Privacy Policy

The Hungarian Cycling Tourism Association (MAKETUSZ), as the operator of, is providing this information on the processing of the personal data, the organizational and technical measures for data protection and the remedies available to the visitors of its website, the subscribers to its newsletters and persons registering online to its events through the website.

This privacy policy has been drawn up in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) and Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter referred to as Information Act).

The scope of the Policy shall cover the data controller and natural persons whose personal data are made known to and processed by the controller. The policy enters into force on the date of its signature and shall remain valid until the date of its revocation/amendment. The controller shall also have a data protection and data security policy, which contain more detailed rules on the processing of data and which shall be available on the websites and at the registered seat of the controller.

1. The data controller

Hungarian Cycling Tourism Association (Magyar Kerékpáros Turisztikai Szövetség, MAKETUSZ), seat: 9700 Szombathely, Berzsenyi Dániel tér 1. registration no.: 18-02-0200691, tax number: 18877410-1-18, represented by: President Balázs Benyó, e-mail: [email protected], website:

2. The scope of the data processed

• If subscribing for the Bringázás itthon (Cycling in Hungary) newsletter: name and email address. • If registering for an event: name, e-mail address, telephone number, possibly data related to food or other services (height for cycle renting, size for t-shirts). • If participating in an event: consent to being recorded in video and audio to be published under the ‘News’ section. The provision of information requested during event registration is voluntary, which also means that, if such information is refused, the participant accepts the possibility of not having access to some of the data controller's services (e.g. special diet if meals are to be provided).

3. The purpose of the data processing

The controller shall process data for the purpose of completing the tasks under titles 20-38-21 of Chapter XVII of Annex 1 of Act C of 2017. The controller shall not use the personal data for purposes other than those specified. The information provided by registered users is processed with the consent of the user. The purpose of processing personal data submitted with the aim of receiving the Bringazasitthon newsletter is to enable the registered person to receive the newsletter. If registering for an event: the purpose of data processing is to provide the registered person with access to the designated event, to inform the data subject and to communicate with the data subject in the context of the event. The legal basis for the processing is the consent of the data subject (Article 6(1)(a) of GDPR).

4. The duration of the data processing

In the case of a newsletter: the data controller shall retain the personal data on an electronic medium until the person unsubscribes from newsletter. In the case of an event: the registered data shall be deleted within 60 days of the end of the event.

5. Persons with access to data, data processors

Only the administrator data processors at shall have access to personal data provided by users registered for the newsletter and to any data automatically made known due to technical functions. The data is processed and stored in the IT system of MAKETUSZ. In the case of events, the controller shall provide its services through its employees and agents, which means that the personal data of the data subject are made available to communications coordinator employees in the scope of their work and to the extent necessary for the performance of their tasks. The contract entered into with agents shall provide specifically for data protection.

6. The data processor

During event registration, Google Form is used. Please see the data processor’s information here: Google LLC, seat: 1600 Amphitheatre Parkway, Mountain View, CA 94043, represented by: Larry Page CEO, website:

7. The rights of registered users related to the processing of their personal data and to the erasure of such data

By consenting to the Privacy Policy, the registered user shall authorize the controller to process the personal data submitted. The controller shall inform the registered user, upon request, of the processed personal data; the user may request any rectification, blocking, erasure or restriction of the personal data, and may withdraw his consent at any time. The request for information, rectification, blocking or erasure shall be sent to [email protected]. The data controller shall comply with the request of the registered user within the shortest time limit, and at the latest within 30 days, or shall state in writing the reasons for its refusal in a clear and comprehensible manner. The rights of registered users to the processing of their personal data are governed by Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, published in the national Legislation Database (

8. Data security measures

The controller shall do all within its remit to ensure the safe processing and storage of data, and to ensure no third and unauthorized party shall have access to them. Processed data are managed in a reliable, dedicated server environment with high capacity and availability.

9. Enforcement of rights

In the event of a potential breach by the controller of the rights of the registered user, the registered user may apply to the competent court at his place of residence or stay, and to the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/C; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ([email protected]) to initiate an investigation, on the grounds that there has been, or there is imminent danger of a breach of a right in relation to the processing of personal data. The rights and remedies of data processing are set out in detail in sections III and VIII of the GDPR and in Chapters II/A and VI of the Information Act.

If a data subject submits a request, the procedure shall be as follows.

1. The controller shall facilitate the exercise of the rights of the data subject. The controller should not refuse to comply with the request for the exercise of the rights of the data subject unless he or she proves that he or she is unable to identify the data subject.

2. The controller shall process the request submitted by the data subject as soon as possible, within a maximum of 25 (twenty-five) days of its submission and shall notify the data subject of its decision (in writing or by electronic means if the data subject has submitted the application in that form).

3. Where the controller does not take action following a request from the data subject, he shall inform the data subject without delay and at the latest within 25 (twenty five) days of receipt of the request, of the reasons for the non-compliance and of the fact that the data subject may lodge a complaint with the supervisory authority and have the right to legal redress.

4. Data controller shall provide information pursuant to Articles 13 and 14 of the GDPR and Articles 15 to 22 and 34 of the GDPR free of charge (confirmation as to whether or not personal data are being processed, access to the data processed, rectification, supplementing, erasure, restriction of data processing, data portability, the right to object to the processing, and information on personal data breaches).

5. If the data subject

a) submits a repeated request for the exercise of its rights under points b-e) of Section 14 of the Information Act in the current year, for the same data set, and b) upon such request, the controller lawfully refuses the rectification, erasure or restriction of the processing of personal data processed by the controller or by the processor acting on his or her behalf or at his or her request, the controller may claim reimbursement from the data subject of costs directly incurred in the context of repeated and unfounded enforcement as provided for in point a) and b).

6. If there are reasonable grounds to consider that the person making an application for enforcement of the rights provided for in points b-e) of Article 14 of the Information Act is not the data subject, the controller shall comply with the request after credible verification of the identity of the requestor.

7. The request may be submitted as follows:

By post: 1062 Budapest, Trombitás út 22. Fszt. 2. By electronic means: [email protected]

10. Disclaimer

The controller reserves the right to amend the Privacy Policy. This may be the case, in particular, if it is made compulsory by law. Changes in the processing of personal data shall not mean processing for purposes other than those established. Related information shall be made available by the controller on its website 15 days in advance.

Budapest, 15 July 2021