Data Controlling Policy
MP Solutions Kft. (hereinafter referred to as Company) proceeds in its data controlling activities concerning the personal data processed in relation to applicants for positions and its customers/contracting partners (hereinafter referred to as data subject) in accordance with this Data Controlling Policy (hereinafter referred to as Policy).
1. General provisions:
1.1 Data controller
- name: MP Solutions Kft.
- company registration No: Cg. 01-09-914023
- registered by: Registration Court of Budapest-Capital Regional Court
- contact details:
1.2 The purpose of Policy
The purpose of Policy - by complying with the following rules on the processing of personal data processed by the Company - is to ensure the protection of the personal data of the natural person data subjects, compliance with data subjects’ privacy and their right of informational self-determination concerning their personal data, and for this purpose, the safety of data from any accidental or deliberate destruction, alteration, damage, disclosure or access by unauthorised persons.
Further, it is the purpose of Policy to inform data subjects about the facts, rights and obligations related to Company’s manner of data control and data control itself, already prior to the start of such data control. For this purpose, the Company makes this Policy continuously available for data subjects on its website (see section 1.1).
By accepting this Policy, data subjects give their consent to the Company to process data subjects’ personal data in accordance with the terms and conditions herein.
1.3 Effect of Policy
The material scope of Policy covers all the personal data controlled/processed by Company, irrespective of the place, date and form of the control/processing of such personal data.
The personal scope of Policy covers all the staff members/employees of Company, and in the scope of Company’s data processing activities, any possible third party data processors involved in data processing by Company and all the contractual partners of Company (principals and suppliers) as well as all the applicants who either directly responded to Company’s job advertisements or who are directly contacted by Company with a job opportunity.
1.4 Legal background of Policy
General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC,
Act CXII of 2011 on the right of informational self-determination and freedom of information (Info Act)
1.5 Principles of data processing
During its data processing activities, Company at all times ensures the fulfilment of Hungarian and European Union regulatory requirements concerning personal data, that is:
- personal data shall be processed lawfully, fairly and transparently for data subject (principle of lawfulness, fair treatment and transparency);
- personal data shall only be collected and processed for clear and lawful purposes (principle of purpose limitation);
- regarding the purpose of data processing, the data collected shall be appropriate, relevant and limited to the necessary (principle of data minimisation);
- personal data shall be accurate and up-to-date if needed and any inaccurate data shall be erased or corrected without delay (principle of accuracy);
- personal data shall only be stored for the period necessary to achieve the objective of data processing (principle of storage limitation);
- by taking appropriate technical and organisational measures, Company ensures the proper level of safety for personal data and the protection of data against any unauthorised or unlawful processing, accidental loss, destruction or damage (principle of integrity and confidentiality);
- Company shall always maintain such a data processing system with the help of which it can prove that its data processing activity complies with the above principles (principle of accountability).
1.6 Legal basis of data control
During its data processing activity, Company shall only process personal data for the lawful processing of which it possesses (i) data subject’s preliminary consent, or (ii) regulatory authorisation.
Prior to the start of data processing, within the framework of providing preliminary information for data subject, Company shall notify data subject whether data processing is based on consent or regulatory obligation.
Data subject shall have the right to withdraw his/her consent at any time, which, however, shall not affect the lawfulness of data processing based on consent prior to such withdrawal. Company may continue data processing even after the withdrawal of consent if it has regulatory authorisation for it, in particular, if it is necessary for the fulfilment of its legal obligation or for pursuing Company’s legitimate interests.
Data controlling is performed on the basis of regulatory authorisation particularly if:
- data processing is necessary for the performance of a contract in which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6 section (1) b));
- data processing is necessary for compliance with a legal obligation to which Company is subject (e.g. tax payment obligations) (GDPR Article 6 section (1) b; Article 5 of the Info Act);
- data processing is necessary for the purposes of the legitimate interests pursued by Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (GDPR Article 6, section (1)f) ), that is, if the pursuing of such interest is proportionate to the restriction of the right to the protection of personal data (section b), (Article 6 of the Info Act).
1.7 Sources of data collection
In general, Company obtains the data processed by it directly from data subject (applicant, contractual partner, supplier, etc.), possibly from third parties. If the applicant for a position has published a profile about him/herself on any social media webpage, Company shall have the right – in accordance with the principle of purpose minimization - to inspect such public social media page but without data subject’s express consent shall not save or store it particularly with regard to the fact that it may include other data unrelated to the job application or the position which are not significant for Company for the placement of applicant.
Company shall not contact the previous employer of job applicants without applicant’s express consent and similarly, shall not make available any personal data to a former applicant’s subsequent employer without former applicant’s express consent at the requests for information about applicants placed.
1.8 Purpose of data processing
Company shall process personal data related to candidates and contractual partners to provide Company’s services and improve the quality thereof, or within the scope of its regulatory obligations for the purposes defined in the ’Data controlling activity register’. The Data controlling activity register is available from here: upon request the complete and detailed register is available at the reception of the MPS premises after a pre-booked and confirmed appointment.
2. Categories of data subjects and their personal data:
2.1 Data processing related to candidates
The data processing activity of Company as a market actor providing recruitment/executive search services shall be limited to the areas, scope of persons, processed data and data processing periods defined in the ’Data controlling activity register’ in detail and shall be restricted to the purposes defined therein.
Company shall only collect such data of candidates that are relevant for keeping contact with candidate and finding the suitable employment opportunity for such candidate. If beyond such data, candidate him/herself provides any further (in a given case, even sensitive) data about him/herself (health condition, political orientation, criminal record, etc.), data processing shall extend to such data as well, but for the processing of such sensitive data, Company shall specifically obtain data subject’s consent.
In case candidate gives his/her specific consent, Company may use his/her personal data beyond the search for specific candidates, for subsequent marketing activities, profiling, recruitment or for offering other job opportunities as well.
Company shall have the right to share candidate’s personal data (i) with those of its principals, candidate’s potential future employers in whose interest search for candidates is conducted, (ii) with other third parties providing similar recruitment/executive search services who can recommend candidate to their own principals, candidate’s further potential future employers, and (iii) with persons/organisations possessing the references provided by candidate.
Company shall process candidates’ data for maximum two years. If during this two years’ period, Company is unable to offer a suitable job opportunity to candidate, it shall automatically erase the file related to candidate. If during these two years, either Company or candidate confirm their intention to cooperate (e.g. candidate updates his/her CV, or gives feedback to some promotion of Company’s or another enquiry thereof, or Company sends candidate a job offer), the two-year data processing period shall restart from the establishment of relevant contact.
2.2 Data processing related to the users of Company’s website
If beyond browsing, the website user also uploads data to the website, the data processed by Company shall be, in particular, the personal data provided by website user during registration on the website, making use of the job newsletter sending, uploading CV and applying to job advertisements. In such a case, the legal base of data processing is the voluntary and express consent given by user to the processing of the personal data provided by him/her under the terms of this Policy. If user does not wish to provide his/her personal data, user acknowledges that because of this, he/she will have no access to Company’s services or to some elements thereof.
Company cannot check the truth and accuracy of the personal data/CV and other content provided on website for which only the user (candidate) providing data shall be held liable.
In spite of the fact that it is almost impossible to link the data file recorded by the cookies to the user’s person, Company considers it important to inform that the cookies also supply certain data about visitors to website to ensure the functionality of the website and measure attendance.
Session cookies help the operation of the page by recording the names of users registered on website to make the next login and the management of the page easier. Such a cookie does not forward any data outside the system.
Google Analytics is a cookie developed by Google, Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), which is widespread worldwide and is used by third parties, and registers users’ activities on the website anonymously, thus without the identification and identifiability of the specific user. With the help of Google Analytics, Company may obtain such attendance information and statistics that may help further improve Company’s website and services. Such data may include the number of website visitors, information about from where, from which other website and how visitor has arrived, which pages of the website he/she has inspected and in which order, etc.
2.4 Data processing related to contractual partners
Company’s as market actor’s and service provider’s data processing activity related to its contractual partners (principals, suppliers) is conducted for the purpose of keeping business contact with partners, performing contracts/enforcing claims, promotions/advertising campaigns organised by Company, organising events and documenting events/ taking recordings.
In general, data processing related to contractual partners/suppliers is limited to contact data, contact persons’ names, telephone numbers and email addresses in order to keep business contact with partners.
The legal basis of data processing related to contractual partners is: (i) data processing necessary for pursuing Company’s – as service provider - legitimate interests; (ii) data processing necessary for the performance of contract between data subject and Company; (iii) data processing based on data subject’s voluntary consent.
2.5 Data processing related to sending letters/emails
If data subject sends a letter to Company by applying the Contact-option on Company’s website or in any other way, this, at the same time, means data subject’s voluntary consent to Company processing his/her personal data given in his/her message/letter with respect to the subject of enquiry and seeking contact with him/her using the contact details given.
3. Forwarding data abroad, data processing, the scope of those getting to know data:
3.1 Company shall not forward data to any third parties with a seat abroad.
3.2 If needed in order to perform specific tasks connected to data processing operations, under the terms of the individual data processing contract concluded with specific partners, Company shall only engage data processors in the data processing activity who provide proper guarantee with regard to their expertise, reliability and resources available that they will properly carry out the technical and organisational measures ensuring the fulfilment of the data safety and other requirements of GDPR.
The data processors employed by Company are included in Annex 2 hereto.
Data processors shall perform the data processing activities they are put in charge of on Company’s as data controller’s behalf. Following finishing the data processing service, data processor shall delete or return all personal data to data controller - in lack of a different legal provision - as data controller decides.
Company shall be liable for data processor’s activities, e.g. for any damage or infringement of personality rights caused by data processor. Company shall be exempted from its liability if (i) it proves that such damage or infringement of personality rights was caused by an unavoidable cause outside the scope of data processing, or (ii) Company shall not be held liable as such damage or infringement of personality rights resulted from the deliberate or severely negligent conduct of the person suffering damage or data subject, respectively.
3.3 The personal data processed by Company may only be disclosed to the persons appointed by Company or employees as set forth in Annex 1 hereto.
4. Technical and organisational measures promoting the safety of data processing:
Pursuant to section (1), Art. 32 of GDPR, Company as data controller and the data processors engaged shall carry out proper technical and organisational measures in order to guarantee a level of data safety appropriate to the extent of the risks of data processing. In the course of this, data controller shall take express account of the risks resulting from the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to the personal data processed, stored or transmitted.
Data controller shall take the following technical/organisational measures:
- there shall be lockable drawers and cabinets, a lockable office equipped with a safety lock, and a gate in the building that can be opened with code and key. PCs shall be protected with individual passwords and the HR software database shall only be used with two-step identification (password and token to email address). Shared drives shall only be accessible from the area of the office, from an internal wireless internet connection protected with password. Applicants and customers shall not get access to the office workspace; therefore, tools shall not be accessible to them.
5. Procedure in case of data protection incidents:
- in spite of the above data processing practice, a data protection incident can occur in the scope of the data processed by Company, and if the incident is likely to involve high risks to the rights and freedoms of data subjects, after becoming aware of it, Company shall report incident to supervising authority without undue delay but within 72 hours the latest. At the same time, Company shall inform data subjects of the incident, indicating the probable consequences thereof and the measures taken or planned to remedy/alleviate the situation.
Company is not obliged to report any data protection incidents that are not likely to involve high risks to supervising authority. It is not necessary to inform data subjects, either, if the conditions in Article 33 of GDPR are fulfilled, that is, if (i) Company has taken such a measure with which it makes the data affected by incident uninterpretable for unauthorised people, or if (ii) in consequence, following data protection incident, high risks are not likely to occur, or (iii) if such information provision would involve disproportionate efforts. In the latter case, Company provides proper information for data subjects publicly.
In order to check the measures related to incident and inform data subject, Company shall keep a register.
6. Data subjects’ rights and opportunities to enforce their rights:
6.1 Right to transparent information
Data subject shall have the right to get proper information from Company with the content set forth in Articles 13-14, 15-22 and 34 of GDPR and section 14. § (1) a) and 16. § of the Info Act. In every case, Company shall provide information in a concise, transparent, understandable and easily accessible form, in clear, plain and intelligible language and in writing, including electronic communication.
6.2 Right to access
Data subject shall have the right to get feedback from Company about whether the processing of his/her personal data is in progress or not, and if such data processing is in progress, data subject shall have the right to get access to data and get information concerning the content of data processing pursuant to Article 15 of GDPR, in particular, concerning the purpose of data processing, the categories of the personal data involved, those recipients to whom data have been or will be disclosed, the planned term of data storage, the data subject’s rights related to data processing, the right to make a complaint at the authorities, the source of data collection, the fact of any possible automatised decisionmaking and the circumstances and effects of the personal data breach that may have arisen and the measures taken to deal with them.
6.3 Right to correction
Data subject is entitled to Company correcting any incorrect personal data related to him/her or complete any incomplete data without undue delay.
6.4 Right to erasure
Data subject is entitled to Company erasing any personal data related to him/her without undue delay, and Company shall execute such a request for erasure if
- personal data are no longer necessary for the purpose for which they have been collected or processed;
- data subject withdraws his/her consent forming the base of data processing, and data processing has no other legal base;
- data subject objects to data processing and there is no legitimate priority reason for data processing;
- personal data have been processed unlawfully;
- personal data shall be erased to comply with any legal obligations required in EU or Hungarian law applicable to data subject;
- personal data have been collected in relation to offering services related to information society, primarily to children.
Data subject shall not request the erasure of data, and Company is not obliged to erase data if data processing is necessary for reasons set forth in section (3), Art. 17 of GDPR, in particular if (i) it is necessary for exercising the right of freedom of expression/publicity and information, (ii) it is necessary for complying with any requirements set forth in EU or Hungarian law, requiring the processing of personal data, to be applied to data controller or (iii) it is necessary for the establishment, exercise or defence of legal claims.
6.5 Right to restrict data processing
In case of any restrictions, with the exception of storage, data may only be processed with data subject’s consent, or for submitting, enforcing or defending legal claims, or for the protection of natural persons or in material public interest. Data subject may request the restriction of data processing if
- data subject questions the accuracy of personal data, in which case restriction applies to the period during which Company can check the accuracy of data;
- data processing is unlawful but
- data subject does not request the erasure of data but the restriction of use of data instead;
- relying on the available information there is reason to believe that erasure would infringe the legitimate interests of the data subject, in which case restriction applies to the period as long as there is a legitimate interest justifying the non-erasure;
- there is a need to preserve the data as evidence in investigations or proceedings specified in the applicable law - in particular in criminal proceedings -, in which case restriction applies until the investigation/proceeding has been finally closed;
- there is a need to preserve the data in order to fulfil the obligation of documentation stipulated in section 12.§ (2) of the Info Act, in which case restriction applies for the 10-year period from the erasure of the controlled data.
- Company no longer needs personal data for the purpose of data processing but data subject needs them for submitting, enforcing or defending legal claims
- data subject has objected to data processing. In such a case, restriction applies to the period during which Company establishes whether Company’s legitimate motives have priority over data subject’s legitimate motives.
6.6 Right to data portability
If the legal base of data processing is (i) data subject’s consent, or (ii) it is performed under a contract in which one Party is data subject, or if (iii) data processing is performed in an automated way, data subject may request to get the processed data concerning him/her, and shall have the right to forward these to another data controller. In such a case, data controller shall hand over the personal data to data subject or the data controller designated by data subject in a structured, widely used and machine-readable format.
6.7 Right to object
Data subject shall have the right to object at any time to the processing of his/her data (i) for the public interest or in the framework of exercising public authority vested in data controller, or (ii) against processing of his/her data as necessary to pursue data controller’s or any third party’s legitimate interest, including profiling. In case of such objection, Company may only continue processing data if it proves that (i) data processing is justified by such compelling legitimate causes which have priority over data subject’s interests, rights and freedoms, or (ii) which are related to the establishment, enforcement or defence of legal claims.
If data processing is performed for direct marketing purposes, in case of data subject’s objection, personal data shall not be further processed for such purposes.
6.8 Right to object to automated decisionmaking
Data subject shall have the right not to fall under the effect of a decision based solely on automated data processing - including profiling - which would involve legal effects for him/her or would affect him/her in a similarly substantial way. Data subject shall not have this right if (i) such decision is necessary to conclude or perform a contract between data subject and Company, (ii) decisionmaking is made possible by EU or Hungarian legal requirements or (iii) such decision is based on data subject’s express consent. In cases (i) and (iii), Company shall take appropriate measures to protect data subject’s rights, freedoms and legitimate interests, including as a minimum, data subject’s right to request human (manual) intervention on data controller’s part, express his/her standpoint and raise objections to such decision.
6.9 Right to withdraw consent
Data subject shall have the right to withdraw his/her former voluntary consent at any time. At the same time, such withdrawal of consent shall not affect the lawfulness of data processing prior to such withdrawal.
6.10 Initiating Company’s measures
Company shall promote data subject’s exercising his/her right to enforce his/her rights, and in this respect, shall make every effort to stop or remedy any infringements. If Company has well-founded doubts about data subject’s identity, it may request further information necessary to confirm data subject’s identity.
Company shall inform data subject of any measures taken at his/her request without undue delay but in any case, within twenty-five days upon the receipt of such request. If needed, e.g. because of the complexity or high number of requests, this deadline may be extended by two further months. To a request submitted electronically, in lack of data subject’s other demands, Company shall also provide information electronically if possible.
If Company does not consider it justified to take any measures, it shall inform data subject about this without undue delay but within twenty-five days upon data subject’s request the latest, giving the reason for omitting taking any measures, and providing the information that data subject may make a complaint at a competent supervising authority and may exercise his/her right to judicial review.
In the scope of enforcing rights, Company shall fulfil its obligation to provide information or take measures at its own expense. If data subject’s request is clearly unfounded or – especially due to its repetitive character – exaggerated, Company may charge a fee of a reasonable amount or may refuse to take any measures according to request.
6.11 Right to administrative data protection procedure
In exercising his or her rights, the data subject shall be able to:
- request the data protection authority to investigate the lawfulness of processing by Company as the data controller, if the Company prevented the exercise of his or her rights, or refused his or her request for exercising those rights; and
- request the data protection authority to open administrative proceedings for data protection, if he or she is of the opinion that the Company and/or the data processor acting on Company’s behalf or following Company’s instructions is in breach of the provisions of law or binding legislation of the European Union on the processing of personal data.
Details of the local supervising authority:
- National Authority for Data Protection and Freedom of Information
- 1055 Budapest, Falk Miksa u. 9-11.
- telephone: 1-391-1400
- fax: 1-391-1410
- email: email@example.com
- website: www.naih.hu
6.12 Right of access to a court
In case of the infringement of his/her rights, data subject may initiate proceedings before a court within the legal framework from time to time. Data subject shall also have the right to file a lawsuit before a competent regional court according to his/her place of living or residence.
In the lawsuit, Company shall prove that the data processing objected to complied with legal provisions.
If Company causes damage to data subject by the unlawful processing of his/her data or by failing to fulfil data safety requirements, it shall indemnify data subject, or in case of the infringement of personality rights, it shall pay grievance fee.
7. Definition of key terms in Policy or of data controlling
- data subject: a natural person identified or directly or indirectly identifiable on the basis of any specific personal data;
- personal data: any information relating to data subject; in particular data subject’s name, identification number, and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that natural person or any conclusions that can be drawn from such data about data subject;
- sensitive data: a) personal data related to racial origin, national minority, political views or party affiliation, religious or other philosophical convictions, membership in interest-representative associations or sexual life b) personal data related to health conditions, any addictions or criminal personal data;
- criminal personal data: any personal data produced in criminal proceedings or prior to them, in relation to the criminal offence or criminal procedure at the authorities authorised to conduct criminal procedure or investigate criminal offences, and at penitentiary institutions that can be connected to data subject and personal data concerning criminal record;
- data subject’s consent: any freely given, specific and unambiguous indication of the data subject’s wishes based on proper information, by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- objection: data subject’s statement with which he/she objects against the processing of his/her personal data and requests stopping data processing and erasing the data processed;
- data controller: the natural or legal person, or organisation having no legal personality which, alone or jointly with others, determines the purposes of the processing of personal data (including the means used); and makes and carries out decisions or have them carried out by data processor;
- data processing: any operation or set of operations which is performed on personal data or on sets of personal data, irrespective of the procedure applied, such as, in particular, collection, recording, organisation, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, restriction, erasure or destruction, and prevention of further use of data, taking photos, audio or video recordings, and recording any physical characteristics (e.g. finger- or palmprint, DNA sample, iris image) suitable to identify the person;
- data transmission: making data available for a specific third party;
- disclosure: making data available for any person
- data erasure: making data unrecognizable in a way that they cannot be restored any more;
- pseudonymisation: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- data marking: supplying data with an identification mark in order to distinguish them;
- data restriction: supplying data with an identification mark in order to restrict their further processing with final effect or for a specific period of time;
- data destruction: total physical destruction of the data carrier containing data;
- data processing: carrying out the technical tasks linked to data processing operations irrespective of the method and means applied to carry out such operations, or the location of application provided that the technical task is carried out on the data;
- data file: all the data processed in one register;
- data protection incident: unlawful controlling or processing of personal data, in particular, unauthorised access to, alteration, transmission, disclosure, erasure or destruction, and accidental destruction and damage of data;
- recruitment: finding the appropriate job and employer for the appropriate candidate, and finding the candidate meeting its demands for the employer, and linking candidate and employer in order to establish employment
- candidate: a person applying for the jobs advertised by Company, a person who has sent his/her personal data and CV to Company to get access to subsequent job opportunities, and a person whom Company has selected and contacted directly or indirectly to offer a specific job opportunity