1. The data controller and its contact details
Name of the data controller: Magyar Turisztikai Szövetség Alapítvány (Hungarian Tourism Association Foundation) (Hereinafter: Data Controller)
Registered seat, postal address: 1101 Budapest, Albertirsai út 10.
Registration number: 20-01-0001187, Zalaegerszegi Törvényszék (Zalaegerszeg Regional Court)
Tax number: 18941610-2-42
E-mail address: email@example.com
2. The data processing of the data subjects
2.1. The scope of the data subjects
The Data Controller handles the personal data of the following natural persons (hereinafter: Data Subject): users who register (hereinafter: Education) for the educational materials called Hungary Specialist, and visitors to the website: www.hungaryspecialist.com.
2.2 Data processing related to the registration on the Hungary Specialist website and to the use of educational materials
2.2.1. The Data Controller manages the following personal data of the Data Subject:
(i) surname and first name
(ii) e-mail address
(v) company name
(viii) data related to educational tasks and exam results
(ix) electronic correspondence relating to education
The Personal Data is provided to the Data Controller by the Data Subject via the Online System at the time of registration, and additional personal data that can be linked to the Data Subject is created during the performance of the tasks and the exam.
If the user provides the data of another person during the communication, the informant is obliged to obtain the consent of the data subject.
Registration to the program requires an approval, registered users through the website will only receive their access to the system after receiving the approval. The data entered during an unapproved registration will be deleted within 30 days of providing the data.
2.2.2. Purpose, legal basis and duration of the data processing
The purpose of the Data Processing is to make the content of the website and the online educational material available to registered users, to ensure the use of the e-learning module, to perform educational tasks, to send educational materials, to provide feedback and contact, to identify the Data Subject for this purpose.
The legal basis for the Data Processing is the consent of the Data Subject (Point (a) Paragraph 1 of Article 6 of the GDPR). The consent is given by the Data Subject through the Online System.
In the absence of the consent, the Data Subject cannot use the training materials of Hungary Specialist, and the other services available to registered users of the website.
The consent is voluntary, the Data Subject is entitled to withdraw the consent at any time, without restriction, by notifying the Data Controller. The Data Subject may send the notification to any of the contact addresses specified in Point 1 of this Policy or the registered Data Subject may also initiate the cancellation of his or her registration via the Online System.
The Data Controller does not intend to provide the services of the Online System to children in view of the target group of users, the Data Subject by giving consent expresses, that his or her age is over 16, and that the consent of the person holding the parental responsibility over the child is not required for the granting of consent in accordance with the regulations applicable to the Data Subject (Paragraph 1 Article 8 of the GDPR).
The withdrawal of consent has no consequence for the Data Subject. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The Data Controller may process the personal data without further specific consent, and even after the withdrawal of the consent in order to fulfil the legal obligation to the Data Controller; or for the purpose of enforcing the legitimate interests of the Data Controller or third parties, if the exercise of such interest is proportionate to the restriction of the right to the protection of personal data.
The Data Controller shall not perform automated decision making, including profiling.
Time of the storage (retention) of the personal data: the Data Controller shall handle the personal data until the consent is revoked.
During the communication, the Data Controller shall process the personal data (sender's email address, name, time of sending, content of the message) in connection with the messages received with the consent of the sender by implied conduct (sending of a message) (Paragraph 1 Article 6 of the GDPR).
The Data Controller shall delete the messages together with all the received data after a maximum of 1 year from the receipt of the message.
2.3. Data Processing of www.hungaryspecialist.com website
2.3.1. Data of the visitors of the website
The scope of personal data processed: the IP address of the website visitor's device, the date and time of the visit to the website, information about the operating system and browser.
The purpose of data processing: technical control of the operation of the website, prevention of possible abuses.
Legal basis of the data processing: a legitimate interest in identifying users and preventing abuse (Point f) of Paragraph 1 of Section 6 of the GDPR) and Paragraph (3) of Section 13/A. of Act CVIII of 2001 on certain issues of electronic commerce activities and information society services.
Duration of the data processing: one month from the date of viewing the website.
2.3.2. Processing of Cookies
When visiting the website, small files on the user's computer, called cookies are placed or read back to facilitate the storage and management of the settings and other information applied on the website.
In some cases, cookies can be used to track how a particular visitor came to the website and what actions they made.
Cookies used by Google Analytics, a third party independent of the Data Controller, collect data about the visit to the website for statistical purposes (which part of the website the user clicked on, possible error messages for viewing each session, etc.).
In order to improve the smooth operation, functions and user experience of the website, Google Analytics provides the websites’ operator with data only in an anonymised form, in the form of statistical reports, on the basis of which certain persons cannot be identified.
More information on Google Analytics cookies is available at the link below: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage
2.4. Data Processing of Newsletter: the Data Controller provides the opportunity to subscribe to a newsletter. Personal data processed in connection with this: name, e-mail address, company name, position, country, date of subscription.
Purpose of the data processing: enabling the sending of a newsletter including commercial advertising, the creation of a database related to that, the transfer of a database (to the recipient specified in this Policy with the consent of the Data Subject).
Legal basis of the data processing: consent of the Data Subject (Point a) Paragraph 1 of Section 6 of the GDPR), and Paragraphs (2), (5) of Section 6 of Act XLVIII of 2008 on the basic conditions of economic advertising and certain limits.
The Data Controller manages the data until the consent is revoked. The consent can be revoked at the contact details of the Data Controller indicated in Point 1 electronically, or by letter, or via the unsubscribe link in the newsletters.
3. Recipients of the personal data, Data Processors used by the Data Controller
Personal data may be processed by duly authorized employees of the Data Controller in the performance of their duties.
|Name||Seat||Data Processor Duty|
|GAIA Software Kft.||1039 Budapest, Árpád utca 20.||E-learning platform|
|ECOFORM Systems Kft.||8900 Zalaegerszeg, Tompa utca 1-3. II.em.||Webpage|
|Wanadis Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság||1112 Budapest, Budaörsi út 153.||Newsletter|
Transfer of data
In the case of consent given during registration, the Data Controller shall transmit the following personal data of the Data Subject to the Magyar Turisztikai Ügynökség Zártkörűen Működő Részvénytársaság (Hungarian Tourism Agency Limited) (Registered seat: 1027 Budapest, Kacsa utca 15-23.; Postal address: 1525 Budapest, Mailbox 97.; Telephone: 06 (1) 488 8700;
Email address: firstname.lastname@example.org; Website: www.mtu.gov.hu):
name, e-mail address, company name, position, country, date of consent.
Purpose of data processing at the recipient: sending a newsletter including commercial advertising, creating a related database.
Duration of data processing: until withdrawal of consent.
The recipient's data processing policy: https://mtu.gov.hu/adatvedelmi-tajekoztato.
Withdrawal of consent can be announced at the following contact details:
Magyar Turisztikai Ügynökség Zrt.
1525 Budapest Pf.: 97.
4. Data security measures
The Data Controller shall ensure the security of the data according to the current state of technology, the costs of implementation, and the characteristics of data management, and the possible risks. The Data Controller shall also take the technical and organizational measures (password protection, logging, access rights management, physical security measures, etc.), and shall establish procedural rules to ensure that the data recorded, stored or processed are protected to prevent their destruction, unauthorized use and unauthorized alteration, interconnection. The Data Controller shall raise the awareness on third parties to whom the Data Subject's data have been transferred, to comply with the data security requirements. The Data Controller shall ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorized persons.
The Data Controller will do its utmost to ensure that the data is not damaged or destroyed. The above mentioned obligation is also prescribed by the Data Controller for the employees participating in its data processing activities and for the Data Processors acting on behalf of the Data Controller. The Data Controller shall make the necessary improvements and modifications as the technical possibilities change.
5. Rights and effective legal remedies of the Data Subject
Right of access
The Data Subject has the right to request information from the Data Controller as to whether the processing of his or her personal data is in progress, and in case of ongoing data processing, to have access to the personal data and the following information:
a) the purposes of the data processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be communicated, including in particular the recipients in third countries or international organizations;
d) the intended period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
e) the right to request the rectification, erasure or restriction of the processing of personal data or to object to the processing of personal data;
f) the right to lodge a complaint with a supervisory authority;
g) if the data was not collected from the data subject, all available information on their source;
The Data Subject may request a copy of the personal data, subject to the data processing free of charge. The Data Controller makes a copy available to the data subject. The Data Controller may charge a fee based on administrative costs for additional copies requested by the Data Subject. If the Data Subject has submitted the request electronically, the information shall be provided by the Data Controller in electronic format, unless the Data Subject requests otherwise.
Right to rectification
The Data Subject has the right to have inaccurate personal data concerning him or her corrected at his or her request without undue delay. Taking into account the purpose of the data processing, the right of the Data Subject and to request the completion of his or her missing personal data, among other things, by means of an additional statement.
Right to erasure, right to be forgotten
At the request of the Data Subject, the Data Controller is obliged to delete the personal data of the Data Subject without undue delay, if
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the Data Subject withdraws the consent on which the data processing is based and there is no other legal ground for the data processing;
- if the data processing is necessary to enforce the legitimate interests of the Data Controller or a third party, the Data Subject protests against the data processing and there is no priority legitimate reason for the data processing, or the data is processed for direct marketing purposes and the Data Subject protests against the data processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Data Controller is subject.
Where the Data Controller has made the personal data public and is obliged pursuant to the above mentioned, to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data (right to be forgotten).
Right to restriction of processing
The Data Subject shall have the right to obtain from the Data Controller restriction of processing, if one of the following applies:
- the accuracy of the personal data is contested by the Data Subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
- the processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims;
- the Data Subject has objected to processing pending the verification whether the legitimate grounds of the Data Controller override those of the Data Subject.
Personal data subject to restriction, with the exception of storage, may be processed only with the consent of the Data Subject or for the purpose of establishing, exercising or defending legal claims or protecting the rights of another natural or legal person or in the important public interest of the Union or a Member State.
A Data Subject who has obtained restriction of processing, shall be informed by the Data Controller before the restriction of processing is lifted.
The Data Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the Data Subject about those recipients if the Data Subject requests it.
Right to data portability
The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another Data Controller, if the data processing takes place in an automated manner and the data processing is based on the consent of the Data Subject or a contract in which the Data Subject is one of the parties.
Right to object
The Data Subject has the right to object to the data processing if the data processing is necessary to enforce the legitimate interests of the Data Controller or a third party. In this event the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the Data Subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right of withdrawal
The Data Subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Procedure for exercising the rights of the data subject
The Data Controller may not refuse to comply with the Data Subject's request to exercise the above mentioned rights, unless he or she proves that the Data Subject cannot be identified. The Data Controller shall use all reasonable measures to verify the identity of a Data Subject who requests access. If the Data Controller can prove that its is not in a position to identify the Data Subject, the Data Controller shall inform them accordingly in an appropriate manner. In such cases, the Data Controller will not be able to comply with the request unless the Data Subject provides additional information enabling to be identified in order to exercise these rights.
The Data Controller shall inform the Data Subject of the measures taken following his or her request as soon as possible after the receipt of the request, but not later than within one month. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Data Controller shall inform the Data Subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the Data Subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the Data Subject.
If the Data Controller does not take action on the request of the Data Subject, the Data Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The requested information, and any communication and any actions in connection with it shall be provided free of charge. Where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request.
Communication of a personal data breach to the data subject
When the personal data breach (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed) is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall communicate the personal data breach to the data subject without undue delay.
The Data Controller shall describe the nature of the data protection incident in the information provided to the Data Subject, shall provide the name and contact details of the contact person for further information; shall describe the likely consequences of a data protection incident; shall describe the measures taken or planned to remedy the data protection incident, including measures to mitigate any adverse consequences arising from the data protection incident.
The communication to the Data Subject shall not be required if any of the following conditions are met:
a) the Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
b) the Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialize;
c it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Right to remedy
a) The Data Subject may contact the Data Controller with a remark regarding the handling of his or her personal data at one of the contact details provided in this Policy.
b) Compensation and damages: if the Data Subject has suffered material or non-material damage as a result of the infringement of the data protection regulation, he or she is entitled to a compensation from the Data Controller or the Data Processor for the damage suffered. A Data Controller or Data Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
c) The right of access to court: in the event of a breach of his or her rights the Data Subject may turn to court against the Data Controller. The court shall adjudicate the request as a matter of priority. The claim falls within the jurisdiction of the district court. The claim may also be brought before the regional court of the Data Subjects place of residence (you can view the list and contact details of the regional courts via the link below: http://birosag.hu/torvenyszekek).
d) Data protection authority procedure – the Data Subject may lodge a complaint with the competent authority regarding the processing:
Name: Nemzeti Adatvédelmi és Információszabadság Hatóság (Hungarian National Authority for Data Protection and Freedom of Information)
Registered seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.
Postal address: 1530 Budapest, Pf.: 5.
E-mail: email@example.com Website: http://www.naih.hu
The Data Controller reserves the right to amend the Policy at any time. The Data Controller shall notify the Data Subject of the amendment via the Online System at least 30 days prior to the entry into force of the amendment.
* * *
Budapest, 28th July 2020
Magyar Turisztikai Szövetség
represented by: dr. Princzinger Péter, president of the board of trustees