Magyar Turisztikai Ügynökség Zrt. (Hungarian Tourism Agency Ltd.) (Company registration number: 01-10-041364, Tax number: 10356113-4- 41, registered seat: H-1027 Budapest, Kacsa u. 15-23, 4. emelet, Hungary, mailing address: H-1525 Budapest Pf.: 97, central phone: +36 1 488 8700, central e-mail: email@example.com, represented by: dr. Zoltán Guller, data protection officer’s contact information: Levente Papp, firstname.lastname@example.org), hereinafter the ‘Agency’ or ‘Controller’ is committed to respect website visitors’ right to privacy and the protection of personal data, and to operate in compliance with the data protection regulation of the European Union (hereinafter the ‘GDPR’), the Hungarian data protection act (hereinafter the ‘Privacy Act’) and other laws, guidelines and the best practices of data protection, subject to key international recommendations regarding data protection.
The Agency as controller accepts and agrees to be bound by the content of this legal notice. It undertakes to ensure that its data processing related to its services complies with the expectations stipulated in this notice and the law in force.
THE DATA PROCESSING OPERATIONS OF THE AGENCY COMPLY WITH THE FOLLOWING LAWS ON DATA PROTECTION
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR); Act CXII of 2011 on Informational Self-Determination and Freedom of Information (‘Privacy Act’) and Act V of 2013 on the Civil Code of Hungary (‘Civil Code’).
Personal data may be processed where
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or within the framework of exercising official authority vested in the controller;
- processing is necessary for the purposes of enforcing the legitimate interests of the controller or a third party.
Pursuant to Article 8(1) of the GDPR, the validity of the declaration of consent of a minor (i.e. the data subject) is not subject to the consent or subsequent approval of the holder of parental responsibility over the minor if such minor is at least 16 years old; where such minor is under 16, however, the validity of his or her declaration of consent shall be subject to the consent of the holder of parental responsibility over the child. The Agency has no means to verify the accuracy and authenticity of the consent; the person granting the consent shall warrant the accuracy thereof.
1. PURPOSE OF PROCESSING
The Agency may use your Personal Data for the following purposes:
in the case of subscription to the newsletter, the Agency may directly contact you via e-mail, including newsletters, offers, promotional materials and other information expressly targeted to you;
the Agency may control the use and operation of the Website;
the Agency may correct and solve the problems related to the operation of the Website or the business, products and services of the Agency;
the Agency may ensure the security and integrity of the Website and the business of the Agency.
If you no longer want to receive direct communication from the Agency, including newsletters, please send an e-mail to email@example.com with the subject line ‘unsubscribe’ or ‘stop’, or write to the Agency’s address: H-1027 Budapest, Kacsa utca 15-23. In the latter case, please also provide your name, address and e-mail. Please note that the Agency performs no data processing in relation to the functions invoked by way of the icons of external providers on the webpage (Facebook, Twitter, Linkedin, Instagram); in such cases, the external provider acts as controller.
2. LEGAL BASIS OF PROCESSING
In the case of subscription to newsletter or initiating contact, data processing is based on the voluntary consent of the data subject.
3. CONDITIONS PRECEDENT TO DATA PROCESSING
Subscription to the newsletter is conditional upon you providing your personal data to the Controller. By providing your personal data and by subscribing, you accept and acknowledge the provisions of this privacy notice and consent to processing.
4. SCOPE OF DATA PROCESSED
When you subscribe to the newsletter through the Website or initiate contact through the Contact menu, the Agency may request information concerning you, including your name and e-mail. During the operation of the Website, we process the IP address of your computer as technical data, and we also store cookies on your computer.
5. DURATION OF STORING PERSONAL DATA
Personal data processed based on consent are processed by the Agency until the withdrawal of such consent, provided that there is no other legal basis for data processing. The withdrawal of consent shall not affect the lawfulness of processing before such withdrawal.
6. RECIPIENTS OF PERSONAL DATA AND CATEGORIES OF THE RECIPIENTS
Users of the Controller and Processor companies performing partner relations and customer service activities; for technical data, the IT staff.
7. PROCESSORS USED
- In performing marketing communication activities and tasks, including the delivery of newsletters, the Agency uses the services of TURISZTIKAI MARKETINGKOMMUNIKÁCIÓS ÜGYNÖKSÉG NONPROFIT ZRT. (Registered seat: H-1027 Budapest, Kacsa utca 15-23, Company registration number: 01-10- 049807), as well as MEDIATOR GROUP REKLÁMÜGYNÖKSÉG KFT. (Registered seat: H-1034 Budapest, Bécsi út 58, Hungary, Company registration number: 01-09-864793) .
- For webpage hosting, the Agency uses the services of RENDSZERINFORMATIKA KERESKEDELMI ÉS SZOLGÁLTATÓ ZRT. (Registered seat: H-1134 Budapest, Váci út 19. IV. em., Company registration number: 01-10-046912)
Like other commercial websites, the Agency uses the standard technology called cookie, along with web server technical log files, in order to obtain information on how data subjects use the Website.
A cookie is a small information package (file) that often carries an anonymised unique identifier. When you visit a website, the website asks for the permission of your computer to store this file on the hard drive, on a part expressly dedicated for storing cookies.
Each webpage you visit can send cookies to your computer, provided that this is allowed in the settings of your browser. In order to protect your data, however, your browser will only allow the given website to access the cookie sent to your computer by the same webpage, that is, a website cannot access the cookies sent by other websites. Browsers by default usually accept cookies.
If you do not want to accept cookies, you can set your browser to reject them. In such a case, certain elements of the Website may not function properly while you are browsing it. Cookies cannot obtain other information from the hard drive of your computer and do not carry viruses.
9. SECURITY OF THE DATA WE PROCESS
The Agency ensures that IT data and the technical environment of the website are properly backed up, using the parameters necessary based on the retention period of the individual data to guarantee the availability of the data within the retention period, and at the end of the retention period it shall permanently destroy the data.
The integrity and functionality of the IT system and the data storage environment are verified by advanced monitoring techniques, and the necessary capacities are continuously provided.
Events in the IT environment are captured using sophisticated logging features to ensure that potential incidents can be subsequently detected and legally demonstrable.
A redundant network environment providing consistently high bandwidth is used to serve our webpages, which distributes the resulting load securely across our resources.
Our systems are designed to provide planned disaster resilience, deliver business continuity and, consequently, continuous high quality service to our users also through organisational and technical means.
High priority is given to the controlled installation of security enhancements and manufacturers’ updates that also ensure the integrity of our IT systems, thus preventing, avoiding and managing attempts to access or damage the system via vulnerabilities.
Our IT environment is regularly tested by security testing, errors or vulnerabilities identified are corrected, and IT system security reinforcement is seen as an ongoing task.
High standards of security, including confidentiality, are set for our employees, which we also ensure through regular training, and we strive to operate planned and controlled processes in our internal operations.
Any personal data breach detected or reported to us in the course of our operation shall be investigated in a transparent, responsible and strict manner within 72 hours. Data breaches that have occurred are addressed and recorded.
In developing our services and IT solutions, we ensure that the principle of data protection by design is met, and data protection is already a high priority requirement during the design phase.
10. INFORMATION ON DATA SUBJECTS’ RIGHTS
Data subjects may request information about the processing of their personal data, and may request the rectification and, unless processing is required by law, the erasure of the data.
10.1. Right to prior information
The data subject has the right to be informed of facts and information relating to the data processing prior to the commencement of processing. We have created this Privacy Notice in order to assure this right.
10.2. Right of access
The data subject may request the Agency to:
- confirm that his or her personal data are being processed;
- provide a copy of such data;
- provide further information regarding his or her personal data, including in particular what data the Agency has in its possession, what purposes such data are used for, whom such data are shared with, whether such data are transferred to abroad, what means the Agency uses to protect such data, for how long the data are retained, how and in what form the data subject can lodge a complaint, and finally, from what source(s) the Agency obtained the data subject’s data.
10.3. Right to rectification
The data subject may request that the Agency rectify or complete any personal information of the data subject that is incorrect, inaccurate or incomplete. Prior to rectifying any incorrect data, the Agency is entitled to verify the truthfulness or accuracy of such data.
10.4. Right to erasure, right to be forgotten
The data subject may request the erasure of his or her personal data where:
- the personal data are no longer necessary for the purposes for which they were collected;
- the data subject has withdrawn consent (provided that data processing is based on consent); or,
- the data subject exercises his or her right to object; or
- the given personal data have been unlawfully processed; or
- the given personal data have to be erased for compliance with a legal obligation.
The Agency shall not be obliged to fulfil the data subject’s erasure request where the processing of personal data is necessary and justified for the following reasons:
- for compliance with a legal obligation; or
- for exercising or defending rights or legitimate interests before the court.
10.5. Right to restrict processing (right to block data)
The data subject may request the restriction of processing of his or her data (the blocking of data) where
- rectification (see ‘Right to rectification’) in connection with their correctness, accuracy or truthfulness cannot be ensured; or
- data processing is unlawful, but the data subject does not request the erasure of data; or
- the personal data are no longer necessary for the purposes for which they were collected, but the enforcement of certain rights or legitimate interests before the court excludes their erasure; or
- the data subject has exercised his or her right to object, pending conclusion of the Agency’s inspection regarding the lawfulness of the Agency’s proceedings.
Where the right to blocking is exercised, the Agency may continue to use the personal data where:
- the data subject has consented to such continued use; or
- the use (existence) of the given data is necessary for enforcing certain rights or legitimate interests before court; or
- the use (existence) of the given data is necessary for protecting the rights of another natural or legal person.
10.6. Ensuring data portability
The data subject may request the Agency to provide his or her personal data to the data subject in an organised, structured manner in a format readable by IT systems, and/or to send such data directly to another controller.
10.7. Right to object
Data subjects shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them where they believe this is required by their fundamental rights. The data subject may object to the processing of his or her personal data for direct marketing purposes at any time, without having to give the reasons, in which case the Agency will terminate processing as soon as possible.
10.8. Right to withdrawal
If the processing is based on the data subject’s consent, the data subject has the right to withdraw his or her consent at any time without affecting the lawfulness of processing based on consent before such withdrawal.
10.9. Communication of a personal data breach to the data subject
The Agency protects the data subject’s personal and other data to the best of its knowledge in proportion to the relevant risks, operates a modern and reliable IT environment, and selects its collaborating partners with particular care. It conducts its internal procedures in a regulated and supervised manner, so as to prevent and avoid even the smallest mistake, problem or incident regarding the processing of personal data or, should they nevertheless arise, to detect, investigate and resolve the case. Should a breach regarding personal data nevertheless be proven to have occurred and be likely to result in a high risk to the rights and freedoms of data subjects, the Agency undertakes to communicate the personal data breach to the data subject and notify the same to the data protection authority in the manner and with a content in compliance with the effective data protection regulations and without undue delay.
10.10. Automated decision-making in individual cases including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning him or her or similarly significantly affects him or her. The Agency does not operate any procedure involving automated decision-making.
10.11. Right to lodge a complaint with a supervisory authority
Complaints regarding data processing may be filed with the court or the Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság):
Registered seat: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c
Postal address: H-1534 Budapest, Pf.: 834
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
E-mail address: firstname.lastname@example.org
10.12. RIGHT TO AN EFFECTIVE JUDICIAL REMEDY AGAINST A SUPERVISORY AUTHORITY:
You shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning you.
10.13. Right to an effective judicial remedy against the controller or processors
You shall have the right to an effective judicial remedy where you consider that your rights have been infringed as a result of the processing of your personal data in non-compliance with the law.