This Privacy Notice (hereinafter Notice) contains comprehensive information on the processing of personal data related to the VENDÉGEM guest registration application (hereinafter Application) operated by MAGYAR TURISZTIKAI ÜGYNÖKSÉG ZRT. (hereinafter Company or Controller) for the purpose of notifying you (as the Person Concerned) of all such information prior to using the Application, for you to be fully aware of the purpose and conditions of data processing, the related risks and guarantees, as well as your rights.

With respect to data processing operations related to its own business activities, the accommodation provider using the Application must act within its own competence. In this context, the accommodation provider establishes the conditions for lawfully obtaining the personal data to be registered in the Application, with regard to which data the accommodation provider is the Controller. This Notice does not regulate data processing activities and operations carried out by the accommodation provider.

In the Application, your rights as Person Concerned depend on what type of user you are while using the system.

  • You may use the web interface of the Application as a guest without user identification, in which case your technical personal data (e.g. the IP address of the device you are using for browsing) is processed based on the Controller's legitimate interest. As a guest, you will have no access to the pages that contain the internal functions of the system.
  • If you have Administrator rights in the Application, you will be identified with the aid of the Central Identification Agent service before you log into the Application. In this case, your data are processed for the purpose of complying with a legal obligation and on the basis of the legitimate interest of the Controller or a third party. You are not required to consent to data processing, but you become eligible to log in by reading and acknowledging this Notice. By logging into the Application as Administrator, you declare that you have read the version of this Notice which is in effect at the time such data or information are provided.
  • If you are a user set up in the Application by the person acting on behalf of the accommodation provider (Administrator or Data Provider), your personal data have been entered into the system by your authorised Administrator for the purpose of allowing us to send you an invitation, and for you to log into the system and to perform your tasks using your email address and password. In this case, before your first login, you need to consent to the processing of your data. The withdrawal of consent does not affect the lawfulness of data processing subject to consent which was performed before consent was withdrawn. By logging in to the Application, you expressly declare that you are aware of and accept the version of this Notice which was in effect at the time such data or information was provided, and you consent to data processing.

Depending on the type of user you are, you are eligible to use the functions allocated to that particular role in the Application.

If you are a legal or authorised representative of the accommodation provider in the Application (Administrator), you qualify as a person acting on behalf of the accommodation provider and are eligible to use the corresponding functions. You also have the right to initiate the creation of additional users assigned to the organisation you represent, and to lawfully transfer their personal data in the Application as representative of the accommodation provider.

If on invitation you log into the Application as Administrator or Data Provider with the approval of the legal or authorised representative of the accommodation provider, you are eligible to use the functions allocated to that role.

As representative of the accommodation provider, in the case of all three user types, you declare that you will lawfully process guest data, customer data, reservation/booking data and invoice payment information (hereinafter guest data), you record such data in the Application while in possession of all relevant authorisations and that you forward guest data in a lawful manner to the Application’s data processing operator. You will make a declaration on behalf of the organisation you represent concerning the compliance of data transfer, and assume the pertinent liability.

The identity confirmation during login is performed using the Central Identification Agent service or the Application’s own authentication system, while the personal authorisations for legal or authorised representatives are verified through the Authorisation Management Agent, by way of retrieval from certified public registries.

Our Company stores your personal data on servers operated by the Controller and/or the Data Processor in the territory of Hungary.

Our Company stores your personal data on servers operated by the Controller and/or the Data Processor in the territory of Hungary.

Our Company reserves the right to amend this Notice unilaterally, effective from the date of amendment. For this reason, you are advised to visit the Privacy Notice page on a regular basis in order to monitor potential changes.


(company registration number: 01-10-041364; registered office: H-1027 Budapest, Kacsa utca 15-23; tax number:10356113-4-41; represented by Dr. Zoltán Guller) (hereinafter Company or Controller)
POSTAL ADDRESS OF THE CONTROLLER: H-1027 Budapest, Kacsa utca 15-23


In carrying out its various professional tasks, the Company uses the Data Processing services of the following companies:

  • SAGEMCOM MAGYARORSZÁG KFT. (registered office: H-1037 Budapest, Montevideo u. 16/a) as system developer and the company providing operational support.
  • NISZ NEMZETI INFOKOMMUNIKÁCIÓS SZOLGÁLTATÓ ZRT. (registered office: H-1081 Budapest, Csokonai utca 3) as the service provider hosting the IT environment running the system.

The Data Processors will not use the data received for their own purposes; they only process data for the Controller. Controllers may only disclose the personal data of the Persons Concerned to the designated Data Processing companies that the Persons Concerned are informed of and/or have accepted on the basis of this Notice.


The Controller stores and records various personal data of the User (Person Concerned) for the purpose of identifying the Person Concerned in the Application, for verifying his access rights, for confirming the accommodation provider’s right of representation, for sending automated letters from the Application, for operating the Application and for communicating with users. Communication may include notifications delivered to the Application users concerning the following professional matters:

  • general, professional communication
  • public opinion polling, surveying the tourism situation, tourism strategy
  • emergency communication, matters to be focused on
  • professional events, education, training related to the Application
  • changes made to the Application.


In the Application, a piece of information is regarded as personal data if it directly contains or may contain personal data, or several pieces of information together which may contain personal data on the basis of which a natural person may become identifiable.

In relation to the public website areas of the Application, we process the following data: The IP address used by the device running the user's browser, which is handled by the website server and the servers in its environment (e.g. firewall, logging system, security backups).

User data
stored in the Application: some of the data are supplied to the Application by the Central Identification Agent service.

  • surname;
  • given name;
  • surname at birth;
  • given name at birth;
  • place of birth;
  • date of birth;
  • mother’s surname at birth;
  • mother’s given name at birth;
  • name of accompanying person;
  • email address;
  • email address again.

Additional personal data created, modified and utilised when using the Application:

  • surname;
  • given name;
  • email address;
  • confirmation of email address;
  • name of accommodation establishment;
  • comment.

The Application may only be applied for from the National Tourism Data Supply Centre (NTDSC). In this case, the Send and Resend Confirmation function is activated by the NTDSC for the Application’s Administrator user, to which end the NTDSC forwards to the Application the email address of the Administrator user to be created.

Concerning finalisation of the user role, the User receives an invitation by email, and they then enter their password using the link in the email. Data processed in relation to the above:

  • new password.

Of the data processed by accommodation establishments, the following may be received for further processing on being recorded by the User:

1) For accommodation units:

  • comment;
  • identifier;
  • name.

2) For reservations/bookings:

  • customer’s email address;
  • customer’s name;
  • telephone number;
  • customer’s nationality;
  • comment;
  • reservation/booking number;
  • date and time of reservation/booking.

3) For guests:

  • guest’s surname;
  • guest’s given name;
  • guest’s gender;
  • date of birth;
  • place of birth;
  • citizenship;
  • country;
  • post code;
  • telephone number;
  • residential address;
  • email.

4) Products and services:

  • identifier;
  • name;
  • comment.

5) Settings for closure:

  • code required for closure;
  • confirmation of code.

6) Delete personal data function:

  • guest’s surname;
  • guest’s given name;
  • place of birth;
  • date of birth.


From the first login, personal data are retained:

  • until termination of the accommodation service activities in the case of the person acting on behalf of the accommodation provider;
  • for a period of 1 year following deletion of the user in the case of additional users linked to the accommodation establishment.

Technical data generated for data security purposes (e.g. IP address, email address) are stored for a period of 1 year.


In the case of a person acting on behalf of the accommodation provider, based on Article 6(1)b) of the GDPR, i.e. the fulfilment of a contract to which the person acting on behalf of the accommodation provider is one party as Person Concerned and, pursuant to Article 6(1)f) of the GDPR, the data processing is necessary in order to enforce the legitimate interests of the Controller or a third party.
In the case of additional users associated with the accommodation establishment, voluntary consent by the Persons Concerned. (Article 6(1)a) of the GDPR).
The Company acts as Data Processor with regard to guest-related personal data recorded by the accommodation provider’s users.
Messages sent and replies received as part of professional correspondence are processed on the basis of the Controller’s legitimate interest.


The personal data you provide are accessible to the Controller and to the employees directly supervised by the Data Processors for the performance of their duties. They will treat the data confidentially, and in accordance with currently operative legislation, as well as the internal regulations and procedures of the Controller and Data Processors.


As User, your rights regarding data processing are as follows:

  • Right to advance information:

You have the right to be notified of facts and information related to the data processing prior to the commencement of processing. We have created this Privacy Notice in order to ensure this right.

  • Right of access by the Person Concerned:

The Person Concerned has the right to obtain confirmation from the Controller as to whether his personal data are being processed or not, and if they are, to have access to the personal data and information.

  • Right to correction:

The Person Concerned may request that the Company correct or complete any of the personal information on the Person Concerned that is incorrect, inaccurate or incomplete. Prior to correcting any inaccurate data, the Company is entitled to verify the truthfulness or accuracy of such data.

  • Right to deletion, right to be forgotten:

The Person Concerned has the right to have the Controller delete personal data concerning him or her without undue delay and the Controller is obliged to do so. You do not have this right if the data processing is based on a legal obligation.

  • Right to withdraw:

If the data processing is based on the consent of the person concerned, the person concerned has the right to withdraw his or her consent at any time without affecting the lawfulness of data processing based on consent carried out before consent was withdrawn.

  • Right to restriction of processing (right to block data):

The Person Concerned has the right to request the Controller to restrict data processing in certain cases.

Right to data portability:

The Person Concerned has the right to obtain personal data related to him or her in a structured, widely used, machine-readable format, which data he had previously made available to the Controller

  • Right to object:

The Person Concerned has the right to object at any time to the processing of his or her personal data on grounds related to his/her particular situation, if such processing is being done in the public interest or if it is necessary for pursuing the legitimate interests of the Controller, including profiling.

  • Automated decision-making in individual cases, including profiling:

Persons Concerned have the right not to be subject to any decision based solely on automated data processing, including profiling, which would have a legal effect on them or significantly affect them in any similar way. The Controller does not employ automated decision making.

  • Notifying the Person Concerned of a data protection incident:

Should a data protection incident be likely to result in a high risk to your data and/or to your rights and freedoms, the Controller will notify you of the incident without undue delay.

  • Right to lodge a complaint with a supervisory authority:

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes data protection regulations. Supervisory authority: National Authority for Data Protection and Freedom of Information
Registered office: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: H-1534 Budapest, Pf.: 5
Telephone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email address:

  • Right to an effective judicial remedy against a supervisory authority:

You have the right to an effective judicial remedy against a legally binding decision made by a supervisory authority with regard to you.

  • Right to an effective judicial remedy against a controller or data processor:

You have the right to an effective judicial remedy where you consider that your rights have been infringed as a result of the non-compliant processing of your personal data.


The Company undertakes to ensure the security of data, and to take the necessary technical and organisational measures and to develop the necessary procedural regulations to ensure that the recorded, stored or processed data remain secure, and to prevent the destruction, unauthorised use or unauthorised modification thereof. The Company shall also instruct its Data Processors to comply with the data security requirements.

The Controller shall ensure that no unauthorised person have access to the processed data, and that such persons be unable to disclose, transmit, modify or delete them. The Controller shall do everything in its power to ensure that the data cannot be damaged or destroyed by accident. The Controller shall require the same commitment from its employees participating in the data processing activities and the Data Processor(s) proceeding on behalf of the Controller(s).

The Company ensures that IT data and the technical environment of the website are appropriately backed up, using the parameters necessary based on the retention period of the individual data to guarantee the availability of the data within the retention period, and that at the end of the retention period the data will be permanently deleted.

The integrity and functionality of the IT system and the data storage environment are verified by advanced monitoring techniques, and the necessary capacities are provided continuously. Events in the IT environment are captured using sophisticated logging features to ensure that potential incidents can be subsequently detected and evidenced with legal force.

The Company uses a redundant network environment providing consistently high bandwidth to serve its web pages, which environment is able to distribute the resulting loads securely among the resources. The systems are designed to provide planned disaster resilience, to deliver business continuity and thus a continuous service to users at a high standard, also through organisational and technical means.

High priority is given to the controlled installation of security enhancements and manufacturers’ updates that also ensure the integrity of their IT systems, thus preventing, avoiding and handling attempts to access or damage the system due to vulnerability. The IT environment is regularly monitored by security testing, errors or weak points identified are corrected, and reinforcement of IT system security is seen as an ongoing task.

High standards of security, including confidentiality, are set for employees, which are also met by providing regular training, and it strives to implement planned and controlled processes in its internal operations. Any incidents affecting personal data detected or reported to the Company during operation will be investigated in a transparent manner applying responsible and strict principles within 72 hours. Incidents which occur are dealt with and entered into records.

When developing its services and IT solutions, the Company ensures that the principle of data protection by design is met, data protection already being of high priority in the design phase.


A data protection incident corresponds to to an event that results in the unlawful handling or processing of the personal data managed, forwarded, stored or processed by the Controller, including in particular, unauthorised or accidental access to, alteration, communication, deletion, loss or destruction, and accidental destruction of or damage to such personal data. Persons in charge of data protection shall promptly investigate any reported or detected data protection incident and shall make a recommendation for remedying and addressing the incident within 24 hours of becoming aware of it.

The Controller warrants that data will be processed in full compliance with the provisions of operative legislation.

This Notice is valid from 1 September 2020.