Privacy Notice

The Hungarian Tourism Association Foundation (hereinafter: the “Controller”) as the operator of the website (hereinafter: the “Website”) hereby publishes the information on data processing on the Website and during the services related to the Website.
By starting to use the Website and using the services of the Controller, the user visiting the Website or using the service of the Controller (hereinafter: “User”) accepts all the terms and conditions set forth in this Privacy Notice (hereinafter: “Notice”). Therefore, please read this Notice carefully before using the Website or using the Service.
The Controller assumes the obligation to respect the right to privacy and the right to the protection of personal data of Users as well as to proceed during their operations in conformity with the European Union’s Data Protection Regulation as well as other Hungarian data protection laws, other legal regulations, guidelines and the established data protection practice, by taking also into account the major international recommendations related to data protection.
The Controller accepts the content of this legal notice as binding on it. It undertakes to ensure that the data processing related to its services complies with the requirements set out in this notice and in the applicable laws.


Controller: Hungarian Tourism Association Foundation
Registered office: 1011 Budapest, Szilágyi Dezső tér 1. 3/4.
Registration number: 20-01-0001187
Tax number: 18941610-2-41
Statistical code: 18941610-9499-569-01
Represented by: Dr. Péter Gábor Princzinger, President of the Board of Trustees E-mail address:


The Controller may use the data for the following purposes:
• During the communication initiated by e-mail, the purpose of data processing is to provide information on the Controller's service and activities, including contacting Users interested in the services provided by the Controller, informing Users and handling comments related to the Controller's activities.
• Checking the use and operation of the Website.


The Controller processes the personal data that are processed with consent until the consent is revoked, unless no other legal basis is available for data processing. The withdrawal of consent shall not affect the lawfulness of processing before the withdrawal. Data stored with the legal basis of legitimate interest as well as related to and ensuring the safe technical operation of the website, including the IP address of visitors, are kept for 1 year.


By accepting this Notice during the communication initiated by the User in e-mail, the User consents to the Controller's processing of the User's personal data as described in this Notice. We treat data related to the secure technical operation of the website, including the IP addresses of the visitors, on the basis of legitimate interest.


When you, as a User, initiate a contact by e-mail or through the contact form, the Foundation may request information about you, including your name and email address. During the operation of the Website, we treat the IP address of your computer as technical data and we also place cookies on your computer.

Please note that we will immediately delete any communication containing sensitive personal data you sent to us.


Users of the Controller and the Data Processor in charge of customer relations and customer service activities, in the case of technical data, the IT staff.


The Controller uses the services of DotRoll Számítástechnikai Korlátolt Felelősségű Társaság (registered office: 1148 Budapest, Fogarasi út 3-5.; company registration number: 01-09-882068) for hosting the website.


Like other similar commercial websites, the Controller also uses the standard technology called cookies as well as the web server technical log files in order to obtain information about how the Users use the website.

The use of cookies and web server log files allows the Controller to monitor visits to the Website and to tailor the content to the User’s personal needs.

A cookie is a small piece of information (file) that often carries an anonymised, unique identifier. When a User visits a website, the website asks their computer for permission to store this file on a portion of their computer's hard drive that is specifically designed to store cookies.

Each website that a User visits can send a cookie to their computer if it is allowed by the settings of the browser they are using. However, in order to protect the User’s data, their browser only allows the website to access the cookie that the website has sent to their computer, i.e. a website does not have access to cookies sent by other websites. Browsers are usually set to accept cookies.

However, if the User does not wish to receive cookies, they can set their browser to refuse to accept cookies. In this case, some elements of the Website may not work effectively. Cookies cannot retrieve other information from the hard drive of the User’s computer and do not carry viruses.


The Controller is obliged to ensure data security, to take the technical and organisational actions as well as to work out the procedural rules ensuring that the collected, stored and processed data are protected; furthermore, it prevents the annihilation, the unauthorised usage and the unauthorised modification of such data. The Controller also undertakes to permanently destroy the processed data at the end of the retention period.

The integrity and operability of the IT system and the data storage environment are checked with advanced monitoring techniques, and the necessary capacities are continuously provided. Events in the IT environment are recorded by using complex logging functions, thus ensuring the subsequent detection and legal proof of potential incidents. We use a redundant network environment that continuously provides high bandwidth to serve our websites, securely distributing the upcoming loads among our resources.

We ensure the planned disaster resilience ability of our systems, ensuring the continuity of business operations and thus the continuous service of users at a high level, with organisational and technical means.

Priority is given to the controlled installation of security patches and vendor updates that also ensure the integrity of our IT systems, thus preventing, avoiding and addressing attempts to gain access or cause damage by exploiting vulnerabilities. We regularly inspect our IT environment through security testing, correct any detected errors or vulnerabilities, and consider it an ongoing task to support the security of the IT system. We set high security standards for our employees that also include confidentiality, and we ensure their fulfilment through regular training and strive to operate planned and controlled processes with regard to their internal operations.

Any incidents involving personal data detected or reported during our operations are investigated in a transparent manner, in accordance with responsible and rigorous principles, within 72 hours. Incidents that have occurred are processed and recorded.

When developing our services and IT solutions we ensure that the principle of built-in data protection is met and data protection is treated as a priority already in the planning phase.


Right to prior information

The User has the right to receive notification about the facts and information related to data processing prior to starting the data processing. This Privacy Notice ensures the enforcement of this right.

Right of access

The User has the right to know what personal data the Controller has about the User, and may request information about the personal data concerning them.
The User is thus entitled to request from the Controller:
• to confirm that their personal data is being processed;
• to provide a copy of the processed data;
• to provide further information about their personal data, in particular what data it has, for what purpose it uses such data, with whom it shares such data, whether it transfers such data abroad, how it protects such data, how long it stores the same, how and in what form the User can make a complaint and, finally, from where it obtained the User’s data.

Right to rectification

The User may request the Controller to rectify or complete any personal information that is incorrect, inaccurate or incomplete. Before rectifying the erroneous data, the Controller may verify the truthfulness or accuracy of the data.

Right to erasure (right to be forgotten)

At the request of the User, the Controller shall erase the User's personal data in the following cases:
• if the data is no longer necessary for the purposes of the data processing specified when the data was collected, or
• if the User has withdrawn their consent (where the data processing is based on consent), or
• if the User exercises their right to protest, or
• if the data has been processed unlawfully, or
• if the erasure of the data is required by law.

The Foundation is not obliged to comply with the User's request to erase their personal data if the processing of their personal data is necessary and justified for the following purposes:
• to ensure compliance with a legal obligation, or
• to enforce or defend a right or legitimate interest in court.

Right to restriction of processing (blocking right):

The User may request the restriction of the processing of their data (blocking of data):
• if no correction can be made to ensure the correctness, accuracy or truthfulness of the data, or
• if the processing is unlawful but the User does not request the erasure of the data, or
• if the data is no longer necessary for the purposes of the data processing specified when the data was collected but its erasure is prohibited by a court procedure started to enforce certain rights or interests, or
• if the User has exercised their right to protest and the investigation of the lawfulness of the data controller’s actions has not yet been completed.

In case of exercising the right to block, the Controller is entitled to continue using the User’s data if:
• it has received a relevant consent from the User, or
• if the use (existence) of the data is necessary for enforcing a certain right or legitimate interest in court, or
• if using the data (or its existence) is required for protecting the rights of another natural person or a legal entity.

Ensuring data portability (migration)

The User has the right to receive their personal data to which the Controller has access in a structured, commonly used and machine-readable form, or to have such data transferred to another data controller.

Right to object

The User has the right at any time to object to their personal data being processed, if they believe that it is desirable for exercising their fundamental rights. The User may object at any time, without giving reasons, to the processing of their personal data for direct marketing purposes, in which case the Controller shall terminate such data processing as soon as possible.

Right to withdraw consent

In the case of data processing based on the Data Subject’s consent, the User may withdraw their consent at any time, which does not affect the lawfulness of data processing based on consent before the withdrawal.

Informing the User about a possible data breach

The Controller shall protect the personal and other types of data of the User to the best of its knowledge and in proportion to the risks, operating a modern and reliable IT environment, and selecting its cooperating partners with special care. It shall implement its internal processes in a regulated and supervised manner in order to prevent or avoid the slightest error, problem or incident in the processing of personal data, or, if any of these occur, to detect, investigate and address the same. Should an incident involving personal data still occur and be likely to pose a high risk to the rights and freedoms of Users, the Controller shall inform the User and the data protection authority of the data breach in such manner and with such content as required in the applicable data protection regulations and without undue delay.

Automated individual decision-making, including profiling

The User should have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or otherwise significantly affects them. The Controller does not have any procedure that uses automated decision making.

Available legal remedies

If the User feels that their right to the protection of personal data has been violated, they may seek legal remedy from the competent authorities in accordance with the applicable laws:
• National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11)
Registered office: 1055 Budapest, Falk Miksa utca 9-11.
Mailing address: 1374 Budapest, Pf.: 603.
Phone number: +36 (1) 391-1400
Facsimile number: +36 (1) 391-1410
• at the Metropolitan Court (1055 Budapest, Markó utca 27.) or at the court competent according to the User's address, at the User's choice.


This Privacy Notice shall be governed by the provisions of Act CXII of 2011 on Informational Self-determination and Freedom of Information and Regulation (EU) 2016/679 of the European Parliament and of the Council (‘GDPR’).

Budapest, 03.06.2022.

Hungarian Tourism Association Foundation