PRIVACY NOTICE

1. Data Controller’s Details and Data Protection Contact

Details of the Data Controller

The website available at https://firstbbq.hu/ (hereinafter referred to as the “website” or “webpage”) is operated by Ersaltima Vendéglátó és Rendezvényszervező Korlátolt Felelősségű Társaság.

Short name: Ersaltima Kft.
Company registration number: 01-09-991667 – registered by the Company Court of the Metropolitan Court of Budapest
Tax number: 24126067-2-42
Registered seat: 1074 Budapest, Dob utca 3.
Legal representative: László Turi, Managing Director
Website: https://firstbbq.hu/
Email: lac.turi80@gmail.com

(hereinafter referred to as the Data Controller)

The Data Controller is not required to appoint a Data Protection Officer; however, any inquiries related to data protection will be answered via the following contact:
Email: lac.turi80@gmail.com

↑ Back to top

2. Scope of Data Processing, Principles, and Possible Legal Bases

This Privacy Notice applies to data processing activities carried out by the Data Controller through or in connection with the services provided via the website. It also includes information related to events organized by the Data Controller.

The scope of this Notice covers visitors to the website, individuals who contact the Data Controller, subscribers to the Data Controller’s newsletter, purchasers of gift cards, individuals initiating restaurant reservations (including the contact persons specified in such reservations), and guests visiting the restaurant — all of whom are considered natural persons affected by data processing (hereinafter: “you” or the “Data Subject”).

In the case of events organized by third parties at the premises operated by the Data Controller, data processing is governed by a separate privacy notice provided by the respective third-party event organizer. The Data Controller is not responsible for such data processing activities.

The Data Controller reserves the right to unilaterally amend or supplement this Privacy Notice. The version available on the website shall always contain the current and applicable information regarding data processing.

Principles Applicable to the Processing of Personal Data

• processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);
• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

In all of its data processing activities, the Data Controller acts in accordance with the above principles and takes the necessary measures to be able to demonstrate compliance with these principles (“accountability”).

Legal Basis for the Processing of Personal Data

Personal data may only be processed if an appropriate legal basis is available. In the absence of a valid legal basis, data processing cannot be carried out lawfully. Such legal bases may include:

• compliance with a legal obligation applicable to the Data Controller (e.g. fulfilling invoicing obligations);
• the Data Subject’s consent for one or more specific purposes (e.g. consent to processing during contact or inquiry);
• legitimate interests of the Data Controller (e.g. cookies placed prior to obtaining consent);
• performance of a contract to which the data subject is party or steps taken at the data subject’s request prior to entering into a contract (e.g. contact details of an event representative);
• protection of vital interests of the data subject or another natural person (e.g. measures taken in the event of an accident).

↑ Back to top

3. Applicable Laws and Regulations

The Data Controller’s personal data processing activities are primarily governed by the following laws and regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR);
• Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.);
• Act V of 2013 on the Civil Code (Civil Code);
• Act CLV of 1997 on Consumer Protection (Consumer Protection Act);
• Act CXXVII of 2007 on Value Added Tax (VAT Act);
• Act C of 2000 on Accounting (Accounting Act);
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (E-Commerce Act).

↑ Back to top

4. Definitions

Data Controller: a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Data Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller.

Data Processing: the performance of technical tasks related to data processing operations, regardless of the methods and tools used for executing such operations or the place of application, provided that the technical task is performed on the data.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Data Subject’s Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.

Identifiable Natural Person: a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities must be in compliance with the applicable data protection rules according to the purposes of the processing.

Data Subject: any identified or identifiable natural person based on any information.

Third Party: a natural or legal person, public authority, agency or body other than the Data Subject, the Data Controller, the Data Processor and persons who, under the direct authority of the Data Controller or Processor, are authorised to process personal data.

Special Categories of Personal Data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

The Data Controller may, on a case-by-case basis, process health-related data concerning food allergies that the Data Subject explicitly discloses during contact, food ordering or table reservation. These data are not recorded or transmitted by the Data Controller and are used exclusively for the provision of the service.

Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Personal Data: any information relating to an identified or identifiable natural person. Any data that can be used — either alone or in combination with other data — to identify a natural person is considered personal data.

↑ Back to top

5. Cookie Management

The Data Controller uses cookies for the operation of the website and for collecting technical data related to visitors of the website.

The Data Controller provides a separate notice regarding the data processing activities carried out through the use of cookies, which is available on the website under the Cookie Notice menu item.

↑ Back to top

6. Electronic Surveillance System

An electronic surveillance and recording system operates at the FIRST Craft Beer & BBQ restaurant, with cameras installed at the entrances, counters, and guest areas of the restaurant. Further information regarding the exact locations of the cameras and the areas under surveillance is available in the CCTV Notice displayed on-site at the restaurant.

The Data Controller stores the recordings on a central server with enhanced data security measures in place to ensure that unauthorized persons do not have access to the footage.

The live camera feeds and recorded footage may only be accessed by the restaurant manager acting on behalf of the Data Controller.

Recordings are generally retained for 7 days, and data transfers based on the recordings occur only in the event of administrative or criminal proceedings, and exclusively to the competent authorities or courts conducting such proceedings. In case of an ongoing administrative or criminal procedure, the relevant recordings may be retained for a longer period as required for the purposes of the procedure.

↑ Back to top

7. Automated Decision-Making and Profiling

No automated decision-making takes place in the course of personal data processing.

The Data Controller does not engage in profiling activities.

↑ Back to top

8. Social Media Presence

The Data Controller maintains social media pages for the purpose of promoting the restaurant, sharing events and offers, and responding to messages and comments. Users can send comments, messages, and reactions at the following links:

• Facebook: https://www.facebook.com/FIRSTcraftbeerbbq
• Instagram: https://www.instagram.com/firstcraftbeer_bbq/
• TikTok: https://www.tiktok.com/@first.craft.beer.bbq
• Tripadvisor: Tripadvisor restaurant page
• Untappd: https://untappd.com/v/first-craft-beer-and-bbq/6883913

↑ Back to top

9. Personal Data Processed

Provision of Hosting Services

Purpose: Proper functioning of the website’s hosting services, backups, correct display of features and images.
Legal basis: GDPR Article 6(1)(f) and Section 13/A (3) of the E-Commerce Act.
Scope of data: Personal data provided by the Data Subject on the website.
Duration: Backups retained for a maximum of 5 years.

Table Reservation

Purpose: Managing reservations, preparing for guest arrivals, and — where applicable — providing services tailored to individual requests.
Legal basis: Data Subject’s consent (GDPR Article 6(1)(a)).
Scope of data: Typically name, phone number, email address; other data voluntarily shared.
Duration: Up to 3 years following service provision, or until consent is withdrawn (whichever occurs first).

Contact and Communication

Purpose: Responding to inquiries/requests and providing information on services (e.g. food and drink availability/ingredients, events).
Legal basis: Performance of a contract (GDPR Article 6(1)(b)).
Scope of data: Contact details provided (typically name, phone, email).
Duration: 2 years following completion of the reservation or event.

Issuance of Accounting Documents

Purpose: Issuing accounting documents with appropriate data content to meet legal obligations.
Legal basis: Compliance with a legal obligation (GDPR Article 6(1)(c)).
Scope of data: Last name, first name, address, email address.
Duration: For the period required by applicable retention laws or until deadlines in official requests expire.

Sending Newsletters (Sörlevél)

Purpose: Information about current offers, products, and events.
Legal basis: Data Subject’s consent (GDPR Article 6(1)(a)).
Scope of data: Name, email address, identifier, date/time of consent, delivery/dispatch info.
Duration: Until consent is withdrawn.

Complaint Handling

Purpose: Investigation, management, and response to complaints.
Legal basis: Compliance with a legal obligation (GDPR Article 6(1)(c)).
Scope of data: Complainant’s name, email, phone; complaint content.
Duration: 5 years (Section 17/A(7) of the Consumer Protection Act).

Investigation of Incidents

Purpose: Managing and documenting extraordinary incidents occurring at the restaurant premises.
Legal basis: Legitimate interests (GDPR Article 6(1)(f)). If health data are recorded: consent (GDPR Article 6(1)(a)); in case of employees: legal obligation (GDPR Article 6(1)(c)) per Section 64(4) of the Occupational Safety Act.
Scope of data: Name, address, phone; parent/guardian details (if applicable); date/time; injury/accident description; measures taken; first-aider’s name (if applicable); witnesses’ data; location of incident.
Duration: 5 years.

Provision of Restaurant Wi-Fi Access

Purpose: Providing internet access to guests.
Legal basis: Data Subject’s consent (GDPR Article 6(1)(a)).
Scope of data: Device type, username.
Duration: For the duration of the connection.

CCTV Surveillance System

Purpose: Protecting physical safety, property and high-value cash assets; preventing/detecting violations; investigating and evidencing offences.
Legal basis: Legitimate interests (GDPR Article 6(1)(f)).
Scope of data: Images and video of persons entering the premises.
Duration: 7 days from recording.

Guest Satisfaction Surveys and Publication of Testimonials

Purpose: Collecting guest experience data and promoting the restaurant.
Legal basis: Data Subject’s consent (GDPR Article 6(1)(a)).
Scope of data: Name and facial image of the reviewing guest; the personal opinion provided.
Duration: Until consent is withdrawn.

Social Media Presence and Communication

Purpose: Responding to comments/messages; promoting the restaurant.
Legal basis: Data Subject’s consent (GDPR Article 6(1)(a)).
Scope of data: Name of poster/sender; date/time of message.
Duration: Until consent is withdrawn.

Photos and Videos Taken at Events

Purpose: Promoting the restaurant and responding to comments/messages.
Legal basis: Data Subject’s consent (GDPR Article 6(1)(a)).
Scope of data: Facial image and video recordings of the Data Subject.
Duration: Until consent is withdrawn.

↑ Back to top

10. Recipients of the Data and Data Processors

The online platforms provided by the data processors used by the Data Controller may contain information originating from third parties who are not affiliated with the Data Controller. Such third parties may place content, cookies, or web beacons on the user’s device or use similar technologies to collect data. In these cases, the data processing is subject to the privacy policies and rules established by those third parties, and the Data Controller assumes no responsibility for such data processing activities.

↑ Back to top

11. Data Security Measures

In the course of its activities, the Data Controller implements the necessary access control, internal organizational, and technical measures to ensure that personal data cannot be accessed, deleted, extracted, or altered by unauthorized persons.

The Data Controller maintains a record of any personal data breaches and, where required, provides notification regarding such incidents.

Computers used by the Data Controller’s employees are protected by passwords, and its IT devices are equipped with firewall protection.

All computers owned by the Data Controller are secured with strong passwords and antivirus software. Servers are stored in locked, access-controlled, air-conditioned rooms. The Data Controller performs regular backups of its servers and disposes of IT equipment when justified and necessary.

In the case of data transfers, the reason for and time of access to the data are documented by the Data Controller, which also keeps records of its processing activities in accordance with the requirements of the GDPR.

↑ Back to top

12. Data Subjects’ Rights

You have the right to request information at any time — by post, electronically, or by phone — using the contact details provided in this Privacy Notice, regarding the personal data we process about you.

Upon your request, we will inform you about:

• the data we process,
• the purpose of the processing,
• the legal basis for the processing,
• the duration of the processing, and
• who receives or has received your data and for what purpose.

We will provide the requested information in writing, primarily via electronic means, within 30 days of receiving the request, unless you request a different method.

The provision of information is free of charge. If your request is clearly unfounded or excessive (e.g. repeated at short intervals), the Data Controller may charge a reasonable fee or refuse to act on the request, taking into account the administrative costs of providing the requested information or taking the requested action.

You have the right to object to the processing of your personal data at any time. We will review your objection as soon as possible, but no later than 30 days from its submission, and inform you of the decision.

Right to Erasure

The Data Controller will erase your personal data without undue delay if any of the following apply:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• you withdraw your consent and there is no other legal basis for the processing;
• you object to the processing and there are no overriding legitimate grounds for the processing (only applicable to processing based on legitimate interests);
• the personal data have been unlawfully processed;
• the personal data must be erased to comply with a legal obligation under Union or Member State law applicable to the Data Controller.

Right to Rectification

You have the right to request the rectification of inaccurate personal data. Upon such a request, the Data Controller will correct or supplement the relevant data.

Right to Restriction of Processing

You may request the restriction of processing of your personal data via the contact details provided in this Privacy Notice. The Data Controller will mark the data as restricted and ensure that they are handled separately from other data, if:

• you contest the accuracy of the personal data (restriction applies for the time necessary to verify accuracy);
• the processing is unlawful and you oppose the erasure of the data and request restriction instead;
• the Data Controller no longer needs the data for processing, but you require them for the establishment, exercise or defence of legal claims;
• you have objected to the processing (restriction applies until it is determined whether the Data Controller’s legitimate grounds override yours).

Right to Data Portability

You have the right to receive the personal data concerning you, which you have provided to the Data Controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller where the processing is based on your consent and is carried out by automated means. You may also request that we transmit the data directly to another controller, where technically feasible.

Withdrawal of Consent

If we process your personal data based on your consent, you may withdraw your consent at any time by contacting the Data Controller or the data protection contact person using the contact details provided in this Privacy Notice. Where applicable, the Data Controller also ensures that consent may be withdrawn through simpler means (e.g. via an “Unsubscribe” link in the newsletter). You may unsubscribe from the newsletter at any time by using the “Unsubscribe” function included in each message, or by a written or email request, which will be considered as a withdrawal of consent.

Accessibility on Request

If you are visually impaired or of advanced age, you may request that the Data Controller — via the contact details provided in this Privacy Notice or through the data protection contact person — provide a verbal explanation of the contents of this Privacy Notice or make it available in a large-print version.

Remedies

You also have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information:

1055 Budapest, Falk Miksa utca 9–11.
Website: www.naih.hu
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu

Alternatively, you may enforce your rights related to the processing of your personal data before the competent court in accordance with Act III of 1952 on the Code of Civil Procedure. You can find the competent court at: https://birosag.hu/birosag-kereso.

You may exercise the rights set out in this Privacy Notice at any time by contacting the Data Controller or the data protection contact person in writing (e.g. via email). In connection with your request, you may be asked to identify yourself or to provide additional personal information necessary to verify your identity and confirm your entitlement to exercise the right in question.

You can contact the Data Controller via the contact details provided in this Privacy Notice (firstcraftdob3@gmail.com), as well as through the designated data protection contact person.

↑ Back to top