Skip to content

Privacy Policy

Your privacy matters to us. We would like you to feel cool about entrusting us with your data when you visit our website, sign up to our newsletter, or we interact in any way. Let us explain what data we collect about you and what we do with it. By using our services, you consent to our use of your data under this privacy policy. If you would like to know more about our collection and use of cookies only, please check out the CodeCool cookie policy.

I. GENERAL INFORMATION, THE DATA CONTROLLER


1.1. Identification and the business activity of the data controller
In this policy („Policy”) the data controller shall mean CodeCool Kft. (registered seat: 1065 Budapest, Nagymező utca 44.; registration No.: 01-09-394554; VAT No.: 25076587-2-42; e-mail: [email protected]; adult education registration No.: B2020/000727, adult education license No.: E2020000041, license No. for employment lease: BP/0701/000194-2/2022-1886, Recruitment licence No: BP/0701/000196-2/2022-1293 hereinafter referred to as: the „Data Controller”). Name and email address of the data protection officer: dr. Freidler Gábor, [email protected].
The Data Controller is a limited liability company registered in Hungary.The Data Controller deals with the education of programmers, employment lease and recruitment service as introduced in its website (www.codecool.com, hereinafter referred to as „Website”).
The Data Controller performs its activities under the scope of the European Union and Hungarian legislation. The data management is primarily governed by the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679 of the European Parliament and of the Council (April 27, 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as well as the repealing directive No. 95 /46/EC; hereinafter: “GDPR”)


1.2. Users
 In the case of data management issues within the scope of this Policy, the person concerned is the one who initiates or enters into a legal relationship with the Data Controller and for this purpose provides the Data Controller with his/her personal data.
Based on this, the scope of this Policy does not cover data that does not relate to natural persons (e.g. company data) or that cannot be linked to natural persons (e.g. statistical data, data that is anonymized).


1.3. The procedure of data management
 The users contact the Data Controller via the Website. If the user wishes to participate in the Data Controller’s training, he/she registers on the Website and provides the following information: name of the chosen training, surname, first name, e-mail address, phone number. During the application, the data subject shall accept the provisions of this Data Policy.
After the application, the user will be able to access the English-language interface of the online screening (survey) via the Website. The Data Controller has the right to change the course of the online screening. During the screening, the person concerned must declare that he/she meets the prerequisites of the training, then complete the tasks associated with the screening and answer the questions, and if requested, write his/her motivation letter, with the content and length of his/her choice. The user will be informed about the result of the online screening.
After a successful online screening, the Data Controller will contact the applicant and the personal screening will take place at an agreed time, which can also be processed via a telecommunications device or app. In the process, those involved take part in group and individual situation exercises, solve tasks in groups and then individually and take part in motivational discussions. The Data Controller prepares a record of the screening, in which the participation of the applicant, the characteristics of the participation, the answers given by the applicants and their evaluation are recorded. A video or audio recording of the screening may only be made after the express consent of those involved and if the recording is necessary for the purpose of evaluation or for promotional purposes. In the case of refusal to consent to recording, the applicant will not suffer any disadvantage, in this case the Data Controller will proceed the screening without recording. The personal screening can also be done online, using a telecommunications device or software.
If the result of the screening is not satisfactory (the application is unsuccessful), the Data Controller will not delete the recorded data, so if the applicant tries the screening again, the previous data will be available and the applicant will be informed about this. The Data Controller deletes the data if the applicant requests it or if one year has passed since screening. The Data Controller uses the stored data only in case of re-application and screening, to evaluate the changes that have occurred in the period since the previous application.
In case of a successful screening, the Data Controller concludes contract with the applicant, based on which the applicant participates in the training. During the conclusion of the contract, the applicant provides data specified in this Policy.
During the training, the Data Controller continuously monitors the participation of the applicant and records the fact of participation and absence (broken down into sessions), the results of individual surveys, and the data subject’s feedback on the training. The Data Controller manages this data on its own system.
After completion of the training, the persons concerned may be employed in accordance with the rules of employment lease or offered for work. The persons concerned prepare their professional CVs, based on the template provided by the Data Controller. The resume includes data on personal identification, skills, qualifications, motivation, and interests. The Data Controller manages the CV for two years after the successful mediation, and if it can mediate another job or position for the person concerned, it informs him/her. The data subject may request the deletion of his/her data any time.
The Data Controller takes a photo of the data subject (or takes a photo provided by the data subject), which appears in the Data Controller’s system, alongside with the data concerning the data subject. It is possible to identify the data subject through the photo of the data subject; the person concerned can use the photograph to create his/her CV.
If the introduction for work is successful, a working relationship can be established between the person concerned and the Data Controller. In this case, the parties sign the employment contract. If the employment relationship is terminated, the Data Controller, as an employer, will process the data in accordance with the applicable laws.
The Data Controller operates a referral system, the essence of which is that the data subject can recommend third parties to the Data Controller’s training program. In case of a successful recommendation, the Data Controller will grant the data subject a predetermined discount or benefit. The recommender is responsible for the legality of the recommendation, and in particular for the fact that the recommended person consented to the processing of his/her data. Based on all of this, before making the recommendation, the recommending person is obliged to request the consent of the recommended person.
The Data Controller partially performs its activities with the involvement of third parties (agents, contractors), and always concludes a contract with these persons that ensures the protection of data.
The Data Controller collects the data primarily from the data subject. The Data Controller collects data from other sources only if the data subject has consented to this (e.g. provision of data by an employment agency), or the law expressly authorizes the collection of data.
The Data Controller does not copy documents. If the person concerned presents a document, the Data Controller records the fact of presentation and, if necessary, the identifier of the document, but does not make a copy.


II. PURPOSE AND LEGAL BASIS OF DATA MANAGEMENT AND THE SCOPE OF THE MANAGED DATA


2.1. Purpose of data management
The primary purpose of data management is to create and maintain a legal relationship between the data subject and the Data Controller aimed at training and later work, and to mediate work for the data subject. Within this, the purposes of data management:
– Identification of the person concerned, contacting and maintaining contact with the person concerned;
– Disclosure of data and circumstances relevant to the relevant training (e.g. education, skills);
– Examining the suitability of the person concerned;
– Establishing a legal relationship, preparing and signing the contract establishing the legal relationship;
– Organization and implementation of the training;
– Monitoring the participation and development of the person concerned;
– Accountability, definition of individual goals, development;
– Proof of participation;
– Referral of the affected person to another employer, facilitating the establishment of the legal relationship
– Invoicing and payment of fees;
– Creating and maintaining an employment relationship, exercising related rights and fulfilling obligations;
– Fulfillment of obligations imposed by law (e.g. provision of data to tax authorities, social security bodies);
– Exercising rights arising from the legal relationship, fulfilling obligations, asserting claims;
– In the case of the use of tender resources, proof of compliance with the tender specifications;
– Promotion of the Data Controller’s activities;
– Operation of the Website;
– Protection and maintenance of personal and property security.

2.2. Legal basis of the management of data
 In view of the fact that the Data Controller processes personal data for several purposes, the legal basis for data processing can be various. The main legal bases are the following, the specific legal bases related to individual data management are listed in Section III of this Policy.
Consent of the data subject (GDPR Article 6 (1) point a)
The legal basis for data management is primarily the consent of the data subject. The data subject gives his/her consent by contacting the Data Controller and initiating the creation of the legal relationship, starting the application process. In all cases, consent is voluntary, but failure to give consent may result in the legal relationship between the data subject and the Data Controller not being established or terminated. The Data Controller informs the data subject in all cases about the data management.
The contract between the Data Controller and the data subject (GDPR Article 6 (1) point b)
If the data subject enters into a contract with the Data Controller, he/she shall provide the data necessary for the creation and fulfillment of the contract and the related forms. In the case according to this point, the data is processed in order to fulfill the contract and take steps initiated by the data subject, based on the referenced point of the GDPR.
If the data subject does not consent to the processing of any data requested by the Data Controller or indicated in the contract, he has the right to refuse to provide the data. If the processing of the data is mandatory by law, or if the data is not provided, the contract cannot be fulfilled, the contract will not be concluded if the data is not provided.
Fulfillment of legal obligations (GDPR Article 6 (1) point c)
In some cases, the legal basis for data management is a statutory provision. If the data management is a legally obliged to data management, it is included inSection III of this Policy.
Enforcement of the legitimate interests of the Data Controller or a third party (GDPR Article 6 (1) point f)
If data management is necessary to enforce the legitimate interest of the Data Controller or a third party, the data will be used by the Data Controller for the purpose of enforcing this interest. The data processing according to this paragraph is exceptional, it only takes place on the basis of an individual assessment (the so-called interest assessment test) in the cases specified in this Policy.


III. SCOPE OF DATA, INDIVIDUAL DATA MANAGEMENT


3.1. Data relating application
Description of data management: Interested persons can apply for the trainings of Data Controller via the Website. During the application, the data subject provides the data specified on the Website and declares acceptance of the data management information. If the Data Controller contacts the data subject, it uses the data only for the purpose of the request and deletes them after the request. If the data subject starts the application process but does not complete it, the Data Controller manages the data so that the data subject can continue the application that has already started. In this case, the data controller deletes the data after six months, unless the data subject requests the deletion of the data earlier. In case of a successful application, if the data subject participates in the training, the data controller will handle the data in connection with the contract and the training.
Scope of data: surname, first name, e-mail address, phone number, chosen training, chosen training location.
Legal basis for data management: The legal basis for data management is the data subject’s consent, which he gives by registering and thereby consenting to the processing of his/her data. Data management is essential for establishing a relationship between the parties and for conducting the application process. The data subject can prohibit data management, refuse or withdraw their consent, but in this case the application process will end unsuccessfully.
The purpose of data management: Identification of the person concerned, contacting and maintaining contact with the person concerned.
Duration of data management: If the application is unsuccessful (the data subject does not complete the application), the Data Controller processes the data for six months in order to allow the data subject to continue the application that has already started. The data subject can request the deletion of the data. If the application is successful and the data subject participates in the training, the Data Controller will process the data in connection with the contract and training.


3.2. Data management relating online screening
 Description of data management: Part of the application process is that the data subject participates in an online survey, during which the Data Controller asks questions about the data subject’s education, motivation, language skills, and also logical tasks.
Scope of data: Answers to the questions asked during the online screening, data on language skills and education, logic test results, motivation letter.
Legal basis for data management: The legal basis for data management is the consent of the data subject, which is given by signing up, participating in the screening process, and thereby consenting to the processing of their data. Data management is essential for establishing a relationship between the parties and for conducting the application process. The data subject can prohibit data processing, refuse or withdraw their consent, but in this case the application process will end unsuccessfully.
The purpose of data management:
– Identification of the person concerned, contacting and maintaining contact with the person concerned;
– Disclosure of data and circumstances relevant to the relevant training (e.g. education, skills);
– Examination of the suitability of the person concerned
– Establishment of a legal relationship, preparation of the contract establishing the legal relationship.
Duration of data management: If the person concerned does not complete the screening or the result is not satisfactory (the application is unsuccessful), the Data Controller will keep the recorded data and delete it after one year. In case of re-application, the purpose of data management is to analyze the data of the previous application, to compare the data, the data may not be used for any other purpose. The Data Controller will delete the data within one year if the data subject requests it. If the screening is successful and the data subject participates in the training, the data controller will handle the data in connection with the contract and training.


3.3. Data management in connection with personal screening
 Description of data management: In case of a successful online screening, the Data Controller will contact the data subject, and the personal screening will take place at an agreed time. In the process, those involved take part in group and individual situation exercises, solve tasks in groups and then individually, and take part in motivational discussions. The Data Controller prepares a record of the screening, in which the participation of the data subject, the characteristics of the participation, the answers given by the data subject, and their evaluation are recorded. A video or audio recording of the screening will only be made based on the express consent of those involved, if the recording is necessary for evaluation or promotional purposes. In the case of refusal to consent to recording, the data subject will not suffer any disadvantage, in this case the Data Controller will provide the screening without recording. The personal screening can take place without an actual personal meeting, using a telecommunications device or software.
Scope of data: Name of the practices used during the screening, participation of the person concerned, answers given by him, their evaluation, video and audio recording if the person concerned consents.
Legal basis for data management: The legal basis for data management is the consent of the data subject, which is given by signing up, participating in the screening process, and thereby consenting to the processing of their data. Regarding the recording of images and sounds, data processing is voluntary, the data subject can refuse consent. With regard to other data, data management is essential for the establishment of a relationship between the parties and the completion of the application process. The data subject can prohibit data processing, refuse or withdraw their consent, but in this case the application process will end unsuccessfully.
The purpose of data management:
– Identification of the person concerned, contacting and maintaining contact with the person concerned;
– Disclosure of data and circumstances relevant to the relevant training (e.g. education, skills);
– Examining the suitability of the person concerned;
– Establishment of a legal relationship, preparation of the contract establishing the legal relationship.
Duration of data management: If the person concerned does not complete the screening or the result is not satisfactory (the application is unsuccessful), the Data Controller will keep the recorded data and then delete it after one year. In case of re-application, the purpose of data management is to analyze the data of the previous application, to compare the data, the data may not be used for any other purpose. The Data Controller will delete the data within one year if the data subject requests it. If the screening is successful and the data subject participates in the training, the data controller will handle the data in connection with the contract and training.


3.4. Data management in connection with contracts
 Description of data management: In case of a successful screening, the Data Controller concludes a contract with the data subject, on the basis of which the data subject participates in the training. The contract establishes the rights and obligations of the parties in relation to the training. If the data subject terminates the contract and the termination is justified by some extraordinary circumstances, the Data Controller may request that the data subject prove the circumstances that justify the termination and exempt the data subject from liability. The Data Controller does not copy documents in this regard. If the contract is classified as an adult training contract, the data controller records the following 3.6. data specified in point, as specified there.
Scope of data: Name, address, place and time of birth, mother’s name, identity card number, tax identification number, TAJ number, gender, e-mail address, telephone number; in case of termination, the relevant data; declarations of parties regarding the contract; the time, method and reason for termination of the contract.
Legal basis for data management: Data management is necessary for the conclusion, preparation and fulfillment of the contract between the Data Controller and the data subject, so the legal basis for data management is the contract. The Act LXXVII of 2013 on adult education (hereinafter: “Fktv.”) makes the conclusion of the contract and the management of data mandatory for the training courses under its scope, so the legal basis for data management is Section 11 (1) of the Fktv. Data management is essential for establishing, maintaining and fulfilling the legal relationship between the parties. If the data subject does not provide the data, the contract will not be concluded. In the event of termination of the contract, the processing of related data may not be prohibited if the data processing is required by law (see point 3.6) or is necessary to assert claims against the data subjects.
The purpose of data management:
– Identification of the person concerned, contacting and maintaining contact with the person concerned;
– Establishing a legal relationship, preparing and signing the contract establishing the legal relationship;
– Organization and implementation of the training;
– Fulfillment of obligations prescribed by law;
– Exercising rights arising from the legal relationship, fulfilling obligations, asserting claims.
Duration of data management: The Data Controlller manages the data recorded in the contracts for the duration of the training and for eight years from the date of termination. The duration of the data management is partly justified by the fact that it is possible to assert claims related to the contract within the limitation period (the limitation period is five years, but this can be suspended or interrupted), and partly by the fact that the person concerned makes the payment in connection with the training, and the receipts for this are kept for eight years must be preserved. The data defined by the Fktv. is handled by the Data Controller until the deadline specified in point 3.6.


3.5. Data management relating the trainings
 Description of data management: During the training, the Data Controller continuously monitors the participation of the data subject and records the fact of participation and absence (broken down into sessions), the results of individual surveys, and the data subject’s feedback on the training. The instructors conducting the training can also take notes on the strengths, progress, and areas for improvement of the person concerned. The Data Controller manages this data in its own system.
Scope of data: Attended and missed classes (via attendance sheet), documents certifying electronic professional training and inspection, results of surveys, audits, feedback from stakeholders, teachers’ notes.
Legal basis for data management: As a main rule, data management is closely related to training, i.e. to the performance of the contract between the parties, in addition, the management of certain data is regulated by the Fktv. (see below, point 3.6). The data subject may not prohibit the processing of data whose processing is regulated by law – thus, in particular, the Fktv. – prescribes, or the management of which is essential for the fulfillment of the contract between the parties, for the enforcement of claims. If, in the absence of the data requested to be deleted, the training can be carried out, the contract can be fulfilled, and the handling of the data is not required by law, the Data Controller will delete the data at the request of the data subject.
The purpose of data management:
– Organization and implementation of the training;
– Monitoring the participation and development of the person concerned;
– Accountability, definition of individual goals, development;
– Proof of participation;
– Exercising rights arising from the legal relationship, fulfilling obligations, asserting claims.
Duration of data management: The Data Controller manages the data for the duration of the training and for eight years from the date of termination. The duration of the data management is justified by the fact that it is possible to assert claims related to the contract within the limitation period (the limitation period is five years, but this can be suspended or interrupted). The Fktv. data defined by the Data Controller in accordance with 3.6. It is handled until the deadline specified in point.


3.6. Data management relating adult education
 Description of data management: Considering that the Data Controller is an organization acting in accordance with the Fktv., it is obliged to manage the data defined in the Fktv.
Scope of data: The Data Controller manages the data subject’s name, birth name, place and time of birth, mother’s name, gender, nationality, legal address of non-Hungarian citizen’s stay in Hungary and the name and number of the right-of-residence document, address, mailing address, email address and telephone number , social security identification number, tax identification number. In addition, Fktv. In the case of the data subject, the Data Controller manages the data related to the training in the case of the person concerned, which relates to the education, professional qualification, professional qualifications and knowledge of foreign languages of the person participating in the training, the entry into the training and the completion of the training, and in the absence of completion of the training, the exit from the training, during the training are related to its evaluation and qualification, its payment obligations related to the training and the used training loan. The Data Controller also manages the attendance records, documents certifying electronic professional training and verification, original documents certifying the conditions necessary for starting and continuing the training or copies thereof certified by the adult trainer, as well as documents certifying the input competency test and the preliminary knowledge test.
Legal basis for data management: The legal basis for data management is Section 16 and Section 21 of the Fktv.
The purpose of data management:
– fulfillment of statutory obligations.
Duration of data management: In accordnce with Section 21 (5) of the Fktv, the Data Controller manages the data on the basis of the contract until the last day of the eighth year from the conclusion of the adult education contract.


3.7. Data provision in accordance with the Fktv.
 Description of data management:. The Data Controller manages and forwards the personal data specified in § 15 of the Fktv. The data is forwarded via electronic data provision to the state administrative body for adult education. The data subject may prohibit the transmission of his personal identification data, e-mail address, tax identification number, the prohibition statement must be in writing.
Scope of data: Data specified by the Fktv:, mother’s name, place and time of birth, tax identification number, e-mail address, gender, education ID, highest education.
Legal basis for data management: The legal basis for data management is Section 15 of Fktv. The data subject can prohibit data processing in writing, in which case natural personal identification data, e-mail address, and tax identification number will not be forwarded.
The purpose of data management:
– fulfillment of statutory obligations.
Duration of data management: The Data Manager manages the data for five years from the date of their creation (Fktv. § 15. (2)).


3.8. Data management relating to statistical data provision obligation
 Description of data management: The Data Controller, as an Fktv. based organization obliged to provide statistical data. The Data Controller manages the data in accordance with 3.6 above. submits the data specified in point to the Central Statistical Office.
Scope of processed data: Data listed in Section3.6 above
The purpose of data management:
– fulfillment of statutory obligations.
Legal basis for data management: The legal basis for data management is the fulfillment of a legal obligation (§ 21 of the Civil Code).
Duration of data management: The data is processed by the Data Controller in accordance with section 3.6 above. as specified in point 2, handles the data included in the statistical data provision in a way that is not suitable for personal identification.


3.9. Data management relating employment lease and curiculum vitaes
 Description of data management: After the completion of the training, the workforce of the affected parties may be interrogated. To this end, the persons concerned prepare their professional resumes, based on the template defined by the Data Controller. The curriculum vitae contains the professional portfolio of the person concerned. The resume includes data on personal identification, skills, qualifications, motivation, and interests. The Data Controller manages the resume for two years after the successful mediation, and if it can mediate another job or position for the person concerned, it informs the person concerned. The data subject may request the deletion of the data before this.
During the mediation, the Data Controller forwards the resume of the data subject and the recommendation of the Data Controller to the partners with whom the data subject may be employed, taking into account the partner’s field of operation and needs. The data subject can indicate economic companies and other employers with whom he does not wish to establish a legal relationship, in which case the Data Controller will not forward the data to them. If the data subject requests it, the Data Controller will only forward the data subject’s data to partners of which the data subject is informed in advance and for which the data subject has consented to the transfer of data.
After a successful mediation, the person concerned either enters into a legal relationship with the partner, or enters into an employment contract with the Data Controller for temporary employment.
Scope of data: Curriculum vitae, recommendation (name of the employer concerned, data related to the mediated employment relationship: job title, place of employment).
Legal basis for data management: The legal basis for data management is the contract between the parties and the consent of the data subject. Data management is essential for the fulfillment of the contract between the parties. If the data subject refuses the data management, mediation is impossible, in which case the Data Controller may terminate the contract. The data subject has the right to prohibit the transfer of data to specific partners, and may also request that data transfer be made based on his/her separate consent in all cases.
The purpose of data management:
– Referral of the affected person to another employer, facilitating the establishment of the legal relationship
– Creating and maintaining an employment relationship, exercising related rights and fulfilling obligations;
– Exercising rights arising from the legal relationship, fulfilling obligations, asserting claims.
Duration of data management: The Data Controller manages the data for eight years after transmission. The duration of the data management is justified by the fact that it is possible to assert claims related to the contract within the limitation period (the limitation period is five years, but this can be suspended or interrupted).


3.10. Video and audio recordings (sound and pictures)
 Description of data management: The Data Controller can make a video and audio recording of the screening and training, in order to present it to existing and potential partners, thereby increasing the effectiveness of the mediation activity. The recording and use takes place only with the consent of the person concerned.
If the training is financed from the tender source provided by the European Union, the purpose of the admissions is to comply with Regulation No. 272/2014 (XI.5.) on the procedure for the use of subsidies from individual European Union funds in the 2014-2020 programming period. Fulfillment of the obligation specified in the Government Decree, based on which the Data Controller is obliged to document the training. The recordings are stored by the Data Controller, and can be accessed by the bodies involved in the audit of the use of tender resources – primarily the National Adult Education Office – during their audits.
Scope of data: The completed image and audio recording.
Legal basis for data management: Data management is voluntary, the data subject may refuse consent.
The purpose of data management:
– Promotion of the Data Controller’s activities,
– Fulfillment of obligations prescribed by law;
– In the case of the use of tender resources, proof of compliance with the tender specifications.
Duration of data management: The Data Controller deletes the recording made for promotional purposes after five years. Prior to this, the Data Controller will delete the recording if it is clear that it will not be used, or if the data subject requests the deletion. The Data Controller keeps the recordings made for the purpose of monitoring the use of tender resources for eight years; prior to this, the Data Controller deletes the recordings if the inspection has been completed and there is no need to present the recordings later.


3.11. Számlázással, fizetéssel kapcsolatos adatkezelés
 Description of data management: The Data Controller issues an invoice to the data subject for the training fee as specified in the contract between the parties, and handles the related administration.
Scope of data: Data included in the invoice (amount to be paid, deadline, obligee’s data), payment data (payment method, time).
Legal basis for data management: Data management is mandatory and based on legislation (Accounting Act).
The purpose of data management:
– Invoicing and payment of fees;
– Fulfillment of obligations stipulated by law (e.g. provision of data to tax authorities, social security bodies).
Duration of data management: The data manager processes the data on the receipt for eight years based on the Act on Accounting.


3.12. Data management relating to employment
 Description of data management: If the workforce presentation is successful, an employment relationship can be established between the data subject and the Data Controller, for employment within the framework of temporary employment. In this case, the parties sign the employment contract. As part of data management, the Data Controller makes the notifications required by law (tax authority, social security).
The Data Controller records the data of the data subject in the personnel register. Part of the register is the IT application in which the data is recorded and managed, and which the Data Controller uses for labor administration, payroll processing, and the production of statements. The Data Controller keeps the documents created on paper and handed over in the data subject’s personal file. The personnel register contains data on the compensation and benefits of the person concerned (income, benefits in addition to wages).
The Data Controller checks the medical fitness of the person concerned, as defined in the applicable legislation. The suitability test is carried out by a doctor, and the Data Controller hands over the employee’s data to the company doctor – after informing the employee. The Data Controller only manages the results of the examination, not health data.
If the employment relationship between the Data Controller and the data subject is terminated, the Data Controller makes the necessary notifications and issues the certificates and forms specified by the Labor Code, and makes the necessary notifications to the authorities.
In the case of labor hire, the Data Controller forwards the data of the data subject to the lessor, which are necessary for employment within the framework of the hire (natural personal identification data, job title).
Scope of data: Data of the affected person in the employment contract (name, mother’s name, place and time of birth, residential address, identity card number, social security number, tax identification number); health fitness result (fit – not fit – temporarily not fit), bank account number, other data generated in connection with the employment relationship (salary, progress, statements).
Legal basis for data management:
The legal basis for data management is the contract between the parties. Data management is essential for establishing, maintaining and fulfilling the legal relationship between the parties. The data subject can prohibit data processing, refuse or withdraw consent, but in this case the contract will not be created, the already concluded contract will be terminated.
In the case of an employment contract, data management is mandatory and based on legislation. The legislation requiring data management is the legislation relating to social security, taxation, and health fitness testing.
The purpose of data management:
– Identification of the person concerned, contacting and maintaining contact with the person concerned;
– Establishing a legal relationship, preparing and signing the contract establishing the legal relationship;
– Creating and maintaining an employment relationship, exercising related rights and fulfilling obligations;
– Fulfillment of obligations imposed by law (e.g. provision of data to tax authorities, social security bodies);
– Exercising rights arising from the legal relationship, fulfilling obligations, asserting claims.
Duration of data management: The Data Manager manages the data for eight years after the termination of the employment relationship. In addition, the Data Controller handles the data necessary to establish social security pension entitlement, bearing in mind that the data subject may need proof of pension entitlement. This data will be deleted by the Data Controller if the data subject requests it – in this case, data provision is not possible later.


3.13.Data management relating claims
 Description of data management: Based on the contract, the data subject is obliged to pay a fee to the Data Controller. If a legal dispute arises between the Data Controller and the data subject, and in the course of this dispute one party wishes to enforce a claim (financial or other in nature) against the other party, the data required for this can be used during the claim enforcement. In this case, the Data Controller uses the processed data for the purpose of proving the validity of the claim and, if necessary, to enforce the claim legally.
Scope of data: The nature of the request, the data underlying the request, data related to the validation of the request.
Legal basis for data management: The legal basis for data management is partly the provisions of legislation, of those legislations that enable the enforcement of the claim in the legal relationship between the parties. If the request is based on a contract, the legal basis for data management is the fulfillment of the contract between the data subject and the Data Controller. The legal basis for data management is also the enforcement of the Data Controller’s legitimate interests. The Data Controller performed the interest assessment test.
The purpose of data management:
– Exercising rights arising from the legal relationship, fulfilling obligations, asserting claims.
Duration of data management: Data management lasts until the request is validated, failing which, until the request can be legally enforced. The Data Controllers delete the data if the claim cannot be validated, especially if it has expired or the claim is unsuccessful.
A brief introduction to the balance of interests test:
In the case of data management according to this point, the Data Controller’s interest is to receive the compensation due to him in the event of the fulfillment of the contract between him and the data subject. In all cases, the processing of data serves to enforce a claim based on a contract or a commitment of a party; the conclusion of the contract or the commitment was made in all cases based on the voluntary decision of the person concerned. In other words, the data subject has undertaken the obligation to pay the fee according to the contract to the Data Controller in case of using the service. The Data Controller has a legitimate, contractual interest and right to receive this fee.
If the data subject does not voluntarily comply with the Data Controller’s request, the Data Controller is forced to enforce it legally, in accordance with the applicable legislation, i.e. there is no other way to achieve the goal.
The condition for validating the claim is the use of the data that is necessary to support and prove the claim, and to initiate the necessary procedures; without the use of these data, the claim cannot be asserted, as the Data Controller cannot prove it and initiate the procedures.
Taking into account that the reason for the data processing is the illegal procedure of the data subject and the data is used in a manner defined by law (procedure), the data processing cannot be considered a disproportionate restriction


3.14. Recommendation-related data management, recommendation system
 Description of data management: The Data Controller operates a referral system, the essence of which is that the data subject can recommend a third party to the Data Controller’s training program. In the case of a successful recommendation, the Data Controller will grant the data subject a predetermined discount or benefit. The recommender is responsible for the legality of the recommendation, and in particular for the fact that the recommended person consented to the processing of his/her data. Based on all of this, the recommending person is obliged to request the recommended person’s consent before making the recommendation.
Scope of data: Recommender’s name, e-mail address, recommended person’s name, other information provided by the recommender.
Legal basis for data management: Data management is voluntary, the data subject may refuse consent. The condition of the recommendation is that the recommended person consents to it, that is, the recommender must definitely request the consent of the recommended person. If requested by the recommended person, the Data Controller will delete all data related to the recommendation.
The purpose of data management:
– Establishing a legal relationship, preparing and signing the contract establishing the legal relationship;
– Promotion of the Data Controller’s activities.
Duration of data management: The Data Controller deletes the data if the data subject requests it. If the recommendation is unsuccessful (the recommended person does not wish to contact the Data Controller), the data will be deleted by the Data Controller. If the recommendation is successful, the data will be processed according to the general rules.


3.15. Data management of images
 Description of data management: The Data Controller takes a photo of the data subject (or requests a photo), which appears in the Data Controller’s system, alongside the data concerning the data subject. It is possible to identify the data subject through the photo of the data subject; the person concerned can use the photograph to create his/her CV.
Scope of data: Photograph of the data subject.
Legal basis for data management: Data management is voluntary, the data subject may refuse consent.
The purpose of data management:
– Referral of the affected person to another employer, facilitating the establishment of the legal relationship.
Duration of data processing: The Data Controller processes the photograph in the same way and for the same period as the CV. The person concerned can request the deletion of the image.


3.16. Authority, executive, court inquiries related data management
 Description of data management: If the Data Controller receives a request from an authority, bailiff, or court regarding an employee, and the request complies with the relevant legislation, the Data Controller files the request and fulfills it, at the same time recording what measures were taken based on the request.
Scope of processed data: The data that are related to the given inquiry.
Legal basis for data management: In all cases, the legal basis for data management is the legal authorization on which the request is based.
The purpose of data management:
– Fulfillment of obligations stipulated by law (e.g. provision of data to tax authorities, social security bodies).
Duration of data management: The duration of data management is subject to the general rules governing the given data.


3.17. Website-related data management
 Description of data management: When viewing the Website, the IP address of the data subject’s computer, the start and end time of the visit, and in some cases – depending on the settings of the data subject’s computer – the type of browser and operating system are recorded. These data, recorded in a log file, are only used for statistical purposes, and the data manager only forwards them to third parties based on the express provisions of the law.
In order for the Data Controller to adapt its website to the expectations of its customers, it uses the system of Hotjar Ltd. (www.hotjar.com), which collects and stores data for marketing and optimization purposes. It uses this data to create user profiles running under a pseudonym. Without the data subject’s separate consent for this purpose, the data collected will not be able to individually identify the visitor of the Website, nor will they be connected to the personal data of the user of the pseudonym. In this context, the data of the user’s browser and device used for Internet browsing (country, IP address in anonymized form, device type, screen size, browser type, operating system type, visited pages, time of visit) are processed and stored. The user can turn off the collection and storage of data in his browser, which you can find more information about at the following link: https://www.hotjar.com/opt-out5. Data management is not suitable for personal identification.
The Data Controller maintains a chat service on the Website in the form of an automatic chatbot. Users can ask questions in the chatbot, they are not required to provide personal data. The service provider of the chatbot, thus the processor of the personal data displayed in the chatbot, is Talk-a-bot Kft.
The Data Controller uses cookies on the Website, as specified in the cookie information.
Scope of processed data: The data related to the visit to the website specified above, the data entered by the user in the chatbot.
Legal basis for data management: The legal basis for data management is the consent of the data subject, which is given by visiting the Website in the knowledge of the invitation to data management.
The purpose of data management:
– Operation of the Website
Duration of data management: After the data subject’s visit, the data is stored anonymized by the Data Controller’s system, so data management lasts as long as the data subject uses the Website. The content provided in the chatbot is stored by the Data Manager for five years.


3.18. Footage recorded by cameras
 Description of data management: Cameras operate in the Data Controller’s educational premises. In all cases, the cameras are placed in a clearly visible location, and the fact of surveillance is obvious to those involved. The cameras are directed exclusively at the entrance to each room. Cameras do not work in rest rooms, washrooms, and other places where surveillance may violate the privacy of those involved. The cameras are not aimed at places of work, they do not observe the work or study activities of the persons concerned. The recordings of the cameras are recorded on the server maintained by the Data Controller, and only the manager of the Data Controller and the person authorized by him in writing have access to the recordings. The recordings are handled by the Data Controller for three days, and the recordings are only made available in the event of an event that caused it (an act that violates personal or property security or endangers it). If, based on the recordings, it can be assumed that it will be necessary to take further measures, initiate an official procedure, or initiate a lawsuit, and the use of the recordings is necessary in these procedures, the Data Controller will lock the given part of the recording and store it separately. If the use or storage of a recording is necessary to assert the rights and legitimate interests of the data subject, upon the data subject’s justified request, the Data Controller will block the recording, store it separately, and release it upon request by the authority or court in the proceedings initiated by the data subject.
Scope of processed data: Image recording recorded by cameras.
Legal basis for data management: The legal basis for data management is the enforcement of the Data Controller’s legitimate interests. The Data Controller performed the interest assessment test.
The purpose of data management:
– Protection and maintenance of personal and property security.
Duration of data management: The Data Controller will delete the recordings within three days if their further storage is not necessary based on the above. If further storage is necessary, the Data Controller manages the recordings until the purpose of storage ceases, so the Data Controller deletes the recordings if their use is no longer necessary.
A brief introduction to the balance of interests test:
In the case of data management in accordance with this point, the Data Controller’s interest is to maintain personal and property security in the Data Controller’s premises where a large number of teachers and students are present, and to ensure the detection of acts that violate them. The interest to be protected is therefore personal and property security.
The interest to be protected can be enforced in several ways, such as the continuous presence of security personnel and the preliminary screening of those involved. In the case of cameras, illegal acts can be prevented, since cameras have a significant deterrent power, in addition, acts that violate the security of persons and property can be revealed later by means of cameras, it is possible to hold the violators responsible, to sanction the illegal act in appropriate official or court proceedings, or to validation of an emerging demand. In other words, by using the cameras, the interest can be achieved and ensured, so the use of the cameras is necessary.
The presence of the cameras is obvious to those concerned, they are informed about it, there is no secret surveillance. By choosing the monitored areas (placement of cameras), it is ensured that no areas are monitored where the monitoring disproportionately violates the privacy of the persons concerned. The data subject can access the recordings, and in justified cases he can also use them, so recording can also serve the interests of the data subject.


3.19. Data management related to verification of omissions
 Description of data management: Based on the contract concluded with the Data Controller, the data subject is obliged to participate in the training and fulfill his obligations related to participation in the training and accountability. If the data subject fails to fulfill these obligations, the Data Controller is entitled to apply the consequences specified in the contract or the governing legislation. The application of the consequences can be waived if the data subject excuses the omission and provides the data and documents necessary to prove the omission to the Data Controller. The Data Controller may request that the data subject prove the reason for the deletion with a document. If the reason for the rescue is related to the affected person’s medical condition (e.g. illness, medical treatment), the doctor’s certificate regarding the duration of the illness or treatment is sufficient; the Data Controller does not process data on the actual state of health or the treatment received. If the data subject wishes to present a certificate that contains such data, the Data Controller requests the masking and deletion of the health data. The Data Controller will not accept any document that contains data on the health condition of the person concerned and the treatments received.
Scope of processed data: The nature and duration of the omission, the data on which the data subject was saved, the documents provided by the data controller to the data controller.
Legal basis for data management: The legal basis for data management is the data subject’s consent, which he gives by handing over the data to the Data Controller in order to remedy his failure. The purpose of data management is also to fulfill the contract between the parties and to verify the fulfillment of the obligations arising from the contract.
The purpose of data management:
– Organization and implementation of the training;
– Monitoring the participation and development of the person concerned;
– Exercising rights arising from the legal relationship, fulfilling obligations, asserting claims.
Duration of data management: The Data Controller manages the data for the duration of the contract and for five years after the termination of the contract. The duration of data management is justified by the fact that claims may be asserted even after the termination of the contract.


OTHER INFORMATION RELATING TO DATA MANAGEMENT


4.1. Data transfer
General rules of data transmission: The Data Controller only transmits personal data to a third party if the data subject has clearly consented to it – knowing the scope of data transmitted and the recipient of the data transmission – or the law authorizes the data transmission. The transfer of data is mandatory if it is made on the basis of an inquiry issued by the police, authorities, or executive legislation in accordance with the governing legislation.
Transfer of data to the employer: If the person concerned successfully completes the training, the loan or mediation will take place, in accordance with 3.9 and 3.12 above.
Data transmission in connection with an employment relationship: If an employment relationship is established between the Data Controller and the data subject, the Data Controller, as an employer, will transmit the data for which it is required by law. Primarily, the following legislation imposes a data transfer obligation:
–Act LXXX of 1997 on those entitled to social security benefits and private pensions and the coverage of these services (data provision to social security administrative bodies, tax authorities, for the purpose of social security registration);
– Act LXXXI of 1997 on social security retirement benefits (data provision to the pension insurance administrative body, for the purpose of recording service time, earnings (income) and other data necessary for pension entitlement and pension determination);
– Act XCIII of 1993 on labor protection (data provision to the occupational safety authority, for the purpose of reporting occupational accidents, registering employees in contact with carcinogenic substances, registering serious occupational accidents);
– Act CL of 2017 on the taxation system (providing information to the tax authority on the payment of a taxable amount, the assessment of tax or the issuance of a certificate entitling to tax relief).
In addition to the above, the Data Controller will hand over the employee’s data to the company doctor conducting the medical fitness test.
Data transmission on the basis of the Fktv.: the data transfer according to 3.7 and 3.8 above. Shown by points.


4.2. Data processing
 The Data Controller is entitled to use a data processor to carry out their activities. The data processors do not make independent decisions, during data management they act on behalf of the Data Controller based on the written contract concluded with the Data Controller, as defined in the contract and according to the Data Controller’s instructions. The Data Controller checks the work of the data processors. Data processors are entitled to use additional data processors only with the consent of the Data Controller. The Data Controller informs the data subject about data processors upon request.


4.3. Data security, access to data
 The Data Controller ensures the security of the data, takes the technical and organizational measures and establishes the procedural rules that ensure the enforcement of the requirement of data security. The Data Controller records the data it manages in accordance with the applicable legislation, ensuring that only those employees and other persons acting in the Data Controller’s sphere of interest who need it for the performance of their duties and tasks can access the data, and that only such data can be accessed. , which are necessary for the performance of the given person’s job. The confidentiality of data is a job duty for all employees.
As part of its duties related to IT protection, the Data Controller ensures in particular:
– About the measures ensuring protection against unauthorized access, including the protection of software and hardware devices, and physical protection (access protection, network protection);
– About the measures that ensure the possibility of restoring data files, including regular backups and the separate, safe handling of copies (mirroring, backups);
– Protection of data files against viruses (virus protection);
– About the physical protection of the data files and the devices that carry them, including protection against fire damage, water damage, lightning strikes, and other elemental damage, as well as the reparability of damage caused by such events (archiving, fire protection).
In order to protect paper-based records, the Data Controller takes the necessary measures, especially in terms of physical security and fire protection.
Employees, agents and other persons acting on behalf of the Data Controller are obliged to securely store and protect the data carriers they use or own that contain personal data, regardless of the method of recording the data.


4.4. Duration of data management
 The Data Controller ensures that the duration of the processing of personal data does not exceed the necessary and legal extent by establishing and complying with the rules for deletion. Data will be deleted in the following cases:
The personal data is no longer needed for the purpose for which it was collected or otherwise processed. If the purpose of the data management has ceased, and the data management is not made mandatory by law, the data will be deleted by the Data Controller. If the legal relationship between the data subject and the Data Controller ceases, the purpose of data management is to enforce claims arising from the legal relationship. In view of the fact that the claims become statute-barred in five years, but the statute of limitations can be interrupted and restarted, the data must be deleted eight years after the termination of the legal relationship.
The Data Subject withdraws his consent. If the Data Subject withdraws his consent or the Data Subject requests the deletion of the data, the Data Controller will always check whether the data processing is mandatory based on the law. If so, the Data Controller will refuse the deletion request. If the processing of the data is not mandatory, but the Data Controller has a legal basis for doing so, and the data processing is necessary for the submission, enforcement and protection of legal claims, the Data Controller will check whether the data can be deleted. If the processing of the data is not required by law, the Data Controller has no legal basis for processing the data apart from consent, or despite the legal basis, the processing of the data is not justified, the Data Controller will delete the data at the request of the Data Subject. If the Data Controller refuses the deletion request, the Data Subject will be informed of this in all cases, and at the same time will clearly indicate the legal basis for the refusal of the deletion request and the legal remedies.
The data subject objects to data processing. If the data management is based on the legitimate interests of the data controller, the data subject may object to the data management. In this case, the Data Controller deletes the data, unless it can be proven that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are related to the submission, enforcement or defense of legal claims.
It becomes certain that the processing of the data is illegal. If the processing of the data is illegal, the Data Controller will always delete it as soon as the fact of the illegal data processing becomes apparent.
The deletion of the data is necessary to fulfill a legal obligation, or the deletion has been ordered by a court or the National Data Protection and Freedom of Information Authority. If the deletion is mandatory by law, or if it has been ordered by a court or Authority, and the provision is legally binding, the Data Controller will delete the data.
The deadline for data storage specified in advance, by law or in the consent, has expired. If the duration of data management is prescribed by law, the Data Controller will delete the data after the period specified in the law.
In the event of deletion, the Data Controller renders the data unsuitable for personal identification. If required by law, the Data Controller destroys the data carrier containing personal data.


4.5. Management of data protection incidents
 A data protection incident is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled. The Data Controller shall immediately report the data protection incident to the National Data Protection and Freedom of Information Authority, unless the data protection incident is likely to pose no risk to the rights and freedoms of the data subjects. The Data Controller keeps records of data protection incidents, together with the measures related to the given incident. If the incident is serious (i.e. likely to involve a high risk to the rights and freedoms of the data subject), the Data Controller will inform the data subject of the data protection incident without undue delay.


THE RIGHTS OF THE DATA SUBJECTS AND THEIR ENFORCEMENT


5.1. Rights of data subjects
Information (access). The data subject has the right to receive information about the processing of his data. The Data Controller informs the data subject about the data management when the data is collected, and this Information Sheet is also available to the data subject at any time. The data subject can request full information about the processing of his data at any time during data processing. The data subject may request that the Data Controller make a copy of the data available to him.
Rectification. The person concerned can request that the Data Controller correct inaccurate data concerning him or her, and supplement incomplete data.
Deletion, withdrawal of consent. The data subject may withdraw his consent to the processing of his data at any time, or request the deletion of his data. The Data Controller will only refuse deletion if the data management is based on legislation, or if the data management is necessary for the submission, enforcement or protection of legal claims.
Restriction. The data subject has the right to request the restriction of data processing in the following cases:
a) the data subject disputes the accuracy of the personal data, in which case the limitation applies to the period that allows the data controller to check the accuracy of the personal data;
b) the data management is illegal and the data subject opposes the deletion of the data and instead requests the restriction of their use;
c) the data controller no longer needs the personal data for the purpose of data management, but the data subject requires them to present, enforce or defend legal claims;
d) the data subject objected to data processing; in this case, the restriction applies to the period until it is established whether the legitimate reasons of the data controller take precedence over the legitimate reasons of the data subject.
If data management is subject to restrictions, such personal data may only be processed with the consent of the data subject, with the exception of storage, or for the presentation, enforcement or defense of legal claims, or for the protection of the rights of another natural or legal person, or for the important public interest of the European Union or a member state .
Protest. If the data management is based on the enforcement of the legitimate interests of the Data Controller or a third party, the data subject has the right to object to the processing of his personal data at any time for reasons related to his own situation. In this case, the data controller may no longer process the personal data, unless the data controller proves that the data processing is justified by compelling legitimate reasons that take precedence over the interests, rights and freedoms of the data subject, or that are necessary for the presentation, enforcement or defense of legal claims. are connected. If personal data is processed for the purpose of direct business acquisition, the data subject has the right to object at any time to the processing of his personal data for this purpose.
Data portability. The data subject has the right to receive his/her personal data in a segmented, widely used, machine-readable format, and is also entitled to transmit this data to another data controller, provided that the data is processed in an automated manner. The data subject has the right to – if this is technically possible – request the direct transfer of personal data to another data controller.


5.2. Ensuring the rights of the data subject, handling the requests of the data subject
 The Data Controller informs the data subject at the same time as the contact is made about the handling of the data. The information on data management can be found on the forms on which the data subject provides their data, and the data subject can also access the present, detailed information sheet, the fact and availability of which the Data Controller draws the data subject’s attention to.
The data subject can send the request for the exercise of his rights to the Data Controller in any way (verbally, in writing). The Data Controller examines the request immediately, makes a decision on the fulfillment of the request, and takes the necessary measures. The Data Controller will inform the data subject of the measures taken within one month. In all cases, the information includes the measures taken by the Data Controller or the information requested by the data subject. If the Data Controller refuses to fulfill the request (they do not take the necessary measures to fulfill the request), the information contains the legal basis for the refusal, the reasons and the legal remedies available to the person concerned.
The Data Controller does not oblige the fulfillment of the request to the payment of a fee or reimbursement of costs.
If, due to the circumstances and method of submitting the application, it is not certain that the application originates from the data subject, the Data Controller may request that the applicant prove his or her entitlement or submit the application in such a way that the entitlement can be clearly established.
The Data Controller will inform all recipients of the correction, deletion or limitation of data management to whom or to whom the personal data was disclosed, unless this proves to be impossible or requires a disproportionately large effort. At the request of the data subject, the data controller informs about these recipients.


5.3. Legal remedy
 In the event of a violation of his rights, the data subject may request that the Data Controller terminate the unlawful data processing, examine the data processing, and reject the data subject’s request. In all cases, the Data Controller investigates the data subject’s complaint in this direction and informs the data subject of the result.
The person concerned can file a complaint directly with the National Data Protection and Freedom of Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; telephone: +36-1-391-1400; e-mail: [email protected]; website: www. naih.hu) too.
In case of violation of the rights of the person concerned, to go to court. Upon request, the Data Controller informs the data subject in detail about the court with authority and jurisdiction to adjudicate the lawsuit, and about the possibility of filing a lawsuit.

Stay sharp in the tech world!

Subscribe to our newsletter for monthly doses of tech trends, insider updates and a competitive edge.