We hereby accept this Notice in order to provide the representatives of the natural and legal persons (hereinafter: Users) using our services with all the relevant information and details in a concise, transparent, comprehensible and easily accessible way, with clear and simple wording, and also to help Users exercise their rights specified in Section 4. Our services are available at www.hsagroup.hu. HSA Group Zrt. is a member of a group of companies that includes HSA Relocation Ltd, among others. HSA Relocation Ltd’s tasks include the administration and assistance in the resettlement of third-country workers, the performance of related administrative activities following the resettlement, as well as the administration relating to the leasing of an apartment for the benefit of such employee, the preparation of the lease contract and the conduct of related communication.
The relevant data processing activities and information are set out in Appendix 10.4. of this Notice. The HSA Group is a group of companies specializing in the employment of all people, including adults, students and pensioners, where the member companies perform the various tasks required within the scope of the recruitment activities. The members of the HSA Group are involved in the processing of candidates’ and applicants’ personal data stored in the system operated by Hirefy Ltd. The relevant HSA Group privacy notice is available within the Hirefy system.
The basis of our information obligation is Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR), applicable as of 25 May 2018, Article 16 of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Infotv.), as well as Article 4 of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: Elkertv.).
This Notice has been prepared with consideration to GDPR, Infotv. and other laws relevant to data processing. These laws and regulations are listed in Appendix 10.1 of this Notice, the main terms are defined in Appendix 10.2, a detailed description of the data subjects’ rights can be found in Appendix 10.3., and the privacy notice of the HSA Relocation Ltd is attached in Appendix 10.4. of this Notice.
When preparing and implementing this notice, we followed the findings in the recommendations of the National Authority for Data Protection and Freedom of Information on the data protection requirements of preliminary information, and also the accountability principle described in Article 5 of the GDPR, particularly Article 5(2). We also monitor the practice of the European Union related to the protection of personal data; thus we include in our practices the content of the guidelines on transparency set out by the Article 29 Working Party of the European Commission.
Name: HSA Group Zrt.
Registered office: H-4025 Debrecen, Széchenyi utca 48. 1. em.
Company registration number: 09-10-000666
VAT ID: 32223877-2-09
Email: info@hsagroup.hu
Data protection officer: Dr. Miklós Péter, miklos.peter@hsagroup.hu
This section details the relevant circumstances for each data processing activity required of all data controllers by the GDPR and other legislation applicable to the industry.
You may contact us through our home page for any purpose. In addition, it is part of our job to process the personal data of the contact persons of our business partners. Please refer to the details of the corresponding data processing below.
| Personal data | Purpose of data processing | Legal basis of data processing |
| name | identification of the User or the contact person of our business partner | Consent given by the User (Article 6(1)(a) of GDPR); Legitimate interest of the business partner (Article 6(1)(f) of GDPR) |
| email address | contacting the User or the contact person of our business partner | Consent given by the User (Article 6(1)(a) of GDPR); Legitimate interest of the business partner (Article 6(1)(f) of GDPR) |
| phone number | contacting the User or the contact person of our business partner | Consent given by the User (Article 6(1)(a) of GDPR); Legitimate interest of the business partner (Article 6(1)(f) of GDPR) |
| public profile data accessible on social media platforms | identification of the User | Consent given by the User (Article 6(1)(a) of GDPR); Legitimate interest of the business partner (Article 6(1)(f) of GDPR) |
The consent of the User given when getting in contact by showing voluntary, explicit behaviour (making a phone call or sending an email) to processing their personal data for a purpose defined in Section 3.2.1 (Article 6(1)(a) of GDPR).
In case we use the data of the User for a purpose other than the original purpose for which it was collected, we will notify the User about doing so, obtain their preliminary, explicit consent, and give them the opportunity to ban using their data (see: Section 9.1).
The above specified personal data of the contact person of our business partner are processed based on the legitimate interest of the data controller and the business partner (Article 6(1)(f) of GDPR). It’s the legitimate interest of both parties to have effective business communications while using the website and discussing the partnership, and to be able to inform each other’s relevant representatives of the material circumstances relevant to our contract. Here, the right to informational self-determination of the contact person of our business partner is not considered to be violated, as it is their official or contractual duty to facilitate communication between the parties and to provide their personal data for this purpose. The contact person of our business partner can object to such data processing.
We process the provided personal data until the consent is withdrawn. The User can withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
We process the personal data of the contact persons of our business partners for a period necessary for communication and until we are required to do so by applicable law (in compliance with Act V of 2013, it is 5 years from the performance or termination of the contract, and in compliance with Act C of 2000, it is 8 years from issuing the invoice).
Electronically.
In order for us to carry out effective market research and to be able to present our pursued activities to relevant economic operators and businesses, the Data Controller’s employees shall make direct enquiries by telephone and via e-mail. Based on the results and responses to the market research the Data Controller shall prepare a technical material for business magazines and trade portals. Please refer to the details of the corresponding data processing below.
| Personal data | Purpose of data processing | Legal basis of data processing |
| name of the contact person of a business | identification and addressing the User | Legitimate interest (Article 6(1)(f) of GDPR) |
| telephone number and email address of the contact person of a business | contacting the User and forwarding the direct requests to them | Legitimate interest (Article 6(1)(f) of GDPR) |
| business address of the contact person of a business | sending a gift package to the business as a reward for the participation in the direct enquiry and to encourage further cooperation | Legitimate interest (Article 6(1)(f) of GDPR) |
The above specified personal data of the contact person of our business partner are processed based on the legitimate interest (Article 6(1)(f) of GDPR). In light of Recital 47 of the GDPR, the processing of personal data for direct marketing purposes may be considered to be based on legitimate interest. As such, we have a legitimate interest in conducting market research relating to the economic activity of our companies and presentation of the activities thereof as a purpose of the processing.
Our legitimate interest shall prevail over the right of access to the personal data of the contact persons of the undertakings, since our data management practices contribute significantly to our business interests and the contact persons can reasonably assume that the publication of their contact details on the undertaking’s website will lead to them being contacted for any purpose, including but not limited to marketing, by representatives of undertakings unknown to them. The contact person directly contacted has the right to object to the processing (Section 4.7).
Pursuant to Article 6(1) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities, the prior and explicit consent of the recipient of the advertising to a direct marketing request is only required if the recipient of the advertising is a natural person. In our view, it is therefore not necessary to obtain prior consent of the contact persons in connection with the aforementioned processing, as the recipients of our marketing requests are legal persons.
We process the personal data of the contact persons of our business partners for the purpose of our legitimate interests, until the purpose of the processing is fulfilled. If the contact person objects to or requests the deletion of his or her personal data, his or her name and contact details shall be deleted without delay.
Electronically.
In order to provide relevant information to you, it is possible to subscribe to our newsletter both in the registration form and in the section of our website dedicated to this purpose. The details of such processing are described below.
| Personal data | Purpose of processing | Legal basis of data processing |
| name | by providing this information we can address the User in our newsletter | Consent given by the User (Article 6(1)(a) of GDPR) |
| e-mail address | by providing this information we are able to learn the User’s electronic contact details to which we can send our newsletter | Consent given by the User (Article 6(1)(a) of GDPR) |
The User’s consent (Article 6(1)(a) of the GDPR) and Article 6(1) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising.
The personal data provided will be processed until consent is withdrawn. You may withdraw your consent at any time by clicking on the “Unsubscribe” button in the letter sent to you. The withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.
Electronically.
Job applications may reach us from several different sources (e.g. our own website, job portals, social media platforms, headhunting agencies, professional databases, direct applications via e-mail). Based on the applications received, we build and maintain a database of individuals seeking employment opportunities. In order to ensure the efficient use of the available candidate database, we may contact applicants regarding additional job opportunities that differ from the original application but correspond to their qualifications and professional experience. Please refer to the details of the corresponding data processing below.
| Personal data | Purpose of data processing | Legal basis of data processing |
| name | identification and addressing the applicant | Legitimate interest (Article 6(1)(f) of GDPR) |
| telephone number and email address | contacting the applicant regarding further job opportunities | Legitimate interest (Article 6(1)(f) of GDPR) |
| data contained in the CV (education, professional experience, competencies) | identification of relevant job opportunities for the applicant | Legitimate interest (Article 6(1)(f) of GDPR) |
| other professional information provided by the applicant | preliminary assessment of suitability | Legitimate interest (Article 6(1)(f) of GDPR) |
The legal basis of our data processing is the enforcement of our legitimate interest (Article 6(1)(f) of GDPR). We have a legitimate interest in efficiently utilising the candidate database available to us, built on applications received from various sources (e.g. our own website, job portals, social media platforms, recruitment agencies), and in informing applicants about further job opportunities corresponding to their professional profile. The rapid and successful selection of suitable professionals, as well as the high-quality fulfilment of our partners’ workforce needs, constitutes an essential element of our economic activity.
In our view, our legitimate interests prevail over the data subjects’ right to informational self-determination, since we process exclusively professional data provided by the applicant, the purpose of the processing is to offer potentially beneficial employment opportunities to the applicant, the data subject may reasonably expect to be contacted regarding further positions matching their qualifications based on their professional application, the processing does not result in disproportionate interference with the private sphere of the data subject, and the data subject has the right to object to the processing at any time (see Section 4.7).
Contacting applicants regarding further job opportunities does not qualify as economic advertising activity within the meaning of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising Activities, as its purpose is not the promotion of products or services, but the facilitation of the applicant’s professional employment. Accordingly, no separate consent is required for such processing.
We process the personal data of the data subject for the purpose of enforcing our legitimate interests until the purpose of the processing is fulfilled. If the data subject objects to the processing or requests the erasure of their personal data, such data shall be deleted without delay.
Electronically.
It is important for us to process data in a way that meets the requirements of fairness, lawfulness and transparency. In this context, we will briefly describe in this section what type of rights data subjects have. Further details can be found in Appendix 10.3 to this notice.
Our Users may request free information on the details of the processing of their personal data, access to or obtain a copy of the personal data processed, and in certain cases specified by law, request the rectification, erasure, blocking or restriction of the processing of such personal data and object to the processing of such personal data. Users may send their requests for information or requests under this section to the contact details provided in Section 2.
Our User can receive feedback from us about the processing of their personal data, access these personal data and the details of their processing, and obtain a copy of the personal data processed by us.
On the User’s request, we rectify their inaccurate personal data without undue delay, and the User shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
On the User’s request, we shall erase their personal data, if processing is not needed any more, or if the User withdraws their consent, or objects to processing their data, or processing is unlawful.
We seek to inform all data controllers of the User’s request for erasure (if they require us to do so) who accessed or might have accessed the potentially disclosed data of the User.
On the User’s request, we shall restrict data processing if the accuracy of personal data is debatable, or data processing is unlawful, or our User objects to processing their data, or in case we no longer need the provided personal data.
Our User can receive the personal data concerning and provided by them in a structured, commonly used and machine-readable format, and has the right to transmit it to other data controllers.
Our User should have the right to object to processing their personal data based on legitimate interest for a reason related to their own circumstances (see: Section 3.1 and Section 3.2). In this case we are not allowed to process these personal data any longer, unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims. In case of objection, personal data are not allowed to be processed any further by default.
We shall assess the request as soon as possible after submission, but no later than 30 days – 15 days in the case of an objection – after submission, and decide whether it is valid, and notify the requester of this decision. If we don’t fulfil the request of the requester, we inform them in our decision about the factual and legal reasons.
It is important for us to keep personal data safe, and we also respect the User’s right to informational self-determination, therefore we seek to respond to all requests in a fair and timely manner. In this regard, we ask Users to contact us first with any complaints or queries before turning to authorities or courts to enforce their potential claims, so that any objections can be addressed as quickly as possible.
In case this proves unsuccessful, our User can:
In the event of rectification, erasure or restriction of data processing, we will always notify the recipients to whom the personal data of the User might have been disclosed, unless this proves to be impossible, or when the effort necessary to do so would be disproportionate. On the User’s request, we shall give information about these recipients.
We shall give information about the measures taken in response to requests under Section 4 electronically no later than one month after receiving such request, if the User does not require otherwise. This period can be extended by an additional two months where necessary, taking into account the complexity of the request or the number of requests. The User shall be informed of such extension together with a description of the underlying reasons within one month from receiving the request.
When requested by the User, the information may be provided orally, provided that the User’s identity is proven by other means.
If we do not take action on a request, we shall inform the User of the reasons no later than one month after receiving the request, and also of the fact that they can lodge a complaint with NAIH and seek a judicial remedy (Section 4.9).
Under exceptional circumstances, where we have reasonable doubts concerning the identity of the natural person making the request, we shall request the provision of additional information necessary to confirm their identity. This measure is necessary to promote the confidentiality of data processing defined in Article 5(1)(f) of GDPR, i.e. to prevent unauthorised access to the personal data.
We shall provide information for the requests concerning Section 4, and implement the corresponding measures free of charge.
If the User’s request is clearly unreasonable or has an excessive character (especially when it’s recurrent), we shall charge a reasonable fee (considering the incurring administrative costs when providing the requested information or the notification, or implementing the requested measure), or we shall refuse to take action based on the request.
The web host as data processor has the right to access the personal data provided during the use of the website.
Name: Websupport Magyarország Kft.
Contact: https://www.hsagroup.hu/impresszum/
Our website is connected to various social media platforms (e.g. Facebook, LinkedIn, Twitter, Google+, Instagram, YouTube); which means that in case the User “likes” our Facebook page, or “follows” us on Twitter, we get to know all the publicly available personal data connected to their account. Data processing activities on these platforms are subject to the relevant information contained in the respective service provider’s own privacy notice.
Meta Platforms Ireland Limited (registered office: 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland, Irish company registration number: 462932, website: https://about.facebook.com/meta) is understood to offer Meta-products within the Facebook platform (including Facebook mobile app and in-app browser). In the context of the use of Facebook, the Terms of Use, Privacy Policy and Privacy Notice of Meta Platforms Ireland Limited shall govern the data processing activities depending on the specific purpose of the data processing:
Together with Meta Platforms Ireland Limited, we are jointly responsible for the processing of your personal data for the purposes of targeting, delivering commercial and transactional messages, personalizing features and content, and improving and securing Meta-products. In order to comply with the GDPR, the agreement pertaining to the clarification of responsibilities and the Data Privacy Shield Framework are available on the following pages:
https://www.facebook.com/legal/Workplace_GDPR_Addendum
https://en-gb.workplace.com/legal/Workplace_GDPR_Addendum
https://www.facebook.com/about/privacyshield
In the context of joint data processing, it is predominantly the responsibility of Meta Platforms Ireland Limited to provide information about the processing, furthermore, to enable data subjects to exercise their rights according to the GDPR. For more information on Facebook’s processing of your personal data and the rights and options available to you in this regard, please refer to the Privacy Notice for Facebook of the Meta Platforms Ireland Limited, available here: https://www.facebook.com/about/privacy/
In all other respects the parties shall be responsible for the processing of personal data individually.
Data processing implemented by us is based on the User’s consent, in compliance with Article 6(1)(a) of the GDPR. You may withdraw your consent at any time in the future by changing your preferences set in the ’cookie bar’. The withdrawal of consent does not affect the lawfulness of the data processing that took place before the withdrawal of consent.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, we shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
We and the employees of the data processors are authorised to access the personal data of the User to an extent appropriate for the tasks of their job. We shall take all security, technical and organisational measures to safeguard the safety of the data.
Our IT systems can only be accessed with personalised accounts. When assigning such access, there is a “necessary and sufficient” approach: any employee can use our IT systems and services to the extent appropriate for completing their tasks, with the corresponding rights and for the sufficient period of time. Access to the IT systems and services shall be given only to the person who is not subject to restrictions for security or other (e.g. conflict of interest) reasons, and who has the professional, business and information security knowledge for the safe use thereof.
We and our data processors are bound by a written statement of strict confidentiality and are required to act in accordance with these rules of confidentiality in the course of our activities.
Data (except for the data stored by our data processors) are stored on our own devices, in a data centre. The IT devices storing these data are located separately, in severed, secured server rooms, protected by a multi-level access control system with authorisation control.
Our intranet is safeguarded by multi-level firewall protection. There is always a hardware firewall (gateway device) at the entry points of the public networks used, everywhere and in every instance. Data is stored redundantly, which means the same data is stored at different locations, in order to protect them from destruction, loss, damage or unauthorised destruction.
Our intranets are protected from outside attack via multi-level, active protection (e.g. virus protection) against complex malware codes. We enable the necessary external access to the IT systems and databases we operate via an encrypted data connection (VPN).
We shall do our best to always keep our IT devices and software compliant with the technological solutions widely accepted in the market. Through our developments, we create systems that use logging to control and monitor operations and detect incidents such as unauthorised access. Our server is located on a separate and dedicated server of the web host provider, protected and secured. Taking into account the applicable recommendation of NAIH, we use the https protocol on the website, which means a higher level of data security as opposed to the http protocol.
For the appropriate functioning of our website, in certain cases we place small data files on the computer device of the User, just like most modern websites do.
A cookie is a small text file placed on the computer device (including mobile phones) of the User by the website. This allows the website to “remember” the settings of the User (e.g. language, font size, display option, etc. used), so that the User won’t need to set these again when visiting our website. For a list of the cookies used on our website, please see the Cookie Policy published on the website (https://www.hsagroup.hu/sutik//).
Cookie files can be deleted (for more details see www.AllAboutCookies.org), or most browsers used today can block them, too. In this case, however, you will need to make certain settings again each time you use our website, and some services might not function properly. For details about deleting and blocking cookies, see www.AllAboutCookies.org (in English) and the following links regarding the various browsers used by the User:
If we want to use the data provided for a purpose other than the original purpose for which it was collected, we will notify the Users about doing so, obtain their preliminary, explicit consent, and give them the opportunity to ban using their data.
In compliance with Article 30 of the GDPR, we keep records of the data processing activities carried out under our responsibility (records of data processing activities).
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed. In case of a personal data breach, we are obliged to proceed according to Articles 33 and 34 of the GDPR. We document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
We have the right to amend this Notice any time unilaterally. In case this Notice is amended, we keep the previous versions, and, if possible and reasonable, notify the data subjects of the amended clauses.
Effective date: February 2026
HSA Group Zrt.
Data Controller
When drafting this Notice, the Data Controller considered the applicable and effective laws and regulations and the major international recommendations, particularly the following:
Access
The User shall have the right to get access to their personal data processed by us, upon their request submitted via our contact details. By doing this, the User shall obtain information on whether processing is taking place, the purposes, categories, recipients, storage period, rights, remedy options, and the source of data.
Moreover, the User may request making a copy of their personal data subject to data processing available for them in a structured, commonly used and machine-readable format (PDF/XML) and/or in a printed version. The User can request such copy free of charge.
Rectification
The User shall have the right to ask the personal data concerning them and processed by us, and which are inaccurate, to be rectified. We may ask for additional information to verify accuracy. We shall restrict processing until correction is finished where needed.
Erasure
The User shall have the right to request the erasure of personal data if we no longer need the data, or if the User has concerns about the lawfulness of our processing. If erasure is required, we cease processing and destroy the data.
Restriction of data processing
The User may request restriction instead of erasure where processing is contested or where the data are needed for legal claims. During restriction, only storage is performed, unless specific exceptions apply.
Data portability
The User may request provision of their personal data in a structured, commonly used and machine-readable format (PDF/XML) and/or printed version, and may request transfer to another controller. This does not automatically mean deletion from our systems.
Objection
The User may object to processing for purposes described in Section 3.1. We will assess overriding legitimate grounds; if none exist, we will stop processing.
Personal data processed:
For the purposes of managing and assisting in the relocation process of employees and students of a third-country wishing to study or work in Hungary (hereinafter referred to as “Employee”) as data subjects, carrying out the administrative activities relating to relocation and post-relocation, as well as managing the tasks related to an apartment leasing agreement on behalf of the Employee, preparing the lease contract and carrying out the related communication, the following personal data shall be processed relating to the Employee: name, date of birth, place of residence, e-mail address, telephone number, VAT number, Hungarian social security (TAJ) number and other personal data voluntarily provided by the data subject. Furthermore, personal data required during the administration process as set forth in Act XC of 2023 on the General Rules for the Entry and Residence of Third-Country Nationals. In addition, personal data relating to the lessor (hereinafter referred to as “Lessor”) within the process of conclusion of the rental contract, preparation and administrative tasks relating thereof. The Employee and the Lessor shall hereinafter be collectively referred to as Data Subjects.
Our services are available at https://www.go2hu.com/ and https://www.hsagroup.hu/ (hereinafter the Website).
Data controller:
HSA Relocation Ltd. (hereinafter Data Controller or Controller)
(registered seat: 4025 Debrecen, Széchenyi street 48., company registration number: 09 09 017314)
Contact details to the Data Protection Officer:
E-mail: miklos.peter@hsagroup.hu
Purpose of the intended processing of personal data:
Legal basis for processing:
Categories of recipients of personal data:
Data processor:
The storage period of personal data:
Data security measures
The data processing activities will be conducted both electronically and paper based.
The Data Controller stores all data – with the exception of data stored by the data processors – on its own equipment, in a data center. Both the IT system and network are protected by firewalls. Documents are stored in a locked space; access is granted only to competent employees and staff to the extent necessary for duties, and measures are taken to prevent unauthorized access.
Rights of data subjects:
Right of access – confirmation, access and information as listed in the notice, including copies (fees for additional copies may apply).
Right to rectification – correction of inaccurate data and completion of incomplete data.
Right to erasure – “right to be forgotten”, including exceptions and obligations.
Right of restriction of processing – conditions and effects of restriction and communication to recipients.
Right to object – objection on grounds relating to the data subject’s situation; processing stops unless overriding grounds exist.
Right to data portability – receipt and transmission of provided data under GDPR conditions.
Provision of information
We shall provide information by electronic means on the measures taken following requests within a maximum of one month (or 15 days in the event of an objection), unless otherwise requested; deadlines may be extended by two months where necessary, with notice of reasons.
Remedies
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa street 9-11.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Enforcement of rights: the burden of proof that the data processing is lawful is on the Controller. The burden of proof of the lawfulness of the data transfer lies with the recipient. The General Court has jurisdiction. Actions may also be brought, at the discretion of the Data Subject, before the courts of the place of abode or residence of the Data Subject.
This Privacy Notice applies to the data processing activities of HSA Relocation Ltd. as the Data Controller. In the event a contract specifies a data processing activity for HSA Relocation Ltd., the obligation to provide information on the processing activities shall fall on the Data Controller.