DATA PROCESSING

DATA PROCESSING POLICY

  1. Data controller

1.1       Data controller’s name, contacts:

Data controller: B+N Referencia Zrt.

Registered company seat: 3644 Tardona, Katus domb 1.

Postal address: 1133 Budapest, Váci út 116-118. Agora TOWER 1, 15. em.

E-mail address: iroda@bnref.hu

Phone: +36-30-670-8752

Fax: +36-1-877-9610

Webpage: www.bnref.hu

Name of Data Protection Officer: Gábor Farkas

Contact: adatvedelem@bnref.hu

The present Policy may be modified and/or withdrawn unilaterally by the Data controller at any time, with the simultaneous information of the Parties. Information is considered as effected with the disclosure of information on the website or, depending on the nature of the modification, the direct notification of the persons concerned.

The Information was created based on Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), the Act CXII of 2011 on the right to informational self-determination and on the freedom of information, and provisions of Act V of 2013 on the Civil Code.

  1. Aim of data controlling

2.1       Advertising services, providing information for website visitors

Introduction of the company

Indication of company contacts

Introduction of services provided by the company

Communication with persons interested

Legal basis of data control: legitimate interest

– Direct marketing is the legitimate interest of the data controller

While visiting the website, the Party concerned provided data according to point A) to the Data controller.

Range of data controlled:

Partyal identification data (last name, first name, contact (phone number, e-mail address), date, time, address of page visited, IP address of the user’s computer, data and photo included in the CV, as well as other data voluntarily disclosed by the customers.

Range of data controlled in case of service-related inquiry:

Name,

E-mail address,

Message send by the Party concerned, other data provided by them in the message (e.g. phone number, secondary email address, address, temporary address).

If the Party concerned provides personal data in the optional message box which is not necessary for the Data controller to be able to handle the personal data adjusted to the purpose of the function available on the website, Data controller shall delete the unnecessary personal data without delay.

Consequence of missed data reporting: Provision of personal data depends on the choice of the Party concerned, however, without the provision of name and email address, the application cannot be sent.

2.2       Selection of new labour force for Data controller:

The purpose of data control is the assessment of applications for positions advertised by the Data controller and establishment of employment.

Legal basis of data control: Permission

Range of data controlled:

Name,

Email address,

Field of work applied for,

Salary request,

Applicant’s message,

During job application on the website, the applicant may attach their CV (not compulsory), containing data given by the applicant, with special regard to:

The data provided above,

Studies, qualifications, certificate proving qualification as well as their ID numbers, and date of obtaining certificate,

Hobby, field of interest,

References,

Permanent address, temporary address,

Previous employers and positions,

With foreign applicants existing work permit,

Picture,

Other data provided by applicant,

If the Party concerned provides personal data in the optional message box, which is not necessary for the Data controller to be able to handle the personal data adjusted to the purpose of the function available on the website, the Data controller shall delete the unnecessary personal data without delay.

Consequence of missed data reporting: Provision of personal data depends on the choice of the Party concerned, however, without the provision of name and email address, the application cannot be sent.

  1. Range of persons concerned

Users and visitors of the website http://bnref.hu/, their contact persons or job applicants.

  1. Children

Our services and job advertisements are not aimed at people under the age of 16, therefore we specifically ask people under 16 not to give their Partyal data to the Data controller. If it comes to our knowledge that we have collected data from a child under 16, the Data controller shall delete the unnecessary personal data without delay.

  1. Duration of data control

With permission: until withdrawal of the Party concerned

In case of legitimate interest: until objection of the Party concerned

IP address…………., 30 days

  1. Provision of information on the service of the Data controller

The present webpage is managed by B+N Referencia Zrt. 3937 Komlóska Szkalka köz 1. Cg. 05 10 000479

  1. People authorized to access data

The Data controller may not disclose the data provided to a third party other than the designated data processor. Only the Data controller and the designated data processor may get into contact with the data recorded.

  1. Automatic decision making

The Data controller shall not apply an automatic decision making system.

  1. Rights of Parties concerned

The Party concerned may make requests from the Data controller via the contacts given in Point 1 in connection with the following issues:

request for information on the management of their personal data,

request for data modification,

request for deletion of personal data or restriction on data controlling,

objection to data controlling

request for the transferring of their data to another data controller if data controlling is based on contract or permission and the Organization manages it in the framework of automated procedures.

request for the withdrawal of permission for data controlling

The Party concerned may exercise their rights listed above at any time.

Furthermore, the Party concerned may make requests from the Data controller via the contacts given in Point 1 in connection with the following issues:

request for the transferring of their data to another data controller if data controlling is based on contract or permission and the Organization manages it in the framework of automated procedures.

request for the withdrawal of previously given permission for data controlling

The Data controller shall investigate the report within a maximum of 1 month following the submission of the request and informs the Party concerned in writing.

If the legal basis of the objection is well-established, the Data controller terminates data management without delay – including data transfer and further data recording – and the data are locked. The Data controller informs of the objection everyone whom the data of the Party concerned have been sent to.

If the Party concerned does not agree with the decision made by the Organization, they can resort to court within 30 days after receiving the decision.

9.1       Cost of providing information

The Organization provides the measures and necessary information free of charge for the first time.

If the Party concerned requests the same data for the second time within a month, and those data have not changed, the Data controller shall charge administrative fee.

Administrative fees are always accounted for based on the hourly minimum wage.

The number of work hours spent on providing information is accounted for for the above hourly fee.

In case of a need for paper-based notification, the amount payable consists of the first cost of printing and the postage cost.

9.2       Denial of providing information

If the request of the Party concerned is clearly unfounded, or they are not eligible for receiving information or the Organization, as the data controller, can prove that the Party concerned is in possession of the information requested, Data controller shall reject the request for information.

If the request of the Party concerned is excessive, especially if overly repetitive (e.g. they request exercising of their rights according to Articles 15-22 for the third time within a month), the Organization may reject the request.

9.3       Right to objection

The Party concerned has the right to object to the use of their personal data based on legitimate interest or public authority.

In that case the Organization may not manage the personal data any further, except if it can prove that further management of data is imperative due to justifiable reasons which are a priority compared to the interest, rights and freedoms of the Party concerned,

or which are related to the presentation, enforcement or protection of legal rights.

If the legal basis of the objection is well-established, the Data controller shall terminate data management without delay – including data transfer and further data recording – and the data shall be locked. The Data controller informs of the objection everyone whom the data of the Party concerned have been sent to.

Handling of the request is free of charge except if unjustified or excessive, for which Data controller may charge appropriate and reasonable fee as administrative costs. If the Party concerned does not agree with the decision made by the Data controller, they can resort to court.

  1. Data transfer to third country or international organization

The Data controller may NOT disclose the personal data of the Party concerned to third countries outside of the European Economic Area or international organizations.

  1. Information about data security measures

The Data controller manages data in a closed system in compliance with the stipulations of the Information Security Policy.

The Data controller provides default and built-in data security. To ensure this, the Data protector applies the appropriate technical and organizational measures in order to:

regulate access to data;

authorize access to minimally necessary data for those who need them for their work;

carefully choose data processors, and ensure the safety of data with the appropriate data processing contract;

ensure the integrity, credibility and protection of data.

The Data controller shall apply reasonable physical, technical, and organizational safety measures for the protection of the data of the Party concerned, especially for their unintentional, unauthorized or illegal termination, loss, modification, forwarding, use, access or processing. The Data controller shall notify the Party concerned without delay about any known unauthorized high-risk access to or use of personal data.

The Data controller, if it is necessary to forward data of Party concerned, ensures the safety of the data forwarded, for example with data encryption. The Data controller is fully liable to the data management of the Party concerned by third party people.

With appropriate and regular safety backups the Data controller ensures data of the Party concerned is protected from being destroyed or deleted.

  1. Legal remedy

In the case of any real or suspected legal injury with regard to the management of their personal data, any party concerned can turn to the Budapest Municipal Court or submit a request for investigation at the Hungarian National Authority for Data Protection and Freedom of Information.

Registered company seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Postal address: 1530 Budapest, Pf.: 5

E-mail: ugyfelszolgalat@naih.hu

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Website: www.naih.hu

In case of user right violation, the user may resort to court. The lawsuit is under the competence and jurisdiction of the Court of Budapest. The lawsuit  – according to the choice of the Party concerned – can be launched at the court closest to the permanent or temporary address of the Party concerned. Upon request, Data controllers inform the Party concerned about the ways and means of legal remedy.