Privacy Policy

Mandala Day Spa is observing the latest European Union law regarding data protection. In our operation we are strictly observing all the private information what our customers gives with confidentiality.

Privacy Policy

Mandala Day Spa complies with the obligations of newly introduced European Union laws in the field of data protection and uses the information we receive from guests in strict confidentiality in strict compliance with the law.

Information you provide at Mandala Day Spa

  • They are treated honestly and lawfully.
  • They may only be used for specific purposes.
  • They are kept only for the time absolutely necessary.
  • They shall be processed taking into account the rights of persons belonging to the data.
  • Under no circumstances can they be released from the company’s systems to third parties.

Your consent

When registering or purchasing vouchers in the Mandala Day Spa webshop, as well as visiting and managing the site, you consent to the collection and processing of your personal data, to use your personal data provided to execute your order, and to send you informational material, commercial offers and newsletters to the contact details provided.

If we change our data management procedure, we will immediately indicate the changes in our webshop and send you an information email. This way, you will always be aware of any changes to our privacy policy or relationship, including what information we collect, how we use it, and to whom we make it available.

Mandala Day Spa assures you that your information will be treated confidentially in accordance with applicable personal data protection law. Without your authorization, your data will not be passed on to third parties.

We strive for a high level of protection of your data and its correct handling, please contact the data controller with any questions:

Mandala Day Spa-Spa Operator Ltd., 1133, Budapest, Ipoly utca 8.
Phone: +36 1 491 0078

Email: reservation@mandaladayspa.hu

 

What personal data do we collect?

We store the data you provide during the registration process.  You can use our website without registering, but if you want to use certain features, such as newsletter sign-up and shopping functions, you will need to create a personal account. In addition, we may ask for your personal information when you contact our Customer Service, which allows us to personally identify our guests if they wish to use our services.

Your personal data collected during your visit to Mandala’s Day Spa and any special categories of data will be stored in our central database. What kind of information do we collect during the visit? We list the personal data of our guests, possible minimum health data, guests’ preferences, evaluations of treatments and spa, and based on the collected data, we can send a promotional offer in the future to the email address you provided.

In case of personal, phone or email bookings, we ask for the name, phone number, email address of our guests, and if the value of the treatment exceeds HUF 40,000, we ask for a 50% deposit from the value. The information obtained in this way is used to finalize the treatment.

How do we use your personal data?

  • The data we collect may be used in the future:
  • When selecting, fulfilling, confirming the dates of bookings and treatments
  • To assess visitor satisfaction
  • To send you emails related to your visit to us
  • We can contact you with special and personalized offers

Who do we share your personal data with?

Under no circumstances will we transfer the personal data stored by us to third parties without the prior permission of our guests. We reserve the right to disclose personal data if required by court proceeding, decision or regulation, or if we feel it is necessary to protect our rights. We may also share lists of data, which do not contain personal information, with third parties for statistical or demographic purposes.

What are your rights?

The Data Subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and may object to processing of such personal data and exercise his or her right to data portability in accordance with the provisions of the GDPR.

Mandla Day Spa does not make decisions based on automated data processing and does not perform profiling. Mandala Day Spa will not transfer the data subject to the processing contained in this policy to third countries outside the EEA.

You may lodge a complaint with the National Authority for Data Protection and Freedom of Information regarding the data processing, data processing and data transfer described in this prospectus. Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Postal address: 1530 Budapest, PO box: 5. Phone: +36 -1-391-1400 Fax: +36-1-391-1410 E-mail: ugyfelszolgalat@naih.hu

In addition, in case of unlawful processing of your data, you may also turn to the competent court.

Contact details of the Data Protection Officer Data Protection Officer (DPO): dr. Veronika Francis-Hegedus, e-mail: veronika.hegedus@gmail.com.

Budapest, 26.09.2024

 

Spa Operator Ltd.

About the operation of the security camera system and the use of recorded images

The rules governing electronic image surveillance at Mandala Day Spa (1138 Budapest, Ipoly utca 8) are governed by the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”), Act I of 2012 on the Labour Code (“Labour Code”), as well as the Personal and Property Protection Act,  and within the framework of Act CXXXIII of 2005 on the Rules of Private Investigator Activities (“Szvtv.”), bearing in mind the guiding recommendations of the former Data Protection Commissioners and the National Authority for Data Protection and Freedom of Information, as follows:

  1. Purpose and content of the policy

1.1. The purpose of this policy (hereinafter: “Policy”) is to ensure that Mandala Day Spa, as data controller and employer (hereinafter referred to as “Spa”), has installed an electronic image surveillance system at its headquarters (including employees of Spa and persons with other employment relationships with Spa, hereinafter referred to as “Employees”; persons subject to camera surveillance hereinafter collectively:  “Data subjects”) in accordance with European Union and Hungarian legal regulations on the right of informational self-determination, transparently and in full respect of the constitutional and personal rights of the Data Subjects.

  1. Purpose of camera surveillance

The purpose of the camera surveillance within the building: · protection of the life, physical integrity and personal liberty of persons residing in the area of the data controller’s property, · protection of business and payment secrets, · protection of persons residing in the area of the property and assets owned or used by the data controller (property protection).

The Data Controller shall implement an electronic surveillance system in the properties affected by its activities. It achieves the following objectives: to detect infringements, to catch the perpetrator in the act, to prevent these unlawful acts, and to use them as evidence in connection with them in official proceedings. Scope of processed data: video and/or audio recording. The behaviour of the person concerned by the surveillance and the data that can be obtained with the camera image (location, length of stay) are considered processed data.

 

  1. Purpose limitation of camera placement, surveillance and use of image recordings

3.1 The Spa shall place each camera in a place and angle of view that is consistent with the personal and property protection purpose set out in Section 2.

Camera location

Day Spa

1 – Checkout

2- Corridor 1

3 – Small Office

4 – Laundry

5 – Teahouse

6 -Door to car park

7 -Reception

8 – Beauty room

9 – Employees’ room

10 – Main entrance from outside

11 – Kitchen
12 – Reception Product section

13 – Tea house, snack bar

14 – Main front door inside

15 – Side reception

Swimming pool section

1 – Hot pool

2 – Kitchen

3 – Main pools

4 – Main pools

5 – Orient swing section

6 – Orient seating area

7 – Orient entrance

8 – Saunas

9 – VIP room

10 – Massage chairs

11 – Orient kitchen

12 – Bath, computer room 1

13 – Bathroom, computer room 2

 

3.2 It is forbidden to install cameras in rooms or at viewing angles designated for the purpose of spending the Employees’ working hours, nor to install cameras in changing rooms, toilets, showers and all places where visual surveillance may violate human dignity.

3.3 Camera surveillance and the recorded image recording may only be used for the purpose specified in the Policy, provided that the use is essential and suitable for achieving the purpose.

3.4 No proceedings related to his/her work may be initiated against the Employee on the basis of video recordings, unless the labour law dispute was based on the conduct of the Employee that violates or endangers the financial interests of Spa, and the recorded video recording is suitable for proving this conduct.

  1. Legal basis for camera surveillance

4.1 Camera surveillance of Data Subjects is based on the legitimate interest of the Spa and – in the case of Employees as part of the control of employment-related conduct – on the statutory authority set out in Section 11/A (1) of the Labour Code.

4.2 Balancing interests: the purpose of data processing based on legitimate interest is set out in Section 2 of this Policy. The right of Data Subjects limited by data processing is the right to image and privacy. The Spa has determined the position of the cameras in such a way that the angle of view of the camera is always directed at a person, event or property to be protected. In the areas monitored by the cameras, the purpose of camera surveillance (point 2) could not be achieved by a measure involving minor restrictions. Considering that Spa always informs the Data Subjects about the fact and essential circumstances of camera surveillance, therefore data processing does not come unexpectedly to the Data Subjects, the duration of data processing is in accordance with the legal requirements (Section 6), only the persons specified in this policy can view the data described
are entitled to procedures (Section 5), review and use may only take place in cases specified in this policy (Section 5), Spa considers that data processing meets the requirement of necessity and proportionality.

4.3 Data subjects shall be informed in writing about the fact of camera surveillance and video recording and the details of data processing. As part of its obligation to provide information, the Spa is obliged to place a warning sign and the most important information about the operation of the cameras in a clearly perceptible place and manner in the monitored areas.

  1. Right to Access and Review

5.1 The Spa conducts real-time, direct monitoring.

5.2 The managing director and the spa manager are entitled to review the recorded images in the presence of the police. The recorded video recordings may only be viewed retrospectively in justified cases, in order to enforce the legitimate interest of the Spa (see Section 2 of the Regulations) or to exercise the rights of the Employee or other Data Subject (see Section 8 of the Regulations).
If the reason for entitlement ceases to exist, access to stored images shall be terminated immediately.

5.3 Spa is obliged to record the fact, reason and time of non-automatic data processing operations related to the image recordings (review, saving on data carrier, forwarding, individual deletion), as well as the person performing the data processing operation and getting to know the recordings. An electronic register containing this information in a verifiable manner shall also be considered a protocol.

  1. Place and duration of retention of image recordings

6.1 The image recordings are stored by the Spa on its own internal server.

6.2 The recorded image recordings are stored by Spa for a maximum of 14 days from the date of recording in the absence of use within 3 days, as no special reason arises for the data controller that would justify longer data retention compared to general personal and property protection purposes. In the absence of use, recordings
are automatically deleted 14 days after recording.

  1. Data security requirements

7.1 Spa processes the personal data of the Data Subjects in an IT system and environment that is suitable for protecting the data against unauthorized access, alteration, transmission, disclosure, deletion or destruction, accidental destruction or damage, and unavailability.

7.2 The IT contractual partner is responsible for protecting the security of personal data processed in connection with the operation of the camera system within the Spa. Within the framework of this task, the IT contractual partner:

  • takes the network, hardware and software protection measures necessary to establish and maintain the security of the camera system (assigning, validating and registering access rights, password protection, virus protection, etc.);
  • ensures continuous and uninterrupted operation of the camera system.

7.3 Spa shall immediately inform the Data Subject if the integrity of the data stored in or outside the IT system has been compromised and there are grounds for believing that third parties may have had unauthorized access to the image recordings made of the Data Subject.

  1. Rights of the Data Subject and their enforcement

8.1 Upon request, Spa shall provide information to the Data Subject about the personal data processed about him or her as a result of camera surveillance. The Spa is obliged to provide the requested information immediately, but no later than within 30 days. The Data Subject is entitled to know the content of the protocol prepared pursuant to Section 5.3 of the Regulations concerning him.

8.2 Within 14 days of the recording of the image recording, the Data Subject may request that the image recording not be deleted by Spa, if the Data Subject wishes to exercise his or her right of access regulated in Article 15 of the GDPR or if the non-deletion or restriction of processing is necessary for the establishment, exercise or defence of the Data Subject’s legal claim pursuant to Articles 17 and 18. At the request of a court or other authority, the recorded video recording, as well as other personal data, must be sent to the court or authority without delay. If the request is not made within three days of the request not to be erased, the recorded image and other personal data shall be destroyed or deleted. A record shall be drawn up of the transfer or of any cancellation or destruction in such cases.

8.3 The Data Subject may request from the controller access to, rectification, erasure or restriction of processing of personal data concerning him or her, and may object to processing of such personal data and exercise his or her right to data portability in accordance with the provisions of the GDPR.

8.4 Spa does not make decisions based on automated data processing and does not perform profiling. Spa will not transfer the data involved in the data processing contained in this policy to third countries outside the EEA.

8.5 You may lodge a complaint with the National Authority for Data Protection and Freedom of Information regarding the data processing, data processing and data transfer described in this prospectus. Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C. Postal address: 1530 Budapest, PO box: 5. Phone: +36 -1-391-1400 Fax: +36-1-391- 1410 E-mail: ugyfelszolgalat@naih.hu.

8.6 In addition to the above, you may also turn to the competent court in case of unlawful processing of your data.

  1. Contact details of the data controller Name: Spa Operator Kft, 1138 Budapest, Ipoly utca 8., Phone: +36 1 491 0079

E-mail: reservation@mandaladayspa.hu

  1. Contact details of the Data Protection Officer Data Protection Officer (DPO): dr. Veronika Francis Hegedűs, e-mail: veronika.hegedus@gmail.com
  2. Please, arrive at least 15 minutes before your scheduled appointment to ensure the comfortable check in. please provide us with your health conditions, allergies, injuries that could affect your spa experience. Please, notify us if you are pregnant, or if you have any concerns regarding your health or body. Please, consider in case of any kind of extant health problem you can apply for treatments that are recommended by the Reception. For gift card visit our website: https://www.mandaladayspa-ajandek.hu/ .

 

Budapest, 26.09.2024