1. DATA CONTROLLER’S DETAILS

Name: Sun & Fun Holidays Limited Liability Company
(hereinafter: “Data Controller” or “Company”)
Registered Office: 1138 Budapest, Meder u. 8/D, ground floor
Company Registry No.: Cg. 01‑09‑890130
Contact Person: Lilla Kovács
Complaint Handling:
E‑mail: marketing@sunfun.hu
Phone: +36 1 354 2939

2. PURPOSE OF THIS DATA PROCESSING NOTICE

The purpose of this Notice is to define the rules on the processing, disclosure and deletion of personal data by the Data Controller, ensuring compliance with applicable GDPR and related Hungarian laws.

3. LEGAL BASES FOR DATA PROCESSING

• Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Info Act”);
• Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR);
• Act V of 2013 on the Civil Code;
• Act C of 2000 on Accounting (“Accounting Act”).

4. DEFINITIONS

Definitions based on the GDPR:
Data Controller: Entity determining purposes and means of personal data processing.
Processing: Any operation on personal data.
Processor: Entity processing data on Controller’s behalf.
Supervisory Authority (NAIH): Hungarian Data Protection Authority.
Personal Data: Any information relating to an identified or identifiable natural person.
Client: Natural person inquiring about or entering into travel or related service contracts with the Company.

5. PRINCIPLES OF DATA PROCESSING

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality

6. DATA PROCESSED, PURPOSE, LEGAL BASIS AND RETENTION

6.1 Inquiry about Services

Data: Name; date of birth if minor; e‑mail; travel preferences...

Purpose: Sending quote, contact before contract.

Legal basis: GDPR Art. 6(1)(b)

Retention: Until contract conclusion or expiry.

Processors: SAN Tourism Software Group, travel agents.

Recipients: Travel service providers, insurers.

6.2 Travel Contract Performance

Data: Personal ID and travel details, contacts...

Purpose: Travel service delivery.

Legal basis: GDPR Art. 6(1)(b)

Retention: 5 years from contract fulfilment.

Processors: SAN Tourism, SPARKLE.

Recipients: Airlines, accommodation, insurers, etc.

6.3 Invoicing

Data: Name, address, tax ID.

Purpose: Billing and accounting.

Legal basis: GDPR Art. 6(1)(c)

Retention: 8 years (Accounting Act).

Processors: SAN Tourism, SPARKLE.

Recipients: Accountant Duo Balance Kft.; Hungarian Tax Authority (NAV).

6.4 Complaint Handling

Data: Name, contact, complaint details, dates.

Purpose: Investigating complaints.

Legal basis: GDPR Art. 6(1)(f)

Retention: 5 years if client; otherwise 1 year.

Processors: SAN Tourism, SPARKLE.

Recipients: Authorities when legally required.

6.5 Newsletter Subscription

Data: Name, e‑mail, preferences.

Purpose: Marketing newsletter.

Legal basis: GDPR Art. 6(1)(a)

Retention: Until consent withdrawal.

Processors: SAN Tourism, SPARKLE.

7. RECIPIENTS OF PERSONAL DATA

Data may be shared with:

• Service providers (hotels, insurers, accountants);
• Travel partners;
• Authorities (NAV, NAIH).

Clients may request details at marketing@sunfun.hu or +36 1 354 2939.

8. INTERNATIONAL DATA TRANSFER

Personal data may be transferred to non‑EEA countries if:

• The European Commission has recognized the country’s data protection level (GDPR Art. 45); or
• Appropriate safeguards exist under GDPR Art. 46 (e.g. standard contractual clauses, binding codes, certifications).

If no adequacy decision exists, transfer is allowed only if:

• Necessary for contract performance; or
• Explicit consent is given by the client (GDPR Art. 49).

8.1 Adequacy Countries

• Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, United States (limited to Privacy Shield participants).

Transfers to other countries require contract necessity or explicit consent.

9. CLIENT ACCESS RIGHTS

Clients may request confirmation whether their personal data is processed, as well as access to it. This includes pseudonymized data. A copy will be provided, and reasonable fees may apply for repeated requests.

10. RIGHT TO RECTIFICATION

Clients can request correction or supplementation of inaccurate personal data. Recipients notified unless impossible or disproportionate.

11. RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”)

Clients may request deletion of their personal data if processing is no longer necessary, consent withdrawn without other legal bases, processing unlawful, legal obligation to delete, or for information society services. Recipients notified unless impossible or disproportionate.

12. RIGHT TO RESTRICTION OF PROCESSING

Clients may request limitation of processing where accuracy is disputed, unlawful processing, data needed for legal claims, or objection to processing. While restricted, data may only be processed for storage, with consent, legal claims, or defense. Direct marketing and profiling disallowed.

13. RIGHT TO DATA PORTABILITY

Clients can receive their data in a structured, commonly used, machine-readable format and have it transferred to another controller (when processing is automated and based on consent or contract).

14. RESPONSE TIMES FOR CLIENT REQUESTS

15. RIGHT TO LODGE A COMPLAINT

If a client believes their rights were violated, they should contact Lilla Kovács first. If unsatisfied, they may turn to a court or NAIH. NAIH contact: 1125 Budapest, Szilágyi Erzsébet fasor 22/C; Tel: +36 1 391 1400; Fax: +36 1 391 1410; E‑mail: ugyfelszolgalat@naih.hu; Website: www.naih.hu.

16. AMENDMENTS TO THIS NOTICE

This Notice entered into effect on 25 May 2018. The Data Controller reserves the right to amend it unilaterally. Clients will be notified by e‑mail and all updates will be published on www.sunfun.hu.

Annex 1 – Adequacy Countries

• Andorra
• Argentina
• Canada (commercial organizations only)
• Faroe Islands
• Guernsey
• Israel
• Isle of Man
• Jersey
• New Zealand
• Switzerland
• Uruguay
• United States (Privacy Shield organizations only)