incognito.hu

Privacy Policy

Dear Website user!

Allow us to inform you, as a visitor to our website, as well as a customer using our services, about the protection of your personal data.

This information was prepared in accordance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR).

Contents

Data protection and data management information Bio Gasztro Trade and Catering Limited Liability Company

(hereinafter: Ltd.)

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, as well as on the repeal of Regulation 95/46/EC (hereinafter: Regulation), stipulates, that the Data Controller takes appropriate measures in order to provide the data subject with all information related to the processing of personal data in a concise, transparent, understandable and easily accessible form, clearly and comprehensibly formulated, and that the Data Controller facilitates the exercise of the rights of the data subject. CXII of 2011. is also required by law.

Ltd., as a data controller, determines the purposes and means of handling personal data independently or together with others, and as a data processor, it manages personal data on behalf of the data controller.

Data management is any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as the collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, limiting, deleting or destroying.

The data processing is a technical data management, and does not have the right of disposal or decision over the data.

Any information relating to an identified or identifiable natural person (“data subject”) is considered personal data. A natural person can be identified directly or indirectly, in particular on the basis of an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person can be identified.

Definitions

  1. “personal data”: any information relating to an identified or identifiable natural person (“data subject”); a natural person can be identified directly or indirectly, in particular on the basis of an identifier such as name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person identifiable;
  2. “data management”: any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or otherwise by making available, coordinating or connecting, limiting, deleting or destroying;
  3. “restriction of data management”: designation of stored personal data for the purpose of limiting their future management; 4. “profiling”: any form of automated processing of personal data, during which personal data is used to evaluate certain personal characteristics of a natural person, in particular work performance, economic situation, state of health, personal preferences, interests, reliability, behavior, location or used to analyze or predict motion-related characteristics;
  4. “pseudonymisation”: processing of personal data in such a way that, without the use of additional information, it is no longer possible to determine which specific natural person the personal data refers to, provided that such additional information is stored separately and secured by technical and organizational measures that this personal data cannot be linked to identified or identifiable natural persons;
  5. “registration system”: the file of personal data in any way – centralized, decentralized or divided according to functional or geographical aspects – which is accessible based on specific criteria;
  6. “data controller”: the natural or legal person, public authority, agency or any other body that determines the purposes and means of processing personal data independently or together with others; if the purposes and means of data management are determined by EU or member state law, the data controller or the special aspects regarding the designation of the data controller may also be determined by EU or member state law;
  7. “data processor”: the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller;
  8. “recipient”: the natural or legal person, public authority, agency or any other body to whom or to which the personal data is communicated, regardless of whether it is a third party. Public authorities that have access to personal data in accordance with EU or Member State law in the context of an individual investigation are not considered recipients; the management of said data by these public authorities must comply with the applicable data protection rules in accordance with the purposes of data management;
  9. “third party”: the natural or legal person, public authority, agency or any other body that is not the same as the data subject, the data controller, the data processor or the persons who, under the direct control of the data controller or data processor, are authorized to process personal data they got;
  10. “consent of the data subject”: the voluntary, specific and clear declaration of the will of the data subject based on adequate information, with which the data subject indicates by means of a statement or an act clearly expressing the confirmation that he gives his consent to the processing of personal data concerning him;
  11. “data protection incident”: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise handled.

I. Chapter: 
Ltd. ON THE BASIS OF ARTICLE 13 of the GDPR, THE FOLLOWING INFORMATION IS PROVIDED TO THE PERSONS CONCERNED:

Data controller details:

  • Company name: Bio Gasztro Trading and Catering Industry Limited Liability Company
  • Headquarters: H-1061 Budapest, Liszt Ferenc Square 3. 
  • Company registration number: 01 09 993636
  • Tax number: 24166812-2-42
  • Representative: Ferhat Hamdi Güray
  • Phone number: +36 70 639 0094
  • E-mail address: info@incognito.hu
  • Website: https://incognito.hu
  • Facebook page: https://www.facebook.com/

Data processing:

The natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller; (Regulation, Article 4, 8) Using a data processor does not require the prior consent of the data subject, but it is necessary to inform them.

1) Storage data processor:
  • Company name: DotRoll Kft.
  • Headquarters: H-1148 Budapest, Fogarasi Road 3-5.
  • Phone number: +36-1-432-3232
  • E-mail address: support@dotroll.com
  • Website: https://dotroll.com
2) Bookkeeping service provider:

In order to fulfill its tax and accounting obligations, the Ltd. uses an external service provider with an accounting service contract, who also manages the personal data of natural persons in the Ltd.’s contract or payment relationship, for the purpose of fulfilling the tax and accounting obligations of the Ltd.

  • Company name: Kovács Julianna self-employed
  • Headquarters: 1191 Budapest, Simonyi Zsigmond u. 11. 1/3.
  • Registration number: 315884
  • Tax number: 62375159-1-43
  • Representative: Kovács Julianna
  • Phone number: 06703641244
3) Our card acceptor data processors:
  • Company name: OTP Bank Nyrt.
  • Headquarters: 1051 Budapest, Nádor u. 16.
  • Phone number: 06-1-3666-100
  • E-mail: adatvedelem@otpbank.hu
  • Website: www.otpbank.hu

In the case of payment by bank card, the data will be transferred to the card acceptor in order to fulfill the contract. The data management of our card-accepting partner, as a data manager, is subject to its own data management information and rules, therefore the Kft. is not responsible. Data transmission: In the case of payment by bank card, the payer’s ID, the amount, date and time of the transaction are sent to the data processors.

The data processor may only execute instructions that are recorded in writing.
A written contract must be concluded between the data controller and the data processor, which must contain the data transferred by the data controller to the data processor and the data processor’s activities with them.

Employees dealing with the management of personal data are bound by confidentiality. In order to guarantee data security, the data processor implements organizational and technical measures. The data processor helps the data controller to fulfill its obligations. Based on the decision of the data controller, the data processor returns all personal data to the data controller or deletes or deletes the existing copies, with one exception if national or EU law requires the storage of data. The data processor facilitates and enables audits and on-site inspections carried out by the data controller or with the help of an inspector commissioned by the data controller.

If the data processor uses the help of another data processor, the same obligations apply to her as those originally established by the contract between the data processor and the data controller.

Data Protection Officer:

– Ltd. is not obliged to appoint a data protection officer based on Article 37 of the GDPR.

Data protection requests:

If you have any requests or questions regarding data management, send your request by post to H-1061 Budapest, Liszt Ferenc Square 3. or send it electronically to info@incognito.hu. We will send our answers to the address specified by you without delay, but within 30 days at most.

Foreign data transfer:

– no data is transferred abroad

II. Chapter: 
Ltd. purpose, legal basis and duration of data processing:

Data management purposes:

Ltd. performs data management for the following purposes in accordance with the legislation:

  • 5610’08 In connection with the provision of restaurant and mobile catering activities, we process the data of the users of the service for the purpose of fulfilling legal obligations and maintaining customer relations;
  • marketing to potential customers;
  • handling the data of employees and applicants (with conditions specified in separate regulations);
  • managing the contact details of contractual partners for the purpose of fulfilling the contract;
  • fulfillment of customer orders;
  • for the purpose of fulfilling an obligation defined by law

Legal basis for data management:

  • Article 6, paragraph (1) point a) of the GDPR: consent of the data subject
  • Article 6 (1) point b) GDPR: necessary for the performance of a contract
  • Article 6 (1) point c) GDPR: necessary to fulfill a legal obligation
  • Article 6 (1) point a) GDPR: legitimate interest, a consideration of interests is always required

The legal basis for individual data management activities:

  • issuing an invoice in accordance with accounting legislation: legal basis: Article 6 (1) point c) GDPR
  • contact: legal basis (in the case of the data of the partners’ employees, data management) legal basis: Article 6 (1) point f) GDPR. The legitimate interest of the data controller: business continuity.
  • management of employees’ data: GDPR Article 6 (1) points b), c)
  • e-mail account use, computer, laptop, tablet use, data management related to the use of company mobile phones GDPR Article 6 (1)
  • processing of the data of contractual partners: legal basis GDPR Article 6 (1) point b).
  • marketing activity: legal basis: GDPR Article 6 (1) point a) A Facebook page is also in operation for marketing purposes: however, no separate database or profile is created. Ltd. does not manage the personal data published by visitors on Ltd.’s Facebook page.)
  • online registration takes place on the website of the Kft., legal basis: GDPR Article 6 (1) point a)
  • operation of a security camera legal basis: GDPR Article 6 (1) point f). The legitimate interest of the data controller: asset protection, in the case of employees, the employer’s legitimate interest as defined in Mt.

In the case of handling the personal data of the data subject based on legitimate interests, we carry out an interest assessment, during which:

  • we identify and record the legitimate interest
  • we identify and record the interests and rights of the data subject
  • consideration based on the principles of necessity and proportionality, purpose-boundness, data saving, and limited storage capacity
  • we inform the person concerned about the consideration of interests

The data subject has the right to object, based on which the personal data will no longer be processed, unless the data processing is justified by a compelling reason (e.g. in the case of data that must be processed in connection with an employment relationship)

There is no compelling reason in the case of direct marketing, the data must be deleted in case of objection. (Direct marketing includes advertisements that reach out to potential customers directly. This can be done electronically, by phone call, by post, etc. Special rules apply to each method.

Here, the person concerned will be the recipient of the advertisement, i.e. the person to whom the advertisement reaches or is directed. The personal data of the person concerned, e.g. can be managed by the operator of a website or online store.)

Duration of data management:

  • Accounts are kept for at least 8 years due to legal obligations.
  • The retention period of the documents on which the invoice is based is 8 years.
  • Retention period of the documents that form the basis of the employment relationship: They are always handled in accordance with the laws in force. (Act on Taxation)
  • Retention period for data required to determine social insurance, pension: unlimited.
  • Retention period for data required to establish tax law and accounting obligations: 8 years.
  • The retention period of the data provided for the purpose of contact is 1 year after the termination of the contact.
  • Retention of data related to the performance of the contract: 5 years.

III. Chapter:
Affected rights

In relation to her/his personal data, the data subject has the rights defined in the legislation:

  • right of access (knowledge of data, the fact of whether data is being processed);
  • if a data is outdated or incorrect, its adjustment;
  • deletion (only in the case of consent-based data management);
  • restriction of data processing;
  • prohibiting the use of personal data for direct marketing purposes;
  • the transfer of your personal data to a third-party service provider, or the prohibition of this;
  • request a copy of any personal data managed by the data controller; obsession
  • objection to the use of personal data

IV. Chapter:
Data protection incident

A breach of data security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data.

Ltd. ensures data security corresponding to the degree of risk associated with data management, in the event of a breach of which, without delay, but no later than 72 hours after becoming aware of it, our data protection officer, or failing that, the data manager/data processor or his representative, will notify the supervisory authority and inform the data subject as well.

Ltd., upon becoming aware of the data protection incident, immediately takes the necessary security measures in order to eliminate and restore the damage that is the basis of the data protection incident.

The person concerned will be notified of the measures taken and their results.

V. Chapter: 
Remedial information

In Hungary, the data protection supervisory authority is: National Data Protection and Freedom of Information Authority (hereinafter: NAIH, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, e-mail address: ugyfelszolgalat@naih.hu). The data subject may submit a complaint to the NAIH if, in his opinion, the processing of his personal data does not comply with the legal obligations. A judicial review can be initiated against the NAIH’s decision

VI. Chapter:
Information about records

Ltd. manages and processes data in a legal, transparent and verifiable manner, and in order to achieve these goals, it keeps the following records:

1. record of data transmission

content:

  • serial number
  • date
  • addressee
  • data transfer to a third country
  • scope of personal data
  • data handling,
  • purpose of processing
  • data handling,
  • legal basis for processing
  • name and contact information of data controller
  • name and contact information of data protection officer
  • technical and organizational measures
  • deadline for data deletion
  • other data defined by law (e.g. auditor’s chamber identifier)

2. content of the record of termination of data processing:

  • serial number
  • date of application
  • name and identification data of the person concerned
  • request content
  • name of measure
  • date of action
  • name and contact information of data controller

3. contents of the data protection incident register:

  • serial number
  • time of incident
  • incident name
  • range of stakeholders
  • personal data concerned
  • impact of incident
  • provisions
  • name and contact information of data controller

4. the contents of the register of stakeholder and authority inquiries and the responses thereto:

  • serial number
  • subject and time of request
  • range of stakeholders
  • personal data concerned
  • provisions
  • name and contact information of data controller

5. contents of the register of “lost” data and inquiries:

  • serial number
  • arrival time
  • subject of request
  • action (e.g. return)
  • name and contact information of data controller

6. contents of the preliminary data protection impact assessment register:

  • serial number
  • impact assessment time
  • description of operations, data management purpose, legitimate interest
  • examination of necessity and proportionality
  • analysis and management of risks
  • name and contact information of data controller
  • opinion of data controller

If the scope of the managed data and the other circumstances of the data management change, this data management information will be modified and published on the https://incognito.hu/ website within 30 days in accordance with the provisions of the GDPR.

Dated: Budapest, September 1, 2023.

Downloadable data management information:

Information regarding data management on the website

Downloadable data management information:

Asztalfoglalás

book a table

Nyitvatartás / Opening: 12.00-24.00      Konyha nyitvatartás / Kitchen operates between: 12.00-23.30