Privacy notice for job applicants

The protection of your personal data is of the utmost importance to us, and this Privacy Notice explains what personal data we process about you, for what purposes and on what legal basis. The Privacy Notice also sets out your rights.

1. Data of the Data Controller

Data Controller: “Geronto-MED 2005” Non-Profit Ltd (hereinafter referred to as “Data Controller”)
Registered office: 8623 Balatonföldvár, Kemping utca 3/A
Locations:
8623 Balatonföldvár, Kemping utca 3.
8623 Balatonföldvár, Széchenyi utca 2.
Company registration number: 14-09-309359
Tax number: 22210991-2-14
Website: www.irisintezet.hu
Contact details of the Data Protection Officer: info@irisintezet.hu

2. General legislation on which the processing is based

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.)
  • Act I of 2012 on the Labour Code (Labour Code)
  • Act LXXV of 2010 on simplified employment (Efo tv.)

3. Concepts

Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data include in particular: name, address, place and date of birth, mother’s name.

Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the Controller or the specific criteria for the designation of the Controller may also be determined by Union or Member State law.

Data Processor: a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the Controller.

Recipient: the natural or legal person, public authority, agency or any other body, whether or not a third party, with whom or to which the personal data are disclosed.

4. Data management activities

The Controller processes the personal data of job applicants as follows:

4.1. To apply for the vacancy notice

Purpose of data processing Checking that the conditions for the post are met in relation to the vacancy advertised
Legal basis for processing Article 6(1)(a) GDPR: consent
Scope of personal data processed Personal data proving the applicant’s compliance with the qualifications and competences requirements set out in his/her CV and its annex
Data retention time Until consent is withdrawn, but not later than the closing of the application and notification of the outcome

4.2. Participation in the database

Purpose of data processing Checking the existence of the necessary conditions to fill a job vacancy in the database of the Data Controller for a possible job offer
Legal basis for data processing Article 6(1)(a) GDPR: consent
Scope of personal data processed Personal data proving the applicant’s compliance with the qualifications and competences requirements set out in his/her CV and its annex
Data retention time Until consent is withdrawn, but for a maximum of 2 years after the closure of the application

5. Recording data

Personal data is collected directly from the Data Subject. The Data Controller does not process personal data that is not collected from the Data Subject.

6. Other Data Controller, joint data management

The Data Controller does not use any other Data Controller in the course of data processing. There is no joint processing of personal data of job applicants.

7. Use of a data processor

The Data Controller uses Data Processor(s) in the course of data processing:

  • mail system provider: Google Ireland Ltd. (based in Google Building Gordon House, Barrow St, Dublin 4, Ireland)

8. Data transmission

The Data Controller does not transfer personal data to any other recipient. No data is transferred to an EEA state, a third country or an organisation. Transfers will only be made on the basis of documented requirements under applicable law (e.g. on the basis of a request from a public authority or a court).

9. Access to data

Personal data may be accessed by the competent staff of the Data Controller to the extent necessary for the performance of their tasks.

10. Data security measures

The Data Controller shall take appropriate IT, technical and personnel measures to protect the personal data it processes against, inter alia, unauthorised access or unauthorised alteration.

11. Data Subjects’ rights in relation to data processing and their content

 

About data management

Right of access

Content of the Data Subject’s right in relation to data processing
Right to information

/Articles 13-14 of the GDPR/

You have the right to be informed of the fact and purposes of the processing at the time of obtaining your personal data. The Controller will also provide you with such additional information as is necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. You shall also be informed of the fact of profiling and its consequences.
Right of access

/Article 15 of the GDPR/

You have the right to request information from as to whether or not your personal data is being processed and, if such processing is taking place, you have the right to be informed that the Data Controller:

  • what personal data
  • on what legal basis
  • for what processing purpose
  • how long it treats 
  • to whom, when, under which law, to which personal data, to whom you have given access or to whom you have transferred your personal data
  • the source of your personal data (if not provided by you to the Data Controller)
  • whether it uses automated decision-making and its logic, including profiling.
Right to rectification

/Article 16 of the GDPR/

You have the right to have inaccurate personal data concerning you corrected or incomplete personal data completed by the Data Controller at your request. You may therefore request that the Controller amend any of your personal data (for example, you may change your e-mail address or other contact details at any time).
Right to erasure (“right to be forgotten”)

/Article 17 of the GDPR/

You have the right to have your personal data deleted by the Data Controller at your request if one of the following grounds applies: 

  • your personal data are no longer necessary for the purposes for which they were collected or otherwise processed 
  • you withdraw your consent on the basis of which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing
  • you object to processing on the basis of Article 21(1) and there is no overriding legitimate ground for processing, or you object to processing on the basis of Article 21(2)
  • your personal data have been unlawfully processed
  • your personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the Data Controller is subject
  • your personal data have been collected in connection with the provision of information society services referred to in Article 8(1).
Right to restriction

/Article 18 of the GDPR/

You have the right to have the Controller restrict the processing of your personal data at your request if one of the following grounds applies: 

  • You contest the accuracy of your personal data (in which case the limitation applies for the period of time that allows the Controller to verify the accuracy of the personal data)
  • the processing is unlawful and you oppose the erasure of the data and instead request the restriction of their use
  • the Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of a legal claim

You have objected to the processing pursuant to Article 21(1) (in which case the restriction applies for the period until it is determined whether the legitimate grounds of the Controller prevail over your legitimate grounds).

Right to data portability

/Article 20 of the GDPR/

You have the right to receive personal data concerning you which you have provided to a Data Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another Data Controller without hindrance from the Data Controller to which you have provided the personal data, if:

  • the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a), or on a contract within the meaning of Article 6(1)(b), and 
  • the processing is carried out by automated means.

You have the right to request, where technically feasible, the direct transfer of your personal data between Data Controllers.

Right to object

/Article 21 of the GDPR/

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f), including profiling based on those provisions. In such a case, the Controller may no longer process your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for these purposes, including profiling, where it is related to direct marketing.

Right to withdraw consent

/Article 7(3) GDPR/

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal. You must be informed of this before consent is given. The withdrawal of consent shall be made possible in the same simple manner as the granting of consent.

 

12. Data subject’s rights of redress in relation to data processing and their content

 

Legal remedies Content of the remedy
Right to complain to the Supervisory Authority

/Article 77 of the GDPR/

If your right to the protection of your personal data is infringed, you may lodge a complaint with the following Authority:

National Authority for Data Protection and Freedom of Information 

head office: 1055 Budapest, Falk Miksa utca 9-11.

mailing address: 1363 Budapest, Pf. 9.

phone: +36 (1) 391-1400

email: ugyfelszolgalat@naih.hu   

Website: www.naih.hu 

The right to an effective judicial remedy against the Controller or the Processor (initiation of legal proceedings)

/Article 79 of the GDPR/

You have the right to take legal action against the Controller or Processor if you consider that the processing of your personal data is unlawful. The court will decide the case out of turn. In such a case, you are free to decide whether to bring your action before the competent court in your place of residence or domicile. The courts can be contacted at: www.birosag.hu/torvenyszekek

13. Update of the Privacy Notice

The Data Controller reserves the right to unilaterally amend this Privacy Notice. In particular, this Privacy Notice may be amended if necessary due to changes in legislation, data protection authority practices, business needs or other circumstances. At the Data Subject’s request, the Controller shall send him a copy of the current version of the Privacy Notice in the form agreed with him.

Balatonföldvár, 18 March 2024.