract for the Service with the Service Provider and its Partner, and furthermore who was specified as the beneficiary of the Service by the above person(s);
Consent: voluntary and express declaration of the Data Subject based on appropriate information and by which he/she provides his/her unambiguous consent to process the personal data concerning himself/herself fully or covering certain operations;
Personal data: data that can be connected to the Data Subject, specifically the Data Subject’s name, ID, as well as knowledge typical to his/her one or several physical, physiological, mental, economic, cultural or social identity, and the conclusion concerning the Data Subject that can be drawn from the data;
Controller: the natural or legal entity or organisation without legal entity who or which independently or together with others specifies the purpose of managing the data, makes the decisions and executes them concerning data processing (including the tool used) or has the decision executed by the data processor;
Data processing/processing: irrespective of the applied procedure any operation or the aggregate of operations carried out on the data, in particular collection, recording, organization, storage, alteration, usage, retrieval, forwarding, disclosure, coordination or combination, blocking, erasure and destruction as well as preventing the further use of the data, taking photos, voice or image recordings and recording the physical characteristics suitable to identify a person (e.g. finger-or palmprints, DNA sample, iris image);
Data transmission: making the data accessible to a specified third person, in particular the Partner to the contract as per clause 1;
Data processing: carrying out data processing operations, irrespective of the method and tool used to carry out the operations and the location of the application;
Partner, Partners: contracted partners of the service provider, accommodation, hotels, hostels and apartments according to the concept laid down in act CLXIV of year 2005, Section 2 Clause 23 on trading and in VM decree No. 62/2011. (VI. 30.) on the food safety conditions of the production and distribution of catering products that actually perform the mediated services laid down in clause 1;
Disclosure: making the data accessible to anybody
Erasing data: making the data unrecognizable in such a way that it is not possible to restore it;
Automatic processing: it includes the following operations if they are carried out in whole or in part with automated tools: data storage, logical or arithmetical operations on the data, alteration, erasure, retrieval and distribution of the data; Cookie: A cookie is a small text file stored on the hard drive of the computer or the mobile device and is activated at later visits. Webpages use cookies with the purpose to record the information connected to the visit (pages visited, time spent on the page, browsing data, exits etc.) and the personal settings; however, these data cannot be related to the Data Subject. This tool helps to design a user-friendly webpage in order to increase the online experience of the Data Subject. Most of the internet browsers automatically accept cookies; however, the Data Subjects have the opportunity to delete or reject them. As all browsers are different the Data Subjects can set their preferences regarding cookies individually, through the toolbar of the browser. If the Data Subject does not want to enable any cookie from the websites visited, he/she can modify the settings of the browser so that he/she receives a notification about the cookies that have been sent or he/she may simply reject all cookies or only cookies sent by certain websites. At the same time the user may delete the cookies stored on his/her computer, notebook or mobile device at any time. For further information concerning settings please refer to the Help of the browser. If the Data Subject decides to disable the cookies, he/she must renounce certain functions of the website (e.g. the website would not remember that the Data Subject remained logged in). There are two types of cookies: “session cookies” and “persistent cookies”.
Session cookies: these are stored by the computer, notebook or mobile device only temporarily until the Data Subject leaves the given website; these cookies help the system to remember information while the Data Subject makes a visit from one page to another, so the Data Subject must not repeatedly enter or complete the given information.
Persistent cookies: these are stored on the computer, notebook or mobile device even after leaving the website. With these cookies the website will recognize – although personally would not identify – the Data Subject as a returning visitor. The persistent cookies are stored on the computer or mobile device of the Data Subject as files.
Flash cookies: Adobe Flash Player that is used to run certain types of animated banners and different types of videos (youtube, vimeo) is able to store information on the computer, notebook or mobile device. The acceptance of „Flash cookies” cannot be set through the Web browser. If the Data Subject does not want to receive Flash cookies it must be set on the website of Adobe: www.adobe.com/hu/privacy/cookies.html. If the Data Subject disables Flash cookies it is possible that he/she would not be able to use certain functions of the websites – in this case the Homepage – e.g. the videos attached to the articles would play incorrectly.
System: the entirety of the technical solutions operating the pages and services of the Controllers and their partners accessible through the internet.
Otherwise under the concepts used in the present Policy the contents of the explanations made of the concepts in the TMRW GTC of the Service Provider as well as in section 3 of the Info Act and Article 4 of the GDPR shall be understood with the condition that in case of deviations the contents laid down in the GDPR shall be governing.
Service Provider declares that it processes personal data only for exercising rights or fulfilling obligations. It does not use the personal data processed for private purposes and data processing always complies with the purpose limitation principle – if the purpose of data processing has terminated or data processing is otherwise unlawful the data will be erased.
In order to prevent abuse, the TMRW Homepage and the TMRW Application can only be used after registration
(hereinafter: „Registration”) in accordance with the prevailing general contractual terms and conditions (hereinafter
„TMRW GTC”) of the Service Provider, in order to ensure Services, prevent abuse and avoid safety hazards. Contract aiming at
Services is established through the booking (hereinafter: „Booking”) of the Data Subject as user, registered in
accordance with the prevailing general contractual terms and conditions of Service Provider.
Service Provider may process the personal data of the Data Subjects for the following purposes, in the following scope and proportion:
Specification of the purpose of data processing: | 1. Registration; specifically |
Description of the processes and operations: | See: TMRW GTC item V |
Expected duration and deadline of data processing: | As a general rule till the deletion of the registration, in cases exceeding that The controller retains the right to process the relevant data to the extent necessary for the deadlines exceeding the above deadlines till the deadline open to enforce the demands well-founded by rights and obligations arising from activities giving cause for data processing |
Personal data - scope, type and categories | Data to be provided as a condition of the Registration: surname and first name (if different, name at birth also), place and date of birth, mother’s name, tax identification code, nationality, personal identification number, identification card number, home address (or residence, notification address), email address, phone number or other contact possibility of the registering Data Subject |
Location of data processing | At the controllers, see below. |
Legal grounds of data processing | GDPR, Chapter II, Article 6 (a), (b), (c) |
the identification of the Data Subjects;
Communication with the Data Subjects and providing information to them
for 5 years for the data concerned with regard to Section 78 paragraph (3) of the Act on the Rules of Taxation
for 8 years for the data concerned with regard to Section 169 (1)-(2) of the Accounting Act
In addition, for a longer period if it is provided by law
Specification of the purpose of data processing: | 2. Booking; specifically |
Description of the processes and operations: | See: Clause VI of TMRW GTC |
Expected duration and deadline of data processing: | As a general rule till the deletion of the registration, in cases exceeding that The controller retains the right to process the relevant data to the extent necessary for the deadlines exceeding the above deadlines till the deadline open to enforce the demands well-founded by rights and obligations arising from activities giving cause for data processing. |
Personal data - scope, type and categories | Data to be provided depending on the type of Booking if these were not provided during Registration: surname and first name (if different, name at birth also) place and date of birth, mother’s name, nationality, home address (or residence, notification address), email address, phone number or other contact possibility of the Data Subject entitled to use the Service |
Location of data processing | At the controllers, see below. |
Legal grounds of data processing | GDPR, Chapter II, Article 6 (1) (a), (b), (c) |
Specification of the purpose of data processing: | Provision of Service; specifically |
Description of the processes and operations: | See: Clauses VI-XX of TMRW GTC |
Expected duration and deadline of data | As a general rule till the deletion of the registration, in cases exceeding that |
the identification of the Data Subjects;
Getting acquainted with the requirements of the Data Subjects;
Communication with the Data Subjects and providing information
for 5 years for the data concerned with regard to Section 78 (3) of the Act on the Rules of Taxation
for 8 years for the data concerned with regard to Section 169 (1)-(2) of the Accounting Act
In addition, for a longer period if it is provided by law
Getting acquainted with the requirements of the Data Subjects;
Communication with the Data Subjects and providing information to them
processing: | The controller retains the right to process the relevant data to the extent necessary for the deadlines exceeding the above deadlines till the deadline open to enforce the demands well-founded by rights and obligations arising from activities giving cause for data processing. |
Personal data - scope, type and categories | Information essential to exercise rights and obligations laid down in the GTC, over and above the data provided during Registration and Booking. In this scope, special data, thus data concerning health, could also be processed (See: Clause XI of TMRW GTC). |
Location of data processing | At the controllers, see below. |
Legal grounds of data processing | GDPR, Chapter II, Article 6 (1) (a), (b), (c) GDPR, Chapter II, Article 9 (2) (a), (c), (e) |
for 5 years for the data concerned with regard to Section 78 (3) of the Act on the Rules of Taxation
for 8 years for the data concerned with regard to Section 169 (1)-(2) of the Accounting Act
In addition for a longer period if it is provided by law
Specification of the purpose of data processing: | 4. Newsletter subscription; subscription for Direct Marketing |
Description of the processes and operations: | The Registered Data Subjects have the opportunity to subscribe to the Service Provider’s newsletter as per Section 6 of the Grtv on the specifically dedicated interface on the TMRW Homepage and TMRW Application, and when making Booking to subscribe also to the newsletter forwarded through the given Partner Service Provider (hereinafter: „Subscription to Newsletter”). Service Provider may deliver online newsletters and electronic direct marketing messages containing novelties, news and offers to the Data Subjects subscribed to the newsletter(s). |
Expected duration and deadline of data processing: | Until user unsubscribes, otherwise by the cancellation of the Registration. |
Personal data - scope, type and categories | Data to be provided as a condition of Direct Marketing Subscription if they were not provided during Registration or when the Data Subject intends to give different data: name; email address; social media profiles of the subscribing Data Subject The possibility of unsubscribing is provided by a direct link in all newsletters. |
Location of data processing | At the controllers, see below. |
Legal grounds of data processing | GDPR, Chapter II, Article 6 (1) (a) |
Specification of the purpose of data processing: | 5. Preparation of an anonymised database; preparation of statistics; specifically |
Description of the processes and operations: | Registered Data Subjects have the opportunity to allow Service Provider through their express consent on the dedicated interface of the on the TMRW Homepage and in the TMRW Application to obtain authorisation for collecting anonymised data of the Data Subjects about their habits of using the Service, in order to better serve them. Within this scope Service Provider is furthermore entitled to evaluate registered Data Subjects in its prize program or within another initiative with similar purpose based on Data Subject’s bookings, orders and consumption data and grant discounts, price reductions, exclusive offers and promotions in accordance with the evaluation. Service Provider records information in any of its databases referred to above in such a way that the information itself is not suitable to identify Data Subjects in case of unauthorized access. The registered Data Subject may request Service Provider through email to take a view of the data collected related to his/her user ID and may request that Service Provider deletes the connected information and data. |
to better understand users’ demands;
in order to improve TMRW services
Expected duration and deadline of data processing: | Until the deletion requested by the Data Subject; otherwise until the Registration is cancelled. The Controller retains the right to process the relevant data to the extent necessary for the deadlines exceeding the above deadlines till the deadline open to enforce the demands well- founded by rights and obligations arising from activities giving cause for data processing. |
Personal data - scope, type and categories | The anonymised and/or encoded system data, cookie data, orders submitted during bookings, specific orders and additional consumption data concerning the Data Subjects. |
Location of data processing | At the controllers, see below. |
Legal grounds of data processing | GDPR, Chapter II, Article 6 (1) (a) GDPR, Article 22 (2) (c) |
Specification of the purpose of data processing: | 6. To increase customer experience, technically improve the IT system, protection of users’ rights |
Description of the processes and operations: | Until the permission is granted the TMRW Homepage requests a permission from the visitor of the TMRW Homepage every time the page is opened for using the cookies applied by the TMRW Homepage, for the following purposes: to provide better and faster customer experience, to display tailor-made advertisements based on the automatically recorded data of the registered Data Subject, to prepare statistics, to technically improve the IT system and to protect the rights of the users. (The above jointly referred to: customizing cookies.) |
Expected duration and deadline of data processing: | Until the period provided for the application of the cookies by Service Provider – published on the TMRW Homepage – but not more than cancelling the Registration. |
Personal data - scope, type and categories | The anonymised and/or encoded system data, cookie data, orders submitted during bookings, specific orders and additional consumption data concerning the Data Subjects. |
Location of data processing | At the controllers, see below. |
Legal grounds of data processing | GDPR, Article 22 (2) (c) (In consideration of which Article 6 (1) (a) of Chapter II; Article 9 (2) (a) of the GDPR) |
Specification of the purpose of data processing: | Providing data to the Tourism Data Supply Centre relating to the registration of users of accommodation services |
Description of the processes and operations: | The National Tourism Data Supply Centre (Centre) is a new, digital data supply system enabling us to see in real time the traffic and statistical data of all accommodations in the country: that is how many adults and how many children arrived, where they came from, how much time they spent, what services they used, and how much the domestic and foreign guests spent. |
Expected duration and deadline of data processing: | One year from the time of recording, pursuant to Section 9/H (2) of Act XCVII of 2018 on the amendment of Act CLVII of 2016 on the State’s Responsibilities Regarding the Development of the Tourism Regions and Related Rules of Law |
Personal data - scope, type and categories | Pursuant to Section 9/H (1) of Act XCVII of 2018 on the amendment of Act CLVII of 2016 on the State’s Responsibilities Regarding the Development of the Tourism Regions and Related Rules of Law: family and last name, family and last name at birth, date and place of birth, gender, mother’s family and last name at birth, ID data in the document or passport suitable for personal identification of the person using the services, address of the accommodation site, start and expected end date of using the accommodation service. |
Location of data processing | By means of the accommodation management software specified in Section 9/I of Act XCVII of 2018 on the amendment of Act CLVII of 2016 on the State’s Responsibilities Regarding the Development of the Tourism Regions and Related Rules of Law, in the storage space provided by the hosting service provider designated in the government decree, which, for the purposes of this Policy, shall mean the PMS-provider designated by the data processors |
Legal grounds of data processing | GDPR, Chapter II, Article 6 (1) (c) |
Service Provider processes the personal data lawfully, in accordance with the following clauses of Article 6 (1) of Chapter II of the GDPR:
(a) – “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” - , | I/N |
(b) – “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” - , | I/N |
(c) – “processing is necessary for compliance with a legal obligation to which the controller is subject” - , | I/N |
(d) – “processing is necessary in order to protect the vital interests of the data subject or of another natural person” - , | I/N |
(e) – “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” - , | I/N |
(f) – “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child” - , | I/N |
and, in the case of special categories of personal data, in accordance with the following clauses of Article 9 (2) of Chapter II of the GDPR:
(a) – “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 11 may not be lifted by the data subject” - , | I/N |
(b) – “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject” - , | I/N |
(c) – “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent” - , | I/N |
(d) – “processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects” - , | I/N |
(e) – “processing relates to personal data which are manifestly made public by the data subject” - , | I/N |
(f) – “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity” - , | I/N |
(g) – “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” - , | I/N |
(h) – “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 32” - , | I/N |
(i) – “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy” - , | I/N |
(j) – “processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1)3 based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”. | I/N |
The data of the Data Subjects according to clause 7 of the present Policy are received and obtained by Service Provider through its TMRW Homepage and/or TMRW Application in every case, based on the voluntary consent of
1 (1) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
2 “Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.”
3 “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place”
the registering party or the registered Data Subjects, respectively. For the authenticity of the personal data provided it is always the registering entity and the registered Data Subject, respectively, responsible. Service Provider does not verify the personal data given to him.
By accepting the present Policy, the Data Subjects are obliged to accept the provisions of the present Policy and give their consent that Service Provider processes the data included in clause 7.
By using the TMRW Homepage and/or the TMRW Application, and by concluding the contract for the Services, respectively, the Data Subjects expressly accept the present Policy.
Personal data may only be obtained and processed in a fair and lawful manner.
Personal data may only be stored for specified and lawful purposes and may not be used in any different way.
The scope of the Personal Data processed must be proportionate to the purpose of their storage, must meet this goal and may not extend beyond it.
Appropriate safety measures must be taken to protect the personal data stored in the automated data files to prevent accidental or wrongful destruction or accidental loss as well as unauthorized access, alteration or distribution.
Service Provider and, where applicable, the Service Provider's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
the purposes of the processing;
a description of the categories of data subjects and of the categories of personal data;
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
where possible, the envisaged time limits for erasure of the different categories of data;
where possible, a general description of the technical and organisational security measures referred to in Article 32 (1). Service Provider shall make the record available to the supervisory authority on request.
With respect to the fact that the obligatory event laid down in Article 37 of Chapter IV of the GDPR subsists –processing of special categories of personal data, regular and systematic monitoring of data subjects on a large scale –, a data protection officer was appointed on 1 July 2018.
Service Provider hereby informs the Data Subjects that in case they observe disquieting procedures, incidents or any other circumstances from the aspect of data protection the lawfulness of which is otherwise objectionable from a legal and/or technical, organisational point, or the investigation of which is at least justified, the Data Subjects can make announcement and get in touch with the data protection officer by informing the competent employee or manager of the Service Provider, but independently of him/her, at the following contact details.
Name and contact details of the Data Protection Officer: Gergely Tálasi, dataprotection@tmrw.life
Service Provider is entitled and obliged to transfer to the competent authorities all personal data available to it and regularly stored by it the transfer of which is made obligatory by legal regulation or legally binding enforcement notice. Service Provider may not be held responsible for such transfer and for the resulting consequences.
In addition to the above, the Service Provider may transfer data exclusively to the Partners related to the Service Provider, and, within them, exclusively to Partners who have contractual obligation to provide Services with respect to the Data Subject; accordingly, the Service Provider may transfer data to a Partner exclusively for the purpose and to the extent of performing Services. The data of individual Partners are available in the booking menu item of the TMRW Homepage and TMRW Application; however, the Service Provider will send the relevant data of the Partner concerned as the data processor of Service Provider – name, registered seat, contact details, scope of data to be transferred by indicating the purposes of data processing, the physical locations of data processing if outside the system – to the Data Subject when confirming the booking.
In relation to the above and otherwise, if the Service Provider transfers the operation or utilization of the content services on the TMRW Homepage and TMRW Application in whole or in part – including the Partners as well – than it can transfer the data processed by it to this third person in full, without requesting specific consent for further processing.
Service Provider transfers data, in addition to the above, exclusively to processors in contractual relationship with it, and, within them, only to those who are bound by contractual obligation in connection with the TMRW Homepage and/or TMRW Application and the system(s) serving them; accordingly, the Service Provider transfers data to third persons exclusively and to the extent of fulfilling the purposes indicated in the present Policy. This data transfer may not bring the Data Subject concerned into a position more disadvantageous than the data processing and data security rules indicated in the prevailing text of the present Policy.
Processors of the Service Provider | scope of data affected | purpose(s) of data processing affected | Physical location(s) of data processing |
Amazon Web Services, Inc. Registered office: 410 Terry Avenue North Seattle, WA 98109-5210 USA Contact details: Mailing address: Box 81226 Seattle, WA 98108 | Name of Data Subject, email address of Data Subject, invoicing address of Data Subject, room type affected by the booking(s), room number affected by the booking(s), name of hotel affected by the booking(s) | Data processing of Customer contracts Automated cloud service of the TMRW System; performing backup operations of the TMRW System | Amazon Web Services (AWS) EC2 cloud-based service provider |
Telephone: (206) 266- 4064 Fax: (206) 266-7010 | |||
Clock Software Ltd. (Company Reg.# 08008667 VAT Registered: GB 171901910) Registered office: 27 Redcliffe Gardens, London, SW10 9BH, UK Contact details: +44-203-3-979-671 +1-844-244-0165 https://www.clock- software.com/company-aboutus/contact-us.html | Name of Data Subject, email address of Data Subject, invoicing address of Data Subject, room type affected by the booking(s), room number affected by the booking(s), name of hotel affected by the booking(s) | Data processing of Customer contracts Cloud-based hotel management (PMS) service | data processing is cloud-based, the affected service provider is Amazon WEB services (AWS) EC2 (https://aws.Amazon.com/?nc2 =h_lg) |
Service Provider undertakes as a general obligation that any transfer carried out by the Service Provider may not bring the user concerned into a position more disadvantageous than the data processing and data security rules indicated in the prevailing text of the present Policy.
Service Provider does not transfer the personal data of the Data Subjects to third countries and international organisations (outside the EU, non-EEA countries) except when the Data Subject provided its specific consent and according to the conditions laid down in a written declaration issued by the parties by providing appropriate guarantees that suit the provisions of the GDPR.
The above stipulation does not extend to cases laid down in Article 45 of the GDPR according to which if the purpose of a transfer is a governmental and/or international organisation for which a valid, so-called „adequacy decision” issued by the Committee is in force no separate consent is required for such a transfer. At the date of the present instrument, accepted adequacy decision is in force for the following third countries: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Jersey, Canada, Isle of Man, Switzerland, Uruguay, U.S.A. (Privacy Shield), New Zealand – in case of Japan and South Korea the adequacy procedure is in progress.
In accordance with the obligation of Section 32 of the GDPR, the Service Provider – by keeping in mind as its obligation – does its utmost so as to ensure the security of the data of the Data Subjects; furthermore it takes the necessary technical and organisational measures and develops the rules of procedure that are required to enforce the rules of the GDPR and other rules of data and secret protection.
Service Provider processes data primarily in the frame of automatic processing – TMRW Homepage and TMRW Application as well as the systems serving them – and processing any data requiring human intervention may only take place exceptionally and to the extent justified. The activities of the Service Provider and the processors involved by it suits the following requirements: organisational security, security connected to employees, external persons and security connected to the environment, classification and verification of assets, communication and operational management, access control, operational continuity management, systems engineering and maintenance.
The so-called cloud-based applications are also part of the System serving the TMRW Homepage and the TMRW Application (see: Service Provider’s prevailing general contractual terms and conditions). Service Provider chooses its partners providing cloud services with the utmost possible care – see among the processors indicated – and takes all generally expected measures to conclude contracts with them that keep in view the data security interests of all concerned and the data processing principles of which are transparent to it, and to regularly check data security. Physically, the data of the Data Subjects are stored in the cloud. By accepting the present Data Processing Policy, the Data Subject expressly agrees to the transfer required for making use of the cloud-based applications.
Partners can process personal data in exceptional cases only, following prior notice and exclusively for providing Services and/or for fulfilling legal obligations – e.g. storage of invoices – for which data processing the present Policy must be applied in an appropriate manner; otherwise the Partners may only carry out data processing activities in connection with performing Services.
Service Provider protects the data in particular against unauthorized access, alteration, transmission, disclosure, cancellation or destruction as well as against accidental destruction and damages. The data automatically and technically recorded in the course of the operation of the Service Provider’s system(s) are stored in the System calculated from the generation of such data for a period justified by the aspect of ensuring the operation of the System. Service Provider ensures that these automatically recorded data cannot be connected to other personal data with the exception of cases made mandatory by the law. If the Data Subject terminated its consent to process his/her personal data or has unsubscribed from the TMRW Homepage and the TMRW Application, his/her person will not be identifiable from the technical data thereafter, not including the investigating authorities and their experts.
Links: It is possible that reference or link can be found on the Service Provider’s TMRW Homepage or TMRW Application pointing to sites maintained by other service providers and financial enterprises (including buttons and logos pointing to login and share options), where the Service Provider has no influence on the experience of processing personal data and where Service Provider does not carry out data sharing/transfer, respectively. Service Provider draws the attention of the Data Subjects to the fact that by clicking on such links they may reach the sites of other service providers and financial enterprises. In such cases Service Provider recommends that the Data Subjects by all means read the data processing policies concerning the use of these sites. If the Data Subject modifies or deletes any of his/her data on an external website, this would not affect the Service Provider’s data processing, such modification must be made also on the TMRW Homepage and/or on the TMRW Application.
In case of registered Data Subjects until the registration is cancelled.
The data of not registered Data Subjects are cancelled when the related Service is closed in the system of the Service Provider.
The data provided for the newsletter subscription and Direct Marketing are deleted without delay when the Data Subject unsubscribes or when the registration expires.
Otherwise, the Service Provider deletes the data processed upon the request of the Data Subject except for the data the continued processing of which is necessary for settlement disputes or other legal disputes between the parties -until they are settled – and/or due to legal regulations. Within the latter, in particular, but not exclusively:
the data concerned with regard to Article 78 (3) of the Act on the Rules of Taxation, for 5 years
the data concerned with regard to Article 169 (1)-(2) of the Accounting Act In addition, for a longer period, if it is provided by the laws.
Service Provider retains the right to process the relevant data to the extent necessary for the deadlines exceeding the above deadlines till the deadline open to enforce the demands well-founded by rights and obligations arising from activities giving cause for data processing.
The data processed are obtained directly from the registered Data Subject; in consideration of that, the Service Provider only starts processing the data provided to it – the data are recorded in its system only then – when the registered Data Subject makes a declaration by undertaking criminal liability during the bookings that the data were provided with the knowledge and explicit consent of the Data Subject designated as qualified for the given Service with the purpose of identification and making use of the Service.
Service Provider retains the right to unilaterally modify the present Policy in the future. It will publish the new Policy on the TMRW Homepage and TMRW Application.
The Data Subject may request information about the processing of his/her personal data and may also request the rectification of these personal data and – with the exception of data processing ordered by legal regulation – the deletion of them based on the present Policy, in particular on the contact details provided above.
Upon the request of the Data Subject submitted by email, the Service Provider provides information about the data processed, the purpose of data processing, its legal grounds, the period of processing, the name and address (seat) of the processor and its activities related to data processing, and, in addition, who shall receive or have received the data and for what purpose. The controller is obliged to respond within the shortest time possible but within maximum fifteen (15) days counted from the submission of the request in an easy to understand manner and free of charge –refunding of costs is charged by the Service Provider in exceptional cases only (if the party requesting the information has not yet submitted a request to the controller concerning the same scope of data in the current year. In other cases, refunding of costs may be established. The rate of refunding may be laid down in the contract concluded between the parties. The already paid cost refunding must be reimbursed, if the data was processed unlawfully or the request for information has led to rectification.
If the provision of information to the Data Subject cannot be refused according to the law, the Service Provider gives information about the data of the Data Subject processed by it or by the processor commissioned according to its instructions, the sources of these data, the purpose of data processing, the legal grounds, duration, name and address of the data processing entity and its activities related to data processing, the circumstances of the data protection incident, its effects and the actions taken to prevent them, and furthermore – in case of transmitting the personal data of the Data Subject – about the legal grounds of data transmission and the addressee of it. Moreover, the information covers the information specified in Articles 13 and 14 of Chapter II of the GDPR.
Service Provider is obliged to rectify the personal data not corresponding to the facts. The controller erases the personal data if processing of them is unlawful, the Data Subject requests it – in this case within maximum five (5) days –, if it is incomplete or incorrect – and this status cannot be rectified legitimately – provided that erasure is not excluded by law, if the purpose of data processing has discontinued, the period of storing the data specified by the law has expired or the Court or the National Authority for Data Protection and Freedom of Information has ordered it. Service Provider shall inform the Data Subject as well as all other entities to whom it transferred the data for data processing purposes about the rectification and erasure. This notification may be ignored, if it does not hurt the rightful interests of the Data Subject in consideration of the purpose of data processing.
If the Data Subject uses personal data unlawfully or deceptively, or commits a crime, the Service Provider retains the right to preserve the relevant data in case of using them in this manner for demonstration in the incidental litigious and non-litigious procedure until the procedure is concluded. The latter shall be applied appropriately to the case when the Data Subject requested the erasure of the personal data in order to prevent or at least render more difficult the enforceability of the rightful claim of the Service Provider and/or Partner.
The Data Subject may object to the processing of his/her personal data, specifically
if the processing or transfer of the personal data is necessary only for compliance with a legal obligations to which the Service Provider is subject or the enforcement of the rightful interests of the Service Provider, the receiver of the data or a third person, except for mandatory data processing;
if the personal data are used or transferred for direct marketing purposes and for the purposes of opinion polling or scientific research, and
in other cases specified by law.
Service Provider shall examine the objection within the shortest possible period but maximum within fifteen (15) days, makes a decision regarding its grounds and informs the applicant about the decision in writing. Service Provider suspends data processing for the period of the investigation but for maximum five (5) days. If the objection is justified, the head of the organisational unit processing the data shall proceed in accordance with the provisions specified by the GDPR. In addition, the Data Subject may exercise the right to object using automated devices based on technical specifications by renouncing the Service included in the TMRW GTC, cancelling the registration and applying other related options available in the TMRW System (Article 21 (6) of the GDPR).
If the Service Provider establishes that the objection of the Data Subject is well-founded, terminates data processing –including further data recording and transfers –, blocks the data, and notifies all to whom it previously transferred the personal data affected by the objection about the objection and the actions taken, and who are obliged to take measures in order to enforce the right to object. If the Data Subject does not agree with the decision of the Service Provider, or if the Service Provider neglects the deadline, the Data Subject may go to law within thirty (30) days counted from the date of communicating the decision or the last day of the deadline, respectively.
Service Provider shall compensate for the damages caused to other parties by the unlawful processing of the data of the Data Subject or by violating the requirements of technical data protection. Service Provider shall be exempted from liability, if it demonstrates that the damage was caused by force majeure outside the scope of data processing. No compensation for the damage is due if it originates from the deliberate or negligent behaviour of the aggrieved party.
Information to the Data Subjects can be omitted/rejected or restricted for reasons set forth in the provisions of Article 13 (4) and Article 14 (5) of the GDPR and by providing a detailed justification, if
the Data Subject already has the information;
the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) of the GDPR or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
obtaining or disclosure is expressly laid down by Union or Member State law to which the Service Provider is subject and which provides appropriate measures to protect the data subject's legitimate interest; or
where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
Otherwise, the Data Subject is entitled to get access to the personal data concerning him/her as well as to the following information:
Copies of the personal data (for additional copies costs are charged)
The purposes of data processing;
The categories of data;
Data related to automatic decision making and profiling;
Information concerning the source in case of taking over data;
Recipients to whom the data have been or will be disclosed;
Information and guarantees related to transfers to third countries;
The period and aspects of storage,
Rights of the Data Subjects
Right to contact the authorities.
Complying with its obligation specified in Article 14 (3) of Chapter III of the GDPR, the Service Provider, if the personal data has not been obtained from the Data Subject, in particular, if it has been provided by a registered user in relation to the Data Subject entitled to use the Service, the Service Provider shall inform the Data Subject without delay, but within one month at the latest, of all information the knowledge of which is contained in this Policy, via the contact details known by the Service Provider.
The way of exercising the right to access: If the Data Subject submitted the application electronically, the information must be made available in a widely used electronic format unless the Data Subject requests otherwise.
The right to request a copy may not affect negatively the rights and freedom of others.
If the Service Provider has made the data public and is obliged to erase them in such a way that it makes reasonably expected steps by taking into account available technology and the costs of implementation in order to inform other processors in connection with the deletion of the relevant links, copies and duplicates.
Data Subject may not avail itself of the right of deletion and to be forgotten, if data processing is necessary: for the freedom of expression, to perform a legal obligation or to exercise public power, for reasons of public interest in the areas public health, for archiving purposes in the public interest, for scientific and historical research purposes and for the exercise of legal claims.
Service Provider shall restrict data processing upon the request of the Data Subject if
the Data Subject disputes the accuracy of the personal data
data processing is unlawful, and the Data Subject opposes the erasure of the data
the Service Provider no longer needs the data any more but they are required by the data subject for the establishment, exercise or defence of legal claims;
the Data Subject has objected to processing and the Service Provider is still carrying out an investigation.
Service Provider shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
The Data Subject is entitled to receive his/her data made available to the Service Provider:
in a structured, commonly used and machine readable format
have the right to transmit those data to another controller
may request that the personal data shall be transmitted directly from one controller to another –
where technically feasible
Except when the processing is for the performance of a task carried out in the public interest or in the exercise of official authority.
In case of violating the rights of the Data Subjects, remedies against the Service Provider can be sought at the court of arbitration specified in the Service Provider’s prevailing general terms and conditions in force, and may appeal to the National Authority for Data Protection and Freedom of Information based on the provisions of the Privacy Act and the relevant legal regulations (mailing address: 1363 Budapest, P.O.Box: 9; address: 1055 Budapest, Falk Miksa u.9-11). The case shall be given priority by the court.
Dated: Budapest,18 February 2021