This Privacy Notice (hereinafter Notice) contains comprehensive information on the processing of personal data related to the VENDÉGEM guest registration application (hereinafter Application) operated by MAGYAR TURISZTIKAI ÜGYNÖKSÉG ZRT. (hereinafter Company or Controller) for the purpose of notifying you (as the Person Concerned) of all such information prior to using the Application, for you to be fully aware of the purpose and conditions of data processing, the related risks and guarantees, as well as your rights.
With respect to data processing operations related to its own business activities, the accommodation provider using the Application must act within its own competence. In this context, the accommodation provider establishes the conditions for lawfully obtaining the personal data to be registered in the Application, with regard to which data the accommodation provider is the Controller. This Notice does not regulate data processing activities and operations carried out by the accommodation provider.
In the Application, your rights as Person Concerned depend on what type of user you are while using the system.
Depending on the type of user you are, you are eligible to use the functions allocated to that particular role in the Application.
If you are a legal or authorised representative of the accommodation provider in the Application (Administrator), you qualify as a person acting on behalf of the accommodation provider and are eligible to use the corresponding functions. You also have the right to initiate the creation of additional users assigned to the organisation you represent, and to lawfully transfer their personal data in the Application as representative of the accommodation provider.
If on invitation you log into the Application as Administrator or Data Provider with the approval of the legal or authorised representative of the accommodation provider, you are eligible to use the functions allocated to that role.
As representative of the accommodation provider, in the case of all three user types, you declare that you will lawfully process guest data, customer data, reservation/booking data and invoice payment information (hereinafter guest data), you record such data in the Application while in possession of all relevant authorisations and that you forward guest data in a lawful manner to the Application’s data processing operator. You will make a declaration on behalf of the organisation you represent concerning the compliance of data transfer, and assume the pertinent liability.
The identity confirmation during login is performed using the Central Identification Agent service or the Application’s own authentication system, while the personal authorisations for legal or authorised representatives are verified through the Authorisation Management Agent, by way of retrieval from certified public registries.
Our Company stores your personal data on servers operated by the Controller and/or the Data Processor in the territory of Hungary.
Our Company stores your personal data on servers operated by the Controller and/or the Data Processor in the territory of Hungary.
Our Company reserves the right to amend this Notice unilaterally, effective from the date of amendment. For this reason, you are advised to visit the Privacy Notice page on a regular basis in order to monitor potential changes.
NAME OF THE CONTROLLER: MAGYAR TURISZTIKAI ÜGYNÖKSÉG ZRT.
(company registration number: 01-10-041364; registered office: H-1027 Budapest, Kacsa utca 15-23; tax number:10356113-4-41; represented by Dr. Zoltán Guller) (hereinafter Company or Controller)
POSTAL ADDRESS OF THE CONTROLLER: H-1027 Budapest, Kacsa utca 15-23
EMAIL ADDRESS OF THE CONTROLLER: info@mtu.gov.hu
TELEPHONE NUMBER OF THE CONTROLLER: +36 1 488 8700
NAME OF THE CONTROLLER’S DATA PROTECTION OFFICER: Levente Papp
EMAIL ADDRESS OF THE CONTROLLER’S DATA PROTECTION OFFICER: privacy@mtu.gov.hu
In carrying out its various professional tasks, the Company uses the Data Processing services of the following companies:
The Data Processors will not use the data received for their own purposes; they only process data for the Controller. Controllers may only disclose the personal data of the Persons Concerned to the designated Data Processing companies that the Persons Concerned are informed of and/or have accepted on the basis of this Notice.
The Controller stores and records various personal data of the User (Person Concerned) for the purpose of identifying the Person Concerned in the Application, for verifying his access rights, for confirming the accommodation provider’s right of representation, for sending automated letters from the Application, for operating the Application and for communicating with users. Communication may include notifications delivered to the Application users concerning the following professional matters:
In the Application, a piece of information is regarded as personal data if it directly contains or may contain personal data, or several pieces of information together which may contain personal data on the basis of which a natural person may become identifiable.
In relation to the public website areas of the Application, we process the following data: The IP address used by the device running the user's browser, which is handled by the website server and the servers in its environment (e.g. firewall, logging system, security backups).
User data
stored in the Application: some of the data are supplied to the Application by the Central Identification Agent service.
Additional personal data created, modified and utilised when using the Application:
The Application may only be applied for from the National Tourism Data Supply Centre (NTDSC). In this case, the Send and Resend Confirmation function is activated by the NTDSC for the Application’s Administrator user, to which end the NTDSC forwards to the Application the email address of the Administrator user to be created.
Concerning finalisation of the user role, the User receives an invitation by email, and they then enter their password using the link in the email. Data processed in relation to the above:
Of the data processed by accommodation establishments, the following may be received for further processing on being recorded by the User:
1) For accommodation units:
2) For reservations/bookings:
3) For guests:
4) Products and services:
5) Settings for closure:
6) Delete personal data function:
From the first login, personal data are retained:
Technical data generated for data security purposes (e.g. IP address, email address) are stored for a period of 1 year.
In the case of a person acting on behalf of the accommodation provider, based on Article 6(1)b) of the GDPR, i.e. the fulfilment of a contract to which the person acting on behalf of the accommodation provider is one party as Person Concerned and, pursuant to Article 6(1)f) of the GDPR, the data processing is necessary in order to enforce the legitimate interests of the Controller or a third party.
In the case of additional users associated with the accommodation establishment, voluntary consent by the Persons Concerned. (Article 6(1)a) of the GDPR).
The Company acts as Data Processor with regard to guest-related personal data recorded by the accommodation provider’s users.
Messages sent and replies received as part of professional correspondence are processed on the basis of the Controller’s legitimate interest.
The personal data you provide are accessible to the Controller and to the employees directly supervised by the Data Processors for the performance of their duties. They will treat the data confidentially, and in accordance with currently operative legislation, as well as the internal regulations and procedures of the Controller and Data Processors.
As User, your rights regarding data processing are as follows:
You have the right to be notified of facts and information related to the data processing prior to the commencement of processing. We have created this Privacy Notice in order to ensure this right.
The Person Concerned has the right to obtain confirmation from the Controller as to whether his personal data are being processed or not, and if they are, to have access to the personal data and information.
The Person Concerned may request that the Company correct or complete any of the personal information on the Person Concerned that is incorrect, inaccurate or incomplete. Prior to correcting any inaccurate data, the Company is entitled to verify the truthfulness or accuracy of such data.
The Person Concerned has the right to have the Controller delete personal data concerning him or her without undue delay and the Controller is obliged to do so. You do not have this right if the data processing is based on a legal obligation.
If the data processing is based on the consent of the person concerned, the person concerned has the right to withdraw his or her consent at any time without affecting the lawfulness of data processing based on consent carried out before consent was withdrawn.
The Person Concerned has the right to request the Controller to restrict data processing in certain cases.
Right to data portability:
The Person Concerned has the right to obtain personal data related to him or her in a structured, widely used, machine-readable format, which data he had previously made available to the Controller
The Person Concerned has the right to object at any time to the processing of his or her personal data on grounds related to his/her particular situation, if such processing is being done in the public interest or if it is necessary for pursuing the legitimate interests of the Controller, including profiling.
Persons Concerned have the right not to be subject to any decision based solely on automated data processing, including profiling, which would have a legal effect on them or significantly affect them in any similar way. The Controller does not employ automated decision making.
Should a data protection incident be likely to result in a high risk to your data and/or to your rights and freedoms, the Controller will notify you of the incident without undue delay.
You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes data protection regulations. Supervisory authority: National Authority for Data Protection and Freedom of Information
Registered office: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: H-1534 Budapest, Pf.: 5
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email address: ugyfelszolgalat@naih.hu
You have the right to an effective judicial remedy against a legally binding decision made by a supervisory authority with regard to you.
You have the right to an effective judicial remedy where you consider that your rights have been infringed as a result of the non-compliant processing of your personal data.
The Company undertakes to ensure the security of data, and to take the necessary technical and organisational measures and to develop the necessary procedural regulations to ensure that the recorded, stored or processed data remain secure, and to prevent the destruction, unauthorised use or unauthorised modification thereof. The Company shall also instruct its Data Processors to comply with the data security requirements.
The Controller shall ensure that no unauthorised person have access to the processed data, and that such persons be unable to disclose, transmit, modify or delete them. The Controller shall do everything in its power to ensure that the data cannot be damaged or destroyed by accident. The Controller shall require the same commitment from its employees participating in the data processing activities and the Data Processor(s) proceeding on behalf of the Controller(s).
The Company ensures that IT data and the technical environment of the website are appropriately backed up, using the parameters necessary based on the retention period of the individual data to guarantee the availability of the data within the retention period, and that at the end of the retention period the data will be permanently deleted.
The integrity and functionality of the IT system and the data storage environment are verified by advanced monitoring techniques, and the necessary capacities are provided continuously. Events in the IT environment are captured using sophisticated logging features to ensure that potential incidents can be subsequently detected and evidenced with legal force.
The Company uses a redundant network environment providing consistently high bandwidth to serve its web pages, which environment is able to distribute the resulting loads securely among the resources. The systems are designed to provide planned disaster resilience, to deliver business continuity and thus a continuous service to users at a high standard, also through organisational and technical means.
High priority is given to the controlled installation of security enhancements and manufacturers’ updates that also ensure the integrity of their IT systems, thus preventing, avoiding and handling attempts to access or damage the system due to vulnerability. The IT environment is regularly monitored by security testing, errors or weak points identified are corrected, and reinforcement of IT system security is seen as an ongoing task.
High standards of security, including confidentiality, are set for employees, which are also met by providing regular training, and it strives to implement planned and controlled processes in its internal operations. Any incidents affecting personal data detected or reported to the Company during operation will be investigated in a transparent manner applying responsible and strict principles within 72 hours. Incidents which occur are dealt with and entered into records.
When developing its services and IT solutions, the Company ensures that the principle of data protection by design is met, data protection already being of high priority in the design phase.
A data protection incident corresponds to to an event that results in the unlawful handling or processing of the personal data managed, forwarded, stored or processed by the Controller, including in particular, unauthorised or accidental access to, alteration, communication, deletion, loss or destruction, and accidental destruction of or damage to such personal data. Persons in charge of data protection shall promptly investigate any reported or detected data protection incident and shall make a recommendation for remedying and addressing the incident within 24 hours of becoming aware of it.
The Controller warrants that data will be processed in full compliance with the provisions of operative legislation.
This Notice is valid from 1 September 2020.