Privacy Statement

Content

1. Identity and contact details of the data manager.

2. The legislation underlying the data management.

3. Definitions.

4. Principles of data management.

5. The data managed by Ardelean Tours Kft., purpose, legal basis and duration of the data management.

6. Recipients of personal data and categories of recipients.

7. International transfer of data to third countries.

8. Customer access rights.

9. The client's right to rectification.

10. The client's right to cancellation.

11. The client's right to restrict the data management.

12. the client's right to data portability.

13. Deadline for processing the client's request as an interested party.

14. The right to lodge a complaint.

15. Amendments to this prospectus.

1. Identity and contact details of the data manager

Ardelean Tours Kft. (registered office: 2030 Érd, Jusztina utca 3/A; Trade Register number: 13 09 191057; contact person for privacy issues: Ardeleanné Kavecz Mercédesz; contact person's e-mail address and phone number: , +363029229; hereinafter referred to as [the travel agency]) acts as a data operator for the personal data of current, past and potential customers.

2. The legislation underlying the data management

- Law CXII of 2011, regarding the right to self-determination of the information and freedom of information;

- Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Regulation 95/46/EC (General Data Protection Regulation)

3. Definitions

Data manager: natural or legal person, public authority, agency or any other body that individually or jointly determines the purposes and means of processing personal data; where the purposes and means of data processing are set by the law of the Union or the Member States, the operator or the specific criteria for appointing the data manager may be defined by the law of the Union or the Member States;

Data management: any operation or combination of operations, automated or non-automated, regarding personal data or files, such as collection, recording, systematization, classification, storage, transformation or modification, request, access, use, communication, distribution or making available, otherwise, by coordination or connection, restriction, deletion or destruction;

Data processor: any natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data manager;

GDPR: (EU) REGULATION no. 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC;

Supervisory Authority or NAIH: National Authority for Data Protection and Freedom of Information.

Personal data: any information relating to an identified or identifiable natural person ("interested person"); identifies a natural person who, directly or indirectly, in particular by virtue of one or more factors such as the name, number, position, online identification or physical, physiological, genetic, mental, economic, cultural or social identity of the identified natural person;

Special categories of personal data: personal data that discloses racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic and biometric data designed to uniquely identify individuals, such as personal information regarding the sexual life or sexual orientation of individuals;

Client: Any person who has an interest in the products and services of [the travel agency], on the website, by telephone or in any other way, or who enters into a travel contract with [the travel agency].

4. Principles of data management

[The travel agency] shall take the appropriate measures to ensure that the personal data relating to customers are:

(a) always kept legally and fairly and on an appropriate legal basis (legality, due process and transparency);

(b) collected only for the specified, explicit and legitimate purposes and are not managed in a manner incompatible with those purposes;

(c) adequate and relevant for the purpose of data processing and limited to what is necessary (data saving);

(d) accurate and, if necessary, updated; as far as possible, inaccurate personal data are erased or rectified without delay (accuracy);

(e) stored in a form that allows customers to be identified only for the period necessary to achieve the purposes for which the personal data are processed; the storage of personal data for a longer period of time should be for statistical purposes only, subject to appropriate technical and organizational measures (limited storage);

(f) treated in a manner that ensures the adequate security of personal data, including protection against unauthorized or illegal processing, accidental loss, destruction or damage, through appropriate technical or organizational measures (integrity and confidentiality).

5. Data managed by the travel agency, purpose, legal basis and duration of data management

In order to manage the data listed, the travel agency manages the following personal information about its clients:

1. Questions about services on the web page, personally, by telephone or by other means

(a) name;

Essential data for customer identification

(b) e-mail address (telephone);

Essential data for subsequent access to the client

(c) topic of interest (for example, period, destination, accommodation rating);

Data necessary to clarify the client's interest and to respond in a personalized way, based on the client's own communication.

The legal basis for data management is the consent of the interested party. The data management will last for the period indicated by the person concerned or until the consent is withdrawn.

1. Subscription to the newsletter

(a) name;

Essential data for customer identification

(b) e-mail address (telephone);

Essential data for subsequent access to the client

(c) topic of interest (if applicable);

Data needed to clarify the subject of the newsletter/ other eDM devices according to the client's own communication.

The legal basis for data management is the consent of the interested party. The data management will last for the period indicated by the person concerned or until the consent is withdrawn.

1. Request for a personalized offer

(a) name;

Essential data for customer identification

(b) e-mail address (telephone);

Essential data for subsequent access to the client

(c) topic of interest (for example, period, destination, accommodation rating);

Data necessary to clarify the client's interest and to respond in a personalized way, based on the client's own communication.

The legal basis for data management is the consent of the interested party. The data management will last for the period indicated by the person concerned or until the consent is withdrawn.

1. Signing a travel contract

(a) name;

Essential data for customer identification

(b) e-mail address (telephone);

Essential data for subsequent access to the client

(c) the object of the contract (for example, the period, the destination, the qualification of the accommodation, the number and date of birth of the children, meal requirements, relevant health information);

Definition of the object of the contract.

The legal basis for data management is the execution of the contract and ensuring the settlement of any disputes related to it. The duration of the data management is the execution of the contract plus five years (general period of civil execution).

V. Sale of airplane tickets, as well as other travel tickets

(a) name;

Essential data to identify the client

(b) e-mail address (telephone);

Essential data for subsequent access to the client

(c) the object of the contract (for example, the period, the destination, the qualification of the accommodation, the number and date of birth of the children, meal requirements, relevant health information);

The definition of the contract’s object

The legal basis for data management is the execution of the contract and ensuring the settlement of any disputes related to it. The duration of the data management is the execution of the contract plus five years (general period of civil execution).

1. Creating a profile

(a) the totality of the data processed in relation to the activities carried out in accordance with points I - VI, regarding the respective client

Data needed to identify the client and send personalized offers based on a prior consent.

The legal basis for data management is the explicit consent of the client when creating the profile. The data management will last for the period of time indicated by the person concerned or until the consent is withdrawn.

6. Recipients of personal data and categories of recipients

Ardelean Tours Kft. will generally share, based on the data management, the personal data of the clients with the following third parties:

(a) within the group of companies of the travel agencies, including the parent company and the subsidiaries;

(b) tourism organizations or which are providing customer services (for example, insurance companies, IT service providers, marketing companies);

(c) third parties involved in the execution of the travel contract (hotel, airline, etc.);

(d) the supervisory authority and other regulatory authorities and bodies.

The customers may request personal information about the processing of personal data managed by Ardelean Tours Kft. (purpose, legal basis, data sphere, data transfer, duration of data management, profile creation logic), by contacting:

7. International transfer of data to third countries

The customers' personal data may also be transferred to controllers and data processor located in countries outside the European Economic Area, if this is necessary for the fulfillment of the travel contract or with the express and informed consent of the traveler (art. 49 GDPR).

Prior to the conclusion of the travel contract, [the travel agency] informs the traveler that, regarding a recipient outside the European Union affected by the transfer of passenger data, the transferred data are adequately protected by:

(a) the general data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2) of GDPR;

(b) the general data protection clauses adopted by the supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93 (2) of GDPR;

(c) a code of conduct approved in accordance with Article 40 of GDPR, together with a binding and enforceable commitment by the data manager or third country processor to enforce appropriate safeguards, including the rights of the data subjects; or

(d) a certification mechanism approved in accordance with Article 42 of GDPR, together with a binding and enforceable commitment by the third-country data manager or processor to enforce appropriate safeguards, including in respect of the rights of data subjects. In this context, [the travel agency] will endeavor to adopt contractual data protection clauses approved by the European Commission/NAIH with its third-country partners.

8. Customer access rights

The client will have access to his/her personal information.

If the client requests that Ardelean Tours Kft. provide feedback on the processing or non-processing of the personal information, the travel agency is obliged to provide the necessary information.

The client's right to receive feedback on the management or non-management of the personal information by the travel agency extends to:

(a) personal data relating to the client;

(b) exclusion of anonymous data;

(c) does not cover personal data that are not customer related; and

(d) include any pseudonym information that can be clearly attributed to the client.

[The travel agency] provides, at the request of the requesting client, access to and a copy of his personal data. If the client requests an additional/duplicate copy of his personal data, Ardelean Tours Kft. may charge a reasonable fee for the administrative costs incurred to fulfill the request, which will be borne by the client.

9. The client's right to rectification

The client has the right to correct his personal data. This right:

(a) excludes anonymous data;

(b) includes personal data relating to the client;

(c) does not cover personal data that are not customer related; and

(d) include any pseudonym information that can be clearly attributed to the client.

The travel agency must correct or complete the personal information, at the client's request. The travel agency informs the recipients (if any) of the rectification of the client's personal information. However, Ardelean Tours Kft. will not inform the recipients of the rectification of the personal data if the information of the recipients becomes impossible or disproportionate.

10. The client's right of cancellation

Under certain conditions, the client has the right to delete his/her personal data.

The travel agency will necessarily delete the personal data of the client without undue delay if:

(a) the travel agency processes such personal data and

(b) the client requests the deletion of his/her personal data; and

(c) personal data are not required for the purpose for which the travel agency processes the personal data.

The travel agency will necessarily delete the personal data of the client without undue delay if:

(d) the travel agency manages the personal data of the client and

(e) the client requests the deletion of his/her personal data; and

(f) the client withdraws the consent on which his/her data management is based and

(g) there is no other legal basis for further processing of customer data.

The travel agency will necessarily delete the personal data of the client without undue delay if:

(h) the processing is necessary for the legitimate interest of the travel agency or a third party;

(i) the client opposes the handling of personal data by the travel agency and

(j) the legitimate reason for the processing of this personal data has no priority over the client's objection.

The travel agency will necessarily delete the personal data of the client without undue delay if:

(k) the client requests the deletion of his/her personal data; and

(l) the management of such data by the company is not unlawful, or

(m) the cancellation is compulsory in accordance with the applicable law, or

(n) the customer information is collected for the services of the information society.

Ardelean Tours Kft. will inform the recipients of the deletion of the client's personal information regarding this personal data (if any). However, the travel agency will not inform the recipients of the deletion of personal data if this is impossible or the information of the recipients requires a disproportionate effort.

11. The client's right to restrict the data management

The client may request restrictions regarding the management of his personal data.

The right of the client to request a restriction regarding the management of his personal data:

(a) excludes anonymous data;

(b) includes personal data relating to the client;

(c) does not cover personal data that are not customer related; and

(d) include any pseudonym information that can be clearly attributed to the client.

The travel agency restricts the processing of the personal data of a client for a period in which it verifies the accuracy of these data if the client requests a restriction on the processing of his personal data and if the client questions the accuracy of these data.

The travel agency restricts the processing of the personal data of a client if the client requests a restriction on the processing of the data that is illegal and the customer opposes the deletion of this data.

Ardelean Tours Kft. restricts the processing of the client's personal information if:

(a) the client requests a restriction on the processing of his/her personal data, and

(b) the travel agency no longer needs this information for data processing purposes, and

(c) the client requests his/her data for the purpose of filing, executing or defending a legal claim.

Ardelean Tours Kft. restricts the processing of the client's personal information if:

(a) the client opposes the processing of personal data necessary for the legitimate interest of the travel agency, and

(b) the client waits to be confirmed that there is a legitimate reason for the processing of the personal data by the travel agency, which has no priority over the client's objection.

Ardelean Tours Kft. informs the recipients of this personal data (if any) of any restrictions regarding the processing of the client's personal information. However, [the travel agency] will not inform the recipients of such a limitation if this is impossible or informing the recipients requires a disproportionate effort.

If the travel agency restricts the processing of the client's personal information, then:

(a) may store these personal information,

(b) may handle such personal data, with the client's agreement,

(c) may process personal data to propose, affirm or defend a legal claim or to defend the rights of a person.

Ardelean Tours Kft. cannot use customer data for direct marketing purposes, including profile creation or automatic decision making on individual issues.

12. The client's right to data portability

The client has the right to receive data regarding his/her person, which he/she has made available to a data manager, in a structured format, widely used, which can be read automatically and has the right to transfer these data to another data manager, without hindering (where technically possible) the data manager to whom the personal data have been made available, if such processing is based on consent or is necessary for the fulfillment of a contract and is carried out automatically.

The client's right to data portability:

(a) excludes anonymous data;

(b) includes personal data relating to the client;

(c) does not cover personal data that are not customer related; and

(d) does not include pseudonym data that are clearly attributable to the client.

13. The deadline for managing the client's request as an interested party

Ardelean Tours Kft. will respond to the client's requests for the rights mentioned above, in the following terms.

Requesting the data subject

Term

The right to information

when the data is collected (if provided by the data subject) or within one month (if not provided by the data subject)

The right of access

one month

The right to rectification

one month

The right to delete

without undue delay

The right to restrict data management

without undue delay

The right to data portability

one month

The right to object

when the objection is received

14. The right to lodge a complaint

If the client considers that his/her rights have been violated, the travel agency recommends that the client initiate a consultation with the data manager so that he/she can directly contact the contact person above. If such a consultation fails or the person concerned does not wish to participate in such an activity, he/she can address the Courts or the NAIH. If the judicial proceedings are initiated, the data subject may decide to bring the proceedings before the competent court of his domicile or residence.

The contact details of the NAIH are as follows: 1125 Budapest, Szilágyi Erzsébet fasor 22/C; telephone: +36 1 391 1400; fax: +36 1 391 1410; e-mail: ; web page: www.naih.hu.

15. Amendments to this prospectus

Ardelean Tours Kft. reserves the right to change these information at any time. The travel agency shall inform the clients of these changes, as the case may be, by letter or e-mail and, in any case, in accordance with the applicable law.