Privacy Policy

Objective of the data processing information

The Budapest Sightseeing Korlátolt Felelősségű Társaság as a data controller is accepting as mandatory the content of the present legal announcement. It guarantees that every data processing related to its activity complies with the content of the present policy and the national law in force and the requirements specified in the legal acts of the European Union, with special regard to the 2016/679 general data protection decree of the European Parliament and the Council (EU) (further on: GDPR).

The data protection principles incurring in connection with the Budapest Sightseeing Kft.’s data processing can be accessed on the www.rivercruisebudapest.eu site.

The Budapest Sightseeing Kft. reserves the right to modify the present information. Of course we are notifying the data subject in time about the eventual changes.

Should you have a question in connection with the present announcement, please write to us and our colleague will answer it.

The Budapest Sightseeing Kft. is committed to protect the personal data of its customers and partners, it is outstandingly important to respect the self-determination right of the clients. The Budapest Sightseeing Kft. is handling the personal data confidentially and takes all the security, technical and organisational measures that guarantee the safety of the data.

The Budapest Sightseeing Kft. is hereby presenting its data processing practice.

Particulars of the data controller

Name: Budapest Sightseeing Kft.

Seat: 1075 Budapest, Madách Imre út 13-14.

Company registration number: 01-09-424612

Name of the registering court: Fővárosi Törvényszék Cégbírósága (Company court of the metropolitan court)

Tax number: 13527859-2-42

Legal representative: Fraknóiné Háhn Györgyi – managing director

Phone number: +36 1 327 6690

E-mail: bpsightseeing@discoverbudapest.hu

Website: http:// www. rivercruisebudapest.eu

The Budapest Sightseeing Kft. is deleting every received e-mail together with the contained personal data in one year from supplying the data.

General data processing principles

If the data processing of the Budapest Sightseeing Kft. is based on freely given consent then the data subjects can withdraw their consent in any phase of the data processing.

If the data processing of the Budapest Sightseeing Kft. is mandatory based on law then we are notifying the data subjects accordingly.

In case of handling the data subject’s personal is necessary in order to protect vital interests we are performing interest consideration during which:

  1. we are identifying and recording the righteous interest;
  2. we are identifying and recording the interests and rights of the data subjects;
  3. consideration based on the principles of necessity and proportionality, relation to the objective, data economising, restricted storage possibility;
  4. we are informing the data subjects about the interest consideration.

We are drawing the attention of the parties that are providing data for the Budapest Sightseeing Kft. that if the personal data supplied by them are not theirs then the data supplier is obliged to obtain the consent of the data subjects.

We continuously assure that our data processing principles are in compliance with the law related to the data processing.

Scope, purpose, legal base and duration of the handled personal data


  • The data related to the Budapest Sightseeing Kft.’s touristic service

The scope of the processed data (it may vary depending on the type of the certain service):

  1. last name
  2. first name
  3. age
  4. citizenship
  5. phone number
  6. e-mail address
  7. data of the used touristic service
  8. copies of the personal documents

Legal base of the data processing:

The handling of the data of the party that is using the touristic service takes place for the performance of the contract (article 6. (1) b) of the GDPR)

We are handling these data in connection with our activity with the purpose to meet the legal obligation and sustain the customer contact.

Duration of the data processing:

The Budapest Sightseeing Kft. is deleting the personal data in maximum 1 year from the termination of the legal relationship with the user of the touristic service.

  • Processing the data of the contact keeping persons of the contractual partners

Scope of the processed data:

  1. last name
  2. first name
  3. phone number
  4. e-mail address
  5. company name
  6. position
  7. type, content, date, mode, form of using the service

Legal base of the data processing:

The processing of the data of the contractual partners takes place with the necessity for the performance of the contract and in order to assure the continuity of the business for the purposes of the legitimate interests pursued by the data controller. (articles 6. (1) b) and 6. (1) f) of the GDPR)

Duration of the data processing:

The Budapest Sightseeing Kft. is deleting the personal data in 1 year after the termination of the legal relationship with the contractual partner.

  • The data required for the issuance of the invoice that corresponds to the accounting law

Scope of the processed data:

  1. last name
  2. first name
  3. address
  4. tax identification number
  5. invoice-based service

Legal base of data processing:

Processing is necessary for compliance with a legal obligation (article 6. (1) c) of the GDPR)

Duration of the data processing:

The period of storing the documents that serve as base for the invoice issuance is 8 years.

  • Processing the data of employees and applicants

(with the content and terms and conditions defined in a separate policy)

Legal base of data processing :

Article 6. (1) b) and c) of the GDPR

Duration of the data processing :

The period of storing the documents serving as base for the employment relationship is: 50 years.

  • Footage of the security cameras

(with the contents and terms and conditions specified in a separate policy)

Scope of the processed data:

The footage taken by the security cameras defined in the separate policy.

Legal base of the data processing:

Processing is necessary for the purposes of the legitimate interests (personal and property security) pursued by the controller (article 6. (1) f) of the GDPR)

Duration of the data processing:

Three workdays from recording if they are not used. It is considered use if the recorded image and/or recording or other personal data are used as evidence in proceedings by court or other authority. Pursuant to the all-time law the person whose right or righteous interest is being concerned with the image and/or sound footage respectively the recording of other personal data can – in 3 workdays from the image and/or sound recording respectively the recording of other personal data and by proving his/her right or the righteous interest – ask the data controller not to delete respectively not to destroy the data. 

Technical measures

The Budapest Sightseeing Kft. – for the processing of the personal data – is selecting the IT tools used for providing the service in such a way that the handled data:

  1. are available for the authorised parties (availability);
  2. their authenticity and authentication are assured (authenticity of the data processing);
  3. the invariance can be proved (data integrity);
  4. it is protected against the unauthorised access (confidentiality of data).

The Budapest Sightseeing Kft. is taking proper measures to protect the data against the unauthorised access, modification, forwarding, disclosure, deletion or destruction and the accidental destruction.

The Budapest Sightseeing Kft. is applying technical, organisational and organising measures in order to protect the security of the data processing which provides a proper protection level that corresponds to the risks incurring in connection with the data processing.

During the data processing the Budapest Sightseeing Kft. is preserving

  1. the confidentiality: is protection the information so that only the authorised parties can have access to it;
  2. the integrity: it is protecting the accuracy and completeness of the information and the processing method;
  3. the availability: makes sure that when the entitled user needs it then he/she can have access to the required information and the related instruments are available.

The data controller does not perform automated data management, including profiling.

Data transfer and data processing


  • The data controller is transfer the data to the following addressees:

  1. The Company’s employees and assignees dealing with tasks related to customer service, commercial activity;
  2. Depending on the characteristics of the used travel service and/or the place, mode of the order: the foreign touristic service providers and commercial partners;
  3. Employees and data processors that deal with accounting, taxation and legal tasks.

  • For the security of the personal data we are enforcing the following requirements against the data processors.

  • The data processor may perform instructions that are set in writing.
  • It is mandatory to conclude a written contract between the data controller and the data processor which shall contain the data supplied by the data controller to the data processor as well as the activity the data processor is performing with them.
  • The employees dealing with the personal data are obliged to keep confidentiality.
  • In order to guarantee the data security the data processor is performing the organising and technical measures.
  • The data processor is assisting the data controller in meeting his/her obligations.
  • Based on the data controller’s decision the data processor is returning all the personal data to the data controller or is deleting them, deleting the existing copies, except when the member state’s law or the EU law stipulates the storage of the data.
  • The data processor helps in and enables the audits, on-site investigations performed by the data controller or with the assistance of the assigned supervisor.
  • If the data processor is using another data processor then he/she will be obliged to comply with the same obligations that were created originally through the contract between the data processor and the data controller.

  • Data forwarding to abroad

We are not forwarding the personal data out of the European Economic Community.

Rights and right-enforcing possibilities of the data subject

The data subjects has the right to request from the data controller access to and rectification or – except for the mandatory data processing– erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability, right to object in the way specified during the data recording respectively through the above contact possibilities of the data controller.

  • Right to be informed

The Budapest Sightseeing Kft. takes proper measures so that the data subjects can clearly understand the information related to the handling of the personal data, the information contained in the GDPR’s articles 13 and 14 and all the information corresponding to the articles 15–22 and 34 in a concise, transparent, understandable and easily accessible way.

  • Right of access by the data subject 

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the related significant information 

The data controller shall provide the information at the latest within one month from submitting the request.

  • Right to rectification 

The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her and shall have the right to have incomplete personal data completed, 

  • Right to erasure

In case of the occurrence of one of the following reasons the data subject is entitled to ask the Budapest Sightseeing Kft. – if there is no exclusive reason specified by law – to erase the related personal data without undue delay:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed ;
  2. he data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing ;
  3. the data subject objects to the processing, and there are no overriding legitimate grounds for the processing ;
  4. the personal have been unlawfully processed ;
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. the personal data have been collected in relation to the offer of information society services.

  • Right to restriction of processing 

If requested by the data subject the Budapest Sightseeing Kft. is restricting the data processing if one of the following conditions is being met:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims ; or
  4. the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject 

Where processing has been restricted such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

  • Right to data portability 

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

  • Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on public interest or entitled through the data controller’s public authority or against the processing required for the enforcing of the interests of the data controller or a third party, including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims

  • Automated individual decision-making, including profiling 

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 

  • Right to withdraw

The data subject shall have the right to withdraw his/her consent any time.

  • Right to contact the court

In case the rights are infringed the data subject shall have the right to contact the court against the data controller. The court will proceed out of turn in this regard el.

  • Official data protection proceedings

Regarding the complaints related to data processing you may contact the following organisation.

Name: National Data Protection and Freedom of Information Authority

Seat: 1055 Budapest, Falk Miksa utca 9-11.

Postal address: 1363 Budapest, Pf.: 9.

Phone: 0613911400

Fax: 0613911410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu

Personal data breach

If the personal data processed by us are access by any unauthorised entity or there was another personal data breach (e.g. unlawful destruction, loss, change) or it is suspected to happen so, then according to the GDPR’s provisions and terms and conditions, without undue delay, where feasible, not later than 72 hours we notify the competent supervisory authority.

After learning about the personal data breach we are immediately take the necessary security measures in order to terminate or restore the damage that forms the base of the data protection incident.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we communicate the personal data breach to the data subject without undue delay.

Other provisions

Regarding the data processing being not listed in the present information we are providing information when recording the data.

We are hereby informing our customers that based on the authorisation of the court, the prosecutor, the investigating authority, the contravention authority, the public administration authority, the National Data protection and liberty of information authority, the National Bank of Hungary respectively the law other organs may contact the data controller in order to provide information or data, transfer data respectively to provide documents.

The Budapest Sightseeing Kft. is supplying the authorities with personal data – if the authority has specified the exact purpose and the scope of data – in an extent that is indispensably required to realise the objective of the contacting.

Date of last update: 13th December 2023.