Log in

Terms and Conditions

PRIVACY POLICY
CONCERNING THE HOMEPAGE OF TMRW HOTELS LIMITED LIABILITY COMPANY (13272668)
AND THE USE OF THE SERVICES OF FLOW PMS SYSTEM
Effective: from the 1st day of June, 2023 till withdrawal
1. Introduction
1.1. TMRW Hotels Limited Liability Company (Company registration number: 13272668; tax number:
UTR:4844717529; registered seat: Bm Centre, 11 St. Martins Close, Winchester, United Kingdom, SO23 0HD;
electronic contact details: info@flowpms.life; (hereinafter: „Service Provider, or Controller, respectively”)
produces the present Data Management Policy (hereinafter: „Policy”) concerning the provision of advertising
space and information, specifically but not exclusively the mediation of services (hereinafter „Services”)
specified in clause 23 of Section 2 of Act CLXIV of 2005 on commerce.
1.2. The Data Subject is the registered user of the online accessible website http://www.flowpms.life, (hereinafter:
„FLOW Homepage”) or the party concluding a contract for Services with the Service Provider and its Partner
– see: General Contractual Conditions of the Service Provider – respectively, or the beneficiary indicated in the
said contract (hereinafter the „Data Subject”).
1.3. The purpose of the Policy is to specify for the Users of the Service the scope of data processed by the Service
Provider, the method, purpose and legal grounds of data processing, as well as to ensure that the constitutional
principles of data protection and the requirements of data security are enforced, to prevent unauthorized access to
Users’ data, the alteration of the data and the unauthorized disclosure or usage of the data.
2. 2.1. Legal regulations of data protection
Legal regulations with special significance from the aspect of the Policy:
The Decree of the European Parliament and Council (EU) No. 2016/679 on the protection of natural persons with
regard to the processing of personal data and the free flow of such data, as well as on the rescission of decree
95/46/EC (hereinafter: „GDPR”)
3. Definitions
Data Subject: any specified natural person, identified by the personal data or a natural person who can be identified
directly or indirectly;
User: the Data Subject who registers on Service Provider’s Website and/or Application and who concludes a contract
for the Service with the Service Provider and its Partner, and furthermore who was specified as the beneficiary of the
Service by the above person(s);
Consent: voluntary and express declaration of the Data Subject based on appropriate information and by which he/she
provides his/her unambiguous consent to process the personal data concerning himself/herself fully or covering
certain operations;
1
Personal data: data that can be connected to the Data Subject, specifically the Data Subject’s name, ID, as well as
knowledge typical to his/her one or several physical, physiological, mental, economic, cultural or social identity, and
the conclusion concerning the Data Subject that can be drawn from the data;
Controller: the natural or legal entity or organisation without legal entity who or which independently or together with
others specifies the purpose of managing the data, makes the decisions and executes them concerning data processing
(including the tool used) or has the decision executed by the data processor;
Data processing/processing: irrespective of the applied procedure any operation or the aggregate of operations carried out
on the data, in particular collection, recording, organization, storage, alteration, usage, retrieval, forwarding, disclosure,
coordination or combination, blocking, erasure and destruction as well as preventing the further use of the data, taking
photos, voice or image recordings and recording the physical characteristics suitable to identify a person (e.g. finger-
or palmprints, DNA sample, iris image);
Data transmission: making the data accessible to a specified third person, in particular the Partner to the contract as per
clause 1;
Data processing: carrying out data processing operations, irrespective of the method and tool used to carry out the
operations and the location of the application;
Partner, Partners: contracted partners of the service provider, accommodation, hotels, hostels and apartments according to the
concept laid down in act CLXIV of year 2005, Section 2 Clause 23 on trading and in VM decree No. 62/2011. (VI. 30.) on
the food safety conditions of the production and distribution of catering products that actually perform the mediated services
laid down in clause 1;
Disclosure: making the data accessible to anybody
Erasing data: making the data unrecognizable in such a way that it is not possible to restore it;
Automatic processing: it includes the following operations if they are carried out in whole or in part with automated tools:
data storage, logical or arithmetical operations on the data, alteration, erasure, retrieval and distribution of the data;
Cookie: A cookie is a small text file stored on the hard drive of the computer or the mobile device and is activated at
later visits. Webpages use cookies with the purpose to record the information connected to the visit (pages visited,
time spent on the page, browsing data, exits etc.) and the personal settings; however, these data cannot be related to
the Data Subject. This tool helps to design a user-friendly webpage in order to increase the online experience of the
Data Subject. Most of the internet browsers automatically accept cookies; however, the Data Subjects have the
opportunity to delete or reject them. As all browsers are different the Data Subjects can set their preferences regarding
cookies individually, through the toolbar of the browser. If the Data Subject does not want to enable any cookie from
the websites visited, he/she can modify the settings of the browser so that he/she receives a notification about the
cookies that have been sent or he/she may simply reject all cookies or only cookies sent by certain websites. At the
same time the user may delete the cookies stored on his/her computer, notebook or mobile device at any time. For
further information concerning settings please refer to the Help of the browser. If the Data Subject decides to disable
the cookies, he/she must renounce certain functions of the website (e.g. the website would not remember that the
Data Subject remained logged in). There are two types of cookies: “session cookies” and “persistent cookies”.
Session cookies: these are stored by the computer, notebook or mobile device only temporarily until the Data Subject
leaves the given website; these cookies help the system to remember information while the Data Subject makes a visit
from one page to another, so the Data Subject must not repeatedly enter or complete the given information.
Persistent cookies: these are stored on the computer, notebook or mobile device even after leaving the website. With
these cookies the website will recognize – although personally would not identify – the Data Subject as a returning
visitor. The persistent cookies are stored on the computer or mobile device of the Data Subject as files.
Flash cookies: Adobe Flash Player that is used to run certain types of animated banners and different types of videos
(youtube, vimeo) is able to store information on the computer, notebook or mobile device. The acceptance of „Flash
cookies” cannot be set through the Web browser. If the Data Subject does not want to receive Flash cookies it must
be set on the website of Adobe: www.adobe.com/hu/privacy/cookies.html. If the Data Subject disables Flash cookies
it is possible that he/she would not be able to use certain functions of the websites – in this case the Homepage – e.g.
the videos attached to the articles would play incorrectly.
System: the entirety of the technical solutions operating the pages and services of the Controllers and their partners
accessible through the internet.
Otherwise under the concepts used in the present Policy the contents of the explanations made of the concepts in the
TMRW GTC of the Service Provider as well as in section 3 of the Info Act and Article 4 of the GDPR shall be
understood with the condition that in case of deviations the contents laid down in the GDPR shall be governing.
4. 4.1. 4.2. Purposes of data processing and the scope of data processed by the Service Provider
Service Provider declares that it processes personal data only for exercising rights or fulfilling obligations. It does not
use the personal data processed for private purposes and data processing always complies with the purpose limitation
principle – if the purpose of data processing has terminated or data processing is otherwise unlawful the data will be
erased.
In order to prevent abuse, the Flow Homepage can only be used after registration
(hereinafter: „Registration”) in accordance with the prevailing general contractual terms and conditions (hereinafter
„TMRW GTC”) of the Service Provider, in order to ensure Services, prevent abuse and avoid safety hazards. Contract aiming at
2
4.3. Services is established through the booking (hereinafter: „Booking”) of the Data Subject as user, registered in
accordance with the prevailing general contractual terms and conditions of Service Provider.
Service Provider may process the personal data of the Data Subjects for the following purposes, in the following
scope and proportion:
Specification of the
purpose of data
processing:
1. Registration; specifically
– the identification of the Data Subjects;
– Communication with the Data Subjects and providing information to them
Description of the
processes and
operations:
See: TMRW GTC item V
Expected duration
and deadline of data
processing:
As a general rule till the deletion of the registration, in cases exceeding that
• for 5 years for the data concerned with regard to Section 78 paragraph (3) of the Act
on the Rules of Taxation
• for 8 years for the data concerned with regard to Section 169 (1)-(2) of the
Accounting Act
• In addition, for a longer period if it is provided by law
The controller retains the right to process the relevant data to the extent necessary for the
deadlines exceeding the above deadlines till the deadline open to enforce the demands well-
founded by rights and obligations arising from activities giving cause for data processing
Personal data
– scope, type and
categories
Data to be provided as a condition of the Registration: surname and first name (if different,
name at birth also), place and date of birth, mother’s name, tax identification code,
nationality, personal identification number, identification card number, home address (or
residence, notification address), email address, phone number or other contact possibility
of the registering Data Subject
Location of data
processing
At the controllers, see below.
Legal grounds of
data processing
GDPR, Chapter II, Article 6 (a), (b), (c)
Specification of the
purpose of data
processing:
2. Booking; specifically
– the identification of the Data Subjects;
– Getting acquainted with the requirements of the Data Subjects;
– Communication with the Data Subjects and providing information
Description of the
processes and
operations:
See: Clause VI of TMRW GTC
Expected duration
and deadline of data
processing:
As a general rule till the deletion of the registration, in cases exceeding that
• for 5 years for the data concerned with regard to Section 78 (3) of the Act on the
Rules of Taxation
• for 8 years for the data concerned with regard to Section 169 (1)-(2) of the
Accounting Act
• In addition, for a longer period if it is provided by law
The controller retains the right to process the relevant data to the extent necessary for the
deadlines exceeding the above deadlines till the deadline open to enforce the demands well-
founded by rights and obligations arising from activities giving cause for data processing.
Personal data
– scope, type and
categories
Data to be provided depending on the type of Booking if these were not provided during
Registration: surname and first name (if different, name at birth also) place and date of
birth, mother’s name, nationality, home address (or residence, notification address), email
address, phone number or other contact possibility of the Data Subject entitled to use the
Service
Location of data
processing
At the controllers, see below.
Legal grounds of
data processing
GDPR, Chapter II, Article 6 (1) (a), (b), (c)
Specification of the
purpose of data
processing:
Provision of Service; specifically
– Getting acquainted with the requirements of the Data Subjects;
– Communication with the Data Subjects and providing information to them
Description of the
processes and
operations:
See: Clauses VI-XX of TMRW GTC
Expected duration
and deadline of data
As a general rule till the deletion of the registration, in cases exceeding that
3
processing: Personal data
– scope, type and
categories
Location of data
processing
Legal grounds of
data processing
Specification of the
purpose of data
processing:
Description of the
processes and
operations:
Expected duration
and deadline of data
processing:
Personal data
– scope, type and
categories
Location of data
processing
Legal grounds of
data processing
Specification of the
purpose of data
processing:
Description of the
processes and
operations:
• for 5 years for the data concerned with regard to Section 78 (3) of the Act on the
Rules of Taxation
• for 8 years for the data concerned with regard to Section 169 (1)-(2) of the
Accounting Act
• In addition for a longer period if it is provided by law
The controller retains the right to process the relevant data to the extent necessary for the
deadlines exceeding the above deadlines till the deadline open to enforce the demands well-
founded by rights and obligations arising from activities giving cause for data processing.
Information essential to exercise rights and obligations laid down in the GTC, over and
above the data provided during Registration and Booking.
In this scope, special data, thus data concerning health, could also be processed (See:
Clause XI of TMRW GTC).
At the controllers, see below.
GDPR, Chapter II, Article 6 (1) (a), (b), (c)
GDPR, Chapter II, Article 9 (2) (a), (c), (e)
4. Newsletter subscription; subscription for Direct Marketing
The Registered Data Subjects have the opportunity to subscribe to the Service Provider’s
newsletter as per Section 6 of the Grtv on the specifically dedicated interface on the
Flow Homepage , and when making Booking to subscribe also to the newsletter
forwarded through the given Partner Service Provider (hereinafter:
„Subscription to Newsletter”). Service Provider may deliver online newsletters and
electronic direct marketing messages containing novelties, news and offers to the Data
Subjects subscribed to the newsletter(s).
Until user unsubscribes, otherwise by the cancellation of the Registration.
Data to be provided as a condition of Direct Marketing Subscription if they were not
provided during Registration or when the Data Subject intends to give different data:
name; email address; social media profiles of the subscribing Data Subject
The possibility of unsubscribing is provided by a direct link in all newsletters.
At the controllers, see below.
GDPR, Chapter II, Article 6 (1) (a)
5. Preparation of an anonymised database; preparation of statistics; specifically
– to better understand users’ demands;
– in order to improve TMRW services
Registered Data Subjects have the opportunity to allow Service Provider through their
express consent on the dedicated interface of the on the Flow homepage to obtain
authorisation for collecting anonymised data of the Data Subjects about their habits of
using the Service, in order to better serve them. Within this scope Service Provider is
furthermore entitled to evaluate registered Data Subjects in its prize program or within
another initiative with similar purpose based on Data Subject’s bookings, orders and
consumption data and grant discounts, price reductions, exclusive offers and promotions
in accordance with the evaluation. Service Provider records information in any of its
databases referred to above in such a way that the information itself is not suitable to
identify Data Subjects in case of unauthorized access.
The registered Data Subject may request Service Provider through email to take a view of
the data collected related to his/her user ID and may request that Service Provider deletes
the connected information and data.
4
Expected duration
and deadline of data
processing:
Until the deletion requested by the Data Subject; otherwise until the Registration is
cancelled.
The Controller retains the right to process the relevant data to the extent necessary for the
deadlines exceeding the above deadlines till the deadline open to enforce the demands well-
founded by rights and obligations arising from activities giving cause for data processing.
Personal data
– scope, type and
categories
The anonymised and/or encoded system data, cookie data, orders submitted during
bookings, specific orders and additional consumption data concerning the Data Subjects.
Location of data
processing
At the controllers, see below.
Legal grounds of
data processing
GDPR, Chapter II, Article 6 (1) (a)
GDPR, Article 22 (2) (c)
Specification of the
6. To increase customer experience, technically improve the IT system, protection of users’
purpose of data
rights
processing:
Description of the
processes and
operations:
Until the permission is granted the Flow homepage requests a permission from the
visitor of the Flow homepage every time the page is opened for using the cookies
applied by the Flow homepage, for the following purposes: to provide better and faster
customer experience, to display tailor-made advertisements based on the automatically
recorded data of the registered Data Subject, to prepare statistics, to technically improve
the IT system and to protect the rights of the users.
(The above jointly referred to: customizing cookies.)
Expected duration
and deadline of data
processing:
Until the period provided for the application of the cookies by Service Provider –
published on the Flow homepage – but not more than cancelling the Registration.
Personal data
– scope, type and
categories
The anonymised and/or encoded system data, cookie data, orders submitted during
bookings, specific orders and additional consumption data concerning the Data Subjects.
Location of data
processing
At the controllers, see below.
Legal grounds of
data processing
GDPR, Article 22 (2) (c)
(In consideration of which Article 6 (1) (a) of Chapter II; Article 9 (2) (a) of the GDPR)
5. Sumary of the legal grounds of data processing
5
5.1. Service Provider processes the personal data lawfully, in accordance with the following clauses of Article 6 (1) of
Chapter II of the GDPR:
(a) – “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” –
, I/N
(b) –
“processing is necessary for the performance of a contract to which the data subject is party or in order to take steps
at the request of the data subject prior to entering into a contract” –
,
I/N
(c) –
“processing is necessary for compliance with a legal obligation to which the controller is subject” –
, I/N
(d) –
“processing is necessary in order to protect the vital interests of the data subject or of another natural person” –
, I/N
(e) –
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official
authority vested in the controller” –
,
I/N
(f) –
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,
except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which
require protection of personal data, in particular where the data subject is a child” –
,
I/N
and, in the case of special categories of personal data, in accordance with the following clauses of Article 9 (2) of
Chapter II of the GDPR:
(a) – “the data subject has given explicit consent to the processing of those personal data for one or more specified
purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 11 may not be
lifted by the data subject” –
,
I/N
(b) –
“processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller
or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by
Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards
for the fundamental rights and the interests of the data subject” –
,
I/N
(c) –
“processing is necessary to protect the vital interests of the data subject or of another natural person where the data
subject is physically or legally incapable of giving consent” –
,
I/N
(d) –
“processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation,
association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition
that the processing relates solely to the members or to former members of the body or to persons who have regular contact
with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of
the data subjects” –
,
I/N
(e) –
“processing relates to personal data which are manifestly made public by the data subject” –
, I/N
(f) –
judicial capacity” –
“processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their
,
I/N
(g) –
“processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which
shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and
specific measures to safeguard the fundamental rights and the interests of the data subject” –
,
I/N
(h) –
“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working
capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health
or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health
professional and subject to the conditions and safeguards referred to in paragraph 32”

,
I/N
(i) –
“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious
cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or
medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard
the rights and freedoms of the data subject, in particular professional secrecy” –
,
I/N
(j) –
“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1)3 based on Union or Member State law which shall be proportionate
to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to
safeguard the fundamental rights and the interests of the data subject”.
I/N
6. Method of data collection
6.1. The data of the Data Subjects according to clause 7 of the present Policy are received and obtained by Service
Provider through its Flow homepage or in every case, based on the voluntary consent of
1 (1) Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union
membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
2 “Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those
data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or
Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy
under Union or Member State law or rules established by national competent bodies.”
3 “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be
subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those
safeguards shall ensure that technical and organisational measures are in place”
6
the registering party or the registered Data Subjects, respectively. For the authenticity of the personal data provided it
is always the registering entity and the registered Data Subject, respectively, responsible. Service Provider does not
verify the personal data given to him.
6.2. By accepting the present Policy, the Data Subjects are obliged to accept the provisions of the present Policy and give
their consent that Service Provider processes the data included in clause 7.
6.3. By using the Flow homepage or and by concluding the contract for the Services, respectively, the Data Subjects
expressly accept the present Policy.
7. Principles of Data processing
7.1. Personal data may only be obtained and processed in a fair and lawful manner.
7.2. Personal data may only be stored for specified and lawful purposes and may not be used in any different way.
7.3. The scope of the Personal Data processed must be proportionate to the purpose of their storage, must meet this goal
and may not extend beyond it.
7.4. Appropriate safety measures must be taken to protect the personal data stored in the automated data files to prevent
accidental or wrongful destruction or accidental loss as well as unauthorized access, alteration or distribution.
8. Registering data processing activities
8.1. Service Provider and, where applicable, the Service Provider’s representative, shall maintain a record of processing
activities under its responsibility. That record shall contain all of the following information:
– the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative
and the data protection officer;
– the purposes of the processing;
– a description of the categories of data subjects and of the categories of personal data;
– the categories of recipients to whom the personal data have been or will be disclosed including recipients in third
countries or international organisations;
– where applicable, transfers of personal data to a third country or an international organisation, including the
identification of that third country or international organisation and, in the case of transfers referred to in the second
subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
– where possible, the envisaged time limits for erasure of the different categories of data;
– where possible, a general description of the technical and organisational security measures referred to in Article 32 (1).
Service Provider shall make the record available to the supervisory authority on request.
9. Data Protection Officer
9.1. With respect to the fact that the obligatory event laid down in Article 37 of Chapter IV of the GDPR subsists –
processing of special categories of personal data, regular and systematic monitoring of data subjects on a large scale –, a data protection
officer was appointed on 1 June 2022.
Service Provider hereby informs the Data Subjects that in case they observe disquieting procedures, incidents or any
other circumstances from the aspect of data protection the lawfulness of which is otherwise objectionable from a legal
and/or technical, organisational point, or the investigation of which is at least justified, the Data Subjects can make
announcement and get in touch with the data protection officer by informing the competent employee or manager of
the Service Provider, but independently of him/her, at the following contact details.
Name and contact details of the Data Protection Officer: Gergely Tálasi, info@flowpms.life
10. Transfer of data
10.1. Service Provider is entitled and obliged to transfer to the competent authorities all personal data available to it and
regularly stored by it the transfer of which is made obligatory by legal regulation or legally binding enforcement notice.
Service Provider may not be held responsible for such transfer and for the resulting consequences.
10.2. In addition to the above, the Service Provider may transfer data exclusively to the Partners related to the Service
Provider, and, within them, exclusively to Partners who have contractual obligation to provide Services with respect to
the Data Subject; accordingly, the Service Provider may transfer data to a Partner exclusively for the purpose and to
the extent of performing Services. The data of individual Partners are available in the booking menu item of the
Flow homepage; however, the Service Provider will send the relevant data of the Partner concerned as the data
processor of Service Provider – name, registered seat, contact details, scope of data to be transferred by indicating the purposes
of data processing, the physical locations of data processing if outside the system – to the Data Subject when confirming the
booking.
7
10.3. 10.4. In relation to the above and otherwise, if the Service Provider transfers the operation or utilization of the content
services on the Flow homepage in whole or in part – including the Partners as well – than it can transfer the data
processed by it to this third person in full, without requesting specific consent for further processing.
Service Provider transfers data, in addition to the above, exclusively to processors in contractual relationship with it,
and, within them, only to those who are bound by contractual obligation in connection with the Flow homepage or
and the system(s) serving them; accordingly, the Service Provider transfers data to third persons exclusively and to
the extent of fulfilling the purposes indicated in the present Policy. This data transfer may not bring the Data Subject
concerned into a position more disadvantageous than the data processing and data security rules indicated in the
prevailing text of the present Policy.
Processors of the Service
Provider
scope of data affected purpose(s) of data
processing affected
Physical location(s) of data
processing
Amazon Web Services,
Inc.
Registered office: 410
Terry Avenue North
Seattle, WA 98109-5210
USA
Contact details:
Mailing address: Box
81226 Seattle, WA 98108
Telephone: (206) 266-
4064
Fax: (206) 266-7010
E-mail:
abuse@amazonaws.com
https://aws.amazon.com
Name of Data Subject,
email address of Data
Subject, invoicing
address of Data Subject,
room type affected by
the booking(s), room
number affected by the
booking(s), name of
hotel affected by the
booking(s)
Data processing of
Customer contracts
Automated cloud
service of the TMRW
System; performing
backup operations of
the TMRW System
Amazon Web Services (AWS)
EC2 cloud-based service
provider
More information:
https://aws.amazon.com/about
-aws/global-
infrastructure/?hp=tile&tile=gi
map
10.5. Service Provider undertakes as a general obligation that any transfer carried out by the Service Provider may not bring
the user concerned into a position more disadvantageous than the data processing and data security rules indicated in
the prevailing text of the present Policy.
10.6. Service Provider does not transfer the personal data of the Data Subjects to third countries and international
organisations (outside the EU, non-EEA countries) except when the Data Subject provided its specific consent and
according to the conditions laid down in a written declaration issued by the parties by providing appropriate
guarantees that suit the provisions of the GDPR.
The above stipulation does not extend to cases laid down in Article 45 of the GDPR according to which if the
purpose of a transfer is a governmental and/or international organisation for which a valid, so-called „adequacy
decision” issued by the Committee is in force no separate consent is required for such a transfer. At the date of the
present instrument, accepted adequacy decision is in force for the following third countries: Andorra, Argentina, Faroe
Islands, Guernsey, Israel, Jersey, Canada, Isle of Man, Switzerland, Uruguay, U.S.A. (Privacy Shield), New Zealand – in
case of Japan and South Korea the adequacy procedure is in progress.
11. The security of data processing
8
11.1. In accordance with the obligation of Section 32 of the GDPR, the Service Provider – by keeping in mind as its
obligation – does its utmost so as to ensure the security of the data of the Data Subjects; furthermore it takes the
necessary technical and organisational measures and develops the rules of procedure that are required to enforce the
rules of the GDPR and other rules of data and secret protection.
11.2. Service Provider processes data primarily in the frame of automatic processing – Flow homepage as well as the
systems serving them – and processing any data requiring human intervention may only take place exceptionally and to
the extent justified. The activities of the Service Provider and the processors involved by it suits the following
requirements: organisational security, security connected to employees, external persons and security connected to
the environment, classification and verification of assets, communication and operational management, access
control, operational continuity management, systems engineering and maintenance.
11.3. The so-called cloud-based applications are also part of the System serving the Flow homepage (see: Service
Provider’s prevailing general contractual terms and conditions). Service Provider chooses its partners providing cloud services
with the utmost possible care – see among the processors indicated – and takes all generally expected measures to
conclude contracts with them that keep in view the data security interests of all concerned and the data processing
principles of which are transparent to it, and to regularly check data security. Physically, the data of the Data Subjects
are stored in the cloud. By accepting the present Data Processing Policy, the Data Subject expressly agrees to the
transfer required for making use of the cloud-based applications.
11.4. 11.5. 11.6. Partners can process personal data in exceptional cases only, following prior notice and exclusively for providing
Services and/or for fulfilling legal obligations – e.g. storage of invoices – for which data processing the present Policy must
be applied in an appropriate manner; otherwise the Partners may only carry out data processing activities in
connection with performing Services.
Service Provider protects the data in particular against unauthorized access, alteration, transmission, disclosure,
cancellation or destruction as well as against accidental destruction and damages. The data automatically and
technically recorded in the course of the operation of the Service Provider’s system(s) are stored in the System
calculated from the generation of such data for a period justified by the aspect of ensuring the operation of the
System. Service Provider ensures that these automatically recorded data cannot be connected to other personal data
with the exception of cases made mandatory by the law. If the Data Subject terminated its consent to process his/her
personal data or has unsubscribed from the Flow homepage, his/her person will not be identifiable from the
technical data thereafter, not including the investigating authorities and their experts.
Links: It is possible that reference or link can be found on the Service Provider’s Flow homepage pointing to sites
maintained by other service providers and financial enterprises (including buttons and logos pointing to login and
share options), where the Service Provider has no influence on the experience of processing personal data and
where Service Provider does not carry out data sharing/transfer, respectively. Service Provider draws the attention
of the Data Subjects to the fact that by clicking on such links they may reach the sites of other service providers and
financial enterprises. In such cases Service Provider recommends that the Data Subjects by all means read the data
processing policies concerning the use of these sites. If the Data Subject modifies or deletes any of his/her data on an
external website, this would not affect the Service Provider’s data processing, such modification must be made
also on the Flow homepage.
12.
13. 13.1. 13.2. 13.3. 13.4. The period of data processing
In case of registered Data Subjects until the registration is cancelled.
The data of not registered Data Subjects are cancelled when the related Service is closed in the system of the Service
Provider.
The data provided for the newsletter subscription and Direct Marketing are deleted without delay when the Data
Subject unsubscribes or when the registration expires.
Otherwise, the Service Provider deletes the data processed upon the request of the Data Subject except for the data
the continued processing of which is necessary for settlement disputes or other legal disputes between the parties –
until they are settled – and/or due to legal regulations. Within the latter, in particular, but not exclusively:
the data concerned with regard to Article 78 (3) of the Act on the Rules of Taxation, for 5 years
9
the data concerned with regard to Article 169 (1)-(2) of the Accounting Act
In addition, for a longer period, if it is provided by the laws.
13.5. Service Provider retains the right to process the relevant data to the extent necessary for the deadlines exceeding the
above deadlines till the deadline open to enforce the demands well-founded by rights and obligations arising from
activities giving cause for data processing.
14. The source of data processing
14.1. The data processed are obtained directly from the registered Data Subject; in consideration of that, the Service
Provider only starts processing the data provided to it – the data are recorded in its system only then – when the
registered Data Subject makes a declaration by undertaking criminal liability during the bookings that the data were
provided with the knowledge and explicit consent of the Data Subject designated as qualified for the given Service
with the purpose of identification and making use of the Service.
15. 15.1. 16. 16.1. 16.2. 16.3. 16.4. 16.5. Possibilities of modifying the Data Processing Policy
Service Provider retains the right to unilaterally modify the present Policy in the future. It will publish the new Policy
on the Flow homepage.
Providing information, right to object, erasing data, data processing restrictions
The Data Subject may request information about the processing of his/her personal data and may also request the
rectification of these personal data and – with the exception of data processing ordered by legal regulation – the
deletion of them based on the present Policy, in particular on the contact details provided above.
Upon the request of the Data Subject submitted by email, the Service Provider provides information about the data
processed, the purpose of data processing, its legal grounds, the period of processing, the name and address (seat) of
the processor and its activities related to data processing, and, in addition, who shall receive or have received the data
and for what purpose. The controller is obliged to respond within the shortest time possible but within maximum
fifteen (15) days counted from the submission of the request in an easy to understand manner and free of charge –
refunding of costs is charged by the Service Provider in exceptional cases only (if the party requesting the information
has not yet submitted a request to the controller concerning the same scope of data in the current year. In other cases,
refunding of costs may be established. The rate of refunding may be laid down in the contract concluded between the
parties. The already paid cost refunding must be reimbursed, if the data was processed unlawfully or the request for
information has led to rectification.
If the provision of information to the Data Subject cannot be refused according to the law, the Service Provider gives
information about the data of the Data Subject processed by it or by the processor commissioned according to its
instructions, the sources of these data, the purpose of data processing, the legal grounds, duration, name and address
of the data processing entity and its activities related to data processing, the circumstances of the data protection
incident, its effects and the actions taken to prevent them, and furthermore – in case of transmitting the personal data
of the Data Subject – about the legal grounds of data transmission and the addressee of it. Moreover, the information
covers the information specified in Articles 13 and 14 of Chapter II of the GDPR.
Service Provider is obliged to rectify the personal data not corresponding to the facts. The controller erases the
personal data if processing of them is unlawful, the Data Subject requests it – in this case within maximum five (5)
days –
, if it is incomplete or incorrect – and this status cannot be rectified legitimately – provided that erasure is not
excluded by law, if the purpose of data processing has discontinued, the period of storing the data specified by the law
has expired or the Court or the National Authority for Data Protection and Freedom of Information has ordered it.
Service Provider shall inform the Data Subject as well as all other entities to whom it transferred the data for data
processing purposes about the rectification and erasure. This notification may be ignored, if it does not hurt the
rightful interests of the Data Subject in consideration of the purpose of data processing.
If the Data Subject uses personal data unlawfully or deceptively, or commits a crime, the Service Provider retains the
right to preserve the relevant data in case of using them in this manner for demonstration in the incidental litigious
and non-litigious procedure until the procedure is concluded. The latter shall be applied appropriately to the case
when the Data Subject requested the erasure of the personal data in order to prevent or at least render more difficult
the enforceability of the rightful claim of the Service Provider and/or Partner.
The Data Subject may object to the processing of his/her personal data, specifically
– if the processing or transfer of the personal data is necessary only for compliance with a legal obligations to which
the Service Provider is subject or the enforcement of the rightful interests of the Service Provider, the receiver of
the data or a third person, except for mandatory data processing;
– if the personal data are used or transferred for direct marketing purposes and for the purposes of opinion polling
or scientific research, and
– in other cases specified by law.
10
16.6. Service Provider shall examine the objection within the shortest possible period but maximum within fifteen (15)
days, makes a decision regarding its grounds and informs the applicant about the decision in writing. Service Provider
suspends data processing for the period of the investigation but for maximum five (5) days. If the objection is
justified, the head of the organisational unit processing the data shall proceed in accordance with the provisions
specified by the GDPR. In addition, the Data Subject may exercise the right to object using automated devices based
on technical specifications by renouncing the Service included in the TMRW GTC, cancelling the registration and
applying other related options available in the TMRW System (Article 21 (6) of the GDPR).
16.7. If the Service Provider establishes that the objection of the Data Subject is well-founded, terminates data processing –
including further data recording and transfers –
, blocks the data, and notifies all to whom it previously transferred the
personal data affected by the objection about the objection and the actions taken, and who are obliged to take
measures in order to enforce the right to object. If the Data Subject does not agree with the decision of the Service
Provider, or if the Service Provider neglects the deadline, the Data Subject may go to law within thirty (30) days
counted from the date of communicating the decision or the last day of the deadline, respectively.
16.8. Service Provider shall compensate for the damages caused to other parties by the unlawful processing of the data of
the Data Subject or by violating the requirements of technical data protection. Service Provider shall be exempted
from liability, if it demonstrates that the damage was caused by force majeure outside the scope of data processing. No
compensation for the damage is due if it originates from the deliberate or negligent behaviour of the aggrieved party.
16.9. Information to the Data Subjects can be omitted/rejected or restricted for reasons set forth in the provisions of
Article 13 (4) and Article 14 (5) of the GDPR and by providing a detailed justification, if
– the Data Subject already has the information;
– the provision of such information proves impossible or would involve a disproportionate effort, in particular for
processing for archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes, subject to the conditions and safeguards referred to in Article 89(1) of the GDPR or in so far as the
obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing. In
such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and
legitimate interests, including making the information publicly available;
– obtaining or disclosure is expressly laid down by Union or Member State law to which the Service Provider is
subject and which provides appropriate measures to protect the data subject’s legitimate interest; or
– where the personal data must remain confidential subject to an obligation of professional secrecy regulated by
Union or Member State law, including a statutory obligation of secrecy.
16.10. Otherwise, the Data Subject is entitled to get access to the personal data concerning him/her as well as to the
following information:
– Copies of the personal data (for additional copies costs are charged)
– The purposes of data processing;
– The categories of data;
– Data related to automatic decision making and profiling;
– Information concerning the source in case of taking over data;
– Recipients to whom the data have been or will be disclosed;
– Information and guarantees related to transfers to third countries;
– The period and aspects of storage,
– Rights of the Data Subjects
– Right to contact the authorities.
16.11. Complying with its obligation specified in Article 14 (3) of Chapter III of the GDPR, the Service Provider, if the
personal data has not been obtained from the Data Subject, in particular, if it has been provided by a registered user in
relation to the Data Subject entitled to use the Service, the Service Provider shall inform the Data Subject without
delay, but within one month at the latest, of all information the knowledge of which is contained in this Policy, via the
contact details known by the Service Provider.
16.12. The way of exercising the right to access: If the Data Subject submitted the application electronically, the information
must be made available in a widely used electronic format unless the Data Subject requests otherwise.
16.13. The right to request a copy may not affect negatively the rights and freedom of others.
16.14. If the Service Provider has made the data public and is obliged to erase them in such a way that it makes reasonably
expected steps by taking into account available technology and the costs of implementation in order to inform other
processors in connection with the deletion of the relevant links, copies and duplicates.
11
16.15. Data Subject may not avail itself of the right of deletion and to be forgotten, if data processing is necessary: for the
freedom of expression, to perform a legal obligation or to exercise public power, for reasons of public interest in the
areas public health, for archiving purposes in the public interest, for scientific and historical research purposes and for
the exercise of legal claims.
16.16. Service Provider shall restrict data processing upon the request of the Data Subject if
– the Data Subject disputes the accuracy of the personal data
– data processing is unlawful, and the Data Subject opposes the erasure of the data
– the Service Provider no longer needs the data any more but they are required by the data subject for the establishment,
exercise or defence of legal claims;
– the Data Subject has objected to processing and the Service Provider is still carrying out an investigation.
17. Notification obligation
17.1. Service Provider shall communicate any rectification or erasure of personal data or restriction of processing to each
recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate
effort.
18. Data portability
18.1. The Data Subject is entitled to receive his/her data made available to the Service Provider:
– in a structured, commonly used and machine readable format
– have the right to transmit those data to another controller
– may request that the personal data shall be transmitted directly from one controller to another –
– where technically feasible
Except when the processing is for the performance of a task carried out in the public interest or in the exercise of
official authority.
19. Remedies
These conditions are governed by UK law. The court in the district where the controller has its place of business has
the sole jurisdiction if any dispute regarding these conditions may arise, save when a legal exception applies.
Dated: 1. June 2023
TMRW Hotels Ltd
…………………………….
represented by Csaba Kató managing director
12