PRIVACY NOTICE
Contents
1 What is the aim of this notice?
2 Details of the data controller
3.1 Processing concerning contacting and communication
3.1.1 What data are processed and what is the purpose of data processing
3.1.2 Legal basis of data processing
3.1.3 Duration of data processing
3.1.4 Method of data processing
3.2. Processing concerning direct requests
3.2.2 Legal basis of data processing
3.2.3 Duration of data processing
3.2.4 Method of data processing
3.3. Processing concerning newsletter
3.3.1. Processed personal data and purpose of processing
3.3.2. Legal basis of processing
4.5 Right to restriction of processing
5 Our process related to requests to exercise rights
5.1 Notification of recipients
5.2 Method and deadline of notification
5.4 Costs of notification and taking action
6 Possible recipients of personal data, and data processors
6.1 In terms of operating the website
6.2 In terms of social media platforms
6.3 Joint data management with Meta Platforms Ireland Limited
8.3 How can cookies be managed?
9.1 Data processing for other purposes
9.2 Record keeping requirements
Appendix 10.1: Applicable laws and regulations
Appendix 10.2: Definition of terms relating to the processing of personal data
Appendix 10.3: Rights of data subjects
Appendix 10.4 PRIVACY NOTICE – in relation to relocation of third-country employees
We hereby accept this Notice in order to provide the representatives of the natural and legal persons (hereinafter: Users) using our services with all the relevant information and details in a concise, transparent, comprehensible and easily accessible way, with clear and simple wording, and also to help Users exercise their rights specified in Section 4. Our services are available at www.hsagroup.hu. HSA Group Zrt. is a member of a group of companies that include HSA Relocation Ltd among others. The HSA Relocation Ltd’s tasks include the administration and assistance in the resettlement of third-country workers, the performance of related administrative activities following the resettlement, as well as the administration relating to the leasing of an apartment for the benefit of such employee, the preparation of the lease contract and the conduct of related communication.
The relevant data processing activities and information are set out in Appendix 10.4. of this Notice. The HSA Group is a group of companies specializing in the employment of all people, including adults, students and pensioners, where the member companies are tasked to provide various tasks required within the scope of the recruitment activities. The members of the HSA Group are involved in the processing of candidates’ and applicants’ personal data stored in the system operated by Hirefy Ltd. The relevant HSA Group privacy notice is available within the Hirefy system.
The basis of our information obligation is Article 12 of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR), applicable as of 25 May 2018, Article 16 of Act CXII of 2011 on informational self-determination and freedom of information (hereinafter: Infotv.), as well as Article 4 of Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (hereinafter: Elkertv.).
This Notice has been prepared with consideration to GDPR, Infotv. and other laws relevant to data processing. These laws and regulations are listed in Appendix 10.1 of this Notice, the main terms are defined in Appendix 10.2, a detailed description of the data subjects’ rights can be found in Appendix 10.3., and the privacy notice of the HSA Relocation Ltd is attached in Appendix 10.4. of this Notice.
When preparing and implementing this notice, we followed the findings in the recommendations of the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság) on the data protection requirements of preliminary information, and also the accountability principle described in Article 5 of the GDPR, particularly Article 5(2). We also monitor the practice of the European Union related to the protection of personal data; thus we include in our practices the content of the guidelines on transparency set out by the Article 29 Working Party of the European Commission.
Name: HSA Group Zrt.
Registered office: H-4025 Debrecen, Széchenyi utca 48. 1. em.
Company registration number: 09-10-000666
VAT ID: 32223877-2-09
Email: info@hsagroup.hu
Data protection officer: Dr. Miklós Péter, miklos.peter@hsagroup.hu
This section details the relevant circumstances for each data processing activity required of all data controllers by the GDPR and other legislation applicable to the industry.
You may contact us through our home page with any purpose. Besides, it is part of our job to process the personal data of the contact persons of our business partners. Please refer to the details of the corresponding data processing below.
Personal data | Purpose of data processing | Legal basis of data processing |
name | identification of the User or the contact person of our business partner | Consent given by the User (Article 6(1) (a) of GDPR) Legitimate interest of the business partner (Article 6(1) (f) of GDPR) |
email address | contacting the User or the contact person of our business partner | Consent given by the User (Article 6(1) (a) of GDPR) Legitimate interest of the business partner (Article 6(1) (f) of GDPR) |
phone number | contacting the User or the contact person of our business partner | Consent given by the User (Article 6(1) (a) of GDPR) Legitimate interest of the business partner (Article 6(1) (f) of GDPR) |
public profile data accessible on social media platforms | identification of the User | Consent given by the User (Article 6(1) (a) of GDPR) Legitimate interest of the business partner (Article 6(1) (f) of GDPR) |
The consent of the User given when getting in contact by showing voluntary, explicit behaviour (making a phone call or sending an email) to processing their personal data for a purpose defined in Section 3.2.1 (Article 6(1) (a) of GDPR).
In case we use the data of the User for a purpose other than the original purpose for which it was collected, we will notify the User about doing so, obtain their preliminary, explicit consent, and give them the opportunity to ban using their data (see: Section 9.1).
The above specified personal data of the contact person of our business partner are processed based on the legitimate interest of the data controller and the business partner (Article 6(1) (f) of GDPR). It’s the legitimate interest of both parties to have effective business communications while using the website and discussing the partnership, and to be able to inform each other’s relevant representatives of the material circumstances relevant to our contract. Here, the right to informational self-determination of the contact person of our business partner is not considered to be violated, as it is their official or contractual duty to facilitate communication between the parties and to provide their personal data for this purpose. The contact person of our business partner can object to such data processing.
We process the provided personal data until the consent is withdrawn. The User can withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
We process the personal data of the contact persons of our business partners for a period necessary for communication and until we are required to do so by applicable law (in compliance with Act V of 2013, it is 5 years from the performance or termination of the contract, and in compliance with Act C of 2000, it is 8 years from issuing the invoice).
Electronically.
In order for us to carry out effective market research and to be able to present our pursued activities to relevant economic operators and businesses, the Data Controller’s employees shall make direct enquiries by telephone and via e-mail. Based on the results and responses to the market research the Data Controller shall prepare a technical material for business magazines and trade portals. Please refer to the details of the corresponding data processing below.
Personal data | Purpose of data processing | Legal basis of data processing |
name of the contact person of a business | identification and addressing the User | Legitimate interest (Article 6(1) (f) of GDPR) |
telephone number and email address of the contact person of a business | contacting the User and forwarding the direct requests to them | Legitimate interest (Article 6(1) (f) of GDPR) |
business address of the contact person of a business | sending a gift package to the business as a reward for the participation in the direct enquiry and to encourage further cooperation | Legitimate interest (Article 6(1) (f) of GDPR) |
The above specified personal data of the contact person of our business partner are processed based on the legitimate interest (Article 6(1) (f) of GDPR). In light of Recital 47 of the GDPR, the processing of personal data for direct marketing purposes may be considered to be based on legitimate interest. As such, we have a legitimate interest in conducting market research relating to the economic activity of our companies and presentation of the activities thereof as a purpose of the processing.
In our view, in the light of the Article 29 Data Protection Working Party’s (Article 29 Working Party) report 06/2014 on the concept of legitimate interest, the Commission shall take the necessary steps to ensure that the information we provide is based on the legitimate interest of the data subject. Our legitimate interest shall prevail over the right of access to the personal data of the contact persons of the undertakings, since our data management practices contribute significantly to our business interests and the contact persons can reasonably assume that the publication of their contact details on the undertaking’s website will lead to them being contacted for any purpose, including but not limited to marketing, by representatives of undertakings unknown to them. The contact person directly contacted has the right to object to the processing (point 4.7.).
In view of the fact that pursuant to Article 6 (1) of Act XLVIII of 2008 on the Basic Conditions and Certain Restriction of Economic Advertising Activities, the prior and explicit consent of the recipient of the advertising to a direct marketing request is only required if the recipient of the advertising is a natural person. In our view, it is not necessary to obtain prior consent of the contact persons in connection with the aforementioned processing, as the recipients of our marketing requests are legal persons.
We process the personal data of the contact persons of our business partners for the purpose of our legitimate interests, until the purpose of the processing is fulfilled. If the contact person objects to or requests the deletion of his or her personal data, his of her name and contact details shall be deleted without delay.
Electronically.
In order to provide relevant information to you, it is possible to subscribe our newsletter both in the registration form and on our website’s specific surface serving for this purpose. The details of such processing are described hereunder.
Personal data | Purpose of processing | Legal basis of data processing |
name | by providing this information we can address the User in our newsletter | Consent given by the User (Article 6(1) (a) of GDPR) |
e-mail address | by providing this information we are able to learn the User’s electronic contact details to which we can send our newsletter to | Consent given by the User (Article 6(1) (a) of GDPR) |
The User’s consent (Article 6 (1) a) of the GDPR and Article 6 (1) of Act XLVIII of 2008 on the Basic Conditions and Certain Restrictions of Economic Advertising (hereinafter: Act XLVIII).
The personal data provided will be processed until consent is withdrawn. You may withdraw your consent at any time by clicking on the “Unsubscribe” button in the letter sent to you. The withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.
Electronically.
It is important for us to process data in a way that meets the requirements of fairness, lawfulness and transparency. In this context, we will briefly describe in this section what type of rights data subjects have. Further details can be found in Appendix 3 to this notice.
Our Users may request free information on the details of the processing of their personal data, access to or obtain a copy of the personal data processed, and in certain cases specified by law, request the rectification, erasure, blocking or restriction of the processing of such personal data and object to the processing of such personal data. Users may send their requests for information or requests under this section to the contact details provided in Section 2.
Our User can receive feedback from us about the processing of their personal data, access these personal data and the details of their processing, and obtain a copy of the personal data processed by us.
On the User’s request, we rectify their inaccurate personal data without undue delay, and the User shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
On the User’s request, we shall erase their personal data, if processing is not needed any more, or if the User withdraws their consent, or objects to processing their data, or processing is unlawful.
We seek to inform all data controllers of the User’s request for erasure (if they require us to do so) who accessed or might have accessed the potentially disclosed data of the User.
On the User’s request, we shall restrict data processing if the accuracy of personal data is debatable, or data processing is unlawful, or our User objects to processing their data, or in case we no longer need the provided personal data.
Our User can receive the personal data concerning and provided by them in a structured, commonly used and machine-readable format, and has the right to transmit it to other data controllers.
Our User should have the right to object to processing their personal data based on legitimate interest for a reason related to their own circumstances (see: Section 3.1). In this case we are not allowed to process these personal data any longer, unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims. In case of objection, personal data are not allowed to be processed any further by default.
We shall assess the request as soon as possible after submission, but no later than 30 days – 15 days in the case of an objection – after submission, and decide whether it is valid, and notify the requester of this decision. If we don’t fulfil the request of the requester, we inform them in our decision about the factual and legal reasons.
It is important for us to keep personal data safe, and we also respect the User’s right to informational self-determination, therefore we seek to respond to all requests in a fair and timely manner. In this regard, we ask Users to contact us first with any complaints or queries before turning to authorities or courts to enforce their potential claims, so that any objections can be addressed as quickly as possible.
In case this proves unsuccessful, our User can
In the event of rectification, erasure or restriction of data processing, we will always notify the recipients to whom the personal data of the User might have been disclosed, unless this proves to be impossible, or when the effort necessary to do so would be disproportionate. On the User’s request, we shall give information about these recipients.
We shall give information about the measures taken at the requests related to Section 4 electronically no later than one month after receiving such request, if the User does not require otherwise. This period can be extended with an additional two months as applicable, regarding the complexity of the request or the number of requests. The User shall be informed of such extension together with a description of the underlying reasons within one month from receiving the request.
When requested by the User, the information may be provided orally, provided that the User’s identity is proven by other means.
If we do not take action on a request, we shall inform the User of the reasons no later than one month after receiving the request, and also of the fact that they can lodge a complaint with NAIH and seek a judicial remedy (Section 4.9).
Under exceptional circumstances, where we have reasonable doubts concerning the identity of the natural person making the request, we shall request the provision of additional information necessary to confirm their identity. This measure is necessary to promote the confidentiality of data processing defined in Article 5 (1) (f) of GDPR, i.e. to prevent unauthorised access to the personal data.
We shall provide information for the requests concerning Section 4, and implement the corresponding measures free of charge.
If the User’s request is clearly unreasonable or has an excessive character (especially when it’s recurrent), we shall charge a reasonable fee (considering the incurring administrative costs when providing the requested information or the notification, or implementing the requested measure), or we shall refuse to take action based on the request.
The web host as data processor has the right to access the personal data provided during the use of the website.
Name: Websupport Magyarország Kft.
Contact: https://www.hsagroup.hu/impresszum/
Our website is connected to various social media platforms (e.g. Facebook, LinkedIn, Twitter, Google+, Instagram, YouTube); which means that in case the User “likes” our Facebook page, or “follows” us on Twitter, we get to know all the publicly available personal data connected to their account. Data processing activities on these platforms are subject to the relevant information contained in the respective service provider’s own privacy notice.
Meta Platforms Ireland Limited (registered office: 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland, Irish company registration number: 462932, website: https://about.facebook.com/meta) is understood to offer Meta-products within the Facebook platform (including Facebook mobile app and in-app browser). In the context of the use of Facebook, the Terms of Use, Privacy Policy and Privacy Notice of Meta Platforms Ireland Limited shall govern the data processing activities depending on the specific purpose of the data processing:
https://www.facebook.com/legal/Workplace_GDPR_Addendum
https://en-gb.workplace.com/legal/Workplace_GDPR_Addendum
https://www.facebook.com/about/privacyshield
https://www.facebook.com/about/privacy/
Data processing implemented by us is based on the User’s consent, in compliance with Article 6 (1) a) of the GDPR. You may withdraw your consent at any time in the future by changing your preferences set in the ’cookie bar’. The withdrawal of consent does not affect the lawfulness of the data processing the took place before the withdrawal of consent.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, we shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
We and the employees of the data processors are authorised to access the personal data of the User to an extent appropriate for the tasks of their job. We shall take all security, technical and organisational measures to safeguard the safety of the data.
Our IT systems can only be accessed with personalised accounts. When assigning such access, there is a “necessary and sufficient” approach: any employee can use our IT systems and services to the extent appropriate for completing their tasks, with the corresponding rights and for the sufficient period of time. Access to the IT systems and services shall be given only to the person who is not subject to restrictions for security or other (e.g. conflict of interest) reasons, and who has the professional, business and information security knowledge for the safe use thereof.
We and our data processors are bound by a written statement of strict confidentiality and are required to act in accordance with these rules of confidentiality in the course of our activities.
Data (except for the data stored by our data processors) are stored on our own devices, in a data centre. The IT devices storing these data are located separately, in severed, secured server rooms, protected by a multi-level access control system with authorisation control.
Our intranet is safeguarded by multi-level firewall protection. There is always a hardware firewall (gateway device) at the entry points of the public networks used, everywhere and in every instance. Data is stored redundantly, which means the same data is stored at different locations, in order to protect them from destruction, loss, damage or unauthorised destruction.
Our intranets are protected from outside attack via multi-level, active protection (e.g. virus protection) against complex malware codes. We enable the necessary external access to the IT systems and databases we operate via an encrypted data connection (VPN).
We shall do our best to always keep our IT devices and software compliant with the technological solutions widely accepted in the market. Through our developments, we create systems that use logging to control and monitor operations and detect incidents such as unauthorised access. Our server is located on a separate and dedicated server of the web host provider, protected and secured. Taking into account the applicable recommendation of NAIH, we use the https protocol on the website, which means a higher level of data security as opposed to the http protocol.
For the appropriate functioning of our website, in certain cases we place small data files on the computer device of the User, just like most modern websites do.
A cookie is a small text file placed on the computer device (including mobile phones) of the User by the website. This allows the website to “remember” the settings of the User (e.g. language, font size, display option, etc. used), so that the User won’t need to set these again when visiting our website. For a list of the cookies used on our website, please see the Cookie Policy published on the website (https://www.hsagroup.hu/sutik//).
Cookie files can be deleted (for more details see www.AllAboutCookies.org), or most browsers used today can block them, too. In this case, however, you will need to make certain settings again each time you use our website, and some services might not function properly. For details about deleting and blocking cookies, see www.AllAboutCookies.org (in English) and the following links regarding the various browsers used by the User:
If we want to use the data provided for a purpose other than the original purpose for which it was collected, we will notify the Users about doing so, obtain their preliminary, explicit consent, and give them the opportunity to ban using their data.
In compliance with Article 30 of the GDPR, we keep records of the data processing activities carried out under our responsibility (records of data processing activities).
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed. In case of a personal data breach, we are obliged to proceed according to Articles 33 and 34 of the GDPR. We document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
We have the right to amend this Notice any time unilaterally. In case this Notice is amended, we keep the previous versions, and, if possible and reasonable, notify the data subjects of the amended clauses.
Effective date: 2024 december
HSA Group Zrt.
Data Controller
When drafting this Notice, the Data Controller considered the applicable and effective laws and regulations and the major international recommendations, particularly the following:
Access
The User shall have the right to get access to their personal data processed by us, upon their request submitted via our contact details. By doing this, the User shall obtain information on the following:
Moreover, the User may request making a copy of their personal data subject to data processing available for them. In this case, personal data shall be made available to them in a structured, commonly used and machine-readable format (PDF/XML), and/or in a printed, paper-based version thereof. The User can request such copy free of charge.
Rectification
The User shall have the right to ask the personal data concerning them and processed by us, and which are inaccurate, to be rectified upon their request submitted via our contact details. In case we do not have the information necessary for the correction and completion of the erroneous data, we may ask them to submit the additional information and a verification of the accuracy of these data. We shall restrict processing the data subject’s personal data, and temporarily suspend the operations carried out related to them (except storage), until the correction and completion of data is finished (due to lack of supplementary information).
Erasure
The User shall have the right to ask the erasure of the personal data concerning them and processed by us, upon their request submitted via our contact details, if any of the following conditions apply:
In case we find upon the request of the User that there is a valid obligation to erase the personal data processed by us, we cease processing the data, and destroy the personal data processed earlier. In addition, an obligation to erase personal data may result from the withdrawal of consent, the exercise of the right to object, and also based on legal obligations.
Restriction of data processing
The User shall have the right to ask the restriction of processing the personal data concerning them and processed by us, upon their request submitted via our contact details, in the following cases
We shall automatically restrict processing the personal data when the User contests the accuracy of the personal data, and/or the User exercises their right to object. In this case, restriction applies to a period enabling the verification of the accuracy of the personal data and/or (in case of objection) exploring if the preconditions for data processing are still met.
During the restriction period, no data processing operations shall be completed on the marked personal data, except for storage. In case data processing is restricted, personal data shall be processed exclusively in the following instances:
We shall inform the User before the restriction is lifted.
Data portability
The User shall have the right to ask the provision of the personal data concerning them and processed by us, for further use defined by the User, upon their request submitted via our contact details. In addition, the User can also request us to transfer their personal data to the other data controller specified by them.
This right applies exclusively to the personal data provided by the User and processed for the completion of their contract. There is no option to make any other data portable. Personal data shall be provided to the User in a structured, commonly used and machine-readable format (PDF/XML), and/or in a printed, paper-based version thereof.
Please note that exercising this right does not automatically mean erasing the User’s personal data in our systems. Moreover, the User should have the right to re-establish their relationship with us even after portability of their data is implemented.
Objection
The User shall have the right to object to processing their personal data for purposes described in Section 3.1 of this Notice, upon their request submitted via our contact details. In this case we assess whether the compelling legitimate grounds for the processing which override the interests, rights and freedoms of the User or for the establishment, exercise or defence of legal claims. If we find that such grounds exist, we carry on processing the personal data. Otherwise, we shall not process the personal data any longer.
For the purposes of managing and assisting in the relocation process of employees and students of a third-country wishing to study or work in Hungary (hereinafter referred to as “Employee”) as data subjects, carrying out the administrative activities relating to relocation and post-relocation, as well as managing the tasks related to an apartment leasing agreement on behalf of the Employee, preparing the lease contract and carrying out the related communication, the following personal data shall be processed relating to the Employee: name, date of birth, place of residence, e-mail address, telephone number, VAT number, Hungarian social security (TAJ) number and other personal data voluntarily provided by the data subject. Furthermore, personal data required during the administration process as set forth in Act XC of 2023 on the General Rules for the Entry and Residence of Third-Country Nationals. In addition, personal data relating to the lessor (hereinafter referred to as “Lessor”) within the process of conclusion of the rental contract, preparation and administrative tasks relating thereof. The Employee and the Lessor, shall hereinafter be collectively referred to as Data Subjects.
Our services are available at https://www.go2hu.com/ and https://www.hsagroup.hu/ (hereinafter the Website).
HSA Relocation Ltd. (hereinafter Data Controller or Controller)
(registered seat: 4025 Debrecen, Széchenyi street 48., company registration number: 09 09 017314)
E-mail: miklos.peter@hsagroup.hu
Management and assistance of the Employee concerning the relocation and settlement of Employee and contact with aforementioned Employee.
The purpose of processing of personal data is to take, record and monitor administrative measures following the conclusion of the relocation.
The purpose of the processing of the data relating to the lease agreement is the preparation of the aforementioned agreement, the conclusion with the Lessor thereof, additionally, assistance in the related communication in between the Lessor and Employee.
With regard to the administration of the relocation and the preparation and conclusion of the lease agreement and providing of contact with the Lessor, the processing of data is necessary for the performance of contracts (i.e. the employment and lease agreements) to which the data subject is a party to or in order to take steps at the request of the data subject prior to entering into a contract, pursuant to Article 6 (1) (b) (contract) of Regulation 2016/679 of the European Parliament and of the Council (GDPR).
Following the conclusion of the relocation, the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party in accordance with Article 6 (1) (f) of the GDPR (legitimate interest).
Meta Platforms Ireland Limited (registered office: 4 Grand Canal Square Grand Canal Harbour Dublin 2, Ireland, Irish company registration number: 462932, website: https://about.facebook.com/meta) is understood to offer Meta-products within the Facebook platform (including Facebook mobile app and in-app browser). In the context of the use of Facebook, the Terms of Use, Privacy Policy and Privacy Notice of Meta Platforms Ireland Limited shall govern the data processing activities depending on the specific purpose of the data processing:
https://www.facebook.com/legal/Workplace_GDPR_Addendum
https://en-gb.workplace.com/legal/Workplace_GDPR_Addendum
https://www.facebook.com/about/privacyshield
https://www.facebook.com/about/privacy/
Data processing implemented by us is based on the User’s consent, in compliance with Article 6 (1) a) of the GDPR. You may withdraw your consent at any time in the future by changing your preferences set in the ’cookie bar’. The withdrawal of consent does not affect the lawfulness of the data processing the took place before the withdrawal of consent.
Name: Mango Technologies, Inc. DBA ClickUp
Registered seat: 350 Tenth Ave 5th floor San Diego, CA 92101
Contact: https://clickup.com/
Name: Evolution Consulting Ltd.
Registered seat: 3515 Miskolc Egyetemváros AFKI, 2nd floor
Contact: info@evolution-consulting.hu
Name: Websupport Hungary Ltd.
Registered seat: 1119 Budapest, Fehérvári út 97-99.
Contact: https://www.websupport.hu/
The Data Controller shall store the personal data for a period of 6 months from the date of the termination of the Employee’s residence permit or until the notification of an objection occurs.
The Data Controller shall resort to use the photocopies of the documents for the purpose of administrative procedures specified in Act XC of 2023 to the extent necessary for the procedures thereunder and shall erase them upon completion of the purpose of the administrative procedures.
In the event the relocation is unsuccessful, i.e. the purpose of the administrative procedure for relocation fails, the Data Controller shall erase all data within 1 month following the completion of the procedure.
The personal data relating to the Employee’s lease agreement shall be stored by the Data Controller for 6 months following the termination of the lease agreement concluded by the Employee.
The data processing activities will be conducted both electronically and paper based.
The Data Controller stores all data – with the exception of data stored by the data processors – on its own equipment, in a data center. Both the IT system and network of the Data Controller are protected by firewalls against malicious codes and computer viruses. The operator shall ensure appropriate security through server-level and application-level protection measures. The Data Controller shall make its best effort to ensure that its IT tools and software continuously comply with the technological solutions generally accepted in the market operations.
The security of the data stored on documents (forms) shall be ensured by the Data Controller by storing the documents following the processing thereof, in a locked space at the Controller’s registered seat, to which only competent employees shall have access to.
The data of the data subject may be accessed by the Controller’s employees and other staff employed on other legal basis to the extent and for the duration necessary for the performance of their duties. The Data Controller shall take all necessary measures to ensure that the access codes are not disclosed to unauthorized persons.
The Data Subject shall have the right to obtain confirmation from the Controller as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The Data Subject shall have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have complete personal data completed, including by means of providing a supplementary statement.
The Data Subject shall have the right to obtain fro the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds apply:
Where the Controller has made the personal data public and is obliged pursuant to the above to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform Controllers which are processing the personal data that the Data Subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The erasure shall not apply to the extent that processing is necessary:
The Data Subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
Where processing has been restricted for reasons outlined above, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
In exercising his or her abovementioned right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The exercise of the right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right to data portability shall not adversely affect the rights and freedoms of others.
We shall provide information by electronic means on the measures taken following any requests referred to in point 10 within a maximum of on month of the receipt of the request, or 15 days in the event of an objection, unless otherwise requested by the Data Subject. This time limit may be further extended by two months where necessary, having regard to the complexity of the request or the number thereof. We shall inform the User of the extension of the deadline, outlining reasons for the extension, within one month following the receipt of the request. At the request of the Data Subject, information may be provided orally, provided that he or she proves his or her identity by other means.
In the event that we do not act on the request, we shall inform the User of the reasons for not doing so within one month following the receipt of the request at the latest, and of the right to lodge a complaint with the NAIH and to exercise the right to seek redress.
The right to lodge a complaint with the supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa street 9-11.
Telephone: +36 -1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu
Enforcement of rights: the burden of proof that the data processing is lawful is on the Controller. The burden of proof of the lawfulness of the data tranfer lies with the recipient. The General Court has jurisdiction over such case. Actions may also be brought, at the discretion of the Data Subject, before the courts of the place of abode or residence of the Data Subject.
This Privacy Notice applies to the data processing activities of HSA Relocation Ltd. as the Data Controller. In the event a contract specifies a data processing activity for HSA Relocation Ltd., the obligation to provide information on the processing activities shall fall on the Data Controller.
Career. For everyone.
DES&DEV:
