BILANX 

Privacy Policy

Calimocho Kft., as the operator of Bilanx Restaurant, provides the following information regarding data processing related to the use of the services provided by Bilanx Restaurant and the websites operated by the corporate group, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: “GDPR”).

DATA CONTROLLER AND CONTACT DETAILS:

Data Controller: Calimocho Kft.
Registered Address: 1051 Budapest, Mérleg utca 10.
Company Registration Number: 01-09-412664
Representative: Balázs Jobbágy, Managing Director
Operated Website: https://bilanxbudapest.hu
Operated Restaurant: Bilanx Restaurant
E-mail: hello@bilanxbudapest.hu

DEFINITIONS:

• “Personal data”: Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• “Processing”: Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• “Data controller”: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• “Data processor”: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
• “Recipient”: A natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.
• “Data subject’s consent”: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
• “Data breach”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

INFORMATION ON THE PROCESSING OF PERSONAL DATA:

1. Processing of data of contracting natural person partners – customer and supplier records

1.1 Purpose of data processing: The processing of personal data of natural persons who have contracted with the Company as customers or suppliers for the purpose of concluding, performing, and terminating contracts, as well as providing contractual discounts.

1.2 Legal basis for data processing: The processing is necessary for the performance of a contract to which the data subject is a party.

1.3 Scope of data subjects: Natural persons who have contracted with the Company.

1.4 Recipients of processed data: Employees of the Company involved in customer service, accountants, and tax service providers.

1.5 Processed data:

• Name
• Birth name
• Date of birth
• Mother’s name
• Address
• Tax identification number
• Tax number, entrepreneur number
• Headquarters, business premises address
• Phone number, email address, website
• Bank account number

1.6 The processing of personal data is also considered lawful if it is necessary to take steps at the request of the data subject prior to entering into a contract.

1.7 The data subject shall be informed before the processing begins that the processing is based on the legal basis of contract performance, which can also be stated in the contract. The data subject shall be informed about the transfer of their personal data to data processors.

1.8 Retention period of personal data: Data necessary for identification and contact shall be retained until the expiration of the legal rights and obligations arising from the relevant legal relationship. Data included in accounting documents shall be retained for at least 8 years in accordance with Section 169(2) of Act C of 2000 on Accounting.

1.9 Mode of processing: Electronic.

1.10 Data Processors:

• KBOSS.hu Kft. (Invoicing service provider)
  Address: 1031 Budapest, Záhony utca 7.
  Representative: Balázs Ángyán, Managing Director
  Company Registration Number: 01-09-303201
  Tax Number: 13421739-2-41
  E-mail: info@szamlazz.hu
  Data Protection Officer: Dr. Éva Istvánovics, Attorney
  Contact: dpo@kboss.hu
• Account-Trix Hungary Kft. (Accounting service provider)
  Representative: Beatrix Tóthné Oláh
  Contact: iroda@a-trix.hu
  Address: 2143 Kistarcsa, Király Andor utca 18.
  Company Registration Number: 13-09-206594
  Tax Number: 27985302-2-13

2. Processing of contact details of natural person representatives of legal entities

2.1 Purpose of data processing: Performance of contracts concluded with the Company’s legal entity partners and business communication.

2.2 Legal basis for data processing: Processing is necessary for the performance of a contract to which the data subject is a party.

2.3 Scope of data subjects: Natural person representatives of legal entity clients, customers, and suppliers.

2.4 Recipients of processed data: Employees involved in customer service, accounting, taxation, and data processors.

2.5 Processed data:

• Name
• Address
• Phone number
• Email address

2.6 Retention period of personal data: Upon termination of the contract or change of the contact person, the data shall be deleted immediately.

2.7 Mode of processing: Electronic.

2.8 Data Processor: Name: KBOSS.hu Commercial and Service Limited Liability Company (KBOSS.hu Ltd.) (invoicing service provider) Registered Office: 1031 Budapest, Záhony utca 7. Representative: Balázs Ángyán, Managing Director Company Registration Number: 01-09-303201 Tax Identification Number: 13421739-2-41 E-mail: info@szamlazz.hu Data Protection Officer: Dr. Éva Istvánovics, Attorney Contact: dpo@kboss.hu

3. Data processing related to images, video, and audio recordings made of individuals and employees during events

3.1 The Data Controller shall create audio, image, and video recordings of the data subject or involving the data subject exclusively with the prior consent of the individual concerned, in compliance with Article 2:48(1) of the applicable Civil Code. The Data Controller shall undertake only those actions (e.g., transmission, publication) to which the data subject has explicitly consented in the relevant declaration.

3.2 Data processing may only take place upon voluntary and explicit consent provided by the data subject.

3.3 Purpose of data processing: enhancing the Company’s image and brand through marketing activities, specifically the creation and use of photographic recordings taken during events.

3.4 Legal basis for data processing: consent-based handling of personal data.

3.5 Scope of data subjects: event participants and employees.

3.6 Recipients of the processed data: individuals responsible for marketing tasks.

3.7 Data processed: the audio and visual likeness of the data subject and any other information obtainable from the photographic recordings.

3.8 Duration of personal data storage: until consent is withdrawn.

3.9 The Data Controller may occasionally engage a data processor for creating and processing images, video recordings, and audio recordings.

4. Visitor data processing on the Company’s website – Information on the use of cookies

4.1 Cookies are short data files placed on the user’s computer by the visited website. Their purpose is to facilitate and enhance the convenience of a given infocommunication or internet-based service. There are several types of cookies, generally categorized into two major groups: temporary (session) cookies, which the website places on the user’s device only during a specific session (e.g., for security authentication during internet banking), and permanent (persistent) cookies (e.g., language settings of a website), which remain on the computer until the user deletes them. According to European Commission guidelines, cookies (except those strictly necessary for using a service) may only be placed on a user’s device with the user’s permission.

4.2 For cookies that do not require user consent, information must be provided upon the user’s first visit to the website. It is not necessary to display the entire text of the cookie notice on the website; it is sufficient if the website operators provide a brief summary of the information and include a link to the full notice.

4.3 In cases where cookies require user consent, the information may also be provided upon the user’s first visit to the website if data processing related to the use of cookies begins immediately upon accessing the site. If the cookie is associated with a function explicitly requested by the user, the information can also be provided in connection with the use of that function. Even in such cases, it is not necessary to display the complete cookie notice text on the website; a brief summary with a link to the full notice is sufficient.

4.4 The Cookie Notice available on the website provides information to visitors about the use of cookies. Through this notice, the Company ensures that visitors can be informed at any time—both before and during their use of the website’s information society services—about which types of data the Company processes and for what purposes, including the processing of data that cannot directly identify the user.

5. Social Media Platforms / Data processing on the Company’s Facebook and Instagram pages

5.1 The Data Controller is available on the social media platform Facebook, as well as on other social media platforms (TripAdvisor, YouTube, Instagram, Google).

5.2 The use of social media platforms, particularly Facebook and Instagram, including contacting the Data Controller, maintaining contact, or performing other actions permitted by these platforms, is based on voluntary consent.

5.3 Purpose of data processing: Maintaining contact with Bilanx followers through social media and presenting Bilanx’s services, activities, and events.

5.4 Scope of data subjects: Individuals who voluntarily follow, share, or like the Data Controller’s social media pages or content, especially those available on facebook.com and instagram.com.

5.5 The Data Controller does not process personal data posted by visitors on its Facebook or Instagram pages. Visitors are subject to Facebook’s and Instagram’s Privacy Policies and Terms of Service.

5.6 In case of publishing unlawful or offensive content, the Company may remove the individual from the page members or delete their comments without prior notice.

5.7 The Company shall not be responsible for any unlawful data content or comments posted by Facebook users. Furthermore, the Company shall not be liable for any errors, malfunctions, or issues arising from the operation or any changes in the operation of Facebook or Instagram.

6. Table Reservation and Appointment Scheduling

6.1 The Data Controller allows data subjects to make table reservations related to Bilanx services, and to discuss additional reservation-related questions by providing the personal data detailed below.

6.2 Legal basis for data processing: Processing personal data based on consent.

6.3 Purpose of data processing: Facilitating table reservations and maintaining communication with data subjects.

6.4 Scope of data subjects: Any natural person making a reservation by providing their personal data.

6.5 Recipients of personal data: Employees of the Data Controller and the employees of the company operating the restaurant at which the reservation is made.

6.6 Personal data processed:
The natural person initiating a reservation provides:

• Full name,
• Mobile phone number,
• Email address,
• Reservation details (date and time, duration, number of guests, dietary preferences or allergies, event).

6.7 Process of data management:

• Data subjects may schedule reservations via the contact phone number or email address provided by the Data Controller, or by submitting a reservation request through the website.
• During scheduling, the Data Controller records provided data in an electronic registration system and confirms the reservation verbally and/or in writing.
• By clicking the “Table Reservation” link on the website, data subjects can submit their reservation requests through the DinnerBooking system by providing necessary details and payment information required at the time of reservation. Confirmation is provided via the DinnerBooking system, but the Data Controller may also contact the data subject by phone prior to the reservation to clarify details. The Data Controller does not access or process the bank card data provided during reservation.
• Ideally, data subjects appear in person at the reserved time to utilize the restaurant’s services.
• Data subjects voluntarily consent, in line with the data processing purpose, that if they provide contact information, the Data Controller may use it to notify them about any potential cancellations or changes, to address complaints, or to take further actions related to complaints.

6.8 Duration of personal data storage: Until the purpose is achieved or consent is withdrawn.

6.9 Method of data processing: Electronic.

6.10 Data Processor:
DinnerBooking
Lyongade 21, 1.
2300 Copenhagen S
Denmark

https://biz.dinnerbooking.com/en-gb/privacy-policy/

7. Newsletter Distribution

7.1 The Data Controller sends advertising materials, notifications, offers, and/or newsletters related to the activities and services of the restaurant operated by the Data Controller to data subjects who have explicitly consented to receive such communications.
Data subjects may withdraw their consent at any time by clicking on the unsubscribe link provided in the emailed newsletter, or by sending an email directly to the Data Controller’s email address.

7.2 Legal basis for data processing: Processing of personal data based on consent.

7.3 Purpose of data processing: Sending newsletters and maintaining contact with data subjects.

7.4 Scope of data subjects: Any natural person who explicitly consents to receiving newsletters either during table reservation or by subscribing to the newsletter.

7.5 Recipients of personal data: Employees of the Data Controller and employees of the company operating the restaurant where the data subject has made a reservation.

7.6 Personal data processed:
Natural persons subscribing to the newsletter:

• Full name,
• Email address.

7.7 Duration of personal data storage: Until consent is withdrawn.

7.8 Method of data processing: Electronic.

7.9 Data Processor:
Intuit Mailchimp General Information
405 North Angier Avenue North East
Atlanta, GA 30308
United States
https://mailchimp.com/gdpr/

8. Data Processing Related to Consent Declarations

8.1 The Data Controller requests paper-based or electronic consent declarations from data subjects to access, process, and, where applicable, transfer their personal data.

8.2 Legal basis for data processing: Processing of personal data based on consent.

8.3 Purpose of data processing: Managing consent declarations to ensure proof of the legal basis for data processing, fulfilling the requirements of consent (accountability principle), and maintaining contact.

8.4 Scope of data subjects: Any natural person who provides the Data Controller with a declaration of consent for processing their personal data for a specific purpose.

8.5 Recipients of personal data: Employees involved in the relevant data processing activities and data processors.

8.6 Personal data processed: Data provided in the specific consent declaration relevant to the particular data processing activity.

8.7 Duration of personal data storage: Until the withdrawal request by the data subject or until the end of the specific data processing activity.

8.8 Method of data processing: Paper-based or electronic.

DATA SECURITY
The Data Controller and the data processors acting on its behalf shall implement appropriate technical and organizational measures to guarantee a level of data security appropriate to the risk, considering the state of technology, the cost of implementation, the nature, scope, context, and purposes of data processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons.

RIGHTS OF DATA SUBJECTS
The data subject is entitled to receive concise, transparent, comprehensible, and easily accessible information from the Data Controller, presented clearly and in plain language, regarding the following:

1. The identity and contact information of the Data Controller and any Data Processors.
2. In the event of data processing based on legitimate interest, the legitimate interests pursued by the Data Controller or a third party.
3. Where applicable, the contact details of the Data Controller and the recipients of personal data.
4. The fact that data processing is based on the legitimate interests of the Data Controller or a third party, where applicable.
5. Where applicable, the recipients of personal data.
6. Where applicable, the fact that the Data Controller intends to transfer personal data to a third party.
7. The planned duration of personal data storage.
8. The right of the data subject to request from the Data Controller access to personal data, correction, deletion (in specific cases based on certain legal grounds), restriction of processing, or to object to the processing of their personal data, in specific cases.
9. In cases where data was not collected from the data subject, the source of the data and whether the data originated from publicly accessible sources.
10. The right to withdraw consent to data processing at any time when processing is based on consent, without affecting the lawfulness of processing carried out prior to withdrawal.
11. The right to lodge a complaint with a supervisory authority.
12. Information about whether providing personal data is based on legal or contractual obligations, or is a requirement necessary to enter into a contract, and whether the data subject is obligated to provide personal data.

At the request of the data subject, information can also be provided orally, provided the identity of the data subject has been verified by other means.

The Data Controller shall provide the requested information without undue delay and, in any case, within one month from receipt of the request. Considering the complexity and number of requests, this period may be extended by an additional two months if necessary. The Data Controller shall inform the data subject of the extension and the reasons for the delay.

If a data subject’s request is clearly unfounded or excessively repetitive, the Data Controller may charge a reasonable fee for providing the requested information or refuse to act on the request.

If the Data Controller intends to process personal data for purposes other than the original purpose of data collection, it must inform the data subject in advance about the new purpose and all other relevant information outlined previously.

Right of Access
The data subject has the right to obtain confirmation from the Data Controller about whether or not their personal data is being processed. If such data processing is taking place, the data subject has the right to access the following information:

1. The personal data being processed;
2. The categories of personal data involved;
3. The recipients or categories of recipients to whom personal data have been or will be disclosed;
4. Where applicable, the planned storage period of the personal data;
5. The right of the data subject to request rectification, deletion, restriction of processing, or object to processing under certain conditions;
6. The right to lodge a complaint with a supervisory authority;
7. Available information regarding the source of personal data if it was not collected directly from the data subject;
8. Information about automated decision-making, including profiling, the logic used in these processes, and the significance and expected consequences of such processing for the data subject.

Upon request, the Data Controller shall provide a copy of the personal data subject to processing. The Data Controller may charge a reasonable fee based on administrative costs for additional copies requested by the data subject.

If the request was submitted electronically, the information should be provided in a commonly used electronic format unless otherwise requested by the data subject. The right to request a copy shall not adversely affect the rights and freedoms of others.

Right to Rectification
Upon request by the data subject, the Data Controller shall rectify inaccurate personal data concerning the data subject without undue delay. The data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.

Right to Erasure (Right to be Forgotten)
The data subject has the right to request from the Data Controller the deletion of their personal data.
The Data Controller is obligated to erase personal data concerning the data subject without undue delay if one of the following grounds applies:

1. The personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2. The data subject withdraws consent on which the processing is based (in cases where data processing is based on consent), and there is no other legal basis for processing;
3. The data subject objects to processing based on legitimate interests, and there are no overriding legitimate grounds for processing;
4. The personal data have been unlawfully processed;
5. The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject.

The Data Controller shall inform any recipients to whom the personal data were disclosed about the deletion request.

The Data Controller is not obligated to delete personal data if the processing is necessary for:

1. Exercising the right of freedom of expression and information;
2. Compliance with a legal obligation under Union or Member State law;
3. Performance of a task carried out in the public interest;
4. Reasons of public interest in the area of public health;
5. Archiving purposes in the public interest;
6. Scientific or historical research purposes, or statistical purposes; or
7. The establishment, exercise, or defense of legal claims.

Right to Restriction of Processing
The data subject has the right to obtain from the Data Controller restriction of processing where one of the following applies:

1. The accuracy of the personal data is contested by the data subject; in this case, restriction applies for a period enabling the Company to verify the accuracy of the personal data;
2. Processing is unlawful, and the data subject opposes the erasure of personal data and requests restriction instead;
3. The Data Controller no longer requires the personal data for processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
4. The data subject has objected to processing based on legitimate interests, pending verification whether the legitimate grounds of the Data Controller override those of the data subject.

If data processing is restricted based on the above, the affected personal data—except for storage—may only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims.

The Data Controller shall notify all recipients to whom the personal data have been disclosed regarding any restriction of processing.

Right to Object
The data subject has the right, based on reasons related to their particular situation, to object at any time to the processing of their personal data. In this case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

If personal data are processed for direct marketing purposes, the data subject has the right at any time to object to processing for such purposes. In this case, personal data shall no longer be processed for direct marketing purposes.

Right to Data Portability
The data subject has the right to data portability. Upon the data subject’s request, the Data Controller shall provide the personal data provided by the data subject in a structured, commonly used, and machine-readable format. The data subject also has the right to transmit these data directly to another data controller without hindrance from the Data Controller, provided this is technically feasible.

Exercising the right to data portability does not adversely affect the right to erasure. The right to data portability shall not apply to processing necessary for the performance of tasks carried out in the public interest or in the exercise of official authority vested in the Data Controller.

The right to data portability shall not adversely affect the rights and freedoms of others.

Right to Lodge a Complaint

If the data subject believes that the Data Controller has violated the provisions of the GDPR or applicable Hungarian laws in processing their personal data, the data subject is entitled to lodge a complaint with the Hungarian supervisory authority (National Authority for Data Protection and Freedom of Information – NAIH) at the following contact details, without prejudice to any other administrative or non-judicial remedy:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, Pf.: 9.
Website: http://naih.hu
E-mail: ugyfelszolgalat@naih.hu

Without prejudice to other administrative or non-judicial remedies, the data subject has the right to an effective judicial remedy against a decision of the NAIH concerning them.

The data subject also has the right to effective judicial remedy if the NAIH does not handle their complaint or fails to inform the data subject within three months about the progress or outcome of the submitted complaint.

Without prejudice to other administrative or non-judicial remedies—including the right to lodge a complaint with the supervisory authority—the data subject is entitled to effective judicial remedy if they consider that their rights under the GDPR have been infringed due to improper processing of their personal data.

The Data Controller or its appointed Data Processor is responsible for demonstrating compliance with data processing requirements under the GDPR.

The data subject may initiate legal proceedings at the court competent according to their place of residence or habitual residence.