

Incident Response and Data Subject Requests

This document explains how Bokko handles personal data breaches, how it notifies data subjects and subscribers, and how you can exercise data subject rights (DSAR). Effective as of: April 4, 2026 (Open Beta — v1-open-beta-en).

Governing Language. This English translation is provided for convenience only. In the event of any discrepancy or dispute, the Hungarian version of this Incident Response Policy shall be the sole authoritative text.

Contents

  1. What qualifies as a personal data breach?
  2. Incident response process
  3. Notification obligations
  4. Data subject requests (DSAR)
  5. Summary of data subject rights
  6. Contact

1. What qualifies as a personal data breach?

Under Article 4(12) of the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Examples that may qualify as an incident:

  • Unauthorized access to the Bokko database
  • Accidental deletion or corruption of guest data
  • Accidental disclosure of booking data to a third party
  • A security event at a sub-processor that affects Bokko data
  • Malware or ransomware reaching live data

2. Incident response process

Internal steps

  1. Detection and containment: after identifying the incident, we immediately start minimizing the impact — suspending access, isolating the affected component.
  2. Investigation and assessment: we determine the type of incident, the scope and categories of data affected, the approximate number of data subjects affected, and the likely risk to data subjects.
  3. Documentation: we keep an internal record of every incident — including non-notifiable events — pursuant to Article 33(5) of the GDPR.
  4. Notification to the supervisory authority (where Bokko acts as data controller): if the incident poses a risk to data subjects and Bokko has acted as an independent data controller (e.g., subscriber platform accounts), we will notify the NAIH within 72 hours of becoming aware of the incident. Where Bokko acted as a data processor (guest booking data), we will notify the subscriber without undue delay — see Section 3.
  5. Notification to data subjects (where required): if the incident poses a high risk to data subjects, we will notify them directly.
  6. Recovery and follow-up: remediation of the root cause and, where necessary, improvement of processes.

Threshold for notification to the supervisory authority

Under Article 33 of the GDPR there is a notification obligation unless the incident is unlikely to result in a risk to the rights and freedoms of natural persons. Risk-free incidents are also documented but not notified.

3. Notification obligations

Notifying subscribers (data controllers)

Subscribers act as data controllers in respect of their guests' data; Bokko acts as data processor. Under Article 33(2) of the GDPR, the processor is required to notify the controller without undue delay of any personal data breach.

Bokko notifies the affected subscribers about the incident at their registered email address, providing the following information:

  • The nature of the incident and its approximate time
  • The categories of data affected and the number of data subjects (if known)
  • The likely consequences
  • Measures taken or planned
  • Contact point for further information

Notification to the supervisory authority

The competent supervisory authority is the NAIH (Hungarian National Authority for Data Protection and Freedom of Information). Website: naih.hu.

Role allocation: For incidents affecting guest booking data, notifying the NAIH is the obligation of the data controller, i.e., the subscriber (Article 33 GDPR). As a data processor, Bokko notifies the subscriber without undue delay so that the subscriber can make the notification to the supervisory authority within the 72-hour deadline.

4. Data subject requests (DSAR)

If you, as an end user (guest) or as a subscriber, wish to submit a request regarding your personal data, please follow the guidance below.

Where to write

All data subject requests should be sent to [email protected].

Identification

To fulfill a request we need to verify that the person submitting the request is the one whose data the request relates to. To this end we may ask for:

  • Confirmation of the email address provided in the request (confirmation email)
  • An identifier linked to the booking or account (if available)
  • An official identity document only if identity cannot be established by other means

Deadlines

| Type of request                        | Fulfillment deadline | Extension                                                   |
|----------------------------------------|----------------------|-------------------------------------------------------------|
| Access request (provision of a copy)   | Within 1 month       | In complex cases up to 2 months, with notification          |
| Erasure request                        | Within 1 month       | Documented exception in case of a retention obligation      |
| Rectification request                  | Within 1 month       | —                                                           |
| Portability request (data export)      | Within 1 month       | —                                                           |
| Restriction of processing request      | Within 1 month       | —                                                           |

Scope — guests vs. subscribers

Bokko processes guest data as a data processor on behalf of the subscriber. If you submit a request as a guest, we will also forward it to the relevant subscriber (provider), as they are the primary data controller. Where Bokko processes your data as a controller in its own right (e.g., a registered subscriber's account), we will fulfill the request directly.

5. Summary of data subject rights

| Right                                        | GDPR Article | Substance                                                                                   |
|----------------------------------------------|--------------|---------------------------------------------------------------------------------------------|
| Right of access                              | Article 15   | Confirmation whether we process your data; request for a copy                               |
| Right to rectification                       | Article 16   | Correction of inaccurate or incomplete data                                                 |
| Right to erasure (right to be forgotten)     | Article 17   | Erasure of data once the processing purpose has ceased                                      |
| Right to restriction                         | Article 18   | Suspension of processing if you contest accuracy or lawfulness                              |
| Right to data portability                    | Article 20   | Request to receive your data in a machine-readable format                                   |
| Right to object                              | Article 21   | Objection to processing based on legitimate interest                                        |
| Exemption from automated decision-making     | Article 22   | Request for human intervention in the case of an automated decision                         |

Bokko currently does not carry out solely automated decision-making with legal effect within the meaning of GDPR Article 22 — details: AI and automated processing.

Detailed description: Privacy Policy

6. Contact

Data subject requests, incident reports, and privacy-related questions: [email protected]

Supervisory authority: NAIH — naih.hu


© 2026 Bokko