Electronic Surveillance System

Privacy Notice on the use of an electronic surveillance system

1. Details of the data controller
Data controller: Blue Guava Technology Kft. (in the future: Data Controller)

Registered seat: H-1158 Budapest, Neptun utca 39/1.

Site: H-1143 Budapest, Ilka utca 31. B. ép. 3. em.

Corporate registration number: 01-09-307922

Tax number: 26209168-2-42

Website: www.guava.blue

Contact details of the Data Protection Officer: gdpr@guava.blue

Telephone: 06-30/478-9243

2. General legislative provisions serving as a legal basis for data processing

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (hereinafter: Regulation or GDPR)
  • Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Act on Privacy)
  • Act CXXXIII of 2005 on Security Services and the Activities of Private Investigators (hereinafter: Act on Security Services)

3. Definitions
Personal data: means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data includes, in particular: name, address, place, and date of birth, mother’s name.

Processing: means any operation or set of operations which is performed on personal data or stages of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data processor: means the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.

Recipient: means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.

4. Operator of the camera system: the Data Controller

5. Place of data processing and storage
The camera recordings are made and stored at the site of the Data Controller. The Data Controller operates a camera system exclusively on the following property:

  • site: H-1143 Budapest, Ilka utca 31 B. 3. em

6. The purposes of data processing
Purposes of operating the camera system:

  • preserving, protecting, and securing the lives, physical integrity, and personal freedom of individuals entering and staying in the area (guests, customers, employees) and
  • the tangible assets of the Data Controller.

The electronic surveillance system records and stores personal data and images following the effective legislations. Data processing is not aimed at observing the persons staying on the premises. The Data Controller does not operate cameras in places prohibited by law (for example, locker rooms, toilets, dining halls, or smoking areas).

7. Scope of personal data processed
The Data Controller records and stores the Data Subject’s picture, which can be obtained by a camera image.

8. The legal basis of data processing: legitimate interest based on Article 6 (1) f) of the GDPR<

9. Duration of data processing: 7 days from recording

10. Data recording

Personal data is obtained from the Data Subject. The Data Controller does not process personal data that has not been collected from the Data Subject.


11. Sub-controllers, joint data processing
The Data Controller shall not engage additional sub-controllers for the processing of data. Joint data processing will not be performed in the course of operating the electronic surveillance system.

12. Engagement of a Data Processor
The Data Controller shall not engage Data Processors to process data in operating the electronic surveillance system.

13. Data transfer
The Data Controller shall not transfer personal data to other recipients. In data processing, data transmission does not occur to EEA countries or a third country or organization. Data transfers are only performed based on the requirements set out in the legislation in force, in a documented manner (e.g., based on official or judicial requests).

14. Access to data
The Data Controller’s competent staff can access personal data to the extent necessary for their duties’ performance.

15. Data security measures
The Data Controller shall ensure adequate IT, technical and personnel measures to protect the processed personal data, including protecting the personal data against unlawful access or unauthorized alterations.

16. Data subject rights and their content relating to data processing

With concern to the processing of personal data recorded and stored, the Data Subject shall be entitled to contact the Data Controller at the contact details defined in section 1 of this Notice and exercise the rights set out under Chapter III of the GDPR, in particular the following:

  • right to object
  • right of access (consultation)
  • right to erasure
  • right to restriction (blocking)
  • right to object




Data subject rights relating to data processing

Content of data subject rights relating to data processing
Right to be informed

/GDPR, Article 13-14/

You have the right to be informed about the fact and purpose of data processing at the time when personal data are obtained. The Data Controller provides you with additional information necessary to ensure fair and transparent data processing, taking into account the specific circumstances and context of personal data processing. You must also be informed about any profiling and its consequences.


Right of access

/GDPR, Article 15/

You are entitled to receive confirmation as to whether your personal data are being processed. If such data processing is in progress, you will be entitled to be granted access concerning:

·     what personal data

·     on what legal basis

·     for what processing purposes

·     for how long

are processed by the Data Controller

·     who to, when, and based on which legislation did the Data Controller provide access to your personal data or who were they transmitted to

·     what source do personal data originate from (if it was not you that provided them to the Data Controller)

·     whether you apply automated decision-making and its logic, including profiling as well.


Right to erasure (“right to be forgotten”)

/GDPR, Article 17/

You have the right to obtain from the Data Controller the erasure of your personal data where one of the following grounds applies:

·     your personal data are no longer necessary about the purposes for which they were collected or otherwise processed

·     you withdraw your consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and there is no other legal ground for the processing

·     you object to data processing based on Article 21 (1), and there is no overriding legitimate reason for the processing of data, or you object to data processing based on Article 21 (2)

·     your personal data have been unlawfully processed

·     your personal data must be deleted to comply with a legal obligation imposed by EU or Member State law applicable to the Data Controller

·     the collection of your personal data is performed to offer information society services, as referred to in Article 8 (1).




Right to restriction

/GDPR, Article 18/

You have the right to obtain from the Data Controller the restriction of your personal data where one of the following grounds applies:

·     The accuracy of your data is contested by you (in this case, the regulation applies to the period which allows the Data Controller to verify the accuracy of the personal information)

·     the data processing is unlawful, and you oppose the erasure of the data and request the restriction of their use instead

·     the Data Controller no longer needs the personal data for data processing, but you require them to present, exercise, or defend a legal claim

In light of Article 21 (1), you objected to data processing (in this case, the restriction applies to the period necessary to determine whether the Data Controller’s legitimate reasons override your legitimate reasons).


Right to object

/GDPR, Article 21/

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you, which is based on point (e) or (f) of Article 6 (1), including profiling based on the referred provisions. In this case, the Data Controller shall not continue to process your personal data, except where the Data Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims.

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing purposes, which includes profiling to the extent that it is related to such direct marketing.


Right to consultation and blocking

Only authorized persons may consult the camera recordings. Consultation and blocking may only be performed in a documented manner; therefore, the Data Controller shall record minutes on such activities in all cases. The person who’s right or legitimate interest is affected by making the recording, after verification of their identity in a credible manner, may request that the Data Controller not dispose of or delete the recording within the retention period. The Data Controller shall decide on the request as promptly as possible. The designated recording must be saved and transferred to the person specified by the Data Controller, who will ensure its proper guarding. Upon request by courts or other authorities, the Data Controller shall send the recorded material to the court or other authority without delay.

17. Legal remedies for data subjects relating to data processing, and their content

Legal remedy Content of the remedy
Right to complain with a supervisory authority

/GDPR, Article 77/

If your right to the protection of personal data is infringed, you may complain to the following Authority:

Hungarian National Authority for Data Protection and Freedom of Information

registered seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C.

postal address: H-1530 Budapest, Pf.: 5

telephone: +36 (1) 391-1400


website: www.naih.hu


Right to effective judicial remedy against a controller or processor (initiation of court proceedings)

/GDPR, Article 79/

You are entitled to go to court against the Data Controller or the Data Processor if you experience your personal data’s unlawful processing. The court will give priority to the case. In such cases, you are free to decide whether to submit your request to the tribunal of your domicile or your residence. Contact details of the tribunals:  https://birosag.hu/torvenyszekek.