Data protection policy

Valid from 13 July 2021

You can browse through this data protection policy using the hyperlinks found in the contents below. Click on the hyperlinks to download a PDF document of the relevant section.

Within the limits of the complexity of the information we wish to provide, we have tried to make this data protection policy easy to use and understand. If you have any questions regarding this data protection policy, or any comments or suggestions for improvement, please contact us at the following email: info@gundel.hu

You can browse through this data protection policy by clicking on the individual parts of the contents below. The first two parts are the most important; they cover the following topics:

Your rights under the GDPR
Data processing activities carried out at GUNDEL
Legal references (including how to access them)
Expressions and abbreviations used in this data policy

Contents

1) The legal rights of natural persons (”data subjects”) in accordance with the GDPR

1.1. Transparent information

1.2. Access to your data

1.3. Rectification of inaccurate data

1.4. Right to deletion (right to be forgotten)

1.5. Withdrawal of consent

1.6. Request to restrict processing

1.7. Objecting to data processing

1.8. Not being subject to automated decision making

1.9. Data portability

1.10. Making a complaint to the Supervisory Authorityisory Authority

1.11. Right to an effective judicial remedy against a data processor or data controller

1.12. Contact GUNDEL regarding the GDPR

2) Data processing

2.1. Book a table

2.2. Event management and requesting a quote

2.3. Newsletter

2.4. GUNDEL gift vouchers

2.5. Social media (Facebook, Instagram)

2.6. Contact

2.7. Record of complaints

2.8. Job advertisements

2.9. Business-to-business communications

2.10. CCTV

3) Legal notice (including contact details)

4) Expressions and abbreviations used in this data policy

According to the GDPR, a “data subject” is a natural person living anywhere, who has a relationship with any “data controller” in the EU, or a natural person living in the EU who has a relationship with any data controller outside the EU. The “data controller” is a legal person which determines the means of the processing of personal data. “Personal data” means any information relating to the data subject.

According to the explanation given below, under the GDPR, the data subject has the following specific rights to:

Transparent information
Access to their data
Rectification of inaccurate data
Deletion (right to be forgotten) under certain circumstances
Withdrawal of consent
Request data processing to be restricted
Object to data processing
Not being subject to automated decision making
Data portability
Complain to the Supervisory Authority
Right to an effective judicial remedy against a data processor or data controller

This data protection policy applies to all these rights as a whole. In accordance with any of these rights, we will respond to your request without undue delay and in any event within one month, and make every effort to resolve even complex cases within three months. The response will be provided by electronic means, or by other means upon your request. We will not charge any fee for the first request, but we reserve the right to charge an administrative fee for a repeat request made within one year, or where a request is clearly unfounded or excessive.

Please note: In order to act upon your request, we will need to confirm your identity.

If we do not consider it necessary to take action on your request, we shall inform you in writing of the reasons for not taking action and your options for seeking a judicial remedy.

Apart from these rights, if you believe that GUNDEL has acted improperly in relation to your personal data or data protection, please contact us so that we can remedy the situation and improve the service we provide to our guests. You can make a complaint by email or post; please see the contact details under Section 1.12 Contact GUNDEL regarding the GDPR.

We will endeavour to respond to you without undue delay and within one month at the latest.

1.1. Transparent information

We provide any information required by the GDPR in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This information shall be provided in writing or by electronic means. At your request, we can also provide the information orally.

We shall help you exercise your rights as explained under Section 1.

You can find our email and postal addresses under Section 1.12 Contact GUNDEL regarding the GDPR.

1.2. Access to your data

You have the right to obtain confirmation from GUNDEL about whether we are processing personal data relating to you and if so, you can request access to the data and to the following information:

The purpose of the processing;
The categories of personal data concerned;
The recipients to whom the personal data have been or will be disclosed, in particular recipients not based in EU member states;
The period for which the personal data will be stored;
That you have the right to request from the controller rectification or deletion of personal data or restriction of processing of personal data, or to object to such processing;
That you have the right to complain to a supervisory authority;
Where the personal data are not collected from the data subject, the source of the data;
Whether there is automated decision-making, and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
Where personal data are transferred to a country outside the EU, we shall provide an appropriate guarantee that your rights are protected.

1.3. Rectification of inaccurate data

If we are storing personal data which is inaccurate or incomplete, upon receiving a request from you, we shall rectify it without undue delay.

1.4. Right to deletion (right to be forgotten)

You have the right to have your personal data deleted and to ask us to comply with your request without undue delay if any of the following grounds apply:

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
You have withdrawn consent and thus there is no legal ground for the processing;
Our legitimate interests provide the legal basis for processing your data and you assert that there are no compelling legitimate grounds for the processing which override your interests, rights and freedoms;
Your data is being processed for direct marketing purposes and you object to this;
We have unlawfully processed your personal data;
The personal data must be deleted to comply with a legal obligation imposed on us by EU or Member State law;
The legal basis for our processing of a child’s data is consent given by a holder of parental responsibility and either i. You are the child’s parent or guardian and the child in question has not yet reached the age required to consent to their data being processed, or ii. You are the child who has reached the age required to consent to their data being processed. (In Hungary, a person has to be 18 or above to consent to their personal data being processed.)

Please note: We shall not delete your personal data if data processing is necessary for one of the reasons given below:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires the data to be processed;
for reasons of public interest in the area of public health;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the request is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.

If you have consented to our processing of your data, you may withdraw that consent at any time. You can withdraw consent by sending a request to the email address given under Section 2. (Activities), which lists the activities for which we process personal data. Another option is to write to us via the email address given under Section 1.11.

Please note: withdrawal of consent shall not affect the lawfulness of data processing already undertaken.

1.6. Request for data processing to be restricted

You can request that GUNDEL restrict processing of your personal data, where one of the following applies:

You contest the accuracy of the personal data;
Our processing of your personal data is unlawful, but you oppose the deletion of the personal data and request that their use be restricted instead;
We no longer need your personal data for processing purposes, but you require them for the establishment, exercise or defence of legal claims;
You have objected to our processing of your personal data because we have given “our legitimate interests” as the legal basis for that processing, and you assert that your interests, rights and freedoms override our legitimate grounds;

If the processing of your personal data has been restricted based upon your objection, such personal data shall, with the exception of storage, only be processed with your consent; or

for the establishment, exercise or defence of legal claims or for the protection of
the rights of another person, or
for reasons of important public interest of the EU or of a Member State.

Where data processing has been restricted, we will inform you before the restriction of processing is lifted.

In practice, operational issues may prevent us from restricting the processing of your data in exactly the manner required in the GDPR, but in such cases, we will work with you to find an acceptable solution.

1.7. Objecting to data processing

You have the right to object to our processing of your personal data if:

The legal basis for that processing is “our legitimate interests”, but you assert that your interests, rights and freedoms override those interests;
We process your data for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing. (Profiling means such automated processing to analyse or predict aspects relating to economic situation, personal preferences, or location.) If you make such an objection, we shall no longer process your personal data for such purposes.

1.8. The right not to be subject to automated decision making

You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you.

However, this shall not apply in cases where:

the decision is necessary for entering into, or performance of, a contract; or
is authorised by EU or Member State law which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests.

In case (a), we must take suitable measures to safeguard your rights, freedoms and legitimate interests, including at least the right to request human intervention on our part, to express your point of view and to contest the decision.

1.9. Data portability

In accordance with the GDPR, the data subject shall have the right, in certain circumstances, to receive the personal data concerning him or her in a structured, commonly used and machine-readable format. The data subject shall also have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

If you request access to your personal data on the basis of Section 1.2 above, we shall place them at your disposal in a commonly used electronic format, unless you expressly request that we send your personal data to you in printed form.

1.10. Making a complaint to the Supervisory Authority

If you believe that we have infringed your rights or treated you unfairly under the rules of the GDPR, you can complain to the Data Protection Supervisory Authority. If your main country of residence is a EU member state other than Hungary, you have the right to complain to the Supervisory Authority in that member state. You can find the names and contact information of the data protection authorities via the link below:

http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

If your main country of residence is Hungary, or a country outside the EU, then you can complain to the Hungarian authorities:

Nemzeti Adatvédelmi és Információszabadság Hatóság
H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf.: 5.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
Hungarian language e-mail address: ugyfelszolgalat@naih.hu
Web: https://naih.hu

1.11. Right to an effective judicial remedy against a data processor or data controller

You have the right to an effective judicial remedy if you consider that your rights in accordance with the GDPR have been infringed as a result of your personal data being processed in non-compliance with the GDPR.

Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor carries out their activity. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.

In Hungary, judgement in such proceedings falls under the competence of the courts. The data subject may choose whether to bring the proceedings before the court where they are domiciled or the court at their habitual place of residence.

In addition to the provisions of the GDPR, the provisions of Act V of 2013 on the Hungarian Civil Code Second Volume Part Three Title XII (Section 2:51 – 2:54) shall apply to court proceedings, as well as other legal regulations and procedures on court procedures.

You can also find separate contact information for specific requests under the sections referring to our individual activities in Chapter 2. Otherwise, in the interests of exercising the rights described above, either if you wish to make a complaint directly to GUNDEL, or if you have a general request relating to the GDPR or data protection, you can contact us by email or post as follows:

Email: info@gundel.hu
Address: GBR Event Kft., 1146 Budapest, Ajtósi Dürer sor 5. 1/1
Gundel Étterem; 1146 Budapest, Gundel Károly út 4.

Data processing

2.1. Book a table

You can book a table at GUNDEL online, in person, or by phone. A record is made of your booking in the reservation system provided by PG Info Kft.

The purpose of the processing: The purpose of collecting this data is so that we can identify the guest making the booking if they make reservations at a later date, and so that we can record the information for the reservation.

The legal basis for processing the data: Your consent You can withdraw your consent at any time, however this shall not affect the lawfulness of previous data processing. Please be informed that if you do not consent to our processing of your data, we will not be able to process your booking.

Data processing period: We shall retain your data for 1 (one) year after the year it was collected.

2.2. Event management and requesting a quote

In order to provide a quote and while organising an event, we process the personal data necessary for providing the quote or organising the event (e.g. name, position, food allergies).

The purpose of the processing:

In the case of a request for a quote, drawing up a quote;
In the case of events which have been booked, organising the event and thus fulfilling the order.

The legal basis for processing the data:

When a quote has been requested, we process the data necessary for maintaining the business relationship and for sending the quote, based on your consent. You can withdraw your consent at any time, however this shall not affect the lawfulness of previous data processing.
In the case of event management:

We store the personal data we need for invoicing based on the Hungarian Accounting Act C. of 2000 Section 169(2). We need the data in order to be able to provide the service.

In the case of corporate orders, we process the data of contact persons based on our legitimate interests related to fulfilling the order.

In the case of orders from private persons, we process the data necessary for communication in the interests of fulfilling the order (contract). We need the data in order to be able to provide the service.

We process the necessary personal data of other private persons based on our legitimate interests related to fulfilling the order.

Data processing period:

We store the personal data we have been given for 1 (one) year from the event, in case of complaints.
We store the personal data we need for invoicing for 8 (eight) years after the invoicing year, in accordance with the provisions on invoicing in the Act C. of 2000 on accounting Section 169(2).

Your name and email in order to send you a newsletter.

The purpose of the data processing: To inform you of current opportunities and news.

The legal basis for processing the data: Your consent Please note that if you do not consent to our processing of your data, we will not be able to send you our newsletter.

Data processing period: We shall only send you our newsletter for as long as you wish to receive it. If you no longer wish to receive our newsletter, you can unsubscribe at any time via the link at the bottom of the newsletter, or by sending an email to info@gundel.hu Withdrawal of consent shall not affect the lawfulness of previous data processing.

Data processor: When sending you our newsletter, we use the Mailchimp mailing system (The Rocket Science Group, LLC; registered office: 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA; Privacy Shield active).

2.4. GUNDEL Gift Vouchers

When you buy GUNDEL gift vouchers, in addition to processing any data which may be necessary for invoicing, at your request we process the name of the recipient.

The purpose of the data processing: Communication in order to deliver the gift voucher and for invoicing purposes.

The legal basis for processing the data:

The legal basis for processing the invoicing data is the legitimate interest of fulfilling the contract for issuing a gift voucher, as well as compliance with the provisions on invoicing. We need the data in order to be able to provide the service.
Processing the recipient’s name takes place based on the legitimate interest of issuing a gift voucher in your name.

Data processing period:

We store the invoicing data for 8 (eight) years after the invoicing year, in accordance with the provisions on invoicing in Act C. of 2000 on accounting Section 169(2).
We delete the name of the recipient once it has been recorded on the gift voucher card and do not process it in our internal records.

We are present on the social media pages of Facebook and Instagram. You can follow us by clicking on the “like” and “follow’” links on the newsfeed published on our message wall; you can also unfollow us using the “dislike” link in the same place or by using the message wall settings to remove any unwanted news from your wall. We have access to our followers’ profiles, but we do not store them or process them in our own internal system.

The purpose of the data processing: To inform you of current information and news about Gundel.

The legal basis for processing the data: Your consent, which you can withdraw at any time by unfollowing us. Withdrawal of consent shall not affect the lawfulness of previous data processing. If you unfollow us, you will not receive notifications from our newsfeed and our news will not appear on your newsfeed. However, you will still be able to access our newsfeed because our pages are public.

Data processing period: The data will be processed until you unfollow us.

Data processor: Our Facebook page is edited by Marketing Director Mariann Pintér, an employee of GBR Event Kft.

Social media companies are data controllers in their own right; you can find the data protection policy for the companies in question here:

Facebook: Facebook Ireland Ltd. (székhely: 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland)

data protection policy: https://www.facebook.com/privacy/explanation

Instagram: Facebook Ireland Ltd. (registered office: 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland)

data protection policy: https://www.facebook.com/help/instagram/155833707900388/

When you follow us, we have access to your profile, but we do not manage or record any data from it in our internal systems. We do not use it for any other purpose than sharing our news. Facebook also forwards aggregated statistical information to us, which enables us to understand how Facebook users use our Facebook page.

2.6. Contact

You can contact us through any of our channels (email, Facebook, telephone, post or via our website). When you contact us with a question or request, you consent to us processing the personal data shared with us.

The purpose of the data processing: Communication with the person who has contacted us and responding to or addressing the question/request.

The legal basis for processing the data: Since you have contacted us, the legal basis for data processing is your consent. You may withdraw your consent at any time, however in that case, we will be unable to respond to your request. Withdrawal of consent shall not affect the lawfulness of previous data processing.

Data processing period: We shall delete your messages and the personal data received one year after the year in which we responded to your request, question or complaint. If however – due to the nature of the correspondence – there is a need for tax or accountancy reasons, or possibly to protect our rights or interests or those of the person contacting us, we consider on a case-by-case basis whether to archive it and store it for as long as necessary.

2.7. Complaint handling records

In the course of a consumer complaint, if you disagree with the way your complaint is being handled, or if it is not possible to investigate your complaint immediately, we are obliged to immediately make a record of the complaint and the points of view relating to it.

These records contain the following data:

The consumer’s name and address;
The place, time and manner in which the complaint arose;
A detailed description of the complaint, a note of written materials, documents and other evidence shown by the consumer;
Our statement about the consumer’s point of view regarding the complaint, if it is possible to investigate the complaint immediately;
The signature of the person making a record of the complaint and – except where complaints are made by telephone or electronically – that of the consumer;
The place and time that the record was made;
Where the complaint is made by telephone or electronically, a unique identification number for the complaint.

The purpose of the data processing: To investigate the complaint and communicate with the person making the complaint.

The legal basis for processing the data: The Hungarian Act CLV of 1997 on Consumer Protection Section 17/A. (7), which obliges us to process the above data.

Data processing period: 5 (five) years from the time the record is made.

2.8. Job advertisements

You have the option of responding to our job advertisements by email, on paper, or in person.

The purpose of the data processing: To provide job seekers with information about the job advertisements posted, to select the appropriate candidates and to communicate with applicants during the application process.

The legal basis for processing the data: Your consent You can withdraw your consent at any time, by email or letter. Withdrawal of consent shall not affect the lawfulness of previous data processing. Please be informed that the submission of data is voluntary, but should you withdraw your consent or choose not to submit a document we have requested, we will be unable to consider your application due to a lack of data.

Data processing period: After a candidate has been selected for a specific position, we shall process the curriculum vitae and uploaded or otherwise submitted documents and personal data of people who have applied for the position, as follows:

we will ask unsuccessful applicants via email, via an electronic message or in printed form, whether they would like us to keep their application on file for one year. If we receive a negative answer or no answer within 30 (thirty) days, we shall delete the application and information about the applicant from our system.
We will transfer the successful candidate’s data to our employee database and delete their data from the applicant database.

Unsolicited applications are processed as follows:

Those that arrive by post or email are stored in our database for 1 (one) year; After one year, curriculum vitae and data received in this way are deleted.

Independently of the above, you may request deletion of your personal data at any time; on receiving such a request, we shall immediately delete your personal data from our database.

We may receive your application documents from a headhunter or HR platform. Such companies are separate data controllers, so please consult their company website for their data processing policy.

2.9. Business-to-business communication

Like most companies, we maintain business relationships with individual employees of other organisations, whose names, positions and contact information we store.

The purpose of the data processing: In any event, we store such data solely in order for our companies to be able to communicate for the purpose of working together.

The legal basis for processing the data: The legal basis for our data processing activity is our legitimate interests relating to communication between companies. We store this contact data for our business contacts solely for the purpose of making it easier to arrange and maintain business relationships. For example, we do not use data from our business contacts for marketing activities, and we do not share this data with third parties.

Data processing period: We regularly review the contact data for our business contacts and remove any information from the systems which is no longer up to date.

The same applies when we are processing personal data from members of the press.

2.10. CCTV

There is a CCTV system operating on the restaurant premises in the interests of security for both guests and property. Camera surveillance is indicated by a pictogram and signs.

We can provide information at our premises about the processing of data related to the CCTV system.

3, Legal notice (including contact details)

As data controller of the personal data which it uses, GUNDEL is obliged under the GDPR to publish its official name, contact details and other data related information. This section contains all the information required in accordance with the GDPR, as well as additional legal information.

The name of the legal entity running this website:

Full official name: GBR EVENT, Üzemeltető és Kereskedelmi Korlátolt Felelősségű Társaság
Short name: GBR Event Kft.
Registered office: 1146 Budapest, Ajtósi Dürer sor 5. 1/1
Commercial court: Budapest Capital Regional Court Commercial Court
Company registration number: 01-09-371905
Tax number: 28741844-2-42
Represented by: Jenő Magyari Managing Director
Data Protection Officer’s email address: info@gundel.hu
Business activities: Restaurant and mobile catering

4, Expressions and abbreviations used in this data policy:

Most of the definitions are based on the EU General Data Protection Regulation (GDPR). The GDPR is a legal document and so it is not possible to convey the same content simply and concisely. Our purpose here is to give a straightforward explanation, which will make it easier to understand the text; this sometimes precludes the need to go into the details of the full legal definition. In terms of our policy, our company is in complete compliance with the requirements of the GDPR and the fact that we are providing a simplified explanation here does not restrict your rights.

Expression or abbreviation: explanation

Controller: The legal body determining the processing of personal data.

Data subject: The person living inside or outside the EU, who has a relationship to the body operating in the EU. Such an individual is considered a “data subject” and has rights under the GDPR when their data is being processed.

EU: The European Union

GDPR: The EU’s General Data Protection Regulation, which came into force on 25 May 2018.

Personal data: Any information relating to the individual, which enables them to be identified with the help of a number of means, including but not restricted to the following:

The individual’s name, identity number, mother’s maiden name, or
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data processing: Any operation or set of operations which is performed on personal data, whether or not by automated means, such as but not confined to the following: data collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, deletion or destruction.

Data processor: The legal person which processes personal data on behalf of the controller

Profiling: Automated processing which uses personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Pseudonymisation: Codifying or otherwise maintaining personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information. The additional information has to be kept separately and protected from unauthorised use with technical and organisational measures.

Special categories of personal data: Very strict restrictions apply to the processing of personal data belonging to “special categories”. These restrictions apply to the following:

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
The processing of genetic and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation; or
Data concerning criminal convictions.

Supervisory authority: An independent public authority which is established by a Member State for monitoring the application of the GDPR and – where necessary – intervening to protect the rights of the individual in accordance with the GDPR.

Third country: Any country outside the EU.

Data transfer: The transmission of personal data from a data controller or data processor in the EU to a legal person outside the EU.