Information Centre

This privacy notice (hereinafter: Notice) contains all information regarding the processing of personal data generated during the operation of the Information Centre (hereinafter: information centre) run by the MAGYAR TURISZTIKAI ÜGYNÖKSÉG ZRT. (registered office: 1027 Budapest, Kacsa utca 15-23., hereinafter: Company, Controller) in order to ensure that, before giving your consent, you are fully aware of the purpose and the conditions of data processing, the related risks and guarantees as well as the rights that you have.

Please consider the contents of this Notice before giving your consent. Giving the consent to the Controller is the condition of data processing.

Please note that during a telephone inquiry, your call will be recorded with your consent for quality assurance purposes. If you do not consent to the voice recording, please contact us by e-mail at info@mtu.gov.hu or by post at the 1027 Budapest, Kacsa utca 15-23. mailing address.

After due consideration, you, as the party initiating the contact (hereinafter: Data Subject), give your express consent to data processing in accordance with this Notice by pressing the consent button required for voice recording in the case of a telephone call, or simultaneously with establishing contact by e-mail and post.

By publishing this Notice, our Company intends to comply with the provisions of Regulation (EU) 2016/679 of 27 April 2016 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereafter: Regulation, GDPR) – as well as with Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: Info Act). Our Company takes effort to provide the Data Subjects with any information on personal data processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language, as well as to promote the exercise of rights by the Data Subjects. The terms used in the Notice correspond to the terms defined in the Info Act and in the Regulation and to their interpretation. The Controller warrants that the data is processed in full compliance with the provisions of the effective legal rules. Should the data processing conditions change, the Company will inform the Data Subjects about the modifications.

NAME OF THE CONTROLLER:

MAGYAR TURISZTIKAI ÜGYNÖKSÉG ZRT. (company registration number: 01-10-041364, Registered office: 1027 Budapest, Kacsa utca 15-23., tax number: 10356113-4-41, represented by: dr. Zoltán Guller)

MAILING ADDRESS OF THE CONTROLLER: 1027 Budapest, Kacsa utca 15-23.

E-MAIL ADDRESS OF THE CONTROLLER: info@mtu.gov.hu

TELEPHONE NUMBER OF THE CONTROLLER: +36 1 488 8700

NAME AND CONTACT DETAILS OF THE DATA PROTECTION OFFICER: Levente Papp, privacy@mtu.gov.hu

The Company does not use a Data Processor in connection with the operation of the Information Centre.

The purpose of personal data processing is to identify the party initiating the contact, to ensure the operational quality of the Information Centre and to contact and inform the Data Subject.

When initiating a contact, we process the following personal data in connection with the Data Subject:

• in the case of a telephone inquiry, the name and telephone number of the Data Subject; the voice recording made during the telephone conversation with our employee; the date-hour-minute data of the call origination and the name and telephone number of the Data Subject for identifying and retrieving the voice recording.
• In the case of an e-mail inquiry, the name and the e-mail address of the Data Subject.
• in the case of a postal inquiry, the name and postal address of the Data Subject.

We store the personal data that you provide for 1 year in order that all circumstances important from a legal viewpoint can be proven by the Controller.

Article 6 (1) (a) of the GDPR, i.e. the consent of the Data Subject.

The personal data provided by you may be accessed by authorised employees under the direct control of the Controller in order to perform their duties, and they treat the data confidentially, in accordance with the effective legal regulatory conditions as well as with the internal rules and procedural order of the Controller.

Your rights regarding data processing are as follows:

RIGHT TO TRANSPARENT INFORMATION:

You have the right to receive notification about the facts and information related to data processing prior to starting the data processing. We have also created this Privacy Notice to ensure this right.

RIGHT OF ACCESS BY THE DATA SUBJECT:

The Data Subject shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the following information:

• the processed personal data and the category of personal data, the purpose of data processing;
• the recipients or categories of recipient to whom the personal data have been, or will be disclosed by the Controller;
• the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.

• at request, the controller provides the data subject with a copy of the personal data that are the subject of data processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

RIGHT TO RECTIFICATION:

The Data Subject may request the Company to rectify or complete any personal information that is incorrect, inaccurate or incomplete. Before rectifying the erroneous data, the Company may verify the truthfulness or accuracy of the data involved.

RIGHT OF WITHDRAWAL:

In the case of data processing based on the Data Subject’s consent, the Data Subject may withdraw his/her consent at any time, which does not affect the lawfulness of data processing based on consent before the withdrawal.

RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’):

The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay, and the Controller is obliged to do so. You do not have this right in the case of data processing based on a legal obligation.

RIGHT TO RESTRICTION OF PROCESSING (RETENTION RIGHT):

The Data Subject shall have the right to obtain from the Controller restriction of processing in the following cases:

• if the accuracy of the personal data is contested by the Data Subject, for a period enabling the controller to verify the accuracy of the personal data;
• if the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
• if the Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
• if the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.

RIGHT TO DATA PORTABILITY:

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: The Data Subject shall have the right to data portability if:

• the processing is based on the data subject's consent or on the consent to processing specific categories of the personal data for one or more specific purposes, or on a contract pursuant to Article 6 (1) (b) GDPR, and
• the processing is carried out by automated means.

RIGHT TO OBJECT:

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her except where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling. The Controller shall not terminate data processing on the basis of the objection if the data processing is justified by compelling legitimate reasons which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims

AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING:

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or otherwise significantly affects them. The Company does not use automated decision making.

COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT:

If a potential data breach is likely to pose a high risk to your data, rights and freedoms, the Controller will notify you about the data breach without undue delay.

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY:

In the event where the Data Subject suffered a harm concerning the processing of his or her personal data, it is advisable to contact the Controller before lodging the complaint and submit a request to exercise the relevant data subject's right in order to handle the matter more quickly and efficiently.

You shall have the right to complain to a supervisory authority if you consider that the processing of personal data violates the data protection laws.

National Authority for Data Protection and Freedom of Information

Registered office: 1055 Budapest, Falk Miksa utca 9-11.

Mailing address: 1363 Budapest, Pf.: 9.

Phone number: +36 (1) 391-1400

Facsimile number: +36 (1) 391-1410

E-mail: ugyfelszolgalat@naih.hu

RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY:

You have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning you.

RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST DATA CONTROLLERS OR DATA PROCESSORS:

Without prejudice to the right to lodge a complaint, the Data Subject shall have the right to an effective judicial remedy by instituting civil proceedings if, in his or her opinion, his or her rights have been violated as a result of the improper processing of his or her personal data. The Metropolitan Court has jurisdiction to hear the case, but the data subject may also choose to bring the case before the court having jurisdiction over his or her place of residence.

The Company is obliged to ensure data security, to take the technical and organisational actions as well as to work out the procedural rules ensuring that the collected, stored and processed data are protected; furthermore, it prevents the annihilation, the unauthorised usage and the unauthorised modification of such data. It also obliges its Processors to comply with the data security requirements.

The Controller ensures that unauthorised persons may not access, disclose, forward, modify or erase the processed data. The Controller does its best to ensure that the data is not damaged or destroyed, not even accidentally. The Controller also imposes the above obligation on its employees participating in data processing and on the Processor(s) acting on behalf of the Controller.

The Company ensures proper data backup according to the technical environment of the IT data and the website, which it operates with the necessary parameters based on the storage period of each data, thus guaranteeing the availability of the data within the storage period, and it finally erases them upon the expiry of the storage period.

The integrity and operability of the IT system and the data storage environment are checked with advanced monitoring techniques, and the necessary capacities are continuously provided.

Events in the IT environment are recorded by using complex logging functions, including the IP addresses of visitors, thus ensuring the subsequent detection and legal proof of potential incidents.

It uses a redundant network environment that continuously provides high bandwidth to serve the websites, securely distributing the upcoming loads among our resources.

The Company ensures the planned disaster resilience ability of its systems, ensuring the continuity of business operations and thus the continuous service of users at a high level, with organisational and technical means.

Priority is given to the controlled installation of security patches and vendor updates that also ensure the integrity of IT systems, thus preventing, avoiding and addressing attempts to gain access or cause damage by exploiting vulnerabilities.

The IT environment is regularly inspected through security testing, any detected errors or vulnerabilities are corrected and supporting the security of the IT system is considered as an ongoing task.

It sets high security standards for its employees that also include confidentiality, it ensures their fulfilment through regular training and strives to operate planned and controlled processes with regard to their internal operations.

Any incidents involving personal data detected or reported during operations are investigated in a transparent manner, in accordance with responsible and rigorous principles, within 72 hours. Incidents that have occurred are processed and recorded.

When developing its services and IT solutions it ensures that the principle of built-in data protection is met and data protection is treated as a priority already in the planning phase.

Data breach is any event that, in connection with personal data processed, transferred, stored or managed by the Controller, results in the unlawful management or processing of personal data, thus specifically unauthorised or accidental access, alteration, disclosure, erasure, loss or annihilation as well as accidental destruction and injury. The data protection officer immediately investigates the reported or detected data breach and, within 24 hours from becoming aware of the data breach, makes a proposal for eliminating and managing the data breach.

The Controller warrants that the data is processed in full compliance with the provisions of the effective legal rules.

Should the data processing conditions change, the Company will inform the participants about the modifications.