National Tourism Data Supply Centre

This Privacy Notice (hereinafter the Notice) contains all the information on the processing of personal data in relation to the use of the NATIONAL TOURISM DATA SUPPLY CENTRE (hereinafter NTDSC) operated by MAGYAR TURISZTIKAI ÜGYNÖKSÉG ZRT. (Hungarian Tourism Agency, hereinafter: Company, Controller) to ensure that before the use of NTDSC you (as Data Subject) are made fully aware of the purpose and conditions of the processing, the risks and guarantees related thereto, as well as your rights.

Your rights as Data Subject in the NTDSC system will depend on which user type you will be when using the system.
Processing in the NTDSC service for the purposes stated above is subject to your consent.

• You can visit the NTDSC system website as a guest without a user identification. In this case your personal data of a technical nature (e.g. the IP address of your device’s browser) is processed subject to your consent. As a guest, you will have no access to the pages that contain the internal functions of the system.
• If you are an NTDSC Administrator, before you log into the NTDSC system, we will identify you through the Central Authentication Agent (KAÜ) service, in which case your data will be processed as necessary for compliance with statutory regulations or based on the legitimate interests of the controller or a third party, and you do not need to consent to the processing because by reading and acknowledging the Privacy Notice, you will be entitled to log in. By signing into the NTDSC system and by completing the registration process you as an NTDSC Administrator declare that you have read the version of this Privacy Notice in effect at the time of providing the data or the information.
• If you are a user (NTDSC Accommodation Manager or NTDSC Data User) set up in the NTDSC system by the person acting on behalf of the accommodation service provider, your personal data was provided in the system by your authorised NTDSC Administrator in order to enable us to send you an invitation so that you can log into the system by way of the Central Authentication Agent (KAÜ) service to carry out your tasks. In this case, before your first login you need to consent to the processing. The withdrawal of consent shall not affect the lawfulness of processing subject to consent before its withdrawal. By signing into the NTDSC system and by completing the registration process you declare that you have read and expressly accept the Privacy Notice in effect at the time of the data or the information is provided, and you expressly consent to the processing.

Depending on your user type, you are entitled to use the functions linked to the given role in the NTDSC system.
There are additional, dedicated user types (e.g. Local Government, Notary, NTDSC Internal Administrator) in the NTDSC system that authorise the user to access a number of special, unique functions, but their use is strictly restricted to the users dedicated for this purpose.

If you are the legal or authorised representative of the accommodation service provider in the NTDSC system (NTDSC Administrator), you qualify as a person acting on behalf of the accommodation provider and are authorised to use the functions linked to this role. Moreover, you are authorised to initiate the addition of new users to the organisation represented by you, and to legally transfer the personal data of such users to NTDSC as the Controller’s representative.
If you connect to the NTDSC system as an NTDSC Accommodation Manager or NTDSC Data User after registration, under the authorisation of the accommodation provider’s legal or authorised representative, you will be entitled to use the functions linked to these roles.

Identity check is performed upon login by way of the Central Authentication Agent (KAÜ) service, while a specific person’s authorisations are verified by way of the Authorisation Manager Agent (JKÜ) service in the case of legal or authorised representatives, by querying the authenticated registries.

Our Company stores personal data provided by you on servers operated by the Controller and the Processor within the territory of Hungary.

The purpose of this Privacy Notice is to ensure our Company’s compliance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the GDPR) and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter the Privacy Act). Our Company is committed to providing data subjects with information regarding the processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language in order to facilitate the exercise of the data subject’s rights.

Our Company reserves the right to amend this Notice unilaterally, effective from the date of the amendment. For this reason, you are advised to visit the page of the Privacy Notice on a regular basis in order to monitor potential changes.

1. NAME AND CONTACT DETAILS OF THE CONTROLLER

 

 

NAME OF CONTROLLER:

Magyar Turisztikai Ügynökség Zrt.

Company registration number: 01-10-041364

Registered office: H-1027 Budapest, Kacsa utca 15-23.

Tax number: 10356113-2-41

Represented by Dr. Zoltán Guller

hereinafter the Company, Controller

MAILING ADDRESS OF THE CONTROLLER:

H-1027 Budapest, Kacsa utca 15-23.

E-MAIL ADDRESS OF THE CONTROLLER: info@mtu.gov.hu

PHONE NUMBER OF THE CONTROLLER: +36 1 488 8700

NAME OF THE CONTROLLER’S DATA PROTECTION OFFICER: Levente Papp

E-MAIL ADDRESS OF THE CONTROLLER’S DATA PROTECTION OFFICER: privacy@mtu.gov.hu

 

2. PROCESSORS EMPLOYED

In carrying out its specific professional tasks, the Company uses the services of the following companies as processors:

• SAGEMCOM MAGYARORSZÁG KFT. (Registered office: H-1037 Budapest, Montevideo u. 16/a) as system developer and as a company providing operational support.
• NISZ NEMZETI INFOKOMMUNIKÁCIÓS SZOLGÁLTATÓ ZRT. (Registered office: H-1081 Budapest, Csokonai utca 3.) as system developer and as a company providing operational support.
• GOOGLE IRELAND LIMITED (a company incorporated in Ireland operating under Irish law (registration number: 368047), registered office: Gordon House, Barrow Street, Dublin 4, Ireland) as the provider of the reCAPTCHA protection functions.

The Processors will not use the data received for their own purposes; they only process data for the Controller. The Controller may disclose the personal data of Data Subjects solely to the Data Processor companies that the Data Subject has been informed of and/or accepted based on this Notice.

 

3. PURPOSE OF PROCESSING

The Controller keeps records of the Data Subject’s specific personal data for the purposes of identifying the Data Subject within the NTDSC service, verifying the legitimacy of access, verifying the accommodation provider’s right of representation, sending automated messages from the NTDSC service, and for the purposes of operating the NTDSC service.

 

4. SCOPE OF PERSONAL DATA PROCESSED

For the purposes of the NTDSC system, personal data shall mean a piece of information that directly contains or may contain personal data, or several pieces of information that may together contain personal data on the basis of which a natural person may be identifiable.

In relation to the public web pages of the NTDSC system, we process the following data:

The IP address of the device that runs the user’s browser, which is processed by the server of the website and the servers running in the environment thereof (e.g. firewall, logging system, backups).

During its operation the NTDSC website uses the http-type JSESSIONID cookie issued by NTAK.hu.

Data processed in relation to users who log in with the help of the Central Authentication Agent authentication:

Some of the data are provided to NTDSC by the Central Authentication Agent service.

• Surname
• Given name
• Surname at birth
• Given name at birth
• Place of birth
• Date of birth
• Mother’s surname at birth
• Mother’s given name at birth
• Name of companion
• E-mail address
• ID number (automatically generated)

Additional personal data created, modified or used while using the NTDSC system:

• ID number
• E-mail address
• Name as in passport
• Name at birth
• Mother's name
• Date and place of birth

Users who use the VENDÉGEM application are given access to the “send and re-send individual contract” function in the NTDSC system, for the purposes of which the NTDSC system transfers the e-mail address of the VENDÉGEM Administrator User to be set up to the VENDÉGEM application.

Data processed for the purposes of communication with the accommodation service provider:

• Tax number (after the tax number has been entered, NTDSC verifies the data from an external, authenticated source, and stores the data only after successful verification)
• Registration number
• Name of the accommodation service provider
• Country
• Postal code
• County
• Town/village
• Name of public area
• Type of public area
• House number
• Floor
• Door
• Topographical lot number
• E-mail address
• Phone number
• Name of private accommodation establishment
• Registration number issued by the local government
• Statistical code
• Registration number of accommodation establishment (automatically generated).

 

5. DURATION OF PROCESSING

From the first login, personal data will be stored:

• until the termination of the accommodation service activities in the case of the person acting on behalf of the accommodation provider,
• for a period of 1 year following the deletion of the user in the case of additional users linked to the accommodation establishment.

The JSESSIONID cookie is stored for the duration of the session. Technical data generated for data security purposes (e.g. IP address, e-mail address) are stored for a period of 1 year.

 

6. LEGAL BASIS FOR THE PROCESSING

Legal basis for the processing:

• In the case of persons acting on behalf of the accommodation provider, compliance with a legal obligation to which the Company is subject (processing is necessary for the enforcement of the legitimate interests of the Controller or a third party under Article 6(1)(c) of the GDPR) and Article 6(1)(f) of the GDPR)
• For other users connected to the accommodation establishment, the voluntary consent of the user to the processing (Article 6(1)(a) of the GDPR).

 

7. RECIPIENTS OF PERSONAL DATA AND CATEGORIES OF RECIPIENTS

The personal data you provide will be accessible to the Controller and to employees directly supervised by the Processors for the performance of their duties. They will manage the data in a confidential manner and in accordance with the laws, regulations and policies applicable at any time to the Controller and to the Processors.

 

8. RIGHTS OF THE DATA SUBJECT

Your rights regarding data processing include the following:

RIGHT TO PRIOR INFORMATION
You have the right to be informed of facts and information relating to the data processing prior to the commencement of the processing. In part, this Privacy Notice has been drawn in order to ensure this right.

DATA SUBJECT’S RIGHT OF ACCESS
The data subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information.

RIGHT TO RECTIFICATION
The data subject may request from the Company to rectify or complete its incorrect, inaccurate or incomplete personal data. Prior to rectifying the incorrect data, the Company is entitled to verify the truthfulness or accuracy of such data.

RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’)
The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall be obliged to do so. You shall not have this right if processing is based on a legal obligation.

RIGHT TO WITHDRAWAL:
If processing is subject to consent, the data subject shall have the right to withdraw such consent at any time without affecting the lawfulness of processing subject to consent before its withdrawal.

RIGHT TO RESTRICTION OF PROCESSING (RIGHT TO BLOCK DATA)
The data subject shall have the right to request the Controller to restrict data processing in certain cases.

RIGHT TO DATA PORTABILITY
The data subject shall have the right to receive personal data relating to him or her which he or she has made available to the Controller in a structured, commonly used, machine-readable format.

RIGHT TO OBJECT
The data subject shall have the right to object at any time to the processing of his or her personal data, on grounds relating to his or her particular situation, if such processing is in the public interest or it is necessary to pursue the legitimate interests of the Controller, including profiling.

AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING
The data subject shall have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her. The Controller does not employ automated decision-making.

COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT
When a personal data breach is likely to result in a high risk to your data and/or to your rights and freedoms, the Controller shall communicate the personal data breach to you without undue delay.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
You shall have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes the data protection regulations.

National Authority for Data Protection and Freedom of Information
Registered office: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c
Mailing address: H-1534 Budapest, Pf.: 834
Phone: +36 1 391 1400
Fax: +36 1 391 1410
E-mail: ugyfelszolgalat@naih.hu

RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY
You shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning you.

RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A CONTROLLER OR PROCESSOR
You shall have the right to an effective judicial remedy where you consider that your rights have been infringed as a result of the non-compliant processing of your personal data.

 

9. DATA SECURITY MEASURES

The Company undertakes to ensure the security of the data, and to adopt technical and organisational measures and establish procedures to ensure that the data recorded, stored or processed are protected or prevented from being destroyed or subjected to unauthorised use or unauthorised changes. The Company shall also instruct its Processors to comply with the data security requirements.

The Controller shall ensure that no unauthorised person has access to the processed data, and that such persons cannot disclose, transmit, modify or delete the data processed. The Controller shall use its best endeavours to ensure that the data are not accidentally damaged or destroyed. The Controller shall ensure that its employees participating in the processing activities and the Processor(s) proceeding on behalf of the Controller(s) also undertake the same commitment.

The Company shall ensure that the IT data and the technical environment of the website are appropriately backed up, using the parameters necessary based on the retention period of the individual data to guarantee the availability of the data within the retention period, and at the end of the retention period it shall permanently destroy the data.

The integrity and functionality of the IT system and the data storage environment are verified by advanced monitoring techniques, and the necessary capacities are continuously provided.

Events in the IT environment are captured using sophisticated logging features to ensure that potential incidents can be subsequently detected and legally validated.

A redundant network environment that provides consistently high bandwidth is used to serve web pages, and such environment is capable of distributing the resulting load securely across our resources.

Our systems are designed to provide planned disaster resilience, deliver business continuity and, consequently, continuous service to users in high quality also through organisational and technical means. High priority is given to the controlled installation of security enhancements and manufacturers’ updates that also ensure the integrity of our IT systems, thus preventing, avoiding and managing attempts to access or damage the system via vulnerabilities.

The IT environment is regularly monitored through security testing, errors or vulnerabilities are identified and corrected, and IT system security reinforcement is seen as an ongoing task.

High standards of security, including confidentiality, are set for employees, which are also ensured through regular training, and it strives to operate planned and controlled processes in its internal operations. Any personal data breach detected or reported to the Company in the course of its operation shall be investigated in a transparent, responsible and strict manner within 72 hours. Data breaches that have occurred are addressed and recorded.

When developing its services and IT solutions, the Company ensures that the principle of data protection by design is met, and data protection is already a high priority requirement during the design phase.

 

10. MANAGING AND REPORTING PERSONAL DATA BREACHES

A personal data breach shall mean an event that results in the unlawful handling or processing of the personal data managed, transmitted, stored or processed by the Controller; including, in particular, unauthorised or accidental access to, alteration, communication, deletion, loss or destruction, and accidental destruction or damage of such personal data. Persons in charge of data protection shall promptly investigate any reported or detected personal data breach and, within 24 hours of becoming aware of the personal data breach, shall make a recommendation to remedy and address such breach. The Controller warrants that the data will be processed in full compliance with the applicable legal provisions.

 

This Notice comes into effect on 1 August 2020.