Privacy Policy
Privacy notice
The protection of your personal data is important to us. For this reason, hereinafter we explain what type of personal data that IDBC Creative Solutions Kft. processes in the course of its business and marketing activity, for what purpose and on which legal basis, as well as the organisational and technical measures it implements.
The Privacy Notice also sets out the data protection rights. Natural persons (private individuals) have data protection rights. Such natural persons are usually called “data subjects” in the data protection legislation; for this reason, we also use this term in this Notice.
1. Name, contact information of the data controller
Name of the data controller IDBC Creative Solutions Kft. (hereinafter: “Data Controller” or “IDBC”)
The registered seat and mailing address: H-1138 Budapest, Népfürdő utca 22. Duna Tower Office Building, Tower A. Floor 13.
Registration authority: Company Registry Court of Budapest-Capital Regional Court
Company registration number: 01-09-192925
Tax number: 24983332-2-41
E-mail address: info@idbc.hu
Phone number: +36 30 479 8090
Website: https://idbc.hu
2. Main legislation relating to data processing
a) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR” or “General Data Protection Regulation”)
b) Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: “Privacy Act”)
c) Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (hereinafter: “E-Commerce Act”)
d) Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: “Commercial Advertising Act”)
3. Processing activities
3.1. Registration to online events
IDBC supports in a number of ways (e.g., webinars, meetups) that those interested in its business activity can access information and get informed of the professional news and updates. A webinar or a meetup is an online roundtable discussion with experts on a topic announced in advance, while an online training is a knowledge-transfer event relating to a professional matter also announced in advance (hereinafter together: “online event”).
Those interested can participate in the online event after registration on the idbc.hu website. Each online event is subject to a separate registration. Messages containing technical information (e.g., reminder of the date and time, link of the online even) will be sent to the registered e-mail address before and after the date of the online event. IDBC considers it important to improve its services and to nurture public relations, therefore, it request the participants of the online event to complete satisfaction survey after the online event, which is anonymous and non-mandatory.
IDBC relies on the services of Zoho for the registration; further details can be found in point 6.
Processed personal data | Purpose of data processing |
name, e-mail address, company name, title, phone number | identification of the participant of the online event, data security measures, follow-up of the online event (e.g., measurement of satisfaction) |
Legal basis of data processing: Point (f) of paragraph 1 of Article 6 of the GDPR: the legitimate interest of IDBC (definition of the conditions of the service, identification of the participant of the online event, data security measures, follow-up of online events). IDBC stores the data of the participants registered to the webinar in its database, and may contact them later on with advertising contents relating to the topic of the webinar. Acknowledgement of this is a prerequisite for registration.
Period of data processing: up to 3 years from the provision of the personal data
3.2. Newsletter
IDBC sends newsletters at regular intervals (a couple of times a year) to the subscribers, in which it communicates updates and news relating to its business activity, information of the planned events (e.g., topic, date and time, follow-up), as well as accounts and interesting facts of previous events, or conducts opinion polls by phone or in writing among those subscribing to its newsletter. From time to time, IDBC may send special messages or requests using the conclusions drawn from the company name and title provided upon registration (see point 3.1) (e.g., requesting the opinion of persons engaged in recruitment about topics they are interested in).
For technical reasons, subscription to the newsletter takes place simultaneously with the registration (see point 3.1) by completing the drop-down menu destined for this purpose; however, subscription is not a requisite for participating in or registering to the online event.
You can unsubscribe from the newsletter at any time; in this case, the data subject will no longer receive notification of the latest offers of IDBC, the trends experienced in the area of IT and HR, updates, professional information, and accounts of the previous online events. Data subjects can unsubscribe from the newsletter via the “unsubscribe” link at the bottom of the newsletter or by e-mail sent to the e-mail address provided in point 1 (see also points 7.3. and 7.4)
Processed personal data | Purpose of data processing |
name, e-mail address, company name, title, phone number | newsletter, contact, opinion polls |
Legal basis of data processing: Point a) of paragraph 1 of Article 6 of the GDPR: consent of the data subject
Period of processing: until the withdrawal of the data subject’s consent (see also points 7.3. and 7.4)
3.3. Advertising campaigns
In order to provide as high-quality services as possible to the clients, to support the activity of the business partners, and to present its activity, IDBC conducts regular and ad-hoc advertising campaigns.
IDBC uses the following information for its advertising campaigns:
- Facebook statistics (see also point 5)
- LinkedIn profile (occupation, interests)
- Subscribers to the newsletter (company name, title)
The data listed above may only be used for marketing purposes on the basis of the data subject’s consent.
Period of the processing of personal data: until the withdrawal of the data subject’s consent (see also points 7.3. and 7.4)
3.4. Data processing relating to the exercise of data subjects’ rights and to complaints concerning the processing of personal data
In the course of all data processing activities carried out by IDBC, data subjects may exercise their rights set out in point 8 of the Privacy Notice; they also have the right to contact the Data Controller with a complaint concerning the processing of their personal data. If the problem concerning the processing of personal data is associated with the activity of the contributors (see point 6), the given contributor will be competent in the procedure. In the case of a privacy complaint concerning the data processors (see point 6) or enforcement of the data subject’s rights, IDBC will take actions only if the privacy complaint or the exercise of the data subject’s rights concerns the controlling (processing) activity carried out within the framework of the cooperation with IDBC. IDBC may involve the data processor into the investigation of the privacy complaint or enforcement of the data subject’s rights concerning the data processor, and for this purpose it may also transfer the personal data of the data subject referred to in this point to the data processor if this does not violate the rights and freedoms of the data subject. Any data privacy complaint or enforcement of the data subject’s rights concerning the activity of the data processor that falls outside the scope of the contract concluded between IDBC and the data processor will be handled directly by the data processor.
The identification data (name, place and date of birth, mother’s name) will be fully processed only if the data subject’s right cannot be exercised, or the privacy complaint cannot be handled in the absence of such data. The data subject’s rights are rights associated with a person; therefore, If IDBC has any doubt concerning the identity of the person submitting the complaint or exercising the data subject’s right, it may request further identification data to be provided. If the data subject fails to provide the personal data necessary for identifying his or her person which are indispensable for the exercise of his or her rights or handling the privacy complaint, the Data Controller has the right to refuse the exercise of the data subject’s rights or reject the complaint.
Processed personal data | Purpose of data processing |
the name, place and date of birth, mother’s name, e-mail address of the person enforcing the data subject’s rights or submitting a complaint, other data provided in the request concerning the enforcement of his or her right or the privacy complaint (e.g., his or her address, subject of the complaint) | enforcement of the data subject’s rights,handling of complaint |
Legal basis of data processing: Point (c) of paragraph 1 of Article 6 of the GDPR – the fulfilment of the legal obligation under Articles 15-18 and Article 21 of the GDPR
Period of data processing: 5 years from closure of the enforcement of the data subject’s rights or the addressing of the complaint concerning the processing of personal data (general limitation period under the Civil Code). If the enforcement of the data subject’s rights, the addressing of the data subject’s complaint entails an administrative or judicial procedure, the period of the data processing under this point lasts until the retention period of the documents of the administrative or judicial procedure.
3.5. Social media sites
IDBC operates a fan page for business purposes, and in certain cases (e.g., podcast) it creates closed groups on Facebook operated by Facebook Ireland Ltd. [European seat: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland], it also operates a fan page for business purposes on Instagram, which belongs to Facebook (hereinafter together: Facebook) in order to share contents, present its activities and the community events that it organises to the users of the social networking sites, and to the visitors of IDBC’s fan pages and closed Facebook groups.
In the application of this point, all natural persons who view the IDBC social media sites, rate, react to (e.g., likes) or comment on the communications and offers published by IDBC or the services of IDBC, or share the social media pages or any post of IDBC shall be deemed as data subjects. The members of the closed Facebook groups created by IDBC shall also be deemed as data subjects.
In the course of operating the fan pages/closed groups, IDBC and Facebook shall be deemed as Joint Data Controllers; accordingly, IDBC either acts independently or cooperates with Facebook concerning the processing of the personal data, depending on the type of data processing operation which is necessary in connection with the given personal data (not including the data processing operations that can be carried out by the data subject).
The platforms provided by Facebook for business purposes contain features which can be used by the creator of the fan pages operated for business purposes (IDBC) but cannot be changed by the latter. These include the types of cookies used by Facebook to monitor the visitors of the fan pages (counting, analysing the user’s behaviours) As the operator of fan pages/closed groups, IDBC may access demographic data concerning its target group (e.g., composition according to age, marital status and professional situation), data concerning the lifestyle and interest of its target audience (including data relating to the online purchases of the persons visiting its page); furthermore, it can access geographical data as well, based on which it can make the shared contents more targeted, and decide where it should offer special discounts or organise events. IDBC uses the statistical data supplied by Facebook only to the strictly necessary extent.
Given that the data groupings supplied by Facebook may sometimes be suitable for identifying persons but IDBC cannot influence the collection and analysis of such data, the data subjects (visitors of the IDBC fan page, members of the closed groups) are advised to set the privacy authorisations in their own Facebook and Instagram accounts in a way that allows the sharing of private information to the least possible extent. The privacy settings are accessible by clicking on the sign located at the upper right corner of the Facebook profile. More details of the privacy policy of Facebook are available at this link: https://hu-hu.facebook.com/help/213802165366955
IDBC is also present on LinkedIn, created for the purpose of social connections and community building, constituting the network of various professionals and using a number of functions. LinkedIn functions similarly to Facebook, but here the purpose is to share business news, essays, presentations and to discuss professional topics. More information can be found about LinkedIn here: https://about.linkedin.com/?trk=homepage-basic_directory_aboutUrl, and more privacy-related information is available here: https://www.linkedin.com/legal/privacy-policy?src=li-other&veh=www.linkedin.com&trk=homepage-basic_directory_aboutUrl.
IDBC actively uses the functions and features provided by LinkedIn, which can be influenced by the data subject by adjusting the settings of his or her own profile.
Please note that joining the Facebook fan page or any closed groups of IDBC or following the LinkedIn page or using (accepting) the contact function of LinkedIn do not constitute conditions for – for example – establishing or maintaining an employment relationship or establishing a business relationship with IDBC or participating in the online events of IDBC; in this regard, data subjects may act taking into account the information set out in this point, at their own discretion.
4. Profiling, automatised decision making
By using the personal data that it processes, IDBC may sometimes carry out profiling (grouping according to some characteristic) by using conclusions that can be drawn from the name of the workplace and the title; IDBC uses this to define the target audience of thematic newsletters and advertising campaigns. In the course of profiling or on the basis of profiling, IDBC does not apply automatised decision making (machine generated decision affecting the data subject).
5. Data security
IDBC ensures with appropriate IT, organisational and personnel measures the protection of the personal data processed by it from – amongst other things – unauthorised access to or unauthorised change or destruction thereof. The measures cover for example making the use of the IT system subject to roles, logging accesses to the data stored in the IT system; thus, it can always be verified who and when accessed which personal data. The recorded data can be accessed by IDBC and the Joint Data Controllers, as well as the colleagues of data processors authorised to do so, trained in terms of data protection and subject to confidentiality obligations, exclusively in order to perform their job functions, and only to the extent and for the time necessary for doing so.
6. Access to the data, contributors (e.g., data processors)
IDBC relies on contributors for storing the personal data, organising online events and conducting advertising campaigns. If the contributor can access personal data on behalf of IDBC, then it shall be deemed as a data processor under the GDPR. The data processor may not make any independent decision concerning data protection, it may only act in accordance with the contract concluded with IDBC and the instructions received from IDBC in the course of processing the personal data. IDBC only relies on data processors whose adequate technical and organisational measures guarantee a level of data security adequate to the extent of the risk. The specific tasks and responsibilities imposed on the data processor are contained in the contract between IDBC and the data processor.
In the case of social media sites (see point 3.5) it may occur that the company that operates it is deemed as an independent data controller (e.g., LinkedIn) or a joint data controller with IDBC (e.g., Facebook). Independent data controllers are responsible for their own processing; therefore, they will have competence in the activities that they carry out. If during the course of using any platform IDBC is deemed to be a joint data controller, it must be established on a case-by-case basis which processing operation can be influenced by IDBC, and the data subject’s rights can only be exercised in the case of such operations.
6.1. The owner of Facebook and Instagram social media sites (related processing point 5) – joint data controller
Facebook Ireland Ltd. [registered seat: 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland] – joint data controller with IDBC in the course of the processing of the personal data of natural persons visiting the profile of the Data Controller maintained for business purposes (so-called fan page) and interacting with the posts shared on the fan page (e.g., likes, shares, comments).
The Data Use Policy of Facebook is available at this link: https://www.facebook.com/full_data_use_policy.
The Data Policy of Instagram is available at this link: https://help.instagram.com/519522125107875/?helpref=hc_fnav&bc[0]=Instagram%20Help&bc[1]=Privacy%20and%20Safety%20Center
6.2. The owner of LinkedIn community platform (related processing: point 5) – independent data controller
LinkedIn’s European subsidiary (Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, company registration number in Ireland: 477441). The Privacy Policy of LinkedIn is available here: LinkedIn Privacy Policy
6.3. Processing relating to online events (see points 1. and 3.2) – independent data controller
IDBC processes the personal data concerning those registering to online events and subscribing to newsletters by electronic means, for which it uses the Campaigns module of Zoho (https://www.zoho.com/campaigns/). Details concerning the privacy and data security principles of Zoho can be found here (Zoho – Data Privacy and our stand against surveillance.), and those of its privacy notice are available here: (https://www.zoho.com/privacy.html) .
7. Data transmission
IDBC only transfers to third parties (e.g., authority, court, other public entities) the personal data processed by it in the manner and for the purpose specified in the legislation.
8. The data subject’s rights relating to data processing
8.1. Right to receive information, right of access
By using the contact information specified in point 1, the data subject can request IDBC in writing to provide information on the types of his or her personal data processed, the legal basis, purpose of such processing, the source of such data and the period of processing; the data subject may also request for information on the persons to whom IDBC provided access to the personal data or transferred the personal data concerning the data subject, and when and on what legal basis it did so.
In the event where the data subject requests the information under this point in several copies, the Data Controller is entitled to charge a reasonable fee proportionate with the administrative costs incurred in connection with the preparation of the additional copies.
If the data subject’s right of access under this clause affects the rights and freedoms of others adversely – in particular, their business secrets or intellectual properties –, IDBC is entitled to refuse the execution of the data subject’s request to the necessary and proportionate extent.
Given that the exercise of the right of access is guaranteed to the data subject personally, IDBC will request the identification of the applicant’s person prior to the execution of the request. The Data Controller has the right to request the data subject to specify the content of the request, to name the requested information and data processing activities in order to adequately comply with the request.
IDBC will comply with the data subject’s request within up to one month by sending a letter of response to the contact information provided by the data subject.
8.2. Right to rectification
By using the contact information provided under point 1, the data subject can request IDBC to modify any of his or her personal data (for example, he or she may change his or her e-mail address or other contact information at any time) or to complete incomplete personal data.
The Data Controller will comply with the request within up to one month and notify the data subject of the execution in a letter of response sent to the contact information provided by the data subject.
IDBC informs of the rectification those to whom it has transmitted the personal data concerned provided that the provision of this information is not impossible or does not require disproportionate effort from the Data Controller.
8.3. Right to withdraw the consent to data processing
The data subject may withdraw his or her consent to data processing at any time, which does not affect the lawfulness of the data processing carried out prior to the withdrawal based on the consent. If the consent to data processing is necessary for implementing an event or an application in which the data subject wishes to participate and the data subject withdraws his or her consent to data processing, following the withdrawal of the consent his or her participation in the event or application will no longer be longer possible. Withdrawal of the consent to data processing also entails the erasure of the personal data concerning participation in the event or application at the Data Controller (see the next point). If the consent to data processing is withdrawn in a mobile application or other computer application in which the Data Controller does not have “admin” rights, it is the operator or owner of the application that will provide information on the consequences of the withdrawal of the consent (e.g., erasure of data).
8.4. Right to erasure
By using the contact information provided under point 1, the data subject may request IDBC to erase all or some of his or her personal data if any of the following grounds are present:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
c) the data subject objects to the processing of his or her personal data under the legal basis of legitimate interest or for the purpose of direct marketing (including profiling used for direct marketing, and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services (provided to children) referred to in Article 8(1) of the GDPR.
IDBC will not execute the erasure if data processing is necessary for
a) exercising the right of freedom of expression and information (see point 1)
b) or compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or
c) for certain health-related purposes by or under the liability of persons subject to a legal obligation of professional secrecy,
d) for the establishment, exercise or defence of legal claims, or
e) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and the erasure of personal data is likely to render impossible or seriously impair the achievement of the objectives of that processing.
IDBC will process the data subject’s request of erasure within up to one month and notify the data subject of the result in a letter of response sent to the contact information provided by the data subject.
IDBC informs of the erasure of the data those to whom it has transferred the personal data concerned provided that the provision of this information is not impossible or does not require disproportionate effort from the Data Controller.
8.5. Right to restriction of data processing (to have data blocked)
By using the contact information provided under point 1, the data subject can request IDBC in writing to process his or her personal data in a restricted manner. Blocking takes place by unambiguously marking the restricted nature of data processing and storing the data separately from any other information. This means that no operation other than storage may be carried out with the data. Blocking shall last as long as the ground specified by the data subject renders the blocked storage of the personal data necessary. The data subject may request the blocking of the personal data if he or she believes that IDBC has processed his or her personal data unlawfully, but it is necessary for the conducting of the administrative or judicial procedure initiated by the data subject that the Data Controller shall not erase the personal data. In this case, until a request is received from the authority or court, IDBC processes the personal data in a blocked manner, and it will erase or continue to process them after the conclusion of the administrative or judicial procedure.
8.6. Right to object
By using the contact information provided under point 1, the data subject can object in writing to the processing of data if IDBC processes the personal data on the basis of its own or a third party’s legitimate interest. He or she may object to the processing for example if IDBC would transmit or use the data subject’s personal data for the purpose of opinion polling or scientific research on the basis of its own or a third party’s legitimate interest.
IDBC will assess the data subject’s objection within up to one month and notify the data subject of the result (including notification of the erasure of any unlawfully processed personal data) in a letter of response sent to the contact information provided by the data subject.
9. Options to enforce rights and legal remedies relating to data processing
The data subject can contact IDBC in order to enforce his or her rights relating to the processing and protection of his or her personal data by using the contact information specified in point 1.
If the data subjects believes that his or her rights relating to the protection of his or her personal data have been violated, he or she can apply to the following authority:
Hungarian National Authority for Data Protection (NAIH)
registered seat: H-1055 Budapest, Falk Miksa u. 9-11.
postal address: H-1363 Budapest, Pf. 9.
phone: +36 (1) 391-1400
website: www.naih.hu
email: ugyfelszolgalat@naih.hu
If the data subject experiences the unlawfulness of the processing of his or her personal data, he or she may initiate court proceedings (civil proceedings) against the Data Controller. The adjudication of the action falls within the competence of the regional court. At the option of the data subject, the action may also be initiated before the regional court according to the domicile of the data subject (contact information of the regional courts can be found at the link below: https://birosag.hu/torvenyszekek)
10. Updating and accessibility of the Privacy Notice
IDBC reserves the right to unilaterally amend this Privacy Notice. The Privacy Notice may be amended in particular if amendment is required due to any change in the legislation, the practice of the data protection supervisory authority, a business need, or a newly identified security risk.
Privacy notice to job applicants and users of employment agency services
The protection of your personal data is important to us. For this reason, this Privacy Notice explains the types of the personal data that IDBC Creative Solutions Kft. processes in the course of its recruitment and employment agency activity, the purpose and legal basis of such processing, as well as the organisational and technical measures it implements in order to comply with the data protection rules. The Privacy Notice also sets out the data protection rights that natural persons are entitled to.
The persons applying for jobs or employment agency services are named “applicants”. The data protection legislation names the natural persons “data subjects”, therefore – in addition to or instead of “applicant” – this term is also used in the Privacy Notice.
Those submitting an application for a job or employment agency services are required to get acquainted with this Privacy Notice irrespective of whether the applicant comes into contact with IDBC directly or via an intermediary (via a job advertising or employment agency, or through the recommendation of another natural person). Legal person intermediaries shall be deemed as data controllers, and IDBC considers their processing of personal data to be lawful and compliant with the data protection legislation, i.e., they provide all information relating to processing (including data transmission) to the applicant. With regard to personal data of those recommended by a natural person, IDBC presumes that the applicant is aware of the recommendation of such natural person, and he or she got acquainted with this Privacy Notice before handing over his or her CV. Further details concerning reliance on intermediaries can be found under point 3.5.
1. Name, contact details of the data controller
Data controller: IDBC Creative Solutions Kft. (hereinafter: Data Controller or IDBC)
Registered seat and mailing address :H-1138 Budapest, Népfürdő utca 22. Duna Tower Office Building, Tower A. Floor 13.
Registration authority: Company Registry Court of Budapest-Capital Regional Court
Company registration number: 01-09-192925
Tax number: 24983332-2-41
E-mail address: info@idbc.hu
Phone number: +36 30 479 8090
Website: https://idbc.hu
2. Main legislation relating to data processing
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR” or “General Data Protection Regulation”)
- Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (hereinafter: Privacy Act)
- Act I of 2012 on the Labour Code (hereinafter: Labour Code)
- Act V of 2013 on the Civil Code (hereinafter: Civil Code)
3. Processing activities
3.1. Processing relating to job applications and employment agency
3.1.1. Purpose of the processing of personal data
IDBC is engaged in searching for, selecting, and placing professionals seeking a job or a contract, or interested in a job or a contract (applicants), as well as presenting job or contract opportunities, and sending such opportunities to the applicants. The purpose of the processing of the personal data of applicants (data subjects) is to draw the applicant’s attention to an advertised job or contract, or to search for a job or contract opportunity for the applicant, as well as to conduct the selection process.
3.1.2. Scope of the processed personal data
The following data are required for recruiting an applicant for a job or a contract: identification data of the applicant (name, place and date of place, mother’s name), contact information (phone number, e-mail address, postal address and/or home address), information relating to his or her expertise and work experience (educational attainment, previous workplaces, jobs, etc.).
In addition to the scope of data listed in the foregoing, IDBC processes all personal data that the applicant provides to it during recruitment and placement for a job or contract (including the selection process) (e.g., the applicant’s profile on social media, marital status, interests, content of the cover letter).
3.1.3. Legal basis of the processing of personal data
The legal basis of the processing of personal data is the consent of the applicant, which is provided by him or her upon applying for a job or employment agency services or disclosed by him or her during the selection process.
3.1.4. Period of the processing of personal data
The processing of the data of those applying for a job or employment agency services: until the withdrawal of the consent to data processing, but up to 3 years from the last contact (e.g., phone discussion).
The consent given to processing can be withdrawn at any time, which also signifies the erasure of the processed data (see also point 7.3). After the erasure of certain personal data (e.g., identification data, contact information), the recruitment and employment agency services of IDBC can no longer be used.
3.1.5. Source of personal data
The personal data of the applicant may be received by IDBC either directly from the applicant, or via an intermediary. The intermediary of the personal data of the applicant (e.g., CV) can be a natural person (e.g., recommendation by a colleague) or a legal person. IDBC presumes that the applicant is aware of the submission of his or her CV, and he or she got acquainted with this Privacy Notice before handing over his or her CV to the natural person intermediary.
Legal person intermediaries are independent data controllers; therefore, IDBC presumes that in the course of their activities, they comply with the provisions of the data protection legislation applicable to them, including informing the applicant of the accessibility and/or transfer of his or her personal data.
Currently, IDBC cooperates with the following legal person intermediaries:
- hu (registered seat: H-1123 Budapest, Nagyenyed utca 8-14., company registration number: 01-09-199015, private employment agency registration number: BPM/01/15807-3/2015-1003), whose privacy notice is available here: GDPR Profession
- LinkedIn (Registered seat: 1000 W Maude Sunnyvale, CA 94085, US), whose privacy policy is available here: LinkedIn Privacy Policy
- No Fluff Jobs (Registered seat: Kielecka 5/40 81-303 Gdynia, Lengyelország PL5862324045., Hungary office: H-1123 Budapest, Nagyenyed u. 10-14.), whose privacy policy is available here: pdf (nofluffjobs.com)
- Codersrank Zrt. (Registered seat: 4028 Debrecen, Kassai út 129., company registration number: 09 10 000582, Tax number: 26313986-2-09), whose privacy policy is available here: Privacy Policy – CodersRank
From time to time, IDBC also receives personal data concerning applicants from employment agencies, which cannot be determined in advance due to the ad hoc nature of these situations.
3.2. Data processing relating to complaints and the exercise of the data subject’s rights
3.2.1. Purpose of the processing of personal data
Should you have any problems in connection with the job or employment agency services of IDBC, or the administration, or you wish to exercise your rights under point 7, contact us at any of our contact details provided under point 1.
3.2.2. Scope of the processed personal data
The following personal data are necessary for the handling of complaints or the exercise of the data subject’s rights: identification data (name, place and date of birth, mother’s name), contact information (e-mail address or postal address, or home address), description of the complaint or the data subject’s right intended to be exercised.
The identification data (name, place and date of birth, mother’s name) are fully processed only if it is indispensable for the adjudication of the complaint or the exercise of the data subject’s right. If IDBC has any doubt concerning the identity of the person submitting the complaint or exercising the data subject’s right, it may request further identification data to be provided. If the data subject fails to provide the personal data necessary for identifying his or her person which are indispensable for the handling of the complaint or the exercise of the data subject’s rights, IDBC has the right to reject the complaint or refuse the exercise of the data subject’s rights by giving reasons.
3.2.3. Legal basis of the processing of personal data
The legal basis of the personal data concerning the handling of complaints, or the exercise of the data subject’s rights is point (b) of paragraph 1 of Article 6 of the GDPR, i.e., the fulfilment of the legal obligation under Articles 15-18 and 21 of the General Data Protection Regulation.
3.2.4. Period of the processing of personal data
Period of the processing of the personal data relating to complaint handling or the exercise of the data subject’s rights: 5 years from the addressing of the complaint or the completion of the exercise of the data subject’s rights (general limitation period referred to in the Civil Code).
4. Processing of data
The personal data concerning the applicants are processed by IDBC by electronic means, using the module of Zoho Recruit (Hiring software | Automated hiring platform – Zoho Recruit). Further details concerning the data protection and data security principles of Zoho can be found here (Zoho – Data Privacy and our stand against surveillance.), and those of its privacy notice are available here (GDPR Guide | Free e-book – Zoho Recruit) .
5. Data transmission
IDBC transmits the applicant’s personal data according to the agreement with the applicant to those who offer the job or contract opportunity the applicant is interested in or may find such jobs or contracts for applicant.
Furthermore, IDBC only transfers to third parties (e.g., authority, court, other public entities) the personal data processed by it for the purpose and in the manner specified in the legislation.
6. Data security
IDBC ensures with appropriate IT, organisational and personnel measures the protection of the personal data processed by it from – among other things – unauthorised access or the unauthorised change or destruction thereof. Access to the personal data stored in the IT system is logged, that is, it can always be verified who and when accessed which personal data. The personal data processed can be accessed by the authorised and trained staff of IDBC, exclusively for the purpose and to the extent necessary for performing their job functions.
7. The rights of the data subjects relating to data processing
7.1. Right to receive information, right of access
By using the contact information specified in point 1, the data subject can request IDBC in writing to provide information on the types of his or her personal data processed, the legal basis, purpose of such processing, the source of such data and the period of processing; the data subject may also request for information on the persons to whom IDBC provided access to the personal data or transferred the personal data concerning the data subject, and when and on what legal basis it did so.
In the event where the data subject requests the information under this point in several copies, the Data Controller is entitled to charge a reasonable fee proportionate with the administrative costs incurred in connection with the preparation of the additional copies.
If the data subject’s right of access under this clause affects the rights and freedoms of others adversely – in particular, their business secrets or intellectual properties –, IDBC is entitled to refuse the execution of the data subject’s request to the necessary and proportionate extent.
Given that the exercise of the right of access is guaranteed to the data subject personally, IDBC will request the identification of the applicant’s person prior to the execution of the request. The Data Controller has the right to request the data subject to specify the content of the request, to name the requested information and data processing activities in order to adequately comply with the request.
IDBC will comply with the data subject’s request within up to one month by sending a letter of response to the contact information provided by the data subject.
7.2. Right to rectification
By using the contact information provided under point 1, the data subject can request IDBC to modify any of his or her personal data (for example, he or she may change his or her e-mail address or other contact information at any time) or to complete incomplete personal data.
The Data Controller will comply with the request within up to one month and notify the data subject of the execution in a letter of response sent to the contact information provided by the data subject.
IDBC informs of the rectification those to whom it has transmitted the personal data concerned provided that the provision of this information is not impossible or does not require disproportionate effort from the Data Controller.
7.3. Right to withdraw the consent to data processing
The data subject may withdraw his or her consent to data processing at any time, which does not affect the lawfulness of the data processing carried out prior to the withdrawal based on the consent. If the consent to data processing is necessary for implementing an event or an application in which the data subject wishes to participate and the data subject withdraws his or her consent to data processing, following the withdrawal of the consent his or her participation in the event or application will no longer be longer possible. Withdrawal of the consent to data processing also entails the erasure of the personal data concerning participation in the event or application at the Data Controller (see the next point). If the consent to data processing is withdrawn in a mobile application or other computer application in which the Data Controller does not have “admin” rights, it is the operator or owner of the application that will provide information on the consequences of the withdrawal of the consent (e.g., erasure of data).
7.4. Right to erasure
By using the contact information provided under point 1, the data subject may request IDBC to erase all or some of his or her personal data if any of the following grounds are present:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
c) the data subject objects to the processing of his or her personal data under the legal basis of legitimate interest or for the purpose of direct marketing (including profiling used for direct marketing, and there are no overriding legitimate grounds for the processing;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services (provided to children) referred to in Article 8(1) of the GDPR.
IDBC will not execute the erasure if data processing is necessary for
a) exercising the right of freedom of expression and information (see point 1)
b) or compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or
c) for certain health-related purposes by or under the liability of persons subject to a legal obligation of professional secrecy,
d) for the establishment, exercise or defence of legal claims, or
e) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and the erasure of personal data is likely to render impossible or seriously impair the achievement of the objectives of that processing.
IDBC will process the data subject’s request of erasure within up to one month and notify the data subject of the result in a letter of response sent to the contact information provided by the data subject.
IDBC informs of the erasure of the data those to whom it has transferred the personal data concerned provided that the provision of this information is not impossible or does not require disproportionate effort from the Data Controller.
7.5. Right to restriction of data processing (to have data blocked)
By using the contact information provided under point 1, the data subject can request IDBC in writing to process his or her personal data in a restricted manner. Blocking takes place by unambiguously marking the restricted nature of data processing and storing the data separately from any other information. This means that no operation other than storage may be carried out with the data. Blocking shall last as long as the ground specified by the data subject renders the blocked storage of the personal data necessary. The data subject may request the blocking of the personal data if he or she believes that IDBC has processed his or her personal data unlawfully, but it is necessary for the conducting of the administrative or judicial procedure initiated by the data subject that the Data Controller shall not erase the personal data. In this case, until a request is received from the authority or court, IDBC processes the personal data in a blocked manner, and it will erase or continue to process them after the conclusion of the administrative or judicial procedure.
7.6. Right to object
By using the contact information provided under point 1, the data subject can object in writing to the processing of data if IDBC processes the personal data on the basis of its own or a third party’s legitimate interest. He or she may object to the processing for example if IDBC would transmit or use the data subject’s personal data for the purpose of opinion polling or scientific research on the basis of its own or a third party’s legitimate interest.
IDBC will assess the data subject’s objection within up to one month and notify the data subject of the result (including notification of the erasure of any unlawfully processed personal data) in a letter of response sent to the contact information provided by the data subject.
8. Options to enforce rights and legal remedies relating to data processing
The data subject can contact IDBC in order to enforce his or her rights relating to the processing and protection of his or her personal data by using the contact information specified in point 1.
If the data subjects believes that his or her rights relating to the protection of his or her personal data have been violated, he or she can apply to the following authority:
Hungarian National Authority for Data Protection (NAIH)
registered seat: H-1055 Budapest, Falk Miksa u. 9-11.
postal address: H-1363 Budapest, Pf. 9.
phone: +36 (1) 391-1400
website: www.naih.hu
email: ugyfelszolgalat@naih.hu
If the data subject experiences the unlawfulness of the processing of his or her personal data, he or she may initiate court proceedings (civil proceedings) against the Data Controller. The adjudication of the action falls within the competence of the regional court. At the option of the data subject, the action may also be initiated before the regional court according to the domicile of the data subject (contact information of the regional courts can be found at the link below: https://birosag.hu/torvenyszekek)
9. Updating and accessibility of the Privacy Notice
IDBC reserves the right to unilaterally amend this Privacy Notice. The Privacy Notice may be amended in particular if amendment is required due to any change in the legislation, the practice of the data protection supervisory authority, a business need, or a newly identified security risk.