Magyar Turisztikai Ügynökség Zrt. (Hungarian Tourism Agency, contact details: H-1027 Budapest, Kacsa u. 15-23; mailing address: H-1525 Budapest, Postafiók 97; central telephone number: +36 1 488 8700; central e-mail address: (hereinafter the Agency), as Controller, is committed to respecting the right to privacy and the right to the protection of personal data of all visitors to the homepage and in the course of its operations, to acting in accordance with the general data protection regulation of the European Union (hereinafter GDPR), the Hungarian Privacy Act (hereinafter Privacy Act) and all other legislation, guidelines and established data protection practices, as well as in consideration of the main international recommendations on data protection.

The Agency as Controller accepts and agrees to be bound by the content of this legal notice. It undertakes to ensure that its data processing related to its services complies with the expectations stipulated in this notice and in operative legislation. The processing activity of the Agency is in compliance with the following data protection regulations:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and on the repeal of Directive 95/46/EC (General Data Protection Regulation, GDPR);
  • Act CXII of 2011 on the Right to Self-Determination of Information and Freedom of Information (Privacy Act);
  • Act V of 2013 on the Civil Code (Hungarian Civil Code).

Personal data may be processed where

  • the Person Concerned has given consent to the processing of his or her personal data for one or more specific purposes;
  • data processing is necessary for the fulfilment of a contract to which the Person Concerned is party or in order to take steps at the request of the Person Concerned prior to entering into a contract;
  • data processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • data processing is necessary to protect the vital interests of the Person Concerned or of another natural person;
  • data processing is necessary for the performance of a task carried out in the public interest or within the scope of exercising official authority vested in the controller;
  • data processing is necessary for the purpose of enforcing the legitimate interests of the Controller or a third party.

Pursuant to Article 8(1) of the GDPR, the validity of the declaration of consent of a minor is not subject to the consent or subsequent approval of the holder of parental responsibility if such minor is at least 16 years old. Where such minor is under 16, however, the validity of his or her declaration of consent shall be subject to the consent of the holder of parental responsibility for the child. The Agency is not able to verify the accuracy and authenticity of the consent; the person granting the consent shall warrant the accuracy thereof.

Purpose of data processing

The Agency may use your (hereinafter: Person Concerned) personal data for the following purposes:

  • the Agency may monitor the use and operation of this website;
  • the Agency may correct and resolve problems related to the operation of this website or the business, products and services of the Agency;
  • the Agency may ensure the security and integrity of this website and the Agency’s business.

Legal basis for data processing

The legal basis for data processing is the voluntary consent to the handling of cookies granted by the Person Concerned. Technical data related to and ensuring the secure operation of the website, including the IP addresses of visitors, shall be processed on the legal basis of legitimate interests.

Categories of data processed

When you visit this website, your computer’s IP address will be treated as technical data during operation of the website, and with your consent we may create cookies on your computer.

Duration of personal data storage

Personal data processed with your consent are processed by the Agency until such consent is withdrawn. The withdrawal of consent does not affect the lawfulness of data processing before consent is withdrawn. Technical data related to and ensuring the secure operation of the website, including IP addresses of visitors and processed on the legal basis of legitimate interests, are retained for 1 year.

The recipients of personal data or categories of recipients

The Agency staff and its data processors operating the website.

Data processors involved

In carrying out its various professional tasks, the Agency uses the services of the following companies as data processors:

  • Rendszerinformatika Kereskedelmi és Szolgáltató Zártkörűen Működő Részvénytársaság (company registration number: 01-10-046912, tax number: 23095942-2-41, registered office: H-1134 Budapest, Váci út 19, IV. em) as service provider supporting website operation;
  • GOOGLE IRELAND LIMITED (a company registered in Ireland and operating pursuant to the laws of Ireland (registration number: 368047), registered office: Gordon House, Barrow Street, Dublin 4, Ireland) as service provider hosting media files.


Like other websites, the Agency uses the standard technology known as cookies, along with web server technical log files, in order to obtain information on how Those Concerned use the website. The use of cookies and web server log files allows the Agency to check website traffic and adjust website content to users’ personal needs. A cookie is a small information package (file) that often carries an anonymised unique identifier. When you visit a website, the given website asks for your computer’s permission to store this small information package on your hard drive, in a location expressly intended for storing cookies. Each website you visit can send cookies to your computer, provided this is allowed by your browser settings. In order to protect your data, however, your browser will only allow a given website to access the cookie sent to your computer by the same website, in other words, a website cannot access the cookies sent by other websites. Browsers usually accept cookies by default. If you do not want to accept cookies, you can set your browser to reject them. In this case, certain elements of the website may not function properly while you are browsing. Cookies cannot obtain other information from your computer’s hard drive and they do not carry viruses.

During operation of the website, the Agency may use the following cookies:

Cookies used
Name of the COOKIE Issued by Type Duration of storage
Marketing COOKIE
_ga cookie google analytics HTTP 2 years
GPS HTTP 1 day
IDE HTTP 1 year
test_cookie HTTP 1 day
YSC HTTP Session
yt-remote-cast-installed HTML Session
yt-remote-connected-devices HTML Permanent storage
yt-remote-device-id HTML Permanent storage
yt-remote-fast-check-period HTML Session
yt-remote-session-app HTML Session
yt-remote-session-name HTML Session


Security of the data we process

The Agency ensures that IT data and the technical environment of the website are appropriately backed up, using the parameters necessary based on the retention period of the individual data to guarantee the availability of the data within the retention period, and at the end of the retention period the data will be permanently destroyed. The integrity and functionality of the IT system and the data storage environment are verified by advanced monitoring techniques, and the necessary capacities are provided continuously. Events in the IT environment are captured using sophisticated logging features to ensure that potential incidents can be subsequently detected and evidenced with legal force. The Agency uses a redundant network environment providing consistently high bandwidth to serve its web pages, which environment is able to distribute resulting loads securely among the resources. The systems are designed to provide planned disaster resilience, to deliver business continuity and thus continuous service to users at a high standard, also through organisational and technical means. High priority is given to the controlled installation of security patches and manufacturers’ updates that also ensure the integrity of our IT systems, thus preventing, avoiding and handling attempts to access or damage the system due to vulnerability. The IT environment is regularly checked by security testing, errors or weak points identified are corrected, and reinforcement of IT system security is seen as an ongoing task. High standards of security, including confidentiality, are set for employees of the Agency, which are also met by providing regular training, and the Agency strives to implement planned and controlled processes in its internal operations. Any possible incidents affecting personal data detected or reported to the Agency during operation of the website will be investigated in a transparent manner using responsible and strict principles within 72 hours. Incidents which occur are dealt with and entered into records. When developing its services and IT solutions, the Agency ensures that the principle of data protection by design is met, data protection already being of high priority in the design phase.

Information on the rights of Persons Concerned

Persons Concerned may request information on the processing of their personal data, and they may request that their data be corrected or deleted, unless the data processing is required by law.

Right to advance information

Persons Concerned have the right to receive notification on facts and information related to data processing prior to the start of the data processing. This Privacy Notice has also been drawn up to ensure this right.

Right of access

Persons Concerned may request the Agency to:

  • confirm that his or her personal data are being processed;
  • provide a copy of such data;
  • provide further information regarding his or her personal data, including in particular what data the Agency has in its possession, what purposes these data are used for, who these data are shared with, whether these data are transferred abroad, what means the Agency uses to protect the data, how long the data are retained, how and in what form the person concerned may lodge a complaint, and finally, what source(s) the Agency obtained the Person’s data from.

Right to correction

Persons Concerned may request the Agency to correct or complete their incorrect, inaccurate or incomplete personal data. Prior to correcting any incorrect data, the Agency is entitled to check the truthfulness or accuracy of such data.

Right to deletion, right to be forgotten

Persons Concerned may request the deletion of their personal data where:

  • the given personal data are no longer necessary for the purposes for which they were collected; or
  • the person has withdrawn consent (provided that data processing is based on consent); or,
  • the person exercises his or her right to object; or
  • the given personal data have been unlawfully handled; or
  • the given personal data must be deleted in order to comply with a legal obligation.

The Agency is not obliged to fulfil the Person’s request for deletion if the processing of personal data is necessary and justified for the following reasons:

  • for compliance with a legal obligation; or
  • for exercising or defending rights or legitimate interests in court.

Right to restrict processing (right to block data)

Persons Concerned may request that the processing of their data be restricted (blocked) where

  • correction is not possible in relation to the accuracy, precision or authenticity of the data (see: “Right to correction”); or
  • the data processing is unlawful, but the Person Concerned does not request that the data be deleted; or
  • the given personal data are no longer necessary for the purposes for which they were collected, but the enforcement of certain rights or legitimate interests in court excludes their deletion; or
  • the Person Concerned has exercised his or her right to object and verification of the lawfulness of the Agency’s actions is still pending.

Where the right to block is exercised, the Agency may continue to use the personal data where:

  • the Person Concerned has consented to such continued use; or
  • the use (existence) of the given data is necessary for enforcing certain rights or legitimate interests in court; or
  • the use (existence) of the given data is necessary for protecting the rights of another natural or legal person.

Ensuring data portability

Persons Concerned may request the Agency to provide the Person Concerned with their personal data in an organised, structured manner in a format readable by IT systems, and/or to send such data directly to another controller.

Right to object

Persons Concerned have the right to object at any time, on grounds related to their particular situation, to the processing of their personal data where they believe this is required by their fundamental rights. Those Concerned may object at any time to the processing of their personal data for direct marketing purposes, without having to give reasons, in which case the Agency will terminate data processing as soon as possible.

Notification of a Person Concerned of a possible data protection incident

The Agency protects the personal and other data of Persons Concerned to the best of its ability in proportion to the relevant risks, it operates a modern and reliable IT environment, and selects its collaborating partners with particular care. It conducts its internal procedures in a regulated and supervised manner, so as to prevent and avoid even the smallest mistake, problem or incident regarding the processing of personal data or, should one occur, to detect, investigate and resolve the case. Should an incident concerning personal data be proven to have occurred and should this be likely to result in a high risk to the rights and freedoms of Persons Concerned, the Agency undertakes to notify the Person Concerned and the data protection authority of the data protection incident in the manner and with content in compliance with operative data protection regulations and without undue delay.

Automated decision-making in individual cases including profiling

Persons Concerned have the right not to be subject to any decision based solely on automated data processing, including profiling, which would have a legal effect on them or significantly affect them in any similar way. The Agency does not operate any procedure involving automated decision making.

Right to lodge a complaint with a supervisory authority

Complaints regarding data processing may be filed with the court or with the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság):
Registered office: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: H-1534 Budapest, Pf.: 5
Telephone: +36 (1) 391-1400
E-mail address:

Right to an effective judicial remedy against a supervisory authority

You have the right to an effective judicial remedy against a legally binding decision made by a supervisory authority with regard to you.

Right to an effective judicial remedy against the Controller or Data Processors

You have the right to an effective judicial remedy where you consider that your rights have been infringed as a result of the non-compliant processing of your personal data.