From the beginning of the year, data on all hotel guests staying in Hungary has gone into a central database, drawing concerns from the National Authority for Data Protection and human rights groups about its use and storage.
The Hungarian Tourism Agency, the MTU, insists that collection of the data is the responsibility of accommodation owners. But many say they are suffering as a result.
“Many of our guests are reluctant to hand over their passports with all their personal data. Despite my telling them that this is a legal obligation, they leave with a bad experience. So they give us bad ratings on booking sites, which depresses our turnover,” a man who runs a small accommodation centre in Budapest told the Magyar Narancs weekly.
The latest innovation of the government in tourism, the National Tourism Data Supply Centre, NTAK, was launched in mid-2019 and has been fully effective since January 1, 2020.
The basic idea is to help to develop a tourism strategy and reduce the number of accommodations centres that do not operate in a completely legal way. All those offering accommodation, from big hotels to small Airbnbs, have to report their data on a daily basis.
Data on income, rooms, reservations and all guests have to be submitted to NTAK. Hotels can use their own software to communicate with it. Smaller service providers use the web-based Az Én Vendégszobám (My Guestroom) system, offered by the MTU free of charge.
While the collection of financial data is widely welcomed in the sector due to the large number of illegal or half-legal guestroom lettings, the collection of personal data raises more questions.
The programme collects the names of guests, their citizenship, date and place of birth, sex, mother’s name, number of travel documents, zip code and country of residence. There is a possibility of storing emails and phone numbers as well. It is not clear, however, exactly what kind of data is stored and who can access it. While hotels and Airbnb in many countries gather personal data of their guests, it is unusual to have one central database run by the state.
The MTU says the personal data is stored and handled only by the accommodation providers, not by them. However, according to the description of the NTAK, the system stores personal data in encrypted form. In addition, the software offered by MTU is web-based and stores all the data in the central server.
The current law does not specify what data the tourism agency is allowed to collect and states that the MTU can store personal data but not access it.
New legislation will be effective only from September. That will settle many questions, like specifying what data the agency can collect, what has to be encrypted, and more. But the legislation that comes into force in September also allows the police to search the data stored in the data-centre. Also, the agency is sending the data on all third-country guests to the National Directorate General for Aliens Policing. If the personal data was really encrypted, this would be impossible. Magyar Narancs sent several questions to MTÜ before publication, but its reply was only a statement without concrete answers to the queries.
Ádám Ramport, from the Hungarian Civil Liberties Union, HCLU, a human rights NGO, argues this could be seen as a pooling data gathering, which is unconstitutional.
The National Authority for Data Protection also wrote in a statement that the need for this data collection is not well reasoned. It questioned why the Aliens Policing department is allowed to keep the submitted data for five years. The practice is “a further restriction of … the right to the protection of personal data”, the authority summarized.