Privacy policy

Privacy Policy - www.leisurelocator.com - for customers

The protection of personal data is extremely important to us. In this Privacy Policy, we therefore describe what personal data we collect about you, for what purpose, and on what legal basis we process it. The Privacy Policy also sets out your rights.

 

  1. Data of the Data Controller

Data controller: Creative Waves International Kft. (hereinafter: Data Controller)

Registered office: H-9200 Mosonmagyaróvár, Lajtaszer 5/A

Branch office: H-9200 Mosonmagyaróvár, Hold utca 4. A. building Fsz. 1. door

Tax number: 32244395-1-08

Community tax number: HU32244395

Company registration number: 08-09-035671

Bank HUF: 11737076-23735655

Bank EUR: 11763378-68597883

 

Website: leisurelocator.com

Contact details of the data protection officer: info@creativewaves.eu

 

  1. General legal regulations on which data processing is based

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR)

  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)

  • Act V of 2013 on the Civil Code (Civil Code)

  • Act CXXVII of 2007 on Value Added Tax (VAT Act)

  • Act C of 2000 on Accounting (Accounting Act)

  • Act CLV of 1997 on Consumer Protection (Consumer Protection Act)

  • Act CLIV of 1997 on Health Care (Health Care Act)

  • Act XLVII of 1997 on the Processing and Protection of Health Data and Related Personal Data (Health Data Act)

  • Act CXXII of 2019 on Social Security Benefits and the Financing of These Benefits (Social Security Act)

  • Act LXXXIII of 1997 on Mandatory Health Insurance Benefits (Health Insurance Act)

  • Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (Eker tv.)

  • Act XLVIII of 2008 on the fundamental requirements and certain restrictions of economic advertising activities (Grt.)

 

  1. Terms

Personal data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Typical personal data includes: name, address, place and date of birth, mother's name.

 

Data processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

 

Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

 

Recipient: a natural or legal person, public authority, agency or other body to whom or which the personal data are disclosed, whether a third party or not.

 

  1. Principles

When processing personal data, the Data Controller shall adhere to the following principles, namely that personal data shall be:

  1. processed lawfully, fairly, and in a transparent manner in relation to the data subject (lawfulness, fairness, and transparency)

  2. collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes (purpose limitation)

  3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization)

  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy)

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (storage limitation)

  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (integrity and confidentiality)

  7. the Data Controller shall be responsible for, and be able to demonstrate compliance with, the above principles (accountability)

  1. Data processing activity

 

  1. Contacting via email.

Purpose of data processing

Contacting via email

Legal basis for data processing

Legal basis: GDPR Article 6(1)(b): necessary for the performance of a contract or for taking steps at the request of the data subject prior to entering into a contract.

Categories of data subjects

Data subjects: Interested parties

 

Scope of personal data

Personal data processed: Name, phone number, email address

 

Data retention period

Retention period: Until the end of the first year following the contact

 

Data transfer

Data transfers: No data transfer will take place under GDPR Articles 44-49.

Recipients

Recipients: The Data Controller uses Data Processors, including a mail system service provider, Nethely Kft. (1115 Budapest, Halmi u. 29., tax number: 23358005-2-43)

Source of data

Data source: The interested party

Method and consequences of data provision

Providing personal data is necessary. If you do not provide the requested personal data, the Data Controller will not be able to contact you via email.

 

  1. Contact via website (menu item: "Contact us")

 

Purpose of data processing

Contacting and Keeping in Touch

 

Legal basis for data processing

Article 6(1)(b) of the GDPR: necessary steps at the request of the data subject prior to entering into a contract or for the performance of a contract

Categories of data subjects

Interested party

Scope of personal data

Name, phone number, email address, declaration of being at least 16 years old

Data retention period

Until the end of the first year following contact initiation

Data transfer

Data transfer is carried out in accordance with Articles 44-49 of the GDPR.

Recipients

The Data Controller uses Data Processors:

  • Hosting and server provider: ErdSoft doo. (registered office: Somborski put 33a, Vojvodina, 24000 Szabadka, Serbia)

Source of data

The source of personal data is the interested party.

 

Method and consequences of data provision

Providing personal data is necessary. If you do not provide personal data, the Data Controller will not be able to contact you.

 

 

  1. Using a World Wide Web portal service.

 

Purpose of data processing

Ensuring Appearance

 

Legal basis for data processing

Article 6(1)(b) of the GDPR: necessary steps at the request of the data subject prior to entering into a contract or for the performance of a contract

Categories of data subjects

Customer

Scope of personal data

Name, address, email address, tax identification number (in case of a taxable customer)

Data retention period

Based on Sections 169(1)-(2) of the Accounting Act, for 8 years

Data transfer

No data transfer is carried out in accordance with Articles 44-49 of the GDPR.

Recipients

The Data Controller uses Data Processors:

  • Hosting and server provider: ErdSoft doo. (registered office: Somborski put 33a, Vojvodina, 24000 Szabadka, Serbia)

Source of data

The source of personal data is the customer.

 

Method and consequences of data provision

Providing personal data is necessary. If you do not provide personal data, the Data Controller will not be able to provide you with accommodation.

 

  1. Invoicing (service)

 

Purpose of data processing

Issuing an invoice

Legal basis for data processing

GDPR Article 6 (1) (c): compliance with a legal obligation: Section 159 (1) of the Value Added Tax Act

Categories of data subjects

Customer

Scope of personal data

Name, address, tax identification number (in case of corporate clients), email address

Data retention period

Based on Section 169 (1) and (2) of the Accounting Act, data must be kept for 8 years

Data transfer

No data transmission is carried out according to GDPR Articles 44-49

Recipients

The Data Controller uses Data Processors for:

• accounting: SZK Consulting Limited Liability Company (registered office: 9200 Mosonmagyaróvár, Fészek utca 8., tax identification number: 23469703-1-08)

Source of data

The Data Controller provides data to the National Tax and Customs Administration (NAV) according to point 1 of Annex 10 of Act CXXVII of 2007 on Value Added Tax (VAT)

Method and consequences of data provision

The source of personal data is the customer

 

  1. Payment of service fee

Purpose of data processing

Payment of service fee

Legal basis for data processing

GDPR Article 6(1)(b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Categories of data subjects

Customer

Scope of personal data

Name, company name (in case of corporate customers), bank account number, payment amount, payment time

Data retention period

Retention period according to Sections 169(1) and (2) of the Accounting Act: 8 years

Data transfer

No data transfer is carried out in accordance with GDPR Articles 44-49.

Recipients

The Data Controller uses a Data Processor.

• SimplePay online bank card acceptance system by OTP Mobil Szolgáltató Kft. (Registered office: 1143 Budapest, Hungária krt. 17-19.; Company registration number: 01-09-174466; tax identification number: 24386106-2-42)

The Data Controller's bank, acting as a separate Data Controller, has access to the personal data.

Source of data

The source of personal data is the customer.

Method and consequences of data provision

Providing the data is necessary. If you do not provide your personal data, you will not be able to pay for the service.

 

5. a.) SimplePay data transfer statement

I acknowledge the following personal data stored in the user account of Creative Waves International Kft. (address: 9200 Mosonmagyaróvár, Lajtaszer u. 5/a) in the user database of leisurelocator.com will be handed over to OTP Mobil Ltd. and is trusted as data processor. The data transferred by the data controller are the following: name, e-mail address, billing data. The nature and purpose of the data processing activity performed by the data processor in the SimplePay Privacy Policy can be found at the following link: https://simplepay.hu/vasarlo-aff/

  1. Sending newsletters

Purpose of data processing

Sending newsletters

Legal basis for data processing

GDPR Article 6(1)(a): the data subject's consent.

Categories of data subjects

Subscribers to the newsletter

Scope of personal data

Name, email address

Data retention period

Data retention period: until the withdrawal of consent or until 30 days after unsubscribing from the newsletter.

Data transfer

Data may be transferred according to GDPR Articles 44-49.

Recipients

The Data Controller uses Data Processors:

Hosting service provider: ErdSoft doo. (registered office: Somborski put 33a, Vojvodina, 24000 Subotica, Serbia)

Newsletter software: MEDIACENTER HUNGARY Kft. (registered office: 6000 Kecskemét, Erkel Ferenc Street 5, company registration number: 03-09-114492)

Source of data

The source of personal data is the subscriber who signs up for the newsletter.

Method and consequences of data provision

Providing personal data is voluntary. If you do not provide personal data, the Data Controller will not be able to send you newsletters.

 

 

  1. Contractual communication

The Data Controller communicates and maintains business relationships with its contracted Partners (suppliers) through the contact person specified in the contract.

Purpose of data processing

The data controller maintains communication and carries out cooperation with the designated contact person of the Partner (individual entrepreneur, Ltd., general partnership, corporation) for the purposeful implementation of the contract between the Data Controller and the Partner.

Legal basis for data processing

Legal basis: GDPR Article 6 (1) (f) - legitimate interest

Categories of data subjects

Scope of personal data

Personal data processed: Name, job title, phone number, email address of the contact person designated by the Partner.

Data retention period

Data retention period: Until the end of the fifth year following the performance or termination of the contract.

Data transfer

No data transfer is made pursuant to GDPR Articles 44-49.

Recipients

No data processors are used by the Data Controller.

Source of data

Source of personal data: The contact person designated by the Partner.

Method and consequences of data provision

The provision of personal data is necessary. If you do not provide the personal data, the Data Controller cannot coordinate with the Partner.

 

  1. Handling complaints

Purpose of data processing

Handling complaints related to any service

Legal basis for data processing

GDPR Article 6(1)(c): Compliance with a legal obligation: Act CLV of 1997 on Consumer Protection

Categories of data subjects

Complainant

Scope of personal data

Name, address, place, time and manner of submitting the complaint, detailed description of the complaint, list of documents and other evidence submitted by the consumer

Data retention period

According to Section 17/A(7) of Act CLV of 1997 on Consumer Protection, 3 years

Data transfer

No data transfer will take place according to GDPR Articles 44-49

Recipients

The Data Controller does not use Data Processors

Source of data

The source of the personal data is the complainant

Method and consequences of data provision

Providing personal data is voluntary. If you do not provide the personal data, the Data Controller may not be able to investigate your complaint.

 

  1. Website data management

 

The Website uses cookies.

 

A cookie is a file that is placed on your computer when you visit a website. The cookie is a package of information that the server sends to the browser, and then each time the browser sends it back to the server with the data content determined by the server for each request. The purpose of this is to save the internet settings of the website you visited, so that if you revisit the same website from the same device, the page will remember the set parameters.

 

Cookies have many functions. Cookies are most commonly used for personalization of advertisements, services, and analysis of website traffic.

 

Under current legislation, a cookie can only be stored on your device if it is absolutely necessary, that is, essential for the operation of the website; these are called "necessary cookies". For all other types of cookies, your consent is required. The cookies currently used on the Website can be viewed and set in the pop-up window that appears when you log in to the website.

 

Modern browsers allow you to modify cookie settings. Some browsers automatically accept cookies by default, but this setting can also be changed to prevent automatic acceptance in the future. If you change your settings, your browser will always offer you the option to choose cookie settings.

 

Considering that the purpose of cookies is to support and facilitate website usability and processes, disabling cookies cannot guarantee that you will be able to use all the website's functions to their full extent. The website may not function as intended in your browser in this case. More detailed information on cookie settings is available for the following browsers:

  1. Google Chrome

  2. Firefox

  3. Microsoft Internet Explorer 11

  4. Microsoft Internet Explorer 10

  5. Microsoft Internet Explorer 9

  6. Microsoft Internet Explorer 8

  7. Microsoft Edge

  8. Safari

 

 

  1. Social media

The Data Controller is available on the following social media platforms with a corporate profile.

 

The operator of the social media platform qualifies as an independent Data Controller, and information about data processing can be accessed through the following links:

 

Social media platform: name of Data Controller; information about data processing

  • Facebook: Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland); https://www.facebook.com/privacy/explanation

  • Instagram: Meta Platforms Ireland Ltd. (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland); help.instagram.com/519522 … 25107875/?helpref=hc_fnav

  • Twitter: Twitter, Inc. (1355 Market Street, Suite 900, San Francisco 94103, California); https://twitter.com/en/privacy

  • TikTok: TikTok Technology Ltd. (10 Earlsfort Terrace, Dublin, D02 T380, Ireland); tiktok.com/legal/privacy-policy-eea?lang=hu

  • Pinterest: Pinterest Europe Ltd. (Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland); policy.pinterest.com/hu/privacy-policy

  • Google+ YouTube: Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA); policies.google.com/techn … ies/product-privacy?hl=hu

 

The Data Controller does not record and process personal data about the user of the given social media platform in its internal database and system.

 

  1. Access to data

 

The competent employees of the Data Controller may access personal data to the necessary extent for the performance of their tasks.

 

  1. Data security measures

The Data Controller ensures appropriate IT, technical, and personal measures to protect the personal data it processes, including against unauthorized access or unauthorized modification.

 

  1. Data Subject Rights Related to Data Processing and Their Content

 

 

Data Subject Rights Related to Data Processing

 

 

Content of Data Subject Rights Related to Data Processing

Right to be informed /GDPR Articles 13-14/

You are entitled to receive information about the fact and purposes of the data processing at the time of acquiring your personal data. The Data Controller shall provide you with additional information necessary to ensure fair and transparent data processing, taking into account the specific circumstances and context of the personal data processing. You should also be informed about the fact and consequences of profiling.

Right of access /GDPR Article 15/

You have the right to request information on whether your personal data is being processed, and if so, you have the right to know:

• what personal data is being processed

• on what legal basis

• for what purpose

• how long it will be processed

• to whom, when, and on what legal basis access to your personal data was granted or your personal data was transmitted

• the sources of your personal data (if it was not provided by you to the Data Controller)

• if automated decision-making is being used, including profiling, and the logic behind it.

 

Right to rectification /GDPR Article 16/

You are entitled to request the Data Controller to correct inaccurate personal data concerning you or to complete incomplete personal data. Therefore, you can request the Data Controller to modify any personal data (for example, you can change your email address or other contact information at any time).

 

Right to erasure (‘right to be forgotten’) /GDPR Article 17/

You have the right to request the Controller to erase your personal data if any of the following reasons apply:

• your personal data is no longer necessary for the purposes for which it was collected or otherwise processed

• you withdraw your consent on which the processing was based according to Article 6(1)(a) or Article 9(2)(a) and there is no other legal ground for the processing

• you object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2)

• your personal data has been unlawfully processed

• your personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject

• your personal data was collected in relation to the offer of information society services referred to in Article 8(1).

 

Right to restriction of processing /GDPR Article 18/

You are entitled to request that the Data Controller limits the processing of your personal data if one of the following reasons applies:

• You dispute the accuracy of your personal data (in this case, the restriction applies for the duration that allows the Data Controller to verify the accuracy of the personal data)

• The processing of the data is unlawful, and you oppose the erasure of the data and instead request the restriction of their use

• The Data Controller no longer needs the personal data for processing purposes, but you require them for the establishment, exercise, or defense of legal claims

• You have objected to the processing of your data pursuant to Article 21(1) (in this case, the restriction applies for the duration until it is determined whether the legitimate grounds of the Data Controller override your legitimate interests).

 

Right to data portability /GDPR Article 20/

You have the right to receive your personal data provided to a Data Controller in a structured, commonly used and machine-readable format, and to transmit these data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where:

• the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a), or on a contract pursuant to Article 6(1)(b), and

• the processing is carried out by automated means.

You have the right to request the direct transfer of your personal data between Data Controllers, if technically feasible.

 

Right to object /GDPR Article 21/

You have the right to object at any time, for reasons related to your particular situation, to the processing of your personal data based on points (e) or (f) of Article 6(1), including profiling based on those provisions. In this case, the Data Controller may no longer process your personal data, unless they demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes, including profiling to the extent that it is related to such direct marketing.

 

Right to withdraw consent /GDPR Article 7(3)/

You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You must be informed of this before giving your consent. The withdrawal of consent should be made as easy as giving it.

 

  1. Data subject rights and remedies concerning data processing

 

Remedies

Content of remedies

Right to lodge a complaint with the supervisory authority /GDPR Article 77/

If you feel that your right to the protection of your personal data has been violated, you may file a complaint with the following authority:

Hungarian National Authority for Data Protection and Freedom of Information

address: 9-11 Falk Miksa Street, Budapest H-1055, Hungary

mailing address: P.O. Box 9, Budapest H-1363, Hungary

phone: +36 (1) 391-1400

email: ugyfelszolgalat@naih.hu

website: naih.hu

 

Right to an effective judicial remedy against the controller or processor /GDPR Article 79/

You have the right to take legal action against the controller or processor if you discover that the processing of your personal data is illegal. The court will deal with the matter without delay. You can freely decide whether to file your claim with the court that has jurisdiction over your residence or your place of stay. Contact information for courts can be found at birosag.hu/torvenyszekek.

 

 

  1. Updating the Privacy Notice

 

The Data Controller reserves the right to unilaterally modify this Privacy Notice. The modification of this Notice may be necessary in particular due to changes in legislation, data protection supervisory authority practice, business needs, or other circumstances. Upon request of the Data Subject, the Data Controller shall provide them with a copy of the currently effective Privacy Notice in the agreed format.

 

Mosonmagyaróvár, May 1, 2023.
