Zum Hauptinhalt springen

Datenschutzerklärung
Citadella Experience

Introduction

This notice summarises the personal data processed by City Memories Management Kft., operating under the name Citadella Experience – Citadella Café, Citadella Gift Shop, Citadella Chimney Cake & Gelato, Liberty Gift Shop and Liberty Café, as well as the website listed below (hereinafter: "Data Controller") – including the purposes, legal bases and retention periods of such processing. This document complies with the information obligation set out in Article 13 of Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR), which requires data controllers to inform data subjects, inter alia, of the identity of the controller, the purposes and legal bases of processing, the retention periods, the recipients, transfers to third countries, and the rights of data subjects.

Data Controller Details

  • Name: City Memories Management Korlátolt Felelősségű Társaság (short name: City Memories Management Kft.)

  • Registered office: 1024 Budapest, Margit körút 5. Building A, Floor 3, No. 1

  • Website: citadellaexperience.hu

  • Company registration number: 01 09 285923 (Metropolitan Court of Registration).

  • Tax number: 25417269 2 41

  • E mail: Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein..

  • Supervisory authority: National Authority for Data Protection and Freedom of Information (NAIH), 1055 Budapest, Falk Miksa utca 9 11, www.naih.hu.

General Information on the Processing of Personal Data

The Data Controller processes only such data as are necessary for the performance of its services, for ensuring the safety, comfort and satisfaction of guests, or for compliance with its legal obligations. In the course of processing personal data, the Data Controller observes the principles of lawfulness, transparency, purpose limitation, data minimisation and accuracy, and applies technical and organisational measures that guarantee the adequate security of personal data.

1. Closed-Circuit Television (CCTV) Surveillance System

Purpose and legal basis: The CCTV system operating on the premises serves the purpose of protecting the physical safety and property of guests and employees. The recording is based on the legitimate interest of the Data Controller (Article 6(1)(f) GDPR). Footage from this camera system is stored for 5 days.

Data processed: Image recordings captured by the cameras, which may include the face, movements and the time of recording of the data subject. No audio recordings are made.

Data subjects: Visitors, employees and suppliers of the restaurant and terrace.

Location of cameras: Cameras are installed at entrances, in guest areas, common areas and corridors. The field of view of the cameras covers only the premises of the restaurant; public areas, restrooms and changing rooms are not monitored. Visitors are informed of the CCTV surveillance by conspicuous notices displayed in the entrance area of the restaurant and on the website.

Retention period: Recordings are retained for 5 days and then automatically deleted, unless retention is required for the enforcement of a legal claim or for regulatory proceedings.

Access: Access to the recordings is restricted to the management of the Data Controller and to employees designated for security duties. Recordings are disclosed to external parties only in the event of a lawful obligation (police, court).

Consequence of data provision: The provision of data arising from CCTV surveillance is associated with entry onto the premises; the data subject is not obliged to enter the premises, and enters the monitored area with knowledge of this notice.

2. Newsletter and Marketing

Purpose: Through the restaurant's newsletter service, guests receive offers, event notifications and promotions.

Legal basis: The processing of the e mail address and name is based on the consent of the data subject (Article 6(1)(a) GDPR). The data subject may withdraw their consent at any time by using the unsubscribe link in the newsletter or by contacting Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein..

Data processed: Name, e mail address, and interaction data measured by the newsletter system (e.g. opens, clicks) for the purpose of measuring the effectiveness of marketing activities.

Retention period: Data are processed for as long as the data subject remains subscribed to the newsletter or until consent is withdrawn.

Access: The data are used by the restaurant's marketing team and management. For the purposes of sending electronic newsletters and measuring related interactions, the Data Controller engages a newsletter service provider acting as a data processor; the details of the service provider are set out in the section of this notice concerning data processors.

Consequence: Subscription to the newsletter is voluntary; in the absence of a subscription, the data subject will not receive marketing messages.

3. Loyalty Programme and Guest Relationship Management System (CRM)

Purpose: The restaurant's loyalty programme enables returning guests to receive personalised offers and discounts, and allows the restaurant to track consumption habits for the purpose of improving its services.

Legal basis: The legal basis for processing is the performance of a contract (Article 6(1)(b) GDPR) in the case of a membership agreement concluded with the guest, and consent (Article 6(1)(a) GDPR) where the data subject voluntarily provides data for marketing purposes.

Data processed: Name, e mail address, telephone number, consumption and visit data (e.g. dates of visits, products consumed), configured preferences, and, as special category data, food allergies or specific dietary information, which are processed only with the express consent of the data subject.

Retention period: For the duration of the membership programme, but no longer than 1 year from the last activity (e.g. last purchase). The data of a data subject who withdraws consent will be deleted within 30 calendar days.

Access and data processors: For the operation of the guest relationship management system, the Data Controller engages SevenRooms Inc. (245 Park Avenue, 39th Floor, New York, NY 10167, USA). The service provider transfers personal data to the USA; the transfer is carried out on the basis of the EU USA Data Privacy Framework, adopted by the European Commission on 10 July 2023, which ensures that certified US companies provide an adequate level of data protection. The data subject may verify whether the service provider holds a valid certification and may exercise their rights of access, rectification or erasure within the framework. In addition, the CRM system is accessible to the restaurant's marketing team.

Consequence: Participation in the loyalty programme is voluntary; in the absence of such processing, the guest will not benefit from the advantages of the loyalty programme.

4. Satisfaction Measurement (Guest Survey Research)

Purpose: For the purpose of improving services and the customer experience, the Data Controller sends satisfaction questionnaires to guests or provides an opportunity to complete online reviews.

Legal basis: Consent (Article 6(1)(a) GDPR).

Data processed: E mail address, telephone number (if provided), the guest's feedback, ratings, and any responses. The questionnaire may also be completed anonymously.

Retention period: 1 year from the submission of responses, or until withdrawal of consent. Anonymised statistical data may be retained for a longer period.

Access: The results are accessible solely to the management and marketing team of the Data Controller. Where an external research firm is engaged, the Data Controller ensures by contract that the data are treated as confidential and may not be used by the third party for any other purpose.

Consequence: Completion of the questionnaire is voluntary; failure to complete it does not entail any disadvantage.

5. Technical Data of the Website and Cookies

During the use of the website www.citadellaexperience.hu, the system may automatically record certain technical data and may place cookies on the user's device. Some cookies are essential for the functioning of the website (session cookies, basket cookies), while others serve statistical, analytical or marketing purposes.

Legal basis: In the case of necessary cookies, processing is based on the legitimate interest of the Data Controller or on the performance of a contract (Article 6(1)(b) and (f) GDPR). The use of statistical and marketing cookies is based on consent, which the visitor may grant or refuse in the cookie management pop-up displayed upon the first visit.

Data processed: IP address, cookie identifier, browser and device data, website usage data (e.g. pages visited, time spent on a given sub-page), and, in the case of marketing cookies, information relating to the user's behaviour.

Service providers (data processors) involved in cookie management:

  • Google Ireland Limited (Barrow Street, Dublin 4, Ireland) – Google Analytics (GA4) and Google Ads. Through the use of Google's services, anonymous statistics are compiled and remarketing advertisements are displayed. Google may transfer data to the USA. The transfer is carried out on the basis of the EU USA Data Privacy Framework adopted on 10 July 2023 or, where necessary, on the basis of standard contractual clauses approved by the European Commission.

  • Meta Platforms Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – Facebook Pixel. A marketing cookie enabling remarketing advertisements. Data may be transferred to the USA pursuant to the Data Privacy Framework or standard contractual clauses.

  • Cookie consent management systems – A solution (e.g. Cookiebot or a similar service) is applied that enables the user to accept or refuse cookies by category.

Retention period: Session cookies expire upon closure of the browser; analytical cookies are stored for 14 months; marketing cookies are stored for a maximum of 6 months, where the visitor has given consent.

Consequence: If the user does not accept statistical and marketing cookies, all functions of the website remain accessible, but personalised content and advertisements will not be displayed.

6. Table Reservations

Purpose: Guests may make table reservations through the restaurant's online, telephone or in-person reservation system.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR), as a reservation gives rise to a service contract. In the case of special category data (e.g. food allergy, diet), the legal basis for processing is the express consent of the data subject (Article 9(2)(a) GDPR).

Data processed: Name, e mail address, telephone number, date and time of reservation, number of guests, preferences (e.g. type of table), and any food allergy or special dietary requirement. Bank card data are not processed at the point of payment; payment takes place on the secure payment interface of a payment service provider (Stripe).

Data processors:

  • SevenRooms Inc. – online reservation module, see above.

  • Stripe Inc. (354 Oyster Point Boulevard, South San Francisco, CA 94080, USA) – online payment processor. Stripe stores the card data necessary for the transaction in the USA; the transfer takes place on the basis of the Data Privacy Framework or standard contractual clauses. Stripe holds PCI DSS certification in compliance with European data processing requirements.

Retention period: Reservation data are retained for 2 years following completion of the reservation. Data relating to food allergies are processed for no longer than the date of the reservation.

Consequence: In the absence of the required data, a table reservation cannot be made. Sensitive data (food allergy) need not be provided, but disclosure is recommended by the restaurant in the interest of protecting the guest's health.

7. Event Bookings (Event and Venue Hire)

Purpose: Organisation of corporate or private events, hire of ballroom and salon.

Legal basis: Performance of a contract (Article 6(1)(b) GDPR), and legitimate interest (Article 6(1)(f) GDPR) in the context of administration related to the contract (e.g. invoicing, debt recovery).

Data processed: Name, company name (in the case of a corporate event), contact details of the contact person (telephone, e mail), event details (date, time, number of attendees, menu), payment data (advance payment, deposit), invoicing data.

Data processors:

  • Tripleseat Software LLC (55 Middlesex Turnpike, Bedford, MA 01730, USA) – event booking platform. The transfer of data to the USA takes place on the basis of the Data Privacy Framework or standard contractual clauses.

  • Stripe Inc. – payment processing.

Retention period: 1 year following performance of the contract. Invoicing data are retained for at least 8 years in accordance with accounting legislation.

Consequence: In the absence of the data required for an event booking, the service cannot be provided. The processing of certain data is required by law for invoicing purposes.

8. Data Processors and Recipients

The table below summarises the individual data processors and the activities they perform:



Data Processor and Address

Activity / Service

HG BackOffice Kft. (1024 Budapest, Margit körút 5. Building A, Floor 3, No. 1)

Accounting, payroll administration, tax matters

KBOSS.hu Kft. (1031 Budapest, Záhony utca 7.)

Invoicing software (issuance of invoices)

Rackforest Zrt. (1132 Budapest, Victor Hugo utca 11.)

Web hosting, backup

Connect Things Kft. (1116 Budapest, Nádudvar utca 7.)

IT maintenance and operation

Google Ireland Ltd. (Barrow Street, Dublin 4, Ireland)

Analytics, online advertising (Google Analytics/Ads)

Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland)

Online advertising (Facebook Pixel)

SevenRooms Inc. (245 Park Avenue, New York, NY 10167, USA)

CRM, table reservations, and newsletter distribution

Stripe Inc. (354 Oyster Point Blvd., South San Francisco, CA 94080, USA)

Online payment processing

Tripleseat Software LLC (55 Middlesex Turnpike, Bedford, MA 01730, USA)

Event booking system

HAMU és Gyémánt Kft. (1024 Budapest, Margit körút 5. Building A, Floor 3, No. 1)

Marketing and public relations



The Data Controller has concluded written agreements with the above data processors to ensure that the processors handle the data solely for the specified purposes and in compliance with the GDPR.

9. Transfers to Third Countries

Some of the Data Controller's service providers are located in countries outside the European Economic Area (primarily the USA). These transfers take place on the following legal bases:

  • EU USA Data Privacy Framework: SevenRooms, Stripe, Tripleseat and the marketing companies (Google, Meta) participate in the voluntary certification scheme of the Data Privacy Framework. The European Commission determined on 10 July 2023 that certified US companies provide an adequate level of protection, so personal data may be transferred without separate authorisation.

  • Standard Contractual Clauses (SCCs): Where a service provider does not hold Data Privacy Framework certification, the transfer takes place on the basis of standard contractual clauses pursuant to Article 46 GDPR.

The Data Controller regularly monitors the compliance of its partners and informs data subjects if the legal basis for a transfer to a third country changes.

10. Rights of Data Subjects

Under the GDPR, data subjects are entitled to several rights in relation to the processing of their personal data. In accordance with the "Your Europe" guide, the service provider must inform data subjects of the purposes and legal bases of processing, the recipients of the data, the retention periods, the rights of data subjects and automated decision-making. The following is a summary of these rights, which are equally applicable in the case of Citadella Experience:

  • Right of access: The data subject may request confirmation as to whether their personal data are being processed and may request a copy of the data. The Data Controller is obliged to provide a free copy within one month.

  • Right to rectification: The data subject may request the rectification of inaccurate data or the completion of incomplete data; recipients who have previously received the inaccurate data must also be notified.

  • Right to erasure ("right to be forgotten"): The data subject may request the erasure of their data where the data are no longer necessary, where consent has been withdrawn, where the data subject has objected to processing based on legitimate interest, or where the processing is unlawful. An exception applies where erasure would be contrary to a legal obligation or to archiving in the public interest.

  • Right to restriction of processing: The data subject may request the restriction of processing (e.g. where the accuracy of data is disputed, or where processing is unlawful but erasure is not requested). Restricted data may only be stored; any further processing thereof requires the consent of the data subject.

  • Right to data portability: The data subject may request that the Data Controller provide the personal data they have supplied in a structured, commonly used and machine-readable format, and may request their transmission to another service provider.

  • Right to object: The data subject may at any time object to the processing of their personal data where processing is based on legitimate interest (e.g. CCTV system, marketing activities). Upon receipt of an objection, the Data Controller must examine whether compelling legitimate grounds for the processing exist; if they do not, the processing must cease. In the case of direct marketing, an objection automatically results in the cessation of marketing messages.

  • Right not to be subject to automated individual decision-making, including profiling: Where processing produces decisions that have a legal effect on the data subject or significantly affect them, and those decisions are based solely on automated processing, the data subject is entitled to request human review, to express their point of view and to contest the decision.

  • Right to withdraw consent: The data subject may withdraw their consent at any time without this affecting the lawfulness of processing carried out prior to the withdrawal.

  • Right to lodge a complaint: The data subject is entitled to lodge a complaint with the supervisory authority (NAIH) or with the competent authority of the Member State of their habitual residence. Prior to lodging a complaint, it is recommended that the data subject contact the Data Controller so that any issue may be resolved through internal means.

The exercise of the above rights may be initiated, upon request, by e mail sent to Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein. or by post. The Data Controller shall respond to requests without undue delay and in any event within one month. In particularly complex cases, the deadline may be extended by a further two months, of which the data subject will be informed.

11. Data Security

The Data Controller applies technical and organisational measures for the protection of personal data, including in particular:

  • Access management: Access to systems is restricted by password protection and multi-factor authentication; access rights are reviewed on a regular basis.

  • Encryption: Data transmitted over the network are protected by TLS/SSL encryption, and e mail traffic is protected via encrypted channels.

  • Backups: The databases of the web hosting service and the CRM system are regularly backed up on the servers of Rackforest Zrt. Only authorised persons have access to the backups.

  • Antivirus and intrusion protection: The IT systems of the restaurant are equipped with up-to-date antivirus and anti-malware protection, intrusion detection systems and firewall solutions.

  • Physical security: Paper-based documents are kept in lockable filing cabinets; access to the offices is regulated by a card-based access control system.

12. Other Provisions

  • Data Protection Impact Assessment (DPIA): The CCTV system, the processing of sensitive data (food allergies) and profiling are activities that may potentially pose a high risk to the rights of data subjects. The Data Controller regularly reviews its activities.

  • Management of personal data breaches: Upon detection of a security incident affecting personal data, the Data Controller shall immediately assess the severity of the incident. Where the incident is likely to result in a high risk to the rights of data subjects, the data subjects shall be notified without delay and, where necessary, the incident shall be reported to the NAIH. When informing data subjects, the nature of the incident, the likely consequences and the measures taken shall be described.

  • Amendment of this notice: The Data Controller reserves the right to update this notice where the data processing practices or the legislative environment change. The updated version will be published on our website.



Issued in Budapest, 21 April 2026.