Data protection policy

Turizmus Idegenforgalmi Kiadói Propaganda és Kereskedelmi Korlátolt Felelősségű Társaság

  1. General provisions and contact details of data controller

The purpose of the data processing policy is for the data subjects to receive the appropriate information on certain of their rights and obligations pertaining to the processing of their personal data. On the basis of the policy, the circumstances of the processing of personal data shall become evident for the data subjects, and on this basis they can decide on giving their consent for data processing.

The current data processing policy is based on Section 20. § (2) of the Act on Information, inasmuch as the data subject shall be clearly informed, in detail, prior to the start of data processing, about all aspects pertaining to the processing of their data, in particular the purpose and legal basis for data processing, the person entitled to process data and carry out processing, the duration of the data processing, and whether the personal data of the data subject is processed by the data controller pursuant to Section 6. § (5) of the Act on Information, furthermore, the person(s) to whom this data may be disclosed. The policy shall extend to the rights and opportunities for judicial remedy pertaining to data processing of the data subject.

Pursuant to Section 4. § (1) of the Act on Information, personal data may be processed exclusively for specified and explicit purposes, where it is necessary for the exercising of certain rights and fulfilment of obligations. The purpose of data processing must be satisfied at all stages of data processing operations; recording and processing of personal data shall be done under the principle of lawfulness and fairness. Pursuant to Section 4. § (2) of the Act on Information, personal data processed must be essential for the purpose for which it was recorded, and it must be suitable to achieve that purpose. Personal data may be processed to the extent and for the duration necessary to achieve its purpose.

The company has an extremely wide portfolio, therefore in the interest of implementation of its own activities it cooperates with PR in Hungary Kft. owned by Turizmus Kft. as joint data controller. Accordingly, the legal force of the current data processing policy extends to the undernamed company in the ownership of Turizmus Kft.:
– PR in Hungary Marketing Szolgáltató Korlátolt Felelősségű Társaság (Company registration No.: 01-09-899039)
Turizmus Kft. informs the data subjects prior to the start of data processing through the current data processing policy about the facts pertaining to the processing of data. The information contained in the data processing policy covers the rights and opportunities for judicial remedy pertaining to the data processing of data subjects, furthermore, whether a data controller will be used in the course of data processing.

In respect of all data processing dealt with in the policy, Turizmus Kft. is the data controller.

Data and contact details of the data controller:

Turizmus Kft.
• head office: H-1074 Budapest, Munkás utca 9.
• company registration No.: 01-09-899039
• taxation No.: 1432920-2-42
• presentative: Zsolt Szebeni, general manager

Relevant contact data:
• Turizmus Kft.
• Address: H-1074 Budapest, Munkás utca 9.
• Telephone No.: 06-1/492-0451
• E mail: sales@turizmus.com

  • Data controller website: www.turizmuskft.hu

The data processing policy can be read online on the www.turizmuskft.hu website at the Data processing policy menu.

  1. Processing data of employees

Turizmus Kft. (hereinafter: ‘company’), as employer, processes the data of those natural persons who are in an employment relationship with the company on the basis of an employment contract, on the basis of its own data protection and processing regulation as interpreted together with the current data processing policy.

II.1. Legal basis for data processing

  • The personal data of employees are processed on the basis of fulfilment of the employment contract signed between the data subjects and the company. [General Data Protection Regulation (GDPR) Article 6. (1) b)]

II.2. Purpose of data processing

The processing of personal data as defined in a separate legal regulation of Turizmus Kft. and the data subjects, that is, employees, in an employment relationship with it, is implemented in order that reporting liabilities arising on the part of the employer shall occur in the interest of both the company and the employees, furthermore, that access to data shall, in the course of any audit by the authorities, be ensured.

II.3. Duration of data processing

Processing of the personal data of data subjects shall – in the case of every data subject – be implemented for the storage duration following termination of the employment relationship existing on the basis of the employment contract and stipulated in a separate legal regulation.

Pursuant to Article 6. § (5) a) of the Act on Information, inasmuch as data processing is necessary deriving from a legal liability, the company shall process the data until the expiry of such legal liability.

II.4. Scope of data processed

Surname, given name, sex, date of birth, taxation number, personal identification certificate number, Hungarian Social Insurance Identification (TAJ) number, official residence certificate data; furthermore, all other data as stipulated by separate legal regulation on the establishment of an employment relationship.

II.5. Payroll accounting and other data processing declaration

The following company carries out payroll accounting for the company on commission of the data controller, furthermore, as data processor in this context, processes the data of employees of the company:
Art of Balance Kft.
Head office: 2092 Budakeszi, Arany János utca 8.
Representative: Anikó Nagy, general manager

II.6. Those entitled to access to the data

Turizmus Kft. processes data exclusively in the interest of the legal maintenance of the employment relationship, therefore the general manager of the company, furthermore, employees in an employment relationship with the company may have access to personal data referred to in the current chapter.

III. Processing data of newsletter subscribers

On the basis of its own data protection and processing regulation as interpreted together with the current data processing policy, Turizmus Kft. processes the data of those natural persons who, in regard of the electronic newsletter published by the company, requested the newsletter despatched electronically and published and edited by the company following a registration process.

III.1. Legal basis for data processing

  • Data processing occurring for the purposes referred to below is on the basis of the voluntary consent of the data subjects.

III.2. Purpose of data processing

In order to be able to despatch, electronically, the newsletter published by Turizmus Kft., it is essential to have the electronic mailing address of data subjects by registration, and to store such up until the time that the data subject no longer requires the newsletter referred to. Accordingly, data processing referred to in the current point serves to allow the newsletter and its contents therein to be acquired by all those data subjects who voluntarily registered to acquire the content.

III.3. Duration of data processing

Processing of the personal data of data subjects shall – in the case of every data subject – be implemented exclusively until the data subject him/herself indicates to the data controller company that he/she does not require the newsletter referred to in III.2. above; following this, the data controller shall immediately delete the electronic mailing address of the data subject.

Pursuant to Article 6. § (5) a) of the Act on Information, inasmuch as data processing is necessary deriving from a legal liability, the company shall process the data until the expiry of such legal liability.

III.4. Scope of data processed

Surname, given name, electronic mailing address.

III.5. Declaration on IT support

As hosting service provider, the following company provides the technical conditions for digital data storage for the company on the commission of the data controller:
Netrix Kft.
Head office: 1027 Budapest, Horvát utca 14-24.
representative: Géza Bálint, general manager;

Inclust Systems Kft.
Head office: 1054 Budapest, Honvéd utca 8. 1. em. 2.
representative: Gábor Búza, general manager;

Doctusoft Kft.
Head office: 1143 Budapest, Gizella út 42-44.
representative: István Boscha, general manager;

MailChimp c/o The Rocket Science Group, LLC
Head office: 675 Ponce De Leon Ave NESuite 5000 Atlanta, GA 30308 USA

E.N.S. Informatikai és Rendszerintegrációs Zrt.
Head office: 1106 Budapest, Fehér út 10. 2. ép. 2. em.
representative: Balázs Nádasdy-Nagy, CEO

III.6. Those entitled to access to the data

Exclusively the general manager of Turizmus Kft., furthermore, employees in an employment relationship with the company, may have access to personal data referred to in the current chapter.

  1. Processing of data of contracted partners, clients, subscribers

Turizmus Kft. (hereinafter: ‘company’) processes the data of those who, as external partners, are in any contractual relationship with the company in relation to the activities of the company in compliance with the company’s particular corporate form and on the basis of its own data protection and processing regulation as interpreted together with the current data processing policy.

IV.1. Legal basis for data processing

  • The legal basis for data processing is the voluntary consent of the data subjects, furthermore, liabilities necessary for fulfilment of the contract; accordingly, the data of external partners are entered into a register.

IV.2. Purpose of data processing

To the degree of the activity of the company and given the nature of its operation, Turizmus Kft. is in a contractual relationship with several external partners or natural persons in order to ensure fulfilment of the obligations undertaken by the company. Accordingly, the purpose of the current data processing is fulfilment of contracts, furthermore, processing of subscribers for the company’s online and/or print media products, and implementation of promotional events organized by the data controller.

When implementing promotional events organized by the data controller, it can happen that personal data of data subjects may be forwarded. Forwarding of data shall occur exclusively with the express consent and written agreement of the data subjects.

IV.3. Duration of data processing

Processing of the personal data of data subjects shall – in relation to the purposes set down in IV.2. above – be implemented for the duration stipulated in a separate legal regulation.

Pursuant to Article 6. § (5) a) of the Act on Information, inasmuch as data processing is necessary deriving from a legal liability, the company shall process the data until the expiry of such legal liability.

The applicant can request deletion of his/her data, withdrawal of his/her consent in writing to postal address 1074 Budapest, Munkás utca 9.

IV.4. Scope of data processed

Surname, given name, sex, date of birth, citizenship, e-mail address; furthermore, all other personal-related data required to be registered as stipulated in a separate legal regulation.

IV.5. Declaration on IT support

As hosting service provider, the following company provides the technical conditions for digital data storage for the company on the commission of the data controller:
Netrix Kft.
Head office: 1027 Budapest, Horvát utca 14-24.
representative: Géza Bálint, general manager;

Inclust Systems Kft.
Head office: 1054 Budapest, Honvéd utca 8. 1. em. 2.
representative: Gábor Búza, general manager;

Doctusoft Kft.
Head office: 1143 Budapest, Gizella út 42-44.
representative: István Boscha, general manager;

MailChimp c/o The Rocket Science Group, LLC
Head office: 675 Ponce De Leon Ave NESuite 5000 Atlanta, GA 30308 USA

E.N.S. Informatikai és Rendszerintegrációs Zrt.
Head office: 1106 Budapest, Fehér út 10. 2. ép. 2. em.
representative: Balázs Nádasdy-Nagy, CEO

IV.6. Those entitled to access to the data

Turizmus Kft. uses data exclusively in the interest of fulfilment of the purposes referred to in IV.2. above. The company declares that persons in an employment relationship and an agency relationship with the company can access the personal data of data subjects exclusively for the purpose of data processing.

  1. Rights of the data subject in relation to data processing

Rights of the data subject:

  • request for information
    • request for correction of data
    • request for deletion, blocking of data
    • objection against data processing

Request for information, correction, blocking, correction of personal data, furthermore, objection concerning data processing can be lodged at any time at the following contact points:

  • by post: 1074 Budapest, Munkás utca 9.
    • in person: Turizmus Kft., 1074 Budapest, Munkás utca 9.

V.1. Information

The data subject (hereinafter: User) can at any time request Turizmus Kft. (hereinafter: Data Controller), to inform him/her about the processing of his/her personal data. The Data Controller shall be required to give the information in an easily intelligible form, in writing, at the request of the data subject without delay, at most within 25 days from the date of submission of the request.

The User can submit the request for information to the Data Controller in writing by post. In the request, the User shall be required to give such identification details that will allow the Data Controller to establish the entitlement to acquisition of personal data. In the request, the User shall be required to give a postal address to which the Data Controller can send the information.

The User can request information on the scope of personal data that is processed, the source of personal data, the purpose of processing of personal data, furthermore, on what legal basis the Data Controller processes personal data, for what duration the Data Controller processes personal data, as well as the activities of the Data Controller pertaining to the processing of personal data.

In the event of receiving such a request, the Data Controller shall give information about which contracted partner it forwarded personal data to and the legal basis for the forwarding of data.

Inasmuch as in the course of data processing a data protection incident occurs, the User may also request information on its circumstances, effects and measures taken by the Data Controller in order to prevent its reoccurrence. A data protection incident is where the processing of personal data takes place in a manner that infringes legal regulations. Such cases are in particular where an unauthorized person gains access to personal data, personal data are unlawfully modified, forwarded or made public, or where such data are deleted or destroyed in a manner that infringes legal regulations. Furthermore, if personal data are destroyed or damaged during an accidental event, this qualifies as a data protection incident.

The Data Controller shall post the information at most within 25 days from the date of arrival of the request by the User. The Data Controller shall provide the information free of charge on one occasion per year with regard to the personal data designated in the request.

The Data Controller may refuse to provide information to the data subject exclusively in the two cases detailed below:

  • Inasmuch as, in the case of data forwarding, the Data Controller receives the personal data from the data forwarder in such a way that the data forwarder notifies the Data Controller that the rights of informing the data subject are restricted by any domestic or international legal regulation.
  • Inasmuch as the right for information of the data subject may be restricted by law in order to safeguard the external and internal security of the State, such as defence, national security, the prevention and prosecution of criminal offences, and in the interest of law enforcement, furthermore, to protect the economic and financial interests of central and local government, safeguard the important economic and financial interests of the European Union, guard against disciplinary and ethical breaches in relation to the exercise of professions, prevent and detect breaches of obligation related to labour law and occupational safety – including in all cases control and supervision – and to protect the rights of data subjects or others.

If the Data Controller refuses to comply with the Data Subject’s request for information, the reason for the refusal shall be communicated to the Data Subject in writing, precisely designating the legal basis for the refusal. In this case, the Data Controller shall also inform the Data Subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority (as regards judicial remedy, see VI. of the current policy).

V.2. Correction of data

The Data Subject may at any time request the Data Controller to correct his/her personal data if they do not reflect the truth. If the personal data do not reflect the truth and the true personal data are at the disposal of the Data Controller, the personal data shall be corrected by the Data Controller. The Data Subject can despatch the request for correction to the Data Controller in writing by post or in an e-mail.

If the Data Controller does not fulfil the request for correction of the Data Subject, then it shall designate in writing the legal basis thereof within 25 days of receipt of the request. In this case, the Data Controller shall also inform the Data Subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.

V.3. Deletion or blocking of data

The Data Subject may at any time request the Data Controller to delete or block his/her personal data. The Data Subject can despatch the request for deletion or blocking to the Data Controller in writing by post.

The Data Controller shall delete personal data if:
• they were unlawfully processed,
• the Data Subject requests the deletion or blocking of his/her personal data,
• data processing is incomplete or inaccurate – and this state cannot be remedied legally assuming that deletion is not excluded by law,
• the purpose of data processing has terminated, or the deadline of data storage as stipulated in the law has expired,
• a court or Authority orders the deletion of data.

If the Data Controller does not fulfil the Data Subject’s request for deletion or blocking, the reason for the refusal shall be communicated in writing, by post, within 25 days of receipt of the request, designating the legal basis for the refusal. In this case, the Data Controller shall also inform the Data Subject of the possibilities for seeking judicial remedy or lodging a complaint with the Authority.

The Data Controller shall block the personal data instead of deleting them if the Data Subject so requests, or if on the basis of available information it can be presumed that deletion would injure the lawful rights of the Data Subject. Personal data thus blocked can be processed only as long as the legislative or factual circumstances obstructing their deletion exist.

V.4. Objection against processing of personal data

The Data Subject has the right to object against processing of personal data in the following cases:
• if the processing of personal data is necessary exclusively for fulfilment of legal liabilities pertaining to the Data Controller, or for the assertion of the rights and legitimate interests of the Data Controller or a third party,
• if the purpose of the processing of personal data is directly for marketing, public opinion polling or scientific research,
• if the law permits the Data Subject to lodge such an objection.

The Data Subject can despatch the objection in writing, by post, to the Data Controller. The Data Controller shall examine and reach a decision on the justification of the objection within 15 days of submission of the objection. The Data Controller shall inform the Data Subject of its decision in writing. If the objection of the Data Subject is found to be justified, the Data Controller shall terminate all data processing and data forwarding, it shall block personal data, and it shall notify all to whom any of these data had previously been transferred concerning the objection and the ensuing measures, upon which these recipients shall also take measures regarding the enforcement of the objection.

  1. Opportunities for judicial remedy of the data subject

If the Data Subject does not agree with the decisions of the Data Controller, or if the Data Controller neglects the 15-day deadline available for assessing the objection of the Data Subject, the Data Subject – within 30 days calculated from the announcement of the decision, or the final day of the deadline – may turn to the court for judicial remedy.

The Data Subject can turn to the National Authority for Data Protection and Freedom of Information for judicial remedy in cases where there has been an infringement of rights regarding the processing of personal data, or the Data Subject can launch a legal action in the competent court.

The Data Subject can contact the National Authority for Data Protection and Freedom of Information as follows:

  • address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
    • postal address: 1530 Budapest, Pf.: 5.
    • telephone: +36 (1) 391-1400
    • fax: +36 (1) 391-1410
    • e-mail: ugyfelszolgalat@naih.hu
    • website: www.naih.hu

The Data Subject can also launch proceedings against the Data Controller in the tribunal competent according to residence or place of abode.

The Data Subject is only entitled to give consent to data processing by the Data Controller if he/she is cognisant of the data protection and data processing provisions as above, and he/she is fully aware of the rights and obligations pertaining to the processing of his/her personal data.

Budapest, 25 May 2018

Turizmus Kft.
representative: Zsolt Szebeni
general manager