Privacy Policy

Your privacy matters to us. We would like you to feel cool about entrusting us with your data when you visit our website, sign up to our newsletter, apply to one of our courses or we interact in any way. Let us explain what data we collect about you and what we do with it. By using our services, you consent to our use of your data under this privacy policy. If you would like to know more about our collection and use of cookies only, please check out the CodeCool cookie policy.

PRIVACY NOTICE

I GENERAL INFORMATION, THE CONTROLLER

 

1.1. Identity of the data controller and its activity

In the context of the data processing specified in this Notice (“Notice”) the data controller is CodeCool Kft. (registered office: H-1065 Budapest, Nagymező utca 44.; company registration number: 01-09-394554; tax number: 25076587-2-42; e-mail: [email protected]; hereinafter: “Controller”). Name and contact details of the Controller: dr. FREIDLER Gábor, [email protected].

The Controller is a company registered in Hungary. The Controller is engaged in the training, hiring and placement of programmers, as published on its website (www.codecool.com, hereinafter: “Website”). 

The Controller conducts its activities within the scope of the laws of the European Union and Hungary. Data processing is primarily governed by the EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC; hereinafter “GDPR”).

 

1.2. Data subject

For the data processing covered by this Notice, the data subject is the person who enters into a legal relationship with the Controller or initiates the establishment of a legal relationship, and for this purpose provides the Controller with his or her personal data.

Therefore, the scope of this Notice does not cover data that do not relate to natural persons (e.g. company data) or that cannot be linked to natural persons (e.g. statistical data, data that are anonymised).

 

1.3. Process of data processing

Data subjects contact the Controller through the Website. If the data subject wishes to participate in the training of the Controller, he or she registers on the Website, providing the following data: name of the training selected, surname, first name, e-mail address, telephone number. When applying, the data subject shall accept the privacy notice.

After the application, the data subject will be directed to the online screening platform (survey) in English via the Website. The Controller may change the online screening process. During the screening, the data subject shall declare that he/she meets the preconditions for the training, then complete the screening tasks and answer the questions asked, and, if requested, write a motivation letter with the content and length of his/her choice. The data subject will be informed of the result of the online screening. 

After a successful online screening, the Controller will contact the data subject and a personal screening will take place at an agreed time, which may also be taken via a remote device or an app. This involves the data subjects taking part in group and individual situational exercises, solving group and individual tasks and participation in motivational interviews. The Controller shall keep a record of the screening, in which the participation of the data subject, the characteristics of the participation, the answers given by the data subject and their evaluation shall be recorded. A visual or audio recording of the screening will only be made with the explicit consent of the data subjects, if the recording is necessary for evaluation or promotional purposes. In case of refusal to consent to the recording, the data subject will not suffer any disadvantage, in which case the Controller will provide the screening without recording. The personal screening can also be done online, using a telecommunication device or software.

If the result of the screening is unsatisfactory (the application is unsuccessful), the data recorded will not be deleted by the Controller, so if the data subject tries the screening again, the previous data will be available and the data subject will be informed of this. The Controller shall delete the data if the data subject so requests or if one year has elapsed since the screening. The stored data will be used by the Controller only in the event of re-application and screening, to assess changes in the period since the previous application.

In the case of a successful screening, the Controller enters into a contract with the data subject, on the basis of which the data subject participates in the training. When entering into a contract, the data subject provides the data specified in this Notice.

During the training, the Controller continuously monitors the participation of the data subject and records the fact of participation, absence (broken down by sessions), the results of each survey and the feedback of the data subject on the training. These data are processed by the Controller in its own system.

Once the training has been completed, the data subjects may be placed or hired out. For this purpose, the data subjects shall prepare their professional CV, based on a template set by the Controller. The CV will include information about personal identity, skills, qualifications, motivation and interests. The Controller shall process the CV for two years after the successful placement and shall inform the data subject if it is able to find another job for the data subject. The data subject may, of course, request the deletion of the data before that.

The Controller takes a photo of the data subject (or receives a photo provided by the data subject), which appears in the Controller’s system alongside the data relating to the data subject. The photo of the data subject is used to identify the data subject; the photo can be used by the data subject to create his or her CV.

If the placement is successful, an employment relationship may be established between the data subject and the Controller. In this case, the parties sign the employment contract. In the event of termination of employment, the Controller, as the employer, shall process the data in accordance with the applicable legislation.

The Controller operates a recommendation system whereby the data subject can recommend a third party to the Controller’s training programme. In the case of a successful recommendation, the Controller will provide the data subject with the predetermined discount or benefit. The person making the recommendation is responsible for the lawfulness of the recommendation, in particular for the fact that the recommended person has consented to the processing of his/her data. On this basis, the person making the recommendation shall obtain the consent of the recommended person before the recommendation.

The Controller partly carries out its activities with the involvement of third parties (agents, contractors), and in all cases it concludes a contract with these persons that ensures data protection.

The Controller shall collect the data primarily from the data subject. The Controller shall only collect data from other sources if the data subject has given his or her consent (e.g. data provided by an employment agency) or if the law explicitly authorises the collection of data.

The Controller shall not copy documents. Where the data subject presents a document, the Controller shall record the fact of presentation and, if necessary, the identifier of the document, but shall not make a copy.

 

II PURPOSE, LEGAL BASIS AND SCOPE OF DATA PROCESSING

 

2.1. Purpose of data processing

The primary purpose of data processing is to establish and maintain a legal relationship between the data subject and the Controller for the purpose of training and later employment, and to provide the data subject with a placement offer. The purposes of data processing are, in particular:

– Identification of the data subject, contact and communication with the data subject;

– Identify the data and circumstances (e.g. education, skills) of the data subject relevant to the training;

– Assess the suitability of the data subject;

– Establish a legal relationship, draft and sign the contract establishing the legal relationship;

– Organisation and management of the training;

– Monitoring the participation and progress of the data subject;

– Testing, setting specific targets, development;

– Certification of participation;

– Place the data subject with another employer, facilitating the establishment of a legal relationship;

– Invoicing and payment of fees;

– Establishing and maintaining an employment relationship, exercising related rights and fulfilling obligations;

– Performance of statutory obligations (e.g. providing data to tax and social security authorities);

– Exercise rights, fulfil obligations and enforce claims arising from the legal relationship;

– Proof of compliance with tender specifications when using grant funds;

– Promotion of the Controller’s activities;

– Website operation;

– Protecting and maintaining the safety of persons and property.

 

2.2. Legal basis of data processing

Given that the Controller processes personal data for several purposes, the legal basis for the processing may also be different. The main legal grounds are set out below, with the specific legal grounds relating to each processing operation set out in clause III of this Notice.

Consent of the data subject (Article 6 (1) (a) GDPR)

The primary legal basis for data processing is the consent of the data subject. The data subject gives his or her consent by contacting the Controller and initiating the establishment of the legal relationship, starting the application process. Consent is always voluntary, but failure to give consent may result in the legal relationship between the data subject and the Controller not being established or being terminated. In all cases, the Controller shall inform the data subject of the processing. 

Contract between the Controller and the data subject (Article 6 (1) (b) GDPR)

If the data subject enters into a contract with the Controller, he or she shall provide in the contract and the related forms the data necessary for the establishment and performance of the contract. In the case referred to in this point, data processing is carried out in order to perform the contract and to take the steps initiated by the data subject, on the basis of the referred clause of the GDPR.

If the data subject does not consent to the processing of any data requested by the Controller or specified in a contract, he or she has the right to refuse to provide the data. If the processing of the data is required by law or if the contract cannot be performed in the absence of the data, the contract will not be concluded if the data is not provided.

Compliance with a statutory obligation (Article 6 (1) (c) GDPR)

In some cases, the legal basis for data processing is a provision of the law. If data processing is mandatory by law, it is indicated in clause III of this Notice.

The legitimate interests of the controller or a third party (Article 6 (1) (f) GDPR)

Where data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, the data will be used by the Controller to pursue those interests. Processing of data under this paragraph is exceptional and will only be carried out on the basis of an individual assessment (the so-called “balancing of interests test”) in the cases set out in this Notice.

 

III SCOPE OF THE DATA PROCESSED, SPECIFIC PROCESSING OF DATA

 

3.1. Data processing related to applications

Description of data processing: Data subjects can apply for training of the Controller via the Website. When applying, the data subject provides the data specified on the Website and declares his/her acceptance of the Privacy Notice. If the Controller contacts the data subject, the data will be used solely for the purpose of the request and will be deleted after the request. If the data subject starts the application process but does not complete it, the Controller will process the data in order to allow the data subject to continue the application process. In this case, the controller will delete the data after six months, unless the data subject requests deletion earlier. In the case of a successful application, if the data subject participates in the training, the controller will process the data in connection with the contract and the training.

Scope of the data: Surname, first name, e-mail address, telephone number, selected training, selected training location.

Legal basis of data processing: The legal basis for data processing is the consent of the data subject, which he or she gives by registering and thereby consenting to the processing of his or her data. Data processing is essential for establishing the relationship between the parties and for the application process. The data subject may prohibit, refuse or withdraw his or her consent, in which case the application process will be terminated without result.

Purpose of data processing:

– Identification of the data subject, contact and communication with the data subject.

Term of data processing: If the application is without result (the data subject does not complete the application), the Controller will process the data for six months in order to allow the data subject to continue the application process. The data subject may request the deletion of the data. If the application is successful and the data subject participates in the training, the Controller will process the data in connection with the contract and the training.

 

3.2. Data processing related to online screening

Description of data processing: As part of the application process, the data subject shall participate in an online survey, during which the Controller asks questions about the data subject’s qualifications, motivation and language skills, and sets logical exercises as well.

Scope of the data: Answers to the questions asked during the online screening, data on language skills, education, logical test results, motivation letter.

Legal basis of data processing: The legal basis for data processing is the consent of the data subject, which he or she gives by applying and thereby consenting to the processing of his or her data. Data processing is essential for establishing the relationship between the parties and for the application process. The data subject may prohibit, refuse or withdraw his or her consent, in which case the application process will be terminated without result.

Purpose of data processing:

– Identification of the data subject, contact and communication with the data subject;

– Identify the data and circumstances (e.g. education, skills) of the data subject relevant to the training;

– Assess the suitability of the data subject;

– Establish a legal relationship, draft the contract establishing the legal relationship.

Term of data processing: If the data subject does not complete the screening or its result is unsatisfactory (the application is unsuccessful), the data recorded will be stored by the Controller and then deleted after one year. The purpose of processing the data in the case of a new application is to analyse the data of the previous application, to compare the data, and the data may not be used for any other purpose. The Controller shall delete the data even within the period of one year if the data subject so requests. If the screening is successful and the data subject participates in the training, the controller will process the data in connection with the contract and the training.

 

3.3. Data processing related to personal screening

Description of data processing: In the case of a successful online screening, the Controller will contact the data subject and a personal screening will take place at an agreed time. This involves the data subjects taking part in group and individual situational exercises, solving group and individual tasks and participation in motivational interviews. The Controller shall keep a record of the screening, in which the participation of the data subject, the characteristics of the participation, the answers given by the data subject and their evaluation shall be recorded. A visual or audio recording of the screening will only be made with the explicit consent of the data subjects, if the recording is necessary for evaluation or promotional purposes. In case of refusal to consent to the recording, the data subject will not suffer any disadvantage, in which case the Controller will provide the screening without recording. The personal screening can also be done without an actual personal meeting, by using a telecommunication device or software.

Scope of the data: Name of the exercises used during the screening, the participation of the data subject, his/her answers, their evaluation, and, if the data subject consents, a video and audio recording.

Legal basis of data processing: The legal basis for data processing is the consent of the data subject, which he or she gives by applying and thereby consenting to the processing of his or her data. With regard to video and audio recording, data processing is voluntary and the data subject may refuse consent. In the context of other data, data processing is essential for establishing the relationship between the parties and for the application process. The data subject may prohibit, refuse or withdraw his or her consent, in which case the application process will be terminated without result.

Purpose of data processing:

– Identification of the data subject, contact and communication with the data subject;

– Identify the data and circumstances (e.g. education, skills) of the data subject relevant to the training;

– Assess the suitability of the data subject;

– Establish a legal relationship, draft the contract establishing the legal relationship.

Term of data processing: If the data subject does not complete the screening or its result is unsatisfactory (the application is unsuccessful), the data recorded will be stored by the Controller and then deleted after one year. The purpose of processing the data in the case of a new application is to analyse the data of the previous application, to compare the data, and the data may not be used for any other purpose. The Controller shall delete the data even within the period of one year if the data subject so requests. If the screening is successful and the data subject participates in the training, the controller will process the data in connection with the contract and the training.

 

3.4. Data processing related to contracts

Description of data processing: In the case of a successful screening, the Controller enters into a contract with the data subject, on the basis of which the data subject participates in the training. The contract sets out the rights and obligations of the parties in relation to the training. Where the data subject terminates the contract and justifies the termination on the grounds of exceptional circumstances, the Controller may require the data subject to verify the circumstances justifying the termination and exempting the data subject from liability. The Controller shall not copy any document in this regard. If the contract is an adult education contract, the controller shall record the data set out in clause 3.6 below, as specified therein.

Scope of the data: Name, address, place and date of birth, mother’s name, identity card number, tax identification number, social security number, gender, e-mail address, telephone number; in case of termination, the relevant information; the parties’ statements regarding the contract; the time, manner and reason for termination.

Legal basis of data processing: The processing is necessary for the conclusion, drafting and performance of the contract between the Controller and the data subject; therefore, the legal basis for the processing is the contract. Act LXXVII of 2013 on Adult Education (hereinafter: “Adult Education Act”) makes the conclusion of a contract and the processing of data mandatory for the training courses covered by the Adult Education Act, thus the legal basis for data processing is section 11 (1) of the Adult Education Act. Data processing is essential for establishing, maintaining and performing the relationship between the parties. If the data subject does not provide the data, the contract will not be concluded. In the event of termination of the contract, the processing of the related data may not be prohibited if the processing is required by law (see clause 3.6.) or is necessary to enforce claims against the data subjects.

Purpose of data processing:

– Identification of the data subject, contact and communication with the data subject;

– Establish a legal relationship, draft and sign the contract establishing the legal relationship;

– Organisation and management of the training;

– Performance of statutory obligations;

– Exercise rights, fulfil obligations and enforce claims arising from the legal relationship.

Term of data processing: The Controller shall process the data recorded in the contracts for the duration of the training and for eight years after termination. The duration of data processing is partly justified by the fact that it is possible to enforce claims related to the contract within the limitation period (the limitation period is five years, but it can be suspended or interrupted) and partly by the fact that the training is paid for by the data subject and the documents of this must be kept for eight years. The Controller shall process the data specified by the Adult Education Act until the expiry of the time limit specified in clause 3.6.

 

3.5. Data processing related to the training

Description of data processing: During the training, the Controller continuously monitors the participation of the data subject and records the fact of participation, absence (broken down by sessions), the results of each survey and the feedback of the data subject on the training. The trainers delivering the training may also take notes on the strengths, progress and areas for improvement of the data subject. These data are processed by the Controller in its own system.

Scope of the data: Documentation of attended and missed sessions (through attendance sheets), documents verifying professional coaching delivered by electronic means, monitoring, results of surveys, tests, feedback from the data subject, instructors’ notes.

Legal basis of data processing: As a general rule, data processing is closely linked to the training, i.e. the performance of the contract between the parties, and the processing of certain data is also provided for by the Adult Education Act (see below, clause 3.6.). The data subject may not prohibit the processing of data the processing of which is required by law, in particular by the Adult Education Act, or the processing of which is indispensable for the performance of a contract between the parties or for the enforcement of claims. If, in the absence of the data requested to be deleted, the training can be carried out, the contract can be fulfilled and the processing of the data is not required by law, the Controller shall delete the data at the request of the data subject. 

Purpose of data processing:

– Organisation and management of the training;

– Monitoring the participation and progress of the data subject;

– Testing, setting specific targets, development;

– Certification of participation;

– Exercise rights, fulfil obligations and enforce claims arising from the legal relationship.

Term of data processing: The Controller shall process the data for the duration of the training and for eight years after termination. The duration of data processing is justified by the fact that it is possible to enforce claims related to the contract within the limitation period (the limitation period is five years, but it can be suspended or interrupted). The Controller shall process the data specified by the Adult Education Act until the expiry of the time limit specified in clause 3.6.

 

3.6. Data processing related to adult education

Description of data processing: Taking into account that the Controller is an organisation subject to the Adult Education Act, it is obliged to process the data specified in the Adult Education Act.

Scope of the data: Data specified in section 21 of the Adult Education Act. The Controller shall process the name, name at birth, place and date of birth, mother’s name, gender, nationality, the legal title of residence in Hungary of a non-Hungarian citizen and the name and number of the document or document entitling to residence, address, postal address, e-mail address and telephone number, social security number, tax identification number of the data subject. In addition to the above, based on the Adult Education Act, the Controller shall process training-related data pertaining to the data subject, which relate to the education, qualification, vocational qualification and foreign language skills of the person participating in the training, the entry and completion of the training, the exit from the training in the absence of completion of the training, the assessment and qualification during the training, the payment obligations related to the training and the training credit used. The Controller shall also process attendance sheets, documents certifying the professional training carried out electronically and the monitoring, original documents certifying the conditions for starting and continuing the training or copies thereof certified by the adult education provider, as well as documents certifying the input competency assessment and the preliminary knowledge assessment.

Legal basis of data processing: Data specified in sections 16 and 21 of the Adult Education Act.

Purpose of data processing:

– performance of statutory obligations.

Term of data processing: The Controller shall process the data until the last day of the eighth year following the conclusion of the adult education contract, pursuant to section 21 (5) of the Adult Education Act.

 

3.7. Provision of data under the Adult Education Act

Description of data processing: In compliance with its obligation under section 15 of the Adult Education Act, the Controller shall process and transmit the personal data specified in the relevant section. Data are transmitted through electronic data transfer to the official adult education administration authority. The data subject may prohibit the transfer of his/her personal data, e-mail address, tax identification number; the declaration of prohibition shall be made in writing.

Scope of the data: The data specified in the Adult Education Act, such as training data (data on the name, nature, location, number of hours, first day of training and, except for training in the context of closed system distance e-learning, the planned date of completion), as well as the name, name at birth, mother’s name, date and place of birth, tax identification number, e-mail address, gender, education ID, highest educational level of the data subject participating in the training.

Legal basis of data processing: Legal basis of data processing is section 15 of the Adult Education Act. The data subject may prohibit the processing in writing, in which case the transmission of natural personal data, e-mail address, tax identification number will not take place.

Purpose of data processing:

– performance of statutory obligations.

Term of data processing: The Controller shall process the data for a period of five years from the date of their creation (section 15 (2) of the Adult Education Act).

 

3.8. Data processing related to the provision of statistical data

Description of data processing: The Controller, as an organisation subject to the Adult Education Act, is an organisation obliged to provide statistical data pursuant to the Government Decree No. 388/2017 (XII. 13.). The Controller shall transfer the data processed by it, as defined in clause 3.6. above, to the Central Statistical Office.

Scope of the data processed: Data specified in clause 3.6. above.

Purpose of data processing:

– performance of statutory obligations.

Legal basis of data processing: Legal basis of data processing is performance of a statutory obligation (section 21 of the Adult Education Act).

Term of data processing: The Controller shall process the data as set out in clause 3.6. above; the data included in the provision of statistical data are processed in an unidentifiable manner.

 

3.9. Data processing related to hiring out, processing of CV

Description of data processing: Once the training has been completed, the data subjects may be placed. For this purpose, the data subjects shall prepare their professional CV, based on a template set by the Controller. The CV shall include the professional portfolio of the data subject. The CV will include information about personal identity, skills, qualifications, motivation and interests. The Controller shall process the CV for two years after the successful placement and shall inform the data subject if it is able to find another job for the data subject. Prior to that, the data subject may request the deletion of the data.

In the placement process, the Controller shall forward the CV of the data subject and the Controller’s recommendation to the partners where the data subject may be employed, taking into account the partner’s operational area and needs. The data subject may indicate companies or other employers with which he or she does not wish to establish a legal relationship, in which case the Controller shall not transmit the data to them. If requested by the data subject, the Controller shall only transfer the data subject’s data to partners of which the Controller has informed the data subject in advance and where the data subject has consented to the transfer.

After a successful placement, the data subject either enters into a legal relationship with the partner or enters into an employment contract with the Controller for temporary employment.

Scope of the data: CV, references (name of the employer concerned, details of the employment relationship: job title, place of employment).

Legal basis of data processing: The primary legal basis for data processing is the contract concluded between the parties, consent of the data subject. Data processing is essential for performing the contract between the parties. If the data subject refuses the data processing, placement becomes impossible, in which case the Controller may terminate the contract. The data subject may prohibit the transfer of data to specific partners and may request that the transfer is always based on his or her individual consent.

Purpose of data processing:

– Place the data subject with another employer, facilitating the establishment of a legal relationship;

– Establishing and maintaining an employment relationship, exercising related rights and fulfilling obligations;

– Exercise rights, fulfil obligations and enforce claims arising from the legal relationship.

Term of data processing: The Controller shall process the data for eight years after the placement. The duration of data processing is justified by the fact that it is possible to enforce claims related to the contract within the limitation period (the limitation period is five years, but it can be suspended or interrupted).

 

3.10. Recordings

Description of data processing: The Controller may make video and audio recordings of the screening or training for the purpose of presenting it to existing and potential partners, thereby increasing the effectiveness of the placement activity. Any recording is made and used only with the consent of the data subject.

If the training is financed by a grant provided by the European Union, the purpose of the recordings is to comply with the obligation set out in the Government Decree No. 272/2014 (XI. 5.) on the rules for the use of certain EU funds in the 2014-2020 programming period, on the basis of which the Controller shall document the training. Recordings are stored by the Controller and can be accessed by the bodies acting in the course of auditing the use of the grant funds, in particular the National Office for Vocational Education and Training.

Scope of the data: The video and audio recording made.

Legal basis of data processing: Data processing is voluntary and the data subject may refuse consent.

Purpose of data processing:

– Promotion of the Controller’s activities,

– Performance of statutory obligations;

– Proof of compliance with tender specifications when using grant funds.

Term of data processing: The Controller shall delete the recordings made for promotional purposes after five years. Prior to this, the Controller shall delete the recording if it is clear that it will not be used or if the data subject requests its deletion. The Controller shall retain the recordings made for the purpose of monitoring the use of grant funds for a period of eight years, before which the Controller shall delete the recordings if the monitoring has been completed and there is no need to present the recordings in the future.

 

3.11. Data processing related to invoicing, payment

Description of data processing: The Controller shall invoice the training fee to the data subject in accordance with the contract between the parties and shall provide for the related administration.

Scope of the data: Information on the invoice (amount to be paid, deadline, details of the payor), payment details (method and time of payment).

Legal basis of data processing: Data processing is mandatory and it is based on law (Accounting Act).

Purpose of data processing:

– Invoicing and payment of fees;

– Performance of statutory obligations (e.g. providing data to tax and social security authorities).

Term of data processing: The data in the document will be processed by the Controller for eight years under the Accounting Act.

 

3.12. Data processing related to employment

Description of data processing: If the placement is successful, an employment relationship may be established between the data subject and the Controller for temporary employment. In this case, the parties sign the employment contract. As part of the data processing, the Controller makes the notifications required by law (tax authority, social security).

The Controller shall record the data of the data subject in the HR records. The register includes an IT application in which the data are recorded and processed, and which is used by the Controller for labor administration, payroll accounting and the production of statements. The Controller shall retain the card copy documents received in the personal file of the data subject. The HR records contain information on the remuneration and benefits of the data subject (income, fringe benefits).

The Controller shall verify the medical aptitude of the data subject, as defined in the applicable legislation. The aptitude test shall be carried out by a company doctor, and the Controller shall provide the data of the employee to the company doctor after informing the employee. The Controller shall only process the result of the test and shall not process any health data.

In the event of termination of the employment relationship between the Controller and the data subject, the Controller shall make the necessary notifications and issue the certificates and forms provided for by the Labor Code, and make the necessary notifications to the authorities.

In the case of temporary employment, the Controller shall transmit to the temporary work agency the data of the data subject which are necessary for the temporary employment (natural person’s identification data, job title).

Scope of the data: Details of the data subject as contained in the employment contract (name, mother’s name, date and place of birth, address, identity card number, social security number, tax identification number); medical aptitude results (fit – unfit – temporarily unfit), bank account number, other data generated in the context of the employment relationship (salary, career, statements).

Legal basis of data processing:

Data processing is based on the contract between the parties. Data processing is essential for establishing, maintaining and performing the relationship between the parties. The data subject may prohibit, refuse or withdraw his or her consent, in which case the contract is not concluded or the concluded contract will terminate.

Data processing is mandatory in the case of a concluded employment contract and it is based on law. The legislation that requires data processing is the legislation on social security, taxation and medical aptitude assessment.

Purpose of data processing:

– Identification of the data subject, contact and communication with the data subject;

– Establish a legal relationship, draft and sign the contract establishing the legal relationship;

– Establishing and maintaining an employment relationship, exercising related rights and fulfilling obligations;

– Performance of statutory obligations (e.g. providing data to tax and social security authorities);

– Exercise rights, fulfil obligations and enforce claims arising from the legal relationship.

Term of data processing: The data will be processed by the Controller for eight years after the termination of the employment. In addition, the Controller shall also process the data necessary to establish entitlement to social security pension benefits, taking into account that the data subject may need to provide proof of entitlement to pension benefits. These data will be deleted by the Controller if the data subject so requests – in this case, subsequent provision of data is not possible.

 

3.13. Data processing related to asserting claims

Description of data processing: Under the contract, the data subject shall pay a fee to the Controller. If a dispute arises between the Controller and the data subject, and one of the parties to the dispute intends to assert a claim (material or otherwise) against the other party, the data may be used in the course of the assertion of the claim. In this case, the Controller uses the processed data for the purpose of proving the validity of the claim and, if necessary, to assert the claim through legal proceedings.

Scope of the data: The nature of the claim, the data on which the claim is based, the data relating to asserting the claim.

Legal basis of data processing: The legal basis for the processing is partly a provision of law, which allows asserting the claim in the legal relationship between the parties. If the claim is based on a contract, the legal basis for processing is the performance of the contract between the data subject and the Controller. The legal basis for processing is also the asserting of the Controller’s legitimate interests. The Controller has performed the balancing of interests test.

Purpose of data processing:

– Exercise rights, fulfil obligations and enforce claims arising from the legal relationship.

Term of data processing: The processing lasts until the claim is asserted or, failing that, until the claim is legally enforceable. The Controller shall delete the data if the claim cannot be asserted, in particular if it is time-barred or if asserting the claim is unsuccessful.

Short presentation of the balancing of interests test:

In the case of processing under this clause, it is in the interest of the Controller to obtain the due consideration in the event of performance of the contract between the Controller and the data subject. In all cases, the processing is carried out for the purposes of asserting a claim based on a contract or an undertaking given by either party; the conclusion of the contract or the undertaking is always based on the data subject’s voluntary decision. In other words, the data subject has undertaken to pay the contractual fee to the Controller if the service is used. The Controller has a legitimate, contractual interest and right to receive this fee.

If the data subject does not voluntarily comply with the Controller’s claim, the Controller shall assert it by legal means, as provided for by the applicable legislation, i.e. there is no other way to achieve the purpose.

Asserting the claim is subject to the use of the data necessary to support the claim, to prove it, to initiate the necessary procedures; without the use of these data, the claim cannot be asserted, as the Controller cannot prove it, or initiate the procedures.

Taking into account that the ground for the processing is the unlawful action of the data subject and that the data are used in a lawful manner (procedure), the processing cannot be considered as a disproportionate restriction

 

3.14. Data processing related to recommendation, system of recommending

Description of data processing: The Controller operates a recommendation system whereby the data subject can recommend a third party to the Controller’s training programme. In the case of a successful recommendation, the Controller will provide the data subject with the predetermined discount or benefit. The person making the recommendation is responsible for the lawfulness of the recommendation, in particular for the fact that the recommended person has consented to the processing of his/her data. On this basis, the person making the recommendation shall obtain the consent of the recommended person before making the recommendation.

Scope of the data: Name of the recommending person, e-mail address, name of the person recommended, other information provided by the recommending person.

Legal basis of data processing: Data processing is voluntary and the data subject may refuse consent. The recommendation is conditional on the consent of the person recommended, i.e. the recommending person shall always seek the consent of the person recommended. If the recommended person requests, the Controller will delete all data related to the recommendation.

Purpose of data processing:

– Establish a legal relationship, draft and sign the contract establishing the legal relationship;

– Promotion of the Controller’s activities.

Term of data processing: The data will be deleted by the Controller if the data subject so requests. If the recommendation is unsuccessful (the recommended person does not wish to contact the Controller), the data will be deleted by the Controller. If the recommendation is successful, the processing will follow the general rules.

 

3.15. Processing of image

Description of data processing: The Controller takes a photo of the data subject (or requests a photo), which appears in the Controller’s system alongside the data relating to the data subject. The photo of the data subject is used to identify the data subject; the photo can be used by the data subject to create his or her CV.

Scope of the data: Photo of the data subject.

Legal basis of data processing: Data processing is voluntary and the data subject may refuse consent.

Purpose of data processing:

– Placing the data subject with another employer, facilitating the establishment of a legal relationship.

Term of data processing: The photo is processed by the Controller in the same way and for the same period as the CV. The data subject may request the deletion of the image.

 

3.16. Requests from authorities, bailiffs, courts

Description of data processing: If the Controller receives a request from an authority, bailiff or court concerning any employee and the request complies with the applicable legislation, the Controller shall register and execute the request and record the action taken on the basis of the request. 

Scope of the data processed: Data related to the request in question.

Legal basis of data processing: The legal basis for data processing is always the legal authorisation on which the request is based.

Purpose of data processing: 

– Performance of statutory obligations (e.g. providing data to tax and social security authorities).

Term of data processing: The duration of data processing is subject to the general rules applicable to the data concerned.

 

3.17. Data processing related to the Website

Description of data processing: When visiting the Website, the IP address of the data subject’s computer, the start and end times of the visit and, in some cases, depending on the settings of the data subject’s computer, the type of browser and the operating system will be recorded. These data recorded in a log file will be used for statistical purposes only and will be transmitted by the controller to third parties only on the basis of an express provision of the law.

To enable the Controller to tailor its website to the needs of its customers, it uses the system of Hotjar Ltd. (www.hotjar.com), which collects and stores data for marketing and optimization purposes. It uses this data to create user profiles under pseudonyms. Without the consent of the data subject provided specifically for this purpose, the data collected will not be able to identify the visitor of the Website individually and will not be linked to the personal data of the pseudonym holder. In this context, the data of the user’s browser and internet device (country, IP address in an anonymised form, type of device, screen size, browser type, operating system type, pages visited, time of visit) are processed and stored. The collection and storage of data can be disabled in the user’s browser, more information on which can be found at the following link: https://www.hotjar.com/opt-out. The processing of data is not suitable for personal identification.

On the Website, the Controller maintains a chat service in the form of an automated chatbot. Users may ask questions in the chatbot and are not required to provide any personal data. The service provider of the chatbot, and thus the processor of the personal data entered in the chatbot, is Talk-a-bot Kft.

The Controller uses cookies on the Website, as set out in the Cookie Notice.

Scope of the data processed: The data specified above related to the visit of the Website, and the data provided by the user in the chatbot.

Legal basis of data processing: The legal basis of data processing is the data subject’s consent, which he or she gives by visiting the Website in the knowledge of the notice of data processing.

Purpose of data processing: 

– Website operation.

Term of data processing: As data is stored anonymously in the Controller’s system after the data subject’s visit, the data is processed for as long as the data subject uses the Website. The content provided in the chatbot is stored by the Controller for five years.

 

3.18. Camera recordings

Description of data processing: There are cameras in operation in the Controller’s training rooms. In all cases, the cameras are placed in a clearly visible location, and the fact of surveillance is obvious to the data subjects. The cameras point exclusively at the entrance to each room. There are no cameras in operation in rest areas, restrooms, and other places where surveillance may violate the privacy of the data subjects. No cameras point at workplaces, and the cameras do not monitor the work and study activities of the data subjects. The recordings made by the cameras are recorded on a server maintained by the Controller, and only the executive of the Controller and a person authorised in writing by him or her have access to the recordings. The recordings will be processed by the Controller for three days, and the recordings will only be disclosed when justified by a relevant event (an act that violates personal or property security or endangers safety). If, on the basis of the recordings, it can be assumed that further measures will be necessary, official proceedings will be initiated, lawsuits will be filed, and the recordings will be used in these proceedings, the Controller shall block the relevant part of the recordings and store them separately. If using or retaining a recording is necessary for the enforcement of the right or legitimate interest of the data subject, the Controller shall, upon a reasoned request by the data subject, block the recording, store it separately and disclose it upon request of an authority or court in proceedings initiated by the data subject.

Scope of the data processed: Image recorded by the cameras.

Legal basis of data processing: The legal basis of data processing is the legitimate interests of the Controller. The Controller has performed the balancing of interests test.

Purpose of data processing:

– Protecting and maintaining the safety of persons and property.

Term of data processing: The Controller shall delete the recordings within three days if their further storage is no longer necessary on the basis of the above. If further storage is necessary, the Controller shall process the recordings until the purpose for which they were stored ceases to exist, and shall delete the recordings when their use is no longer necessary.

Short presentation of the balancing of interests test:

In the case of processing under this clause, it is in the interest of the Controller to ensure that the security of persons and property in the premises of the Controller where a large number of teachers and students are present is maintained, and to ensure that acts that infringe these are detected. Thus the value to be protected is the safety of persons and property.

The interest to be protected can be enforced in several ways, such as the continuous presence of security personnel, prior screening of data subjects. In the case of cameras, infringing acts can be prevented, since cameras have a significant deterrent effect, and cameras can also be used to detect infringements of the safety of persons and property, to hold the offenders accountable, to sanction the offence or to enforce the relevant claim in the appropriate official or judicial proceedings. In other words, by using cameras, the interest can be achieved and secured, therefore the use of cameras is necessary.

The presence of the cameras is obvious to the data subjects, they are informed about it and there is no secret surveillance. By selecting the areas monitored (placement of cameras) it is guaranteed that no areas are monitored where the privacy of the data subjects would be disproportionately affected. The data subject may have access to the recordings and, where justified, may also use them, therefore the recording may also serve the interests of the data subject.

 

  4. OTHER INFORMATION RELATED TO DATA PROCESSING

 

4.1. Data transfer

General rules of data transfer: The Controller shall only transfer personal data to third parties if the data subject has given his or her unambiguous consent, knowing the scope of the data transferred and the recipient of the data transfer, or if the transfer is authorised by law. The transfer of data is mandatory if it is based on a request issued by the police, public authority or court bailiff in accordance with the applicable law. 

Data transfer to the employer: If the data subject successfully completes the training, the hiring out or placement will be carried out, as described in clauses 3.9. and 3.12. above.

Data transfer in relation to the employment: Where an employment relationship is established between the Controller and the data subject, the Controller, as the employer, shall transfer the data when this is required by law. In particular, the following laws impose an obligation to transfer data:

– Act LXXX of 1997 on Persons Entitled to Social Security Benefits and Private Pensions and on the Coverage of these Services (data to be provided to the social security administration bodies, tax authorities, for the purpose of social security registration);

– Act LXXXI of 1997 on Social Security Pension Benefits (providing data to the pension insurance administration for the purpose of recording the length of service, earnings and other data required for pension entitlement and pension determination);

– Act XCIII of 1993 on Occupational Safety and Health (data reporting to the Occupational Safety and Health Authority, reporting of accidents at work, registration of workers exposed to carcinogens, registration of serious accidents at work);

– Act CL of 2017 on the Rules of Taxation (providing information to the tax authority on the payment of a taxable amount, the assessment of tax or the issuance of a certificate entitling to a tax reduction). 

In addition to the above, the Controller shall transmit the employee’s data to the company doctor who performs the medical aptitude assessment.

Data transfer on the basis of the Adult Education Act: data transfer is described in clauses 3.7. and 3.8. above.

 

4.2. Data processing

The Controller is entitled to use a data processor to carry out its activities. Data processors do not take independent decisions, they act on behalf of the Controller in the course of the processing on the basis of a written contract with the Controller, as specified in the contract and as instructed by the Controller. The Controller monitors the work of the data processors. Data processors may use an additional processor only with the consent of the Controller. The Controller shall inform the data subject about the data processors upon his or her request.

 

4.3. Data security, access to data

The Controller shall ensure the security of the data, shall take the technical and organisational measures and shall establish the procedural rules to ensure the implementation of the data security requirement. The Controller shall keep records of the data processed by it in accordance with the applicable legislation, ensuring that the data may only be accessed by employees and other persons acting in the interests of the Controller who need to know them in order to perform their job or task, and that only data necessary for the performance of the job of the person concerned may be accessed. Confidential processing of data is a job-related obligation for all employees.

The Controller shall provide, in particular, in the context of its IT security responsibilities, for:

– Measures to protect against unauthorised access, including protection of software and hardware devices and physical protection (access protection, network protection);

– Measures to ensure that data files can be recovered, including regular backups and separate, secure management of copies (mirroring, backup);

– Protecting data files against viruses (virus protection);

– The physical protection of data files and the media on which they are stored, including protection against fire, water, lightning and other natural hazards, and the recoverability of damage caused by such events (archiving, fire protection).

The Controller shall take the necessary measures to protect paper-based records, in particular with regard to physical security and fire protection.

Employees, agents and other persons acting on behalf of the Controller shall keep secure and protect data media containing personal data which they use or have in their possession, regardless of the way in which the data are recorded.

 

4.4. Term of data processing

The Controller shall ensure that the duration of the processing of personal data does not exceed what is necessary and lawful by establishing and maintaining rules on deletion. Data will be deleted in the following cases:

  1. The personal data are no longer necessary for the purposes for which they were collected or otherwise processed. If the purpose of the processing ceases to exist and the processing of the data is no longer required by law, the Controller shall delete the data. If the legal relationship between the data subject and the Controller is terminated, the purpose of the processing is to enforce the claims arising from the legal relationship. Given that claims become statute-barred after five years, but the limitation period can be interrupted and restarted, data shall be deleted eight years after the termination of the legal relationship.
  2. Withdrawal of consent by the data subject. If the Data Subject withdraws his or her consent or if the Data Subject requests the deletion of the data, the Controller shall in each case examine whether the processing is required by law. If the processing is required by law, the Controller shall refuse the request for deletion. If the processing of the data is not mandatory, but the Controller has a legal basis for it and the processing is necessary for the establishment, exercise or defence of legal claims, the Controller shall examine whether the data can be deleted. If the processing of the data is not required by law, and the Controller has no legal basis for processing the data other than consent, or if the processing of the data is not justified despite the legal basis, the Controller shall delete the data at the request of the Data Subject. If the Controller refuses a request for erasure, it shall inform the Data Subject in each case, indicating precisely the legal basis for refusing the erasure request and the legal remedies available.
  3. The data subject objects to the processing. Where the processing is based on the legitimate interests of the controller, the data subject may object to the processing. In this case, the Controller shall delete the data unless it can be demonstrated that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. 
  4. There is evidence that the processing of the data is unlawful. If the processing of the data is unlawful, the Controller shall in any case delete it as soon as the fact of unlawful processing becomes apparent.
  5. The deletion of the data is necessary to comply with a legal obligation or has been ordered by a court or the National Authority for Data Protection and Freedom of Information. If the deletion is required by law or ordered by a court or public authority and the order is final, the Controller shall delete the data.
  6. The time limit for storing the data, set in advance, by law or in the consent, has expired. If the duration of data processing is prescribed by law, the Controller shall delete the data after the expiry of the period specified by law.

In the event of deletion, the Controller shall render the data unidentifiable. Where required by law, the Controller shall destroy the storage medium containing the personal data.

 

4.5. Personal data breach management

A personal data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Controller shall notify the personal data breach to the National Authority for Data Protection and Freedom of Information without undue delay, unless the data breach is unlikely to pose a risk to the rights and freedoms of data subjects. The Controller shall keep a record of the personal data breaches, together with the actions taken in relation to the relevant incident. If the incident is serious (i.e. likely to result in a high risk to the rights and freedoms of the data subject), the Controller shall inform the data subject of the personal data breach without undue delay.

 

  5. RIGHTS OF THE DATA SUBJECTS AND THEIR ENFORCEMENT

 

5.1. Rights of the data subjects

Information (access). Data subjects are entitled to be informed about the processing of their data. The Controller shall inform the data subject about the processing of the data at the time of collection, and this Notice shall be available to the data subject at any time. The data subject may request comprehensive information on the processing of his or her data at any time during the processing. The data subject may request the Controller to provide him/her with a copy of the data.

Rectification. The data subject may request the Controller to correct inaccurate data relating to him or her or to complete incomplete data.

Deletion, withdrawal of consent. The data subject may withdraw his or her consent to the processing of his or her data at any time and may request the deletion of his or her data. The Controller shall refuse deletion only if the processing is based on law or if the processing is necessary for the establishment, exercise or defence of legal claims.

Restriction. The data subject may request the restriction of processing in the following cases:

  (a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the controller to verify the accuracy of the personal data;
  (b) the processing is unlawful and the data subject opposes the deletion of the data and requests instead the restriction of their use;
  (c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims;
  (d) the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.

If the processing is restricted, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the European Union or a Member State.

Objection. Where the processing is based on the legitimate interests of the Controller or a third party, the data subject may object to the processing of his or her personal data at any time on grounds relating to his or her particular situation. In this case, the controller may not continue processing the personal data unless the controller demonstrates that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject may object at any time to the processing of personal data relating to him or her for such purposes. 

Data portability. The data subject may receive personal data relating to him or her in a structured, commonly used, machine-readable format and has the right to transmit such data to another controller, provided that the processing is carried out by automated means. The data subject may request, where technically feasible, the direct transfer of personal data to another controller.

 

5.2. Guaranteeing the rights of the data subject, processing the data subject’s requests

The Controller shall inform the data subject about the data processing at the time of contact. The information on data processing can be found on the forms on which the data subject provides his or her data, and the data subject also has access to this detailed Notice, the fact and availability of which the Controller draws the data subject’s attention to.

The data subject may submit a request to exercise his or her rights to the Controller by any means (oral, written). The Controller shall examine the request without delay, decide whether to comply with it and take the necessary measures. The Controller shall notify the data subject of the measures taken within one month. The notification shall in all cases include the action taken by the Controller or the information requested by the data subject. If the Controller refuses to comply with the request (fails to take the necessary measures to comply with the request), the notification shall include the legal basis for the refusal, the grounds for refusal and the legal remedies available to the data subject.

The Controller shall not make the execution of the request subject to the payment of any fee or reimbursement of costs.

Where, due to the circumstances or the manner in which the request was made, it is not certain that the request originates from the data subject, the Controller may require the applicant to prove his or her eligibility or to present the request in such a way that eligibility can be clearly established. 

The Controller shall inform any recipient to whom or with which the personal data have been disclosed of the rectification, deletion or restriction of processing, unless this proves impossible or involves a disproportionate effort. Upon his or her request, the controller shall inform the data subject of these recipients.

 

5.3. Remedies

Where the data subject’s rights have been infringed, the data subject may request the controller to cease the unlawful processing, to review the processing or the refusal of the data subject’s request. The Controller shall in any case investigate the data subject’s complaint in this regard and inform the data subject of the outcome.

The data subject may also lodge a complaint directly with the National Authority for Data Protection and Freedom of Information (address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.; phone: +36-1-391-1400; e-mail: [email protected]; website: www.naih.hu).

The data subject may take legal action if his or her rights are infringed. The Controller shall provide the data subject, upon request, with detailed information about the court having jurisdiction to hear the case and the possibility of bringing an action.