PRIVACY NOTICE info.NTAK.hu

Magyar Turisztikai Ügynökség Zrt. (Hungarian Tourism Agency, contact details: H-1027 Budapest, Kacsa u. 15-23; mailing address: H-1525 Budapest, Postafiók 97; central phone number: +36 1 488 8700; central e-mail address: info@mtu.gov.hu) (hereinafter the Agency), as Controller, is committed to respecting the right to privacy and the right to the protection of personal data of all visitors of the info.NTAK.hu homepage and to acting, in the course of its operations, in accordance with the general data protection regulation of the European Union (hereinafter the GDPR), the Hungarian Privacy Act (hereinafter the Privacy Act), all other legislative acts, guidelines and established data protection practices, also in consideration of the main international recommendations on data protection.

 

As Controller, the Agency considers the contents of this legal communication binding on itself. It warrants that its processing activities related to its service comply with the requirements set out in this Notice and in the legislation in effect. The processing activity of the Agency is in compliance with the following data protection regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (general data protection regulation) (General Data Protection Regulation, GDPR);
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Privacy Act);
  • Act V of 2013 on the Civil Code (Civil Code).

 

Personal data may be processed under the following circumstances:

  • the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party.

 

Pursuant to Article 8(1) of the GDPR, the statement of consent by minors over the age of 16 shall be considered valid without the permission or subsequent approval of their legal representative. In the case of minors under the age of 16, the Data Subject’s statement of consent shall be valid subject to consent by the holder of parental responsibility for the child. The Agency is unable to verify the accuracy and authenticity of the consent; it is the responsibility of the person giving the consent to vouch for the accuracy thereof.

 

Purpose of processing

The Agency may use your personal data (hereinafter you are referred to as Data Subject) for the following purposes:

  • the Agency is entitled to inspect the use and the operation of this website;
  • the Agency is entitled to correct or resolve the problems arising in connection with the functioning of this website, or with the operations, products and services of the Agency;
  • the Agency is entitled to preserve the safety and integrity of this website and of the Agency’s operations.

 

Legal basis for the processing

In relation to the use of cookies, the legal basis for the processing is the Data Subject’s voluntary consent. Technical data related to and ensuring the secure operation of the website, including the IP addresses of visitors, shall be processed on the legal basis of legitimate interests.

 

Data categories processed

When you visit this website, the IP address of your computer will be treated as technical data during the operation of the website, and we are entitled to create cookies on your computer provided that you consent to it.

 

Duration of data storage

The Agency will process the personal data processed with your consent until the withdrawal of your consent. The withdrawal of consent shall not affect the lawfulness of processing before the withdrawal of the consent. Processed on the legal basis of legitimate interests, technical data related to and ensuring the secure operation of the website, including the IP addresses of visitors, shall be retained for a period of 1 year.

 

Recipients of personal data and categories of recipients

The employees of the Agency and the Processors who are responsible for operating the website.

 

Processors involved

In carrying out its specific professional tasks, the Agency uses the services of the following companies as Processor:

  • Rendszerinformatika Kereskedelmi és Szolgáltató Zártkörűen Működő Részvénytársaság (Company registration number: 01-10-046912, Tax number: 23095942-2-41, Registered office: H-1134 Budapest, Váci út 19. em)

 

Cookies

Similar to other websites, the Agency, as well, applies the established technology commonly referred to as “cookies”, and uses web server technical log files in order to obtain information on how Data Subjects use the website.

The use of cookies and web server log files enables the Agency to check website traffic, and to align the contents of the website with the personal preferences of users. A cookie is a small information package (file) which often carries an anonymised, unique identifier. When you visit a website, the website concerned asks permission from your computer to save this small information package on a specific part of your hard drive that was specifically designed to store such cookies. Each website visited by you can send cookies to your computer, provided that your browser settings permit the website to do so. In order to protect your data, however, your browser only allows the given website to access cookies that were sent by the given website to your computer; in other words, that particular website has no access to cookies sent by another website. Browsers are typically set to allow cookies. If you do not wish to receive cookies, you may set your browser to refuse cookies. In such a case, some website elements may not be able to function efficiently during your browsing. Cookies are unable to obtain other information from your computer’s hard drive, and they do not carry viruses.

In operating the website, the Agency may use the following cookies:

 

Name of COOKIE

Issuer

Type

Duration of storage

_ga cookie

google analytics

HTTP

2 years

GPS

youtube.com

HTTP

1 day

IDE

doubleclick.net

HTTP

1 year

test_cookie

doubleclick.net

HTTP

1 day

VISITOR_INFO1_LIVE

youtube.com

HTTP

179 days

YSC

youtube.com

HTTP

For the duration of the session

yt-remote-cast-installed

youtube.com

HTML

For the duration of the session

yt-remote-connected-devices

youtube.com

HTML

Permanent storage

yt-remote-device-id

youtube.com

HTML

Permanent storage

yt-remote-fast-check-period

youtube.com

HTML

For the duration of the session

yt-remote-session-app

youtube.com

HTML

For the duration of the session

yt-remote-session-name

youtube.com

HTML

For the duration of the session

 

Security of personal data processed by us

The Agency shall ensure that the IT data and the technical environment of the website are appropriately backed up, using the parameters necessary based on the retention period of the individual data to guarantee the availability of the data within the retention period, and at the end of the retention period it shall permanently destroy the data. The integrity and functionality of the IT system and the data storage environment are verified by advanced monitoring techniques, and the necessary capacities are continuously provided. Events in the IT environment are captured using sophisticated logging features to ensure that potential incidents can be subsequently detected and legally validated. A redundant network environment that provides consistently high bandwidth is used by the Agency to serve web pages, and such environment is capable of distributing the resulting load securely across the resources. Systems are designed to provide planned disaster resilience, deliver business continuity and, consequently, continuous service to users in high quality also through organisational and technical means. High priority is given to the controlled installation of security enhancements and manufacturers’ updates that also ensure the integrity of our IT systems, thus preventing, avoiding and managing attempts to access or damage the system, if any, via vulnerabilities. The IT environment is regularly monitored through security testing, errors or vulnerabilities are identified and corrected, and IT system security reinforcement is seen as an ongoing task. High standards of security, including confidentiality, are set for the employees of the Agency, which are also ensured through regular training, and it strives to operate planned and controlled processes in its internal operations. Any personal data breach detected or reported to the Agency in the course of the operation of the website shall be investigated in a transparent, responsible and strict manner within 72 hours. Data breaches that have occurred are addressed and recorded. When developing its services and IT solutions, the Agency ensures that the principle of data protection by design is met, and data protection is already a high priority requirement during the design phase.

 

Information on the rights of Data Subjects

The Data Subject may request information on the processing of his or her personal data or request the rectification or – except for statutorily prescribed processing – erasure of his or her personal data.

 

Right to prior information

The Data Subject shall have the right to be informed of facts and information relating to the data processing prior to the commencement of the processing. In part, this Privacy Notice has been drawn up in order to assure this right.

 

Right of access

The Data Subject may request the Agency to:

  • confirm the processing of his or her personal data;
  • provide a copy of such data;
  • provide additional information in relation to his or her personal data; thus, in particular, the specific data held by the Agency, the purpose for which such data are used, the entities with which such data are shared, whether such data are transferred abroad, how such data are protected and how long they are stored, how and in what form the Data Subject can lodge a complaint and, finally, how the Agency obtained the data of the Data Subject.

 

Right to rectification

The Data Subject may request from the Agency to rectify or complete its incorrect, inaccurate or incomplete personal data. Prior to rectifying any incorrect data, the Agency is entitled to verify the truthfulness or accuracy of such data.

 

Right to erasure, right to be forgotten

The Data Subject may request the erasure of his or her personal data if:

  • such data are no longer necessary in relation to the purposes for which they were collected; or
  • the Data Subject’s consent has been withdrawn (if the processing is subject to consent); or
  • the Data Subject exercises his or her right to object; or
  • such data have been unlawfully processed; or
  • such data have to be erased for compliance with a legal obligation.

The Agency shall not be required to satisfy the Data Subject’s request for the erasure of his or her personal data if the processing of relevant data is necessary for or justified by:

  • compliance with a legal obligation; or
  • the exercise or defence of legal claims or legitimate interests before the courts.

 

Right to restriction of processing (right to block data)

The Data Subject may request the Agency to restrict the processing of (block) his or her personal data, if

  • rectification is not possible in relation to the correctness, accuracy or authenticity of the data (see: “Right to rectification”); or
  • the processing is unlawful, but the Data Subject opposes the erasure of the data; or
  • the data concerned are no longer necessary in relation to the purposes for which they were collected, but the exercise or defence of legal claims or legitimate interests before the courts excludes their erasure; or
  • the Data Subject has exercised his or her right to object and the verification of the lawfulness of the Agency’s actions is still pending.

 

Where the Data Subject exercises the right to block data, the Agency shall continue to be entitled to use his or her personal data if:

  • the Data Subject has given consent to that effect; or
  • the use (existence) of such data is necessary for the exercise or defence of legal claims or legitimate interests before the courts; or
  • the use (existence) of such data is necessary for the protection of the rights of another natural or legal person.

 

Right to data portability

The Data Subject may request the Agency to transfer his or her personal data to the Data Subject in a structured, transparent, machine-readable format, and the Agency may also be requested by the Data Subject to transfer the data directly to another Controller.

 

Right to object

The Data Subject may, at any time, object to the processing of his or her personal data on grounds relating to his or her particular situation if in his or her judgement this is necessitated by his or her fundamental rights. The Data Subject may at any time object, without justification, to the processing of his or her personal data for direct marketing purposes, in which case the Agency shall discontinue the processing as soon as possible.

 

Communication of a personal data breach to the Data Subject

The Agency shall do its utmost to protect the Data Subject’s personal and other data, in proportion to the risks involved; it operates an up-to-date and reliable IT environment, and selects its cooperating partners with special care. It carries out its internal processes in a regulated and supervised manner in order to prevent the occurrence of even the smallest mistake, problem or incident in relation to the processing of personal data or, if such a mistake, problem or incident still occurs, in order to detect, investigate and address the issue. If an incident involving personal data still verifiably occurs and is likely to entail a high risk to the rights and freedoms of the Data Subject, the Agency shall notify the Data Subject and the data protection authority of the personal data breach without undue delay, in the manner and with the contents prescribed by prevailing data protection requirements.

 

Automated individual decision-making, including profiling

The Data Subject shall have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her. The Agency does not employ any procedure which would entail automated decision-making.

 

Right to lodge a complaint with a supervisory authority

Complaints concerning processing may be lodged with the courts or with the National Authority for Data Protection and Freedom of Information.

Registered office: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Mailing address: H-1534 Budapest, Pf.: 834.

Phone: +36 1 391 1400 Fax: +36 1 391 1410

E-mail: ugyfelszolgalat@naih.hu

 

Right to an effective judicial remedy against a supervisory authority

You shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning you.

 

Right to an effective judicial remedy against the Controller or Processor

You shall have the right to an effective judicial remedy where you consider that your rights have been infringed as a result of the processing of your personal data in non-compliance with the law.