General Information

The amendment to Act CLVI of 2016 on State Functions Pertaining to the Development of Tourism Regions entered into effect on 1 January 2021. The amendment requires accommodation providers to store the data specified by law from accommodation service users in the data storage location designated by the Government for the purposes specified in the Act.

The hosting service provider specified by the Government is the Hungarian Tourism Agency (HTA).

The HTA’s hosting tasks introduced in the amendemnt are performed by the Closed Guest Information Database system (Vendég Információs Zárt Adatbázis, VIZA). 

Digitalisation of the accommodation service sector

VIZA is an IT system protected by asymmetric encryption on multiple levels. Starting from 1 September 2021, all the personal data required by law from guests staying at Hungarian accommodation sites have been stored in VIZA in an encrypted manner. Accommodation providers process guest data by the last day of the first year following that in which they acquired them; the VIZA system retains the submitted data for a maximum of two years. The police have sole authorisation to perform targeted searches of the data in the interest of crime prevention and law enforcement.

The purpose of VIZA is to protect the rights, safety and property of the data subject and others, and to support monitoring of the adherence to the provisions pertaining to the residence of third-country nationals and those persons with the right to move freely and to reside, i.e. the primary aim of VIZA is to promote public order, public safety, secure border crossing, and the protection of the rights, safety and property of the data subject and others.

 

 

 

 

 

 

 

 

 

The VIZA system is a strictly closed and protected storage space serving all of our mutual interests and safety, governed by the particulary strict security rules prescribed by law.


VIZA is only able to receive encrypted data. The same method of registration is used in many other European countries that are visited by tens of millions of tourists every year. Accommodation providers in Great Britain, Spain, Italy, Germany and France all use ID scanners, which speeds up and facilitates the registration process. In recent years, Hungary has successfully maintained its position as a safe travel destination, which fact contributed to the record tourist numbers set in 2019 when 16.5 million guests stayed in Hungarian accommodation. In the period following the coronavirus pandemic, the aim is for Hungary to become a leading destination in Europe once again, and the introduction of digital check-in using the data on guests’ travel documents is a new tool to bring accommodation providers one step closer to offering high quality services and to maintaining security for us all.

The guest data recorded in the Property Management System (PMS) using the ID scanner will be forwarded to the VIZA system in an encrypted manner, and only the competent bodies can access them.

 

Scanning guest data using an ID scanner will be required from all Hungarian accommodation providers, regardless of type and capacity. Accommodation providers are required to start the process of connecting to the VIZA system from 1 January 2021, with data forwarding being compulsory from 1 September 2021. From 1 September 2021, the trading authorities may enforce legal consequences in accordance with Section 6/D of Act CLXIV of 2005 on Trade on any accommodation providers who have failed to make the connection.

VENDÉGEM and the VIZA system

The HTA shall provide the VENDÉGEM application (My Guest) free of charge to all accommodation providers who utilise no more than 8 rooms with a total of 16 beds as accommodation. For more information, visit the VENDÉGEM application information site: info.vendegem.hu.

Stored data

The VIZA system is only able to accept data packages where personal data have been encrypted by the accommodation provider using the encryption key specified by law.

When the person using the accommodation service checks in, the accommodation provider records the following data using the ID scanner, with the aid of the PMS, which stores the data in the space specified by the Government decree.

  • first name and family name;
  • first name and family name at birth;
  • place and date of birth;
  • sex;
  • citizenship;
  • mother’s first name and family name at birth;
  • the identification data on the identity card or travel document (for guests who are at least 14 years old).

For guests younger than 14, the accommodation provider may record the above data on the basis of data provided by the guest’s representative (e.g. parent, guardian).


THE ACCOMMODATION PROVIDER ALSO ENTERS THE FOLLOWING DATA IN THE PMS:

  • the accommodation provider’s address;
  • the starting date and the expected and actual end date of using the accommodation service.

DATA NOT INCLUDED IN THE IDENTITY DOCUMENT NEED NOT BE RECORDED.


The data:

  • that the ID scanner is unable to read
  • or reads incorrectly

must be entered  into the PMS manually by the accommodation provider.


THE TOOLS USED BY ACCOMMODATION PROVIDERS AND THE VIZA SYSTEM MAY NOT STORE IMAGES OF THE SCANNED DOCUMENTS.


Under operative Hungarian law, all citizens are required to have an identity document (identity card, passport or driving licence cardregardless of age, thus now including the newborn. The legislation requires  data to be recorded for all guests using accommodation services, so recording the data may not be disregarded because of age or any other variable (e.g. the fee payable for the service, discounts, the length of the stay, relationship to the user).

Guests over the age of 14 using the accommodation service must present a document suitable for personal identification to the accommodation provider for the purpose of recording the data.

If the documents are not presented, the accommodation provider shall refuse to provide the accommodation service.

Access to the data

On the basis of legal authorisation, only the police may perform targeted searches of the encrypted data in the VIZA system, using IT tools. Searches may be made in the interest of law enforcement, crime prevention, maintaining public order, public safety, secure border crossing, protecting the rights, safety and property of the data subject and others, and executing warrant procedures. As a result of the search, the police may only learn which accommodation provider the wanted person was registered with as a user of the service, the date of arrival, and the expected or actual date of departure. The police may then request the forwarding of other data processed by the accommodation provider, with an indication of the purpose of the request, which the accommodation provider must forward free of charge.

Data processing

Regarding the recording and transfer of data for the VIZA system, the accommodation provider is the data controller for the guest’s personal data and the HTA is the accommodation provider’s data processor.

The accommodation provider’s privacy policy

Based on the provisions of operative legislation, the accommodation provider is obliged to have a privacy policy, as, in line with the provisions of Act CXII of 2011 on the Self-Determination of Information and Freedom of Information, as well as the GDPR ruling, guests must be provided with clear, understandable and detailed information on all facts related to data processing, thus especially the purpose and legal basis for data processing, the person authorised to control and process data, the duration of processing, and the persons entitled to learn such information. Information shall also be provided on the data subject's rights and possible legal remedies.

THE HTA, THE OPERATOR OF THE VIZA SYSTEM AND THE HOSTING PROVIDER FOR TOURISM, IS THE ACCOMMODATION PROVIDER’S DATA PROCESSOR AS REGARDS THE DATA SUBMITTED TO THE SYSTEM.

As such, the HTA:

  1. only processes guest data on the basis of instructions received from the accommodation provider, in connection with which it may only perform operations in accordance with the Tourism Act and Section 14 of Government Decree 235/2019 of 15 October on implementation of the Act on state responsibilities regarding the development of tourism regions;
  2. shall ensure that employees performing tasks related to the role of the tourism hosting provider are bound by a confidentiality obligation with regard to guest data;
  3. shall take appropriate technical and organisational measures to take into account the state of science and technology and the costs of implementation, as well as the nature, scope, circumstances and purposes of data processing and the varying probability and severity of the risk to individuals’ rights and freedoms, thus guaranteeing an adequate level of data security through encryption and ensuring that its employees do not have access to the guest data;
  4. may not employ any additional data processor without prior specific ad hoc or general authorisation by the accommodation provider;
  5. taking into account the nature of the data management, taking the necessary technical and organisational measures, it shall assist the accommodation provider as far as possible in fulfilling its obligations in relation to the exercising of the data subject's rights;
  6. taking into account the nature of data management and the information available to the data processor, it shall assist the accommodation provider in fulfilling its obligations regarding the security of data processing and the handling of possible incidents;
  7. on termination of the legal relationship concerning data processing, it shall act in accordance with the instructions of the accommodation provider regarding the guest data and copies thereof, unless the law or a binding legal act of the European Union requires it to continue to store the guest data;
  8. it shall supply the accommodation provider with all the information necessary to verify fulfilment of the obligations set out in the legal relationship concerning data processing, as well as that which enables and facilitates the inspections carried out by the accommodation provider or a person authorised by him, including on-site inspections;
  9. it shall immediately inform the accommodation provider if it considers that any of his instructions infringe the provisions concerning the protection of personal data.