I. INTRODUCTION
GreenSearch Kft. (registered seat: 1133 Budapest, Váci út 76., company registration number 01-09-990194), acts mainly as a data processor and data controller as specified below, in this Privacy Policy provides information on how it handles CVs.
GreenSearch Kft. places advertisements mainly to fulfil orders, on the basis of which CVs are received by it electronically. In this case, GreenSearch Kft. performs its activities on behalf of its clients, who are the data controllers, by collecting and forwarding CVs to them. In addition, GreenSearch Kft. may also receive CVs irrespective of the orders, which GreenSearch Kft. shall handle as described in this Privacy Policy. GreenSearch Kft. does not control special data nor does it control the personal data of children.
GreenSearch Kft. when controlling the data of a data subject, acts in accordance with the effective data protection and other legal rules. This way the controlling activities fully comply with but not limited to the following laws:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Act CXII of 2011 on Informational Self determination and Freedom of Information (hereinafter referred to as ‘Info act’);
Act V of 2013 on the Civil Code (hereinafter referred to as ‘Civil Code’);
Act CXIX of 1995 on of name and address data processing for research and direct marketing purposes.
In developing this current data protection principles GreenSearch Kft. considered the provisions of the VI. Regulation of the year 1998 about the annunciation of the Agreement dated January 28, 1981 in Strasbourg about the protection of individuals during the automatic processing of personal data and also the provisions of the Charter of Fundamental Rights of the European Union.
GreenSeach Kft. is committed to the lawful controlling of personal data and the respect of the right of informational self-determination. GreenSearch Kft. undertakes to take all the appropriate measures required to ensure that the controlling of personal data complies with the relevant legal provisions.
GreenSearch Kft. regarding the data controlling takes into consideration the following principles set under the General Data Protection Regulation (GDPR):
• lawfulness, fairness and transparency
• purpose limitation
• data minimisation
• accuracy
• storage limitation
• integrity and confidentiality
II. PURPOSE AND SCOPE OF DATA CONTROLLING
GreenSearch Kft. handles CVs and personal data obtained from CVs in relation to the following directives:
When a data subject responds to a job advertisement and his or her CV is received by GreenSearch Kft. via the job advertisement, in accordance with the client’s interests, it handles the CV and the personal data contained in it, and transfers them to an email address/person designated by the client. In this case when handling personal data contained in a CV GreenSearch Kft. is considered a data processor.
When a data subject sends his or her CV directly to GreenSearch Kft. it is then considered a data controller. It controls the data subject’s CV and his or her personal data contained in the CV in order to transfer them to a client for a suitable position matching his or her professional experience, qualification, skills and knowledge. The data subject shall receive confirmation of his or her CV being transferred to a client specifying the client’s name and seat.
GreenSearch Kft. does not keep separate records of personal data gained from CVs. CVs received by GreenSearch Kft. are stored electronically either being saved as an electronic file or in the incoming mail section.
CVs usually contain the following personal data:
• full name
• e-mail address containing name
• place and date of birth
• telephone number
• mother’s name
• address
• data concerning current and prior employees (employment period, positions held)
• data concerning education history (educational establishments, description of qualifications, may include number of certificates, diplomas)
In case a data provider is not providing his or her own personal data, it is the obligation of the data provider to obtain the consent of the data subject. GreenSearch Kft. is not entitled to verify the accuracy and correctness of the data provided consequently, the data provider providing the data is assumed responsible for the accuracy and correctness of the data provided. GreenSearch Kft. accepts the personal data provided as correct and true, until no evidence is found to the contrary, and considers that the data subject is entitled to provide personal data.
III. LEGAL BASIS FOR DATA CONTROLLING
The legal basis for data controlling is created by the previous voluntary consent of the data subject.
The data subject shall have the right to withdraw his or her consent to data controlling at any time during the term of data controlling. Such withdrawal shall, however, not affect the legitimacy of any data controlling performed with the data subject’s consent prior to such withdrawal.
If a data subject does not provide his or her requested personal data, GreenSearch Kft. shall not store his or her CV nor shall it control his or her personal data contained in his or her CV.
IV. DATA CONTROLLING PERIOD
GreenSearch Kft. shall handle CVs containing personal data until the data subject requests deletion of the data concerned or the data controlling period, specified below, elapses.
The period of controlling may be differentiated, depending on whether GreenSearch Kft. receives the CV for a specific job advertisement, on the data subject sends his or her CV to GreenSearch Kft. indifferently of a job advertisement.
• If a CV is received by GreenSearch Kft. responding to a job advertisement GreenSearch Kft. acts as a data processor, controlling and storing the personal data contained in the CV in its electronic systems for a period determined by the client. The period of data storage may vary from case to case. The data subject may request information about the data storage period by using the e-mail address below.
• If the data subject sends his or her CV directly to GreenSearch Kft., irrespective of a job advertisement, or his or her CV is sent to GreenSearch Kft. responding to a job advertisement but the client chooses a different candidate for the position but the data subject gives his or her consent to controlling by GreenSearch Kft., in this case the CV shall be stored electronically by GreenSearch Kft. for one year, and shall automatically be deleted by the end of the quarter of the year the CV is received. (i.e. a CV received on 10 January shall be deleted on 31 March. or a CV received in May shall be deleted on 30 June). Deletion happens automatically without the notification of the data subject.
The concerned data subject may request the data controller for the deletion of his or her personal data in the following ways:
• by e-mail to: deak@greensearch.hu;
• by mail addressed to the addressee of: GreenSearch Kft, H-1133 Budapest, Váci út 76.
V. REGISTRATION AND CONTACT DETAILS OF GREENSERACH KFT. (AS A DATA PROCESSOR AND CONTROLLER)
Company name: GreenSearch Kft.
Registered seat: 1133 Budapest, Váci út 76.
Company registration number: 01-09-990194
E-mail address: andrea.deak@greensearch.hu
Legal representative: Deák Andrea
The contact details of legal representative correspond to the aforementioned data.
VI. RIGHTS OF DATA SUBJECT
1. RIGHT TO BE INFORMED
The controller shall take appropriate measures to provide any information in writing, or by other means, including, where appropriate, by electronic means relating to controlling to the data subject. The information shall be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The scope of this Privacy Policy is contained in Articles 12 to 14, 15 to 22 and 34 of the General Data Protection Regulation. This Privacy Policy contains the information stipulated in the articles in this paragraph.
2. RIGHT TO WITHDRAW CONSENT
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of the consent shall not affect the lawfulness of controlling based on consent before its withdrawal.
3. RIGHT OF ACCESS
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
• the purposes of the controlling;
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed;
• the envisaged period for which the personal data will be stored;
• the right to request from the controller rectification or erasure of personal data or restriction of controlling of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority.
4.RIGHT TO RECTIFICATION
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the controlling, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
5. RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
• the data subject withdraws consent on which the controlling is based;
• the data subject requests the erasure of his or her personal data;
• the data subject objects to the controlling on grounds relating to his or her particular situation;
• the personal data have been unlawfully controlled;
• the personal data have to be erased for compliance with a legal obligation.
Personal data cannot be erased if the controlling is necessary;
• for exercising the right of freedom of expression and information;
• for the establishment, exercise or defence of legal claims.
6. RIGHT TO RESTRICT PROCESSING
The data subject shall have the right to obtain from the controller restriction of controlling where one of the following applies:
• the accuracy of the personal data is contested by the data subject, in this case the restriction is for a period enabling the controller to verify the accuracy of the personal data;
• the controlling is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the controlling, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• the data subject has objected to the data controlling, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where controlling has been restricted, such personal data shall, with the exception of storage, only be controlled with the data subject’s consent by the controller for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The data subject who has obtained restriction of controlling shall be informed by the controller before the restriction of processing is lifted.
7. RIGHT TO DATA PORTABILITY
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
The exercise of this right shall not adversely affect the rights and freedoms of others.
8. RIGHT TO OBJECT
In the case of controlling provided for the purposes specified in this Privacy Policy the right to object is not applicable because the right to object is necessary for the performance of a task carried out in the public interest or in the exercise of official authority or if controlling is necessary for the purposes of the legitimate interests pursued by a third party.
9. RIGHTS IN RELATION TO AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING
The data subject shall have the right not to be subject to a decision based solely on automated controlling, including profiling, which produces legal effects concerning him or her or similarly affects significantly him or her.
Automated individual decision-making or profiling related to the controlling defined in this Privacy Policy are not used.
10. RIGHT TO COMMUNICATION OF A PERSONAL DATA BREACH TO THE DATA SUBJECT
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach. The communication to the data subject shall not be required if any of the following conditions are met:
• the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
• following the data breach the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
• the communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
11. RIGHT TO LODGE A COMPLAINT
In the case of dispute over the lawfulness of data controlling, the data subject concerned may initiate the following procedures:
• Address a complaint directly to the controller.
• Turn to the Court and request the controller of unlawful data controlling, and claim restitution and damages. In the context of unlawful data controlling restitution and damages can only be determined by the Court.
• Lodge a complaint with the National Data Protection and Freedom of Information Authority (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C., hereinafter ‘the Authority’). The Authority is not entitled to decide on restitution or damages.
12. COMMON PROVISIONS RELATING TO THE EXERCISE OF RIGHTS REFERRED TO IN POINTS 3 – 9
The data controller shall provide information on the above action taken to the data subject concerned within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The controller provides information free of charge. Where requests from the data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller taking into account the administrative costs of providing the information or communication or taking the action requested; may either:
• charge a reasonable fee; or
• refuse to take measures based on a request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Where the controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
VII. SECURITY OF DATA CONTROLLING
GreenSearch Kft. shall take into account, in particular, but not limited to, in the selection and use of IT tools used to control personal data the following conditions:
• availability: data shall be available to authorised persons;
• integrity of data controlling: integrity of data is ensured;
• data integrity: assurance of data consistency;
• data security and confidentiality: protection against unauthorised access is guaranteed, only people who have the right can access data.
GreenSearch Kft. uses measures to ensure the protection of data by the latest recognised state-of-the-art tools, providing a level of protection appropriate to the data controlling risks.
GreenSearch Kft. protects the data by applying appropriate measures, including, but not limited to, against unauthorised access, publication, unauthorised transfer of data, unauthorised deletion, destruction, damage, and becoming unavailability.
A GreenSearch Kft.’s IT systems and IT networks are protected against computer viruses and cyber attacks.
VIII. COOKIE POLICY
Cookies are small data packages that are stored on a user’s computer or browser when visiting a website allowing the website to recognise its users on subsequent visits. When the user’s browser returns a previously saved cookie, the cookie manager can link the user’s current visit with their previous ones but exclusively in regards of its own content.
Cookies are used to make the use of a website more effective. Cookies are used in order for the website to recognise its returning users and thus to collect information about the habits of visitors to the website such as what pages they view of the website and what function they use.
The data is used to analyse, optimise, develop and tailor advertising strategies on the website in order to make the service more effective.
The purpose of data controlling is therefore to identify, distinguish between users, identify user sessions and store data provided during the sessions and to carry out web analytics.
The legal basis for data controlling is the consent of the data subject concerned.
Scope of controlled data includes: identification number, date, time, previously visited page.
Duration of data controlling: 12 months
Users can delete cookies from their computers and they can disable cookies in their browsers.
Cookies can be managed in the Tools/Preferences menus of the browser in the Privacy/History/Custom Settings menus.
If the user does not allow the use of cookies, the website may only be used in a limited or incomplete form, or the analytics may be inaccurate.
IX. MODIFICATION OF PRIVACY POLICY
Data controllers are entitles to modify this Privacy Policy at any time unilaterally, without the consent of the data subject. Should the purpose of the controlling be modified the personal data shall be controlled subject to the consent of the data subject to the modified data controlling purpose.
The up-to-date Privacy Policy is available at www.greensearch.hu.