Privacy Policy

Terms of Use and Privacy

The processing of the data of its users and applicants confidentially and in compliance with the relevant data protection laws is of utmost importance for Bluebird.

Accordingly, Bluebird shall make every effort to use the personal data collected exclusively in line with the relevant data protection laws in effect and for the purposes specified in the present privacy policy, and shall not make such information accessible to unauthorised persons.

1. Information pertaining to the Controller

All personal data indicated in the present privacy policy shall be processed by the following Controllers.

Controller: BB Global Expansion Limited (Cluas Centre Limited, 31/32 Greemount Office Park, Harold’s Cross Road, Dublin D6W P289, Ireland). Controller performs its data processing activities detailed in this privacy policy with Bluebird International Zrt. (1134 Budapest, Váci út 23-27. B. ép. 1. em) jointly.

The Controller has determined together with the Joint Controller the purpose, means and distribution of responsibilities for fulfilling the controller's obligations in relation to processing, as well as the role of controllers vis-à-vis data subjects and their relationship with them. The Controller informs the data subjects that they may primarily turn to the Joint Controller with their questions and possible complaints related to data processing, and they may also submit their request for exercising their rights to the Controller. Nevertheless, data subjects may decide at any time to address their questions regarding the processing of their data directly to the Controller and to exercise their rights directly against the Controller.

In this privacy policy, the controller and the joint controller are hereinafter referred to as the Controller together.

2. General Rules

The purpose of the present privacy policy is to ensure that, in all areas of the services provided by Bluebird, in the course of the processing of personal data, the rights and fundamental freedoms of all data subjects, regardless of their nationality or place of residence, are respected, with particular attention to their right to privacy.

The scope of this policy shall cover all data processing activities and operations listed in this document and performed by the Controller.

Bluebird calls the attention of the data subjects to the fact that Bluebird does not check whether the personal data provided by the data subjects are accurate and true. All data subjects who provide personal data in accordance with the present privacy policy shall undertake the responsibility at the time of providing such data that they only provide to Bluebird their own personal data, which they are entitled to dispose of. In case a data subject acts differently than provided above, all liability in connection with such acts shall be borne by the data subject.

The provisions of this Privacy Policy govern the processing of data of data subjects located in the EU and in the United States of America by BB Global Expansion Limited (Cluas Centre Limited, 31/32 Greemount Office Park, Harold's Cross Road, Dublin D6W P289, Ireland, [email protected]) as controller.

Processing of personal data of individuals located in the United States of America by Bluebird Global Inc. (1221 Brickell Ave, Suite 900, Miami, FL 33131, USA, [email protected]) as controller is governed by applicable Federal Data Protection Regulation and not this privacy policy.

3. Definitions

Personal data: all such information that relates directly or indirectly to a natural person who is identified or identifiable on basis of one or several identifiers, factors or properties.

Processing: any operation performed on personal data, regardless of its mode, such as collection, recording, organisation, structuring, storage, conversion, alteration, retrieval, consultation, use, disclosure by transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: the entity that alone or jointly with others determines the purpose and means of the processing of the personal information.

Processor: a natural or legal person processing personal data for and on behalf of the controller who performs technical tasks related to data processing, irrespective of the methods and means employed for such operations and the venue where it takes place.

Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she clearly signifies agreement to the processing of his or her personal data.

Filing system: a database containing personal data which are accessible according to specific criteria.

Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed.

Supervisory authority: the independent authority established in the interest of the protection of the rights and freedoms of natural persons in course of the processing of their personal data, as well as the facilitation of the free flow of personal data within the EU.

Personal data breach: such violation of the requirements of data security as a result of which the personal data transferred, stored or otherwise processed are accidentally or unlawfully destroyed, lost, modified, disclosed to unauthorised persons, or such persons gain access to them.

Website: the website accessible at the URL https://bluebirdinternational.com/, on which the data subjects provide their personal data processed by the Controller.

4. The Manner and Principles of Data Processing

The data processed by the Controller may only be accessed by authorised employees of the Controller, and only to the extent and for the duration necessary for the performance of their job-related tasks. Such access, as well as all operations performed on the personal data shall be electronically logged, by recording the identity of the person performing the actual data processing operation and the date/time of access. In the interest of full compliance with the requirements applicable to data processing, the Controller adopted its internal data processing policy, which shall be binding upon all of its employees who become familiar with personal data during their work, and compliance with the aforementioned internal policy by all employees shall be enforced and checked by the Controller.

The personal data listed in the present privacy policy shall be used by the Controller, as a company engaged in private recruitment activities for the benefit of clients in the IT sector looking for workers, and as a company providing various IT services and consulting activities, in each case in accordance with the individually determined purposes of data processing.

When determining the method of data processing and during the entire data processing, the Controller performs all technical and organisational measures with the help of which the principles of data protection can be enforced, and the rights of data subjects can be protected. The measures implemented at the Controller as a responsible controller have been determined in line with the state of the art in science and technology, also taking into consideration the costs of implementation, as well as reckoning with and assessing the risks pertaining to the personal data of individuals.

The Controller shall process all personal data coming into its possession lawfully and fairly, and in such a way that the data processing remains transparent to the data subjects for the entire duration of the data processing activities.

In course of the data processing activities of the Controller, the collection of personal data may only take place for the lawful purposes clearly defined in the present privacy policy. The Controller shall devote particular attention to ensuring that no personal data are processed in a way that is not reconcilable with the purposes detailed in this privacy policy.

The Controller shall only process personal data that are appropriate and relevant from the point of view of the individual purpose of the data processing, as well as necessary for achieving that purpose. The Controller shall strive to ensure that the personal data stored and processed by it are always accurate and up-to-date and shall take all reasonable measures in the interest of ensuring that any inaccurate or incorrect data be rectified or erased as soon as possible.

The Controller shall store the personal data collected by it until such time as necessary for achieving the purposes of the data processing. In course of the processing of the data, the Controller shall take all such technical and organisational measures with the help of which the Controller can guarantee the security of the data, including their protection against unlawful processing, accidental loss, destruction or damage.

In all such cases when the Controller intends to use the data provided by the data subjects for a purpose other than the original purpose specified in the present privacy policy, the Controller shall notify the data subject in advance in writing, specifying such new purpose and providing the additional information pertaining to data processing, and shall also ensure that it has the appropriate legal grounds enabling it to process the data in such cases.

It is of outstanding importance for the Controller to integrate such technical and organisational measures into its activities whereby it can ensure that the processing of personal data only takes place to the extent and for the duration necessary for attaining the specific purpose of data processing, and that accordingly, access to the personal data is also in line with the above. In the interest of the performance of above obligations, in its internal policies, the Controller has determined regular, mandatory deadlines for review, as well as integrated such regulatory points in its data processing that are suitable for ensuring that the data processing operations always stay within the above frameworks. It is of particular importance for the Controller that the personal data with respect to which the purpose of the data processing has already been achieved or the deadline of processing has expired, or the data subject submitted a lawful request for erasure, shall be deleted without delay.

The Controller shall maintain records of its data processing activities. Such data processing records shall include, among other things, the data of the Controller, the fact of the joint controllership, the purpose and legal basis of the given data processing activities exercised by the Controller, the list of the data subjects and their processed personal data, as well as the recipients to whom the data are handed over and/or transferred.

5. Processing of Personal Data of Data Subjects Applying for Jobs and IT Project Tasks

The Controller hereby informs the data subjects that, after clicking on the “CV upload” button on the Website on the “General application” interface, by providing their names, e-mail addresses and phone numbers, and uploading their CVs, having received the relevant information concerning data processing, they consent to the processing by the Controller of their personal data entered on the interface and included in the CVs. Personal data are processed in order for the Controller to be able to inform data subjects about job offers or project tasks corresponding to them on basis of their educational qualification and professional experience, or to contact them if they are interested in the offer.

The Controller also processes the personal data of such individuals who, on the Website of the Controller, after clicking on the “IT jobs and IT projects” tab and selecting one of the job advertisements posted by the Controller, click on the “CV upload” button, enter their names, e-mail addresses and phone numbers, and upload their CVs.

Data subjects also have the opportunity, in case they have a social media profile, to apply for a job or IT project tasks via their social media profile instead of completing the fields on the application interface. In this case, data subjects shall submit their name, e-mail address and the URL of their social media profile. Data subjects applying for a job or IT project tasks via their social media profiles consent to the processing of their personal data.

The purpose of data processing in each of the above cases is to notify data subjects of current job/project opportunities corresponding to their qualifications and professional experiences, by way of the contact information provided by data subject, in the shortest possible time, as well as to evaluate the application of data subjects to job/project opportunities posted by the Controller, and to notify data subjects of the results thereof. The Controller shall also process the personal data for the purpose of providing data subjects with an opportunity to introduce themselves in the framework of a personal interview. The Controller calls the attention to the fact that the notifications sent by the Controller shall not qualify as newsletters or as contacting for marketing or advertising purposes, and therefore, the separate consent of the data subject is not required for the sending of such notifications.

The Controller handles only those data which have been provided by the data subject on the online form during his/her application or which are contained in his/her uploaded CVs. If the data subject also provides the URL of his/her social media profile when applying, the Controller will also handle the personal data contained in his/her social media profile.

The processing of all personal data listed above is indispensable for the Controller to notify and inform data subjects of the currently available opportunities that are best aligned with their educational qualifications and professional experience. The Controller wishes to call data subjects’ attention that the more data, as well as the more detailed information it has concerning their educational qualification and professional experiences, the better the Controller is able to offer the more personalized opportunities for them and the Controller can promote the filling of the position selected by the data subject as well as the selection of the data subject for the project task applied by him/her.

The Controller already informs data subjects at this point that if they do not make available to the Controller their personal data listed above, or they provide their data only in part, then, in the absence of essential information, the Controller cannot accept and evaluate their application and will not be able to inform them of the opportunities that may be suitable for them.

The Controller hereby informs data subjects that it also processes the personal data of such data subjects who have uploaded their personal data and CVs into databases of social media platforms. For each data subject, the Controller processes such personal data that the data subject has made accessible for the purpose of job/working opportunity searches. The Controller processes personal data in all cases in full compliance with the rules set by the operator of the above websites and the provisions for processing of personal data.

The Controller hereby informs data subjects that the scope of personal data processed may vary from one data subject to the next, but in most cases, it extends to the following: name, e-mail address, phone number, address of residence, date of birth, photograph (portrait), desired salary, position to be filled, data pertaining to educational qualification, data pertaining to professional experience, knowledge of languages, IT skills, personal description, status. At the request of the data subject, the Controller shall provide up-to-date information concerning the exact scope of personal data processed for the given data subject.

The Controller hereby informs data subjects that the processing of personal data made publicly available by them for search of job and/or work opportunities is based on the legitimate interests of the Controller and its third-party customers for whom the Controller on the one hand provides recruitment services and on the other hand for whom the Controller performs different IT service and consultancy activities. The purpose of the processing of the data is to enable the Controller to notify and inform data subjects, using the contact information provided on the job search sites, in the shortest time possible, of the current opportunities corresponding to their educational qualification and professional experiences on basis of the data they made available publicly, and in case the position/IT project task offered to data subjects by its colleagues raised their interest, and to arrange for a personal interview in which the Controller can find out more about the data subjects. The Controller wishes to call the attention of all data subjects that the processing of personal data made publicly available for searching of jobs/work opportunities indirectly also serves the interest of data subjects, since it also provides them with the opportunity to find a position/working opportunity that is most suitable to their own expectations in the shortest possible time.

The Controller informs data subjects that, in the interest of processing their data based on the legitimate interests of the Controller, it has carried out an interest balancing test in accordance with the mandatory provisions of GDPR. In course of the interest balancing test, the Controller has examined and balanced the legitimate interests and fundamental rights on its own and third parties’ side and on the side of the data subjects, as a result of which it has been established that the Controller’s and third parties’ legitimate interest making it possible to process the personal data and serving as the grounds for it is stronger and more emphatic than the interests existing on data subjects’ side in preventing the Controller from having access to and processing these data. For the provision of the private recruitment and IT service and consultancy activities performed by the Controller for its contractual partners with the purpose of generating revenue and income, it is essential to process the data of such jobseeker individuals who have made their data publicly available and who, on basis of their qualifications and professional experiences, may be suitable for the positions/project tasks offered by the third-party contractual partners of the Controller. The absence of the processing of such data would render the provision of the Controller’s private recruitment services impossible and would greatly complicate the performance of IT service and consulting contracts, which would result in an unjustified disadvantage for the Controller.

Further, it is a widely acknowledged and accepted fact that persons who make their personal data available and upload their CVs on jobseeker portals and social media sites like this are well aware that, in order to find a job/work opportunity as soon as possible, it is in their interest that they may be contacted by employees of such companies who can help data subjects in reaching their above purposes. This circumstance also justifies that the legitimate interests of the Controller and third parties contracted with the Controller in processing of the personal data are stronger than the legitimate interests of the data subjects.

In addition to the above, the processing of the personal data of data subjects that they have made publicly available is indispensable for enabling the Controller to find the persons who may be suitable candidates for the given positions/project tasks, for informing and notifying the data subjects and for conducting the selection procedure. If it is necessary, the Controller informs its customer looking for a new employee about the person of the potential applicant by providing certain personal data of data subject.

Further, the processing of this scope of personal data is fully proportionate also with the purpose of the data processing. The Controller warrants that it has examined all legal grounds with respect to the personal data processed on basis of legitimate interests, but in the present case, none of these could be applied. Further, the Controller also warrants that, in course of the processing of the personal data on basis of legitimate interest, it shall use safeguards and guarantees to ensure that the rights and fundamental freedoms of the data subject are not breached in course of the data processing, including, among other things, their right to object to the processing of data based on legitimate interest at any time and for any reason.

In case the Controller processes personal data of data subjects made publicly available for searching of job/work opportunities for the purpose specified in the present privacy policy, then the Controller shall continue such data processing activity until such time when data subjects object against such data processing in writing via e-mail (receiving address: [email protected]). If data subjects wish to receive further information related to the objection to processing, prior to submitting the application, they can study Chapter 8 of the present privacy policy, on the exercise of rights of data subjects.

6. Processing of Data Provided for the Purpose of Establishing Contact With the Controller

In case on the Website, on the interface displayed after clicking on the “Contact” tab, data subjects provide their name, e-mail address, and send a message via the website, then they consent to the processing of their personal data provided for contacting them and for answering their questions. The Controller hereby informs data subjects that the Controller processes their data provided for the purpose of getting into contact with them until they revoke their consent to the data processing.

7. Data Processing Related to Sending Newsletters

The Controller informs the data subjects that if they subscribe to the newsletter on the Controller's website, the Controller will process their data necessary for sending newsletters to them.

The legal basis for data processing is the consent of the individuals subscribing to the newsletter, which they provide to the Controller by marking the checkbox when subscribing.

For the purpose of sending newsletters, the Controller processes the names and email addresses of the concerned individuals.

The Controller processes the subscribers' data until the individuals withdraw their consent.

The Controller informs the individuals that they may withdraw their consent enabling data processing at any time. To do so, they simply need to click on the unsubscribe link found at the bottom of the Controller's newsletters. The Controller's system will automatically detect and record the unsubscription, and thus the fact of withdrawing consent for data processing. Following this, the Controller will no longer process the individuals' data for the purpose of sending newsletters.

The Controller draws the attention to the fact that if data subject’s email address and/or name are processed for other purposes listed in this notice, unsubscribing from the newsletter will result in the deletion of their data only from the Controller's database/electronic system specifically maintained for the purpose of sending newsletters.

The Controller informs data subjects that withdrawing consent does not affect the legality of data processing activities previously carried out by the Controller based on the individuals' consent.

8. Communication of Data to Other Recipients

The Controller hereby informs data subjects referred to in Chapter 5 that their personal data are handed over exclusively to such third parties for which the Controller performs private recruitment services, on basis of valid service contracts. The Controller only hands over personal data to the third parties for whom the Controller performs IT service and consultancy activities.

8.1. Communication of data relating to performing private recruitment services

The Controller hands over personal data exclusively to the third-party clients engaging the Controller to identify candidates that may qualify, in the opinion of the Controller, as suitable for the positions defined by such clients.

The handover of personal data to third parties in a contractual relationship with the Controller may occur in the cases and in the scope defined below:

8.1.1. Prior to contacting the data subject in connection with a given position, the names of data subjects identified as suitable candidates, after reviewing the personal data of the data subjects, including their qualifications and professional experiences, are handed over to the client. The Controller informs the data subjects that, in this stage of the selection process, only the names of the data subjects are handed over, with the exception of cases where, on basis of the names, the client cannot clearly declare whether they already know the data subject from some other source, and further that they ask for the continuation of the selection process. In this case, in the interest of differentiating the candidates, the Controller also communicates to the client the data subject’s year of birth.

8.1.2. In case the Controller directly contacts the jobseeker data subject for the purpose of arranging for a personal interview, and on basis of the interview, the Controller considers the data subject suitable for the given position, then the Controller hands over to the client all personal data of the data subject, including the CV of the data subject and the data in such CV. In this stage of the selection process, before conducting the interview, the Controller informs the data subjects of the data handover, expressly identifying also the data of the client receiving such data. The Controller only communicates to the client the abovementioned personal data of the data subject if the data subject voluntarily and expressly consents to the handover of his/her data in course of conducting the personal interview.

In the first case, the purpose of such data handover is to enable the client to decide, in possession of the name of the data subject, whether the selection process started by the Controller should be continued, while in the second case, the data handover occurs in the interest of enabling the client to obtain further impressions of the potential candidates selected by the Controller in advance, and to contact them in the interest of conducting further interviews.

The Controller calls the attention that, prior to contacting data subjects personally, the transfer of their personal data, in a limited scope, to certain third parties occurs on basis of the legitimate interest of the Controller and third parties, while in case of a personal interview organized by the Controller, data subjects voluntarily and expressly consent to the handover of certain personal data to be disclosed to third parties - based on information received from the Controller -, for the purpose mentioned above.

8.2. Communication of data in course of performing IT services and consulting activities

The Controller may hand over to the contracted customers only the data of the data subject selected by the Controller to perform the project task. The Controller shall hand over the name, contact details (telephone number, e-mail address) and CV of the data subject (and thereby all data indicated therein) to the customer. The purpose of the data handover is to enable the customer to make sure that the person selected by the Controller possesses all qualifications and experience required to perform the given project task. The legal basis for the data handover to the customer is the legitimate interest of the Controller and its customer. The legal basis for the data handover to the customer is the legitimate interest of the Controller and its subcontractor by whom the data subject is employed and with whom the Controller is in a direct contractual relationship for the performance of the project task. The Controller shall ensure that data subjects receive appropriate information about the customer at the latest at the time of data handover.

8.3. Communication of personal data upon official request

In case the Controller is officially contacted by an authority or court duly authorised by the relevant provisions of law, with the reason for the data disclosure also identified, in which the Controller is required to communicate certain personal data, then the Controller may and shall, in the interest of performing its obligations defined by these provisions of law, hand over such personal data requested by the given authority or court.

Further, the Controller informs data subjects that it shall not transfer their personal data in any way beyond the cases mentioned in the present Chapter, either within the EU or to third countries, to any controller, international organisation or other recipient.

9. The Rights of Data Subjects, the Exercise of Such Rights

In course of its data processing activities, the Controller shall guarantee for all data subjects that they can exercise their rights related to the processing of their personal data, as listed in the present privacy policy, fully, without any unjustified limitations or obstacles.

The Controller also ensures that the data subjects can exercise their right of access to the data, the right of erasure, rectification and the restriction of processing, the right to object, the right to revoke consent, and further the right to legal remedy in connection with the data processing activities, as follows.

A. Access to the Data

The Controller informs data subjects that they have the right to access the information pertaining to the data processing activities performed by the Controller, as well as their personal data processed. In the interest of the above, based on their written request, the Controller shall make available to data subjects copies of their personal data processed and shall inform data subjects of the purposes of the data processing, the recipients to whom their personal data are handed over, the planned duration of the storage of their data, as well as their rights in course of the data processing.

Compliance with such requests is free of charge on the first occasion, while in case of subsequent requests for copies, the Controller may charge a fee. The Controller informs data subjects of the exact amount of the fee in its response given to their request.

The Controller calls data subjects’ attention that the Controller is only able to perform requests for the issuance of copies of their data in case and to the extent that it does not violate the rights and freedoms of other natural persons.

B. Right to the Accuracy, Completeness and Currency of the Data Processed

Data subjects have the right to the accuracy, completeness and currency of their data processed by the Controller. Please help the Controller in its work by way of notifying the Controller of any changes in their personal data, by way of writing to [email protected].

C. Sharing Newsletter Subscribers' Data with Other Recipients

For those individuals who subscribe to our newsletter through our website, the Data Controller sends newsletters with the assistance of the Rocket Science Group LLC (headquarters and mailing address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308). As a data processor acting on the instructions of the Data Controller, the service provider may handle the names and email addresses of subscribers solely for the purpose of sending newsletters to the individuals concerned. In accordance with the relevant regulations, the Data Controller and the data processor have entered into a data processing agreement with each other. The data processor may process personal data only for as long as the Data Controller uses the newsletter sending service provided by the data processor. In the event of any termination of the cooperation for any reason, the data processor is obliged, according to the provisions of the Data Controller, to delete the data it processes or return it to the Data Controller.

D. Right to the Rectification of the Data

For those individuals who subscribe to the Controller’s newsletter, it sends newsletters with the assistance of the Rocket Science Group LLC (headquarters and mailing address: 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308).

As a data processor acting on the instructions of the Controller, the Rocket Science Group LLC may handle the names and email addresses of subscribers solely for the purpose of sending newsletters to data subjects. In accordance with the relevant regulations, the Controller and the data processor have entered into a data processing agreement with each other. The data processor may process personal data only for as long as the Controller uses the newsletter sending service provided by the data processor. In the event of any termination of the cooperation for any reason, the data processor is obliged, according to the provisions of the Controller, to delete the data it processes or return it to the Controller.

https://mailchimp.com/legal/data-processing-addendum/#Annex_C_-_Standard_Contractual_Clauses

E. Right to the Erasure of the Data

The Controller hereby informs data subjects that, at their request, it shall erase the personal data stored and processed with respect to them, without undue delay, if any of the following cases occur in connection with the data processing:

  1. the purpose of the data processing discontinued;
  2. data subjects have revoked their consent, and no further legal basis for the processing of data can be established;
  3. data subjects have objected against data processing, and there are no overriding legitimate grounds that would justify the further data processing;
  4. there was an occurrence of unlawful data processing;
  5. a provision of law requires the erasure of the data.

Newsletter subscribers’ personal data are transferred to the data processor in the USA. The data processor guarantees to ensure the level of protection of personal data required and guaranteed by the GDPR with regard to the personal data processed by it. The legal basis of the data transfer is the Standard Contractual Clauses (SCC) relating to data transfer in relation to data controllers and data processors. The SCC applied by the data processor is set out in Annex 3 of the data processing agreement:

The Controller calls data subjects’ attention that they are entitled to the so-called “right to be forgotten,” which ensures the possibility of rendering their personal data inaccessible in a wider scope. In case data subjects wish to exercise this right, the Controller shall employ all possible IT solutions to ensure that their personal data are no longer available to the Controller in any form in the future. The Controller shall delete the electronic files containing their personal data from the security backup files, and at the same time, the Controller shall also destroy all paper-based documents containing their personal data.

On basis of data subjects’ request, the Controller shall also oblige data processors to delete or destroy all personal data on data subjects that the Controller has handed over to them.

The Controller hereby expressly calls the attention of all data subjects that, after compliance with a request aimed at the erasure of the personal data, such personal data can no longer be restored.

F. Right to the Restriction of Data Processing

Data subjects may restrict the further processing of their personal data by the Controller in the following cases and for the following durations:

  1. if it comes to data subjects’ attention that their personal data processed is inaccurate, until the checking of the accuracy of such personal data;
  2. if data subjects’ data are processed unlawfully, but data subjects specifically request the Controller not to erase their personal data;
  3. if the Controller no longer needs the personal data for the given purpose, but data subjects need the processed data for the purposes of submitting, enforcing or defending their legal claims;
  4. if data subjects have objected to the data processing, pending the verification whether the legitimate grounds of the controller override data subjects’ legitimate interests.

If the Controller finds the restriction of the data processing lawful, it shall notify all recipients to which data subjects’ personal data have been communicated. The Controller calls data subjects’ attention to the fact that in case of the restriction of data processing, the Controller may still store data subjects’ personal data but cannot perform any other data processing operation.

If data subjects requested the restriction of data processing, the Controller may process personal data exclusively based on their consent, for the purposes of submitting, enforcing or defending a legal claim, or for important reasons of public interest. The Controller informs data subjects that in case the grounds for the restriction of the data processing are no longer in place, the Controller shall notify data subjects, in writing, of the termination of the restriction and the date thereof, not later than 15 days before such termination of the restriction.

G. Objection to the Processing of the Data

Every data subject shall have the right to object, on grounds relating to his/her particular situation, to the processing of his/her personal data at any time, if it occurs on basis of the legitimate interests of the Controller or a third party. The Controller calls data subjects’ attention to the fact that in such a case the Controller shall no longer process their personal data, provided that the processing is not justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

H. The Right to Revoke the Consent

Data subjects are entitled to revoke their consent to the processing of personal data at any time, by sending a written declaration to this effect to [email protected]. The Controller calls data subjects’ attention to the fact that the revocation of their consent shall not affect the lawfulness of the Controller’s data processing activities before such revocation.

After the revocation of the consent, the Controller shall erase data subjects’ personal data from its records, with the exception of the case where the Controller also processes the same data for one or more other lawful purposes.

I. Decision on Data Subjects’ Requests

The Controller hereby informs data subjects that, regardless of their content, the Controller shall examine all of the requests submitted to the Controller in connection with the processing of their personal data and the exercise of their rights listed under points A to G, immediately upon receipt, and the Controller shall inform data subjects of the decision on the request in writing, without undue delay, but in any case within 1 month after the receipt of the request by the Controller.

The Controller calls data subjects’ attention that, with a view to the complexity of the request or the number of requests submitted by data subjects and received by the Controller, the Controller may extend the above deadline for giving a response by a maximum of 2 additional months. If the deadline for the response is extended, then the Controller shall notify data subjects in writing, within 1 month after receiving their request and shall also provide the reason for such delay. The above extension of the deadline is not available if, on basis of data subjects’ request, in the Controller’s opinion, it is not necessary to take any data protection measures. In such a case, the Controller shall reply to data subjects’ request within 1 month, and at the same time, the Controller shall also inform data subjects of the reason for not taking a measure, as well as the legal remedies available to them.

The Controller shall not charge any fee for the reply to data subjects’ request and for the measures taken in the interest of complying with it, except in case data subjects submit their request without proper legal grounds or repeatedly with the same content; in such cases, the Controller may charge a reasonable fee, which shall be in proportion to the administrative expenses incurred by the Controller. The Controller shall inform data subjects of the exact amount of the fee in its response given to their request.

J. Legal Remedies

In all cases, the Controller shall strive to process data subjects’ personal data lawfully and in accordance with data subjects’ request, and therefore, in case any of the data subjects are unsatisfied with its data processing activities, please contact the Controller first. The colleagues of the Controller may be reached by way of the contact information provided in the present privacy policy. The Controller shall send data subjects written confirmation of the commencement of its investigation into their complaint and shall inform data subjects of the result of the evaluation of their request upon the receipt of the request, but in any case within 1 month, not including any possible extension of the deadline in accordance with the above, by also providing the reasons for the decision.

If, in data subjects’ opinion, the processing of their personal data by the Controller was unlawful, they can also submit a complaint to the competent supervisory authority. Further, the Controller informs data subjects that in case they disagree with the decision of the supervisory authority, or the supervisory authority fails to review their complaint within the relevant deadline or the supervisory authority does not inform the data subjects within three months on the progress or outcome of the complaint lodged by them, they may seek legal remedy at the competent court of jurisdiction according to the registered seat of the supervisory authority.

The contact data of supervisory authority competent to the Controller’s registered seat are the following:

Data Protection Commission (registered seat: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, postal address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, website: https://www.dataprotection.ie/, online interface: https://forms.dataprotection.ie/contact)

The contact data of supervisory authority competent to the Joint Controller’s registered seat are the following:

Nemzeti Adatvédelmi és Információszabadság Hatóság (registered seat: H-1055 Budapest, Falk Miksa utca 9-11., Hungary, postal address: H-1363 Budapest, Pf. 9., Hungary, e-mail: [email protected], website: https://www.naih.hu/, online interface: https://www.naih.hu/online-ugyinditas/380-adatvedelmi-hatosagi-eljaras-erintetti-beadvany-gdpr)

If, in data subjects’ opinion, Controller has violated their rights related to the processing of personal data, they may seek legal remedy from the competent court according to the registered seat of the Controller, or may initiate a proceeding to be conducted by a competent court according to their permanent or temporary address of residence.

In case the Controller or its data processors processed data subjects’ personal data not in compliance with the relevant provisions of data protection in effect, as a result of which data subjects suffer any damage, then a claim for damages, or in case of suffering non-pecuniary damages, a claim for restitution to be paid may be submitted against the Controller or its data processors; provided that a data processor shall be liable for damage only in case it failed to comply with the relevant provisions of law applicable expressly to data processors or the instructions of the Controller. Data subjects may enforce a claim, at their option, at the competent court with jurisdiction according to the registered seat of the Controller or the breaching data processor, or according to their permanent or temporary address of residence.

The Controller expressly calls data subjects’ attention to the fact that, in the interest of avoiding unlawful access to personal data, the Controller can only comply with their request for the exercise of data subjects’ rights pertaining to their personal information after data subjects’ personal identity has been established beyond doubt. In the interest of establishing data subjects’ personal identity beyond doubt, the Controller asks every data subject to send their electronically submitted request from their e-mail address provided for and on file with the Controller, and identify their name and address of residence in their request.

10. Data Security Measures Taken by the Controller

The Controller shall make all reasonable efforts to ensure the security of all personal data at a proper level. The selection of the most suitable data security measure shall always take place on a case-by-case basis, with attention to and based on an evaluation of the existing and likely risks in connection with the data processed.

In the interest of the secure processing of personal data, the Controller shall ensure the confidentiality of systems, databases, interfaces and applications making the processing of personal data possible for the entire duration of data processing, and shall further ensure that the systems, databases, interfaces and applications have the necessary protection and be resistant against any unauthorised intervention or attack, as well as against accidental destruction or loss of the data. The Controller is able to guarantee that the systems, databases, interfaces and applications used for the processing of data always be available to the necessary extent for the performance of the data processing operations and for the exercise and enforcement of the rights of data subjects.

The Controller hereby informs data subjects that in the interest of full compliance with the requirements of data security, it shall check the efficiency of the measures introduced for the protection of the security of the data periodically, as defined in the relevant internal policies, and shall evaluate the results of such checks in a documented manner.

The Controller calls attention to the fact that the systems and tools to be used in course of the data processing activities have been selected in such a way that in case of the occurrence of a personal data breach, they should be suitable for ensuring access to all personal data, and their restoration within reasonable time. Prior to the commencement of, as well as during any and all data processing activity, the Controller shall continuously monitor and evaluate, in terms of the personal data, the risk factors likely to be in place at the given time, with particular attention to such risks that may involve the accidental or unlawful destruction, modification or loss of the data recorded, stored or otherwise processed by the Controller or access by unauthorised persons to such data.

In the interest of ensuring that all natural and legal persons having access to the personal data only proceed in accordance with the instructions of binding force given by the Controller, the Controller shall check the performance of these persons on a continuous basis, with the detailed rules of such checks being included in the internal policies of the Controller.

The information technology systems and networks of the Controller and its processing partners are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flooding, as well as computer viruses, computer hacking and denial of service attacks.

In course of its data processing activities, the Controller ensures the security and protection of personal data with the following measures, among other things:

  1. with respect to the IT system and network used, protection against fraud, espionage, computer viruses and other malicious software, unauthorised entry and denial of service attacks (use of firewall, anti-virus software);
  2. regularly updating the software of own development used for the electronic processing of the personal data;
  3. restricting access to the database containing personal data to duly authorised employees only, subject to the use of unique usernames and passwords;
  4. the software used for the processing of personal data continuously logs access to the personal data (recording the name, date and time, as well as the activity performed);
  5. employees in charge of processing personal data have access only to such data that are indispensable for the performance of their job-related tasks;
  6. the Controller processes personal data provided by the data subjects separately for each of the data processing purposes specified in the present privacy policy;
  7. the Controller has minimized the paper-based processing of personal data, and has introduced mechanisms for the destruction of discarded documents in the interest of preventing unauthorised access to data;
  8. the archived, paper-based documents including personal data are placed in a designated, lockable storage room, access to which is restricted to duly authorised employees.

11. The Handling of Personal Data Breaches

The Controller hereby informs all data subjects that even despite the data security measures introduced and enforced by the Controller during the entire process of the processing of personal data, some unfortunate cases may occur that put the stored and processed data at risk.

In case of a personal data breach concerning the personal data processed by the Controller, it shall – in accordance with the requirements of the GDPR – guarantee that the personal data breach is reported to the supervisory authority without delay, but in any case within 72 hours after the discovery of the same – unless the personal data breach is unlikely to result in a risk to the rights and freedoms of data subjects.

The Controller asks data subjects not to be surprised if they receive a notification on a personal data breach directly from the Controller: in such a case, the Controller is performing its statutory obligation, which requires it to inform the individuals of the occurrence of personal data breaches that are likely to pose a high risk to the rights and freedoms of the data subjects. Such high risks include, in particular, where the scope of data affected by the personal data breach involves data that could be considered as sensitive (e.g. special category data, information concerning the financial status of the data subject, data suitable for identity theft or for the social valuation of the data subjects). Such a notification shall include the name and contact data of the person appointed by the Controller for data processing issues, the nature and the consequences of the personal data breach, as well as the measures already taken or proposed to be taken in the interest of eliminating the consequences and possible adverse effects.

The Controller demands from all its staff members working with personal data that, in the interest of the earliest possible detection and elimination of personal data breaches, they follow the action plan determined and introduced by the Controller. In the interest of minimising the occurrence of personal data breaches during the processing of data and to ensure the enforcement of the above rules at highest possible level, the Controller has incorporated regular internal verification operations into its procedures.

The Controller calls the attention of the data subjects that in addition to the official notification, the Controller also draws up a written record and maintains a central registry of all personal data breaches, which includes, among other things, the description of the problematic cases, their qualification and effect on the data subjects, as well as the measures taken for their elimination and the prevention of their adverse effects at the earliest time possible.

Naturally, the Controller also ensures that all such data processors with whom it cooperates in course of its data processing activities shall likewise also comply with their obligations concerning the reporting and the documentation of personal data breaches in accordance with the applicable provisions of law.

12. Changes to Privacy Policy 

The Controller reserves the right to unilaterally change the present privacy policy at any time. The Controller informs data subjects of the amendments of the present privacy policy on the Website, indicating the points of the privacy policy affected by the amendment, as well as the date of entry into force.

13. Applicable Laws 

In the preparation of the present privacy policy, the Controller has taken into consideration all mandatory legal requirements governing the performance of data processing activities, including, in particular, the following provisions of law: 

  1. Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, or GDPR);
  2. Act CXII of 2011 (Hungary) on the Right of Informational Self-Determination and on Freedom of Information (“Info Act”);
  3. Act V of 2013 (Hungary) on the Civil Code (the “Civil Code”);
  4. Act CXXXIII of 2005 (Hungary) on Security Services and the Activities of Private Investigators (the “Security Services Act”);
  5. Act CLV of 1997 (Hungary) on Consumer Protection (the “Consumer Protection Act”);
  6. Act C of 2000 (Hungary) on Accounting (the “Accounting Act”);
  7. Act XC of 2017 (Hungary) on the Code of Criminal Procedures (the “Code of Criminal Procedures”).

Date of last update: 19.02.2024