I. Fundamental Provisions

1. The purpose and scope of the notice

We respect your privacy, and we are committed to protecting the privacy, security of the personal data you provide to us or that we collect about you when you use our website. This policy was prepared in compliance with legislation relevant to the General Data Protection Regulation 2016/679 (hereinafter: GDPR) and the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Infotv. Or Privacy Act) 
Present Privacy Policy (hereinafter: Policy or Privacy Policy) explains our personal data practices, how your personal data is used and protected, what choices you have relating to your personal data. 
The controller reserves the right to change present policy at anytime unilaterally, any changes to this privacy policy will be posted to our website. The scope of the present Policy covers the data managements performing  by the data controller.
This Privacy Policy is written in the Hungarian language and may be translated into other languages. In the event of any inconsistency between the Hungarian version and the translated version of it, the Hungarian version shall prevail. 
The Hungarian law may require us to include and abide by certain clauses in our Privacy Policy. We give information about the privacy policy which is not in this guide at the start of the service. 
If you have any questions about our policy or the cookies used on our website, please contact us at iroda@ikonrestaurant.hu

2. The controller and its contact information
Data controller: IKON Gasztronómia Kft.
Address: 4031 Debrecen, Szotyori Street 82. VAT Number: 23590461-2-09
Telephone: +36 30 299 0374, email: iroda@ikonrestaurant.hu
Our company does not require a Data Protection Officer to be appointed.

3. Definitions

The terms used in this Policy shall have the following meaning  in accordance with the GDPR and Info tv.: 
- personal data: any data that can be related to the Customer – especially the name, username of the customer and any knowledge characteristic for one or more physical, physiological, mental, economic, cultural, or social identity of the Customer – and any conclusion related to the Customer drawn from the data; 
- the contributor concerned: a voluntary, specific and appropriate informed and explicit statement of the will of the person concerned by which he or she expresses the statement or confirmation by means of an inadvertent act of affirmation that he or she has consented to the processing of personal data concerning him or her; 
- data management: the totality of any operation or operations carried out in an automated or non-automated manner on personal data or data files, such as collecting, recording, organizing, tagging, storing, modifying or modifying, querying, inspecting, using, communicating, distributing or otherwise making available, aligning or linking, limiting, deleting or destroying; 
- data controller: means any natural or legal person, public authority, agency or any other body that determines the purposes and means of handling personal data individually or with others, where the purposes and means of data management are defined by Union or national law, the data controller or the particular aspects of the designation of the data controller may also be defined by Union or national law; 
- data processor: means any natural or legal person, public authority, agency or any other body that manages personal data on behalf of the data controller; 
- dataprotection incident: a security breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise treated. 
Article 5 of the GDPR sets forth the major principles that have to be complied with when processing personal data.

4. Principles Relating to Processing of Personal Data
Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); 
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes ('purpose limitation'); 
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'); 
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); 
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation'); 
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). 
The data management principles apply to the entire data management process, including data collection, choice of legal basis, inform the data subjects.

5. Data processing legislation
The company take into account the relevant existing legislation with particular regard to General Data Protection Regulation (EU) 2016/679, CXII of 2011 law on Informational Self-Determination and Freedom of Information Law. Act CXII of 2011. (Infotv) and Act V of 2013 Civil Code (CC.).

II. Rights of the Data Subjects

In connection with its personal rights, Data Subject may request from the controller information of the data process related to it at any time, and may request from the controller rectification or erasure of personal data.
The data subject also has rights under the GDPR., these consist of:
- The right to be informed - transparency (Article 13- 14)
- The right of access (Article 15)
- The right to rectification (Article 16)
- The right to erasure (Article 17)
- The right to restrict processing (Article 18 )
-  Notification obligation regarding rectification or erasure of personal data or restriction of processing (Article 19)
- Right to data portability  (Article 20)
- The right to object  (Article 21)
- Rights in relation to automated decision making and profiling.  (Article 22)

III. Details of data managements

Data Controller must only process Personal Data on the basis of one or more of the lawful bases set out in the GDPR, which can be the consent of the data subject, performance of a contract and compliance with a legal obligation. Our website can be visited without providing any personal information, failure to give consent may lead to a change in the functioning of the website. 
The lack of the data presentation we can't get in touch with the data subject, process the request or to execute an order.
The aim of the data management is to ensure our services (make contact, execute an order, send newsletter). The data controller only handles and stores personal data for a specific purpose. In certain cases the legal basis of the data processing is the accordance of legal obligation (court action, police investigation, legal procedure, oder legal infringement or in case of reasonable suspicion).

1. Table reservation
Purpose of data management: Controller allows guests to make table reservations at the restaurant directly via telephone, electronic mail, and through the website. We require this information to understand your needs and provide you with a better service, to fulfill the table reservation and to the effect of contact. When you don't give the necessary datas we may not manage the reservation.
Areas of personal data processed: family and surname, email address, phone number, number of guests, any other information from the guests 
Aim of data processing: table reservation on the premises of the Restaurant operated by the Controller 
Legal base of data management: to fulfill contractual obligations in accordance with (GDPR 6. (1) b) 
The range of customers: Everyone who is making a reservation for a table with the online form. 
Duration of data management: At the end of table reservation or the commencement of obligatory erasure (revocation of consent, practicing the right to object)
In the case of accounting documents, the data controller keeps the data for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.
The data controller uses an online booking software for table reservation. (easytablekooking.com)

2. Newsletter
Should you wish to receive up to date information about our latest news and promotions, you may sign up to our online newsletter. The data controller can send him/her advertisement and other consignment via the addresses given at registration. Customer can unsubscribe the sending of advertisement by clicking on the link in the message. 
Aim of data processing:  sending electronic messages 
Areas of personal data processed: name, email address
The range of customers: All customers subscribing for the newsletter. 
Legal base of data management: consent of the affected person in accordance with (GDPR 6. (1) a) 
The time period of data management and the deadline of deletion of data: until the withdrawal of the consent, i.e. unsubscribing from the newsletter.
The data is handled by the Data Controller and the internal staff, in some cases, third parties (such as technical service providers, postal carriers, hosting providers, IT companies, communication agencies) may access to your data.
If the newsletter is sent on the legal basis of a legitimate interest, the data controller will perform an interest weighing test, based on which, it determined that the interests, rights and freedoms of the Data Subject do not have priority over the above mentioned legitimate interest.

3. Social media
The Controller is available on social networking sites. (Facebook, Instagram)
When you follow our social media account or page we can collect information regarding your interactions with the content we post and statistical information regarding all our followers’ activities.
Aim of data processing:  The data controller can launch personalized advertisement and share content about the products and services.
Legal base of data management: voluntary consent of the affected person in accordance with (GDPR 6. (1) a) 
The time period of data management: Until you stop following our social media account or page.
This website uses the so-called Facebook Pixel of the social network Facebook to follow the usage of persons and display interest-based advertisements.
More information on how Facebook uses data to personalize the Facebook experience: (https://hu-hu.facebook.com/business/help/952192354843755?helpref=faq_content)

4. Connection
If you have question during using some of the services of the data controller or the customer has some problem you can get in contact with the data processor (on the website, on phone, e-mail, community sites, etc.). The data management is required for identification and communication.
Areas of personal data processed: Name, email, any personal data given by the user. 
Legal base of data management: voluntary consent 
The range of customers: A Who makes contact us by email.
The time period of data management: Till we achieve the  goals or for maximum 1 year from last request.
The method of data storage: electronic
Data processor: website provider, email provider

IV. Data transfer

The data controller may share your personal data with third parties to performance of orders and solutions. The company may forward the data to a third party on the basis of the relevant legislation
In case of data transfer, the third party manages the personal data in accordance with its own policy.
The data controller is entitled and obliged to transfer the personal data to the authority under the legislation or binding authoritiy’s decision.
Our company does not transmit your personal information to any third country or international organisation.
The personal data might have to be shared with law firm to exercise the right.(eg. letters of formal notice, litigation or other procedure)
The data controller keep a record of the data management, to ensure the right of information of the data subject and control the legality of data transfer.

V. Data processors and recipients

We may also disclose your personal information to third party  recipients to manage personal data if the policy of third parties are comply with provision of GDPR. Your personal data will only be transmitted to third parties if this is legally permitted or if you have given your prior consent.
The processor, as well as any person acting under his authority who has access to personal data, must not process them except on instructions from the controller. The data controller decides how long data shall be stored or who shall have access to the data processed.
The following processor (s) shall be used for data management:

1. Newsletter provider
The Rocket Science Group, LLC. Címe: 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA, website: https://mailchimp.com/contact
Activity: The Rocket Science Group LLC as the MailChimp software operator assists in the management of newsletters we send. Mailchimp’s servers are in the United states. The Rocket Science Group guarantees that it will follow the EU's data protection regulations when processing data in the United States. MailChimp has been joined by the “Privacy Shield” Convention between the European Union and the US. 

2. Transaction letter provider
The Rocket Science Group LLC (Mandrill)
Headquarters: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA, Telephone: +1 (404) 806-5843 , E-mail: @Privacy Policy: https://mailchimp.com/legal/privacy/
Activity: to send confirmation email.

3. Website-provider 
Contact of the data processor:  PW Studio Kft. - info@pwstudio.hu, Telephone: +3670 383 3708
Data Processor Activity: Storage and server services.

4. Accountant
Data Processor Activity: Issuing invoices and to keep certified copies of them.
Areas of personal data processed: name, billing address, tax identification.
Legal basis: fulfill the legal obligation. Data processing is established in the Act C. of 2000 about accounting, paragraph 169. 
Period of data processing: 8 years from issuing the invoice
Adressis of provided personal data: Only those employees of the Data Controller treat the personal data whose functionality concerns responsibility is the administration.

5. Invoicing system
The Service Provider issues its invoices with an online billing system. Data processing is performed in order that invoices are issued in conformity with the legislation and fulfillment of the obligation to keep accounting records. The personal data are processed in accordance with Accounting Act.
Számlázz.hu / KBOSS.hu Kft.
Contact of the data processor: 1034 Budapest, Bécsi út 126-128., email: @, +36204694994,  www.szamlazz.hu
Privacy: https://www.szamlazz.hu/adatvedelem
Areas of personal data processed:name, address, VAT of the data subject 
Period of data processing: 8 years from issuing the invoice

VI. Security of data management

The data controller and the data processor shall take appropriate technical and organizational measures to take into account the state of science and technology and the costs of implementation, the nature, scope, circumstances and objectives of data management and the risk of varying probability and severity of natural persons' rights and freedoms to guarantee an adequate level of data security.
To protect your information, shall be used computer safeguards such as firewalls, current anti-virus software. We may hold your personal information in either electronic or hard copy form. We also enforce physical access controls to our buildings and files to keep personal data safe. The documents shall be stored in an adequately closed room. 
Only authorised employees have access who need it to carry out their job responsibilities. 
We make back-ups of the databases to ensure that personal data is protected against accidental destruction, loss. 
The Data Controller does not transfer the personal data of the affected to third country or to any international organisation.

VII. Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Cookies that are used by this website are necessary in order for us to improve our website for all the users. Cookies are not shared with any third parties. 
The range of data processed: Unique identification number, dates, times. The following cookies will be set:

- Google Analytics
The Google Analytics uses so called „cookies”, textiles, which are saved on your computer, and they help the analysis of the website usage of the Users. The cookies of the websites are sent and stored on one of the Google’s servers. With the use of cookies the service provider does not manage personal data. The visitors can prevent Google from collecting datas about the website usage habits in the Tools/Settings menu of the browser generally at the menu item Data protection. 
The range of customers: All the people who visiting the website.
Aim of data management: Identifying users and tracking visitors.
Term of data management, deadline for deletion of data depends on the type of the cookies.
Type of cookie: Session cookies
Legal basis for data handling: In accordance with the CVIII Act of 2001 on certain aspects of electronic commerce services and information society services law 13 / A. § (3) 
Duration of data management: The relevant session until the end of a visitor's session
Treated data: connect.sid 

VIII. Compliant opportunity

If a data subject find out about unauthorized data processing you can also go to court because of the Data Management activities. This procedure falls within the scope of regional courts. The civil procedure may be initiated at the regional court competent. (the list and contact information of the regional courts via the following link: http://birosag.hu/torvenyszekek) It depends on the choice of the data subject. Every data subject is entitled to lodge complaints with a single supervisory authority if the data subject considers that the processing of his or her personal data is in violation of the GDPR. In addition to the official appeals to you, you can also go to court because of the Data Management activities. Apply to the lawsuit the conditions of the GDPR, the Infotv, and the Ptk. and the Pp. The assessment of trial falls under the competence of the tribunal. The lawsuit may be brought before the tribunal of the place of residence of the subject in matter according to his or her choice.
Complaint regarding the possible breaching of the law by the data manager can be made to the Hungarian National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c, email: ugyfelszolgalat@naih.hu, tel: +36 (1) 391-1400, web: www.naih.hu, Online initiation of cases: http://wwwnaih.hu/online-uegyinditas.html )

IX. Privacy incident

If the privacy incident is likely to pose a high risk to the rights and freedoms of natural persons, the data controller shall inform the data subject of the privacy incident without undue delay.
The data protection incident shall be reported to the supervisory authority under Article 55 without undue delay and, if possible, no later than 72 hours after the data protection incident becomes known, unless the data protection incident is unlikely to pose a risk to the rights of natural persons and freedom. If the notification is not filed within 72 hours, the reasons for proving the delay must also be enclosed. 

X. Closing remarks

We reserve the right to change, amend or modify this Privacy Policy at any time. Any changes we may make to our privacy policy in the future will be posted on this page or by email. We do not use automated decision-making and profiling regarding personal data. We welcome questions and comment about our privacy policy and privacy practices If you have any question, please contact us. 
On questions not specified in the current Policy, the regulations of Infotv, the GDPR agreement and the data protection rules of the Company should be apply.

If you like more info from us please sign up for our newsletter.