Data protection

I. The Data of the Service Provider as Data Controller

(the “Company”, “Data Controller” or “Böczkös kft.”)

Legal Rights of Natural Persons under the GDPR:

The individuals in question are natural persons living anywhere in the EU who are in contact with a controller.

The Company respects the personal rights of its Guests and has therefore prepared the following Privacy Policy (hereinafter referred to as the "Notice"), the latest version of which is available at the headquarters of Böczkös Ltd. in Zsanett Hotel, and on the hotel's website on

The Company, as data controller, declares that in the course of data management it shall act in accordance with the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. In this context, it shall contribute, in full compliance with the applicable legislation in force, to the provision of secure internet access for those concerned.

This Prospectus provides general information on data management in connection with the services provided by the Company. The Company will provide information on any data handling that may not be included in this Prospectus prior to such processing.

Personal data will only be processed by the Company for a predetermined purpose for the time necessary to exercise its rights and fulfill its obligations. The Company handles only such personal data as is necessary for the fulfillment of the purpose of data management and is suitable for the purpose.

The validity of a legal statement containing the consent of a minor under the age of sixteen must be approved or subsequently approved by his or her legal representative.

Personal data obtained by the Company during the course of data management may be disclosed only to persons who have been commissioned by or employed by the Company and who have duties related to such data management.

II. Glossary

 ‘Personal data’ shall mean data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;

"Data management" means any operation or combination of operations, whether automated or not, carried out on personal data or data files, such as collection, recording, systematization, classification, storage, transformation or alteration, retrieval, access, use, communication, transfer, distribution or any other by making available by any means, coordination or interconnection, restriction, deletion or destruction;

"Restriction of data management" means the marking of stored personal data with the aim of limiting their processing in future;

"Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of data processing are determined by Union or Member State law, the controller or the specific criteria for designating the controller may be defined by Union or Member State law;

"Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

"Profiling" shall mean any form of automated processing of personal data used to assess personal aspects relating to a natural person, in particular to analyze or predict characteristics related to work performance, economic situation, health, personal preference, interest, reliability, behavior, whereabouts or movement;

"Pseudonymisation" means the processing of personal data in such a way that it is no longer possible to ascertain, without further information, which specific individual the data relate to, provided that such additional information is stored separately and it is ensured by technical and organizational measures that such personal data cannot be linked to identified or identifiable natural persons;

"Filing system" means a collection of personal data, in whatever form (centralized, decentralized, or organized on a functional or geographical basis), accessible according to specified criteria;

"Recipient" shall mean any natural or legal person, public authority, agency or any other body to whom or to which personal data are disclosed, whether a third party or not. Public authorities which have access to personal data in the framework of an individual investigation in accordance with Union or Member State law shall not be considered as recipients; the processing of such data by such public authorities must comply with the applicable data protection rules in accordance with the purposes of the processing;

"Third party" means any natural or legal person, public authority, agency or any other body which is not the data subject, the controller, the processor or any person authorized to process personal data under the direct control of the controller or processor;

"Consent of the data subject" means the voluntary, explicit and unambiguous expression of the will of the data subject, by which the data subject, by means of a statement or act of unequivocal confirmation, indicates his or her consent to the processing of personal data concerning him or her;

"Data incident" means a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

data subject: any natural person identified or identifiable, directly or indirectly, on the basis of personal data;

special data:

a) personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs or trade-union membership, and personal data concerning sex life;

b) personal data concerning health, pathological addictions, or criminal record;

‘criminal personal data’ shall mean personal data relating to the data subject or that pertain to any prior criminal offense committed by the data subject and that is obtained by organizations authorized to conduct criminal proceedings or investigations or by penal institutions during or prior to criminal proceedings in connection with a crime or criminal proceedings.

‘data of public interest’ shall mean information or data other than personal data, registered in any mode or form, controlled by the body or individual performing state or local government responsibilities, as well as other public tasks defined by legislation, concerning their activities or generated in the course of performing their public tasks, irrespective of the method or format in which it is recorded, its single or collective nature; in particular data concerning the scope of authority, competence, organisational structure, professional activities and the evaluation of such activities covering various aspects thereof, the type of data held and the regulations governing operations, as well as data concerning financial management and concluded contracts;

‘data public on grounds of public interest’ shall mean any data, other than public information, that are prescribed by law to be published, made available or otherwise disclosed for the benefit of the general public;

‘the data subject’s consent’ shall mean any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations;

‘the data subject’s objection’ shall mean a declaration made by the data subject objecting to the processing of their personal data and requesting the termination of data processing, as well as the deletion of the data processed;

 ‘controller’ shall mean natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the processing of data; makes and executes decisions concerning data processing (including the means used) or have it executed by a data processor;

‘data processing’ shall mean any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destroying the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);

‘data transfer’ shall mean ensuring access to the data for a third party;

‘disclosure’ shall mean ensuring open access to the data;

 ‘data deletion’ shall mean making data unrecognisable in a way that it can never again be restored;

‘tagging data’ shall mean marking data with a special ID tag to differentiate it;

‘blocking of data’ shall mean marking data with a special ID tag to indefinitely or definitely restrict its further processing;

‘data destruction’ shall mean complete physical destruction of the data carrier recording the data;

‘data process’ shall mean performing technical tasks in connection with data processing operations, irrespective of the method and means used for executing the operations, as well as the place of execution, provided that the technical task is performed on the data;

‘data processor’ shall mean any natural or legal person or organisation without legal personality processing the data on the grounds of a contract, including contracts concluded pursuant to legislative provisions;

‘data source’ shall mean the body responsible for undertaking the public responsibility which generated the data of public interest that must be disclosed through electronic means, or during the course of operation in which this data was generated;

‘data disseminator’ shall mean the body responsible for undertaking the public responsibility which uploads the data sent by the data source if the data source itself has not published the data;

‘data set’ shall mean all data processed in a single file;

‘third party’ any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor;

‘EEA Member State’ any Member State of the European Union and any State which is party to the Agreement on the European Economic Area, as well as any State the nationals of which enjoy the same legal status as nationals of States which are parties to the Agreement on the European Economic Area, based on an international treaty concluded between the European Union and its Member States and a State which is not party to the Agreement on the European Economic Area;

‘third country’ any State that is not an EEA State.


III.1. Use of hotel services

The management of all data related to the data subject in the provision of services is based on voluntary contributions and is intended to ensure the provision of the service and to maintain contact. Subject to the exceptions contained in the individual sub-clauses, the Personal Data contained in this section will be retained by the Company for a period consistent with applicable tax and accounting regulations and will be deleted after such time.

Additional information is available for each service, which helps to fully understand the Guest's needs, but is not a prerequisite for making a reservation or using other services.

The Guest may also decide to sign up for the newsletter during the use of each service. Data handling related to the newsletter is described in Section III.7.

III.1.1. Reservation / Inquiry

In the case of online, personal (paper based) or telephone bookings, the Company may request the following information from the Guest:

The activities and processes involved in data management are as follows:

A Booking and Request Form is available to the data subject on the Website, where the details specified in Section III.1.1 can be entered and the terms and conditions of booking and cancellation and this Privacy Policy can be accepted. Once the data have been provided and the terms and conditions and the rules have been accepted, the data subject can submit the data to the Data Controller by pressing the "Next" button.

The data sent to the Data Controller will be handled by the Data Controller's employees in an authorized position. The data received will be recorded and an offer will be made to the data subject, which will be sent to him or her by e-mail.

For more information on booking information, please contact

III.1.2. Hotel Application Form

When using the hotel services, the Guest fills in a hotel application form, whereby the Guest agrees that the Company will process the following mandatory information for the purpose of fulfilling its obligations under applicable legislation (including, in particular, the law on tourism and tourism tax) and of identifying the Guest, for as long as the competent authority is able to verify the fulfillment of obligations under applicable law:

The Company is required by law to process the following information from third-country nationals:

Third-country national: Any person, other than a Hungarian national, who is not a national of a Member State of the European Economic Area, including stateless persons.

Member States of the EEA:

The provision of mandatory information by the Guest is a condition of using the hotel service.

By signing the Application Form, the Guest agrees that the Company will process and archive any personal data submitted by completing the Application Form for the purpose of concluding the Contract or proving its fulfillment, within the time limit specified above.

By providing the email address on the Application Form, guests have the opportunity to subscribe to the company newsletter. For further information on the newsletter, Section III.7 shall apply.

The company will send information about the data processed in connection with the notification form to the request sent to

III.2. Loyalty Program

The Company's Customer Loyalty Program is an exclusive service for hotel guests - natural persons - designed to provide discounts for returning guests.

Those who subscribe to the program agree that the Company may process the personal data they provide for the purpose of operating the Company’s Loyalty Program or of sending newsletters specifically designed for Loyal Customers. Based on this consent, the processing of the personal data provided will continue as long as the data subject participates in the program.

If the data subject objects to the data transfer, it will make it impossible for him or her to participate in the program and thus entail his or her deletion from the program.

The personal data of the Member shall be stored by the Company for the period specified in the applicable tax and accounting regulations and shall be deleted after the deadline.

The personal data we manage in the programs are for keeping in touch. In the programs, the Company may manage the following personal information:

In the case of a natural person:

Additional personal information may be required to participate in the programs, in which case the Company will inform the data subject at the same time as the request for information of the purpose, manner and duration of the data management.

The data processed by the Customer Loyalty program will be deleted by the Company upon the Guest's request to

III.3. Guest questionnaire, rating system

The hotel features an online and paper based guest questionnaire and a rating system for guests to express their opinion. When completing the questionnaire, the Guest may provide the following personal information:

However, the Guest is not obliged to give any personal information; it serves only the accurate investigation of any complaints and the Company's response to the Guest.

The Company may also use the opinions received, and any related data provided, which cannot be traced back to the given Guest and cannot be linked to the Guest's name, for statistical purposes.

The provided personal data is stored in a separate data file by the Data Controller, separately from the other data entered. This file is accessible only to authorized employees of the Company.

The Employee shall not transfer any or all of the data to a third party and shall take all precautionary measures to prevent any unauthorized disclosure of such data.

The e-mail address and username provided for the use of the rating system will be deleted by the Company upon the Guest's request to

III.4. Facebook Page

The purpose of data management is to share content from the Zsanett Hotel website. The Facebook page allows the guest to stay informed about the latest promotions.

By clicking on the "like" button on the Company's Facebook page, the person will consent that the Company's news and offers may appear on his/her Newsfeed.

The provisions of Section III.7 apply to the newsletter.

In case of reservation, the Guest will be automatically redirected to the Company's website. Data management is governed by Chapter III.1. above.

The Company will also post pictures / videos on its Facebook Page of various events / hotels / restaurants, swimming pools, etc. The Company will always seek written consent from the data subject prior to publishing the images, except for photographs of crowds.

For information about managing the Facebook page, see the Privacy Policy and Policies on the Facebook page at

III.5. Contact

It is possible for anyone to contact the Company by email. Messages will be handled by the Company until the request / question is resolved / answered, archived, and retained for 5 (Five) years upon completion of the request / question.

III.6. Website visit information

III.6.1. Analytics, cookies

The Company uses an analytical tool to track its websites, which creates a series of data and monitors how visitors use the websites. Cookies are important for the proper functioning of the site. In order to enhance the user experience, the Company uses cookies on its website to remind the user of his / her booking details and to ensure secure booking of rooms, requesting quotes, collecting statistics to optimize the functions of the site and displaying content tailored to the user's interests. When you view a page, a cookie is created to record information about the visit (pages you visit, time spent on our pages, browsing data, exits, etc.), but which is not related to the visitor's identity. This tool helps to improve the ergonomics of the website, to create a user-friendly website and to enhance the online experience of the visitors. The Company does not use analytical systems to collect personal information. Most Internet browsers automatically accept cookies, but visitors have the option to delete them or reject them automatically. Because each browser is different, you can individually set your cookie preferences using the browser toolbar. You may not be able to use certain features on our website if you choose not to accept cookies.

III.7. Newsletter

The Company sends newsletters to natural persons only with the consent of the data subject. By subscribing to the newsletter (on the website, by e-mail or on paper) and providing their name and e-mail address, the data subject consents to the Company sending an electronic newsletter to the e-mail address provided. By providing a home address, the data subject can also consent to receiving relevant advertising material.

Scope of data processed:

The Company shall only send newsletters with the consent of the data subject.

The Company shall store the personal data provided on a separate list, separate from the data provided to the Company for other purposes, and this list shall be accessible only to authorized employees and data processors of the Company. The Company will not forward the list or the data to any unauthorized third party and will take all precautionary measures to prevent unauthorized disclosure.

The purpose of data management related to newsletter sending is to provide the recipient with full general or personalized information about the latest promotions, news, offers, events of the Company.

Data processor for the Zsanett Hotel newsletter:

Data Processor Name: Mailgun Technologies, Inc.

The data processor's address is 535 Mission St., 14th Floor, San Francisco, California 94105

The purpose of processing data on behalf of the Controller is to provide an electronic mailing function for mailing through Mailgun Technologies, Inc. mail servers.

The Controller shall not forward the list or the data to any unauthorized third party, and shall take all precautionary measures to prevent any unauthorized disclosure of such list or information.

The Data Controller shall only process personal data collected for this purpose until the data subject has unsubscribed from the newsletter list.

The person concerned may unsubscribe from the newsletter at any time by sending a cancellation request at the bottom of the emails and to the e-mail address

The Service Provider shall be entitled to the data management indicated above until the User declares in writing that he / she withdraws his / her consent to the management of his / her data.

You can unsubscribe from the feed posted on the Facebook wall by clicking on the “like” link on the page and then clicking the “dislike” link on the page, or by removing unwanted news feeds in the message wall settings.

The Facebook icon can be found on the Data Controller website.

III.8. Gift certificate

The Hotel allows the Guest to purchase gift vouchers of a given value that can be used for services provided by the Hotel.

Ordering and using the gift certificate is voluntary.

Ordering the gift certificate and the scope of data management:

The person concerned can order the voucher of the amount specified by the Hotel personally or by phone at with the following information:

For personal order:

The Data Controller will issue an invoice for the agreed and ordered voucher amount and issue a numbered voucher upon receipt of the sum and deliver it to the specified address.

The Company shall store the personal data provided in a separate data file separately from the other data provided. This data file shall be accessible only to authorized employees of the Data Controller.

The Employee shall not transfer any or all of the data to a third party and shall take all precautionary measures to prevent any unauthorized disclosure of such data.

The Data Controller shall store the data for a period consistent with the applicable tax and accounting regulations and delete such data after such time.

The Data Controller will provide further information about the data management of the Gift Voucher to Deletion from the file can also be requested here.

III.9. Management of job applicant data

Any processing of personal data contained in CVs transmitted to the Company in any form for job search purposes shall be subject to the consent of the data subject. If the data subject explicitly prohibits the processing of such personal data, the company will delete such data.

For further information on job applicants' data managed by the company, please write to

III.10. Guestbook

You can leave a comment in the Guestbook or in the website guestbook with the following details:

The data entered will be stored in a separate data file by the Data Controller, separately from other data entered. This data file shall be accessible only to authorized employees of the Data Controller.

The Employee shall not transfer any or all of the data to a third party and shall take all precautionary measures to prevent any unauthorized disclosure of such data.


The purpose of data management: contact and communication with the stakeholder, marketing, increasing the level of service that fits the profile of the Company, conducting market research and surveying consumer habits.


Legal basis for processing the data: voluntary consent of the data subject, subject to prior notification to the company.


Duration of data processing: 15 business days from the date of termination of the customer relationship, unless it is required to use the rights and obligations arising out of the customer relationship, or upon request by the data subject until his or her data have been deleted


Modifications and deletions of personal data, withdrawal of voluntary consent and requests for information on the management of personal data are possible by sending a notice to


The Company operates the IT environment used for the management of personal data in the provision of the service in such a way that the personal data provided by the data subject are linked only to the data and in the manner specified in these policies, and that such data are accessible only to those for whom access is indispensable for the performance of their duties. Any change to the data shall be recorded with the date of the change.

Inaccurate data will be deleted within 24 hours upon request of the data subject.

Data is backed up.

The Data Controller shall provide the required level of protection in the handling of the data, in particular their storage, rectification and erasure, as well as when the data subject requests information or objects.

Other unidentifiable data which cannot be linked directly or indirectly to the data subject (hereinafter: anonymous data) shall not be considered personal data.


The Zsanett Hotel operated by the Data Controller operates cameras for the personal and financial security of the data subjects and for other purposes. Information boards draw the attention of the data subjects to the operation of these cameras.

Please be advised that Act CXXXIII of 2005 on the rules governing the recording, use and preservation of sound and image recordings and the activities of private investigators, and Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Info tv.), shall apply. The electronic monitoring system is operated on the basis of explicit consent, as detailed below, in order to prevent and detect violations and accidents in the interests of the protection of human life, bodily integrity and property, and for the purposes of clarifying (legal) disputes, investigation, verification, and the investigation of guest complaints and infringements.

Please note that entering premises under camera surveillance with knowledge of this information constitutes explicit consent to data management.

Stakeholders: Any natural person entering or staying in the Hotel's units affected by the surveillance system.

 The range of data handled includes the image, voice, and other personal information of guests appearing on the video and audio recordings.

 The location of the recording is the office of Data Controller at 8648 Balatonkeresztúr Berényi utca 9.

The electronic monitoring system operates 24 hours a day, seven days a week, and the recordings are stored on the server for approx. 10 days.

To ensure the secure management of your personal information, the personal data stored on the server is protected by a personal username and password that identifies who has access to the data and when it was accessed.

Persons entitled to view the camera recordings are the authorized executives of Zsanett Hotel and Böczkös kft.: the managing director of Böczkös Kft. or, in the case of impediment, the respective on-call manager of the hotel.

The camera surveillance and recording system operated by Zsanett Hotel may be accessed by authorized persons only for the purpose of proving violations of human life, physical integrity and property and identifying the perpetrator, as well as for detecting other events or accidents affecting life or physical integrity.

The transfer of data is possible only in the case of ongoing proceedings with regard to unlawful conduct or breach of obligations, to the authorities and courts conducting them.

The data transmitted may include recordings of relevant information by the camera system, as well as the names of the persons who may be included in the recordings.

Please be advised that those whose rights or legitimate interests are affected by the recording of the image and sound recordings may request a copy of the recordings made with them by the electronic monitoring system and may request the deletion of the recordings in accordance with the relevant legal provisions. Furthermore, those whose rights or legitimate interests are affected by the recording of the image and sound may, within 3 working days of the recording of the image and sound, request that Zsanett Hotel not erase or delete the data.

We would also like to inform you that you may request information about the processing of your personal information at any time from Böczkös Kft. You may also request that your personal data be rectified or blocked in accordance with the applicable legal provisions. You may also object to the handling of your personal information.

Please be advised that in the event of a violation of your rights, you may seek legal redress in accordance with the provisions of the applicable law and that anyone may file an inquiry with the National Freedom of Information Authority alleging that there has been or may be an imminent breach of personal data processing.

The cameras focus on the following areas:

Main entrance, courtyard, parking (building A), swimming pool. Camera location: southwest corner of Building "A"

Reception room. Camera location: ceiling corner of the south and east walls

Restaurant, beverage store. Camera location: The northern wall of the restaurant

Kitchen and food warehouse. Camera location: Kitchen corridor

Car park and entrance B, beverage store, vegetable store, staff entrance. Camera location: Northwest corner of Building "B".

Clean clothes warehouse, dirty clothes warehouse, yard. Camera location: no. wooden house roof.

V. Transfer

Data shall be transmitted with the consent of the data subject, without prejudice to his or her interests, on a confidential basis and with a fully compatible IT system, while respecting the purpose, legal basis and principles of the data processing. The Data Controller shall not transfer or make available to any third party the personal data of the data subject without his / her consent, unless required by law.

VI. Rights and remedies

VI.1. Information

The data subject may request information about the management of his / her personal data, as well as request the rectification, deletion or blocking of his / her personal data, except as provided by law, for or for certain data processing activities as stated therein.

Upon the request of the data subject sent to the e-mail address of each chapter or to the name and address of the Company (Böczkös kft. 8648 Balatonkeresztúr Berényi u. 9) within 30 days of the submission , the duration of the data processor, the data processor, if any, the circumstances, the effects of the data protection incident and the measures taken to rectify it, as well as the legal basis, purpose and destination of the data transfer.

VI.2. Correction and deletion

The Data Controller will correct or delete personal data that are inaccurate if:

a. its management is unlawful;

b. the person concerned requests;

c. incomplete or erroneous - which cannot be legally remedied - unless cancellation is excluded by law;

d. the purpose of data management has ceased to exist or the statutory time limit for the storage of data has expired;

e. ordered by a court or the National Data Protection and Freedom of Information Authority.

The Data Controller shall notify the data subject of the rectification and deletion, as well as anyone to whom the data have previously been transmitted for data management purposes. Notification may be dispensed with if this is not contrary to the legitimate interests of the data subject, having regard to the purpose of the processing.

The data subject may object to the processing of their personal data if

a. the processing (transfer) of personal data is necessary only for the enforcement of the rights or legitimate interests of the data controller or the data recipient, except in case of mandatory data processing;

b. the use or communication of personal data is for the purpose of direct marketing, opinion polling or scientific research;

c. otherwise, the right to object is permitted by law.

The Data Controller shall, with the simultaneous suspension of the data processing, examine the objection as soon as possible after filing the application, but within a maximum of 15 working days, and inform the applicant in writing of the result. If the applicant's objection is well founded, the Data Controller shall terminate the data processing, including further data collection and transfer, and shall block the data and inform anyone to whom the personal data subject to the objection have previously been transmitted of the objection and who are required to take action to enforce the right of protest.

If the data subject does not agree with the decision of the Data Controller, or if the Data Controller fails to comply with the time limit, he or she shall have the right to apply to the court within 30 days of its notification.

VI.3. Judicial enforcement

The person concerned may take legal action in the event of a breach of his rights. The court will deal with the matter out of turn. The Data Controller shall prove that the data management complies with the provisions of the law.

If your right to self-determination is violated, you may file a complaint with the National Data Protection and Freedom of Information Authority and the Court of Justice.

VII. Other provisions

The Company assumes no responsibility for the accuracy of the information provided by the visitors of the websites or the Guests.

The Company reserves the right to amend this Prospectus.

This Policy shall enter into force on May 25, 2018.

You can always ask the National Data Protection and Freedom Authority for help with privacy issues:
