MADIS Consulting Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság as controller – hereinafter referred to as the Company or the Controller - provides a detailed information on its Privacy Policy to the natural person (hereinafter referred to as Data Subject) below and in accordance with Article 12, 13 and 14 of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
1. Name of the Controller and contact details
Name of the Controller: MADIS Consulting Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Registered seat: Cirok str. 9. 3/B, H-1024 Budapest,
Registration No.: 01-09889239
Email address: office@madis.hu
Phone: +36 30 478 5569
Responsible for data protection issues: István Szente, CEO
2. Definitions
Personal Data: when this Policy mentions personal data, it refers to any information concerning an identified or identifiable natural person.
(Identifiable natural person: the natural person, who is directly or indirectly – especially upon each identical data (such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person) identifiable.
Data subject: a natural person, who is identifiable upon any information.
Recipient: means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
3. Legal framework of data processing
Main legal rules applicable for data processing referred in this Policy are the followings:
· Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”)
· Act CXII of 2011 on informational self-determination and the freedom of information (the “Information Act”)
4. Scope of personal data
Certain data processing include the data of employees of the Company and other persons thereof (such as access control system)
4.1. Types of data processing
4.1.1 Processing of Job applications
Data processing 1
Purpose of data processing: Filling the open positions within the Company
Legal basis of data processing: preparing of the employment contract (see point b) of paragraph (1) of Article 6 of GDPR)
Scope of personal data: data needed to evaluate job application:
· name, date and place of birth, address, contact details
· data relating to skills and educations and former employments.
Date of data erasure: according to Data subjects request, or 5 years in lack of a request. Erasure or rectification (modification) may be initiated via the abovementioned contact details in point 1.
Data processing 2
In case of certain positions the Company involve recruitment agencies.
Purpose of data processing: to assure the accountability between the Company and recruitment agencies.
Legal basis of data processing: mutual legitimate interest of the Company and the recruitment agency (point f) of paragraph (1) of Article 6 of GDPR)
Scope of personal data:
· name of the candidate, date of birth, contact details
· date of nomination
Date of data erasure: 365 days after the date of nomination
Erasure or rectification (modification) may be initiated via the recruitment agency nominated the candidate.
Recruitment agency shall inform the data subjects about the fact, the means and other characters of data processing, before the commencement of data processing
4.2. Data processing of university students fulfil their internships at the Company
Purpose of data processing: professional internship program for university students (4.2.1), informing the university about the fulfilment of internship program (4.2.2), concluding student employment contract with the interns (4.2.3), see details below.
4.2.1. Purpose of data processing: professional internship program for university students
Legal basis of data processing: legitimate interest of the Company (data saved for security issues)
Scope of personal data: name, internal IDs (if any), other data required for employment (these are collected from the data subject)
Date of data erasure: we preserve data for an unlimited period. There is no option for erasure.
The Student may request rectification of its data, may object against data processing, or request restriction thereof.
4.2.2. Purpose of data processing: informing the university about the fulfilment of internship program
Legal basis of data processing: legal obligation (in compliance with Act on higher education)
Scope of personal data: data required by the university: name, date of birth, student ID number, data transferred to Tudásközpont (Learning Centre)
Date of data erasure: 1 year after termination of contract concluded with the university with a maximum of 2 years
Erasure, rectification of personal data:
· if the university transferred them to the Company, then it could be requested at the university being the original source thereof, which will notify the Company about the changes;
· if the student itself provided his or her personal data to the Company, then it could be requested via contact details for objection.
The student may object against the processing or request restriction thereof via the access detailed in point 1.
4.2.3. Purpose of data processing: concluding student employment contract with the interns for the time of internship
Legal basis of data processing: legal obligation (Labour Code)
Scope of personal data: prescribed by the Labour Code:
· name, date and place of birth, address
· student ID number, contact details
· tax ID, social security number
· bank account
Date of data erasure: 50 years
The student may request for rectification via contact details in point 1.
4.3. Data of access system
Visitor card may be requested by the reception of the office building.
Purpose of data processing: security of the properties in office building and the Company therewithin
Legal basis of data processing: legitimate interest of the office building and the Company
Scope of personal data: name, card number, rights of access, data of movements (where, which way, when)
Date of data erasure: 30 days
Controller: office building or its attorney
There is no option for earlier erasure or rectification of personal data regarding the purpose of processing.
4.4. Contact details of contracting parties
Purpose of data processing: to ensure the received information are from our real contracting parties.
Legal basis of data processing: Legitimate interest of the Company
Scope of personal data: name, contact details (mail, phone number), other data (if any) provided by the contracting party
Source of personal data: personal data provided by the contracting party, who is responsible for data transferring is lawful
Date of data erasure: equal to the retention time of the relevant contract
There is no option for earlier erasure or rectification of personal data regarding the purpose of processing.
4.5. Contact details of other (non-contracting) parties
Purpose of data processing: to ensure the received information are from our real parties.
Legal basis of data processing: consent of data subject
Scope of personal data: name, contact details (mail, phone number) other data (if any) provided by the party
Source of data: personal data provided by the party, who is responsible for data transferring is lawful
Date of data erasure: upon notification by the party or withdrawal of consent
Erasure or rectification of personal data may request at the partner.
4.6. Visiting our website
The website of the Company is in English. The Privacy Policy regarding to visit of the website may be found at https://madis.hu/privacy-policy/#infocollect
While the Privacy Policy for data subject as candidate in recruitment and job application process may be found at [xxxx]Transfer of personal data
5. Transfer of personal data
The Controller is solely entitled to transfer personal data to a third person, if the data subject – being in aware of the scope of the transferred data and the recipient of the transfer – clearly and unambiguously agreed thereto, or the Controller has a valid legal ground to transfer.
6. Data protection measures
In order to guarantee the confidentiality, integrity and availability of personal data of data subject, the Company stores personal data solely on the designated data medium and data storages which enables data subject upon right to access, and stores in databases protected by password and/or by encryption in line with common IT security standards.
The Company secures data protection risk proportionally and adjusted to personal or business nature of data, on the level of network, infrastructures and applications (firewalls, antivirus software, encryption mechanism for storage and communication and other technical and process related solutions).
The Company monitors and handles personal data breaches continuously. The Company provide for the security of paper based records and all personal data processed on paper through a storage place unavailable for unauthorized persons. After duration of data processing period has been expired, paper based records shall be destructed by burning or by shredder with the assistance of designated Data subjects.
7. Rights of data subjects relating to data processing
Within the timeframe of data processing, data subjects have the rights mentioned below in relation to data processing in accordance with Article 15, 16, 17, 18, 21, 11, 77, 78,79 and 82 of GDPR and Section 14-23 of Information Act:
Right to request information:
If the Company process any personal data of the data subject, the Company is shall provide information – without request therefor – upon the most important characters of data processing, such as the purpose, legal basis, the retention time of data processing, identity of the controller and its representative with their contact details, contact details of data protection officer, recipients of personal data, legitimate interest of the Company and/or the third partyin case of data processing based thereon, and rights and options for legal remedies regarding data processing (including right to lodge a complaint to the supervisory authority), and, if the source of the data is not the data subject personally, then the source of personal data and the categories of personal data concerned, provided, the Data Subject is not aware of this information. The Company provides this information to Data Subjects by making available this Privacy Policy.
Right to access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the information listed in GDPR, including purposes of processing, categories of personal data concerned, recipients of personal data, (planned) period of processing, rights and options for legal remedies of data subject (including the right to lodge a complaint to a supervisory authority), and where the personal data are not collected from the data subject, any available information as to their source. Upon the request from the data subject, the Company provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy shall not adversely affect the rights and freedoms of others. The options, means and possible expenses and other details regarding to obtain a copy, the Company provides information upon the request of data subject.
Right to rectification (correction):
Data subjects shall have the right to request the Company to change any of their inaccurate personal data without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to restriction of processing:
The data subject shall have the right to obtain from the controller restriction of processing if the accuracy of the personal data is contested by the data subject, or if the processing is unlawful, and the data subject opposes the erasure of the personal data, or if the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the enforcement of his or her legal claims. Where processing has been restricted as above, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, if the processing is based on consent or contract and the processing is carried out by automated means. Regarding automated processing, the data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her (including ‘profiling’) which is based solely on automated processing and which significantly affects him or her
Right to erasure (’right to be forgotten’):
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her in cases prescribed in point a-f) in paragraph (1) of Article 17 of GDPR. The Company is obliged to erasure – beside others – personal data of data subject, if the data subject request and the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or if data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing, or if the personal data have been unlawfully processed, or if the data subject object to the processing and there are no overriding legitimate grounds for the processing, or the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which is applicable to the Controller.
Data subject is not allowed to exercise the right to erasure if the processing is necessary in compliance with paragraph (3) of Article 17 of GDPR, especially, if the processing is necessary
· for exercising the right of freedom of expression and information,
· for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject;
· for or archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided that the right erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
· for the establishment, exercise or defence of legal claims
Right to object:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on legitimate interest of the Controller or official authority vested therein. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right to withdraw:
If the data processing of the Company based on the consent of data subject, data subject shall have the right to withdraw his or her consent at any time.
Information about exercising rights:
The Company shall provide information on action taken on a request based on the rights of data subject listed above to data subject without undue delay and in any event within one month of receipt of the request.
That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority (in Hungary with Hungarian National Authority for Data Protection and Freedom of Information; ‘NAIH’) and seeking a judicial remedy.
Contact details of NAIH
address: 1055 Budapest, Falk Miksa str. 9-11.;
phone: +36-1-391-1400;
Fax: +36-1-391-1410
e-mail: ugyfelszolgalat@naih.hu
website: www.naih.hu
The information above shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes GDPR.
Furthermore, data subjects shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them, or even if competent supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with GDPR. Proceedings against the Company or its processor partner shall be brought before the courts of the Member State where the Company or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.
