Privacy Policy


Gerlóczy Boutique Hotel (hereinafter referred to as the: Service Provider) carries out hotel operation tasks, and, as a result, it manages data for the performance of the services. The Service Provider manages the personal data of the inquiring persons, the persons asking for an offer, and the ones booking accommodation (hereinafter referred to as the: Data Subject) on the website (hereinafter referred to as the: Website).
Gerlòczy Kávéház Kft. (hereinafter referred to as the: Service Provider) carries out hotel operation tasks, and, as a result, it manages data for the performance of the services. The Service Provider manages the personal data of the inquiring persons, the persons asking for an offer, and the ones booking accommodation (hereinafter referred to as the: Data Subject) on the website (hereinafter referred to as the: Website).
1. Contact details of the data controller
• Name: BHG Projekt Zrt.
• Head office and mailing address: 1052 Budapest, Gerlóczy u. 1.
• Contact phone no.: +36 1501 4000
• Email address:

2. The scope of the managed personal data
We request different personal information from the users so that they can have access to different services, taking the principle of data saving into account. This Privacy Policy only covers the data of the natural persons who visit the website, as personal data can only be interpreted for natural persons.
Anonymous information that is collected by the data controller by excluding the possibility of personal identification is not considered personal data and cannot be connected to natural persons, and demographic data is not considered as personal data that is collected, but is not connected to the personal data of identifiable individuals, therefore no connection with any natural person can be established.
Listed below, the scope of managed data is as follows:
2.1 The persons asking for an offer:
• Name
• E-mail address
• Phone number
2.2 The inquiring persons:
• Name
• E-mail address
• Phone number
2.3 People making hotel booking:
• Name (surname and first name),
• Personal ID card number,
• Phone number
• E-mail address
• Citizenship,
• Date of birth
• Place of birth
• Mother’s name
• Home address
• Bank account number – for transfers
• Student ID card number – for student discount

2.4 Children
Our products and services are not intended for persons under the age of 16, and we ask the persons under the age of 16 not to provide any Personal Data for the Data Controller. If we are aware that we have collected personal information from a child under the age of 16, we will take the steps necessary to delete the data as soon as possible.

3. Cookie (anonymous user ID) handling information
The Data Controller places anonymous user ID (cookie) on the Data Subject’s computer, which in itself is in no way able to identify the Data Subject. They are only suitable for recognizing the Data Subject’s computer, however, they do not store IP address, and do not forward IP address as personal data to the Service Provider. The used cookies are simple, short, and small-sized text files. It is not required to provide personal data or information as the User does not provide personal data to the Service Provider when the solution is used, and there is data exchange only between the computers.
Own cookies required for the operation of the website
To operate the website, it is essential to place some cookies on the Data Subject’s computer to make it faster to load the website, and the own web browser can store certain information about the website and help the Data Subject so that his website’s modules work properly.
cb-enabled (day 1)
Function: Prevents further loading after accepting the Cookie bar. If the Data Subject chooses the “ACCEPT” option, his choice will be saved, and no further acceptance will be requested for 30 days.
KRID (days 1 to 7)
Function: It is important for the registration and the basket functions. It is necessary for the products to stay in the basket when the user leaves the basket and continues browsing the website, or when he enters a registered interface, the system does not signs him out while browsing the website.
Analytical cookies
In order to gain access to our website’s number of visitors and other web analytical data, the service provider uses the services of independent analytical servers, namely the Google Analytics software. These service providers can provide detailed information about the handling of the measurement data to the Data Subject.
For Google Analytics, the Service Provider has made the settings in the website’s code that the Google Analytics uses to anonymize the Data Subject’s IP address so it no longer can be identified, and will not be handed over to the Service Provider. For more information on this technology, see:
The aim is to analyze the number of visitors and the functional use of our website to improve user experience by the anonymized information provided by the above software (e.g. providing optimized navigation, sequencing information on a sub-page).
These measurements do not store information about the users that could be used to identify the user, neither the IP address, nor any personal information.
Google Inc.’s privacy policy is available at ALL/privacypolicy.html.
The affected service providers can provide more information about the used cookies:
You find here the answers how to identify and the characteristics of the Google Analytics cookies:
Cookies used for advertisements
The Service Provider can use 21st century online marketing solutions, such as the Google AdWords and the Facebook ads. These advertising solutions use cookies during their operation. These cookies help the operation of the system, so that no irrelevant advertisements appear for the Data Subject, but such that are in their current range of interest. On the Portal, the Service Provider uses the remarketing codes provided by Google Adwords, as well as by Facebook. The remarketing code also uses cookies.
The installed cookie does not transmit personal information to the Service Provider, it only helps to display the ads connected to the Service Provider’s products and the services on other Google Display network websites or on the Facebook visited by the Portal’s visitor later.
Manual override of automated preferences for ads, intervention and setting options
The user can disable the cookies at any time and personalize ads on the Google or Facebook ad setting interfaces.
The Google user account’s privacy settings can be performed here by the Data Subject:
The privacy settings of the Facebook user account can be accessed under the settings menu and the privacy and ad settings submenu.
Stopping and enabling the use of Cookies
To change the browser’s settings:
The “Help” function in the menu bar of most browsers provides information about
• how to disable cookies,
• how to accept new cookies ,or
• how to instruct your browser to set a new cookie, or
• how to turn off other cookies
in your browser.
Blocking browser plug-ins:
If the Data Subject does not want the Google Analytics to measure the above data in the manner and for the purposes described above, he can install the blocking plug-in on his browser.
Using external solution for cookie management:
Using external websites, the Data Subject can manage for which Service Providers he allows ad cookie activity on his computer. One solution is available in Hungarian: AdChoices.

4. Community media plug-ins
The plug-ins are disabled on the Portal by default. These plug-ins are also cookies. The plug-ins are only enabled if the Data Subject clicks on the proper button (e.g. likes an article, pins an image, or starts following the Service Provider’s Facebook site by clicking on the “Like” button). By enabling the plug-in, i.e. by clicking on the “like” button, the Data Subject creates a link with the community site, so he clearly indicates that he accepts that his data will be forwarded to the Facebook / Twitter / Linked-in / Pinterest / Instagram.
If the Data Subject is logged onto Facebook / Twitter / Linked-in / Pinterest / Instagram, it may happen that the given social network will associate his visit with the Data Subject’s community account.
If the Data Subject clicks on one of the above-mentioned social media buttons, his browser will forward the relevant information directly to the social network and store it there.
The information on the scope and purpose of the data collection, the further processing and use of your data on Facebook / Twitter / Linked-in / Pinterest / Instagram, and your rights and settings for the protection of your personal information can be found in the social media’s privacy notice.
The user of the website’s services acknowledges that by using the website he has approved the processing of his data by Google.

5. Technical data – log files
To use the services, the system automatically logs the following information:
– the dynamic IP address of the user’s computer
– depending on the settings of the user’s computer, the type of the browser used by the user and of the operating system
– the user’s activity related to the website
The use of these data serves, on the one hand, technical goals, such as the analysis of the servers’ safe operation, and their subsequent verification. This is an automated IT security process that is recorded in the system logs without the statement of the Data Subject.
The above data are not suitable for the identification of the user, and are not linked to other personal data by the Data Controller. The system stores the logging information for 6 months from the date of the visit.

6. The legal basis and the purpose of data management

6.1 For persons asking for offer and inquiring persons
Data handling is necessary for the steps preceding the conclusion of the contract; the purpose of the data management is to provide the Data Subject with personalized service and, at the request of the Data Subject, to send them a quotation which may serve as a basis for any subsequent contract or order.

6.2 For persons making online booking
The data management is necessary for the steps preceding the conclusion of the contract, the purpose of data management is to provide personalized service for the Data Subject and the legal basis for the contact details is the consent of the Data Subject.

7. The duration of data management

7.1 For persons asking for offer and inquiring persons
If the contract has been concluded, the data are managed for the duration of the contract and for 8 years after the year of performance, in accordance with the Accounting Act. If the contract has not been concluded, i.e. the objective has not been achieved, the data will be handled by the Service Provider until 1st March of the year following the expiration of the offer.

7.2 For persons making online booking
For contact data, your data are managed until your consent is withdrawn. For the scope of the Data Subject that is properly managed by the Service Provider after the performance of the Contract by law, the data management time required by the law is applied (such as the handling of Invoicing Information as per the Accountancy Act, for 8 + 1 years after the purchase).

8. Scope of data, data transmission, data processing
The internal staff of the Service Provider is entitled to get to know the personal data collected from the data subjects, but they must not publish it. The data is forwarded to third parties only at the request of the Data Subject to the recipient specified by the data subject for the purposes of data processing.
For the purpose of carrying out the tasks arising from the activities of the Service Provider (bookkeeping, issuing electronic invoices, sending a newsletter), a data processor may be employed.
The categories of the data processors and the addressees of the data forwarding:
Name: DBI Szoftver Kft.
Head office: 4034 Debrecen, Vágóhíd utca 2.
Category: web hosting operator
Name: Hotelsystem Kft.
Head office: 4400 Nyíregyháza, Őz köz 37.
Category: online booking, hotel software
Name: Hungary Kft.
Head office: 1054 Budapest, Szabadság tér 7.
Category: travel agency portal
Name: Szállá Kft.
Head office: 3525 Miskolc, Régiposta u. 9.
Category: travel agency portal

9. The rights of the data subject, the available remedies

9.1 The Data Subject requests the Data Manager
a) to provide information on the handling of his personal data,
b) to correct his personal data, and
c) to delete or block his personal information, except for mandatory data management.
d) the forwarding of his personal data to another data controller.

9.2 At the request of the Data Subject, the Data Controller shall provide, within 30 days of the submission of the request to do so, written information about the data, the source, the purpose, the legal basis, the duration of the data processing of the Data Subject’s data made by the data processor, the name and address of the data processor, and his activity connected to the data processing, moreover, if the data subject’s data are forwarded, the legal basis and the addressee of the data transfer.
The information is free of charge if the person requesting the information has not yet submitted any request for information for the same area during the current year to the Data Controller. Otherwise, the Data Controller determines cost reimbursement; the already paid reimbursement shall be paid back if the data has been handled unlawfully, or the request for information has resulted in correction.
The Data Controller shall keep a data transmission record to check the lawfulness of the data transmission, and inform the Data Subject, which contains the date of the personal data’s transmission he manages, the legal basis and the addressee of the data transfer, the determination of the scope of the transferred personal data, and other data specified in the law which orders data processing.
The Service Provider keeps a Data Protection Incident Record for the purpose of checking the measures related to data protection incidents, and for informing the Data Subject, which contains the scope of the Data Subject’s personal data, the scope and number of the persons affected by the data protection incident, the date, the circumstances, the effects and the measures taken to remedy the data protection incident, and other data specified in the law that prescribes data management.

9.3 The Data Subject may at any time have the right to request the correction or deletion of incorrectly recorded data. Such a request must be made in writing and sent by regular mail or electronic mail. The Service Provider will cancel the data within 3 business days of receiving the request, in which case they cannot be recovered. The deletion does not apply to the data management required by law (e.g. accounting rules); the Service Provider keeps such data for the required period of time.

9.4 The Data Subject may also request that his data should be locked and forwarded to another data controller. The Service Provider locks the personal data, if requested by the data subject, or if, based on the available information, it is assumed that the deletion would violate the legitimate interests of the Data Subject. The so locked personal data can only be handled as long as there is a data management objective that has excluded the deletion of personal data.

The Data Subject and all the persons should be informed of the correction, locking and deletion to whom the data have been previously transferred for the purpose of data handling. The notification might not be necessary if the purpose of the data processing does not violate the legitimate interests of the Data Subject.
If the Service Provider fails to comply with the Data Subject’s request for correction, locking or deletion, he shall inform the Data Subject about the factual and legal causes of the refusal of the request for the correction, locking and deletion within 30 days of the receipt of the request.
Furthermore, the Data Subject can send the following information to the Data Controller to one of the contact details indicated in sub-section 9.5:
• he may request the transfer of his data to another data controller if the data processing is based on a contract or consent, and is handled in an automated procedure by the Service Provider;
• he may have the right to revoke his previous consent for data management.
The Data Subject may object to the handling of his personal information. The Service Provider shall examine the objection within the shortest possible time, but not later than within 15 days from the submission of the request, and shall make a decision on its well-foundedness, and shall inform the requesting person about the decision in writing. In the case of refusal of the request for correction, cancellation or locking, the Data Controller informs the Data Subject about the possibility of a judicial remedy and the possibility of an appeal to an Authority.
Information about data security measures:
The Data Controller provides default and built-in data protection. To this end, the Data Controller shall apply appropriate technical and organizational measures to:
• precisely regulate the access to the data;
• allow access only to the persons who need the data to perform their tasks, and they should have access only to the data that is minimally necessary for the task;
• carefully select the data processors entrusted by him, and provide data security by concluding appropriate data processing contracts;
• ensure the integrity, credibility and protection of the processed data (data integrity).
The Data Controller shall apply reasonable physical, technical and organizational security measures to protect the Data Subject’s data, in particular against accidental, unauthorized, and unlawful destruction, loss, modification, transmission, use, access, or processing. The Data Controller shall promptly notify the Data Subject of any unauthorized access to or use of personal data, which is known to the Data Controller, and involves high security risk for the Data Subject.
The Data Controller, if it is necessary for the transmission of the Data Subject’s data, will ensure that the transmitted data are properly protected, for example by encrypting the data file. The Data Controller is fully responsible for the handling of the Data Subject’s data by third parties.
The Data Controller shall make adequate and regular backups to ensure that the Data Subject’s data is protected against destruction or loss.

9.5 The Data Subject may exercise his rights under the following contact details:
Mailing address: 1052 Budapest Gerlóczy utca 1.
E-mail address:
The Data Subject may contact the Service Provider with any questions or observations regarding the processing of his data using the contact details in sub-section 9.5.

9.6 The Data Subject, pursuant to the GDPR, the Info Act and the Civil Code (Act V of 2013),
• may turn to the National Authority for Data Protection and Freedom of Information (1125 Budapest, Erzsébet Szilágyi fasor 22/c,, or
• exercise his rights before the Court.

9.7 In the event that the Data Subject has given any third party’s information for the use of the Service, during the registration, or when subscribing to the newsletter, or has caused any damage during the use of the Website, the Service Provider is entitled to claim damages from the Data Subject. In such a case, the Service Provider shall provide all the available assistance to the authorities for the purpose of establishing the identity of the infringing person.