Privacy policy

BTS World Kft. (GoBeyond)

May 25th, 2018.

 

1. Overview

Who processes my data?

GoBeyond as Data Collector processes data collected through its website, contracts and any other channels linked with GoBeyond.

Our contact info:

• BTS World Korlátolt Felelősségű Társaság (BTS World Ltd.)
• Address: 1022 Budapest, Lóczy Lajos utca 6.
• Phone number: +36302723004
• Email: hello@gobeyond.travel

1.1. Where does the Privacy Policy take place?

The Privacy Policy applies to the GoBeyond’s website, and all other direct services. GoBeyond is an independent travel design agency.

1.2. Who collects the data, and what does it consist of?

A data administrator is the one who determines what data is collected, with which tools, and for what purposes.

Data can be any information you give to GoBeyond while using its services. Personal data includes information which can directly or indirectly identify the owner—typically being name and email.

Learn more about this athttps://www.eugdpr.org/glossary-of-terms.html.

1.3. What does this notice do for me?

Our primary goal is to make sure we offer protection for our visitors and travellers. We pay particular attention to making sure we guarantee the rights of the services we provide to everyone without discrimination of any kind. We want to make sure that we give you your right to privacy when handling personal data in any way.

The Info. (Act CXII. of informational self-determination and freedom of information law in 2011) and the EuropeanGeneral Data Protection Regulation (2016/679 The EU Regulation on the protection of natural persons with regard to the processing of personal data and such free flow of data, hereinafter referred to as “GDPR”), which came into force on May 25th, 2018, also necessitates adequate information for stakeholders.

1.4. What are the basic principles of data management?

• Legality: The legal basis for handling data is explicit and well-founded
• Fairness and Transparency: There is sufficient amount of information that can be easily understood and accessible regarding data management
• Purpose limitation: Data management is exclusively for the purposes defined and communicated in advance
• Saved data: Only the data required and relevant are requested during data processing
• Accuracy: Managed data is up to date
• Limited storage: Data management is only done for the duration of its purpose
• Integrity and confidentiality: The technical and organizational measures used in data management provide a high level of security
• Accountability: The GoBeyond procedure is aligned with the national and international standards

1.5. What else should I read?

General terms and conditions of GoBeyond

2. Data Types and Purposes

2.1. How do I find out what my data is used for?

Each time we collect data it is done with a predefined purpose. We ensure that the information requested is done in a transparent manner.When signing up for any of our trips or sending your contact info though our website, we highlight what we will use the requested information for. Your consent will be asked based on this.

If you have further questions, please contact us at hello@gobeyond.travel.

2.2. Exactly what type of data do you ask me for and where?

It depends on which of our services you’d like to use.We make sure that we have your understanding and consent for every different case by providing you with the information you need, then asking for your agreement by ticking checkboxes which express that you have read, understood, and give us permission to handle your data. Otherwise, Processing shall be lawful only if and to the extent that at least one of the following applies:

• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
• processing is necessary for compliance with a legal obligation to which the controller is subject
• processing is necessary for the purposes of the legitimate interests pursued by the controller

The following table shows all the possible cases where we may ask for your data:

Your role	Where you enter your data	Data types and Addressees	Purpose(s) of data use and lawfulness	How long your data will be stored	How to take back your consent
Requesting for more info through our web page (I’m interested) or phone	The ‘Contact us’ or ‘I’M inteterested’ subpage of our website	Name, email address CEO and Ops	We will send you an email to answer your question (GDPR Article 6. (1) a)	2 years	You can reply to our email or call and indicate that you want to be removed from our list
We sign a contract for travel and/or for additional services (contribution to buying plane ticket or insurance)	Personaly or through email	Name, address, birth date and place, passport number, bank account number, email, phone number CEO, Ops and third parties	Performance of the contract (GDPR Article 6. (1) b); Invoicing and other legal obligations (GDPR Article 6. (1) c); Consent to data data transfer to third country data processors (GDPR Article 6. (1) a)	5 years after the termination of the contract and billing data for 8 years after the termination of the contract.	By signing the contract, you authorize us to process your personal information necessary for the performance of the contract, and it is not possible to withdraw the consent.
You are a contracted customer and you agree to that we take a picture, video and sound recording about you during your journey	In the contract	Photo and video	In addition to our travel service, we will provide you with a video, photo and audio recordings. (GDPR Article 6. (1) a)	Not later than 5 years after the termination of the contract	You can revoke your consent until the beginning of the journey
You subscribed interested in GoBeyond news	You have subscribed to our newsletter from our website or during registration	Name, email address CEO, Ops	We will send you our newsletter through email. (GDPR Article 6. (1) a)	As long as you are a subscriber	You will find the option to unsubscribe at the footer of every newsletter
You contact us through social media paltforms	Through the given social media	Name, email address CEO, Ops	We will only process your data for contact if you wish to learn more about us or to conclude a contract based on your request (GDPR Article 6. (1) a)	2 years	You can reply to our email or call and indicate that you want to be removed from our list
Your visit our website	Info collected by cookies	IP address Google	Google analytics collects and manages IP addresses anonymously. Our goal is to improve the usability of our website based on statistics (GDPR Article 6. (1) a)	5 years	You must provide your consent at the first visit of the website, which can not be withdrawn, so you can delete the installed cookies at any time from your browser.

You must provide your consent at the first visit of the website, which can not be withdrawn, so you can delete the installed cookies at any time from your browser.

In any case we wish to use your personal data for any other purpose than the original request, we will talk to you first.

3. Data management mode

3.1. What happens to my data when I sign a contract?

In all cases, your data will be processed according to our principles and will be used solely to perform the contract or to fulfill legal obligations. The contracts are stored in closed folders.

3.2. What happens to my data in other cases?

GoBeyond news

Our newsletter is sent to subscribers. The content contains mostly announcements of our trips, offerings, or other marketing invitations. Subscribers’ personal information (name, email address) is stored in a database until they sign up for our newsletter. Personal information will not be transmitted or sold to third parties in any case and will not be published anywhere.

Contact us and ‘I’m interested’

If you have a question about us or want to download content from our blog, then we will ask for your name and email address so that we can contact you with the resources or support your request. Your name and email address will be stored for two years, which means the operation of an online database that is only accessible to us.In any case, we will not forward or sell your personal data to third parties and it will not be published anywhere. Also, it’s important to know that we do not automatically subscribe you to our newsletter. To unsubscribe you can email us that you do not want to receive more messages from us.

4. Rights of the data subject

4.1. What are the rights to access my personal information?

Right of prior information

Before requesting data, we ensure to communicate accurate information to you on what the purpose of the data collection is and how it is processed, such as who can access it.

On our webpage, we visibly display an outline that highlight what we will use personal information for.

Right of withdrawal of consent

You are entitled to withdraw your consent for us to manage your data at any time.

If you do not wish to receive news from us, you can unsubscribe at any time by clicking the ‘Unsubscribe’ button at the bottom of the newsletter. If you do not want to receive any more emails from us, you can easily reply to us by email.

Right of access

Users have the right to know about the personal information of their given organization and information about the management of the organization, and to inquire about what information is kept by an organization at any time.

Through our contacts you can send this request to GoBeyond.

Right to data portability

The data subject shall have the right to receive the personal data that the data controllers have, and if technically possible, able to request the data to be forwarded to another data controller.

Through our contacts you can send this request to GoBeyond.

Right to rectification

The data subject may request to correct inaccurate information from data controller without undue delay.

Through our contacts you can send this request to GoBeyond.

The right to restriction of processing

The user has the right to request that the data controller stops processing his/her data if:

• the user disputes the accuracy of the personal data
• the data handling is illegal, and the user is opposed to the deletion of the data
• the data controller no longer needs personal data, but the user requires them to enforce legal claims

Through our contacts you can send this request to GoBeyond.

Right to object

The user has the right to object to the processing of his or her personal data for any reason relating to personal reasons if they are processed in the interest of the data controller or his public authority.

Through our contacts you can send this request to GoBeyond.

Right to erasure

The user has the right to request that data controller without delays, delete personal data if:

• personal data is no longer needed for the purpose from which they were
  collected
• the user withdraws the consent of the data controller and does not have any other legal grounds for data processing
• the user objects to the processing of his/her data because there was no prior legitimate reason for data handling
• the personal data was unlawfully processed

Deletion means hard delete.

If you receive an email from us through either the newsletter or any of the other ways detailed above and unsubscribe or do not request for more emails, your name and email address will be deleted immediately from our database. (hard delete)

Through our contacts you can send this request to GoBeyond.

Right to be forgotten

If the data controller has disclosed personal data and is obliged to delete it for some reason, he takes technical measures to take into account the available technology and the costs of implementation to inform other data controllers that the person concerned has made such a request.The other data controller is typically a search engine operator who has access to handle the personal data if requested.

GoBeyond does not disclose any personal data but on the basis of the prior consent of the traveller, at the time of the conclusion of the contract, it may publish the image, video and sound recordings made during the journey on its online surfaces or in print. However, GoBeyond does not grant any rights of use to third parties

However, if requested, we will take needed steps to ensure that an unauthorized third-party data handler can delete your personal information from its location.The expected steps are the three consecutive written inquiries, the documentation of the case, and the third data handler’s call for data, image, or any other document from the GoBeyond surfaces.

Right to complain

Through our contacts you can send this request to GoBeyond.

4.2. Where can I enforce my rights?

GoBeyond seeks to maximize your rights and prioritize any questions or requests about our data management practices.

Data protection issues are dealt by the Hungarian National Data Protection and Information Freedom Authority, based on paragraph 22 of the GDPR definition.

Hungarian National Data Protection and Information Freedom Authority

• Postal address: 1530 Budapest, Pf.: 5.
• Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
• Phone: +36 (1) 391-1400
• Fax: +36 (1) 391-1410
• E-mail: ugyfelszolgalat@naih.hu
• URL: http://naih.hu

5. Data transfer

5.1. To whom are my personal information transmitted?

Data Processor 1.

KBOSS.hu Kft. (Szamlazz.hu)

Seated at: 1031 Budapest, Záhony str. 7.

If you have a contract with us, we use billing information to bill you in an online service, called ‘Szamlazz.hu’

During our preparation for GDPR, we secured that ‘Szamlazz.hu’ guarantees the protection of personal data at least at the European level in accordance with the Regulation and has prepared all its products accordingly. You can read more about ‘Szamlazz.hu”s relevant service and the GDPR guarantee by clicking the links below:
https://www.szamlazz.hu/adatvedelem/

Data Processor 2.

E-goodwill Kft.

Seated at: 3842 Halmaj, Dózsa György utca 50

In order to be compliant with national legal obligations, we have to forward the invoices (with personal information on it) to our bookkeeper. We shall forward the contracts, too, if necessary. Our bookkeeper is subject to the ‘Data Processor Agreement’ established during our preparation for GDPR.

Data Processor 3.

Hubspot Inc.

Headquarters: 25 First Street, 2nd Floor, Cambridge, MA 02141 USA

Hubspot stores the names and email addresses of subscribers who are signing up to the newsletter as well as any other person seeking us.The Hubspot helps us generate our websites.

During our preparation for GDPR, we secured that Hubspot guarantees the protection of personal data at least at the European level in accordance with the Regulation and has prepared all its products accordingly.You can read more about Hubspot’s relevant service and the GDPR guarantee by clicking the links below:

https://www.hubspot.com/data-privacy/gdpr/product-readiness

Data Processor 4.

AGL Group Kft.

Seated at: 1066 Budapest, Jókai Str. 6

With the aim of continually developing the quality and usability of our website, we cooperate with a web designer and developer team who may view personal data. Our bookkeeper is subject to the ‘Data Processor Agreement’ established during our preparation for GDPR.

Data Processor 5.

Google LLC.

Seated at: Mountain View, Kalifornia, Egyesült államok

During our preparation for GDPR, we secured that Google guarantees the protection of personal data at least at the European level in accordance with the Regulation and has prepared all its products accordingly.You can read more about Google’s relevant service and the GDPR guarantee by clicking the links below:

https://gsuite.google.com/faq/security/

Beyond the above, GoBeyond is entitled to forward the data to third parties acting in the interest of the service in order to achieve the above objectives. Third parties acting in connection with the performance of a travel contract for the purpose of the data controller shall in particular, but not exclusively, the contractor’s contracted tour guide, accommodation, catering, personal transport and other contributor services. The range of recipients varies from one trip to another and is therefore not listed in this Privacy Notice because it would seriously compromise the requirement of transparency, but the data subject may request from the controller a list of data processors by name.

The personal data of the data subjects may also be transferred to data controllers and processors in countries outside the European Economic Area where this is necessary for the performance of the travel contract, the transfer is occasional, and the traveler has given his explicit and informed consent in the light of potential risks (Article 49 GDPR (1))) the).

Possible risks arising from data transfer – due to lack of conformity decision and appropriate guarantees: Data controller for recipients of data processing in the destination country (s) of the travel contract (in particular accommodation and catering service providers, passenger transport, tour guides, other service providers). The Data Controller shall take all possible technical measures to ensure the secure transmission of the data and shall enter into a data processing contract with the data processors including the obligations contained in the GDPR. The data processor is obliged to comply with the contract, but there is no other guarantee that this obligation will be met.

The controller keeps records of the processors.

6. Cookies

6.1. Do you use cookies on your website or app?

A cookie is a piece of information that a visited web site sends to a visitor’s browser (in the form of a variable name value) to store it and later to load the same website.

Website

During visits to our website, we send one or more cookies (a small file containing a string of characters) to the visitor’s computer, which will allow its browser to be uniquely identified. These cookies are provided by Google through GoBeyond and Google Analytics.Google Analytics generates cookies through Google AdWords. These cookies will only be sent to the visitor’s computer by visiting certain subpages—only the actual time to visit that subpage will be stored.

Google uses these cookies for statistical purposes when a user has previously visited the advertiser’s websites.

We use Facebook Pixel cookies to track conversions for ads running on Facebook. Facebook Pixel is a code snippet that is placed in the source code of the GoBeyond web site, Facebook gives you the opportunity to track the activities of (Facebook-registered) users on your website.

The cookies used are:

• Analytics, tracking cookie (Google)
• Site tracking (Google)
• Facebook ads conversion (Facebook pixel)

6.2. How do I set up cookies?

• The “Help” feature in most of the browser’s menu bar provides you with instructions:
• how to disable cookies,
• how to accept new cookies,
• how to instruct your browser to set a new cookie or
• how to turn off other cookies.

7. Social media

GoBeyond is available on Facebook and Instagram.

The use of the social networking site, and through contact with GoBeyond, contact, and other activities permitted by the community site is based on voluntary consent.

Stakeholders are natural persons who voluntarily follow, share, like, appreciate, and share the community pages of the data controller or the content appearing on it.

• name – identifying
• e-mail – contact
• action – replying

GoBeyond communicates with the people via the social network only so that the purpose of the data being processed becomes relevant when the person is searching through the community site.

The purpose of the presence on the community portals and the related data management is to share and publish the content on the website on the social network, i.e. the marketing of GoBeyond.

The person voluntarily contributes to data management under the terms of the community site, for example by following and favoring the content of GoBeyond.

The Subject may evaluate GoBeyond in a numerical and numerical way, if the community site allows it.

GoBeyond also publishes images / video clips on various events and services on the community site. In the case of non-mass recordings or public recordings (Section 2:48 of the Civil Code), GoBeyond will always seek the consent of the Participant before publishing the images.

You may get information about the data management of the given community site on the given community site.

Duration of data management: at the request of the data subject, until revoke of consent.

The way of data management: electronically, automated.

The source of the data is directly from the person.

Automated Decision Making Profiling: not happening.

GoBeyond draws attention to the fact that an organization operating a community site, such as Data Controller, can perform profiling or other automated data management, but in this case, the controller will be the organization that manages the community site.

8. Children

Are there any provisions related to age restrictions?

The applied age restrictions are the ones in the Civil Code of Hungary. Nevertheless, we are not obliged to confirm this by requesting any official document.

9. Security management and measures

GoBeyond ensures that the processing of personal data is in accordance with the rights, interests and data protection regulations of those concerned will be supported by the following technical actions and regulations:

9.1. What privacy policies are in force in the operation of GoBeyond?

• Creation of data register, in standard with the regulations
• More detailed internal data protection and data management rules, with a clear definition about accessibility
• Elaborate a process to define the steps to be taken whenever security or data protection incident occur

9.2. What steps are being taken to ensure security?

The followings are applied:

• Privacy trainings – Backup copies
• Password protected wifi – Document Shredder
• Firewall – Username and password protected laptops
• Lockable file cabinet – Mobile devices protected with password or biometric identified
• Antivirus – Audit
• Data storage only available for defined user groups

Encryption

All the personal data sent through the subpage ‘I’m interested’, is transmitted via a https (TLS cryptographic protocol) channel between the user’s browser and the cloud service provider.

Encrypting end-of-life databases is encrypted using security keys (‘Industry standard AES-256 encryption algorithm’).

Security incidents

GoBeyond maintains a policy and procedure for information security and privacy incidents that include initial response, investigation, notification and/or public disclosure. These guidelines are regularly reviewed and tested annually.

In the event of information security and/or privacy incidents, we will immediately notify the affected users with appropriate security measures and without delay and, if possible, 72 hours after the privacy incident hascome to our attention, to the competent authority. Our procedure is in line with our GDPR obligations and industry standards. We are committed to constantly informing you about issues that are relevant to the security of your account and provide you with all the information you need.

10. Changes to the Privacy Policy

The Privacy Policy may be amended unilaterally by GoBeyond but will notify the users. Any modification is valid only if it complies with applicable legislation.