DATA PROTECTION NOTICE

The purpose of this Data Protection Notice (hereinafter: Notice) is to inform you, as the data subject (hereinafter: Data Subject), about the principles, rules, and provisions of data protection and data processing applied and respected by the Data Controller in relation to the processing of personal data it performs, pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, hereinafter: GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, applicable from 25 May 2018.

I. Identity and Contact Details of the Data Controller

Name of Data Controller: HRH BUD Management Kft.
Registered seat, mailing address: 1011 Budapest, Szilágyi Dezső tér 1.
Other contact details: hc319-fb@accor.com; +36 30 138 2431

The Data Controller complies with:

  • GDPR (Regulation (EU) 2016/679),
  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Info Act),
  • Act V of 2013 on the Civil Code (Civil Code),
  • Act C of 2000 on Accounting (Accounting Act),
  • Decree No. 23/2014 (VI.30.) of the Ministry for National Economy on the tax identification of invoices and receipts and on the tax authority control of invoices stored electronically (NGM Decree).

In connection with the restaurant services operated under the name “Tutto Restaurant & Bar” (1065 Budapest, Nagymező u. 38.) and activities carried out on the website www.tutto-budapest.com, the Data Controller ensures the enhanced protection of personal data of natural persons who come into contact with it, and processes such personal data in accordance with Article 5 of the GDPR.

The Data Controller is not obliged to designate a Data Protection Officer under Article 37 GDPR, and therefore does not appoint one. Likewise, the Data Controller is not required to designate a representative under Article 27 GDPR.

II. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Special Categories of Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.
  • Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Data Processing: any operation or set of operations performed on personal data by a processor on behalf of or under the instructions of the controller.
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Processing: any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Recipient: a natural or legal person, public authority, agency or another body, to which personal data are disclosed. Public authorities which may receive personal data in the framework of a particular inquiry under Union or Member State law shall not be regarded as recipients.
  • Consent of the Data Subject: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • Restriction of Processing: the marking of stored personal data with the aim of limiting their processing in the future.
  • Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
  • Pseudonymisation: the processing of personal data in such a manner that they can no longer be attributed to a specific data subject without the use of additional information.
  • Destruction of Personal Data: the complete physical destruction of the data carrier containing the data.
  • Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
  • Data Transfer: making data available to a specific third party.
  • Disclosure: making data available to anyone.
  • Deletion of Data: rendering the data unrecognisable in such a way that it can no longer be restored.
  • Supervisory Authority: National Authority for Data Protection and Freedom of Information (NAIH).

III. Principles of Data Processing

Personal data shall be:

  • processed lawfully, fairly and in a transparent manner (“lawfulness, fairness, transparency”);
  • collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes (“purpose limitation”);
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
  • accurate and, where necessary, kept up to date (“accuracy”);
  • kept in a form which permits identification of data subjects for no longer than is necessary (“storage limitation”);
  • processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”);
  • the controller shall be responsible for, and be able to demonstrate compliance with, these principles (“accountability”).

IV. Purpose and Legal Basis of Data Processing

All data processing carried out by the Data Controller falls within the scope of the GDPR. Processing is performed only for specific purposes and with appropriate legal bases, as follows:

  • Personal data are collected directly from the Data Subject.
  • The accuracy of data provided is the responsibility of the Data Subject.
  • Persons under 18 or otherwise incapacitated may only consent through their legal representative.
  • As a rule, the Data Controller does not process special categories of data.
  • The Data Controller provides high-quality restaurant services through Tutto Restaurant & Bar and its website www.tutto-budapest.com.

IV/A. Data Processing Related to Contact

Purpose: To enable communication when the Data Subject contacts the Data Controller via the website (email, phone, mail, or in person), and for the Controller to respond.

Data processed:

  • Name
  • Email address
  • Phone number
  • Content of message

Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.

Data are stored until the request is fulfilled and are not shared with third parties.

IV/B. Data Processing Related to Requests for Quotations

Purpose: To provide a quotation or confirm availability for bookings.

Data processed:

  • Name
  • Email address
  • Phone number
  • Content of request / booking intention
  • Content of quotation

Legal basis: Article 6(1)(b) GDPR – necessary for steps prior to entering into a contract.

Data are stored until the quotation expires or a booking is confirmed or rejected. Data are not shared with third parties.

IV/C. Data Processing Related to Reservations and Service Performance

Purpose: To manage table reservations and fulfil the resulting contract.

Data processed:

  • Name
  • Email address
  • Phone number
  • Reservation details (time, number of guests)
  • Special requests

Legal basis:

  • Article 6(1)(b) GDPR – necessary for the performance of a contract.
  • Special requests: Article 6(1)(a) GDPR – consent; if sensitive (e.g. allergies), Article 9(2)(a) GDPR – explicit consent.

Data are stored until contract fulfilment.

Data transfers: Reservation system provider (processor); OTP Bank Nyrt. for card/SZÉP card payments.

IV/D. Data Processing Related to Events

Purpose: To enable event reservations and performance of contracts for events.

Data processed:

  • Name
  • Email address
  • Phone number
  • Event details (number of participants, time, type)
  • Special requests
  • Bank transfer details (IBAN, SWIFT/BIC, payer name, bank, account number, transaction details)

Legal basis: Article 6(1)(b) GDPR – performance of a contract.

Data transfers: Reservation system provider; OTP Bank Nyrt. for payments.

IV/E. Data Processing Related to Event Administration

Purpose: To record attendees, maintain contact, and fulfil administrative and accounting obligations.

Data processed:

  • Name
  • Email address
  • Phone number

Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.

Data are stored for 5 years after the event. They may be shared only with competent authorities.

IV/F. Data Processing Related to Invoicing

Purpose: To fulfil invoicing and accounting obligations.

Data processed:

  • Name
  • Billing and bank details

Legal basis: Article 6(1)(c) GDPR – legal obligation (Accounting Act, NGM Decree).

Data are stored for 8 years. They are shared with the accountant and the invoicing software provider.

IV/G. Data Processing Related to Contract Performance and Representatives

Purpose: To identify contractual parties and representatives, maintain contact, and perform contracts.

Data processed:

  • For natural person/sole entrepreneur contracting parties: personal ID data, address, contact details, signature, banking data
  • For representatives/contact persons: name, contact details, title, signature

Legal basis:

  • Article 6(1)(b) GDPR – for natural persons/sole entrepreneurs (contract performance).
  • Article 6(1)(f) GDPR – for representatives/contacts (legitimate interest).

Data are stored for 5 years after contract termination/fulfilment.

Data may be shared with OTP Bank Nyrt. for payment processing.

IV/H. Data Processing Related to Legal Claims and Proceedings

Purpose: To enforce contractual or non-contractual legal claims, pursue debt recovery, and conduct legal proceedings.

Data processed:

  • Identification data (name, birth name, mother’s name, place and date of birth, personal ID, tax ID)
  • Address/residence
  • Contact details (email, phone)

Legal basis: Article 6(1)(f) GDPR – legitimate interest of the Controller.

The provision of the above personal data by the Data Subject is mandatory, as it is the Controller’s legitimate interest to be able to identify the Data Subject and to contact them for the purpose of enforcing its claims and demands, or to make them available during the procedure. The Controller’s legitimate interest takes precedence over the fundamental rights and interests of the Data Subject. The Data Subject may object to the processing of their personal data at any time.

The Controller stores personal data for 5 years from the termination or fulfillment of the engagement contract, or until the given procedure is legally concluded / the claim is enforced.

The Controller may forward such personal data to its legal representative and the competent authority in relation to the procedure.

IV/I. Data Processing Related to Opinions, Reviews, and Satisfaction

The purpose of data processing under this subsection is for the Controller to receive feedback on its services, for the Data Subject to express their opinion, and for the Controller to provide its services at the highest possible level and improve them accordingly.

Following the use of the service, the Controller automatically sends an email in order for the Data Subject to evaluate the service.

In relation to the above activity, the Controller requires and processes the following personal data directly from the Data Subject for the purposes defined above:

  • Name (username)
  • Email address
  • Content of the review or opinion (only in case of writing an opinion)

The legal basis for processing personal data in connection with the email sent prior to the review is Article 6 (1) (f) of the GDPR, i.e. the Controller’s legitimate interest.
The provision of the above personal data by the Data Subject is mandatory, as it is the Controller’s legitimate interest to provide services at an adequate standard. The Controller’s legitimate interest takes precedence over the fundamental rights and interests of the Data Subject. The Data Subject may object to the processing of their personal data at any time.

Following the submission of a review, the legal basis for processing is Article 6 (1) (a) GDPR, i.e. the Data Subject’s consent. The Data Subject is entitled to decide whether to provide consent; submitting a review is not mandatory. The lack of consent cannot result in any disadvantage for the Data Subject. In these cases, the Data Subject provides their consent by submitting the review.

The consent given by the Data Subject may be withdrawn at any time. The Data Subject may withdraw consent on the same platform where they contacted the Controller, or by making a statement addressed to the Controller either by post or electronically using any of the above contact details.

In case of withdrawal of consent, the Controller deletes all personal data provided by the Data Subject without delay following receipt of the request. Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to its withdrawal.

The Controller stores personal data for 1 month from the sending of the email requesting a review following the use of the service, or until the withdrawal of consent if a review is submitted.

The Controller forwards the data to its hosting provider, as well as the organization providing the booking system (Sevenrooms Inc.). Considering that, following the use of the service, the booking system sends an email for evaluation purposes, certain data may also be shared with Google Ireland Ltd. and Tripadvisor LLC if the review is submitted on the Google or Tripadvisor platforms.

The Controller is obliged to delete from all its records any personal data relating to a Data Subject with whom the legal relationship has ceased for any reason and where the purpose of data processing has ended, unless the retention of such personal data is required for the Controller by law.

If an event occurs that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, the transmitted, stored, or otherwise processed personal data (hereinafter: “Data Protection Incident”), the Controller undertakes to notify the National Authority for Data Protection and Freedom of Information, as the competent supervisory authority, without undue delay and, where feasible, no later than 72 hours after becoming aware of the Data Protection Incident. The notification obligation shall not apply if the Data Protection Incident is unlikely to result in a risk to the rights and freedoms of natural persons. If the Data Protection Incident is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall inform the Data Subject of the Data Protection Incident without undue delay, in a clear and plain manner describing the nature of the Data Protection Incident.

VIII. Rights of the Data Subject

Natural persons whose personal data are processed by the Controller shall have the following rights in relation to the Controller’s data processing:
a. Right to information (Articles 13–14 GDPR)
b. Right of access (Article 15 GDPR)
c. Right to rectification (Article 16 GDPR)
d. Right to erasure (“right to be forgotten”) (Article 17 GDPR)
e. Right to restriction of processing (Article 18 GDPR)
f. Right to data portability (Article 20 GDPR)
g. Right to object (Article 21 GDPR)

a. Right to information

Since the Controller collects personal data directly from the Data Subject, it fulfills its information obligation pursuant to Article 13 GDPR through this Privacy Notice. The Controller does not collect personal data from any source other than the Data Subject.

b. Right of access
The Data Subject has the right to request confirmation and information as to whether their personal data are being processed. The Controller is obliged to provide such information, including access to the details set out in Article 15 GDPR.

c. Right to rectification

If the Controller processes any personal data of the Data Subject inaccurately or incompletely, the Data Subject may request that the Controller rectify the inaccurate personal data without undue delay or complete the incomplete personal data on the basis of data provided and verified by the Data Subject.

d. Right to erasure (“right to be forgotten”)
The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning them without undue delay where one of the following grounds applies:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,
  • the Data Subject withdraws consent on which the processing is based, and there is no other legal ground for the processing,
  • the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing,
  • the personal data have been unlawfully processed,
  • the personal data must be erased for compliance with a legal obligation under Union or Member State law applicable to the Controller,
  • the personal data have been collected in relation to the offer of information society services.

The Controller informs the Data Subjects that it is not obliged to comply with a request for erasure/forgetting if the processing is necessary:

  • for exercising the right of freedom of expression and information,
  • for compliance with a legal obligation requiring processing, or for the performance of a task carried out in the public interest or in the exercise of official authority,
  • for reasons of public interest in the area of public health,
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,
  • for the establishment, exercise, or defense of legal claims.

e. Right to restriction of processing
The Data Subject has the right to obtain from the Controller restriction of processing where:

  • the accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data, or
  • the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead, or
  • the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims, or
  • the Data Subject has objected to processing pending the verification of whether the legitimate grounds of the Controller override those of the Data Subject.

f. Right to data portability

The Data Subject has the right to receive the personal data concerning them, which they have provided to a Controller, in a structured, commonly used and machine-readable format, where:

  • the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, or on a contract pursuant to Article 6(1)(b) GDPR, and
  • the processing is carried out by automated means.

In exercising the right to data portability, the Data Subject shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible.

g. Right to object


The Data Subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on the Controller’s legitimate interest, including profiling based on those provisions. In such cases, the Controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing.

The Data Subject may exercise their rights set out in this chapter at any time by submitting a request to the Controller. Requests may be submitted electronically, in writing by post, or in person at the Controller’s registered office to the Controller or its representative. The Controller shall provide information about the processing of personal data and the exercise of rights without undue delay, but no later than 1 month from receipt of the request, free of charge and in the same format as the request was submitted.

IX. Remedies

If the Data Subject considers that, in relation to the processing of their personal data, the Controller is infringing the provisions of data protection law, they may seek judicial remedy at the competent court or submit a complaint to the National Authority for Data Protection and Freedom of Information.

National Authority for Data Protection and Freedom of Information
Registered office: 1055 Budapest, Falk Miksa u. 9-11.
Postal address: 1363 Budapest, Pf. 9.
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
Website: http://naih.hu

The Controller shall also make the effective Privacy Notice available in electronic form on its website. If the Data Subject submits a request for it in electronic or paper form, the Controller will send the Privacy Notice as an attachment to an email to the electronic address provided by the Data Subject.

The Controller reserves the right to unilaterally amend this Privacy Notice, particularly in the event of changes in legislation, regulatory practice, or other external circumstances. The Controller shall inform the Data Subject of any such changes, and upon request, the Controller shall send the effective Privacy Notice to the Data Subject.

Effective from: April 15, 2025

HRH BUD Management Kft.
Controller
