Magyar Turisztikai Ügynökség Zrt. (contact details: 1027 Budapest, Kacsa u. 15-23, postal address: 1525 Budapest P.O. Box.: 97, central phone number: +36 1 488 8700, central e-mail address: firstname.lastname@example.org) (hereinafter: ‘Agency’), as Controller, is dedicated to respecting the right to privacy and security of the personal data of the visitors visiting the https://ntak.hu website, and to proceed in compliance with the data protection regulation of the European Union (hereinafter: ‘GDPR’), the Hungarian data protection act (hereinafter: ‘Freedom of Information Act’) and other legal regulations during its operation, as well as in accordance with the guidelines and established data protection practices, taking into account the main international recommendations related to data protection.
The Agency, as Controller, acknowledges the content of this legal notice as binding. It undertakes to ensure that the data processing related to its services meets the requirements set out in this notice and in all applicable legislation.
The processing activities of the Agency are in compliance with the following legal regulations on data protection:
- Regulation of the European Parliament and of the Council (EU) 2016/679 (27 April 2016) on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR);
- Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information (Freedom of Information Act),
- Act CXII of 2013 on the Right to Information Self-Determination and Freedom of Information (Freedom of Information Act),
Personal data may be processed, if
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the Controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- is necessary for the enforcement of the legitimate interests of the Controller or a third party.
Pursuant to Article 8 (1) of the GDPR, statements of consent of data subject minors over the age of 16 shall be considered valid without the permission or subsequent approval of their legal representative, while statements of consent of data subject minors below the age of 16 are not valid without the consent of the party exercising parental supervision over the minor. The Agency has no tools to verify the accuracy and validity of the consent, its accuracy is warranted by the person granting consent.
The Agency uses Your personal data for the following purposes:
- the Agency may contact You directly by e-mail should You request any information;
- the Agency may verify the use and operation of the website;
- the Agency may rectify and resolve problems relating to the operation of the Website, and the business activities, products and services of the Agency;
- the Agency may maintain the security and integrity of the Website and its own business operation.
If you do not wish to be contacted directly by the Agency in the future or receive newsletters from us, please send an e-mail message to info.NTAK@mtu.gov.hu, in the subject of which please indicate the words “leiratkozás” (unsubscribe) or “stop” or send a letter to the Agency’s address: 1027 Budapest, Kacsa utca 15-23. In the latter case, please provide your name, address and e-mail address.
The legal ground of processing is the performance of contractual obligations within the framework of co-operation, and voluntary and express consent elsewhere.
When You visit the Website or send an e-mail to the Agency through the Website and initiate contact, the Agency may request information about You, including your name and e-mail address. During the operation of the Website, the IP address of your computer is processed as technical data and we also embed cookies in your computer.
The Agency processes the data during the period of operation and for one subsequent year, while data processed with consent shall be processed until the consent is withdrawn if no other legal ground of processing applies. The withdrawal of consent does not affect the lawfulness of prior processing.
The users of the Agency maintaining partner relationships and providing customer services and, in the case of technical data, the IT staff members.
The Agency uses the services of the following companies as processors for the performance of some of its professional tasks:
- Rendszerinformatika Kereskedelmi és Szolgáltató Zártkörűen Működő Részvénytársaság (Company registration number: 01-10-046912, Tax number: 23095942-2-41, Registered office:1134 Budapest, Váci út 19, 4th floor)
- Sagemcom Magyarország Elektronikai Korlátolt Felelősségű Társaság (Company registration number: 01-09-077688, Tax number: 10568723-2-51, Registered office:1037 Budapest, Montevideó u. 16/A)
Similarly to other commercial websites, the Agency also uses the general technology known as cookies and webserver technical log files in order to obtain information about how the data subjects use the Website. With the help of the cookies and webserver log files, the Agency can control the visits to the Website and adjust its contents to your personal need.
A cookie is a small information package (file) which often carries an anonymised individual ID. When you visit a website, the website asks your computer to store that file in a part of the hard disc of your computer which is expressly used to store cookies.
Each individual website you visit can send a cookie to your computer if the settings of your browser allow it. However, in order to protect your data, your browser will only allow the particular website to access only the cookie that the particular website sent to your computer, i.e., one website cannot have access to cookies embedded by other websites. In general the browsers are set up to accept cookies.
However, if you do not wish to accept cookies, you can set up your browser to reject their acceptance. In that case, some components of the website may not function effectively when you browse on it. The cookies cannot obtain other information from the hard disc of your computer and do not carry viruses.
The Agency arranges for creating backups that are suitable according to the IT data and the technical environment of the Website. The backups are stored according to the criteria applicable to the retention period of the specific data and, thereby guaranteeing the availability of data during the retention period, after which they will be finally destroyed. The IT system and the integrity and operability of the environment storing the data are checked with advanced monitoring techniques and the required capacities are provided constantly. The events of the IT environment are registered with complex logging functions, thus ensuring subsequent detectability and legal proof of any data breach. We use a high broadband, redundant network environment to serve our websites, with which any load can be safely distributed among the resources.
The disaster tolerability of our systems is scheduled and guaranteed, and we use organisational and technical instruments to guarantee high-level business continuity and constant services to our users. The controlled installation of security patches and manufacturer updates that also ensure the integrity of our information systems is a key priority, thus preventing, avoiding and managing any access or harmful attempt involving the abuse of vulnerability. We apply regular security tests to our IT environment, during which the detected errors and weaknesses are corrected because enhancing the security of our information system is a continuous task.
High-security requirements are also set for our staff, which also include confidentiality, and compliance with which is ensured with regular training. During our internal operation, we try to use well designed and controlled processes.
Any personal data breach detected during our operation or reported to us is investigated transparently, with responsible and strict principles within 72 hours. The actual data breaches are all processed and recorded. During the development of our services and IT solutions we arrange for complying with the principle of installed data protection, as data protection is a priority requirement even in the design phase.
The data subject may request information on the processing of their personal data, the rectification of their personal data and may also request the erasure of their personal data, with the exception of processing required by law.
The data subject has the right to obtain information regarding the facts and information about the processing, prior to its start.
One of the reasons why this Privacy Notice was created was to guarantee that right.
The data subject may request the Agency to:
- confirm the processing of their personal data;
- provide a copy of such data;
- provide information about their personal data, including especially the data recorded by the Agency and the purpose of their use, the parties with whom these data are shared, whether the data are transferred abroad and the method used to protect such data, the duration of storage of the data and the manner and form of submitting complaints and, finally, the source from which the agency obtained the data of the data subject.
The data subject may request the Agency to rectify or supplement inaccurately or incompletely recorded personal data. Prior to the rectification of any erroneous data, the Agency may inspect the authenticity and accuracy of the data subject’s data.
The data subject may request the erasure of their personal data when:
- the specific data are no longer required for the processing purposes specified when the data were collected; or
- when the data subject has withdrawn consent (if processing is based on consent); or,
- when the data subject exercises the right to objection; or,
- the data of the data subject were processed unlawfully; or
- the erasure of the specific data is based on a statutory obligation.
The Agency is not obliged to fulfil the data subject’s request for the erasure of their personal data when the processing of the personal data is necessary and justified for the following reasons:
- to comply with statutory obligations; or
- to enforce or protect the law or legitimate interest in court.
The data subject may request a restriction of the processing of their personal data (blocking of data),
- when no rectification can be made in relation to the correctness, accuracy or authenticity of the data (see “Right to rectification”); or
- when processing is unlawful but the data subject does not request the erasure of data; or
- the specific data are no longer required for the processing purposes specified when the data were collected but their erasure is precluded due to the enforcement of certain rights or legitimate interests in court; or
- when the data subject exercised the right to objection and the assessment of the lawfulness of the Agency’s procedure has not yet been completed.
When the right to blocking is exercised, the Agency may still use your personal data when:
- the data subject has granted consent in that regard; or
- the use of the specific data (availability) is required in order to enforce a certain right or legitimate interest in court; or
- the specific data need to be used (be available) in order to protect the rights of another natural person or legal person.
The data subject may request the Agency to transfer their personal data to the party concerned in an orderly, transparent manner, legible also for information systems and to transfer the data directly to a different controller.
For reasons relating to their own situation, the data subject may object to the processing of their personal data at any time when they believe that it is required to exercise their fundamental rights.
The data subject may object to the processing of their personal data for direct marketing purposes at any time, without providing any reasoning, in which case the Agency terminates the processing within the shortest possible time.
The Agency protects the personal and other data of the data subject to the best of its knowledge and in proportion to the risks, uses an advanced and reliable IT environment and selects its co-operation partners with special care. It performs its internal processes in a regulated and supervised manner in order to prevent or avoid even the smallest error, problem or incident occurring during the processing of personal data and to detect, inspect and manage any event that may still happen.
If an incident relating to personal data still occurs provenly and it is likely to impose a high risk to the rights and freedoms of the data subjects, the agency undertakes to inform the data subject and the data protection authority about the personal data breach in a manner and providing the information specified in the effective data protection regulations, without any unreasonable delay.
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The Agency does not operate any procedure during which it applies automated decisions.
Complaints about processing may be submitted to the Hungarian National Authority for Data Protection and Freedom of Information:
Registered office: H-1125 Budapest Szilágyi Erzsébet fasor 22/C
Postal address:1534 Budapest, P.O. Box: 834
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410