PRIVACY NOTICE


in connection with the data processing of the https://bazaarbudapest.com/ website

Date of last modification: 16 June 2025

Table of contents

  1. Data Controller information, data protection contact person
  2. Scope of data processing, principles and possible legal bases
  3. Applicable laws
  4. Definitions
  5. Cookie management
  6. Electronic surveillance system
  7. Automated decision-making and profiling
  8. Social media presence
  9. Processed personal data
  10. Recipients of data processing, processors
  11. Data security measures
  12. Rights of the data subjects

1. Data Controller information, data protection contact person

Data Controller information:

The https://bazaarbudapest.com/ website (hereinafter referred to as the “website”) is operated by Dob 18 HORECA Limited Liability Company.

Short name: Dob 18 HORECA Kft.
Company registration number: 01-09-354408 – Company Court of the Metropolitan Court of Budapest
Tax number: 27331648-2-42
Registered seat: 1072 Budapest, Dob utca 18.
Representative: Áron Kercsik, Managing Director
Website: https://bazaarbudapest.com/
E-mail: reservation@bazaarbudapest.com

(hereinafter: Data Controller)

The Data Controller is not obliged to appoint a Data Protection Officer; however, it responds to data protection-related inquiries at the following contact address:

E-mail: management@bazaarbudapest.com

2. Scope of data processing, principles and possible legal bases

This Privacy Notice applies to data processing activities carried out by the Data Controller through, or in connection with, the website in the course of providing its services. This Privacy Notice also contains information related to events organized by the Data Controller.

The personal scope of this Notice extends to visitors of the website, persons contacting the Data Controller, subscribers to the Data Controller’s newsletter, purchasers of gift cards, persons initiating restaurant reservations (in the latter case the contact persons designated within the reservation), as well as guests entering the restaurant, as natural persons whose personal data are processed (hereinafter: “You” or “Data Subject”).

With respect to events held at the catering premises operated by the Data Controller but organized by third parties, the third-party organizer shall provide separate information on data processing, for which the Data Controller shall not be responsible.

The Data Controller is entitled to unilaterally amend or supplement this Notice. The version available on the website shall always contain the information applicable at the time on data processing.

Principles relating to the processing of personal data:

Personal data shall be:

  • processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
  • collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

The Data Controller shall act in accordance with the above principles in all its processing activities and shall take the necessary measures to demonstrate compliance with the principles of data processing (“accountability”).

Legal bases of data processing:

Processing may only be carried out if an appropriate legal basis exists. In the absence of a legal basis, data processing is unlawful.

Possible legal bases include:

  • if the processing is based on a legal obligation, i.e. necessary for compliance with legal obligations applicable to the Data Controller (e.g., compliance with invoicing obligations);
  • if the data subject has given consent to the processing of his or her personal data for one or more specific purposes (e.g., consent to be contacted during inquiries);
  • if the processing is based on the legitimate interests of the Data Controller (e.g., cookie management where cookies are placed before consent is granted);
  • if the processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract (e.g., contact details of an event organizer);
  • if processing is necessary in order to protect the vital interests of the data subject or of another natural person (e.g., measures taken in connection with accident prevention).

3. Applicable laws

The following laws primarily apply to the Data Controller’s activities in connection with the processing of personal data:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR);
  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Info Act);
  • Act V of 2013 on the Civil Code (hereinafter: Civil Code);
  • Act CLV of 1997 on Consumer Protection (hereinafter: Consumer Protection Act);
  • Act CXXVII of 2007 on Value Added Tax (hereinafter: VAT Act);
  • Act C of 2000 on Accounting (hereinafter: Accounting Act);
  • Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter: E-Commerce Act).

4. Definitions

Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processing: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller.

Data Processing: the performance of technical tasks related to data processing operations, irrespective of the method and tools used for carrying out the operations and the place of application, provided that the technical task is performed on the data.

Data Protection Incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Pseudonymisation: the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person.

Consent of the Data Subject: any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.

Identifiable natural person: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Recipient: a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Data Subject: an identified or identifiable natural person.

Third Party: a natural or legal person, public authority, agency or body other than the Data Subject, the Data Controller, the Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process Personal Data.

Special Category Data: Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, or data concerning a natural person’s sex life or sexual orientation.

The Data Controller may, on an occasional basis, process health data concerning food intolerances explicitly shared by the Data Subject during contact, meal ordering or table reservation. Such data are not stored, not transmitted and are used exclusively for the provision of the service.

Profiling: any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Personal Data: any information relating to an identified or identifiable natural person. Personal Data means any information by which a natural person can be identified – either by itself or in combination with other data.

5. Cookie management

The Data Controller uses cookies for the operation of the website and for the collection of technical data relating to visitors of the website.

The Data Controller provides separate information regarding the data processing implemented by cookies, which is available on the website under the “Cookie Policy” menu item.

6. Electronic surveillance system

Restaurants operated by Dob 18 HORECA Kft. are equipped with an electronic surveillance and recording system, including cameras placed at the entrances, counters and guest areas. Further information regarding the exact locations of the cameras and the monitored areas can be found in the camera information notice displayed in the restaurant.

The Data Controller stores the recordings on a central server with enhanced data security measures, ensuring that unauthorised persons cannot access the recordings.

The current images of the cameras and the recorded footage may be viewed by the Managing Director, the General Manager, and the Financial Manager of the Data Controller.

Recordings are transferred only in the context of administrative offence or criminal proceedings to the competent authorities or courts conducting such proceedings.

7. Automated decision-making and profiling

No automated decision-making is carried out in the course of the processing of personal data.

The Data Controller does not carry out profiling activities.

8. Social media presence

For the purpose of promoting the restaurant, sharing events and offers, and responding to messages and comments, the Data Controller maintains social media pages. On these platforms, it is possible to post comments, send messages and reactions at the following links:

9. Processed personal data

| Name of processing | Purpose of processing | Legal basis | Scope of processed data | Retention period |
|---|---|---|---|---|
| Hosting service provider | Proper operation of the website, backup. | GDPR Article 6 (1) (f), and Section 13/A (3) of the E-Commerce Act. | Personal data provided by the Data Subject on the website. | Backups are retained for a maximum of 5 years. |
| Table reservation | The purpose of the processing is to enable the Data Controller to manage table reservations, prepare for receiving guests, and, where applicable, provide services tailored to individual requests. | Consent of the Data Subject, GDPR Article 6 (1) (a). | Typically name, telephone number, e-mail address. Other data shared by the Data Subject with the Data Controller. | The Data Controller processes personal data for 3 years following the provision of the service, or until the withdrawal of your consent. |
| Communication / Contact | The purpose of the processing is to enable the Data Controller to respond to and react to your inquiries and questions, thereby fulfilling the content of your request as far as possible, as well as to provide information regarding its services (e.g., food ingredients, events). | Performance of a contract, GDPR Article 6 (1) (b). | Any contact details you, as the Data Subject, provide to the Data Controller during the contact, typically name, telephone number, e-mail address. | The Data Controller processes personal data on the basis of the performance of a contract until two years following the fulfilment of the reservation or event. |
| Gift card, voucher purchase | Sale of tickets and gift cards for restaurant events. | Performance of a contract, GDPR Article 6 (1) (b). | Name, address, e-mail address, any other data shared by the Data Subject. | The Data Controller processes personal data on the basis of the performance of a contract until two years following the use of the gift card or voucher. |
| Participation in events | The purpose of the processing is for the Data Controller to contact you as an event participant, to ensure your participation in the event or program, to handle entry, or to be able to notify you of program changes, cancellations, or other important circumstances. | Performance of a contract, GDPR Article 6 (1) (b). | Name, contact details (telephone number, e-mail address, address), and any other personal data provided by you during registration or ticket purchase. | The Data Controller processes personal data on the basis of the performance of a contract until two years following the organization of the event or program. |
| Issuance of accounting documents | The Data Controller is legally obliged to issue accounting documents containing the appropriate data. | Compliance with a legal obligation, GDPR Article 6 (1) (c). | Surname, First name, Address, E-mail address. | The Data Controller processes personal data as long as statutory retention obligations apply or until the deadline specified in an authority’s request has expired. |
| Newsletter sending | Providing information about current offers, programs, and events. | Consent of the Data Subject, GDPR Article 6 (1) (a). | Name, e-mail address, identifier, date of consent, information relating to the sending and delivery of messages. | Until deletion is requested by the Data Subject. |
| Consumer complaint handling | Investigation, management and response to complaints. | Compliance with a legal obligation, GDPR Article 6 (1) (c). | Name of complainant, e-mail address, telephone number, content of the complaint. | 5 years pursuant to Section 17/A (7) of the Consumer Protection Act. |
| Restaurant Wi-Fi | Providing internet access to guests. | Consent of the Data Subject, GDPR Article 6 (1) (a). | Type of the Data Subject’s device, username. | For the duration of the connection. |
| Electronic surveillance system | Protection of physical safety, property, and significant cash values, prevention and detection of infringements, and providing evidence of infringements. | Legitimate interest of the Data Controller, GDPR Article 6 (1) (f). | The image of persons entering the restaurant premises. | 14 days from the recording of the footage. |
| Guest satisfaction measurement, publication of recommendations | Collection of data relating to guest experience, promotion of the restaurant. | Consent of the Data Subject, GDPR Article 6 (1) (a). | Name of the guest providing the opinion, image, and the personal opinion given. | Until deletion is requested by the Data Subject. |
| Social media presence | Replying to comments and messages, promotion of the restaurant. | Consent of the Data Subject, GDPR Article 6 (1) (a). | Name of the Data Subject posting the comment or sending the message, date of sending the message. | Until deletion is requested by the Data Subject. |

10. Recipients of data processing, processors

| Recipient | Purpose of data transfer | Scope of processed data |
|---|---|---|
| Netmask Interactive Kft, 1131 Budapest, Nővér utca 110. | Hosting service provider | Data stored on the website |
| Tóth László egyéni vállalkozó, 1212 Budapest, Szent István út 1/B | Website maintenance, development and troubleshooting | Data stored on the website |
| Code Kitchen Kft. “ReservOurs” (https://reservours.com/privacy-policy) | Reception and administration of reservations | Name, e-mail address |
| Elementor Ltd. — Elementor Pro, Tuval 40, Ramat Gan, 5252247, Israel (https://elementor.com/about/privacy/) | Management of newsletter subscriptions | Name, e-mail address |
| KBOSS.hu Kereskedelmi és Szolgáltató Kft., 1031 Budapest, Záhony utca 7., dpo@kboss.hu (https://www.szamlazz.hu/adatvedelem/#a-kboss-hu-kft-mint-adatkezelo-es-adatfeldolgozo-adatai-a-kovetkezok) | Fulfilment of invoicing obligations | Data on accounting documents |
| Keller & Szentes Kft., 1023 Budapest, Bécsi út 3-5. 4. lház. 1. em. | Fulfilment of accounting and tax obligations | Data on accounting documents |
| Famoust Invest Kft., 1044 Budapest, Váci út 83. | Marketing agency, management of websites and social media | Name, e-mail address, username |
| Google — Google Ltd., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (https://policies.google.com/privacy/update?gl=HU&hl=hu) | Tracking visitor data, optimisation of service provision | Name, e-mail address, username |
| Facebook Pixel, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (https://www.facebook.com/about/privacy) | Application of advertising platform | Name, e-mail address, username |
| Facebook, Messenger, Instagram — Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (https://www.facebook.com/about/privacy) | Promotion of the restaurant, response to comments and messages | Name, e-mail address, username |
| TikTok — TikTok Information Technologies UK Ltd., 6th Floor, One London Wall, London, EC2Y 5EB, UK (https://www.tiktok.com/legal/page/eea/privacy-policy/hu) | Promotion of the restaurant, response to comments and messages | Name, e-mail address, username |
| Tripadvisor — Tripadvisor LLC (https://tripadvisor.mediaroom.com/us-privacy-policy) | Promotion of the restaurant, response to comments and messages | Name, e-mail address, username |

The online platforms provided by processors may contain information originating from third parties not related to the Data Controller. Such third parties may place content, cookies, or web beacons on the user’s computer, or use similar technologies to collect data. In such cases, the data processing is subject to the data protection rules determined by those third parties, and the Data Controller assumes no responsibility in this regard.

11. Data security measures

In connection with its activities, the Data Controller ensures the necessary authorisation management and internal organisational and technical solutions to prevent unauthorised persons from gaining access to your data, or from deleting, exporting or modifying them in the system.

The Data Controller maintains records of any possible data protection incidents and, where necessary, provides information regarding such incidents.

On the computers used by its employees, the Data Controller applies password protection and installs firewall protection on its IT devices.

Computers owned by the Data Controller are equipped with appropriate passwords and antivirus software, and servers are stored in locked premises with regulated access, air conditioning and additional safeguards. The Data Controller performs regular backups of its servers and carries out the disposal of IT equipment when necessary.

In the event of data transfers, the Data Controller records the reason and time of access in minutes and maintains records of its data processing activities in accordance with the requirements set forth in the GDPR.

12. Rights of the data subjects

You are entitled at any time to request information by post, electronically, or by telephone, through the contact details indicated in this Notice, about the personal data concerning you that we process.

Upon your request, we will inform you of:

  • the data processed,
  • the purpose of the processing,
  • the legal basis of the processing,
  • the duration of the processing,
  • who receives or has received your data and for what purpose.

The information shall be provided in writing within 30 days from the submission of the request, primarily by electronic means, unless you request otherwise.

The provision of information is free of charge. If your request is manifestly unfounded or excessive (e.g., repetitive within a short period), the Data Controller may, taking into account the administrative costs arising from providing the requested information or taking the requested action, charge a reasonable fee or refuse to act on the request.

You may object to the processing of your personal data at any time. The objection will be examined within the shortest possible time, but not later than 30 days, and a decision will be made regarding its merits, of which you will be notified.

You are entitled to request the erasure of the personal data we process concerning you, which the Data Controller shall comply with without undue delay if any of the following apply:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you withdraw the consent on which the processing is based, and there is no other legal ground for the processing;
  • you object to the processing, and there are no overriding legitimate grounds for the processing (among the processing activities covered by this Notice, this applies only to those based on legitimate interest);
  • the personal data have been unlawfully processed;
  • the personal data must be erased for compliance with a legal obligation under European Union or Member State law to which the controller is subject.

You are entitled to request the rectification of inaccurate personal data concerning you. Upon such a request, the Data Controller shall correct or supplement your data.

You may also request that the Data Controller restrict the processing of your personal data (by clearly marking the processing as restricted and ensuring that the data are processed separately from other data) if:

  • you contest the accuracy of the personal data (in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data);
  • the processing is unlawful, and you oppose the erasure of the data and request the restriction of their use instead;
  • the Data Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims; or
  • you have objected to the processing (in this case, the restriction applies until it is determined whether the legitimate grounds of the Data Controller override those of the data subject).

Through the contact details provided in this Notice, you are entitled to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used, machine-readable format, if the processing is based on your consent and carried out by automated means. You also have the right to transmit those data to another controller without hindrance from the Data Controller.

The Data Controller will comply with requests for access, erasure, rectification, restriction, portability or transfer as soon as possible, but no later than within 30 days, and will inform you accordingly. If your request cannot be granted, you will also be informed within 30 days.

If the processing of your personal data is based on your consent, you are entitled to withdraw your consent at any time. Consent may be withdrawn by contacting the Data Controller or the data protection contact person at the contact details specified in this Notice. The Data Controller shall also ensure, where applicable, that consent may be withdrawn in simpler ways (e.g., via the “Unsubscribe” link provided in newsletters). You may unsubscribe from the newsletter at any time by using the “Unsubscribe” option in the newsletter, or by written or e-mail statement, which constitutes withdrawal of your consent.

If you are visually impaired or elderly, you may request from the Data Controller – through the contact details provided in this Privacy Notice or via the data protection contact person – that the content of this Privacy Notice be communicated orally or provided in a large-print version.

Furthermore, you are entitled to lodge a complaint with the:

National Authority for Data Protection and Freedom of Information
1055 Budapest, Falk Miksa u. 9-11.
www.naih.hu
Telephone: +36 (1) 391-1400
Telefax: +36 (1) 391-1410
E-mail: ugyfelszolgalat@naih.hu

or to enforce your rights concerning the processing of personal data before the court with jurisdiction under Act III of 1952 on the Code of Civil Procedure.

The competent courts can be found at the following link:
https://birosag.hu/birosag-kereso

The rights listed in this Notice may be exercised at any time by contacting the Data Controller or the designated data protection contact person via the contact details specified. In relation to your request, you may be required to identify yourself or provide data relating to you, serving the purpose of verifying your entitlement.

The Data Controller may be contacted at the e-mail address specified in this Notice (management@bazaarbudapest.com), as well as through the designated data protection contact person.
