Name of data controller: Dryvit Profi Kft.
Company registration number of the data controller: 09-09-025799
Tax number of the data controller: 24880521-2-09
Data controller’s registered office: 4030 Debrecen, karabély utca 3.
Contact details of the Data Controller: info@dryvitprofi.hu
Website of the data controller: www.stay-loft.hu
Phone number of the data controller: +36 52 782 994
Fax number of the data controller: +36 52 782 994
Data Protection Officer: dr. Kristóf Bana
The purpose of this Privacy Policy is to set out the processing principles applied by Dryvit Profi Ltd. (hereinafter referred to as the “Data Controller”) and set out in its Privacy and Data Security Policy, which the Data Controller acknowledges as binding upon itself and undertakes to ensure that its processing of data related to its services and the operation of the website complies with the provisions set out in this Policy and the applicable legislation.
The scope of the Data Management and Privacy Policy extends to all departments of the Data Controller and the contracted data processors involved in data management, who carry out data management on behalf of Dryvit Profi Ltd.
The Data Controller considers it important to ensure that in all areas of the services it provides, all guests are guaranteed that their rights and fundamental freedoms, in particular their right to privacy, are respected when their personal data are processed.
The purpose of the Policy is to ensure that data subjects are properly informed about the legal basis of the data held and processed by the data controller, the purposes for which the data are processed and the sources of the data.
controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements the decisions concerning the processing (including the means used) or implements them with the processor, within the limits set by law or by a legally binding act of the European Union;
joint controller: a controller who, within the limits set by law or by a legally binding act of the European Union, determines the purposes and means of processing jointly with one or more other controllers, takes decisions on processing (including the means used) jointly with one or more other controllers and carries out or has carried out the processing with the processor;
data processing: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound recordings or images and physical features which can be used to identify a person (e.g. fingerprints, palm prints, DNA samples, iris scans);
transfer: making data available to a specified third party;
indirect transfer: the transfer of personal data to a controller or processor in a third country or to a controller or processor in another third country or to a processor in an international organisation by transferring the personal data to the controller or processor in a third country or to a processor in an international organisation;
international organisation: an organisation governed by public international law and its subsidiary organs, and any other organ which is established by or under an agreement between two or more States;
erasure: making data unrecognisable in such a way that it is no longer possible to recover it;
restriction of processing: blocking of stored data by marking it for the purpose of restricting its further processing;
data marking: the marking of data with an identification mark to distinguish it;
data blocking: the marking of data with an identification mark for the purpose of limiting its further processing permanently or for a limited period of time;
data destruction: the complete physical destruction of the data medium containing the data;
processing: the totality of processing operations carried out by a processor acting on behalf of or under the authority of the controller, in particular the performance of technical tasks related to processing operations, irrespective of the method and means used to carry out the operations and the place of application, provided that the technical task is carried out on the data;
data processor: a natural or legal person or an unincorporated body which processes personal data on behalf of or under the instructions of the controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union;
data controller: the public sector body which has produced the public interest data subject to mandatory disclosure by electronic means or in the course of whose activities the data were generated;
data provider: a public sector body which, if the data controller does not publish the data itself, publishes the data submitted to it by the data controller on a website;
dataset: the set of data managed in a single register;
data breach: a breach of data security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data transmitted, stored or otherwise processed;
criminal personal data: personal data relating to the criminal offence or the criminal proceedings, obtained in the course of or prior to criminal proceedings, by the authorities authorised to conduct criminal proceedings or to investigate criminal offences, by the law enforcement authorities, which can be linked to the data subject, and personal data relating to the criminal record;
EEA State: a Member State of the European Union and another State party to the Agreement on the European Economic Area, and a State whose nationals enjoy the same status as nationals of a State party to the Agreement on the European Economic Area under an international treaty between the European Union and its Member States and a State not party to the Agreement on the European Economic Area;
data subject: any natural person who is identified or can be identified, directly or indirectly, on the basis of personal data;
‘identifiable natural person’ means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person
Consent: a freely given, explicit and properly informed indication of the data subject’s wishes by which he or she signifies, by means of a statement or other conduct unambiguously expressing his or her wishes, his or her agreement to the processing of personal data relating to him or her. Silence or inaction shall not be considered as consent;
third party: any natural or legal person or unincorporated body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are carrying out operations relating to the processing of personal data;
third country: any state that is not an EEA state;
personal data: any information relating to the data subject, any data which can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, and any inference relating to the data subject which can be drawn from the data;
special categories of personal data: any data which fall within special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons,
health data: personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person which contain information about the health of the natural person;
Genetic data: any personal data relating to the inherited or acquired genetic characteristics of a natural person which contain specific information about the physiology or state of health of that person and which result primarily from the analysis of a biological sample taken from that natural person;
biometric data: personal data relating to the physical, physiological or behavioural characteristics of a natural person obtained by means of specific technical procedures which allow or confirm the unique identification of the natural person, such as facial image or dactyloscopic data;
criminal personal data: personal data relating to the criminal offence or the criminal proceedings, obtained in the course of or prior to criminal proceedings, by the authorities authorised to conduct criminal proceedings or to investigate criminal offences, by the law enforcement authorities, which can be linked to the data subject, and personal data relating to the criminal record;
data of public interest: information or knowledge, in whatever form or by whatever means, which is held by a body or person performing a State or local government function or other public function as defined by law and which relates to its activities or arises in the course of the performance of its public function, but which is not personal data, irrespective of the way in which it is handled, whether or not it is of a specific or collective nature, in particular data concerning the powers, competences, organisation, structure, professional activities, including an assessment of their effectiveness, the types of data held and the legislation governing their operation, as well as data concerning management and contracts concluded;
objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the deletion of the processed data;
disclosure: making the data available to anyone;
filing system: a set of personal data, structured in any way, which is accessible on the basis of specific criteria;
profiling: any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his or her performance at work, economic situation, state of health, personal preferences or interests, reliability, behaviour, location or movements;
recipient: the natural or legal person or unincorporated body to whom or which personal data are disclosed by the controller or processor;
pseudonymisation: the processing of personal data in a way that makes it impossible to identify the data subject without further information, stored separately from the personal data, and ensures that the personal data cannot be linked to an identified or identifiable natural person by technical and organisational measures;
Authority: National Authority for Data Protection and Freedom of Information
Dryvit Profi Ltd. carries out data management activities with regard to personal data related to this interface on the basis of its Privacy and Data Management Policy. The scope of the Policy covers all processes carried out by all departments of the Data Controller.
Personal data may only be processed for clearly specified, legitimate purposes, for the exercise of rights and the performance of obligations. At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful. Only personal data that is necessary for the purpose of the processing and is adequate for the purpose shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.
Personal data may only be processed for the exercise of a right or to comply with a regulation and in compliance with the regulations. The use of personal data processed by the controller for private purposes is prohibited. The processing must always comply with the purpose limitation principle.
At all stages of processing, it must be fit for purpose – and if the purpose of the processing is no longer fulfilled or the processing is otherwise unlawful, the data must be deleted.
The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.
The Data Controller shall ensure the appropriate security of personal data by applying appropriate technical or organisational measures during processing, in particular measures to protect against unauthorised or unlawful processing, accidental loss, destruction or damage.
The respective manager of the data controller, taking into account the complex activities of the accommodation service, shall define the system of data protection and the relevant tasks and responsibilities. All employees of the Data Controller and partners entrusted with data management shall, in the course of their work, ensure that personal data cannot be accessed by unauthorised persons and that personal data are stored in such a way that they cannot be accessed by unauthorised persons.
Personal data can be processed if
Specific data may only be processed if
The Data Protection Officer and the current Chief Executive are responsible for overseeing the data management system of the controller.
Right to prior information
Right to information and access
Right to rectification
Right to restriction of processing
Right to erasure
Right to withdraw consent
Right to object
Right to legal redress
The data subject may lodge a complaint about the processing of data by the Data Controller:
Name: National Authority for Data Protection and Freedom of Information
Location: 1024 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf. 5.
Email address: ugyfelszolgalat@naih.hu
Phone: +36 1/391-1400
Website: www.naih.hu
The data subject may take legal action against the controller or processor if he or she considers that the controller or a processor to whom the controller or processor has delegated the processing of his or her personal data infringes the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union. It is for the controller or processor to prove that the processing is in compliance with the standards for the processing of personal data laid down by law or by a legally binding act of the European Union. The data subject may bring the action before the courts for the place where he or she resides or is domiciled, at his or her choice. A person who does not otherwise have legal capacity may also be a party to the action. The Authority may intervene in the proceedings in order to ensure that the person concerned is successful.
If the data controller infringes the provisions on the processing of personal data laid down by law or by a legally binding act of the European Union and causes damage to another person, the data controller must compensate the damage. If the controller acts in breach of the privacy rights of another person whose privacy has been violated, the controller may claim damages.
The controller shall be exempted from liability for the damage caused and from the obligation to pay compensation if it proves that the damage or the harm caused by the infringement of the right relating to personality was caused by an unforeseeable cause outside the scope of the processing, and shall also be exempted in the case of, if he or she proves that, in the processing operations which he or she has carried out, he or she has acted in compliance with the obligations relating to the processing of personal data laid down by law or by a legally binding act of the European Union specifically imposed on processors and with the lawful instructions of the controller.
No compensation or damages may be claimed if the damage or injury was caused by the intentional or grossly negligent conduct of the victim or the person who suffered the personal injury.
For more information about the processing of your personal data, please contact our Data Protection Officer:
dr. Bana Kristóf
Address for correspondence: 4030 Debrecen, Karabély utca 3.
E-mail address: info@dryvitprofi.hu
Phone number: +36 52 782 994
Website data management
The Data Controller operates websites at www.stay-loft.hu.
Anyone may access the websites operated by the Data Controller without revealing their identity or providing personal data, and may obtain information freely and without restriction on the websites and the pages linked to them. However, non-personally identifiable information about visitors is collected automatically and without limitation by the website. However, no personal data can be extracted from this data, and therefore no processing is carried out within the scope of the Infotv.
In case of request for quotation, visitors also have the possibility to provide personal data (name, e-mail address, telephone number) for the purpose of requesting quotation, which will be processed by the Data Controller in accordance with the provisions of the Rules.
The website uses the web analytics service Google Analytics. Google Analytics uses “cookies”, which are text files placed on the website visitor’s computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (your IP address) will be transmitted to and stored by Google on servers in the United States of America. Google does not associate the information generated by the cookies with any other data – therefore, it does not process personal data in accordance with the applicable data protection legislation (at the time of writing, the Infotv., at the time of amendment of the Code, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 [hereinafter “GDPR”] and the Infotv. The website visitor may refuse the use of cookies by selecting the appropriate settings on his/her browser. By using the website, the website visitor consents to the processing of his/her data in the manner and for the purposes set out above.
Google will use the information collected for the purpose of analysing the use made of the website by the data subject and compiling reports on website activity.
Purpose of processing: to analyse the activity of visitors to the website, to make electronic services available
scope of data processed: starting and ending time of the user’s visit, type of browser and operating system of the user’s computer, other data recorded (cookies) in the case of the website’s menu items requiring login: name, e-mail address, telephone number
legal basis for processing: consent of the data subject
storage period: until the purpose of the processing is fulfilled, up to a maximum of 2 years
method of data storage: electronic
In the course of its activities, the Data Controller provides accommodation services.
When checking into the hotel, the person concerned will fill in a registration form (Check-in form). Data provided for the purpose of requesting a quote will be processed by the Data Controller in accordance with the Rules.
On the registration form, you will be asked to provide the following personal data: name, date and place of birth, nationality, permanent address, identity card or passport number, method of payment, arrival, travel time, reservation number, room number, car registration number if applicable, other contact details: telephone number, e-mail address. On the registration form, the data subject may give his/her consent to receive circulars and newsletters for marketing purposes.
purpose of processing: to ensure check-in to the hotel, to rent rooms to customers, marketing activities,
data processed: date of arrival and departure, reservation number, name, date and place of birth, nationality, address, identity card or passport number, method of payment, other contact details: telephone number, e-mail address (in case of e-mail address, possibility to subscribe to marketing circulars).
legal basis for processing: consent of the data subject
data retention period: 8 years according to the Accounting Act
method of data processing: electronic and paper-based
Pursuant to the provisions of Act II of 2007 on the entry and residence of third-country nationals, the persons concerned from a non-EEA country are required to fill in the registration form in Annex 26. Pursuant to Article 3 of the Act, a person who uses a valid travel document issued by a third country as proof of his/her nationality or a person who does not establish a prima facie presumption of the right of free movement and residence as defined by a special law shall be considered a third-country national unless proven otherwise. Pursuant to Article 73(2), the accommodation provider shall keep a record of the data of a third-country national staying in a commercial accommodation or other accommodation provided by a legal person in accordance with the prescribed form. The guest book shall be submitted to the territorially competent Regional Directorate of the Office for Immigration and Asylum in Northern Alföld by 31 March following the end of the year in question. The data on the form is recorded in the CTS hotel programme and then stored on paper in a locked cabinet for a period of 8 years.
Purpose of processing: to ensure check-in to the hotel, to provide rooms to customers, to comply with legal obligations
the type of data processed: name, date of birth, nationality, address, identity card or passport number, method of payment, arrival and departure times, visa number
legal basis for processing: legal authorisation, consent of the data subject
data retention period: at least 8 years according to the Accounting Act
method of data processing: electronic and paper-based
The controller keeps a record of the personal data of the data subjects for the purposes of paying tourist tax or proving exemption from tourist tax. The personal data shall be provided by the data subjects to the controller on the declaration in Annex 25.
the purpose of the processing: to ensure the conditions for tax liability, exemption, controllability, compliance with legal obligations
the type of data processed: name, date and place of birth, permanent address, arrival and departure times, tax exemption
legal basis for processing: legal authorisation, consent of the data subject
data retention period: at least 8 years according to the Accounting Act
method of data processing: electronic and paper-based
The room reserver (hereafter referred to as the data subject) has the possibility to book a room at Stay-Loft. This can be done via: the online booking interface, e-mail, telephone, fax, letter. When booking a room, in addition to the data relating to the stay, the Data Subject provides the Data Controller with the following data: name, e-mail address, telephone number, payment method, billing address, nationality and, in special cases (ifa exemption), age.
purpose of data processing: administration of room reservations, contact management, registration and fulfillment of reservations,
data processed: name, e-mail address, telephone number, payment method, billing address, nationality, age,
legal basis for processing: voluntary consent of the data subject
data storage period: 8 years according to the Accounting Act,
method of data processing: electronic and paper-based
The Data Controller shall handle complaints in accordance with the provisions of Act CLV of 1997 on Consumer Protection (hereinafter: the “Act on Consumer Protection”) in force on the date of the complaint, and the related data processing shall be carried out in accordance with Articles 17/A-C of the Act on Consumer Protection.
How customers and guests can report complaints:
A complaint made in person:
Oral complaints may be made in person at the Data Controller’s headquarters at 3 Karabély utca, 4030 Debrecen, Hungary.
If the data subject does not agree with the handling of the complaint or if it is not possible to investigate the complaint immediately, a record of the complaint must be made. A copy of the record shall be provided by the Data Controller to the person lodging the complaint.
The record of the complaint includes the following:
the name of the customer;
the customer’s address, registered office and, where applicable, postal address;
where, when and how the complaint was lodged;
a detailed description of the customer’s complaint, with a separate record of the objections raised in the complaint, in order to ensure that all the objections contained in the customer’s complaint are fully investigated;
a list of documents, records and other evidence produced by the client;
the signatures of the person taking the minutes and the client;
the place and time of recording of the minutes.
Not a complaint made in person:
Ways to make a complaint:
by phone: +36 52 782 994
by post: 4030 Debrecen, Karabély utca 3.
by e-mail: info@dryvitprofi.hu
In accordance with the provisions of Act CLV of 1997 on Consumer Protection (hereinafter referred to as the “Act on Consumer Protection”), the Data Controller shall in all cases put its actions regarding the complaint in writing and send it to the complainant within 30 days of receipt of the complaint, unless the guest communicates the complaint orally and the Data Controller complies with the complaint immediately.
The verbal complaint should be investigated immediately and remedied as necessary. If the consumer does not agree with the handling of the complaint or if it is not possible to investigate the complaint immediately, the undertaking must immediately take a record of the complaint and its position on it and give a copy of the record to the consumer on the spot in the case of an oral complaint made in person, or in the case of an oral complaint made by telephone or other electronic communications service, provide the consumer with a substantive reply in writing within thirty days at the latest and send the record at the same time.
Oral complaints made by telephone or by electronic communication services must be given a unique identification number by the undertaking.
The record of the complaint must include the following:
The Data Controller shall give reasons for its position rejecting the complaint. If the complaint is rejected, the undertaking must inform the consumer in writing of the authority or conciliation body to which he or she may refer the complaint, depending on its nature. The information shall also include the location, telephone and Internet contact details and the postal address of the competent authority or conciliation body in the place where the consumer resides or is staying. The information should also include whether the business will use the conciliation body to resolve the consumer dispute.
The undertaking must keep a record of the complaint and a copy of the reply for five years and present it to the supervisory authorities at their request.
purpose of processing: recording, investigating and handling complaints
data processed: the name, address or registered office of the customer, postal address, place and time of the complaint, the manner in which it was lodged, a detailed description of the complaint, a list of the documents and other evidence presented, the signature of the person who took the minutes and, in the case of an oral complaint made in person, the signature of the customer, the place and time of the taking of the minutes, the e-mail address and telephone number of the contact person
legal basis for processing: legal authorisation, consent of the data subject
data retention period: the Data Controller keeps the record of the complaint and a copy of the reply for 5 years
method of processing: electronically and on paper
A privacy notice on data processing in the context of complaint handling is set out in Annex 13. The data processors and recipients of data transfers that may be involved in this processing are listed in Annex 1.
The Data Controller operates an electronic surveillance system consisting of 36 cameras and 2 data recorders, as set out in the Annex to the Rules on CCTV surveillance, owned by the Data Controller, recording the common areas of the accommodation. The Data Controller shall operate the electronic surveillance system in accordance with the relevant provisions of the Civil Code, Act CXXXIII of 2005 on the Rules of Personal and Property Protection and Private Investigation (hereinafter referred to as the “Act on the Rules of Private Investigation”) and the provisions of Annex 19 to the Rules.
In accordance with the provisions of Section 31 of the Act, the electronic surveillance system is used for the protection of human life, physical integrity and personal freedom, the safeguarding of dangerous substances, the protection of business, payment, banking and securities secrecy, and the protection of property.
purpose of data processing: surveillance with cameras for the purpose of work and property protection
scope of the data processed: the image of the data subject, data that can be obtained from the camera image (location and time)
legal basis for processing: the data subject’s consent through spontaneous conduct [Szvtv. § 30 (2)]
time limit for data storage: in the absence of use, the recording will be deleted after 3 working days from the date of recording [Section 31 (2) of the Act on the Protection of Personal Data (Szvtv.)], in the absence of a request, if the recording has been requested by the Data Controller not to be destroyed by justifying a right or legitimate interest, it will be deleted after 30 days from the date of the request [Section 31 (6) of the Act on the Protection of Personal Data (Szvtv.)] [Szvtv .31.§(6)]
method of data storage: electronic
The Data Controller has taken all necessary steps to ensure the highest possible level of security of the data held during the processing procedure, in compliance with the regulations. The data will be stored on the premises of the hotel.
The data recorder is located in a separate room – protected against theft and damage, air-conditioning to ensure constant humidity and temperature, uninterruptible power supply to the servers in case of power failure, fire alarm system, connected to the 24-hour reception, access to the room is restricted to authorised persons.
The data recorder ensures data protection and retention through active virus protection, external access blocking, active firewalls and the use of a security access code.
Data management activities: website operation and software and hardware maintenance of data media. Data transfers not related to this processing
The data subject may lodge a complaint with the NAIH regarding the data processing procedure of the Data Controller:
Name: National Authority for Data Protection and Freedom of Information
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, P.O. Box 5.
Phone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Built in 2025, the STAY -LOFT Hotel*** offers a unique loft-style environment with modernly furnished and fully equipped hotel rooms, designed to our guests’ highest standards.
