I. General Provisions
1. Purpose and Scope of the Information
The Company, as a data controller, informs the visitors of the website (hereinafter referred to as the data subject) about its data processing activities based on the applicable legal provisions on the processing of personal data - in particular, the provisions of Act CXII of 2011 (hereinafter referred to as Infotv.) and Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as GDPR). The data controller is committed to protecting the personal data of its clients and partners. The data controller treats personal data confidentially and takes all security, technical, and organizational measures to ensure the security of the data. Please read this data processing information carefully. If you have any questions or comments regarding this information or the processing of personal data, please contact us.
2. Data Controller Information
Data Controller: HAJDÚ PARK Ltd.
Headquarters: 4200 Hajdúszoboszló, Mátyás király promenade 8.
Mailing address: 4200 Hajdúszoboszló, Mátyás király promenade 8.
Email:
@
Website: www.nr8restaurant.hu
Phone: +36 30 602 57 05
Tax number: 13179858-2-09
Company registration number: 09 09 010262
Registering court: Debrecen Tribunal Court of Registration
Representative: Dr. Miklós Ináncsy, Managing Director
Notarial permit: 916/2017
3. Scope of Information
This information applies to data processing related to the services available on the website (particularly: contact, newsletter service).
4. Definitions
The terms used in the Data Processing Information should be interpreted based on the definitions specified by the GDPR and Infotv.
- Personal data: any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
- Data subject/user: any natural person identified or identifiable by any information;
- Consent: any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- Data controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the data controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction;
- Data processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;
- Recipient: a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed;
- Data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
- Service(s): the services provided by the data controller, which are available through the website.
5. Principles
The data controller considers the principles listed by the GDPR during the processing of personal data. The following data protection principles apply throughout the entire data processing process:
- Purpose limitation principle: Personal data must be collected and processed only for specified, explicit, and legitimate purposes.
- Lawfulness, fairness, and transparency principle: Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Accuracy principle: Personal data must be accurate and kept up to date.
- Storage limitation principle: Personal data must be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Data minimization principle: Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Integrity and confidentiality principle: Appropriate technical or organizational measures must be applied to ensure the security of personal data.
- Accountability principle: The data controller is responsible for and must be able to demonstrate compliance with the data protection principles. The data protection principles apply to the entire data processing process, including data collection, the selection of the appropriate legal basis, and the provision of information to the data subjects.
6. Applicable Laws
The company considers the following legal provisions regarding the processing of personal data, particularly Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.), and Act V of 2013 on the Civil Code (hereinafter: Ptk.).
II. Rights of the Data Subject
The data subject may request information regarding the processing of their personal data at any time, may request the rectification, clarification, deletion, or restriction of their personal data, and may exercise all rights provided by law.
According to the provisions of the GDPR, the data subject has the following rights:
- the right of access (Article 15 GDPR);
- the right to rectification (Article 16 GDPR);
- the right to erasure, or the "right to be forgotten" (Article 17 GDPR);
- the right to restrict processing (Article 18 GDPR);
- the right to notification regarding rectification or erasure of personal data or restriction of processing (Article 19 GDPR);
- the right to data portability (Article 20 GDPR);
- the right to object (Article 21 GDPR).
III. Details of Data Processing
We only process personal data that is strictly necessary for the given purpose. The processing of personal data is based on voluntary consent, contract, or legal obligation.
Our website can be visited without providing personal data, but certain functions may require the processing of personal data to provide the service. Failure to provide data may prevent us from contacting the data subject, processing their request, or fulfilling their order.
The purpose of data processing on the website is to provide the available services (e.g., contact, booking, sending newsletters). The data controller processes and stores the personal data of the data subject exclusively for these purposes and cannot use it for any other purpose. Personal data may only be shared with third parties with the prior written consent of the data subject. In certain cases - official court or police requests, legal proceedings, or other legal violations or their reasonable suspicion - the processing, storage, and transmission of certain data may be mandatory by law.
1. Table Reservation
It is possible to make a table reservation online through the form provided on our website, as well as via email and phone. The data controller only processes the data necessary for fulfilling the table reservation.
Purpose of data processing: recording the table reservation, confirming it, contacting, maintaining contact, arranging the time, handling complaints. Failure to provide data may prevent us from finalizing the table reservation.
Processed data: Name, email address, phone number, number of adults, number of children, any other data provided by the data subject
Legal basis for data processing: Contractual basis according to Article 6(1)(b) of the GDPR
Scope of data subjects: Data subjects who initiate table reservations and fill out and submit the form on the website.
Duration of data processing: until the purpose is achieved, but no longer than 1 year from the inquiry.
2. Newsletter Sending
Purpose of data processing: The purpose of data processing is for the data controller to send newsletters and marketing messages to the data subject. The data controller may send notifications and offers regarding its services, innovations, news, and promotions in newsletters.
Processed data: name, email address
Legal basis for data processing: consent of the data subject, Article 6(1)(a) of the GDPR
Duration of data processing: until the withdrawal of the data subject's consent or unsubscription.
Scope of data subjects: Newsletter subscribers. The data is processed by the data controller's authorized employees and the service providers involved in sending the newsletters and the technical operation of the website.
The legal basis for direct marketing data processing may be the data subject's consent or the legitimate interest of the data controller. If the newsletter is sent based on legitimate interest, the data controller will conduct a prior interest balancing test to ensure that its legitimate interest does not disproportionately restrict the interests of the data subjects.
3. Use of Social Media
The data controller may appear on various social media platforms (especially: Facebook, Instagram, YouTube).
Purpose of data processing: to display advertisements tailored to the interest of the data subject and to share content about the products and services of the website.
Processed data: Name and profile picture of the user registered on the social media platform.
Scope of data subjects: All data subjects who are registered on the given social media platform and follow the company's social media page or have contacted it.
Legal basis for data processing: the consent of the data subject according to Article 6(1)(a) of the GDPR.
Duration of data processing: until the withdrawal of consent. Details of data collection and processing can be found in the privacy policy of the respective social media platform.
4. Contact
The data subject can contact the company by sending a message to the email address available on the website, which may contain personal data. The provided data is necessary for communication and contact purposes.
Processed data: Name, email address, other data provided by the data subject
Legal basis for data processing: consent of the data subject
Scope of data subjects: Individuals who contact the company via email.
Duration of data processing: Until the purpose is achieved, but no longer than 1 year from the inquiry.
Data storage method: electronic
5. Billing
The company issues invoices in relation to the payment for the services provided, consumption, and products.
Purpose of data processing: Issuing an invoice in accordance with legal requirements and fulfilling accounting document retention obligations.
Processed data: Billing name, billing address
Legal basis for data processing: legal obligation
Duration of data processing: Issued invoices must be retained for 8 years from the date of issue (in a readable form, retrievable based on references in accounting records).
Authorized to access personal data: employees responsible for invoicing, the head of accounting tasks, and employees.
IV. Data Transfer
We use external service providers to fulfill certain orders and provide services. In the case of data transfer, the third party processes personal data in accordance with its own data management regulations.
The data controller is entitled and obliged to transfer the personal data available to it and properly stored by it to the competent authority, as required by law or by a final official decision. In the event of legal enforcement (e.g., demand letter, litigation, or other procedures), the data controller transfers the necessary personal data to the legal office. No data transfer to third countries occurs.
The data controller maintains a data transfer register for the purpose of verifying the legality of data transfers and ensuring the information of the data subjects.
V. Data Processors, Recipients
The data controller may use the services of third parties for the processing of personal data, provided that the third party's data management practices comply with the relevant legal requirements. By accepting this Privacy Policy, the data subjects expressly consent to the data controller making the provided data available to its contracted service providers.
Data processors carry out data processing according to the instructions of the data controller and cannot make substantive decisions regarding data processing. They may only process personal data according to the data controller's instructions and must store and retain personal data as instructed by the data controller.
1. Newsletter Service Provider
The data controller uses the MailChimp software to send newsletters. Newsletter service provider details: The Rocket Science Group, LLC.
Address: 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA, website: https://mailchimp.com/contact
The service provider complies with the Swiss-U.S. Privacy Shield Framework and the EU-U.S. Privacy Shield Framework, allowing personal data to be transferred to this provider. More information about Mailchimp's data management practices can be found here: https://mailchimp.com/legal/
2. IT Service Provider
The data controller stores certain data managed by it on the storage provided by its contracted IT service provider. The service provider also maintains the website according to the data controller's instructions and does not perform other data processing operations.
Company details: PW Studio Kft. - headquarters: 4032 Debrecen, Nyék utca 97. Contact:
@
3. HostWare Catering Software
The software provides order taking, invoice, and receipt printing functions for the data controller. Based on the contract with the data controller, the data processor assists in issuing accounting documents by providing an online invoicing program.
Company details: Hostware Kft., Headquarters: 1149 Budapest, Róna u. 120-122.,
@
Scope of data: Personal data necessary for order taking and invoicing (name, address, tax number).
Data processing period: For the period specified by law.
VI. Data Security
The data controller takes all security measures to protect personal data from unauthorized access. The data controller's IT systems and other data storage locations are located on its premises, as well as on its own or rented servers.
The data controller primarily stores data in electronic form. For electronically stored data, the data controller ensures protection against unauthorized access, and paper documents are stored in a locked cabinet in a secure room. The data controller implements technical, organizational, and administrative measures that support the protection of data processing security and provide an adequate level of protection against the risks associated with data processing.
Access to the personal data processed is limited to individuals whose duties require knowledge of the data, and these individuals may only process personal data according to the data controller's instructions.
In the event of a physical or technical incident, the server provider ensures the availability and restoration of the website's data through regular backups.
VII. Cookie Information
The purpose of cookies is to improve the user experience of websites, provide personalized services, and measure site traffic, ensuring proper operation. The technology assists user navigation, stores settings, and can be used to secure online transactions. A cookie is a small file containing a string of characters that the server sends to the user's computer during a website visit. Cookies generally do not contain personal information and do not identify the user. On some of our pages, we include content from external service providers such as YouTube and Facebook. According to the opinion of the EU Data Protection Working Group, users must be informed about the use of cookies that do not require consent. The user can disable or delete cookies on their computer. (Depending on the browser: Settings or Options interface) Browsers typically enable cookies by default. Cookies can be differentiated by their validity period. Some cookies only last until the browser is closed (temporary cookies) or until a specific task is completed.
Certain cookies are stored on the user's computer beyond the session (permanent cookies). These can be deleted by the user at any time. Information collected by internal cookies can only be processed and utilized by the specific website.
A website can also use external services that use their own cookies, called third-party cookies. The IT service provider maintaining the website has access to personal data collected by cookies used on the data controller's website as a data processor.
Types of Cookies Used and Their Purposes
1. Cookies Essential for the Functioning of the Website
Essential cookies are necessary for the use and functioning of the website. They do not collect information that qualifies as personal data. If these cookies are disabled, the website or certain parts of it may not function properly or may not be accessible at all.
Legal basis: Legitimate interest of the data controller under GDPR Article 6(1)(f).
Their validity lasts for the period necessary to achieve the purpose, for the minimum necessary time, covering the duration of the visit. The cookies are automatically deleted at the end of the session or when the browser is closed.
| Cookie Name | Legal Basis | Provider | Purpose, Type | Duration |
| ci_session | legitimate interest | data controller | ensuring the functioning of the website (internal session cookie) | 2 hours |
| cookie_confirm | consent | data controller | whether the cookie policy was accepted (internal session cookie) | 30 days |
2. Statistical Cookies
Performance cookies help us understand how users interact with the website by collecting information anonymously and in aggregate. Our company uses Google Analytics and Google Tag Manager, both provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043), for independent measurement and auditing of website traffic and other web analytics data. This analytics also applies to conversion tracking. Google Analytics uses "cookies," which are text files placed on your computer, to help analyze how users use the site, providing reports to the website operator and performing other services related to website usage and internet usage.
The website uses Google Tag Manager to manage tags, which are small pieces of code that allow tracking of user interactions.
| Cookie Name | Legal Basis | Provider | Purpose | Duration |
| Google Analytics | consent | | statistics | 2 years |
The information generated by cookies about the use of the website is usually transmitted to and stored by Google on servers in the USA.
Within the framework of Google Analytics, the IP address transmitted by your browser will not be merged with other data from Google. To disable anonymous Google Analytics cookies, a plugin (Google Analytics Opt-out Browser Add-on) can be installed in your browser to prevent the website from sending information to Google Analytics. The data controllers can provide detailed information to the data subjects about the handling of measurement data (contact: www.google.com/analytics).
If the data subject does not want Google Analytics to measure the above-mentioned data in the described manner and purpose, they can block it in their browser settings. However, please note that in this case, the website may not function properly. (https://tools.google.com/dlpage/gaoptout?hl=en)
3. Marketing Cookies
Advertising cookies collect detailed information about the user's browsing habits, sending this information to other websites to provide personalized advertising to the user. User consent is required for these cookies. The data controller has no influence over these external services.
If the data controller uses the "Google Ads" online advertising program, it may use Google's conversion tracking service, which allows it to evaluate the effectiveness of its campaigns and visitor data through conversion statistics. The company cannot access any information that could identify the user. Google conversion tracking is an analytics service provided by Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google"). When the user reaches the website through a Google ad, a cookie necessary for conversion tracking is placed on their computer. Each Google Ads customer receives a different cookie. These cookies are limited in validity and do not contain any personal data, so the user cannot be identified by them.
| Cookie Name | Legal Basis | Provider | Purpose | Duration |
| Google Ads conversion code, remarketing code, Analytics code | consent | | displaying relevant ads, creating and storing identifiers | depending on the cookie: 90 days, 18 months, or 2 years |
If you do not wish to participate in conversion tracking, you can refuse by disabling the possibility of installing cookies in your browser. After that, you will not be included in the conversion tracking statistics. The provider complies with the Swiss-US Privacy Shield Framework and the EU-US Privacy Shield Framework, under which personal data may be transferred to this provider.
For more information about Google's privacy policies, please visit: http://www.google.com/privacy.html
Cookie Settings and Disabling
Cookie settings can be changed at any time in the website's cookie settings or in the browser you use. Some browsers automatically accept cookies by default, but this setting can also be changed. Quick links: Firefox, Chrome, Safari, Internet Explorer.
VIII. Remedies
If the data subject has a complaint regarding data processing, it is recommended to first contact the data controller. The data controller will investigate and respond to the complaint within 30 days. If the data subject maintains their complaint regarding the contested data processing by the data controller, they are entitled to lodge a complaint with the supervisory authority, the National Authority for Data Protection and Freedom of Information (NAIH). Headquarters: 1024 Budapest, Szilágyi Erzsébet fasor 22/C. Contact: ugyfelszolgalat@naih.hu, +36-1-3911400, www.naih.hu
The data subject may also enforce their claim in court. The lawsuit can also be filed with the competent court of the data subject's place of residence or stay. The case falls under the jurisdiction of the court; the proceedings are exempt from fees, and the court proceeds expeditiously.
IX. Data Protection Incident
A data protection incident is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
In the event of a data protection incident, the data controller acts in accordance with GDPR rules. If the data protection incident is likely to result in a high risk to the rights of the data subjects, the data controller will inform the data subjects without undue delay about the data protection incident and the measures taken.
If you believe that a data protection incident has occurred regarding the processing of your personal data, please contact us via email. We will investigate all reports and take necessary steps.
X. Final Provisions
The data controller aims to comply with relevant legal requirements in its activities, so this notice may need to be modified in case of changes in laws or data protection practices. The data controller reserves the right to unilaterally amend this notice at any time, simultaneously informing the data subjects. The notification will be made by publishing on the website, or, depending on the nature of the change, by direct email to the data subjects. If the details of data processing change due to the modification of this notice, the data controller will separately request the data subjects' consent.
The data controller does not perform profiling in the processing of personal data.
Data protection principles related to the data controller's data processing are continuously available on the website.
For issues not defined in this policy, the GDPR and, where applicable, the Infotv. regulations apply.