Our Company, in its capacity as a Data Controller, on its own, or in conjunction with others, sets the purposes and means of the data processing activities carried out, and in its capacity as a Data Processor, processes personal data on behalf of the Data Controller.

The term “Data Processing” shall mean any operation, or set of operations, which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The term “Data Process” shall mean the technical type of data processing activities, where the Data Processor has no right to dispose of, or make decisions in relation to, the data processed.

“Personal Data” shall mean any information relating to an identified or identifiable natural person (the “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

As a Data Controller and a Data Processor, our Company fully respects the privacy of all persons on behalf of whom personal data is supplied, and is fully committed to ensuring adequate protection of such data.

I.

Pursuant to Article 13 of the GDPR, our Company provides the following information to the Data Subjects:

The Data Controller’s details:
Company name: Carnia Kft.
Legal seat: 1072 Budapest, Dohány u. 5.
Website: www.fausto.hu
Contact person: Anikó Di Vora
Phone: 36-1-269-6806
E-mail address: ristorante@fausto.hu

The data processing activities carried out:
list of persons carrying out data processing activities:
Beatrix Cservenyi (payroll accountant, bookkeeper)
e-mail address: cservenyi.b@gmail.com

The Data Processor shall solely be entitled to execute instructions given by the Data Controller in writing. It is mandatory to have a written contract in place between the Data Controller and the Data Processor, which shall specify the scope of data supplied by the Data Controller to the Data Processor, and the specific activities to be carried out by the Data Processor in relation to such data provided.

All employees processing personal data shall be bound by a confidentiality obligation.

In order to ensure proper data security, the Data Processor shall be obliged to take the necessary organisational and technical measures.

The Data Processor shall provide support to the Data Controller in fulfilling its obligations.

As instructed by the Data Controller, the Data Processor shall be obliged to duly return all personal data to the Data Controller, or shall erase all such data, and all duplicates made of them, unless retention of the data is mandatory under any member state or EU law.

The Data Processor shall be obliged to facilitate any audit or field review to be carried out by the Data Controller, or by any auditor mandated by the Data Controller.

If the Data Processor involves a sub-Data Processor, the sub-Data Processor involved shall be bound by the same obligations stipulated by the original contract signed between the Data Processor and the Data Controller.

Data Protection Officer:
– pursuant to Article 37 of the GDPR, our Company is not obliged to nominate a Data Protection Officer.

Data protection related queries: if you have any requests or questions in relation to the data processing activities carried out by our Company, please send them via regular mail to the following address: 1072 Budapest, Dohány u. 5., or via e-mail, to the following e-mail address: ristorante@fausto.hu. We will promptly send you a reply, not later than within 30 days, to the address you specified.

Data transfer to other countries:
– our Company does not transfer any data to other countries.

II.

The purpose, legal basis, and duration of the data processing activities carried out by our Company:

Data processing purposes:
Our Company carries out data processing activities for the following specific purposes, in full alignment with the applicable laws:
a) marketing activities performed for prospective clients, and drafting quotes for special events and group bookings;
b) processing the data of employees and job applicants (subject to the specific terms stipulated by the relevant Company policy);
c) processing the contact details of the Company’s contractual partners, for the purposes of fulfilling the relevant contracts;
d) fulfilment of the customer orders, and table bookings in our restaurant;
e) operating a CCTV system, for the purposes of asset and personal security;
f) for the purposes of a proper fulfilment of the Company’s mandatory obligations stipulated by the law.

The legal basis for the data processing activities:

Article 6(1), point a) of the GDPR: the Data Subject’s consent provided
Article 6(1), point b) of the GDPR: necessary for the fulfilment of a contract
Article 6(1), point c) of the GDPR: necessary to comply with a legal obligation
Article 6(1), point f) of the GDPR: lawful interest, in which case a proper assessment of the various parties’ interests is required.

The specific legal basis for the various data processing activities carried out:
a) the issuance of invoices, in full compliance with the Accounting Act: legal basis: Article 6(1), point c) of the GDPR
b) liaising with the business partners: legal basis (in case of processing the data of the business partners’ employees): Article 6(1), point f) of the GDPR. The Data Controller’s lawful interests: the business, as an on-going concern.
c) processing the employees’ data: legal basis: Article 6(1), points b) and c) of the GDPR
d) processing the data of the Company’s contractual partners: legal basis: Article 6(1), point b) of the GDPR
e) marketing activities: legal basis: Article 6(1), point a) of the GDPR. For the purposes of marketing activities, the Company has a Facebook profile; however, no standalone database is created, and no profiling is done.
f) online registration: legal basis: Article 6(1), point a) of the GDPR
g) operating a CCTV system for security purposes: legal basis: Article 6(1), point f) of the GDPR. The Data Controller’s lawful interests: property security. With regard to the employees, the Employer’s lawful interests, as specified by the Labour Code.

When the Data Subject’s personal data is processed based on the Company’s lawful interests, the Company shall perform a test of comparing interests, which shall include the following:
– identifying and recording the specific lawful interest
– identifying and recording the Data Subject’s interests and rights
– an assessment being made based on the principles of necessity and proportionality, being tied to a specific purpose, data minimisation, and limited storability
– the Data Subject is informed about the outcome of the assessment of the various interests being carried out.

The Data Subject shall have a right to object to the processing of his/her personal data, as a result of which his/her personal data will no longer be processed by the Company, unless the data processing activities are required for a specific purpose (such as any data that must be processed by law in relation to the employment relationship).

In case of direct marketing purposes, no such reason exists; therefore, if the Data Subject objects to the processing of his/her data, the data shall be erased accordingly. (Direct marketing activities include any advertising that approaches prospective clients directly. This can be done electronically, by phone, via regular mail, etc. Specific rules shall apply to each individual method. In this case, the Data Subject shall be the addressee of such advertising sent, i.e. the person who receives the advertising, or to whom it was directed. The Data Subject’s personal data can be processed for example by the operator of a website or a webshop).

Duration of the data processing activities:

The Company retains all invoices for a minimum period of 8 years, to comply with the applicable mandatory obligations. The mandatory retention period for the documents which serve as the basis for issuing invoices is 8 years.

The mandatory retention period for documents serving as the basis for employment: 50 years.

The retention period for the business partners’ contact data provided: 1 year after the business relationship ended.

The retention period for the data related to the fulfilment of contracts: 5 years.

The CCTV footage is stored for 2 weeks.

III.

The Data Subject’s rights:

Data Subjects shall have the specific rights provided to them by the law, in relation to their personal data being processed:
a) right to access the data (to learn which data is processed, and the fact, whether data processing takes place or not);
b) right to rectify the data, if the data is outdated or incorrect;
c) right to data erasure (only in case of data processing activities carried out based on the Data Subject’s previous consent provided);
d) right to restrict the data processing activities;
e) right to object to the personal data being used for direct marketing purposes;
f) right to transfer the personal data to a third party provider, or to object to the same;
g) right to request a duplicate of the personal data processed by the Data Controller; or
h) right to object to the personal data being used.

IV.

Personal Data Breach:
shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data being processed.

The Company shall ensure an adequate level of data security required in line with the specific level of risks attached to the data processing activities carried out, and in case of a personal data breach occurring, our Data Protection Officer, or if there is no such officer, the Data Controller/Data Processor, or its authorised representative shall without undue delay, or not later than within 72 hours after having become aware of the incident, notify the personal data breach to the competent supervisory authority, and to the relevant Data Subject.

Our Company shall take all necessary security measures when becoming aware of a personal data breach, for the purposes of eliminating the vulnerability that served as the basis for the personal data breach, and restoring the original condition.

The Company shall notify the Data Subject about the measures taken, and their outcome.

V.

Information on the legal remedies available:
Details of the relevant data protection authority in Hungary: The National Authority for Data Protection and the Freedom of Information (hereinafter referred to as “NAIH”, legal seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, e-mail address: ugyfelszolgalat@naih.hu). Data Subjects shall have the right to submit an official complaint to NAIH, if, in their view, the data processing activities carried out in relation to their personal data do not comply with the relevant laws.

Data Subjects shall also have the right to file for a judicial review, if the NAIH’s decision on the case is disputed.

VI.

Information about the data processing related registration systems maintained by the Company:

Our Company shall carry out the data processing activities in a lawful, fully transparent and controllable manner, for which purposes it maintains the following types of registration systems:
1. registration system about the data processing activities carried out – prior to the GDPR becoming effective, it was maintained by NAIH, pursuant to section 65 of the Infotv.
contents:
– serial number
– specific activity
– the data being processed
– data processing purpose
– the legal basis for the data processing activities carried out
– method and duration of the data being stored
– name and contact details of the Data Controller
– name and contact details of the Data Protection Officer
– data transfer, and the related recipients
– technical and organisational measures taken

The data processing related registration activities shall be carried out separately, for each specific data processing activity carried out.

2. registration system maintained about the data transfers taking place:
contents:
– serial number
– date
– name of recipient
– data transfer to third countries
– scope of personal data transferred
– purpose of the data processing activities carried out
– legal basis for the data processing activities carried out
– name and contact details of the Data Controller
– name and contact details of the Data Protection Officer
– the technical and organisational measures taken
– the deadline set for data erasure
– any other data defined by the law (e.g. the auditor’s professional association membership ID)

3. registration system about the termination of data processing activities
contents:
– serial number
– date and timing of the request filed
– name and personal identification data of the related Data Subject
– the contents of the request filed
– specification of the measures taken
– date of the measures taken
– name and contact details of the Data Controller
– name and contact details of the Data Protection Officer

4. registration system about Personal Data Breaches
contents:
– serial number
– date of the personal data breach occurring
– specification of the personal data breach
– scope of Data Subjects impacted
– scope of personal data impacted
– the effects of the personal data breach
– the measures taken
– name and contact details of the Data Controller
– name and contact details of the Data Protection Officer

5. registration system about all requests submitted by the Data Subjects and the relevant supervisory authorities, and the related replies sent
contents:
– serial number
– subject matter and date of the request submitted
– scope of the Data Subjects impacted
– scope of personal data impacted
– the measures taken
– name and contact details of the Data Controller
– name and contact details of the Data Protection Officer

6. registration system about the activities of the Data Protection Officer
contents:
– serial number
– date of the activities carried out
– list of the activities carried out
– compliance – verification
– Privacy Impact Assessment – comments
– cooperation with the supervisory authorities

7. registration system about any data or request sent to the wrong address
contents:
– serial number
– date of receipt
– subject matter of the request submitted
– measures taken (e.g. sending it back to the sender)
– name and contact details of the Data Controller
– name and contact details of the Data Protection Officer

8. registration system of the preliminary Privacy Impact Assessment carried out
contents:
– serial number
– date of the Privacy Impact Assessment carried out
– description of the operations executed, data processing purposes, lawful interest
– an assessment of necessity and proportionality
– risk assessment and management
– name and contact details of the Data Protection Officer
– the Data Protection Officer’s opinion

Dated: Budapest, 25 May 2018
