Guests
The amendment to Act CLVI of 2016 on State Functions Pertaining to the Development of Tourism Regions entered into effect on 1 January 2021. The amendment requires accommodation providers to store the data specified by law from accommodation service users in the data storage location designated by the Government for the purposes specified in the Act.
The hosting service provider specified by the Government is the Hungarian Tourism Agency (HTA).
The HTA’s hosting tasks introduced in the amendment are performed by the Closed Guest Information Database system (Vendég Információs Zárt Adatbázis, VIZA).
VIZA is an IT system protected by asymmetric encryption on multiple levels. Starting from 1 September 2021, all the personal data required by law from guests staying at Hungarian accommodation sites are stored in VIZA in an encrypted manner. Accommodation providers process guest data by the last day of the first year following that in which they acquired them; the VIZA system retains the submitted data for a maximum of two years. The data may only be used by the police for crime prevention and law enforcement activities.
The VIZA system is a strictly closed and protected storage space serving the safety of all, governed by the particularly strict security rules prescribed by law. VIZA is only able to receive encrypted data. The same method of registration is used in many other European countries that are visited by tens of millions of tourists every year. Accommodation providers in Great Britain, Spain, Italy, Germany and France all use ID scanners, which speeds up and facilitates the registration process. In recent years, Hungary has successfully maintained its position as a safe travel destination, which fact contributed to the record tourist numbers set in 2019, when 16.5 million guests stayed in Hungarian accommodation. Digital check-in is a new tool for accommodation providers to offer quality services and to maintain security for all.
Under operative Hungarian law, all citizens are required to have an identity document (identity card, passport or driving licence card) regardless of age, thus now including the newborn. The legislation requires data to be recorded for all guests using accommodation services, so recording the data may not be disregarded because of age or any other variable (e.g. the fee payable for the service, discounts, the length of the stay, relationship to the accommodation provider)
Data recording in absence of the guest
The accommodation provider may give guests the option of scanning the personal data required by law from their identity cards by themselves, remotely and digitally using the property management system.
The accommodation provider is still responsible for checking the data provided by the guest, before forwarding the data to the VIZA system. Accordingly, with regard to the data provided remotely, the accommodation provider shall check the identity of the guest, and the veracity of the data recorded in advance, at the latest on arrival of the guest. The check may also be done before the guest arrives, either by video call or by using a digital image providing proof of identity.
Access to system data
On the basis of legal authorisation, the police have sole authorisation to perform searches of the encrypted data stored in the VIZA system, using IT tools. Searches may be made in the interest of law enforcement, crime prevention, maintaining public order, public safety and secure border crossing, protecting the rights, safety and property of the data subject and others, and executing warrant procedures. As a result of a targeted search, the police may only learn which accommodation provider the wanted person was registered with as user of the service, the date of arrival, and the expected or actual date of departure. The police may then request the forwarding of other data processed by the accommodation provider, with an indication of the purpose of the request, which the accommodation provider must forward free of charge.
Required data
When the person using the accommodation service checks in, the accommodation provider records the following data using the ID scanner, with the aid of the PMS, which stores the data in the space specified by the Government decree.
- first name and family name;
- first name and family name at birth;
- place and date of birth;
- sex;
- citizenship;
- mother’s first name and family name at birth;
- the identification data on the identity card or travel document (for guests over the age of 14).
For guests younger than 14, the accommodation provider may record the above data on the basis of data provided by the guest’s representative (e.g. parent, guardian).
THE ACCOMMODATION PROVIDER ALSO ENTERS THE FOLLOWING DATA IN THE PMS:
- the accommodation provider’s address;
- the starting date and the expected and actual end date of using the accommodation service.
DATA NOT INCLUDED IN THE IDENTITY DOCUMENT NEED NOT BE RECORDED.
The data:
- that the ID scanner is unable to read
- or reads incorrectly
must to be entered into the PMS manually by the accommodation provider.
THE TOOLS USED BY ACCOMMODATION PROVIDERS AND THE VIZA SYSTEM MAY NOT STORE IMAGES OF THE SCANNED DOCUMENTS.
Under operative Hungarian law, all citizens are required to have an official identity document (identity card, passport or driving licence card) regardless of age, thus now including the newborn. The legislation requires data to be recorded for all guests using accommodation services, so recording of data may not be neglected because of age or any other variable (e.g. the fee payable for the service, discounts, the length of the stay, relationship to the user).
Guests over the age of 14 using the accommodation service must present a document suitable for personal identification to the accommodation provider for the purpose of recording the data
If the documents are not presented, the accommodation provider shall refuse to provide the accommodation service.
Data not included in the identity document need not be recorded. Data that cannot be recorded by the PMS ID scanner shall be entered by the accommodation provider manually in the PMS. The user of the accommodation service shall be required to present the identification document to the accommodation provider for the purpose of recording the data.
Identity documents
IDENTITY DOCUMENTS SUITABLE FOR IDENTIFICATION AND INCLUDING THE DATA REQUIRED BY LAW:
personal identity card
driving licence
passport
Although the listed documents have photographs, the VIZA system is not able to accept photographs or other biometric data, meaning neither will be scanned, recorded or submitted.
If you or anyone travelling with you is over the age of 14 and does not have a valid identity document before setting off on the journey, we recommend that you read the conditions for the issue, replacement and renewal of Hungarian identity documents in good time, as available on Government Customer Service [Kormányablak] information webpages, and that you take the necessary steps to ensure that all travellers will have valid identity documents by the time they arrive at the accommodation:
Processing of personal data
The VIZA system is only able to accept data packages from PMS with certified ID scanners if the personal data have been encrypted by the accommodation provider using the encryption keys specified by law.
Under operative legislation, guests over the age of 14 must present a document suitable for establishing personal identity: “Hungarian citizens, immigrants, permanent residents, refugees and persons with protected status shall be required to hold and keep safe a valid identity card and to present such in the cases and in the manner specified by law, when requested to do so.”
Regarding the data recording and transfer of data for the VIZA system, the accommodation provider is the data controller for the guest’s personal data and the Hungarian Tourism Agency (HTA), as tourism hosting provider, is the accommodation provider’s data processor.
Based on the provisions of operative legislation, the accommodation provider is obliged to have a privacy policy, as, in line with the provisions of Act CXII of 2011 on the Self-Determination of Information and Freedom of Information, as well as the GDPR ruling, guests must be provided with clear, understandable and detailed information on all facts related to data processing, thus especially the purpose and legal basis for data processing, the person authorised to control and process data, the duration of processing, and the persons entitled to learn such information. Information shall also be provided on the data subject's rights and possible legal remedies.
Legislation
- Act CLVI of 2016 on State Functions Pertaining to the Development of Tourism Regions
- Government Decree 235/2019 of 15 October on implementation of the Act on state responsibilities regarding the development of tourism regions
- Act CLXIV of 2005 on Trade
- Government Decree 239/2009 of 20 October on the detailed conditions for engagement in accommodation service activities and the procedure for issuing accommodation licences
- Government Decree 414/2015 of 23 December on the rules for issuing identity cards and on the uniform recording of likenesses and signatures