Zachár Winery & Apartments

This English translation is provided for convenience only; in case of any discrepancy, the Hungarian original prevails.

Privacy Notice

for Customers

The protection of personal data is extremely important to us; therefore, in this Privacy Notice we describe what personal data we process about you, for what purpose, and on what legal basis. This Privacy Notice also sets out the rights to which you are entitled.

  1. Details of the Data Controller

Data Controller: Kőhalom dűlő Kft. (hereinafter: the "Data Controller")

Registered seat: 9400 Sopron, Villa sor 34.

Company registration number: 08-09-026832

Tax number: 25084814-2-08

Website: https://zacharbor.hu/

Email address: info@zacharbor.hu

  1. General legislation underlying the processing

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, "GDPR")
  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information ("Infotv.")
  • Act V of 2013 on the Civil Code ("Ptk.")
  • Act CXXVII of 2007 on Value Added Tax (the "VAT Act")
  • Act C of 2000 on Accounting (the "Accounting Act")
  • Act CLV of 1997 on Consumer Protection (the "Consumer Protection Act")
  1. Definitions

Personal data: any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Typical personal data of this kind include in particular: name, home address, place and date of birth, and mother's maiden name.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller: the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Data Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Processor: a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Data Controller.

Recipient: a natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not.

  1. Principles

In processing personal data, the Data Controller takes into account the following principles, pursuant to which personal data shall be:

  1. processed lawfully, fairly, and in a transparent manner in relation to the Data Subject (lawfulness, fairness, and transparency)
  2. collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; in accordance with Article 89(1) of the GDPR, further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered incompatible with the original purposes (purpose limitation)
  3. adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy)
  5. kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR, subject to the implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of Data Subjects (storage limitation)
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by using appropriate technical or organizational measures (integrity and confidentiality)
  7. the Data Controller shall be responsible for, and be able to demonstrate compliance with, the above (accountability)
  1. Data processing activities

  1. contact (website)

Purpose of processing

Making contact via a form

Legal basis for processing

Article 6(1)(b) GDPR: necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract

Categories of Data Subjects

Person making an inquiry

Scope of personal data

Name, email address, subject, content of the message

Data retention period

Until the end of the 1st year following the contact

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· hosting provider: Rackhost Zrt. (registered seat: 1132 Budapest, Victor Hugó utca 18-22., company registration number: 06-10-000489)

· email system: Google Ireland Ltd. (registered seat: Google Building Gordon House, Barrow Street, Dublin 4, Ireland)

Source of data

The source of the personal data is the person making the inquiry

Method and consequence of providing data

Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to contact you

  1. contact and correspondence by email

Purpose of processing

Making contact and maintaining contact by email

Legal basis for processing

Article 6(1)(b) GDPR: necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract

Categories of Data Subjects

Person making an inquiry, customer

Scope of personal data

Name, phone number, email address, content of the message

Data retention period

8 years pursuant to Section 169(1) and (2) of the Accounting Act

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· email system: Google Ireland Ltd. (registered seat: Gordon House, Barrow Street, Dublin 4, Ireland)

Source of data

The source of the personal data is the person making the inquiry and the customer

Method and consequence of providing data

Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to contact or correspond with you by email

  1. booking a wine tasting

Purpose of processing

Booking a wine tasting by email, phone, through the website, or through online booking platforms

Legal basis for processing

Article 6(1)(b) GDPR: necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract

Categories of Data Subjects

Customer

Scope of personal data

Name, phone number, email address

Data retention period

8 years pursuant to Section 169(1) and (2) of the Accounting Act

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· email system: Google Ireland Ltd. (registered seat: Google Building Gordon House, Barrow Street, Dublin 4, Ireland)

In the case of a booking made through an online booking platform, the personal data are also accessed, as an independent data controller, by the operator of that platform:

· Borindex Kft. (registered seat: 3200 Gyöngyös, Vármegyeház tér 1., company registration number: 10-09-038377)

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to ensure your participation in the wine tasting

  1. keeping of a guest book by Guests (on paper)

Purpose of processing

Keeping of a guest book by Guests after a wine tasting

Legal basis for processing

Article 6(1)(a) GDPR: consent

Categories of Data Subjects

Customer

Scope of personal data

Customer's name, personal note

Data retention period

Until withdrawal of consent

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller does not use any Data Processor(s)

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is voluntary. If you do not provide the personal data, you will not be able to write in the guest book

  1. registration

Purpose of processing

Registration, creation of a user account

Legal basis for processing

Article 6(1)(a) GDPR: consent

Categories of Data Subjects

Customer

Scope of personal data

Email address, name, confirmation that the Data Subject is of legal age

Data retention period

Until withdrawal of consent

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· hosting provider: Rackhost Zrt. (registered seat: 1132 Budapest, Victor Hugó utca 18-22., company registration number: 06-10-000489)

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is voluntary. If you do not provide the personal data, the Data Controller will not be able to accept the registration

  1. purchase of a product

Purpose of processing

Purchase of a product with or without registration

Legal basis for processing

Article 6(1)(b) GDPR: necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract

Categories of Data Subjects

Customer

Scope of personal data

Name, product, phone number, email address

Data retention period

8 years pursuant to Section 169(1) and (2) of the Accounting Act

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· hosting provider: Rackhost Zrt. (registered seat: 1132 Budapest, Victor Hugó utca 18-22., company registration number: 06-10-000489)

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to serve you

  1. sending system messages about an order

Purpose of processing

Sending system messages about an order (order confirmation, order status, etc.)

Legal basis for processing

Article 6(1)(b) GDPR: necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract

Categories of Data Subjects

Customer

Scope of personal data

Name, email address, order details

Data retention period

8 years pursuant to Section 169(1) and (2) of the Accounting Act

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· email service provider: Google Ireland Ltd. (registered seat: Google Building Gordon House, Barrow Street, Dublin 4, Ireland)

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to send you system messages

  1. delivery of a product

Purpose of processing

Delivery of the ordered product

Legal basis for processing

Article 6(1)(b) GDPR: necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract

Categories of Data Subjects

Customer

Scope of personal data

Name, phone number, email address, delivery address

Data retention period

8 years pursuant to Section 169(1) and (2) of the Accounting Act

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller does not use any Data Processor(s)

The personal data are also accessed, as an independent Data Controller, by the courier company:

· FoxPost Kft. (registered seat: 1068 Budapest, Dózsa György út 84. B. ép., company registration number: 01-09-423958). The company's privacy notice is available here:

https://foxpost.hu/
uploads/documents/hu

/adatkezelesi_tajekoztato.pdf

· Magyar Posta Zrt. (registered seat: 1138 Budapest, Dunavirág utca 2-6., company registration number: 01-10-042463)

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to deliver the ordered product to you

  1. payment of the price of a product or service

Purpose of processing

Payment of the price of a product or service in cash or by online bank card payment

Legal basis for processing

Article 6(1)(b) GDPR: necessary for the performance of a contract or in order to take steps at the request of the Data Subject prior to entering into a contract

Categories of Data Subjects

Customer

Scope of personal data

Name, product or service identifier, data related to online bank card payment

Data retention period

8 years pursuant to Section 169(1) and (2) of the Accounting Act

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· online bank card payment provider: Barion Payment Zrt. (registered seat: 1117 Budapest, Irinyi József utca 4-20. 2nd floor, company registration number: 01-10-048552)

In the case of withdrawal or a warranty claim in connection with a product purchase, upon refund of the purchase price the personal data are also accessed, as an independent Data Controller, by the Data Controller's account-keeping bank:

· OTP Bank Nyrt. (registered seat: 1051 Budapest, Nádor utca 16., company registration number: 01-10-041585); the Bank's privacy notice is available here: https://www.otpbank.hu/portal/hu/adatvedelem

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is necessary. If you do not provide the personal data, you will not receive the Data Controller's product

  1. invoicing

Purpose of processing

Issuing an invoice

Legal basis for processing

Article 6(1)(c) GDPR: compliance with a legal obligation: Section 159(1) of the VAT Act

Categories of Data Subjects

Customer

Scope of personal data

Name, address, tax number (for corporate customers), email address

Data retention period

8 years pursuant to Section 169(1) and (2) of the Accounting Act

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· invoicing software, operator of szamlazz.hu: KBOSS.hu Kft. (registered seat: 1031 Budapest, Záhony utca 7., company registration number: 01-09-303201)

· accountant: Magyar és Osztrák Kft. (registered seat: 9400 Sopron, Ferenczy János utca 5., company registration number: 08-09-009829)

Pursuant to Point 1 of Annex 10 to Act CXXVII of 2007 on Value Added Tax (VAT Act), the Data Controller supplies data to the National Tax and Customs Administration (NAV)

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is mandatory. If you do not provide the personal data, the Data Controller will not be able to comply with its statutory invoicing obligation

  1. product review

Purpose of processing

Displaying reviews from customers in connection with a product

Legal basis for processing

Article 6(1)(a) GDPR: consent

Categories of Data Subjects

Customer

Scope of personal data

Content of the review

Data retention period

Until withdrawal of consent, or for 30 days from withdrawal of consent

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller uses the following Data Processor(s):

· hosting provider: Rackhost Zrt. (registered seat: 1132 Budapest, Victor Hugó utca 18-22., company registration number: 06-10-000489)

Source of data

The source of the personal data is the customer

Method and consequence of providing data

Providing the data is voluntary. If you do not provide the personal data, the Data Controller will not be able to display your review

  1. contractual contact management

In respect of its contracted Partners (suppliers, customers), the Data Controller communicates and maintains its business relationship through the contact person specified in the contract.

Purpose of processing

Maintaining communication and cooperation for the purposes of the performance of the contract between the Data Controller and the Partner

Legal basis for processing

Article 6(1)(f) GDPR: legitimate interest

Categories of Data Subjects

Employee of the Partner (sole proprietor, Kft., Bt., Zrt.) designated as the contact person

Scope of personal data

Name, position, phone number, email address

Data retention period

Until the end of the 5th year following performance or termination of the contract

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller does not use any Data Processor(s)

Source of data

The source of the personal data is the Partner's contact person

Method and consequence of providing data

Providing the data is necessary. If you do not provide the personal data, the Data Controller will not be able to liaise with the Partner

  1. complaint handling

Purpose of processing

Handling of any complaint relating to a product

Legal basis for processing

Article 6(1)(c) GDPR: compliance with a legal obligation: Act CLV of 1997 on Consumer Protection

Categories of Data Subjects

Consumer

Scope of personal data

Name, home address, phone number, email address, place, time and manner of filing the complaint, detailed description of the complaint, list of documents, records and other evidence submitted by the consumer

Data retention period

3 years pursuant to Section 17/A(7) of the Consumer Protection Act

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller does not use any Data Processor(s)

Source of data

The source of the personal data is the consumer as complainant

Method and consequence of providing data

Providing the data is voluntary. If you do not provide the necessary data, it is possible that the Data Controller will not be able to investigate your complaint

  1. communication on social media platforms

Purpose of processing

Communication on social media platforms

Legal basis for processing

Article 6(1)(a) GDPR: consent

Categories of Data Subjects

Person registered on the social media platform

Scope of personal data

Name, public profile data

Data retention period

The processing takes place on the social media platform itself, so the privacy notice of the given platform is applicable

Data transfer

No data transfer under Articles 44-49 GDPR takes place

Recipients

The Data Controller does not use any Data Processor(s)

The Data Controller is a joint controller together with the operator of the social media platform; the name, registered seat, and privacy notice of the operator are set out in Section 7

Source of data

The source of the personal data is the registered person

Method and consequence of providing data

Providing the data is voluntary. If you do not provide the personal data, the Data Controller will not be able to communicate with you on social media platforms

  1. Data processing on the Website

The Website uses cookies.

A cookie is a file placed on your computer when you visit a website. A cookie is a package of information sent by the server to the browser, which the browser then returns to the server with each subsequent request, together with the data content specified by the server. The purpose of this is to save the internet settings of the website you have visited, so that if you visit the same website again from the same device, the site will already remember the settings you have configured.

Cookies have numerous functions. They are most often used for advertising, personalizing services, and analyzing website traffic.

Under the legislation currently in force, a cookie may only be stored on your device if it is absolutely necessary, i.e. indispensable for the operation of the website; these are referred to as "necessary cookies". The use of any other type of cookie requires your consent. You can view and configure the cookies currently used on the website in the pop-up window that appears when you enter the website.

Modern browsers allow you to modify cookie settings. Some browsers accept cookies automatically by default, but this setting can also be changed so that you can prevent automatic acceptance in the future. If you change this setting, the browser will thereafter offer you the option of configuring cookie settings every time.

Given that the purpose of cookies is to support and facilitate the usability and the processes of the website, if cookies are disabled it cannot be guaranteed that you will be able to make full use of all the functions of the website. In this case, the website may behave differently than intended in the browser. Further detailed information on cookie settings for the following browsers:

  1. Social Media

The Data Controller can be reached on the following social media platform(s).

The operator of the social media platform qualifies as an independent Data Controller; information on its processing is available at the following links:

Social media platform:

Name and registered seat of the Data Controller:

Availability of the privacy notice:

Facebook

Meta Platforms Ireland Ltd. (registered seat: Merrion Road, Dublin 4 D04 X2K5, Ireland)

https://www.facebook.com/privacy/explanation

Instagram

Meta Platforms Ireland Ltd. (registered seat: Merrion Road, Dublin 4 D04 X2K5, Ireland)

https://help.instagram.com/519522125107875/?helpref=hc_fnav

The Data Controller does not record or process, in its internal database and systems, any personal data of the users of the given social media platform.

  1. Access to the data

Personal data may be accessed by the Data Controller's authorized staff members, to the extent necessary for the performance of their duties.

  1. Data security measures

The Data Controller ensures, by means of appropriate IT, technical, and personnel measures, that the personal data it processes are protected against, among other things, unauthorized access or unauthorized alteration.

  1. Data Subject rights relating to the processing and their content

Data Subject right

relating to the processing

Content of the Data Subject right relating to the processing

Right to information

/Articles 13-14 GDPR/

You have the right to receive information about the fact and purposes of the processing at the time your personal data are obtained. The Data Controller shall also provide you with such further information as is necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. You must also be informed of the fact of profiling and its consequences.

Right of access

/Article 15 GDPR/

You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you have the right to be informed of:

· what personal data of yours

· on what legal basis

· for what processing purpose

· for how long

are processed by the Data Controller,

· to whom, when, on the basis of which legislation, and to which of your personal data access was granted, or to whom your personal data were transferred

· from what source your personal data originate (if not provided to the Data Controller by you)

· whether automated decision-making, including profiling, is applied, and, if so, the logic involved.

Right to rectification

/Article 16 GDPR/

You have the right to obtain from the Data Controller, without undue delay, the rectification of inaccurate personal data concerning you, or the completion of incomplete personal data. This means you may request that the Data Controller modify certain personal data (for example, you may change your email address or other contact details at any time).

Right to erasure ("right to be forgotten")

/Article 17 GDPR/

You have the right to obtain from the Data Controller the erasure of personal data concerning you, where one of the following grounds applies:

· the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed

· you withdraw the consent on which the processing is based pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, and there is no other legal ground for the processing

· you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR

· the personal data have been unlawfully processed

· the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the Data Controller is subject

· the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

Right to restriction of processing

/Article 18 GDPR/

You have the right to obtain from the Data Controller the restriction of processing, where one of the following applies:

· you contest the accuracy of your personal data (in which case the restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data)

· the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead

· the Data Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise, or defense of legal claims

you have objected to processing pursuant to Article 21(1) of the GDPR (in which case the restriction shall apply for the period pending the verification whether the legitimate grounds of the Data Controller override your legitimate grounds).

Right to data portability

/Article 20 GDPR/

You have the right to receive the personal data concerning you which you have provided to a Data Controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another Data Controller without hindrance from the Data Controller to which the personal data have been provided, where:

· the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR, or on a contract pursuant to Article 6(1)(b) of the GDPR, and

· the processing is carried out by automated means.

Where technically feasible, you have the right to request the direct transmission of your personal data between Data Controllers.

Right to object

/Article 21 GDPR/

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. In such a case the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes, including profiling to the extent that it is related to such direct marketing.

Right to withdraw consent

/Article 7(3) GDPR/

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You must be informed of this prior to giving consent. It shall be as easy to withdraw consent as to give it.

  1. Data Subject remedies relating to the processing and their content

Remedy

Content of the remedy

Right to lodge a complaint with a Supervisory Authority

/Article 77 GDPR/

If you consider that your right to the protection of your personal data has been infringed, you may lodge a complaint with the following Authority:

National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság)

registered seat: 1055 Budapest, Falk Miksa utca 9-11.

postal address: 1363 Budapest, Pf. 9.

phone: +36 (1) 391-1400

email: ugyfelszolgalat@naih.hu

website: www.naih.hu

Right to an effective judicial remedy against the Data Controller or the Data Processor (initiating court proceedings)

/Article 79 GDPR/

You are entitled to bring proceedings before a court against the Data Controller or Data Processor if you experience that your personal data have been processed unlawfully. The court shall deal with the case as a matter of priority. In this case, you may freely decide whether to bring your action before the regional court (törvényszék) having jurisdiction over your place of residence or your place of stay. Contact details of the regional courts: www.birosag.hu/torvenyszekek.hu

  1. Update of this Privacy Notice

The Data Controller reserves the right to unilaterally amend this Privacy Notice. This Notice may in particular be amended where required by a change in legislation, data protection supervisory practice, business needs, or other circumstances. Upon your request, the Data Controller will send you a copy of the Notice in force at any given time, in a format agreed with you.

Sopron, 15 August 2025