Hungarian tourism sector faces new mandatory data reporting rules

Hungary

For security reasons, accommodation providers and those wishing to use accommodation services are required to provide extensive additional information on guest identities. From 1 September 2021, accommodation providers will be obliged to record data from ID cards or other identification documents upon the arrival of each guest. The documents must be digitally scanned and uploaded to a Closed Information Database for Guests (VIZA).

Central database

As a result of the amendment to Act CLVI of 2016 on the State Tasks of the Development of Tourist Areas, starting 1 September 2021 accommodation providers are obliged to record the data of those using accommodation services on the Guest Information Closed Database system (Vendég Információs Zárt Adatbázis or VIZA) provided by the Hungarian Tourism Agency (MTÜ). According to the Tourism Act, the primary objective of the VIZA is to promote public policy, security and border control. The system will also protect the rights, security and property of the data subject and others.

Affected parties

There is no exception to this policy. Even the smallest accommodation providers in the sector must provide data. The new obligation will apply to all accommodation providers in the sector, irrespective of their size or profile, for guests staying for both private and business purposes.

The data available on the guests’ identification document must be obtained with a digital document scanner, which the accommodation providers must acquire themselves and are free to choose. The MTÜ offers the application called “VENDÉGEM” (available in the AppStore here and in the Google Playstore here) for small accommodation providers with up to eight rooms with sixteen beds free of charge.

Mandatory data collection

The data must be collected with the digital document scanner and accommodation management software upon arrival at the front desk or reception.

The data to be collected from arriving guests include:

  • name, surname, place and date of birth, nationality, mother’s maiden name and surname,
  • data in the identification document, in case of third-country national the visa or residence permit number, the date and place of entry,
  • the address of the accommodation, the start and expected and actual end dates of stay.

For Hungarian guests, nationality identity cards, driving licences and passports are accepted as proof of identity. For guests arriving from the EU, identity cards and passports are accepted, and for guests arriving from third countries, only passports are accepted for identification and document scanning.

If a guest refuses to show the required document, this individual must be refused the service. If a guest who refuses to produce an ID document has paid a deposit, this amount must be refunded.

Responsible parties for data protection

In terms of data protection, the Tourism Act designates the accommodation providers as data controllers primarily responsible for compliance with the requirements of Regulation (EU) 2018/679 (GDPR). The MTÜ acts as a data processor that provides the storage space. This means that accommodation providers will be responsible for the following:

  • defining the appropriate legal basis of the data processing, which will likely be according to Art. 6 (1) c) GDPR, since the processing is necessary for compliance with a legal obligation to which the controller is subject.
  • informing the guests (i.e. data subjects) about the circumstances of the collection prior check-in via online and offline channels. Information on this process, including the web site's privacy policies, can be sent to each potential guest in a confirmation email.
  • handling any potential guest request that is based on a data subject’s right under the GDPR, such as a data access request or request for information.
  • deleting the data after the mandatory storage period, which is the last day of the first year after the date of the data collection (e.g. where the data was collected on 1 January 2022, the data must be deleted on 31 December 2023).

For more information on this registration process and the Hungarian tourism sector, contact your CMS client partner or local CMS experts.

The article is co-authored by Anna Horváth.