EKI Concept Kft. – MAGDAROSA Resort – PRIVACY POLICY

GENERAL PROVISIONS

EKI Concept Kft., as the operator of the MAGDAROSA Resort (apartment house), ensures the lawfulness and expediency of data processing in all cases with regard to the personal data it processes. The purpose of this information is to provide our guests who book accommodation and provide their personal data with appropriate information about the conditions and guarantees under which our company processes their data and for how long before making a reservation or providing their personal data. Our company adheres to the contents of this information in all cases involving personal data processing, and we consider the provisions of this information to be binding on us. However, we reserve the right to change the provisions of this unilateral legal statement, in which case we will inform the affected parties in advance. If you have any questions about the contents of this notice, please write to us at the eckert.gabor@magdarosaresort.hu e-mail address. The data processing of our company’s activities is based on voluntary consent, and in some cases the data processing is necessary to take steps at the request of the data subject prior to the conclusion of the contract.

Our data processing complies with the relevant legislation, in particular:

➢ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “GDPR”)
➢ The 2011 Act on the Right to Informational Self-Determination and on Freedom of InformationAct CXII of 2008 (“Info. TV.”).

Our company’s data and contact details are as follows:

Name: EKI Concept Limited Liability Company
Headquarters: 7815 Harkány, Táncsics M. u. 50
Company registration number: 02-09-085511
Tax number: 28962191-2-02
Phone number: +36 20 204 6651
E-mail: eckert.gabor@magdarosaresort.hu, recepcio@magdarosaresort.hu

We provide the following information about each of our data processing.

DATA PROCESSING RELATED TO ONLINE ACCOMMODATION BOOKING

Our company offers the opportunity to book accommodation online and by phone in order to book an apartment in MAGDAROSA Resort in a fast, convenient and cost-free way.

Controller of personal data: MAGDAROSA Resort

The purpose of data processing: to facilitate the booking of accommodation, to make it free of charge and more efficient.

Legal basis of data processing: the prior consent of the person booking the accommodation.

Scope of processed personal data: title; surname and first name; address (country, postal code, city, street, house number; telephone number; e-mail address; in the case of a business association, company name and registered office, bank card number, SZÉP card data (identifier, name on the card).

Duration of data processing: two years after the last day of the date of stay according to the booking.

Use of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

Data processor name

Seat

Description of a data processing task

PREVIO s.r.o.

Kolbenova 882/5a,

190 00 Praha 9

Providing the possibility of online accommodation reservations through the Previo system

By accepting this Privacy Policy, the Data Subject expressly consents to the Data Processor using additional data processors in order to make the service more convenient and customized, as follows:

Name of additional data processor	Seat	Description of a data processing task
PREVIO s.r.o.	Kolbenova 882/5a 190 00 Praha 9	In case of using the Previo hotel system, performing customer management tasks Performing server hosting tasksonline booking data, performing server hosting tasks
OTP Mobil Kft.	1093 Budapest, Közraktár u. 30-32.	To carry out the data communication necessary for payment transactions between the merchant and the payment service provider’s system, to provide customer service assistance to users, to confirm transactions and to carry out fraud-monitoring for the protection of users.
OTA (online travel agency)		E.g.: szállás.hu, booking, szallasvadasz.hu, Expedia, HRS – guests can also book on the OTA platform in our apartment house. The booking interface (e.g.: szállás.hu) sends the parameters of the reservation and the guest’s data (name, phone, e-mail address, special request) by e-mail, with the exception of booking.com who does not provide the guest’s direct contact information.
FERLING Kft..	7621 Pécs, Mária utca 8.	Management of related social media platforms, Facebook account management, Facebook advertising, other social media platforms (e.g. Instagram)

Possible consequences of failure to provide data are the following: no contract is concluded for the hotel room.

Rights of the data subject: the data subject (the person whose personal data is processed by us)a) request access to the personal data concerning him/her,b) request their rectification,c) request their deletion,d) request the restriction of the processing of personal data if the conditions set out in Article 18 of the GDPR are met (i.e. that our company does not delete or destroy the data until a court or authority is requested), but not more than thirty days, and beyond that they may not process the data for any other purpose), e) they may object to the processing of their personal data, f) they may exercise their right to data portability. Pursuant to the latter right, the data subject is entitled to receive the personal data concerning him or her in word or excel format, and is also entitled to transmit these data to another data controller at his request.

Other information related to data processing: our company takes all necessary technical and organizational measures to avoid a possible data protection incident (e.g. damage, disappearance of files containing personal data, access to unauthorized persons). In the event of an incident that does occur, we keep a record for the purpose of verifying the necessary measures and informing the data subject, which includes the scope of the personal data concerned, the scope and number of those affected by the personal data breach, the time, circumstances, effects and measures taken to avert the personal data breach, as well as other data specified in the legislation prescribing data processing.

Our company has concluded a data processing contract for the data processing tasks, in which Previo undertakes to apply the data protection and data management guarantees prescribed by the data processing contract in the event of the use of an additional data processor, in view of which we ensure the lawful processing of personal data in the case of the data processor as well.

DATA PROCESSING RELATED TO THE RECORDING OF THE DATA OF THE GUESTS USING THE SERVICE DURING THE CHECK-IN PROCESS

Our company as an apartment house is legally obliged to record the guest’s personal data at the time of hotel guest check-in and forward it to the National Tourism Data Supply Centre’s hosting service provider through accommodation management software.

Controller of personal data: EKI Concept Kft.

Purpose of data processing: pursuant to Section 9/H * (1) of Act CLVI of 2016 on the State Tasks of the Development of Tourism Areas: protection of the rights, safety and property of the data subject and others, as well as monitoring compliance with the provisions on the residence of third-country nationals and persons with the right of free movement and residence

Legal basis of data processing: Section 9/H * (1) of Act CLVI of 2016 on the State Tasks of the Development of Tourism Areas

The scope of the processed personal data is:
a) the first and last name, surname and surname at birth, place and date of birth, gender, nationality and mother’s first and last name of birthb) the personal identification document or travel document of the user of the accommodation service, in the case of a third-country national, the number of the visa or residence permit, the date and place of entry, and c) the address of the accommodation service, the start, expected and actual end date of the use of the accommodation

Duration of data processing: the accommodation provider processes the data of the user of the accommodation service until the last day of the first year following the date of becoming aware of it.

Use of a data processor: in the course of fulfilling the above obligation, our company forwards the mandatory recorded data to the National Tourism Data Supply Centre as a hosting provider through accommodation management software. The activity of the hosting service provider – as the data processor of the accommodation provider – only covers the storage of the data in encrypted form by the provider of the encryption procedure specified in the Government decree and the provision of access to the data by the accommodation provider and the person or body authorised to do so by law through the accommodation provider and the accommodation provider. The hosting provider cannot know the data stored in the storage.

In order to protect law enforcement, crime prevention, public order, public safety, the order of the state border, the rights, safety and property of the data subject and others, and to conduct the wanted procedurea) may search the data stored at the hosting service provider by means of an IT device and, as a result of the search, may obtain information about the accommodation provider with which the person according to the search criteria specified by the host provider is listed as a user, furthermore) – by specifying the purpose of the data request – it may request the forwarding of the data managed by the accommodation provider, which shall be performed free of charge by the accommodation provider.

The hosting service provider is in accordance with Decree No. 235/2019. (X.15.) of the Decree on the Functioning of the Municipality of Szeged.

By accepting this Privacy Policy, the Data Subject gives his/her explicit consent to the Data Processor using additional data processors as follows:

PREVIO s.r.o. (Pobřežní 620/3., 186 00 Praha 8.) operates the accommodation management software supporting the above mandatory data reporting.

Possible consequences of failure to provide data: At check-in, the user of the accommodation service presents the above document to the accommodation provider for the purpose of recording the data. In the absence of presentation of the document, the accommodation provider shall refuse to provide the accommodation service.

DATA PROCESSING RELATED TO NEWSLETTER SUBSCRIPTION

Our company keeps in touch with its guests through newsletters, to whom we recommend its services, and informs them about the news and promotions related to its operation.

Controller of personal data: EKI Concept Kft.

Purpose of data processing: keeping in touch with potential hotel guests

Legal basis for data processing: consent of the data subject – Article 6(1)(a) of the GDPR.

Indication of legitimate interest: maintaining and developing business relationships with partners and hotel guests

Scope of processed personal data: name, e-mail address

Duration of data processing: our company processes e-mail addresses until you unsubscribe from the newsletter.

Use of a data processor: our company uses the help of an IT service provider for the online accommodation system as follows.

Data processor name	Seat	Description of a data processing task
Webglobe, s.r.o.	Vinohradská 190/2405 Praha 3 – Vinohrady +420 603 111 111 info@webglobe.com	Newsletter Database Storage

By accepting this Privacy Policy, the Data Subject expressly consents to the Data Processor using additional data processors in order to make the service more convenient and customized, as follows:

Name of additional data processor	Seat	Description of a data processing task
PREVIO s.r.o.	Kolbenova 882/5a, 190 00 Praha 9	Operation of a newsletter sending system

Possible consequences of failure to provide data: The data subject does not receive newsletters from our company.

You can unsubscribe from the newsletter at any time by sending an e-mail to our company at recepcio@magdarosaresort.hu address or by clicking on the unsubscribe icon in the newsletter. In this case, your email address will be deleted from our database immediately.

COOKIE MANAGEMENT

In order to provide a customized service, the Data Controller places a small data package, a so-called cookie, on the user’s computer and reads it back during a subsequent visit. If the browser returns a previously saved cookie, the provider managing the cookie has the option of linking the user’s current visit with the previous one, but only with regard to its own content.

Purpose of data processing: identification, tracking, distinguishing of users, identification of the users’ current session, storage of the data provided during the session, prevention of data loss, web analytics measurements, personalized service.

Legal basis of data processing: consent of the data subject.

The scope of the processed data: identification number, date, time, and the page previously visited. Duration of data processing: maximum 90 days

Further information on data processing: The user can delete the cookie from his own computer or disable the use of cookies in his browser. Cookies can usually be managed in the Tools/Settings menu of browsers, under the Privacy/History/Custom Settings menu, under the name Cookie, Cookie or Tracking.

Possible consequences of failure to provide data include: the impossibility of using the service with regard to the services described in points 2-6 above.

WEBSITE SERVER LOGGING

When you visit magdarosaresort.hu web page, the web server automatically logs the user’s activity.

Purpose of data processing: during the visit of the website, the service provider records visitor data in order to check the operation of the services and to prevent misuse.

Legal basis for data processing: Article 6(1)(f) of the GDPR. Our company has a legitimate interest in the safe operation of the website.

Type of personal data processed: identification number, date, time, address of the page visited.

Duration of data processing: maximum 90 days.

Possible consequences of failure to provide data: The data subject does not receive newsletters from our company.

COOKIE MANAGEMENT

Legal basis of data processing: consent of the data subject.

The scope of the processed data: identification number, date, time, and the page previously visited. Duration of data processing: maximum 90 days

Possible consequences of failure to provide data include: the impossibility of using the service with regard to the services described in points 2-6 above.

WEBSITE SERVER LOGGING

When you visit magdarosaresort.hu web page, the web server automatically logs the user’s activity.

Purpose of data processing: during the visit of the website, the service provider records visitor data in order to check the operation of the services and to prevent misuse.

Legal basis for data processing: Article 6(1)(f) of the GDPR. Our company has a legitimate interest in the safe operation of the website.

Type of personal data processed: identification number, date, time, address of the page visited.

Duration of data processing: maximum 90 days.

Data processor name	Seat	Description of a data processing task
PREVIO s.r.o.	Kolbenova 882/5a, 190 00 Praha 9	Recording visitor data and information necessary for the operation of the server

Further information: our company does not connect the data generated during the analysis of the log files with any other information, and does not seek to identify the user’s person. The addresses of the visited pages, as well as the date and time data are not suitable for identifying the data subject in themselves, but when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

Data processing by external service providers related to logging:
The html code of the portal contains links from external servers and to external servers that are independent of our company. The server of the external service provider is directly connected to the user’s computer. We would like to draw the attention of our visitors to the fact that the providers of these links are able to collect user data (e.g. IP address, browser, operating system data, mouse cursor movement, address of the visited page and time of visit) due to the direct connection to their server and the direct communication with the user’s browser. An IP address is a series of numbers that can be used to clearly identify the computers and mobile devices of users accessing the Internet. With the help of IP addresses, the visitor using the given computer can even be geographically located. The addresses of the visited pages, as well as the date and time data are not suitable for identifying the data subject in themselves, but when combined with other data (e.g. provided during registration), they are suitable for drawing conclusions about the user.

OTHER DATA PROCESSING

Information on data processing not listed in this information will be provided at the time of data recording. We inform our clients that certain authorities, bodies performing public duties, and courts may contact our company for the purpose of disclosing personal data. Our company discloses personal data to these bodies – if the body concerned has indicated the exact purpose and scope of data – only to the extent that is absolutely necessary for the achievement of the purpose of the request and if the fulfilment of the request is required by law.

METHOD OF STORING PERSONAL DATA, SECURITY OF DATA PROCESSING

Our company’s IT systems and other data storage locations are located at the headquarters and on servers rented by the data processor. Our company selects and operates the IT tools used for the processing of personal data in the course of providing the service in such a way that the processed data:

(a) accessible to authorised persons (availability); b) its authenticity and authentication are ensured (credibility of data processing); c) its unchangedness can be verified (data integrity); d) be protected against unauthorized access (confidentiality of data).

We pay particular attention to the security of data and take the technical and organizational measures and establish the procedural rules necessary to enforce the guarantees under the GDPR. In particular, appropriate measures are taken to protect the data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction, damage and inaccessibility due to changes in the technology used.

The IT system and network of our company and our partners are protected against computer-assisted fraud, computer viruses, computer break-ins and attacks leading to denial of service. The operator ensures security with both server-level and application-level protection procedures. Daily data backup is solved. In order to avoid data protection breaches, our company takes all possible measures, and in the event of such an incident, we take immediate action in order to minimize the risks and avert the damages, in accordance with our incident management policy.

RIGHTS OF DATA SUBJECTS, LEGAL REMEDIES

The data subject may request information about the processing of his or her personal data, and may request the correction of his or her personal data, or – with the exception of mandatory data processing – their deletion or withdrawal, exercise their right to data portability and objection in the manner indicated at the time of recording the data, or at the above contact details of the data controller.

At the request of the data subject, we will provide the information in electronic form without delay, but no later than within 30 days, in accordance with our relevant regulations. Requests from data subjects to fulfil the rights set out below will be complied with free of charge.

Right to information:

We take appropriate measures to provide the data subjects with all the information on the processing of personal data referred to in Articles 13 and 14 of the GDPR and all the information referred to in Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, in a clear and comprehensible manner, but at the same time precisely.

The right to information can be exercised in writing, through the contact details provided in Section 1. Upon request, the data subject may also be informed orally after verifying his or her identity. We inform our clients that if our employees have doubts about the identity of the data subject, we may request the provision of the information necessary to confirm the identity of the data subject.

The data subject’s right of access:

The data subject has the right to receive feedback from the data controller as to whether the processing of his or her personal data is in progress. Where personal data are being processed, the data subject has the right to access the personal data and the following information listed.• Purposes of the processing;• Categories of personal data concerned;• Recipients or categories of recipients to whom the personal data have been or will be disclosed, including, in particular, recipients in third countries (outside the European Union) or international organisations;• Personal data processing the envisaged period for which the data are stored;• the right to rectification, erasure or restriction of processing and the right to object;• the right to lodge a complaint with a supervisory authority;• information on the sources of data; the fact of automated decision-making, including profiling, as well as comprehensible information about the logic used and the significance of such processing and the expected consequences for the data subject.

In addition, in the case of a transfer of personal data to a third country or to an international organisation, the data subject has the right to be informed of the appropriate safeguards for the transfer.

Right to rectification:

Under this right, anyone may request the rectification of inaccurate personal data processed by us and the completion of incomplete data.

Right to erasure:

The data subject has the right to have the personal data concerning him or her erased without undue delay if one of the following reasons applies:

(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws his/her consent constituting the basis of data processing, and there is no other legal basis for data processing; c) the data subject objects to the data processing and there is no overriding legitimate reason for the data processing; d) unlawful processing of personal data can be established; (e) the personal data must be erased in order to comply with a legal obligation imposed on the controller by Union or Member State law; f) the personal data was collected in connection with the provision of information society services.

The deletion of data may not be initiated if the data processing is necessary for the following purposes:a) for the purpose of exercising the right to freedom of expression and information; (b) for compliance with an obligation under Union or Member State law to which the controller is to be processed, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for public health purposes, archiving, scientific and historical research or statistical purposes, in the public interest; d) or for the establishment, exercise or defence of legal claims.

Right to restriction of processing:

At the request of the data subject, we restrict the processing under the conditions of Article 18 of the GDPR, i.e. if:a) the data subject contests the accuracy of the personal data, in which case the restriction applies to the period that allows the verification of the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their usec) the data controller no longer needs the personal data for the purpose of data processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or) the data subject has objected to the processing; In this case, the restriction applies to the period until it is established whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.

Where processing is restricted, personal data may only be processed, with the exception of storage, with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or of a Member State. The data subject must be informed in advance of the lifting of the restriction of data processing.

Right to data portability:

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used, machine-readable format and to transmit these data to another controller. Our company can fulfill such a request of the data subject in word or excel format.

Right to object:

If the processing of personal data is carried out for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him or her for this purpose, including profiling, insofar as it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data may not be processed for this purpose.

Automated decision-making in individual cases, including profiling:

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him/her. The above right shall not be applied if the processing of the data is necessary for the conclusion or performance of a contract between the data subject and the data controller; (b) it is made possible by Union or Member State law applicable to the controller, which also lays down appropriate measures for the protection of the rights and freedoms and legitimate interests of the data subject; or) is based on the explicit consent of the data subject.

Right of withdrawal:

The data subject has the right to withdraw his consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

Rules of procedure:

The data controller shall inform the data subject of the measures taken in response to the request pursuant to Articles 15 to 22 of the GDPR without undue delay, but in any event within one month of receipt of the request. If necessary, taking into account the complexity of the application and the number of applications, this deadline may be extended by a further two months. The data controller shall inform the data subject of the extension of the deadline within one month of receipt of the request, indicating the reasons for the delay.

If the data subject has submitted the application electronically, the information will be provided electronically, unless the data subject requests otherwise.

If the data controller does not take action in response to the data subject’s request, it shall inform the data subject without delay, but no later than one month from the receipt of the request, of the reasons for the failure to take action, and of the fact that the data subject may file a complaint with the supervisory authority and exercise his or her right to judicial remedy.

The controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of processing carried out by the controller, unless this proves impossible or requires a disproportionate effort. At the request of the data subject, the data controller shall inform the data subject about these recipients.

Compensation and grievances:

Any person who has suffered material or non-material damage as a result of a violation of the GDPR is entitled to compensation for the damage suffered from the data controller or data processor. The data processor shall only be liable for the damages caused by the data processing if it has not complied with the obligations set out in the law and specifically incumbent on the data processors, or if it has ignored or acted contrary to the lawful instructions of the data controller. If several controllers or multiple processors, or both the controller and the processor, are involved in the same processing and are liable for any damage caused by the processing, each controller or processor shall be jointly and severally liable for the entire damage.

The data controller or the data processor shall be exempt from liability if it proves that it is not liable in any way for the event causing the damage.

Right of recourse to the court and data protection authority procedure:

In the event of a violation of his or her rights, the data subject may turn to the court against the data controller. The court proceeds in the case out of turn.

Complaints can be filed with the National Authority for Data Protection and Freedom of Information.

Name: National Authority for Data Protection and Freedom of Information (NAIH) • Address: 1055 Budapest, Falk Miksa utca 9-11 • E-mail: ugyfelszolgalat@naih.hu • Phone: +36 (30) 683-5969+36 (30) 549-6838+36 (1) 391 1400

Harkány, 25 July 2025.