Privacy Policy

Hotel Orion Budapest

1) Regarding quotations and bookings, invoicing, and guest management records.

This information notice informs the guest about the personal data processed during quotations, their preparation, bookings, and invoicing, based on Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

The data controller and its contact details:

2) Processing of the data of the data subject:

2.1. The scope of data subjects.

The data controller processes the personal data of the following natural persons (hereinafter: Guests) during the quotation process.

2.2. Categories of personal data processed.

The Data Controller processes the following personal data of the Data Subject during the quotation process:

  • first name and surname
  • e-mail address
  • phone number
  • age
  • nationality
  • address
  • identification document number
  • service requirements

The personal data processed is provided to the Data Controller by the guest via telephone, e-mail, in person, or in writing (contract, registration form). The Data Controller obtains the processed data from additional sources: travel agencies, booking systems.

2.3. Purpose and legal basis of data processing.

2.3.1. For the purpose of preparing, concluding, and fulfilling the contract for accommodation and related services.

In order to provide the services under the Contract, the processing of personal data related to the room reservation is carried out in order to:

  • enable the Data Controller to verify the performance of this contractual obligation,
  • analyze personal data to determine the amount of remuneration,
  • identify the guest based on personal data,
  • ensure contact,
  • monitor for marketing purposes.

The duration of this data processing is the same as the duration of the preparation of the Contract, or, if it is concluded, the duration of the Contract.

Given that the Data Controller cannot prepare, conclude, and fulfill the contract without the provision of the above personal data, the Guest is obliged to provide the personal data to the Data Controller. In the event of failure to provide data, the data controller is entitled to refuse to conclude a contract with the guest or to perform the Contract. In the event of failure to conclude a contract or termination of the Contract, the Data Controller does not delete the personal data, but retains it for the purpose and legal basis specified in point 2.3.5. An exception is made for data that is not required later for the purpose specified in point 2.3.5 and is deleted upon failure to conclude the contract or termination of the contractual relationship.

2.3.2. Fulfillment of legal obligation

The Data Controller processes the Guests’ data for the purpose of fulfilling the following legal obligations:

  • maintaining a guest book with the data of third-country nationals staying at the accommodation, pursuant to Section 73 (2) of Act II of 2007 on the entry and residence of third-country nationals
  • local municipal tourism tax decree
  • Section 169 (2) of Act C of 2000 on accounting, which states that “accounting documents directly and indirectly supporting accounting (including general ledger accounts, analytical and detailed records) must be kept in legible form for at least 8 years, in a manner that is retrievable based on references to accounting records.”

2.3.3. Legitimate interest of the Data Controller and third parties

The hotel operates a camera system at its entrance for the following purpose: The Data Controller has a legitimate interest in ensuring personal and property protection in the premises open to Guests.
Legal basis: Act CXXXIII of 2005.

Exact location of cameras:

  • hotel entrance

Retention of recordings: 3 days after recording.

2.3.4. Consent of Guests

The processing of personal data is based on the consent of the Guests, which is voluntary, specific, and based on informed and unambiguous expression of will. The consent is given by the Guest separately from other declarations in the quotation or contract for the provision of accommodation, catering, and other services. Consent is voluntary. The Guest is entitled to withdraw their consent at any time, without restriction, by notifying the Data Controller. The notification may be sent by the Guest to the contact address specified in point 1 of the Information Notice. The withdrawal of consent does not have any consequences for the Guest. However, the withdrawal of consent does not affect the lawfulness of the data processing carried out on the basis of consent prior to the withdrawal, as stipulated in the legal regulations.

2.3.5. Submission, enforcement, and protection of legal claims arising from the Contract

The Data Controller stores the Buyer’s personal data, which has not been deleted following the failure to conclude the contract or the termination of the Contract, as defined in point 2.3.6., for five years following the failure to conclude the contract or the termination of the Contract, in accordance with the general limitation rules of Act V of 2013 on the Civil Code.

3) Recipients of personal data

The Data Controller forwards the Guests’ personal data to the following organizations:

  • Orion Hotel Kft. server management support host
  • Immigration Office data processor
  • Previo Kft. hotel integrated IT system support host

4) Rights of the Guest

4.1. Right of access

The Guest is entitled to receive feedback from the Data Controller as to whether their personal data is being processed, and if such data processing is in progress, they are entitled to access the personal data and the following information:

  • 4.1.1. the purpose of the data processing in relation to the given personal data,
  • 4.1.2. the categories of personal data concerned,
  • 4.1.3. the categories of recipients to whom the Guest’s personal data have been or will be disclosed,
  • 4.1.4. the planned duration of the storage of the personal data concerned, or, if this is not possible, the criteria for determining this duration,
  • 4.1.5. the rights of the Guest, such as the right to rectification, erasure, or restriction, the right to data portability, and the right to object to the processing of such personal data,
  • 4.1.6. the right to lodge a complaint with a supervisory authority,
  • 4.1.7. If the Data Subject has submitted the request electronically, the requested information must be provided in a widely used electronic format, unless the Guest requests otherwise.

The Data Controller may request the Guest to clarify the content of the request and to specify the requested information or data processing activities before fulfilling the request. If the Guest’s right of access under this point adversely affects the rights and freedoms of others, in particular the business secrets or intellectual property of others, the Data Controller is entitled to refuse to fulfill the Guest’s request to the extent necessary and proportionate. In the event that the Guest requests the above information in multiple copies, the Data Controller is entitled to charge a reasonable fee proportionate to the administrative costs of preparing the additional copies. If the Data Controller does not process the personal data specified by the Guest, it is also obliged to inform the Guest in writing.

4.2. Right to rectification

The guest has the right to request the rectification of personal data concerning them. If the personal data concerning the Guest is incomplete, the Guest is entitled to request the completion of the personal data. When exercising the right to rectification / completion, the data subject is obliged to indicate which data are inaccurate or incomplete, and is also obliged to inform the Data Controller of the accurate, complete data. The data controller is entitled, in justified cases, to draw the Guest’s attention to the fact that the corrected data must be duly proven to the Data Controller – primarily by means of a document.

4.3. Right to erasure (“right to be forgotten”)

The Guest is entitled to initiate that the Data Controller erase the personal data concerning them without undue delay if one of the following reasons exists:

  • 4.3.1. the personal data specified by the Guest is no longer necessary for the purpose for which the Data Controller collected or otherwise processed it,
  • 4.3.2. the Data Controller processed the personal data on the basis of the Guest’s consent, the Guest has withdrawn their consent in writing, and there is no other legal basis for the data processing,
  • 4.3.3. the Guest objects to the data processing based on the Data Controller’s legitimate interest, and there is no compelling legitimate reason for the Data Controller that takes precedence over the Guest’s interests, rights, and freedoms, or that relates to the submission, enforcement, or protection of legal claims,
  • 4.3.4. the Data Controller has unlawfully processed the personal data,
  • 4.3.5. the data processed by the Data Controller must be erased in order to fulfill a legal obligation prescribed in Union or national law applicable to the Data Controller,
  • 4.3.6. the Guest objects to the data processing and there is no overriding reason for the data processing.

The Guest is obliged to submit their request for erasure in writing and is obliged to indicate which personal data they wish to have erased and for what reason. Following the fulfillment of the Guest’s request to exercise their right to erasure, the Data Controller shall immediately inform the Guest, the other Data Controllers, and the persons with whom the personal data has been disclosed, provided that this is not impossible or does not require disproportionate effort from the Data Controller. At the Guest’s request, the Data Controller shall inform them of these recipients.

The Data Controller is not obliged to erase personal data if the data processing is necessary:

  • 4.3.7. to fulfill an obligation to process personal data imposed on the Data Controller by Hungarian or European Union law,
  • 4.3.8. for the submission, enforcement, or protection of legal claims.

4.4. Right to restriction of processing

The Guest is entitled to initiate that the data controller restrict the processing and use of personal data concerning them if one of the following reasons exists:

  • 4.4.1. the Guest disputes the accuracy of the personal data, in which case the restriction lasts until the Data Controller verifies the accuracy of the data,
  • 4.4.2. the Data Controller has unlawfully processed the personal data, but the Guest has requested restriction instead of erasure,
  • 4.4.3. the purpose of the data processing has ceased for the Data Controller, but the Guest requires them for the submission and enforcement of legal claims,
  • 4.4.4. the Guest objects to the data processing based on the Data Controller’s legitimate interest, and there is no compelling legitimate reason for the data controller that takes precedence over the Guest’s interests, rights, and freedoms, or that relates to the submission, enforcement, or protection of legal claims. In this case, the restriction remains in effect until it is established that the data controller’s legitimate grounds take precedence over the Guest’s legitimate grounds.

In the event of restriction, personal data may be processed, with the exception of storage, only with the Guest’s consent or for the submission, enforcement, or protection of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest of the Union or of a Member State of the European Union. The Data Controller shall inform the Guest in advance about the lifting of the restriction on data processing.

4.5. Right to object

If the processing of the guest’s data by the Data Controller is based on a legitimate interest, it is an important guarantee provision that the Guest must be provided with adequate information and the enforcement of the right to object in connection with the data processing. Attention must be drawn to this right specifically during the first contact with the Guest. Following the Guest’s objection, the Data Controller may no longer process the Guest’s personal data, unless it can be proven that:

  • 4.5.1. the data processing is justified by compelling legitimate reasons on the part of the Data Controller that take precedence over the Guest’s interests, rights, and freedoms,
  • 4.5.2. the data processing is related to the submission, enforcement, or protection of the Data Controller’s legal claims.

The Guest is entitled to object to the processing of their personal data for this purpose in the case of direct marketing (direct marketing) carried out by the Data Controller. In contrast to other data processing based on legitimate interest, the Data Controller is not in a position to consider whether it can continue the data processing even if the Guest objects. If the Guest objects to the data processing for direct marketing purposes, the Data Controller may no longer process the data for this purpose.

4.6. Right to data portability

The Guest is entitled to receive the personal data concerning them, which is processed by the Data Controller, in a structured, widely used, machine-readable format, and is also entitled to transmit this data to another data controller without being hindered by the Data Controller. In the context of data portability, the Data Controller is obliged to provide the data carrier to the Guest free of charge. The measure taken in the context of data portability does not mean the deletion of the data, the Data Controller keeps them on record as long as it has a suitable purpose and legal basis.

4.7. Right to legal remedy

4.7.1. Right to lodge a complaint

If the Guest considers that the processing of their personal data by the Data Controller violates the provisions of the data protection laws in force at all times, in particular the GDPR, they have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information.

Contact details:

4.7.2. Right to appeal to the court

Regardless of their right to lodge a complaint, the Guest may appeal to the court if their rights under the GDPR have been violated during the processing of their personal data. A lawsuit can be initiated against the Data Controller, as a data controller with a domestic place of business, before a Hungarian court. According to Section 22 (1) of the current Info Act, a lawsuit can also be initiated before the court of the place of residence.

4.7.3. Other means of enforcing claims

The Guest has the right to entrust a non-profit organization or association, which has been established in accordance with the law of a European Union Member State and whose statutory objectives are to serve the public interest and to protect the rights and freedoms of data subjects, with the judicial review of the supervisory authority’s decision, the initiation of a lawsuit, and the enforcement of their right to compensation in their name.

The Data Controller reserves the right to modify the Information Notice at any time. The Data Subjects will be notified of the modification by publication on the website.

RESERVATION+ Booking Engine online booking and quotation system

Previo Booking Engine online booking system

1. Online booking
Name of data processing activity: Online booking
Name of the data controller: Orion Hotel Kft.
Contact details of the data controller: Registered office: 1023 Budapest, Bécsi út 3-5.
Purpose of data processing: Simplifying the room booking process, making online booking smooth and convenient.
Legal basis of data processing: The express and voluntary, prior consent of the person initiating the online booking.
Name of personal data processed: Personal data of the person booking as follows:

  • name
  • e-mail address
  • phone number
  • address (country, postal code, city, street, house number)
  • IP address (online identifier)
Intended duration of personal data processing: Until the withdrawal of consent.
Necessity of personal data provided by the data subject: The online room booking process initiated by the data subject, or the completion of the transaction in the case of online payment.
Is it necessary to use data processors for the data processing activity: Yes
Name, address and purpose of processing of data processors:
    • Previo.hu Kft. (1119 Budapest, Petzvál József u. 4/A)
      Providing and operating the hotel’s online booking and gift voucher sales module, storing incoming bookings and data in a closed, cloud-based system, and confirming bookings.
2. Online gift voucher order
Name of data processing activity: Online gift voucher order
Name of the data controller: Orion Hotel Kft.
Contact details of the data controller: 1023 Budapest, Bécsi út 3-5.
Purpose of data processing: Simplifying and making the online gift voucher ordering process more convenient.
Legal basis of data processing: The express and voluntary, prior consent of the person initiating online payment in the online gift voucher ordering process.
Name of personal data processed: Personal data processed for gift voucher ordering as follows:

  • buyer’s name
  • buyer’s e-mail address
  • buyer’s phone number
  • buyer’s mailing address (country, postal code, city, street, house number)
  • buyer’s billing address (country, postal code, city, street, house number)
  • buyer’s IP address (online identifier)
  • name(s) of the recipient(s)
Intended duration of personal data processing: Until the withdrawal of consent.
Necessity of personal data provided by the data subject: The possibility of a simple, convenient realization of the gift voucher ordering process initiated by the data subject.
Is it necessary to use data processors for the data processing activity: Yes
Name, address and purpose of processing of data processors:
    • Previo.hu Kft. (1119 Budapest, Petzvál József u. 4/A)
      Providing and operating the hotel’s online booking and gift voucher sales module, storing incoming bookings and data in a closed, cloud-based system, and confirming bookings.
3. General information and Data Subject rights
Recipients of data: The company; the company’s employees; agents for the purpose of fulfilling the contract – including the enforcement of claims arising from the contract.
Data transfer to a third country or international organization: YES
Automated decision-making / profiling: NONE
The rights of the data subject: The data subject may request from the data controller access to, rectification, erasure or restriction of processing of personal data concerning them, object to the processing of such personal data, and has the right to data portability. In the case of consent-based data processing, the right to withdraw consent at any time, which does not affect the lawfulness of the data processing carried out on the basis of consent prior to withdrawal.
Possible consequences of failure to provide data: The data subject cannot use the service provided by the company.
Complaint to the supervisory authority: Can be submitted as set out in the Data Management Information and Data Management Policy. You can contact the Data Controller with any questions, comments, or problems related to data management at the contact details provided above. In the event of a violation of the data subject’s rights, they may appeal to the court.

The data subject may also contact the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11; phone: +36-1-391-1400; e-mail: ugyfelszolgalat@naih.hu; website: www.naih.hu) directly with their complaint regarding data management.

 

Budapest, February 1, 2026
Orion Hotel Kft.