INFORMATION ON DATA PROCESSING

 

 

1. Purpose of the Document

2. Controller’s data

3. Description of the data processing procedure

4. Rights of the data subjects

5. Obligation related to notifications and measures

6. Miscellaneous provisions

 

1. Purpose of the Document

 

Computer Partner Kft. (hereafter referred to as the "Controller"), in order to comply with Article 12 of the Regulation (EU) 2016/679 of the European Parliament and of the Council applicable from May 25th, 2018 (hereinafter referred to as: GDPR), and Section 20 of the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereafter referred to as "Privacy Act"), takes measures to provide natural persons (hereinafter referred to as "data subjects") involved in the processing of personal data with all relevant information in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner and to assist the data subjects in exercising their rights under Article 4.

This Document contains expressly relevant information for the data subjects, whose personal data is processed by the Controller in connection with their project application processes.

 

2. Controller’s data

 

Name: Computer Partner Kft.

Principal place of business: H-1118 Budapest, Brassó út 169-179/A.

Company registration number: 01-09-064272

Tax number: 10317565-2-43

E-mail address: info@computer-partner.hu

Bank account number: 10950009-00000002-50330104

Registration authority: Ministry of Justice, Company Information and Electronic Company Procedures Intermediary Service

Data Protection Officer contact details: István Legeza, email: legeza@computer-partner.hu, phone: +36 1 309 0512

3. Description of the data processing procedure

 

3.1. The name of the process: project bid

 

-          The purpose of the process: to acquire a particular software development project in a bid or to participate in the project.

-          Within the organization, the process is used by the managing director and the HR assistant.

-          The Controller announces the development project on its website and other websites, and expects applications from professional candidates. The data subject applies via email, indicates that he or she is interested in the job opportunity, and provides his or her name, contact details and professional profile (possibly also a photo). If he or she is not interested in the given job, he or she can apply for another job that suits his or her knowledge and, of course, provide his or her personal data in the same way. The HR assistant records the data in the Outlook database. If the candidate also applies for the job, the HR assistant or the managing director will attach the professional profile of the interested person by indicating his or her name, but no further personal data will be disclosed. If an agreement is concluded, the contact details are disclosed for the purposes of the performance of the agreement.

 

3.2. Data processing

 

-          Data processing related decisions are always made by the data subject. By applying for the job, he or she gives consent to disclose his or her name and professional profile to the Customer.

-          In fact, the data processing procedure means a query in the database. In case of a match, an email will be sent to the data subject if he or she is interested in the job opportunity. By his or her positive response, he or she authorizes the disclosure of his or her name and professional profile to the Customer.

-          The professional experience of the data subject is being processed, which shows whether the data subject will be able to perform the job. If we consider the data subject suitable for the job, we will offer him or her the development position by email.

-          The purpose of data processing is to enable the Controller to conclude an agreement for the job offered by the Customer.

-          Manual data processing is performed.

-          The Controller acquires the data subject's personal data by sending out an email.

 

3.3. Access to the procedure

 

-          The data of the data subjects is accessible for the managing director and the HR assistant.

-          Apart from the controller, no other organization, third party, contractual partner or authority has access rights to the data.

 

3.4. Data Transmission, Transfer of Data

 

-          During the process, data is transferred to our Customers.

-          Only the name and the professional profile are forwarded.

-          The purpose of the transmission is to win the project by proving the competency of the data subject.

-          No preliminary agreement has been concluded. The end of the process may of course be an employee or a subcontractor agreement for the data subject.

-          Data may be forwarded to EU and non-EU countries, but EU countries are more common destinations.

-          The frequency is case-specific. The Controller sends out 10 to 20 notifications a day; however, feedback rarely arrives. In the negative case, data subjects do not answer.

-          Being a small company, we do not record the authorization. IT professionals work at another location, and their computers do not have access to the database stored in the cloud.

 

3.5. Data store (storage location, deletion)

 

-          The data is stored in the Microsoft cloud. The Controller concluded an agreement with Microsoft for the cloud service (Microsoft Exchange Server and Microsoft Office). Therefore, we do not have a physical server.

-          Neither provision nor deletion of data is possible on our website. Data subjects receive data via email and they can request the deletion of their data via email as well.

-          There is no deletion deadline. Sometimes the contact details (email, phone number) are changed and the data subject becomes unavailable for us, which results in the deletion of the data subjects’ data from our database.

 

3.6. Security measures

 

-          No technical security measures are expected (Article 32 of the GDPR).

Microsoft's cloud service includes data security, which may be better than the firewall of a private server. Computer access to Microsoft cloud is restricted to the Controller’s workstations.

 

-          Since the managing director of the Controller and the HR assistant work separately from the IT professionals, developers' computers are not authorized to sign in to the cloud. The names and profiles attached to the applications together with other information (e.g. price, possible start date, etc.) are recorded in the database so that they can be retrieved. Other organizational security measures are not expected (Article 32 of the GDPR).

 

3.7. Legal basis

 

a)       Your consent will be requested by email when you are notified of the job. This is how the personal data of the data subjects is recorded in our database.

b)      An employee or subcontractor agreement concluded with the data subject establishes a legal basis for the storage of personal data. In fact, in the case of an employee agreement, the scope of the stored data is expanded.

c)       Compliance with Controller's legal obligation: employees’ personal and income data shall be sent to the National Tax and Customs Administration [NTCA].

 

3.8. Notifying the data subject

 

The data subjects may be notified from two sources:

-          There is a "Data security" button on the home page of our website. By clicking the Privacy button, one can read the “Data protection and data processing policy” and the “Information on data processing” which serve the purpose of informing the data subjects.

 

-          A short description on data processing is included under the signature in our letters sent to the data subjects, which contains a link to the detailed data processing information published on our website.

 

4. Rights of the data subjects

 

4.1.  Access right

 

Before we process any data, we will send an email to the data subject concerning the offered project participation and data will be provided to us in response by him or her. The obtained data is compared with the stored data and is updated if necessary. Because the data subject cannot provide, modify, or retrieve data on our website, he or she can request the data stored via email and it will be provided via email as well. For example, if you have lost your profile, but you know that we have it, you can request it from us.

 

4.2.  Right to amendment

 

As we always contact the data subjects via email, we automatically receive their latest data (contact information, professional profiles) in the reply. We always compare the data received with the data in our system and keep our database up-to-date. Regardless of their business operations, data subjects notify us of data modifications if they have moved or their phone number or email address has changed.

 

4.3.  Right of deletion

 

Upon request, personal data relating to the data subjects will be deleted without undue delay if:

 

-          the personal data is no longer needed for the purpose for which it was collected or otherwise processed;

 

-          the data subject has withdrawn his or her consent to data processing and there is no other legal basis for data processing;

 

-          the data subject protests against data processing;

 

-          we processed personal data unlawfully.

 

If we have previously disclosed the personal data to be deleted (e.g. to our Customers), we will take all reasonably expected measures in order to inform the controllers - in case of a specific request received from you - of your request to delete any links to personal data or copies or duplicates thereof.

 

4.4.  Right to restrict data processing

 

Upon request, we restrict data processing if one of the following is true:

-          you dispute the accuracy of your personal data;

 

-          data processing is illegal, and instead of deleting it, you request a restriction of your data processing;

 

-          we do not need to process your personal data, but you need them to enforce your rights;

 

-          you object to data processing pursuant to a public authority's power or a legitimate interest-based data processing.

 

4.5. Right to data migration

 

You have the right to obtain personal data provided by you to us in a widely used machine-readable format or you may forward them to another Controller.

 

4.6.  Automated decision making

 

We do not process your personal data or any part thereof in an automated way.

 

 

4.7.  Claims and complaints

 

You may enforce your rights at court under Act V of 2013 on the Civil Code and may, in accordance with the Privacy Act, turn to the National Authority for Data Protection and Freedom of Information and file a complaint (H-1125 Budapest, Erzsébet Szilágyi fasor 22/c; https://www.naih.hu/panaszuegyintezes-rendje.html, hereinafter referred to as NAIH).

 

5. Obligation related to notifications and measures

 

5.1.  Notification of recipients

 

Recipients to whom your personal data has been disclosed will always be notified of its correction, deletion, and data restriction, unless this proves impossible or requires disproportionate effort. We will inform you of these recipients upon request.

 

5.2.  Notification method and deadline

 

You will be informed in electronic form of any measures taken in connection with your claim under Section 4, no later than within one month upon the receipt of the claim, unless otherwise requested. This deadline may be extended by an additional two months, if necessary, with regard to the complexity and number of the claim(s). You will be informed of the extension of the deadline within one month upon receipt of the claim by indicating the reasons for it.

 

Oral information may be provided upon request, provided that you otherwise verify your identity.

 

If we do not take any measures based on your claim, we will notify you within one month upon the receipt of your claim and indicate the reasons for this, as well as notifying you that you can file a complaint with NAIH and exercise your right to judicial remedy.

 

5.3.  Monitoring

 

Exceptionally, if we have reasonable doubts about the identity of the natural person submitting the claim, we require further information needed to confirm his or her identity. This measure is necessary in order to facilitate the confidentiality of data processing, i.e. the prevention of unauthorized access to personal data as defined in Article 5, paragraph (1), item f) of the GDPR.

 

5.4.  Costs of information and measures

 

Information provided in case of claims under Article 4 and the measures taken based on it are provided free of charge.

 

If your application is clearly unjustified or excessive, in particular because of its repetitive nature, taking into consideration the administrative costs involved in the provision of the requested information or the requested measures, we charge a reasonable fee or refuse to take measures on the claim.

 

6. Miscellaneous provisions

 

6.1   During the performance of its tasks, the Controller cooperates with NAIH upon request.

 

6.2   The Controller shall ensure that this Policy is revised and updated as necessary.

 

6.3   If the Controller intends to perform further data processing for purposes other than the purpose for which it was collected, it informs the data subject and obtains his or her prior express consent or gives him or her the opportunity to prohibit the use of personal data.

 

6.4   The Controller is entitled to modify the content of the policy unilaterally; in this case, notification of the data subjects is required.

 

6.5   Issues not regulated in this Policy are governed by the provisions of Hungarian law on data protection, in particular the Privacy Act, and the provisions of GDPR applicable from May 25th, 2018.

 

Dated: Budapest, April 26th, 2018

Computer Partner Kft.