Privacy Policy
1. Purpose of the Policy
The purpose of this Data Protection Policy is to introduce and consistently apply measures that ensure the accurate and secure processing of the personal data of Employees (hereinafter: Data Subjects), in compliance with the applicable European Union and Member State data protection regulations, uniformly implemented at the level of Hotel BasiliQ (hereinafter: the Company).
At the same time, this Data Protection Policy provides concise, transparent, and easily accessible information for the Data Subjects regarding access to their personal data processed by the Company, and sets out and provides information on the rules applied by the Company to ensure the rights of the Data Subjects.
2. Scope of the Policy
Personal scope
The scope of this Policy extends to the Company and to those natural persons to whom its data processing activities relate. The data processing activities set out in this Policy concern the personal data of natural persons. The scope of the Policy does not extend to the processing of personal data relating to legal persons, nor in particular to undertakings established as legal persons, including the name and legal form of the legal person and data relating to the contact details of the legal person. Legal persons include associations, business entities, cooperatives, alliances, and foundations.
Temporal scope
The temporal scope of this Policy shall apply from the date of its adoption until further notice or until the date of withdrawal of the Policy.
3. Principles of Data Processing
Prior to commencing the processing of personal data, it must in all cases be carefully assessed whether such processing is genuinely necessary. The processing of personal data may only be commenced if it can be unequivocally justified that the purpose of the data processing cannot be achieved by other means.
The Company is obliged to process the personal data of the Data Subjects lawfully, fairly, and in a transparent manner. No person shall suffer any disadvantage as a result of having initiated a procedure, legal remedy, or complaint with the Company or with another authority specified in this Policy, or as a result of having refused or withdrawn consent in the case of consent-based data processing.
The collection of the personal data of the Data Subjects may only take place for specified, explicit, and lawful purposes. The Company is obliged to avoid from the outset, or subsequently terminate, any data processing that is carried out in a manner incompatible with the purpose relating to the given personal data. The Company is entitled to process personal data only to the extent necessary and is obliged to delete any personal data for which the purpose of the data processing has ceased or for which the legal basis of the data processing cannot be substantiated.
The Company is obliged to introduce control mechanisms that are suitable to ensure, both preventively and subsequently as a filtering measure, that
- personal data comply with the purposes of the data processing already at the time of collection and throughout the entire duration of the data processing, and
- the extent of the data processing is limited to what is necessary with regard to both the scope of the data and the duration of the processing.
The personal data processed by the Company must be accurate and kept up to date. The Company is obliged to take all reasonable measures to ensure that accurate personal data are processed, including that
- personal data that are unnecessary for the purposes of the data processing or that become unnecessary over time are deleted without delay;
- inaccurate personal data are rectified or erased.
Personal data must be stored in a form that permits the identification of the Data Subjects only for the period necessary to achieve the purposes of the processing of the personal data.
The processing of personal data must be carried out in such a manner that, through the application of appropriate technical or organisational measures, the appropriate level of security of personal data is ensured, including all steps that serve to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
4. Lawfulness of Data Processing
The correct determination of the legal basis for data processing and the fulfilment of the additional conditions relating to the selected legal basis are prerequisites for lawful data processing. Accordingly, the requirement of lawfulness, in a narrower sense, presupposes the existence of an appropriate legal basis for data processing, while in a broader sense it means that personal data may only be processed in compliance with the legislation applicable to the given legal basis for data processing.
In light of the activities carried out by the Company, with regard to the personal data of the Data Subjects, the Company may choose from the following main legal bases, depending on the nature and circumstances of the data processing. The main legal bases listed in the first subsection apply to all personal data except for special categories of personal data, while the second subsection sets out specific provisions relating to the legal bases applicable to special categories of personal data.
4.1 Personal data, excluding special categories of data
The Company may process the personal data of the Data Subject – excluding special categories of data – in particular on the following legal bases:
- Consent:
The Data Subject may give consent to the processing of their personal data, provided that the voluntary nature of the consent can be demonstrated. Where, in connection with information society services offered directly to children under the age of 16, the Company processes the personal data of a child under the age of 16, as a general rule the processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. The Data Subject provides their consent on a voluntary basis and is entitled to withdraw it at any time. The withdrawal of consent shall not affect the lawfulness of processing carried out prior to the withdrawal.
- Preparation of a contract and/or performance of a contract:
This legal basis may be applied in the case of data processing necessary for the performance of a contract (e.g. a contract for the provision of services, an employment contract, a study contract) to which the Data Subject is a party, or where the processing is necessary in order to take steps at the request of the Data Subject prior to entering into a contract.
- Compliance with a legal obligation:
Data processing required by European Union or national law.
- Legitimate interest:
This includes data processing necessary for the purposes of the legitimate interests pursued by the Company or by a third party. The legitimate interest of the Company or of a third party is set out in the data protection notice relating to the specific purpose of the data processing.
- [Other legal bases specific to the given data processing purpose may include: the vital interests of the Data Subject or of another natural person, processing carried out in the public interest, or processing related to the performance of a task carried out in the exercise of official authority vested in the Company.]
If the Company collects the data directly from the Data Subject and the Data Subject does not provide the data processed on the legal bases listed above, a possible consequence of the failure to provide the data may be the refusal of, or the impossibility of, the preparation or performance of a contract (e.g. the failure to establish an employment relationship). If the Data Subject fails to provide only part of the required data, it must be assessed on the basis of the incomplete data provided whether the failure to supply the data may result in, for example, the impossibility of concluding or maintaining the contract. In the case of data processing based on a contract, the Company may apply the legal consequences of such impossibility only if it demonstrates that, without the data provided, it is unable to perform the contract concerned.
4.2 Special categories of data
Due to the fundamental rights and freedoms afforded to natural persons, special categories of data are, by their nature, sensitive and high-risk data that require enhanced protection. The Company may process the special categories of data of the Data Subject – including, in particular, health data – especially for the following purposes and on the following legal bases:
- Article 9(2)(a) GDPR:
The Data Subject may give consent to the processing of their personal data, provided that the voluntary nature of the consent can be demonstrated. The Data Subject provides their consent on a voluntary basis and is entitled to withdraw it at any time. The withdrawal of consent shall not affect the lawfulness of processing carried out prior to the withdrawal.
- Article 9(2)(b) GDPR:
For example, where authorised by Union or Member State law, or by a collective agreement pursuant to Member State law, the Company may carry out data processing for the purposes of fulfilling its obligations and exercising its specific rights in the field of employment, social security, and social protection law.
- Article 9(2)(f) GDPR:
This legal basis may be applied where the processing of special categories of data is necessary for the establishment, exercise, or defence of legal claims.
5. The Company’s Information Obligations and Measures
The Company is obliged to provide the Data Subject with certain information in a concise, transparent, and easily accessible form, clearly and understandably, and to inform the Data Subject of their rights. Furthermore, upon request of the Data Subject, the Company may take measures in accordance with certain procedural rules.
5.1 Data Protection Information
Depending on whether the Company collects personal data directly from the Data Subject or not, it is obliged to provide the Data Subject with certain information regarding the data processing. The common and specific rules of such data protection information are summarized in the following subsections.
5.1.1 Common rules
Under its information obligations, the Company is required to inform the Data Subject about:
- The identity and contact details of the Company and, where applicable, the Company’s representative;
- The purposes for which the personal data are intended to be processed and the legal basis for the processing;
- In the case of processing based on Article 6(1)(f) GDPR, the legitimate interests of the Company or a third party;
- Where applicable, the recipients or categories of recipients of the personal data, if any;
- Where applicable, the fact that the Company intends to transfer personal data to a third country or an international organisation, and the existence or absence of an adequacy decision by the European Commission, or in the case of transfers pursuant to Articles 46, 47, or the second subparagraph of Article 49(1) GDPR, the appropriate or suitable safeguards, as well as the means to obtain a copy of or access to such safeguards;
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- The Data Subject’s right to request access to, rectification, deletion, or restriction of processing of their personal data, and to object to such processing, as well as the right to data portability;
- In the case of processing based on Article 6(1)(a) or Article 9(2)(a) GDPR, the right to withdraw consent at any time, which does not affect the lawfulness of processing carried out prior to withdrawal;
- The right to lodge a complaint with the supervisory authority;
- The existence of automated decision-making, including profiling, referred to in Articles 22(1) and (4) GDPR, and, at least in such cases, meaningful information about the logic involved and the significance and expected consequences of such processing for the Data Subject.
5.1.2 Information to be provided when data are collected from the Data Subject
Where the Company collects personal data from the Data Subject, in addition to the above, it is obliged to inform the Data Subject whether the provision of personal data is required by law or by a contract, or is a prerequisite for entering into a contract, and whether the Data Subject is obliged to provide the personal data, as well as the possible consequences of failing to provide such data.
This information must be provided at the time the personal data are obtained. However, if the Data Subject already has the above information, there is no need to provide it again.
5.1.3 Information to be provided when data are not collected from the Data Subject
Where the Company does not collect personal data from the Data Subject, in addition to the above, it is obliged to inform the Data Subject of the categories of personal data concerned, the source of the personal data, and, where applicable, whether the data originate from publicly accessible sources.
The Company must provide this information:
- Within a reasonable period after obtaining the personal data, taking into account the specific circumstances of the processing, but no later than one month;
- If the personal data are to be used for communication with the Data Subject, at the latest on the first contact with the Data Subject; or
- If the data are expected to be disclosed to another recipient, at the latest when the personal data are first disclosed.
It is not necessary to provide the above information if:
- The Data Subject already has the information;
- Providing the information proves impossible or would require a disproportionate effort, in particular for purposes of public interest archiving, scientific or historical research, or statistical purposes, provided the conditions and safeguards in Article 89(1) GDPR are observed, or if compliance with the obligation mentioned in paragraph 1 of this Article is likely to render the processing impossible or seriously impair the achievement of its objectives. In such cases, the data controller must take appropriate measures, including making the information publicly available, to protect the rights, freedoms, and legitimate interests of the Data Subject;
- The provision or disclosure of the data is expressly required by Union or Member State law applicable to the data controller, which also provides for appropriate safeguards for the protection of the Data Subject’s legitimate interests; or
- Personal data must remain confidential under professional secrecy obligations provided for by Union or Member State law, including statutory secrecy obligations.
5.2 Persons entitled to access the data
Personal data may be accessed by employees of the Company with access rights linked to the relevant data processing purpose, as well as by individuals or organisations performing data processing activities for the Company under service contracts, within the scope and to the extent necessary to perform their activities.
5.3 Rights of the Data Subject
The Data Subject may request from the Company access to their personal data, rectification, erasure, or restriction of processing, and may object to such processing. The Data Subject is also entitled to the right to data portability, the right to legal remedy, and, in individual cases, the right to decisions based on automated processing, including profiling.
The Company is obliged to provide information regarding certain Data Subject rights as part of the information referred to in section 5.1.
5.4 Procedural rules
In fulfilling its information obligations and taking measures as described above, the Company must act in accordance with the provisions set out therein. Beyond the specific rules established above, the Company shall act in compliance with the following provisions.
6. Restrictions
Union or Member State law applicable to the data controller or processor may, by legislative measures, restrict the scope of the rights and obligations set out in Article 5 in relation to the provisions and the rights and obligations specified in Articles 12–22 and Article 34, provided that such restriction respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for the protection of:
- national security;
- defense;
- public security;
- the prevention, investigation, detection, or prosecution of criminal offences, or the execution of criminal sanctions, including the protection against and prevention of threats to public security;
- other important objectives of general public interest of the Union or a Member State, in particular important economic or financial interests of the Union or a Member State, including monetary, budgetary, and taxation issues, public health, and social security;
- the independence of the judiciary and the protection of judicial procedures;
- in the case of regulated professions, the prevention, investigation, detection of ethical breaches and the conduct of related procedures;
- in the cases referred to in points (a)–(e) and (g), inspection, investigation, or regulatory activities related to the exercise of official authority, whether on a one-off or ongoing basis;
- the protection of the Data Subject or the rights and freedoms of others;
- the establishment, exercise, or defense of civil law claims.
The legislative measures referred to in paragraph (1) shall, where applicable, lay down detailed provisions at least on:
- the purposes of the processing or the categories of processing;
- the categories of personal data;
- the scope of the restrictions introduced;
- safeguards to prevent abuse, or unlawful access or disclosure;
- the identification of the data controller or categories of data controllers;
- the storage periods of the data and applicable safeguards, taking into account the nature, scope, and purposes of the processing or categories of processing;
- the risks to the rights and freedoms of Data Subjects; and
- the right of Data Subjects to be informed of the restriction, unless this would likely adversely affect the purpose of the restriction.
7. Data Transfers
The Company may transfer the personal data of Data Subjects for specific purposes—such as the performance of a contract with a third party or to fulfil a statutory obligation, including employer obligations arising from employment relationships.
In the case of a data transfer—except for transfers required by law—the Company shall only transfer the personal data of the Data Subject to recipients located within the European Union or to recipients who provide appropriate guarantees that their processing of the data will comply with the GDPR requirements.
If the Company transfers personal data to a third country (i.e., a country outside the European Union) or to an international organization, or makes the data accessible to a data controller in a third country or an international organization, the Company must ensure that the recipient in the third country or the international organization provides a level of protection equivalent to that provided by the Company under Chapter V of the GDPR.
If the transfer is made to a third country or international organization that cannot provide an adequate level of protection as per Chapter V GDPR (e.g., certain Asian or African countries), the transfer may only take place without the Data Subject’s consent if it complies with Article 49 GDPR; otherwise, the explicit consent of the Data Subject is required for the transfer.
8. Data Protection Incidents
In the event of a data protection incident, the Company is obliged to comply with the following rules and act according to the procedures set out below.
8.1 Notification to the supervisory authority
The Company shall notify the supervisory authority of a data protection incident concerning the data it processes without undue delay and, if feasible, no later than 72 hours after becoming aware of it, including at least the following information:
- Description of the nature of the data protection incident, including the categories and approximate number of Data Subjects affected, and the categories and approximate number of personal data records affected;
- The name and contact details of any other contact point providing further information;
- The likely consequences of the data protection incident;
- Measures taken or planned by the data controller to address the data protection incident, including any measures to mitigate potential adverse effects.
If it is not possible to provide all the above information at the same time, it may be submitted in phases without undue delay. If notification is not made within 72 hours, reasons justifying the delay must be provided.
Notification is not required if the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons. The likelihood and severity of risk must be assessed objectively, taking into account the nature, scope, circumstances, and purposes of the processing. Risk may include, for example, discrimination, identity theft, financial loss, damage to reputation, or other significant economic or social disadvantage resulting from the incident.
8.2 Notification of the Data Subject
If a Data Subject, particularly an employee of the Company, becomes aware of a data protection incident, they must immediately notify the Company’s representative.
In all cases where the data protection incident is likely to result in a high risk to the rights and freedoms of a Data Subject and the Company becomes aware of the incident, the Company shall notify the Data Subject without undue delay. The notification must clearly and understandably include:
- The nature of the data protection incident;
- The name and contact details of any other contact point providing further information;
- The likely consequences of the data protection incident;
- Measures taken or planned by the Company to address the data protection incident, including, where applicable, measures to mitigate any potential adverse effects.
Notification to the Data Subject is not required if any of the following conditions are met:
- The Company has implemented appropriate technical and organizational protection measures applied to the personal data affected by the incident, in particular measures such as encryption that render the data unintelligible to unauthorized persons;
- The Company has taken additional measures after the data protection incident to ensure that the high risk to the rights and freedoms of the Data Subject is unlikely to materialize;
- Notification would require disproportionate effort. In such cases, the Data Subjects shall be informed publicly, using means customarily used locally, or by a similar measure ensuring equally effective communication.
If the Company has not yet informed the Data Subject of the incident, the supervisory authority, after assessing whether the incident is likely to result in a high risk, may order notification of the Data Subject or determine that one of the above conditions is met, and therefore that notification is not required.
9. Records of Data Processing
9.1 Record of Processing Activities
The Company and its representative shall maintain a written record, including electronic form, of the data processing activities carried out under their responsibility, in accordance with Article 30 GDPR, containing the following information:
- The name and contact details of the Company;
- The purposes of the processing;
- A description of the categories of Data Subjects and personal data;
- The categories of recipients to whom personal data are or will be disclosed, including recipients in third countries or international organizations;
- Where applicable, information regarding transfers of personal data to third countries or international organizations, including the identification of the third country or international organization, and in the case of transfers under the second subparagraph of Article 49(1) GDPR, a description of the appropriate safeguards;
- Where possible, the envisaged deadlines for erasure of the different categories of data;
- Where possible, a general description of the technical and organizational measures referred to in Article 32(1) GDPR.
The Company and its representative shall make the record available to the supervisory authority upon request.
9.2 Record of Data Protection Incidents
The Company shall maintain a record of data protection incidents, including:
- Facts related to the data protection incident;
- Its effects; and
- Measures taken to remediate it.
The supervisory authority may inspect this record to verify compliance with Article 33 GDPR.
10. Data Protection Impact Assessment (DPIA)
For processing likely to result in a high risk to the rights and freedoms of natural persons, the Company shall carry out a Data Protection Impact Assessment. The assessment shall include at least the following:
a) A systematic description of the intended processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the data controller;
b) An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) An assessment of the risks to the rights and freedoms of Data Subjects;
d) Measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and demonstrate compliance with the GDPR, while taking into account the rights and legitimate interests of Data Subjects and other persons.
11. Rules Concerning Data Processing
11.1 General Rules on Data Processing
For the personal data it processes, the Company may engage external data processors for tasks including:
- Operating and maintaining its website;
- Fulfillment of tax and accounting obligations;
- Performance of contracted services.
The rights and obligations of the data processor in relation to processing personal data are determined by law and under the relevant legislation on data processing by the data controller.
The Company declares that the data processor has no authority to make substantive decisions regarding data processing, may process personal data only according to the instructions of the data controller, may not process data for its own purposes, and must store and retain personal data in accordance with the data controller’s instructions.
The Company is responsible for the lawfulness of instructions given to the data processor.
The Company is obliged to provide information to Data Subjects regarding the identity of the data processor and the location of processing.
The Company shall not authorize the data processor to engage another sub-processor.
Data processing agreements must be in writing. Organizations that have a vested business interest in the personal data to be processed may not be entrusted with processing.
11.2 Data Processing Activities Performed by the Company
The Company, as a data processor, undertakes to ensure that the processing activities comply with the requirements of the GDPR and that appropriate technical and organizational measures are implemented to protect the rights of Data Subjects.
The Company shall immediately inform the data controller if it believes that any instruction violates the GDPR or applicable national or EU data protection laws.
The Company processes data according to the data controller’s instructions and in accordance with data protection rules and principles, taking into account contractual obligations known to the data processor.
The Company may not modify, delete, copy, or combine the data with other databases, nor use it for purposes other than those specified in the contract, except to the extent expressly instructed by the data controller for the purpose of processing.
The Company has no authority to represent the data controller or make legal statements on its behalf, unless expressly authorized by agreement or other documentation.
The Company acknowledges that the data controller exclusively determines the purpose and manner of processing the data provided to the data processor.
As a data processor, the Company is responsible for data security, taking all necessary technical and organizational measures to enforce data protection rules, including protection against unauthorized access, alteration, disclosure, deletion, destruction, accidental loss, damage, or inaccessibility due to technical changes.
The Company fully complies with the data security provisions of this Policy during processing activities.
The Company shall only provide access to data to employees who require it for processing activities and shall inform them of security and confidentiality obligations.
The Company shall cooperate with the data controller to enable compliance with its legal obligations, particularly regarding the exercise of Data Subject rights such as access, rectification, and erasure.
The Company undertakes to modify, supplement, correct, lock, or delete the processed data as instructed by the data controller.
The Company shall immediately notify the data controller of any events or risks affecting data security and take necessary measures while fully cooperating with the data controller.
The Company shall fully cooperate with the data controller and its representatives during audits or inspections of systems, records, data, information, and procedures related to data processing, ensuring complete access to all records, data sets, and procedures used in processing.
12. Scope and Review
This Data Processing Policy shall enter into force on December 1, 2025, and remain in effect until withdrawal. Upon entry into force, all previously effective internal regulations and employer instructions governing the processing of personal data shall be superseded.
The Policy shall be reviewed at least once annually. If necessary, the Company shall amend the Policy to reflect changes in legislation or internal organization, ensure its implementation and publication, and ensure that all persons subject to the Policy are informed of the changes.
All representatives, officers, and agents of the Company are required to be familiar with and comply with this Policy.
In the event of legal amendments or other changes to this Policy, the information notice must be updated accordingly and communicated to the Data Subjects.
Company Name: Hotel Innovation Ltd.
Address: 10–12 Sas Street, 1051 Budapest, Hungary
Tax Number: 32385894-2-42
Company Registration Number: 01-09-421360
Budapest, October 21, 2025.