Privacy and Data Protection Policy

of

Tour-IT Ltd.

Before you provide any personal data, please read this Privacy Statement carefully which complies with the effective data protection laws, with special regard to Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) and Act CXII of 2011 on the right of informational self-determination and on freedom of information (“Infotv.”) Unless defined otherwise in this Privacy Statement, the terms used herein have the meaning defined in the “Definitions” sections of the GDPR.

The purpose of this Privacy Statement is to provide comprehensive rules concerning the management and – when applicable – processing of the personal data required to the use of the services offered by Tour-IT Ltd. (principal seat: 1065 Budapest, Lazar utca 9 fszt/ground floor, Hungary.) registered by the Company Registry Court of Budapest - Capital Regional Court under company registration number: 01-09-327411, tax number: 26383752-6312-113-01) by way of the web page/portal (https://tourit.online/). The effective version of the privacy statement is published on https://tourit.online/. The Data Controller reserves the right to amend this Privacy Statement, and to modify it in accordance with the changes occurred in the law of the European Union and/or Hungary.

The Data Controller makes all efforts to protect your personal data and right of informational self-determination, and to this end, it manages only the personal data specified in this Privacy Statement, on the legal bases permitted under the GDPR, and only in a manner, for the purpose and time period stated herein. The Data Controller handles the obtained personal data confidentially and implements technical measures which guarantee the safety of personal data.

This Privacy Statement constitutes information provided to you.

  1. Identity and contact details of the Data Controller

Tour-IT Ltd.

company registration number: 01-09-327411, registered by the Company Registry Court of Budapest - Capital Regional Court

Tax number: 26383752-6312-113-01

Mailing address (place of data processing): 1061 Budapest, Paulay Ede street 25-27. 2. floor, apartment 10, Hungary

Phone number: +36709787182

E-mail: tourit@tourit.online

Website: https://tourit.online/

The personal data and documents that you provided may be accessed and processed by the employees and managing directors of the Data Controller. The Company does not control data falling in the special data categories specified in Article 9 (1) of the GDPR. Should the data subject provide such data, it will be deleted without delay.

 

  1. General principles and legal bases of data processing

    • General principles

In the course of processing personal data, the Data Controller observes and acts in line with the following principles stipulated in Article 5 of the GDPR:

  1. lawfulness, fairness and transparency;
  2. purpose limitation;
  3. data minimisation;
  4. accuracy;
  5. storage limitation;
  6. integrity and confidentiality; and
    • Legal basis of data processing

The Data Controller may process data only if and to the extent that at least one of the following applies:

  1. the data subject (you) has given consent to the processing of his or her personal data for one or more specific purposes (“consent”);
  2. processing is necessary for the performance of a contract to which the data subject (you) is party or in order to take steps at the request of the data subject (you) prior to entering into a contract (“performance of the contract”);
  3. processing is necessary for compliance with a legal obligation to which the Data Controller is subject (“statutory processing”);
  4. processing is necessary in order to protect the vital interests of the data subject or of another natural person (“vital interest”);
  5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller (“exercise of public powers”); or
  6. processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (“legitimate interest”).

 

  1. Legal basis, purpose and duration of the data processing operations and scope of personal data processed by the Data Controller

    • Data processing is necessary for compliance with a legal obligation to which the Data Controller is subject (“statutory processing”): pursuant to Chapter X of Act CXVII of 2007 on value added tax

The purpose of the processing:

to issue an invoice and assess the tax

Scope of personal data, purpose of data collection, consequences of refusing to provide data:

Scope of personal data: invoicing name, address and tax number of the party using the service.

You are always free to refuse to provide your data. Please note however, that if you decide not to provide your data, the Data Controller cannot issue an invoice and in the absence of an invoice it is required to refuse to provide the service.

Duration of data processing:

Pursuant to Chapters IX and XXVI of Act CL of 2017 on Taxation: five (5) years from the last day of the calendar year in which the tax return needs to be filed.

  • Processing is necessary for compliance with a legal obligation to which the Data Controller is subject (“statutory processing”): pursuant to Act C of 2000 on Accounting

The purpose of the processing:

to enter accounting documents into the records and monitor them

Scope of personal data, purpose of data collection, consequences of refusing to provide data:

Scope of personal data: invoicing name, address and tax number of the party using the service.

You are always free to refuse to provide your data. Please note however, that if you decide not to provide your data, the Data Controller cannot issue an invoice and in the absence of an invoice it is required to refuse to provide the service.

Duration of data processing:

Pursuant to Section 169 of Act C of 2000 on Accounting, the Data Controller is required to keep the accounting documents underlying the accounting records in a legible and retrievable form for minimum 8 years after the publication of the report, taking into consideration that the deadline of publication is the last day of the 5th month after the last day of the fiscal year.

  • Processing is necessary for the performance of a contract in which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (“performance of the contract”): registration at the website https://tourit.online/, required for booking either a guided tour with one of TouriT’s registered guides or booking a ride to / from the airport to the customer׳s place of stay.

The purpose of the processing:

To register at the website https://tourit.online/ for the use of the following services: booking either a guided tour with one of TouriT’s registered guides or booking a ride to/from the airport to the customer׳s place of stay.

Scope of personal data, purpose of data collection, consequences of refusing to provide data:

Scope of personal data: password, title; last name; first name; phone number, fax number, e-mail address; age; any other personal details that you may provide voluntarily during registration or handling of any complaint ( e.g., special requests or comments classifying as personal data).

Providing these data is the pre-condition of signing the contract. You are always free to refuse to provide your data. Please note however, that if you decide not to provide your data, the Data Controller cannot conclude a contract with you or complete your registration. The above data is needed in this scope particularly because (in order to optimise our service for the customer׳s need).

 

Duration of data processing:

The Data Controller processes the personal data for 5 years after the last service provided by the Data Controller, or the date of registration, whichever is the latest (i.e., until the end of the limitation period), or, in the case of a legal dispute, until the conclusion of the legal dispute.

  • Processing is performed based on the consent of the data subject (you) granted for one or more specific purposes (“consent”): Taking and using images of participants attending events, and publishing them at the https://tourit.online/

The purpose of the processing:

Taking and using images of participants attending events, and publishing them at the website https://tourit.online.

Scope of personal data, purpose of data collection, consequences of refusing to provide data:

Images of participants, not considered to be pictures or recordings taken of a crowd.

Providing these data is not a pre-condition of signing the contract (using the service); such images are taken at the specific locations. You are always free to refuse to provide your data. Please note however, that if you do not consent to taking and using such images, the Data Controller cannot conclude a contract with you.

Duration of data processing:

The Data Controller processes the personal data for 5 years after the last event organised by the Data Controller and attended by you (i.e., until the end of the limitation period), or, in the case of a legal dispute, until the conclusion of the legal dispute.

  1. Data processing, data transfer, joint data processing, recipients

With a view to achieving the aims specified in chapter 3, the Data Controller engages various service providers, data processors and joint data controllers, as recipients. Such data processors are the persons performing accounting services for the Data Controller; persons participating in the organisation and arrangement of events organised by the Data Controller (persons providing for the location, transfer, organisation, catering, accommodation, technical background). The Data Controller ensures that data processors always process personal data in compliance with the effective data protection laws – with special regard to the GDPR – and at the highest possible level of data protection and data security through its contracts concluded with the data processors. The joint data controller is an entity responsible for [insert a description of the organization to whom the data are transferred] to whom the data are transferred.  Beyond data processors and joint data controllers, data is not transferred to any third party, unless it is required by law.

As a consequence of business decisions made by the Data Controller the scope of data processors or joint data controllers may change. At your request, the Data Controller informs you directly of the current list of data processors and joint data controllers. We encourage you to periodically review it regularly so that you can exercise your rights of informational self-determination protection of personal data.

Similarly to several other websites, https://tourit.online uses cookies to enable the proper use of the website, to enhance the user experience and to optimise marketing communications. When you first visit this website, the Data Controller requests your express prior consent to the use of cookies. Please read our cookie notice carefully before you give your consent.

Cookies are data stored by your web browser temporarily on the device you use for browsing and may sent to your device while you visiting https://tourit.online. These data include your IP address, the type of browser, the characteristics of the operational system you use on your device, the length of your visit, the page and subpage you visited, the function you used and the time you spent on the website. Cookies do not contain personal data, are not suitable for your identification as an individual user and will not be combined with personal data. Cookies are small files which do not damage your device and contain no virus or malware. A part of the cookies is automatically deleted when you close the website, while others will be stored on your device for a longer time, depending on your browser settings.

The website https://tourit.online only uses such own cookies which are temporary and needed for the operation of the website. In addition, the website also uses third-party partner cookies operated by our various service providers for the purposes of website analytics and personalised marketing communications. https://tourit.onlineuses the following third-party partner cookies and other similar programs:

It is not compulsory for you to allow and accept the use of cookies: you are free to limit or even block them. However, this might prevent you from using certain functions of https://tourit.online. You can allow or block cookies on the website you visited by changing your browser settings. If you wish to block cookies, please review the instructions or “Help” for using your browser and act accordingly.

  1. Security of processing

The Data Controller takes all reasonable measures to ensure the security of the personal data and an appropriate level of protection, in particular against the risk of accessing, altering, transferring, disclosing, deleting, destroying or accidentally destroying or damaging the personal data, and the risk of their becoming inaccessible due to the change in the applied technology. The Data Controller ensures the security of data by implementing appropriate technical and organisational measures.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and its Data Processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical and technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, with special regard to those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

The Data Controller and the data processor shall take steps to ensure that any natural person acting under the authority of the Data Controller or the data processor who has access to personal data does not process them except on instructions from the Data Controller, unless he or she is required to do so by European Union or Member State law.

In the case of a personal data breach, the Data Controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Hungarian National Authority for Data Protection and Freedom of Information, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The Data Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subjects without undue delay. The communication to the data subject shall not be required if any of the following conditions are met:

  1. the Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  2. the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subject is no longer likely to materialise;
  3. it would involve a disproportionate effort.
  4. Your rights and remedies related to data processing

In connection with data processing, you have the right of information, access to and rectification or erasure of your personal data, the right to data portability and the right to object.

  • Right of information

Where personal data relating to you are collected from your, the Data Controller, at the time when personal data are obtained, provide you with all of the following information:

  1. the identity and the contact details of the Data Controller;
  2. the contact details of the data protection officer (where applicable);
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. where the processing is based on the legitimate interests pursued by the Data Controller or by a third party;
  5. where applicable, the recipients or categories of recipients of the personal data, if any;
  6. where applicable, the fact that the Data Controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission.
  7. the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period;
  8. the existence of your right to request from the Data Controller access to and rectification or erasure of personal data or restriction of processing concerning you, or to object to processing as well as the right to data portability;
  9. where processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  10. the right to lodge a complaint with a supervisory authority;
  11. whether the provision of personal data is a statutory or contractual requirement, or a required pre-condition necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  12. the existence of automated decision-making, including profiling (where applicable).

    • Right to access

You have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of your right to request from the Data Controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
  6. the right to lodge a complaint with a supervisory authority;
  7. where the personal data are not collected from the data subject, any available information as to their source;
  8. the existence of automated decision-making, including profiling, and, at least in those cases, information about the logic involved, as well as understandable information of the significance and the envisaged consequences of such processing for the data subject.

    • Right to rectification

You have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed.

  • Right to erasure (‘right to be forgotten’)

You have the right to obtain from the Data Controller the erasure of personal data concerning you without undue delay and the Data Controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. You withdraw your consent underlying the data processing (if this is the legal base) and the processing has no other legal base;
  3. You exercise your right to object to data processing;
  4. the personal data have been controlled unlawfully;
  5. the personal data have to be erased for compliance with a legal obligation in the European Union or Member State law to which the Data Controller is subject;
  6. the personal data have been collected in relation to the offer of information society services.

    • Right to restriction of processing

You have the right to obtain from the Service Provider restriction of processing where one of the following applies:

  1. If you contest the accuracy of the personal data, for a period enabling the Service Provider to verify the accuracy of the personal data;
  2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. the Service Provider no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
  4. You have objected to processing; in such a case restriction applies pending the verification whether the legitimate grounds of the Service Provider override those of yours.

    • Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the Service Provider, in a structured, commonly used and machine-readable format and have the right to transmit those data to another service provider without hindrance from the Service Provider to which the personal data have been provided, where:

  1. processing was based on a consent or a contract; and
  2. the processing is carried out by automated means.

    • Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on section (e) or (f) of Article 6(1) of the GDPR (“exercise of public powers” and/or “legitimate interest”), including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or connected with the establishment, exercise or defence of legal claims.

  • You can exercise the above rights of data subjects as follows:

Contact the Data Controller using any of the following points of contact:

Mailing address (place of data processing): 1061 Budapest, Paulay Ede street 25-27. 2. floor, apartment 10, Hungary

E-mail: tourit@tourit.online

The Data Controller shall provide information on action taken on a request under Articles 15 to 22 of the GDPR to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data Controller will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If you make the request by electronic means, the information shall be provided by electronic means where possible, unless you have requested otherwise. This information is provided free of charge if you did not submit a request for information on the same issue to the Data Controller in the given calendar year. If you did make such a request for information before, the Data Controller establishes a charge.

If you have consented to data processing, but wish to withdraw or modify your consent, you may do so any time by sending a letter or an e-mail to the Data Controller

(mailing address (place of data processing): 1061 Budapest, Paulay Ede street 25-27. 2. floor, apartment 10, Hungary

 e-mail address: tourit@tourit.online

You may lodge your complaint concerning the processing of your personal data with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH, 1125  Budapest, Szilágyi Erzsébet fasor 22/c, 1530  Budapest, Pf.: 5.), and further, upon the violation of your rights related to the management, processing and protection of your personal data you may apply to the court having jurisdiction and competence in the case (birosag.hu), and/or may file a claim for damages.

This document is drawn up in Hungarian and English languages, in case of any inconsistency or difference the Hungarian version prevails.

 

Check whether this description is apparoprate for your site.

 

Check and complete.