Privacy Policy
Effective: January 1, 2025
I. Introduction
Hilltop Winery & Restaurant (hereinafter: Data Controller) is committed to protecting your personal data. The purpose of this privacy policy is to provide detailed information on what personal data we process, for what purpose, on what legal basis, for how long, and in what manner, as well as to inform you of your rights and remedies.
The data controller particularly considers the provisions of the following laws regarding the processing of personal data:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
- Act CXII of 2011 – on the right to informational self-determination and freedom of information (Infotv.)
- Act XLVIII of 2008 – on the basic conditions and certain restrictions of economic advertising activities
- Act CVIII of 2001 – on electronic commerce services
- Act C of 2000 – on accounting
II. Data Controller’s Details
- Name: Nagy Gasztro Kft. (Hilltop Winery & Restaurant)
- Headquarters: 2897 Dunaszentmiklós, Petőfi Sándor Street 34.
- Company registration number: 11-09-026500
- Tax number: 26563662-2-11
- Email: etterem@hilltopborbirtok.hu
- Phone: +36-70/774-6663
III. Definitions
- “Personal data”: any information relating to an identified or identifiable natural person.
- “Data subject”: the natural person to whom the personal data relates.
- “Data processing”: any operation performed on personal data.
- “Data processor”: a person who processes personal data on behalf of the data controller.
- “Consent”: the data subject’s voluntary, clear, and informed statement.
IV. Purposes, Legal Bases, Scope of Processed Data, and Retention Periods
- Accommodation and event booking, table reservation
- Processed data: name, email, phone number, address
- Legal basis: GDPR Article 6(1)(b) – performance of a contract
- Retention period: until the contract is fulfilled, then 8 years according to the accounting law
- Handling of inquiries
- Processed data: name, email, phone number
- Legal basis: GDPR Article 6(1)(b) – preparation of a contract
- Retention period: until the contract is concluded, but no more than 1 year
- Marketing and newsletter sending
- Processed data: name, email
- Legal basis: GDPR Article 6(1)(a) – consent of the data subject
- Retention period: until withdrawal
- Statistical analysis, website usage (cookies)
- Processed data: IP address, browsing data
- Legal basis: GDPR Article 6(1)(a) – consent
- Retention period: until withdrawal
- Legal obligation (invoicing, taxation, NTKA reporting)
- Processed data: name, address, billing data
- Legal basis: GDPR Article 6(1)(c) – compliance with a legal obligation
- Retention period: for the period prescribed by law (accounting: 8 years)
V. Scope of Data Subjects
The data processing applies to natural persons who:
- initiate accommodation or event bookings, table reservations,
- submit inquiries,
- consent to marketing or newsletter sending,
- visit the website and accept the use of cookies.
VI. Data Processors and Data Transfers
The data controller uses the following data processors:
- MiniCRM Zrt. – customer relationship management system (CRM)
- RESnWEB – accommodation booking system
- ReservOurs – table reservation management system
- Google Ireland Ltd. – Google Analytics
The data controller does not transfer personal data to third countries (outside the EU).
VII. Cookies
The website uses cookies to ensure a better user experience.
- Necessary cookies: essential for the operation of the website. Legal basis: GDPR Article 6(1)(f) – legitimate interest.
- Statistical cookies: Google Analytics – with anonymous IP address. Legal basis: consent.
- Marketing cookies: targeted advertising, remarketing. Legal basis: consent.
The data subject can regulate their consent through the cookie banner.
VIII. Rights of Data Subjects
The data subject is entitled to the following rights under GDPR Articles 13-22:
- Right to information
- Right of access
- Right to rectification
- Right to erasure (“right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- Right to object
- Right to withdraw consent
Requests can be sent by the data subject to etterem@hilltopborbirtok.hu. The data controller fulfills requests without undue delay, but no later than within 30 days.
IX. Data Security Measures
The data controller applies appropriate technical and organizational measures to ensure the security of personal data, particularly:
- Use of SSL encryption on the website,
- Access restrictions and password protection measures,
- Regular security backups,
- Data processing agreements with partners,
- Internal data protection protocol.
X. Handling of Data Breaches
The data controller records incidents and notifies the National Authority for Data Protection and Freedom of Information (NAIH) within 72 hours of detection, and if necessary, the data subject as well.
Remedies
If the data subject believes that the processing of their personal data is unlawful, they may exercise the following remedies:
- Submit a complaint to the National Authority for Data Protection and Freedom of Information (NAIH)
- Address: 1055 Budapest, Falk Miksa Street 9-11.
- Email: ugyfelszolgalat@naih.hu
- Initiate court proceedings before the competent court.
XI. Camera Surveillance
The Data Controller operates an electronic surveillance system in guest areas.
Purpose of data processing: property protection, personal and life protection, prevention of violations.
Scope of processed data: image and sound recordings captured by cameras.
Legal basis: GDPR Article 6(1)(f) – legitimate interest of the data controller. The data controller has conducted a legitimate interest assessment.
Storage duration: recordings are retained for up to 7 days, unless required for legal proceedings.
Access: exclusively by the Data Controller’s senior staff, in case of violations, by authorities.
Data transfer: only in case of legal obligation (e.g., police, court).
Information: clearly visible warning signs are placed in areas under camera surveillance.
XIII. Final Provisions
The data controller reserves the right to amend this policy. The amended text will be published on the data controller’s website.