Privacy Policy

  1. Identity of the data controller and general framework of data processing

The website www.bdpstgroup.hu is operated by BDPST Zártkörűen Működő Részvénytársaság (registered office: 1026 Budapest, Pasaréti út 122–124; hereinafter: “Data Controller”).

The Data Controller, as the operator of the website and the data controller in respect of the data processing activities set out in this notice, is committed to the protection of personal data, and pays particular attention to ensuring that the processing of data subjects’ personal data complies in all respects with applicable legislation, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR), as well as Hungarian legislation on the right to self-determination in relation to information and freedom of information.

The purpose of this privacy notice is to provide detailed and transparent information to visitors to the website and to natural persons who contact the Data Controller (hereinafter: “data subjects”) regarding the circumstances of the processing of personal data. In this context, the notice describes in particular the purpose of data processing, the legal basis, the scope of the data processed, the duration of data processing, the cases of data transfer, as well as the rights of data subjects and the manner in which they may exercise those rights.

The Data Controller processes personal data in all cases in accordance with the principles of purpose limitation and data minimisation, meaning that it collects and uses only such data as is necessary and proportionate to achieving the specific purpose of data processing. During data processing, the Data Controller ensures that the processing of personal data is lawful, fair and transparent to data subjects.

The Data Controller draws attention to the fact that various data processing activities may take place during the use of the website, in particular:

  • data processing related to contact requests,
  • the processing of job applications,
  • and technical data processing related to the operation of the website (e.g. the use of cookies).

The detailed rules governing each type of data processing are set out in the subsequent sections of this notice.

When processing personal data, the Data Controller endeavours to ensure that the rights of data subjects are not infringed and guarantees that data subjects may exercise their rights – including, in particular, the right of access, rectification, erasure and objection – within the framework set out in the legislation.

The Data Controller reserves the right to unilaterally amend this privacy notice, in particular in the event of changes to legislation or changes to data processing practices. Amendments shall take effect upon publication on the website.

  1. Principles of data processing

When processing personal data, the Data Controller shall in all cases act in accordance with the principles set out in Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR) and shall ensure that its data processing practices are carried out in accordance with these principles.

The Data Controller processes personal data lawfully, fairly and in a manner that is transparent to data subjects. In this context, the Data Controller ensures that data subjects are provided with all relevant information regarding the processing of their personal data, in particular the purpose, legal basis and duration of the processing, as well as their rights and the means of exercising them.

The Data Controller ensures that personal data is collected solely for specified, explicit and legitimate purposes, and that it is not processed in a manner incompatible with those purposes. Data processing is always purpose-limited, and the Data Controller endeavours to ensure that the scope of the data processed is restricted to the minimum necessary.

In accordance with the principle of data minimisation, the Data Controller processes only such personal data as is essential for achieving the specific purpose of data processing, and does not process such data to a greater extent than is necessary. Accordingly, the Data Controller continuously reviews its data processing practices to ensure that the scope of the data processed does not exceed what is necessary.

The Data Controller pays particular attention to ensuring that the personal data processed are accurate and – where necessary in view of the purpose of the data processing – kept up to date. To this end, it takes all reasonable measures to ensure that inaccurate or outdated personal data are rectified or erased without delay.

The Data Controller shall process personal data only for as long as is necessary to achieve the purpose of the processing. In all cases, the duration of the processing shall be aligned with the specific purpose of the processing, and the Data Controller shall ensure that personal data are erased or anonymised where their further processing is no longer justified.

When processing personal data, the Data Controller shall implement appropriate technical and organisational measures to ensure the security of the data, in particular to protect against unauthorised or unlawful processing, accidental loss, destruction or damage. In this context, the Data Controller shall ensure, amongst other things, the appropriate regulation of access, the protection of IT systems and the preservation of the confidentiality of the data processed.

The Data Controller assumes responsibility for ensuring that its data processing activities comply with the above principles and is able to demonstrate such compliance (principle of accountability). To this end, the Data Controller applies internal policies, procedures and control mechanisms, and continuously reviews its data processing practices.

The Data Controller endeavours to ensure that the protection of personal data is incorporated into its data processing activities at the design stage (data protection by design) and by default (data protection by default), thereby ensuring a high level of protection of data subjects’ rights.

  1. Data processing in connection with contacting us

The website provides visitors with the opportunity to contact the Data Controller, in particular via the contact form available on the website or the email addresses provided there.

When contacting us, the data subject voluntarily provides the personal data necessary to respond to the enquiry. In this context, the Data Controller processes the enquirer’s name, email address and any other personal data provided in the message.

The purpose of data processing is to receive, process and respond to incoming enquiries, as well as to maintain contact with the data subject. Data processing is always initiated by the data subject and takes place exclusively in connection with the content of the enquiry.

The legal basis for data processing is the data subject’s consent pursuant to Article 6(1)(a) of the GDPR. When contacting us, the data subject expressly consents – by ticking the appropriate box – to the Data Controller processing the personal data provided for the purposes of responding to the enquiry and maintaining contact. The data subject has the right to withdraw their consent at any time; however, this does not affect the lawfulness of data processing prior to withdrawal. In the event of withdrawal of consent, the Data Controller shall erase the personal data without delay, unless further processing is necessary to comply with a legal obligation.

The Data Controller shall make the personal data provided during the contact process available exclusively to those employees or agents who are involved in handling the enquiry and for whom knowledge of the data is necessary to perform their duties.

As a general rule, the Data Controller does not transfer personal data to third parties, unless the nature of the enquiry justifies this (for example, if the matter in question falls within the remit of another company within the group). In such cases, the Data Controller may transfer the data to the relevant member company of the BDPST Group in order to handle the enquiry in accordance with the provisions of this Privacy Notice and applicable data protection laws.

The Data Controller shall retain the personal data provided during the initial contact for a maximum of 6 months following the closure of the enquiry. Should the initial contact lead to the conclusion of a contract, data processing shall thereafter be governed by the data processing rules applicable to the relevant legal relationship.

In connection with the processing of the personal data provided during the initial contact, the data subject is entitled to request information from the Data Controller, request the rectification or erasure of their data, and object to the processing of their data in accordance with the conditions set out in the legislation.

The Data Controller draws attention to the fact that the data subject must provide only their own personal data when making contact. If the data subject provides the data of a third party, they are obliged to ensure that they have the appropriate legal basis for the data processing.

  1. Data processing in connection with job applications

Via the website, data subjects have the opportunity to submit their job applications electronically, by email, to the Data Controller. When submitting an application, the data subject voluntarily provides the personal data required for the application.

Given the specific operational characteristics of the BDPST Group, incoming applications are received and processed by the central HR function within the Data Controller. During the selection process, application materials may – depending on the nature of the position – be forwarded to those subsidiaries of the BDPST Group which act as employers in relation to the position in question or are involved in the selection process.

Such data transfers are necessary for the operation of the group and serve to select the appropriate candidate.

During the application process, the Data Controller may process the following personal data in particular: the applicant’s name, contact details (email address, telephone number), the information contained in the CV and cover letter, and any other information voluntarily provided by the applicant.

The purpose of data processing is to assess the applicant’s suitability, to conduct the selection process, and to maintain contact with the applicant.

The legal basis for data processing is Article 6(1)(b) of the GDPR, i.e. taking steps at the request of the data subject prior to entering into an employment relationship. Should the Data Controller wish to retain the application documents even after the selection process has been concluded for the purpose of notifying the applicant of future job opportunities, the legal basis for data processing under is the data subject’s consent pursuant to Article 6(1)(a) of the GDPR.

The Data Controller processes personal data until the selection process is completed. If the data subject consents to further data processing, the Data Controller will retain the data for a maximum of 12 months.

The Data Controller ensures that access to application materials is restricted to those persons involved in the selection process and for whom knowledge of the data is necessary to perform their duties.

The data subject is entitled to request the erasure of their personal data at any time following the submission of the application.

The Data Controller draws attention to the fact that the applicant must provide only their own personal data during the application process. If the application contains the data of a third party, the applicant is obliged to ensure that the data processing is carried out on a lawful basis.

  1. Management of cookies

The www.bdpstgroup.hu website uses cookies and similar technologies to ensure proper functioning, improve the user experience and compile statistical analyses.

Cookies are small data files that are placed on the user’s device when visiting the website, and which enable the user’s device to be recognised, as well as the storage and retrieval of certain information.

5.1. Types and purposes of cookies

The Data Controller may use the following types of cookies on the website:

  1. a) Essential cookies

These cookies are essential for ensuring the basic functions of the website, such as secure operation, network communication and the preservation of user settings.

Without these cookies, the website cannot function properly.

  1. b) Statistical (analytical) cookies

The Data Controller may use cookies for statistical purposes to collect information on how visitors use the website (for example, which pages they visit, how much time they spend on the site, and what errors occur).

This information helps the Data Controller to develop the website and improve the user experience.

5.2. Legal basis for the use of cookies

The legal basis for the use of cookies necessary for the operation of the website is the Data Controller’s legitimate interest pursuant to Article 6(1)(f) of the GDPR, which relates to ensuring the secure and proper functioning of the website.

The use of cookies for statistical purposes takes place exclusively on the basis of the data subject’s prior and explicit consent, in accordance with Article 6(1)(a) of the GDPR.

The data subject may decide on the use of non-essential cookies via the cookie management interface (cookie banner) that appears on their first visit to the website.

5.3. Cookies used by third parties

Services provided by third parties may be used on the website, in particular for statistical analysis purposes (e.g. Google Analytics).

These service providers may place their own cookies on the user’s device and process the collected data in accordance with their own privacy policies. The Data Controller endeavours to use only service providers that offer adequate data protection safeguards.

5.4. Managing and deleting cookies

The user is entitled to restrict or disable the use of cookies in their browser settings, as well as to delete previously placed cookies.

Most browsers allow the user to:

  • receive a notification when cookies are placed,
  • prevent their automatic acceptance,
  • or delete previously stored cookies.

Please note that if certain cookies are disabled, some features of the website may not function properly.

5.5. Withdrawal of consent

The data subject is entitled to withdraw their consent to the use of statistical cookies at any time via the cookie management interface. Withdrawal of consent does not affect the lawfulness of data processing prior to withdrawal.

  1. Use of data processors and data transfer

In the course of processing personal data, the Data Controller may, in certain cases, engage external service providers (hereinafter: “data processors”) for the purpose of carrying out its activities.

Data processors act on behalf of and in accordance with the instructions of the Data Controller, and may process personal data solely for the purposes and in the manner specified by the Data Controller. The Data Controller, , ensures in all cases that contracts concluded with data processors comply with the requirements of the relevant data protection legislation and ensure an adequate level of protection for personal data.

In particular, the Data Controller uses the following types of data processors:

  • IT and system operation service providers (e.g. hosting services, server operation): SMBInfo Kft., registered office: 1076 Budapest, Péterfy Sándor utca 7.
  • email service providers: Microsoft Ireland Operations Ltd. (registered office: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland)
  • Service provider for website development and maintenance: Busai Gábor e.v. (registered office: 2151 Fót, Ybl Miklós utca 15.)

Data subjects may request information regarding the current list of data processors via the Data Controller’s contact details.

6.1. Data transfer within the BDPST Group

Due to the nature of the BDPST Group’s operations, the Data Controller is entitled to transfer personal data to other companies within the Group, provided that this is necessary to achieve the specific data processing purpose.

In particular, such data transfers may occur:

  • in the case of job applications, to subsidiaries involved in the selection process,
  • in the case of enquiries, if, based on the content of the enquiry, the matter falls within the remit of another group member.

The legal basis for such data transfers is aligned with the specific data processing purpose (in particular, taking steps prior to entering into a contract or the data subject’s consent).

The Data Controller ensures that data transfers within the group are always limited to the extent necessary, and that the data is only made available to those organisational units for which the processing of the data is necessary for the performance of their duties.

6.2. Data transfer to third parties

As a general rule, the Data Controller does not transfer personal data to third parties, except:

  • where the data subject has given their explicit consent,
  • where the transfer of data is necessary to comply with a legal obligation,
  • or if the data transfer is necessary for the Data Controller to exercise its rights or fulfil its obligations.

The Data Controller shall in all cases ensure that the data transfer is carried out on an appropriate legal basis and does not infringe the rights of the data subjects.

6.3. Data transfer to a third country

As a general rule, the Data Controller does not transfer personal data to countries outside the European Economic Area (third countries).

However, should such data transfers occur during the use of certain services on the website (in particular analytical tools), the Data Controller ensures that the data transfer takes place in accordance with the provisions of the GDPR and with appropriate safeguards, in particular through the use of standard contractual clauses adopted by the European Commission.

  1. Data Security

When processing personal data, the Data Controller pays particular attention to ensuring data security and takes all necessary technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, erasure or destruction, as well as accidental loss or damage.

In the course of data processing, the Data Controller shall employ IT and organisational solutions that ensure the confidentiality, integrity and availability of personal data.

In this context, the Data Controller applies the following measures in particular:

  • access to personal data is restricted to authorised levels,
  • access is logged and monitored,
  • IT systems are equipped with appropriate security measures (e.g. firewalls, virus protection),
  • data is transferred using appropriate security protocols (e.g. encrypted communication),
  • data backup and recovery are ensured,
  • the Data Controller ensures that employees are adequately aware of and trained in data protection.

When processing personal data, the Data Controller takes into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of data subjects, and determines the data security measures to be applied accordingly.

The Data Controller shall ensure that any data processors it engages also implement appropriate technical and organisational measures to protect personal data.

  1. Rights of data subjects and the exercise thereof

The data subject has the right to receive confirmation from the Data Controller as to whether their personal data is being processed, and if such processing is taking place, they have the right to access their personal data and information relating to the processing.

The data subject has the right to request the rectification of inaccurate personal data concerning them, as well as the completion of incomplete data.

The data subject is also entitled to request the erasure of their personal data if:

  • the personal data are no longer necessary for the purposes for which they were collected or processed,
  • the legal basis for the processing is the data subject’s consent and the data subject withdraws it,
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing,
  • the processing of personal data is unlawful,
  • the personal data must be erased to comply with a legal obligation.

The data subject has the right to request the restriction of processing where:

  • they contest the accuracy of the personal data (for the period necessary to verify the accuracy),
  • the processing is unlawful, but the data subject objects to the erasure of the data,
  • the Data Controller no longer needs the personal data, but the data subject requires it for the establishment, exercise or defence of legal claims,
  • the data subject has objected to the processing of the data (until a balancing of interests has been carried out).

The data subject has the right to receive the personal data concerning him or her, which he or she has provided to the Data Controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another data controller (right to data portability), provided that the legal basis for the processing is consent or a contract, and the processing is carried out by automated means.

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data, where the legal basis for the processing is the legitimate interests of the Data Controller. In this case, the Data Controller shall no longer process the personal data, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

Where the processing is based on the data subject’s consent, the data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

8.1 Exercising the data subject’s rights

The data subject may exercise the above rights by contacting the Data Controller, in particular in writing or by electronic means.

The Data Controller shall examine the data subject’s request without undue delay, but no later than one month from receipt of the request, and shall inform the data subject of its decision. If necessary – taking into account the complexity of the request and the number of requests – this time limit may be extended by a further two months, in which case the Data Controller shall inform the data subject, stating the reasons for the delay.

If the Data Controller does not take action in response to the data subject’s request, it shall inform the data subject without delay, but no later than within one month, of the reasons for the failure to act, as well as of the fact that the data subject may lodge a complaint with the supervisory authority or seek judicial remedy.

As a general rule, the Data Controller shall comply with requests free of charge. Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Data Controller is entitled to charge a reasonable fee or to refuse to comply with the request.

  1. Remedies

The data subject has the right to lodge a complaint with a supervisory authority regarding the processing of their personal data, in particular in the Member State where they have their habitual residence, place of work or where the alleged infringement occurred.

In Hungary, the competent supervisory authority is:

National Authority for Data Protection and Freedom of Information (NAIH)

Registered office: 1055 Budapest, Falk Miksa Street 9–11.

Postal address: 1363 Budapest, PO Box 9.

Telephone: +36 (1) 391-1400

Email: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu

The data subject is also entitled to bring a claim before a court in the event of a breach of their rights relating to the protection of their personal data. The adjudication of the claim falls within the jurisdiction of the court, and the data subject may, at their discretion, initiate proceedings before the court of their place of residence or habitual residence.

However, the Data Controller recommends that the data subject should, in the first instance, address their complaint directly to the Data Controller, so that any questions or issues can be resolved quickly and effectively.