INTRODUCTION

REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (henceforth “Regulation”), with regard to the protection of natural persons (henceforth “Data Subject”) concerning the processing and free movement of personal data, and to superseding Directive 95/46/EC, prescribes that the Data Controller (henceforth “Controller”) shall implement appropriate measures to make available any and all information and notices related to the processing of personal data to the Data Subject in a concise, transparent, intelligible, and easily accessible manner, in clear and easy-to-understand language. Furthermore, the Controller shall facilitate the exercise of the Data Subject’s rights.

The Controller's obligation to provide prior notice is also prescribed by Act CXII of 2011 on information self-determination and freedom of information.

By providing the information below, we are hereby complying with the Act’s prescription of our obligations.

The information shall be published on our Company’s home Web page, or sent to the Data Subject upon his/her request.

CHAPTER 1 – LEGAL BACKGROUND AND DEFINITIONS

  1. Sea World Divers Ltd. hereinafter discloses its data handling principles, and introduces the conditions it has formulated for itself and shall observe, as the Controller. Sea World Divers Ltd. (henceforth “Sea World Divers Ltd.”, “Company” or “Controller”), as the Controller, acknowledges the content of the present Policy it shall be bound by, and covenants that all of its data processing related to its present activities complies with applicable and operative regulations such as:
    • Regulation 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing and free movement of personal data, and to superseding Directive 95/46/EC (henceforth “General Data Protection Regulation” or “GDPR”);
    • Act CXII of 2011 on information self-determination and freedom of information (henceforth “Infotv.”);
    • Act CXIX of 1995 on the use of name and address information for the direct purpose of research and direct marketing (henceforth “Katv.”);
    • Act C of 2000 on accounting (henceforth “Számv.tv.”);
    • Act CVIII of 2001 on certain issues of electronic commerce and information society services (henceforth “Ekertv.”);
    • Act C of 2003 on electronic communication (henceforth “Eht.”);
    • Act XLVIII of 2008 on the basic requirements and certain restrictions of commercial advertising activities (henceforth “Grt.”);
    • Government Decree 213/1996 (XII.23.) on tour operator (travel organisation) and travel agent activity; and
    • Government Decree 281/2008. (XI.28.) on travel contract.
  2. Definitions

    Controller: Any natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purpose and means of the processing of personal data (“Controller” in the present Policy, unless otherwise stated, shall mean Sea World Divers Ltd.);

    Processing: Any operation or set of operations performed on personal data or on sets of personal data whether or not by automated means such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other means of making available, alignment or combination, restriction, erasure, or destruction;

    Processor: Any natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the Controller;

    Recipient: Any natural or legal person, public authority, agency, or any other body to whom personal data is disclosed by the Controller;

    GDPR: Regulation 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing and free movement of personal data, and to superseding Directive 95/46/EC;

    Data Subject: Any natural person whose personal data is used by the Controller (to perform data processing activities, including, among other things, clients, travellers, enquirers);

    Consent: Any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he/she signifies agreement to the processing of personal data relating to him/her by a statement or by clear, affirmative action;

    Supervisory authority or NAIH: National Authority of Data Protection and Freedom of Information;

    Email marketing (eDM, newsletter): Electronic message that solely contains advertisements, and materials for the purpose of soliciting business or for marketing, and that is sent by the Controller to multiple Data Subjects at once to the email addresses provided by them;

    Profiling: Any form of, whether automated or not, personal data processing that consists of the use of personal data to evaluate certain personal attributes related to any natural persons, in particular, to analyse or predict aspects concerning his/her performance at work, economic situation, status of health, personal preferences, interests, reliability, behaviour, location, or movements;

    Personal data: Any information that relates to any identified or identifiable natural persons (Data Subject); an identifiable natural person is someone who can be identified, directly or indirectly, in particular, by reference to an identifier such as name, identification number, location data, online identifier, email address, phone number, postal address, billing address, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

    Special categories of personal data: Personal data relating to race or ethnicity, political views, religious affiliation or ideology, or trade union membership; genetic and biometric data for the purpose of individual identification of natural persons; data concerning health; personal data related to the sexual life or sexual orientation of natural persons;

    Customer: Any natural person who demonstrates interest in the Controller’s products or services in person, on its Web site, by phone, or by any other means; who enters into a contractual agreement with the Controller for travel, services, or for any other purpose or in any other legal form.

CHAPTER 2 – NAME OF CONTROLLER

Issuer of the present Policy, who is also the Controller:

Company name: Sea World Divers Ltd.

Headquarters: Saket Elwaily Street, Emarat Mayo, Emara 7, Near Elgamaa El Omalya, Madint Nasr Cairo, Egypt

(henceforth “Controller”)

 

CHAPTER 3 – NAMES OF PROCESSORS

Processor: Any natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the Controller (Chapter 1, Article 4, § 8 of the Regulation). The Data Subject’s prior consent is not necessary for obtaining the Processor's services, but he/she must be notified. Accordingly, we provide the following information:

 

CHAPTER 4 – LEGAL BASIS OF DATA PROCESSING

The processing of personal data shall be lawful only if it has a legal basis prescribed in the Regulation. In the case of Sea World Divers Ltd., these are the following:

  1. Consent of Data Subject;
  2. Performance of contract; and
  3. Fulfillment of Controller's legal obligations.

 

CHAPTER 5 – INFORMATION ON CERTAIN DATA PROCESSING ACTIVITIES OF SEA WORLD DIVERS LTD.

5.1 – USER DATA PROCESSING FROM THE COMPANY'S WEB SITE, AND NOTIFICATION ON THE USE OF COOKIES

5.1.1 Web page Users must be notified on the Web page of the use of cookies, and their consent must be requested, except for cookies technically essential to the work process (session).

5.1.2 General information on cookies

  1. A cookie is a form of data that is sent (in a name-value pair format) from a Web site that is being accessed (visited), to the Web browser of the User (visitor, Data Subject) to be stored, allowing the content of the same Web page to be loaded at a later time. Cookies may have an expiration, may be deleted when the browser is closed, or may be stored indefinitely. During its lifespan, the cookie’s information will be transmitted by the browser to the server every time the User visits the Web site (with every HTTP request), thereby modifying the data on the User’s device.
  2. The reason behind cookies is that Web site services, due to their inherent nature, must identify every User (i.e. that the User has accessed the Web page) to be able to manage them accordingly in the future. The alarming aspect of this process is that the User is not always aware of it, and the cookies may be used to track the User by the Web site operator or by other service providers whose content is embedded in the Web page (e.g. Facebook, Google Analytics), thereby creating a User profile, in which case the cookie content is deemed personal data.
  3. Types of cookies
    • Session (technically strictly necessary) cookies: Without these cookies the Web site would simply not be functional. They are essential for being able to identify the User (i.e. process them), to see if they have accessed the site, what they have put into their shopping cart, etc. This is essentially the storage of a session ID. The other data is stored on the server, which is safer. There are security concerns if the cookie value is not generated properly: in that case there is a threat of session hijacking, so it is vital that the values are generated properly. According to other terminology, session cookies are cookies that are deleted after closing the browser (one session is the navigation of a browser from the time it is accessed to the time it is closed).
    • Tracking (functionality) cookies: These cookies store User preferences such as the format in which they want to view the Web page. These cookies are essentially data settings stored in the cookies.
    • Third-party (performance) cookies: Although they do not have much to do with performance, these are cookies that collect information on User behaviour, preferences, habits, time spent, and clicks on the visited Web page. These are usually applications belonging to a different domain, to a third party (e.g. Google Analytics, AdWords, Yandex.ru cookies). They are suitable for developing User profiles.

 

You can find information on Google Analytics cookies here:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

You can find information on Google AdWords cookies here:

https://support.google.com/adwords/answer/2407785?hl=hu

Accepting and allowing the use of cookies is not mandatory. You may adjust your browser settings to disable/block all cookies or to warn you if cookies are accessing your system. While most browsers automatically accept cookies by default, these settings may be changed to disable automatically accepting cookies, and to offer the choice to accept or to block cookies every time they are trying to access the site.

You can find information on the cookie settings of the most popular browsers here:

We must also emphasise that certain Web site functions and services may not work effectively without the use of cookies.

5.1.3 Information on cookies used on our Company Web site and on data generated when using our site

  1. Data processed during Web site use: During Web site use, our Company Web site may track and process the following data of the User and/or of the device used for browsing:
    • IP address of User;
    • Type of browser;
    • Operating system attributes of device used for browsing (e.g. language settings);
    • Time and date of Web site access;
    • Pages/subpages, features, services used; and
    • Clicks.
  2. We will store these data for 90 days maximum, and may be permitted to process them primarily for the investigation of security breaches/incidents.

  3. Cookies used on our Company Web page
    b.1 Session (technically necessary) cookies

    Purpose of data processing: To ensure the adequate functioning of the Web site. These cookies are necessary in order to enable Users to browse the Web site, to use its features and the services that can be accessed through the site easily and comprehensively, especially, among other things, to track User activities on any given page, or to identify logged-in Users during site access. The data processing period of these cookies is strictly restricted to the User’s use of the site at any given time. Cookies of this type are automatically erased from the User’s device after the end of a session, after closing the browser.

    Legal basis for data processing: Act CVIII of 2001 (Ekertv.) on certain issues of electronic commerce and information society services, Article 13/A. § (3), according to which the Provider (Controller), for the purpose of performing its services, shall be permitted to process personal data that are technically essential for the providing of services. The Provider, all other terms being equal, shall choose and at all times operate the tools applied during the providing of services related to information society in a manner during which processing of personal data shall only take place if it is absolutely necessary for the providing of the service and for the performance of other purposes prescribed by law, but only to the effect and for the duration that is necessary.

    b.2 Tracking (functionality) cookies

    These cookies track User preferences, such as the format in which they want to view the Web site. These cookies are essentially data settings stored in the cookies.

    Legal basis for data processing: User consent.

    Purpose of data processing: To increase service effectiveness and User satisfaction, and to provide easy Web site use.

    This data is primarily stored on the User’s device; the Web page can only access it and, through it, can (possibly) identify the User.

    b.3 Third-party (performance) cookies

    These are cookies that collect information on User behaviour, preferences, habits, time spent, and clicks on the visited Web page. These are usually applications belonging to a different domain, to a third party (e.g. Google Analytics, AdWords).

    Legal basis for data processing: User consent.

    Purpose of data processing: To analyse the Web page, to send marketing information.

     

5.2 – DATA PROCESSING RELATED TO COMMERCE ACTIVITIES BY SEA WORLD DIVERS LTD

 

Range of Data Subjects the data processing applies to: Customers of SEA WORLD DIVERS LTD

Purpose of data processing: The use of services provided by SEA WORLD DIVERS Ltd. and/or its partners, whether through travel agencies or online; entering into, performance of, and follow-up on contracts; billing; distribution of travel offers via email and/or telephone; contact for the purpose of direct marketing via direct mail and/or telephone.

Range of data being processed: Name; address; email address; phone number; phone call data; email data; birth date; gender; travel document (necessary for travel) data (e.g. identification number, expiry date); range of interests related to travel; travel companions’ names, gender, birth dates; special needs (e.g. lifestyle, diet, physical attributes); direct marketing consent document; data related to travel; date; signature.

Legal basis for data processing: According to Chapter 2, Article 6, § 1/b) of the Regulation, performance of a contract, and the steps to be taken at the request of the Data Subject prior to entering into a contract. In case of direct marketing activities via post, the legal basis for data processing shall be Article Grt. 6.§(4), and in case of telemarketing activities, Article Eht. 162.§. According to the legal basis, Chapter 2, Article 6, § 1/f of the Regulation, the recording and storing of telephone conversations is necessary for the purpose or legitimate interests pursued by SEA WORLD DIVERS Ltd.: a) for the substantiation of services ordered, contracts being entered into, and disclaimers (e.g. requests to unsubscribe, protests) made by Data Subjects via telephone; b) for enabling the subsequent reconstruction of interaction with the Data Subjects (e.g. complaints); c) for the practice and protection of SEA WORLD DIVERS Ltd.'s legal rights with regard to disputes. (Based on the balancing test, SEA WORLD DIVERS Ltd. has defined its legitimate interests above, and determined that the data processing it is to undertake is necessary for the validation of its legitimate interests, and that the interests, fundamental rights, and freedoms of the Data Subjects of the data processing do not override the Controller’s legitimate interest).

Duration (retention period) of data processing: Six years following the expiration of contract-related claims. Eight years in the case of accounting records generated during sales activities according to Decree Számv. tv. 169. §. In the case of indirect marketing activities, the retention period of data processing lasts until the objection/unsubscription of the Data Subject. The retention period of telephone conversations is one year from the date of the telephone conversation. The telephone numbers provided by Data Subjects requesting a call-back are erased following the call-back.

Recipients of processed data: When it is necessary for the use of the requested services, SEA WORLD DIVERS Ltd., following appropriate notification, shall transfer the necessary data to its contractual partners (e.g. insurance companies, lodging providers, transportation providers, air carriers, and other partners). In these cases the personal data of Data Subjects, depending on the location (outside of the EEA) of the service requested by the Data Subject, may be transferred to third countries as well.

Recipients of processed data related to tour operator (travel organisation) activities: In the case of the ordering and the use of services published by SEA WORLD DIVERS Ltd., as the tour operator, the personal data of Data Subjects shall be transferred to the service providers that are participants of the performance of the contract (depending on the ordered service: hotel where the accommodations are booked, air carrier providing air travel services or other transfer provider agencies, insurance company where the Data Subject's insurance policy is purchased, other agencies providing services that are ordered by the Data Subject). Furthermore, SEA WORLD DIVERS Ltd., as the travel agency, when ordering the services of and/or entering into contracts with other tour operators, shall transfer the personal data of Data Subject to the tour operator.

We must inform our customers that the validity of Data Subject's data, and the obtaining of consent for the processing of Data Subject’s data is the sole responsibility of the person who enters into contract for the service.

Data transfer to third countries: In the case of Data Subject’s data being transferred to third countries by SEA WORLD DIVERS Ltd., it shall, at all times, observe the provisions pursuant to Chapter 5 of the Regulation and:

(a) Shall transfer personal data to countries where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection; or

(b) Shall apply standard contractual clauses that have been issued by the European Commission for the transfer of data; or

(c) Shall transfer personal data during data transfer to the USA only to persons/entities who are participants of the EU-USA Data Privacy Shield which prescribes the adequate data protection safety level according to the Regulation. Data Subjects may contact the Controller at the contact information listed in Chapter 2 of the present Policy concerning data transfer provisions as they relate to them.

Data transfer to SEA WORLD DIVERS Ltd.: The ordering of services published by SEA WORLD DIVERS Ltd., as the tour operator, through travel agencies.

When entering into a contract, Data Subject's data shall be transferred to SEA WORLD DIVERS Ltd. by the travel agency, and with regard to this data, from then on SEA WORLD DIVERS Ltd. shall act according to the terms in Section 5.2 (5.2 – DATA PROCESSING RELATED TO COMMERCE ACTIVITIES BY SEA WORLD DIVERS Ltd.) of the present Chapter.

You may withdraw your consent to or remove yourself from receiving direct marketing messages (including direct mail) and/or being contacted by telephone in the following manners:

  • By post mail by returning a consent withdrawal to the address of SEA WORLD DIVERS Ltd., 1092 Budapest, Erkel utca 9;
  • By email by sending an email message to the address info@redseaboats.hu;
  • By phone by calling the number 0036/70/904-9975; or
  • In person in the office of SEA WORLD DIVERS Ltd.

5.3 DATA PROCESSING RELATED TO ELECTRONIC NEWSLETTER SENDING ACTIVITIES BY SEA WORLD DIVERS Ltd.

Range of Data Subjects: Persons subscribing to the newsletter.

Purpose of data processing: The sending of regular email newsletters to subscribers, that also contain business advertising; providing notification on current information and/or offers.

Legal basis for data processing: The voluntary consent of the subscriber according to Article Grt. 6.§(1) and Chapter 2, Article 6, § 1/a of the Regulation. The subscriber may, at any time, without explanation, withdraw his/her consent by unsubscribing from the newsletter, which does not affect the legality of the data processing based on the consent prior to the unsubscription.

Range of data being processed: Name; gender; birth date; telephone numbers; email address; travel practices, preferences; data processing consent; direct marketing consent document; date.

Duration (retention period) of data processing: Until the withdrawal of consent.

To unsubscribe from the newsletters:

  • By email by sending an email message to the address info@cassiopeiasafari.com;
  • By clicking the button “unsubscribe” or similar found at the bottom of the newsletter.

5.4 DATA PROCESSING RELATED TO COMPLAINT MANAGEMENT ACTIVITIES

Range of Data Subjects: Customers of SEA WORLD DIVERS Ltd.

Purpose of data processing: The investigation of customer complaints.

Legal basis for data processing: According to Chapter 2, Article 6, § 1/f of the Regulation, the legitimate interests of SEA WORLD DIVERS Ltd. with regard to the protection of its rights and to the investigation of complaints. (Based on the balancing test, SEA WORLD DIVERS Ltd. has defined its legitimate interests above, and determined that the data processing it is to undertake is necessary for the validation of its legitimate interests defined above, and that the interests, fundamental rights, and freedoms of the Data Subjects of the data processing do not override the Controller’s legitimate interests. Users may request further information on the balancing test and its details at the Controller’s contact information listed in Chapter 2 of the present Policy).

Range of data being processed: Name; names, gender, birth dates of travel companions; number of booked individuals on the trips; detailed description of complaints; number of individuals affected by the complaint; date and time the complaint is received; travel destination; date of travel; code of place of accommodation; the time and format for sending a reply; the claim for compensation, its amount and its form; value of chargeable expenses; date; signature.

Duration (retention period) of data processing: Six years following the expiration of contract-related claims. Data Subject’s rights with regard to data processing, including the right to complain, are as per the general information described in Chapter 7 of the present Policy.

5.5 SERVICE-RELATED CUSTOMER CORRESPONDENCE, DATA PROCESSING RELATED TO OFFER REQUEST ACTIVITIES

If customers of SEA WORLD DIVERS Ltd. raise questions or concerns during the use of the Controller's services, they may contact the Controller at the contact details listed in Chapter 2 of the present Policy.

Data provided by the User during request for an offer on the company's Web site shall not be registered on the server that operates the Web site, but shall be transferred via email by the server to the appropriate individuals. The emails received by SEA WORLD DIVERS Ltd., along with the sender’s name and email address, and any other voluntarily supplied personal data, shall be deleted by SEA WORLD DIVERS Ltd. after a maximum of six years following administration.

CHAPTER 6 – STORAGE METHOD OF PERSONAL DATA, DATA PROCESSING SECURITY

The computer technology systems and other data storage locations of SEA WORLD DIVERS Ltd. are located at its headquarters and at the Processor named in Section 3 of the present Policy.

SEA WORLD DIVERS Ltd. is aware of and fulfills the data security obligations and requirements prescribed by Chapter 4, Article 32 of the Regulation, and it has implemented internal measures and processes for the management of data protection incidents.

For the management of personal data, SEA WORLD DIVERS Ltd. chooses and operates the information technology tools applied during the providing of service in such a manner that the data being processed:

  1. Is accessible by any authorised persons (it is available);
  2. Has ensured integrity and authenticity (data management credibility);
  3. Has certifiable integrity (data integrity); and
  4. Is protected against unauthorised access (data confidentiality).

SEA WORLD DIVERS Ltd. ensures the protection of data processing safety by implementing technical, organisational, and institutional measures that ensure an adequate level of protection against potential risks with regard to data processing.

During data processing, SEA WORLD DIVERS Ltd. safeguards:

  1. Confidentiality: It protects data from unauthorised use, providing access only to those with authorisation;
  2. Integrity: It protects the accuracy and authenticity of data and of the data processing method;
  3. Availability: It ensures access to data requested by authorised Users, and the availability of the necessary tools for this action.

SEA WORLD DIVERS Ltd. has implemented the applicable data safeguarding measures:

  • Software protection of information technology systems;
  • Development and implementation of levels of accessibility;
  • Physical protection of data media—computers, storage devices, documents, contracts, statements, storage facilities; and
  • Requesting that employees who handle data processing sign a confidentiality agreement with regard to personal data. The administrator’s confidentiality obligations also include keeping documents and statements containing personal data waiting to be processed out of sight of unauthorised persons.

The information technology systems and networks of SEA WORLD DIVERS Ltd.'s partners are equally protected from computerised fraud, spying, sabotage, vandalism, fire and flood, computer viruses, computer break-ins, and denial-of-service attacks. The IT Provider ensures safety by the implementation of server-level and application-layer protection measures.

We inform Users that electronic messages transmitted via the Internet, regardless of protocol (email, Web, ftp, etc.), are vulnerable to network threats that may lead to dishonest activities, contract disputes, or the disclosure or alteration of information.

 

CHAPTER 7 – INFORMATION ON DATA SUBJECT RIGHTS AND JUDICIAL REMEDIES

Summary of Data Subject rights

  1. Right to transparent information, communication and facilitation of exercising Data Subject rights;
  2. Right to information where personal data are collected from Data Subject;
  3. Right to be informed and to information if the data about the Data Subject was not obtained by the Controller;
  4. Right to access;
  5. Right to rectification;
  6. Right to erasure (“right to be forgotten”);
  7. Right to restriction of data processing;
  8. Notification obligation regarding rectification or erasure of personal data, or restriction of data processing;
  9. Right to data portability;
  10. Right to object;
  11. Automated individual decision-making, including profiling;
  12. Restrictions;
  13. Right to notification of personal data breach;
  14. Right to lodge complaint with supervisory authority (right to judicial remedy);
  15. Right to effective judicial remedy against supervisory authority; and
  16. Right to effective judicial remedy against the Controller or Processor.

 

Detailed Data Subject rights

  1. Transparent notification and communication, and facilitation of exercising Data Subject rights
    • The Controller shall take appropriate measures to provide all information and communication relating to the processing of data to the Data Subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the Data Subject, the information may be provided orally, provided that the identity of the Data Subject is proven by other means.
    • The Controller shall facilitate the exercise of Data Subject rights.
    • The Controller shall provide information on action taken on a request with regard to the exercising of his/her rights, to the Data Subject without undue delay and in any event within one month of receipt of the request. This period may be extended by two additional months according to the terms of the Regulation. The Controller shall inform the Data Subject of any such extension.
    • If the Controller does not take action on the request of the Data Subject, the Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action, and on the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy.
    • Information and notification on Data Subject rights, and arrangements shall be provided free of charge by the Controller.

    Chapter 3, Article 12 of the Regulation contains the detailed provisions.

  2. Right to information where personal data are collected from Data Subject.
    • 2.1 Data Subject has the right to be informed about facts and notifications related to data processing ahead of the commencement of data processing. Data Subject shall be informed accordingly of the following:
      • Identity and contact information of the Controller and his/her representative;
      • Contact information of the data protection officer (if applicable);
      • Purpose of intended personal data processing, and the legal basis for data processing;
      • Legitimate interests of the Controller or a third party where data processing is based on validating legitimate interests;
      • Recipients or categories of recipients, if any, of personal data (who are being informed of the personal data); and
      • Where applicable, the fact that the Controller intends to transfer personal data to a third country or international organisation.
    • 2.2 In addition, the Controller shall provide the Data Subject with the following additional information necessary to ensure fair and transparent data processing:
      • Period during which the personal data is stored, or if not possible, the criteria used to determine this period;
      • Right of the Data Subject to request from the Controller access to, and rectification or erasure of personal data, or restriction of processing, to object to the processing of such personal data as well as the right to data portability;
      • Where data processing is based on the Data Subject’s consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of data processing based on consent before its withdrawal;
      • Right to lodge complaint with supervisory authority;
      • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the Data Subject is obligated to provide the personal data, and of the possible consequences of failure to provide such data; and
      • Existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic applied, as well as the significance and the envisaged consequences of such processing for the Data Subject.

    2.3 If the Controller intends to perform further processing of personal data for a purpose other than that for which the personal data were collected, the Controller shall provide the Data Subject, prior to that further processing, with information on that other purpose and with any relevant further information.

    Chapter 3, Article 13 of the Regulation contains detailed provisions on the right to be informed in advance.

  3. Notification of Data Subject and information provided to him/her where personal data have not been obtained from the Data Subject by the Controller.
    • 3.1 If the personal data have not been obtained from the Data Subject by the Controller, the Controller shall inform the Data Subject of the facts and information via contact information listed in Chapter 2 of the present Policy, as well as of the personal data categories of the Data Subject, the source of the personal data, and, when applicable, whether the source of data is publicly accessible. The Controller shall do so within one month from the time of obtaining the personal data; or, if personal data is used for communication with the Data Subject, at the latest at the time of the first communication with the Data Subject; or, if the data is shared with other recipients, at the latest when the personal data are disclosed.
    • 3.2 Further rules are regulated by the terms listed in the preceding Section 2 of the present Policy (Right to information).

      Chapter 3, Article 14 of the Regulation contains detailed provisions on this notification.

  4. Data Subject’s right to access
    • 4.1 The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him/her are being processed, and, where that is the case, has the right to access the personal data and information detailed in the preceding Sections 2 and 3 of the present Policy (Chapter 3, Article 15 of the Regulation).
    • 4.2 If personal data are transferred to a third country or to an international organisation, the Data Subject shall have the right to be informed of the appropriate safeguards pursuant to Chapter 5, Article 46 of the Regulation relating to the transfer.
    • 4.3 The Controller shall provide to the Data Subject a copy of the personal data undergoing processing. For any further copies requested by the Data Subject, the Controller may charge a reasonable fee based on administrative costs.

      Chapter 3, Article 15 of the Regulation contains detailed provisions on the Data Subject’s right to access.

  5. Right to rectification
    • 5.1 The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him/her.
    • 5.2 Taking into account the purposes of data processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

      Chapter 3, Article 16 of the Regulation contains these provisions.

  6. Right to erasure (“right to be forgotten”)
    • 6.1 The Data Subject shall have the right to obtain from the Controller the erasure of personal data concerning him/her without undue delay, and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
      • Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
      • Data Subject withdraws consent on which data processing is based, and where there is no other legal ground for data processing;
      • Data Subject objects to data processing and there are no overriding legitimate grounds for data processing;
      • Personal data have been unlawfully processed;
      • Personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject; or
      • Personal data have been collected in relation to the direct offer of information society services to children.
    • 6.2 The right to erasure shall not apply if data processing is necessary for:
      • Exercising the right of freedom of expression and information;
      • Compliance with a legal obligation which requires processing by Union or Member State law to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
      • Reasons of public interest in the area of public health;
      • Purpose of archiving in the public interest, purposes for scientific or historical research, or statistics in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of data processing; or
      • Establishment, exercise, or defence of legal claims.

        Chapter 3, Article 17 of the Regulation contains detailed provisions on the right to erasure.

  7. Right to restriction of data processing
    • 7.1 If data processing has been restricted, such personal data shall be processed, with the exception of storage, only with the consent of the Data Subject; or for the establishment, exercise or protection of legal claims; or for the protection of the rights of other natural or legal persons; or for reasons of important public interest of the Union or one of its Member States.
    • 7.2 The Data Subject shall have the right to obtain from the Controller restriction of data processing where one of the following applies:
      • The accuracy of the personal data is contested by the Data Subject, in which case the restriction applies to the time period that enables the Controller to verify the accuracy of the personal data;
      • The data processing is unlawful, and the Data Subject opposes the erasure of the personal data, and requests the restriction of their use instead;
      • The Controller no longer needs the personal data for the purposes of data processing, but they are required by the Data Subject for the establishment, exercise or protection of legal claims; or
      • The Data Subject has objected to the data processing in which case the restriction applies to the time period that enables verification whether the legitimate grounds of the Controller override those of the Data Subject.
    • 7.3 The Data Subject shall be informed by the Controller in advance of the lifting of the data processing restrictions.

      Chapter 3, Article 18 of the Regulation contains the applicable provisions.

  8. Notification obligation regarding the rectification or erasure of personal data, or the restriction of data processing

    The Controller shall communicate any rectification or erasure of personal data or restriction of data processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform the Data Subject about those recipients at the request of the Data Subject.

    Chapter 3, Article 19 of the Regulation contains these provisions.

  9. Right to data portability
    • 9.1 According to the terms of the Regulation, the Data Subject shall have the right to receive the personal data concerning him/her, which he/she has provided to a Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another Controller without hindrance from the Controller to whom the personal data have been provided, if:
      • Data processing is based on consent or on a contract; and
      • Data processing is carried out by automated means.
    • 9.2 The Data Subject shall have the right to have the personal data transmitted directly from one Controller to another.
    • 9.3 The exercise of the right to data portability shall be without prejudice to Chapter 3, Article 17 of the Regulation (right to erasure or “right to be forgotten”). That right to data portability shall not apply to data processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

      This right shall not adversely affect the rights and freedoms of others.

      Chapter 3, Article 20 of the Regulation contains the detailed provisions.

  10. Right to object
    • 10.1 The Data Subject shall have the right to object, on grounds relating to his/her particular situation, at any time to the processing of personal data concerning him/her which is based on Chapter 2, Article 6, § 1/e and § 1/f, including profiling based on those provisions. In this case the Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the data processing which override the interests, rights, and freedoms of the Data Subject, or for the establishment, exercise, or protection of legal claims.
    • 10.2 If personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to the processing of personal data concerning him/her for such purpose, which includes profiling, to the extent that it is related to direct marketing. If the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data shall no longer be processed for such purposes.
    • 10.3 At the latest at the time of the first communication with the Data Subject, these rights shall be explicitly brought to the attention of the Data Subject, and the related information shall be presented clearly and separately from any other information.
    • 10.4 The Data Subject may exercise his/her right to object by automated means using technical specifications.
    • 10.5 If personal data are processed for scientific or historical research purposes, or for statistical purposes, the Data Subject, on grounds relating to his/her particular situation, shall have the right to object to the processing of personal data concerning him/her, unless the data processing is necessary for the performance of a task carried out for reasons of public interest.
  11. Automated individual decision-making including profiling
    • 11.1 The Data Subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her, or similarly affects him/her significantly.
    • 11.2 This right shall not apply if the decision:
      • Is necessary for entering into, or performance of, a contract between the Data Subject and the Controller;
      • Is authorised by Union or Member State law to which the Controller is subject, and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests; or
      • Is based on the Data Subject’s explicit consent.
    • 11.3 In the cases referred to in points (a) and (c) of the preceding Paragraph, the Controller shall implement suitable measures to safeguard the Data Subject’s rights and freedoms, and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his/her point of view, and to contest the decision.

      Chapter 3, Article 22 of the Regulation contains further provisions.

  12. Restrictions

    Union or Member State law to which the Controller or the Processor is subject may restrict, by way of a legislative measure, the scope of the obligations and rights (Chapter 2, Article 5; Chapter 3, Articles 12 to 22; Chapter 4, Article 34 of the Regulation) in so far as its provisions correspond to the rights and obligations, when such restrictions respect the essence of the fundamental rights and freedoms.

    Chapter 3, Article 23 of the Regulation contains the provisions for such restrictions.

  13. Communication of personal data breach to the Data Subject
    • 13.1 If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the Data Subject without undue delay. The communication to the Data Subject shall describe in clear and plain language the nature of the personal data breach, and contain at least the following:
      • Name and contact information of the data protection officer or other contact point where more information can be obtained;
      • Description of the likely consequences of the data breach; and
      • Description of measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
    • 13.2 The communication to the Data Subject referred to in Section 13.1 in Chapter 7 of the present Policy, shall not be required if any of the following conditions are met:
      • The Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
      • The Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialize; or
      • It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the Data Subjects are informed in an equally effective manner.

        Chapter 4, Article 34 of the Regulation contains further provisions.

  14. Right to lodge complaint with supervisory authority (right to judicial remedy)

    If the Data Subject feels that SEA WORLD DIVERS Ltd. has processed his/her personal data in a manner that is non-compliant with the Regulation, SEA WORLD DIVERS Ltd. recommends that the Data Subject contact, without delay, the Company at any of its contact information listed in Chapter 2 of the present Policy to clear up and peacefully settle the issue at the earliest convenience.

    If this does not result in a mutually acceptable outcome, or the Data Subject does not want to take this kind of action, he/she has the right, without prejudice to other administrative or judicial remedies, to lodge a complaint with NAIH (National Authority for Data Protection and Freedom of Information), or with any other data protection authority in the jurisdiction of the Data Subject’s usual residence, workplace, or of the location of the suspected infringement.

    The Data Subject may also bring the action before the courts in case of an infringement (the trial falls under the jurisdiction of the court) and may decide whether to start proceedings before the court in the jurisdiction of his/her home address or residence.

    The Data Subject has the right to lodge a complaint with a supervisory authority, especially in the Member State where he/she resides, or works, or where the suspected infringement has taken place, if, according to the Data Subject, the processing of data related to him/her infringes on the Regulation. The supervisory authority with whom the complaint has been lodged shall inform the Data Subject of any developments with regard to the complaint, and of the result thereof, including that the Data Subject has the right to judicial remedies.

    IN CLOSING

    If any of our Users or Customers raise questions that are not clear based on the present General Data Protection Policy, we ask them to write to us at any of our contact details listed in Chapter 2 of the present Policy, and we will answer these questions.

     

    Valid: from May 22, 2018 until withdrawal or modification