Privacy Policy


The Hungarian Tourism Agency Ltd. (company registration number: 01-10-041364, tax number: 10356113-4-41, contact information: 1027 Budapest, Kacsa u. 15-23.; mailing address: 1525 Budapest, Postafiók 97.; central telephone number: +36 1 488 8700; central e-mail address:; represented by: Dr. Zoltán Guller, CEO; Data Protection Officer’s contact information: Levente Papp,; hereinafter: Agency, Data Controller) is committed to respecting the rights of visitors to the website with regard to privacy and the protection of their personal data. In the course of its activities, it proceeds in compliance with the General Data Protection Regulation of the European Union (hereinafter: GDPR), the Hungarian Privacy Act (hereinafter: Information Act), and other legal regulations, guidelines and established data protection practices, including the most important international recommendations on data protection.

The Agency as Data Controller considers the contents of this legal notice binding. It undertakes to ensure that all data processing related to its services meets the requirements set out in this Policy and in all operative legislation. The processing activities of the Agency are in compliance with the following legal regulations on data protection:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation or GDPR);

  • Act CXII of 2011 on the Self-Determination of Information and Freedom of Information (Information Act);

  • Act V of 2013 on the Civil Code (Hungarian Civil Code).

The terms used in this Policy have the meaning or interpretation specified by the Information Act or the GDPR. The Agency endeavours to provide the Data Subject with any information relating to processing of personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.

Personal data may be processed if

  • the Data Subject has given consent to the processing of his or her personal data for one or more specific purposes;

  • processing is necessary for the fulfilment of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;

  • processing is necessary for compliance with a legal obligation to which the Data Controller is subject;

  • processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;

  • processing is necessary for the performance of a task carried out in the public interest or in the exercising of official authority vested in the Data Controller;

  • processing is necessary in order to assert the vital interests of the Data Controller or of a third person.

Pursuant to Article 8 (1) of the GDPR, statements of consent of minor Data Subjects over the age of 16 shall be considered valid without the permission or subsequent approval of their legal representatives, while statements of consent of minor Data Subjects below the age of 16 are invalid without the consent of the party exercising parental supervision over the minor. The Agency has no means of verifying the accuracy and validity of the consent, its accuracy is warranted by the person granting consent.


The Agency may process any personal data of yours (hereinafter: Data Subject) for the following purposes:

  • the Agency may check the use and operation of the present website;

  • the Agency may rectify and resolve problems relating to the operation of the website, and the business activities, products and services of the Agency;

  • the Agency may maintain the security and integrity of the website and its own business operations;

  • You may contact the Agency customer service using any of the contact information provided under the Contact menu item.


In connection with the use of cookies and when initiating contact, the legal basis for data processing is the Data Subject’s freely given consent. The technical data pertaining to and ensuring the secure operation of the website, thus including the user’s IP address, are processed on the basis of legitimate interest.


When you visit this website, we treat your computer’s IP address as technical data and with your consent we may also store cookies on your computer. We will process your name, e-mail address, and/or telephone number if you contact the Agency using any of the contact details provided.


Data processed on the basis of consent are processed by the Agency until such consent is withdrawn. The withdrawal of consent does not affect the lawfulness of processing based on consent before it was withdrawn. We retain the technical data pertaining to and ensuring the secure operation of the website and processed on the basis of legitimate interest, thus including the user’s IP address, for 1 year.


The recipients of the data are the employees of the Agency and its data processors who operate the website and our customer services. The Data Controller and authorised employees under the direct control of the Data Controller may access the data in the course of doing their jobs; they treat the data as confidential, in accordance with the current legislative provisions applicable to the Data Controller and Data Processor, and with their internal rules and policies.


The Agency uses the services of the following companies as data processors, in the course of performing certain technical tasks:

  • KISFALUDY2030 TURISZTIKAI FEJLESZTŐ NONPROFIT ZÁRTKÖRŰEN MŰKÖDŐ RÉSZVÉNYTÁRSASÁG (registered seat: 1037 Budapest, Bokor utca 23-25., tax number: 25869628-4-41)

  • SAGEMCOM MAGYARORSZÁG KFT. (registered seat: 1037 Budapest, Montevideo u. 16/a, tax number: 10568723-2-41)

  • NISZ NEMZETI INFOKOMMUNIKÁCIÓS SZOLGÁLTATÓ ZRT. (registered seat: 1081 Budapest, Csokonai utca 3., tax number: 10585560-2-44)

  • RENDSZERINFORMATIKA KERESKEDELMI ÉS SZOLGÁLTATÓ ZÁRTKÖRŰEN MŰKÖDŐ RÉSZVÉNYTÁRSASÁG (registered seat: 1134 Budapest, Váci út 19. IV. em, tax number: 23095942-2-41)



Just like other websites, the Agency uses the standard technology known as cookies, along with web server technical log files, in order to obtain information on how Data Subjects use the website.

With the aid of the cookies and web server log files, the Agency can monitor the visits to the website and adjust its contents to users’ personal needs. A cookie is a small information package (file) that often carries a unique, anonymised identification code. When you visit a website, the website asks your computer for permission to store this small information package on a part of your computer hard disk which is specifically used for storing cookies. Every website you visit can store cookies on your computer, if allowed by your browser settings. However, in order to protect your data, your browser will only allow that particular website to access the cookie it stored on your computer, i.e. one website cannot access cookies stored by other websites. Browsers are generally configured to accept cookies. However, if you do not wish to accept cookies, you can set your browser to reject them. In that case, some components of the website may not function properly when you are browsing. Cookies are unable to obtain other information from your computer’s hard drive and they do not carry viruses.


Name Publisher Type Period of data storage

_ga cookie

google analytics


2 years



1 day



1 year



1 day



179 days









permanent data storage



permanent data storage












1 day



1 year



The Agency ensures that data backups are made in accordance with the IT data and the website’s technical environment. The backups are handled with the parameters required on the basis of the retention periods stipulated for the various types of data, thus guaranteeing the availability of the data within the retention period. After this expires, the data are irrecoverably deleted. Advanced monitoring technology is used to check the integrity and operability of the IT system and the environment used to store the data, constantly ensuring the necessary capacities. The events that take place in the IT environment are recorded with the use of complex logging functions, which ensure that any incidents can be subsequently traced and used as legally binding evidence. The Agency uses a redundant network environment that guarantees a continuous high bandwidth for its websites, safely distributing the incurred loads between resources. The Agency provides for the high-standard disaster resistance of its systems, and the continuity of its business processes, thus guaranteeing a continuous service for its users via both organisational and technical means. The Agency assigns high priority to the controlled installation of security patches and manufacturer’s updates that help guarantee the integrity of its IT systems, thus preventing, avoiding and handling possible attempts at gaining access or causing damage by exploiting vulnerabilities. It examines its IT environment with the use of regular safety tests, repairs the identified errors or weaknesses, and considers the strengthening of IT system security to be an ongoing task. The Agency has stipulated a high level of security requirements for its employees that also extend to confidentiality; it ensures that these requirements are met by running regular training courses and, with regard to its internal operations, it strives to implement well planned and controlled processes. While operating the website, the Agency investigates all detected or reported incidents involving personal data in a transparent manner within 72 hours, applying responsible and strict principles. It handles and registers any incidents that occur. When developing its services and IT solutions, the Agency ensures that the principle of data protection by design is met and it treats data protection as a priority requirement even in the planning phase.



In connection with data processing, you have the following rights:

The right to information in advance

You are entitled to be notified on the facts and information regarding data processing prior to the commencement of such processing. This Privacy Policy has been complied in order to guarantee this right.

The Data Subject’s right of access

The Data Subject has the right to obtain confirmation from the Controller as to whether his personal data are being processed, and if so, he has the right to access the following:

  • the processed personal data, the category of the personal data, and the purpose of processing

  • the recipients or the category of recipients to whom the Data Controller has disclosed the personal data, or will disclose them

  • the recipients or the category of recipients to whom the Data Controller has disclosed the personal data, or will disclose them

Right to correction

The Data Subject may request that the Agency correct or supplement any inaccurate, wrong or incomplete personal data. Before correcting the wrong information, the Agency may examine the veracity or accuracy of the Data Subject’s data.

The right to withdraw consent

The Data Subject has the right to withdraw the consent given for the processing of his data at any time, without affecting the lawfulness of data processing based on the consent before it was withdrawn.

Right to deletion (‘right to be forgotten’)

The Data Subject has the right to ask the Data Controller to delete his personal data without undue delay, which the Controller is obliged to do. You do not have this right if data processing is based on a legal obligation.

Right to restriction of processing

The Data Subject has the right ask the Controller to restrict the processing where one of the following applies:

  • the accuracy of the personal data is contested by the Data Subject, for a period enabling the data controller to verify the accuracy of the personal data;

  • the processing is unlawful and the Data Subject opposes deletion of the personal data but instead requests the restriction of their use;

  • the Data Controller no longer needs the personal data for the purpose of data processing, but they are required by the Data Subject for the establishment, enforcement or defence of legal claims;

  • the Data Subject has objected to processing pending the verification of whether the legitimate grounds of the Data Controller override those of the data subject.

Right to data portability

The Data Subject has the right to obtain his personal data  which he has provided a Controller with, in a structured, commonly used and machine-readable format, and the right to have the Data Controller transmit those data to another controller without hindrance from the Data Controller to which the personal data have been provided. The Data Subject shall be due the right of data portability if:

  • processing is based on the Data Subject’s consent, or his consent given for processing special categories of personal data for one or more specific purposes, or a contract pursuant to Article 6 (1) (b) of the GDPR, and

  • the processing is carried out by automated means.

Right to object

 The Data Subject has the right to object at any time, on grounds relating to his particular situation, to the processing of his personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller or for the purpose of the legitimate interests pursued by the Data Controller or by a third party, including profiling. In this case, the Data Controller shall not terminate processing of the personal data if processing is justified by compelling legitimate grounds which override the Data Subject’s interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Automated decision-making in individual matters, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect on concerning him or significantly affects him in a similar way. The Agency does not use automated decision-making.

Informing a data subject of a personal data breach

If a possible personal data breach is likely to result in a high risk to your rights and freedoms, the Controller shall inform you of the personal data breach without undue delay.

Right to lodge a complaint with a supervisory authority

If the Data Subject suffers any injury in connection with the processing of his personal data, in the interest of faster and more efficient handling of the issue, before filing a complaint, he should contact the Data Controller and submit a request pertaining to the exercise of the data subject’s relevant right.

You are entitled to submit a complaint to the supervisory authority if you feel that the processing of your data is in violation of the provisions of data protection legislation.

Nemzeti Adatvédelmi és Információszabadság Hatóság [Hungarian National Authority for Data Protection and Freedom of Information]

Registered seat: 1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf.: 9.

Telephone: +36 (1) 391-1400

Fax: +36 (1) 391-1410




Right to an effective judicial remedy against a supervisory authority

You have the right to an effective judicial remedy against a legally binding decision made by a supervisory authority against you.

Right to an effective judicial remedy against a controller or processor

Without prejudicing the right to lodge a complaint, the Data Subject has the right to effective judicial remedy by way of initiating a civil lawsuit if he feels that his personal rights have been violated by way of non-compliant personal data processing. The Fővárosi Törvényszék [Metropolitan Court of Budapest] has jurisdiction to adjudge the case, but the Data Subject may choose to launch the proceedings at the regional court with jurisdiction for his home address.

The present Privacy Policy is effective from 27 May 2021.