The amendment to Act CLVI of 2016 on State Functions Pertaining to the Development of Tourism Regions entered into effect on 1 January 2021. The amendment requires accommodation providers to store the data specified by law from accommodation service users in the data storage location designated by the Government for the purposes specified in the Act.
The hosting service provider specified by the Government is the Hungarian Tourism Agency (HTA).
The HTA’s hosting tasks introduced in the amendemnt are performed by the Closed Guest Information Database system (Vendég Információs Zárt Adatbázis, VIZA).
VIZA is an IT system protected by asymmetric encryption on multiple levels. Starting from 1 September 2021, all the personal data required by law from guests staying at Hungarian accommodation sites have been stored in VIZA in an encrypted manner. Accommodation providers process guest data by the last day of the first year following that in which they acquired them; the VIZA system retains the submitted data for a maximum of two years. The police have sole authorisation to perform targeted searches of the data in the interest of crime prevention and law enforcement.
The purpose of VIZA is to protect the rights, safety and property of the data subject and others, and to support monitoring of the adherence to the provisions pertaining to the residence of third-country nationals and those persons with the right to move freely and to reside, i.e. the primary aim of VIZA is to promote public order, public safety, secure border crossing, and the protection of the rights, safety and property of the data subject and others.
The VIZA system is a strictly closed and protected storage space serving all of our mutual interests and safety, governed by the particulary strict security rules prescribed by law.
VIZA is only able to receive encrypted data. The same method of registration is used in many other European countries that are visited by tens of millions of tourists every year. Accommodation providers in Great Britain, Spain, Italy, Germany and France all use ID scanners, which speeds up and facilitates the registration process. In recent years, Hungary has successfully maintained its position as a safe travel destination, which fact contributed to the record tourist numbers set in 2019 when 16.5 million guests stayed in Hungarian accommodation. In the period following the coronavirus pandemic, the aim is for Hungary to become a leading destination in Europe once again, and the introduction of digital check-in using the data on guests’ travel documents is a new tool to bring accommodation providers one step closer to offering high quality services and to maintaining security for us all.
The guest data recorded in the Property Management System (PMS) using the ID scanner will be forwarded to the VIZA system in an encrypted manner, and only the competent bodies can access them.
Scanning guest data using an ID scanner will be required from all Hungarian accommodation providers, regardless of type and capacity. Accommodation providers are required to start the process of connecting to the VIZA system from 1 January 2021, with data forwarding being compulsory from 1 September 2021. From 1 September 2021, the trading authorities may enforce legal consequences in accordance with Section 6/D of Act CLXIV of 2005 on Trade on any accommodation providers who have failed to make the connection.
The HTA shall provide the VENDÉGEM application (My Guest) free of charge to all accommodation providers who utilise no more than 8 rooms with a total of 16 beds as accommodation. For more information, visit the VENDÉGEM application information site: info.vendegem.hu.
The VIZA system is only able to accept data packages where personal data have been encrypted by the accommodation provider using the encryption key specified by law.
When the person using the accommodation service checks in, the accommodation provider records the following data using the ID scanner, with the aid of the PMS, which stores the data in the space specified by the Government decree.
For guests younger than 14, the accommodation provider may record the above data on the basis of data provided by the guest’s representative (e.g. parent, guardian).
THE ACCOMMODATION PROVIDER ALSO ENTERS THE FOLLOWING DATA IN THE PMS:
DATA NOT INCLUDED IN THE IDENTITY DOCUMENT NEED NOT BE RECORDED.
The data:
must be entered into the PMS manually by the accommodation provider.
THE TOOLS USED BY ACCOMMODATION PROVIDERS AND THE VIZA SYSTEM MAY NOT STORE IMAGES OF THE SCANNED DOCUMENTS.
Under operative Hungarian law, all citizens are required to have an identity document (identity card, passport or driving licence card) regardless of age, thus now including the newborn. The legislation requires data to be recorded for all guests using accommodation services, so recording the data may not be disregarded because of age or any other variable (e.g. the fee payable for the service, discounts, the length of the stay, relationship to the user).
Guests over the age of 14 using the accommodation service must present a document suitable for personal identification to the accommodation provider for the purpose of recording the data.
If the documents are not presented, the accommodation provider shall refuse to provide the accommodation service.
On the basis of legal authorisation, only the police may perform targeted searches of the encrypted data in the VIZA system, using IT tools. Searches may be made in the interest of law enforcement, crime prevention, maintaining public order, public safety, secure border crossing, protecting the rights, safety and property of the data subject and others, and executing warrant procedures. As a result of the search, the police may only learn which accommodation provider the wanted person was registered with as a user of the service, the date of arrival, and the expected or actual date of departure. The police may then request the forwarding of other data processed by the accommodation provider, with an indication of the purpose of the request, which the accommodation provider must forward free of charge.
Regarding the recording and transfer of data for the VIZA system, the accommodation provider is the data controller for the guest’s personal data and the HTA is the accommodation provider’s data processor.
Based on the provisions of operative legislation, the accommodation provider is obliged to have a privacy policy, as, in line with the provisions of Act CXII of 2011 on the Self-Determination of Information and Freedom of Information, as well as the GDPR ruling, guests must be provided with clear, understandable and detailed information on all facts related to data processing, thus especially the purpose and legal basis for data processing, the person authorised to control and process data, the duration of processing, and the persons entitled to learn such information. Information shall also be provided on the data subject's rights and possible legal remedies.
THE HTA, THE OPERATOR OF THE VIZA SYSTEM AND THE HOSTING PROVIDER FOR TOURISM, IS THE ACCOMMODATION PROVIDER’S DATA PROCESSOR AS REGARDS THE DATA SUBMITTED TO THE SYSTEM.
As such, the HTA: