Complaints handling policy
Information on the internal abuse reporting system prepared in order to fulfil the information obligation of the Hévíz Palace Hotel Kft. (registered office: 8380 Hévíz, Rákóczi u. 1-3.) as an employer under Article 25 of Act XXV of 2023 on Complaints, Public Interest Reports and Rules for Reporting Abuse (hereinafter referred to as the Complaints Act).
1. Subject of the notifications
Information on unlawful or suspected unlawful acts or omissions or other forms of abuse may be reported to the internal abuse reporting system established by the employer.
Examples of the types of abuse that may be reported include, but are not limited to:
- workplace abuse: fraud, money laundering, bribery, kickbacks,
- retaliation at work, termination of employment, withholding of pay, undeclared work, forced labour,
- illegal work safety conditions or environmental abuse,
- harassment, discrimination, racism, sexual harassment, threats, intimidation,
- unfair competition,
- unfair contract terms,
- breach of a trade or professional secret.
2. Persons entitled to make a complaint
The persons entitled to file a complaint are defined in Article 20 (2-3) of the Complaints Act. According to these provisions, persons entitled to file a complaint are, for example, employees, former employees, members of the employer's staff, contractors, subcontractors, suppliers or persons under the control of a contractor, subcontractors, suppliers or agents, trainees and volunteers working for the employer.
3. Making the declaration
The notifier may make the notification in writing or orally. An oral notification may be made by telephone or in person using the contact details in point 9.
4. Investigation or non-investigation of the notification
The employer shall investigate the allegations made in the notification as soon as possible, but not later than 30 days after receipt of the notification. The 30-day time limit may be extended in particularly justified cases, provided that the notifier is informed at the same time.
The employer may refrain from investigating the notification if
(a) the notification was made by an unidentified notifier,
(b) the notification was not made by an authorised person,
(c) the notification is a repeat notification by the same notifier with the same content as the previous notification; or
(d) the harm to the public interest or to an overriding private interest would not be proportionate to the restriction of the rights of the natural or legal person concerned by the notification resulting from the examination of the notification.
5. Measures to remedy abuses
In the course of the investigation of the notification, the employer must examine and assess the relevance of the facts set out in the notification and take measures to remedy the abuses reported.
6. Information to the notifier following the notification
The whistleblower protection officer shall inform the whistleblower in writing of the investigation of the notification or the decision not to investigate the notification and the reasons for the decision not to investigate, the outcome of the investigation of the notification, and the action taken or planned. The written information may be waived if the whistleblower has been informed orally by the operator of the internal whistleblowing system and has taken note of the information.
7. Data management rules
The identity of the whistleblower, if he or she provides the information necessary to establish it, shall be kept confidential at all stages of the investigation. A separate privacy notice has been prepared by the employer on the handling of personal data processed in an internal abuse report.
8. Protection of whistleblowers
The protection of whistleblowers is governed by Articles 41-49 of the Complaints Act. According to these, any measure which is detrimental to the whistleblower and which is taken as a result of the lawful making of a report and which is taken in connection with the whistleblower's legal relationship or connection with the whistleblower is unlawful, even if it would otherwise be lawful.
The rights of protection of whistleblowers apply only to a notification made lawfully and in good faith. A whistleblower acting in bad faith is not entitled to the whistleblower protection rights under the Complaints Act. A whistleblower report cannot constitute a crime or an offence. When making a whistleblowing report, the whistleblower must observe the rules on defamation and libel.
9. The whistleblower protection officer
The Employer's internal whistleblowing system is operated by László Szabó.
Receiving whistleblowers
Via the whistleblowing system: https://platform.crespo.hu/form?fktu7sgt=3e70a575-09a5-433b-a814-8f307e001b8e
In person: 8380 Hévíz, Rákóczi u. 1-3., by prior arrangement on 06 83 542 140
By mail: 8380 Hévíz, Rákóczi u. 1-3.
By e-mail: panaszbejelentes@palacehotelheviz.hu
Hévíz, 10 December 2023.
Hévíz Palace Hotel Kft.
DATA MANAGEMENT INFORMATION
on the operation of the whistleblowing system
1. Name, location of the data controller; representative of the data controller
Name: Hévízi Palace Hotel Kft.
Registered office.
Legal representative: Edina Pémer, Managing Director
2. Data Protection Officer
László Szabó - szabolaszlo411@gmail.com
3. Definition of the data processed
- The data provided by the whistleblower, information about an unlawful or suspected unlawful act or omission or other misuse may be reported to the abuse reporting system. The internal abuse reporting system shall process the personal data of the whistleblower and the personal data of the person whose conduct or omission gave rise to the report and who has relevant information in relation to the report. All other personal data not covered by the foregoing shall be deleted from the notification system without delay.
4. Purpose and duration of data processing
The purpose of the processing is: solely to investigate the notification and to remedy or stop the conduct which is the subject of the notification.
Duration of processing: the data will be kept until the purpose specified above has been achieved.
5.
To fulfil a legal obligation. [Article 6(1)(c) GDPR] The controller is obliged to investigate and process the notification pursuant to Act XXV of 2023 on complaints, notifications of public interest and rules relating to the notification of abuse.
6.
- No processing will take place.
7. Transmission of data, recipients
Recipients: the personal data of the notifier may only be transferred to the public body or authority competent to conduct the procedure initiated on the basis of the notification, if such public body or authority is entitled to process the data by law or if the notifier has consented to the transfer of the data. The personal data of the notifier shall not be disclosed without his/her consent. If it has become apparent that the notifier has communicated false data or information in bad faith, his or her personal data shall be disclosed to the body or person entitled to initiate or conduct the relevant proceedings.
No transfer will be made to a third country or international organisation.
8. Legal basis for the transfer
- consent of the data subject
9. Duration of processing of personal data
- The data will be processed until the data subject's authorisation is withdrawn. The newsletter can be unsubscribed at the end of each newsletter, which also means that the data subject requests the deletion of his/her e-mail address.
10. Information on the rights of the notifier
The data subject has the right:
- to be informed by the controller whether or not his/her personal data are being processed and, if such processing is taking place, to have access to the personal data;
- to obtain, at his or her request and without undue delay, the rectification by the controller of inaccurate personal data relating to him or her;
- to obtain, at his or her request, the erasure by the controller without undue delay of personal data relating to him or her, the controller being obliged to erase such data without undue delay where other conditions are met;
- to have the controller restrict processing, upon request, where:
(a) the data subject contests the accuracy of the personal data (the restriction shall last until the controller verifies the accuracy of the personal data);
(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
(c) the controller no longer needs the personal data but the data subject requests them for the establishment, exercise or defence of legal claims;
(d) the data subject has objected to the processing; in this case, the restriction shall apply until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject;
- to receive personal data relating to him or her which he or she has provided to the controller in a structured and commonly used format and to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data, where the processing is based on voluntary consent or on a contract and is automated;
- to object at any time, where personal data are processed for direct marketing purposes, to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing;
- not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
11. Information on profiling, automated decision-making
- no profiling or automated decision-making takes place
12. Data storage, data security
The data controller and the organisation acting as a data processor shall store the data on its own computer equipment located at its headquarters or, in the case of a data processor, in a rented server park. The data controller and the data processor shall select and operate the IT tools they use in such a way that the data processed are accessible to those authorised to access them, their authenticity and authentication are guaranteed, their integrity is verifiable and they are protected against unauthorised access. The data shall be protected against unauthorised access, alteration, disclosure, transmission, erasure or destruction, against accidental destruction, damage or loss, and against inaccessibility resulting from changes in the technology used. The controller ensures the security of processing by technical and organisational measures which, having regard to the state of the art, provide a level of protection appropriate to the risks associated with the processing.
13. Right of recourse to public authorities:
The data subject may take the controller to court in the event of a breach of his or her rights. At the data subject's option, the lawsuit may be brought before the court of the place of residence or domicile of the data subject. The court will decide the case out of turn.
Legal remedies and complaints may be lodged with the National Authority for Data Protection and Freedom of Information:
Name: National Authority for Data Protection and Freedom of Information
Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf.: 5.
14. Contact details of the Privacy Policy
The Data Protection Policy of the Data Controller is available at the Data Controller's headquarters and on its website www.palacehotelheviz.hu.
