data protection notice.

a. for candidates.

SCOPE OF DATA PROCESSED

Personal data & purpose of data processing

• Name and other personal identification data (mother's name, date of birth, address): Identification of candidates, job placement (finding the optimal job and position for candidates; finding suitable candidates for job vacancies advertised by Randstad clients), registration in the Randstad job seeker database, maintaining contact with the Candidate, providing information on the assessment of applications for specific job offers, and notifying Candidates of further job opportunities.
• Email address: maintaining contact with the Candidate during the recruitment process, providing information about applications for specific job offers and their assessment, and, with separate consent, notifying the Candidate of further job opportunities after successful placement
• Telephone number: to keep in touch with the Candidate during the job placement process, to provide information about applications for specific job offers, their evaluation, and, with separate consent, to notify the Candidate of further job opportunities after successful placement
• citizenship and, in the case of foreign nationals, legal basis for residence: job placement (finding the optimal job and position for candidates; finding suitable candidates for job opportunities advertised by Randstad's clients)
• native language: job placement (assessment of job suitability)
• Candidate's previous and current place of work and employment details (professional experience, position held, business sector, field of activity, job title, length of employment): job placement (finding the optimal workplace and job for candidates; finding suitable candidates for job opportunities advertised by Randstad clients), assessment of job suitability and compatibility
• reference (name of the person providing the reference, telephone number, text of the reference): job placement (finding the optimal job and position for candidates; finding suitable candidates for job opportunities advertised by Randstad clients), assessment of job suitability
• education, training, language skills, computer skills: job placement (finding the best job and position for candidates; finding the right candidates for job openings advertised by Randstad clients), assessing job suitability and qualifications
• type of driver's license: job placement (finding the optimal workplace and job for candidates; finding suitable candidates for job opportunities advertised by Randstad clients), assessment of job suitability and compatibility
• job search and workplace preferences (possible start date, place of work, position sought, field of work, motivating factors at work, salary requirements, benefits sought): job placement (finding the optimal workplace and job for candidates; finding suitable candidates for job opportunities advertised by Randstad clients)
• personality traits: job placement (finding the optimal workplace and job for candidates; finding suitable candidates for job opportunities advertised by Randstad clients), assessment of job suitability and compatibility
• Skill-related data: job placement (finding the optimal workplace and job for candidates; finding suitable candidates for job opportunities advertised by Randstad clients), assessment of job suitability and compatibility
• If the candidate participates in a competency assessment or interview during the job search process, the results of the assessment, interview notes, and the professional recommendation of Randstad consultants: job placement (finding the optimal job and position for candidates; finding suitable candidates for job opportunities advertised by Randstad clients), assessment of job suitability and compatibility
• Personal data voluntarily provided by the Candidate in their CV (e.g. photograph, professional strengths): job placement (finding the best job and position for candidates; finding suitable candidates for job openings advertised by Randstad clients), assessment of job suitability and compatibility
• Video recording of candidates applying for internal positions at Randstad: finding candidates who meet Randstad's own staffing needs, assessing their job suitability and compatibility, evaluating candidates' applications. Storage period: 3 months.

Legal basis for data processing

The legal basis for data processing is the voluntary and explicit consent of the candidates based on prior information, in accordance with Article 6(1)(a) of the Regulation. By registering in Randstad's candidate database or applying for a specific job vacancy, the Candidate confirms that they have fully read and understood this Data Protection Notice and accept the provisions contained therein as binding upon themselves, and voluntarily, informed and definite consent to Randstad processing the personal data voluntarily provided to it for the purposes specified in this Notice, within the framework of the Regulation and this Data Protection Notice.

In the course of providing its headhunting services, Randstad processes the personal data of Candidates obtained from professional databases for the purpose of establishing contact on the basis of Article 6(1)(f) of the Regulation and in the legitimate interests of Randstad or its clients.

In exceptional cases, data processing may also be based on the fact that it is necessary for the fulfillment of a legal obligation to which Randstad is subject.

Duration of data processing

Randstad will process the personal data of Candidates for a maximum of 4 years after registration in the candidate database, provided that Candidates may withdraw their consent to the processing of their data at any time. In such cases, Randstad will delete the Candidate's CV and all personal data from its candidate database.

3. DATA PROCESSING

Randstad uses data processors to perform certain technical (IT) operations on personal data. The data processors are as follows:

• Traffit sro, (registered office: Gdynia, Aleja Zwycięstwa 96/98, Poland) – activity: database management
• Google Inc. (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – activity: data storage, correspondence, hosting services
• Prozenda Hungary Kft. (registered office: 8000 Székesfehérvár, Móricz Zs. utca 82.) – activity: data filtering
• Amazon (registered office: 410 Terry Avenue North Seattle, Washington 98109-5210 USA) – activity: server and hosting provider
   

4. ACCESS TO DATA AND DATA SECURITY MEASURES, DATA TRANSFER

4.1. Access to data, data transfer

Personal data may be accessed by employees of Randstad and companies belonging to the Randstad group who need it to perform their duties. Personal data may be transferred to or made available to Randstad's clients who use Randstad's recruitment or headhunting services, i.e. who offer potential job opportunities to Candidates, in the event that they apply for a specific job offer. Video interviews recorded in connection with internal positions may not be transferred to third parties, including Randstad's clients, nor will they be made available to third parties. Randstad will inform the Candidate in advance about the transfer of data and the making available of personal data. Randstad's client, i.e. the Candidate's potential employer, is entitled to process the Candidate's personal data forwarded or made available by Randstad exclusively in connection with the job opportunity advertised by them, for the purpose of successfully completing the application process and only until the end of the selection process. Randstad's client can provide information about the conditions and circumstances of data processing.

In exceptional cases, it may be necessary to transfer personal data to countries outside the European Union where the level of protection of personal data is not guaranteed to the extent required by the European Union. However, such data transfers may only take place after the Candidate has been informed and has given their express consent.

4.2. Data security measures

The Data Controller shall take all necessary measures to ensure the security of the data and shall ensure an appropriate level of protection against unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction and damage. The Data Controller shall ensure the security of the data by appropriate technical and organizational measures.

The Data Controller shall select and operate the IT tools used for the processing of personal data in the course of providing the service in such a way that the data processed:

• is accessible to those authorized to do so (availability);
• its authenticity and verification is ensured (data processing authenticity);
• its integrity can be verified (data integrity);
• it is protected against unauthorized access (data confidentiality).

During data processing, the data controller shall preserve

• confidentiality: it shall protect the information so that only those who are authorized to access it can do so;
• integrity: it protects the accuracy and completeness of the information and the processing methods;
• availability: it ensures that when an authorized user needs it, they can actually access the desired information and that the related tools are available.
   

5. RIGHTS OF THE CANDIDATE

The Candidate may request information from Randstad in writing via the contact details provided in point 1, asking for information on:

• what personal data is being processed,
• on what legal basis,
• for what purpose,
• from what source,
• for how long,
• to whom, when, on what legal basis, and to which personal data the Data Controller has granted access or to whom it has transferred the personal data.

The Data Controller shall provide the information to the Candidate in a widely used electronic format, unless the Candidate requests it in writing on paper. Randstad does not provide verbal information over the phone.

Randstad shall provide the Candidate with a copy of their personal data (in person at the customer service office) free of charge on the first occasion. Randstad may charge a reasonable fee based on administrative costs for any additional copies requested by the Data Controller. If the Candidate requests a copy by electronic means, Randstad will provide the information to the Candidate by email in a widely used electronic format.

After receiving the information, if the Candidate does not agree with the data processing or the accuracy of the data processed, they may request the correction, supplementation or deletion of their personal data, or the restriction of its processing, or object to the processing of such personal data, or initiate the procedure specified in Section 6.

5.1. Right to rectification of personal data

Upon the Candidate's written request, the Data Controller shall, without undue delay, rectify any inaccurate personal data indicated by the Candidate in writing or in person, or complete any incomplete data with the content indicated by the Candidate. The Data Controller shall inform all recipients to whom the personal data have been disclosed of the rectification or supplementation, unless this proves impossible or involves a disproportionate effort. The Candidate shall be informed of the details of these recipients upon written request.
 

5.2. Right to restriction of processing

The Candidate may request the Data Controller in writing to restrict the processing of their data if

• the Candidate disputes the accuracy of the personal data, in which case the restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data;
• the processing is unlawful and the Candidate opposes the erasure of the data and requests the restriction of their use instead;
• the Data Controller no longer needs the personal data for the purposes of the processing, but the Candidate requests them for the establishment, exercise or defense of legal claims.

With the restriction, the Candidate's personal data may only be processed with the Candidate's consent or for the purpose of submitting, enforcing or defending legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. The Data Controller shall inform the Candidate whose data processing has been restricted at their request of the lifting of the restriction on data processing in advance.

5.3. Right to erasure (to be forgotten)

At the request of the Candidate, the Data Controller shall erase personal data concerning the Candidate without undue delay if one of the following grounds applies: i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Data Controller; ii) the Candidate withdraws the consent on which the processing is based and there is no other legal basis for the processing; iii) the personal data are unlawfully processed by the Data Controller.

The Candidate may not exercise his or her right to erasure if the processing is necessary i) for exercising the right of freedom of expression and information; ii) for reasons of public interest in the area of public health; iii) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the exercise of the right to erasure would render impossible or seriously impair the processing; or iv) for the establishment, exercise or defense of legal claims.

5.4. Right to data portability

The Candidate has the right to request that the data provided by him/her be provided in a machine-readable format. If technically feasible, they may request that the data be transferred to another data controller. In all cases, the right is limited to the data provided by the Candidate; other data cannot be transferred. (e.g. statistics, etc.)

The Candidate may request that the personal data concerning them found in the Data Controller's system be provided in a

• receive it in a structured, widely used, machine-readable format,
• transfer it to another data controller,
• request the direct transfer of the data to another data controller, if this is technically feasible in Randstad's system.

Randstad will only comply with requests for data portability upon written request by email or post. In order to comply with the request, Randstad must be satisfied that it is indeed the Candidate who is entitled to exercise this right. Within the scope of this right, the Candidate may request the portability of data that they have provided to Randstad themselves. Exercising this right does not automatically result in the deletion of the data from Randstad's systems, therefore the Candidate will continue to be registered in Randstad's systems even after exercising this right, unless they also request the deletion of their data.

5.5. Enforcement of the rights of a deceased Candidate by another person

Within five years of the Candidate's death, the rights to which the deceased was entitled during his or her lifetime, such as the right of access, rectification, erasure, restriction of processing and data portability, may be exercised by a person authorized by the deceased by means of an administrative provision, or in a public document or private document with full probative force, made at Randstad. If the deceased made several such statements at Randstad, the person named in the later statement may exercise these rights.

If the deceased did not make such a statement, the rights to which the deceased was entitled during his or her lifetime and specified in the previous paragraph may be exercised by his or her close relative as defined in the Civil Code within five years of the death of the person concerned (in the case of several close relatives, the close relative who first exercises this right shall be entitled to exercise the above rights).

Close relatives are defined in Section 8:1(1)(1) of the Civil Code as spouses, direct relatives, adopted children, stepchildren and foster children, adoptive parents, step-parents and foster parents, and siblings. The close relative of the deceased must prove:

• the fact and time of the death of the deceased with a death certificate or court decision, and
• their own identity – and, if necessary, their status as a close relative – with a public document.

The person exercising the rights of the deceased shall be entitled to the rights and subject to the obligations of the deceased during the exercise of those rights, in particular in proceedings against Randstad, the National Data Protection and Freedom of Information Authority, or before a court, in accordance with the Infotv. and the Decree.

The data controller shall, upon written request, inform the next of kin of the measures taken, unless the deceased expressly prohibited this in their statement.

5.6. Deadline for fulfilling the request

The Data Controller shall inform the Candidate of the measures taken without undue delay, but in any case within one month of receipt of any request pursuant to Sections 5.1-5.5. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months, but in this case Randstad shall inform the Candidate within one month of receipt of the request, indicating the reasons for the delay and that the Candidate may lodge a complaint with the supervisory authority and exercise his or her right to judicial remedy.

If the Candidate's request is clearly unfounded or excessive (in particular due to its repetitive nature), the Data Controller may charge a reasonable fee for complying with the request or refuse to take action on the request. The burden of proof shall lie with the Data Controller.

If the Candidate submitted the request electronically, the Data Controller shall provide the information electronically, unless the Candidate requests otherwise.

The Data Controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of data processing, unless this proves impossible or involves disproportionate effort. At the Candidate's request, Randstad shall inform the recipients of this information.

5.7. Compensation and damages

Any person who has suffered material or non-material damage as a result of a breach of the Regulation shall be entitled to compensation from Randstad or the data processor for the damage suffered. The data processor shall only be liable for damage caused by data processing if it has failed to comply with the obligations specifically imposed on data processors by law or if it has disregarded or acted contrary to Randstad's lawful instructions. The Data Controller or the data processor shall be exempt from liability if it proves that it is in no way responsible for the event causing the damage.

6. ENFORCEMENT OPTIONS

The Candidate may exercise his or her rights by sending a written request by email or post.

The Candidate cannot exercise his or her rights if Randstad proves that it is not in a position to identify the Candidate. If the Candidate's request is clearly unfounded or excessive (in particular due to its repetitive nature), the Data Controller may charge a reasonable fee for complying with the request or refuse to take action. The burden of proof lies with Randstad. If Randstad has doubts about the identity of the natural person submitting the request, it may request further information necessary to confirm the identity of the applicant.

The Candidate may, pursuant to Info.tv., the Regulation and the Civil Code (Act V of 2013)

a. to the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; https://www.naih.hu) or

b. enforce their rights in court. The lawsuit may be brought before the court of the Candidate's place of residence, at the Candidate's discretion (a list of courts and their contact details can be found at the following link: https://birosag.hu/torvenyszekek).

7. HANDLING OF DATA PROTECTION INCIDENTS

A data protection incident is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Randstad keeps a record for the purpose of monitoring measures taken in relation to data protection incidents, informing the supervisory authority and informing the Candidate, which includes the scope of personal data affected by the incident, the scope and number of data subjects, the time and circumstances of the incident, its effects and the measures taken to remedy it. In the event of an incident, the Data Controller shall, unless there is no risk to the rights and freedoms of natural persons, inform the Candidate and the supervisory authority of the data protection incident without undue delay, but within 72 hours at the latest.

8. OTHER PROVISIONS

The Data Controller reserves the right to unilaterally amend this Privacy Policy with prior notice on the website https://www.randstad.hu, in particular, but not exclusively, in the event of changes in the law. The amendments shall take effect on the date specified in the notification to the Candidate, unless the Candidate objects to the amendments.

If any person has provided the data of a third party in order to use Randstad's services and has caused any damage in any way, the Data Controller shall be entitled to claim compensation from that person.

Date of entry in force of this Data Protection Notice: February 5, 2020.

b. contact persons

2. SCOPE OF DATA PROCESSING, LEGAL BASIS, PURPOSE AND DURATION OF DATA PROCESSING

• Name of contact person: Identification of contact person, maintaining contact
• Email address: Maintaining contact with Randstad's clients and suppliers
• telephone number: Contacting Randstad clients and suppliers
• other personal data that may appear on business cards or in service or supplier contracts: Contacting Randstad clients and suppliers

Legal basis for data processing

The legal basis for data processing is Article 6(1)(b), (c) and (f) of the Regulation. Randstad processes the personal data of Contact Persons for reasons necessary to enforce its legitimate interests and because data processing is necessary for the performance of its legal obligations and the contracts it has concluded.

Duration of data processing

The personal data of Contact Persons will be processed for the duration of the legal relationship with the customer or supplier, until the expiry of the limitation period for the enforcement of rights and obligations arising from that legal relationship.

3. DATA PROCESSING

Randstad uses data processors to perform certain technical (IT) operations on personal data. The data processors are as follows:

• Traffit sro, (registered office: Gdynia, Aleja Zwycięstwa 96/98, Poland) – activity: database management
• Google Inc. (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – activity: correspondence, hosting services
• Amazon (registered office: 410 Terry Avenue North Seattle, Washington 98109-5210 USA) – activity: server and hosting provider
• ActiveCampaign LLC. (registered office: 1 North Dearborn Street, 5th Floor, Chicago, IL 60602) – activity: marketing communication

4. ACCESS TO DATA AND DATA SECURITY MEASURES, DATA TRANSFER

4.1. Access to data, data transfer

Personal data may be accessed by Randstad employees – and, in exceptional cases, subcontractors – who need it to perform their duties.

4.2. Data security measures

The Data Controller shall take all necessary measures to ensure the security of the data and shall ensure an appropriate level of protection against unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction and damage. The Data Controller shall ensure the security of the data by appropriate technical and organizational measures.

The Data Controller shall select and operate the IT tools used for the processing of personal data in the course of providing the service in such a way that the data processed:

• is accessible to those authorized to do so (availability);
• its authenticity and verification is ensured (data processing authenticity);
• its integrity can be verified (data integrity);
• it is protected against unauthorized access (data confidentiality).

During data processing, the data controller shall preserve

• confidentiality: it shall protect the information so that only those who are authorized to access it can do so;
• integrity: it protects the accuracy and completeness of the information and the processing methods;
• availability: it ensures that when an authorized user needs it, they can actually access the desired information and that the related tools are available.

5. RIGHTS OF CONTACT PERSONS

The contact person may request information from Randtad in writing via the contact details provided in point 1, requesting information on:

• what personal data
• on what legal basis
• for what data processing purposes
• from what sources
• for how long
• to whom, when, on what legal basis, and to which personal data the Data Controller has granted access or to whom it has transferred personal data.

The Data Controller shall provide the information to the Contact Person in a widely used electronic format, unless the Contact Person requests it in writing on paper. Randstad does not provide verbal information by telephone.

Randstad will provide the Contact Person with a copy of their personal data (in person at the customer service office) free of charge on the first occasion. Randstad may charge a reasonable fee based on administrative costs for any additional copies requested by the Data Controller. If the Contact Person requests a copy by electronic means, Randstad will provide the information to the Contact Person by email in a widely used electronic format.

After receiving the information, if the Contact Person does not agree with the data processing or the accuracy of the data processed, they may request the correction, supplementation, deletion or restriction of the personal data concerning them, or object to the processing of such personal data, as specified in Section 5. 5. Right to rectification of personal data

Upon written request from the Contact Person, the Data Controller shall, without undue delay and in accordance with the requirements of the applicable law, rectify any inaccurate personal data concerning the Contact Person.

Upon written request by the Contact Person, the Data Controller shall, without undue delay, correct any inaccurate personal data indicated by the Contact Person in writing or in person, or supplement any incomplete data with the content indicated by the Contact Person. The Data Controller shall inform all recipients to whom the personal data have been disclosed of the rectification or supplementation, unless this proves impossible or involves disproportionate effort. The Contact Person shall inform the recipients of the data if requested to do so in writing.

5.2. Right to restriction of processing

The Contact Person may request the Data Controller in writing to restrict the processing of their data if

• the Contact Person disputes the accuracy of the personal data, in which case the restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data
• the processing is unlawful and the Contact Person opposes the erasure of the personal data and requests the restriction of their use instead,
• the Data Controller no longer needs the personal data for the purposes of the processing, but the Contact Person requires them for the establishment, exercise or defense of legal claims,
• the Contact Person objects to the data processing: in this case, the restriction applies for a period until it is determined whether the Data Controller's legitimate grounds override those of the Contact Person.

With the restriction, the personal data of the Contact Person may only be processed, with the exception of storage, with the consent of the Contact Person or for the establishment, enforcement or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Data Controller shall inform the Contact Person whose data processing has been restricted at their request of the lifting of the restriction on data processing in advance.

5.3. Right to erasure (to be forgotten)

At the request of the Contact Person, the Data Controller shall erase personal data relating to the Contact Person without undue delay if one of the following grounds applies: i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Data Controller; ii) the Contact Person objects to the processing on grounds relating to his or her particular situation, and there are no legitimate grounds for the processing; iii) the Contact Person objects to the processing of personal data concerning him or her for direct marketing purposes; iv) the personal data have been unlawfully processed by the Data Controller.

The Contact Person may not exercise his or her right to erasure or to be forgotten if the processing is necessary i) for exercising the right of freedom of expression and information; ii) for reasons of public interest in the area of public health; iii) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the exercise of the right to erasure would render impossible or seriously impair the processing; or iv) for the establishment, exercise or defense of legal claims.

5.4. Right to data portability

The Contact Person has the right to request that the data provided to them be provided in a machine-readable format. If technically feasible, they may request that the data be transferred to another data controller. In all cases, the right is limited to the data provided by the Contact Person; other data cannot be transferred. (e.g. statistics, etc.)

The Contact Person shall receive the personal data relating to him/her in the Data Controller's system:

• in a structured, commonly used and machine-readable format
• may transfer it to another data controller,
• may request the direct transfer of the data to another data controller, if this is technically feasible in Randstad's system.

Randstad will only comply with requests for data portability upon written request by email or post. In order to comply with the request, Randstad must be satisfied that it is indeed the Contact Person who is entitled to exercise this right. Within the scope of this right, the Contact Person may request the portability of data that they themselves have provided to Randstad. Exercising this right does not automatically result in the deletion of the data from Randstad's systems, therefore the Contact Person will continue to be registered in Randstad's systems even after exercising this right, unless they also request the deletion of their data.

5.5. Objection to the processing of personal data

The contact person may object to the processing of their personal data by submitting a statement to the Data Controller if the legal basis for the processing is a legitimate interest pursuant to Article 6(1)(f) of the GDPR.

If the right to object is exercised, the Data Controller may no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. The Data Controller shall decide whether compelling legitimate grounds justify the processing. The Data Controller shall inform the Contact Person of its position in this regard.

The Contact Person may object in writing (by email or post) or, in the case of a newsletter, by clicking on the unsubscribe link in the newsletter.

5.6. Enforcement of the rights of the deceased Contact Person by another person

Within five years of the death of the Contact Person, the rights to which the deceased was entitled during his or her lifetime, such as the right of access, rectification, erasure, restriction of processing, data portability and objection, may be exercised by a person authorized by the deceased by means of an administrative provision, or in a public document or private document of full probative value, may be exercised by a person authorized by the deceased in a statement made to Randstad. If the deceased made several such statements to Randstad, the person named in the later statement may exercise these rights.

If the deceased did not make such a statement, the rights to which the deceased was entitled during his or her lifetime and specified in the previous paragraph may be exercised by his or her close relative as defined in the Civil Code within five years of the death of the Contact Person (in the case of several close relatives, the close relative who first exercises this right shall be entitled to exercise the above rights who exercises this right first).

Close relatives are defined in Section 8:1(1)(1) of the Civil Code as spouses, direct relatives, adopted children, stepchildren and foster children, adoptive parents, step-parents and foster parents, and siblings. The close relative of the deceased must prove:

• the fact and time of death of the deceased by means of a death certificate or court decision, and
• their own identity – and, if necessary, their status as a close relative – by means of a public document.

The person exercising the rights of the deceased shall be entitled to the rights and subject to the obligations of the deceased during the exercise of those rights, in particular in proceedings against Randstad, the National Data Protection and Freedom of Information Authority, or in court, in accordance with the Infotv. and the Decree.

The data controller shall, upon written request, inform the next of kin of the measures taken, unless the deceased expressly prohibited this in their statement.

5.7. Deadline for fulfilling the request

The data controller shall inform the contact person of the measures taken without undue delay, but in any case within one month of receipt of any request pursuant to points 5.1 to 5.5. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months, but in this case Randstad shall inform the Contact Person within one month of receipt of the request, stating the reasons for the delay and that the Contact Person may lodge a complaint with the supervisory authority and exercise their right to judicial remedy.

If the request of the Contact Person is clearly unfounded or excessive (in particular due to its repetitive nature), the Data Controller may charge a reasonable fee for complying with the request or refuse to take action on the request. The burden of proof shall lie with the Data Controller.

If the Contact Person submitted the request electronically, the Data Controller shall provide the information electronically, unless the Contact Person requests otherwise.

The Data Controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of data processing, unless this proves impossible or involves disproportionate effort. Randstad shall inform the Contact Person of these recipients upon request.

5.8. Compensation and damages

Any person who has suffered material or non-material damage as a result of a breach of the Regulation shall be entitled to compensation from Randstad or the data processor for the damage suffered. The data processor shall only be liable for damage caused by data processing if it has failed to comply with the obligations specifically imposed on data processors by law or if it has disregarded or acted contrary to Randstad's lawful instructions. The Data Controller or the data processor shall be exempt from liability if it proves that it is in no way responsible for the event causing the damage.

6. LEGAL REMEDIES

The Contact Person may exercise his or her rights by sending a written request by email or post.

The Contact Person may not exercise his or her rights if Randstad proves that it is not in a position to identify the Contact Person. If the request of the Contact Person is clearly unfounded or excessive (in particular due to its repetitive nature), the Data Controller may charge a reasonable fee for complying with the request or refuse to take action. The burden of proof lies with Randstad. If Randstad has doubts about the identity of the natural person submitting the request, it may request further information necessary to confirm the identity of the applicant.

The Contact Person may, pursuant to the Info.tv., the Regulation and the Civil Code (Act V of 2013)

1. contact the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; https://www.naih.hu) or
2. before a court of law. The lawsuit may also be brought before the court of the place of residence of the Contact Person, at the latter's discretion (a list of courts and their contact details is available at the following link: https://birosag.hu/torvenyszekek).
    

7. HANDLING OF DATA PROTECTION INCIDENTS

A data protection incident is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Randstad keeps a record for the purpose of monitoring measures taken in relation to data protection incidents, informing the supervisory authority and informing the Contact Person, which includes the scope of personal data affected by the incident, the scope and number of data subjects, the time and circumstances of the incident, its effects and the measures taken to remedy it. In the event of an incident, the Data Controller shall, unless there is no risk to the rights and freedoms of natural persons, inform the Contact Person and the supervisory authority of the data protection incident without undue delay, but in any case within 72 hours.

8. OTHER PROVISIONS

The Data Controller reserves the right to unilaterally amend this Privacy Policy with prior notice on the website www.randstad.hu, in particular, but not exclusively, in the event of changes in the law. The amendments shall take effect on the date specified in the notification to the Contact Person, unless the Contact Person objects to the amendments.

If any person has provided the data of a third party in order to use Randstad's services and has caused damage in any way, the Data Controller shall be entitled to claim compensation from that person.

Effective date of this Data Protection Notice: May 20, 2019.

c. website visitors

What personal data do we collect?

When you visit our website, we collect information about your device, browser, and your navigation on our website, such as:

• your device's IP address
• the IP address of your internet service provider
• your device's screen resolution
• device type (unique device identifiers)
• browser and operating system versions
• geographical location (country only)
• preferred language for display
• date and time of access to the website
• the internet address from which you came directly to our website
• the operating system you are using
• the parts of the website you visit
• the pages you visit and the information you view
• the hyperlinks you click on
• the material you send to or download from our website

If you decide to download our reports or recommendations, or subscribe to our newsletters, events, and notifications, we may ask you to fill out a form with information such as your name, email address, job title, and company. From the moment you perform any of the above actions, we can link the information listed above directly to you from your device, browser, and how you navigate our website.

Why do we need your personal data?

Randstad processes your personal data only for the purposes specified below:

- For website management and system administration purposes (e.g. to diagnose technical problems, analyze traffic on our website): based on the following legal basis: (a) our legitimate interest in managing our website and our marketing and communication strategy; and/or

(b) If (a) is not possible because it is required by local mandatory law, this may only be based on consent in those limited cases.

- In the case or web analytics, to optimize the user experience (analyzing the traffic on our websites, analyzing trends, observing and measuring how our visitors interact with our website) and to optimize the quality of the content provided to you (e.g., job advertisements): based on the following legal basis: (a) Our legitimate interest in improving our website, marketing and communication strategy; and/or

(b) If (a) is not possible because it is required by local mandatory law, it may only be based on consent in limited cases.

- If you decide to download our reports or recommendations, or subscribe to news, events and alerts, or fill out web forms, we will use the information you provide to send you the requested content, to communicate with you (including, if you agree, to send you related information that may be of interest to you) and to improve our marketing and communication strategy: Randstad may send you white papers, newsletters, events, and alerts if you have consented to receive them. If you are no longer interested in receiving these Randstad messages, you can unsubscribe from receiving such messages at any time.

- To handle specific requests: (a) based on our legitimate interest in improving our website, marketing and communication strategy; (b) if (a) is not possible because local mandatory law requires it, this may only be based on consent in those limited cases.

- Cooperation with law enforcement authorities/courts, handling legal disputes/claims: Processing is necessary for the legitimate interests pursued by Randstad, including the protection of the company's assets, the protection of its legal interests, and the handling of legal claims/disputes;

d. cookies

You can find more information about the cookies we use, the purpose of using cookies, and further settings for configuring or deleting cookies in our cookie policy.

e. data processing for marketing purposes

DATA PROCESSING INFORMATION

For newsletter subscribers

RANDSTAD Hungary Kft. (registered office: 1134 Budapest, Dózsa György út 146-148., Green Court Office, Building A, 3rd floor, company registration number: 01-09-729305, hereinafter referred to as "Randstad") pays special attention to the personal data of persons who subscribe to its newsletter service. The protection of natural persons with regard to the processing of personal data and on the free movement of such data, and of the Repealing of Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "Regulation"), Act CXII of 2011 on the right to self-determination in relation to information and on freedom of information, and other applicable legal provisions. and other applicable laws.

The terms used in this privacy policy shall be interpreted in accordance with the definitions set out in the GDPR.

The purpose of this data protection notice (hereinafter referred to as the "Notice" or "Data Protection Notice") is to provide information to subscribers to the newsletter about the data processing practices applied by Randstad when processing their personal data. Randstad acknowledges this Notice and its contents as binding upon itself, respecting the privacy rights and self-determination rights of natural persons who use the Services in any way and of subscribers to the newsletter.

Subscribers to the newsletter use the Data Controller's services on their own behalf. In other cases, the subscriber is responsible for ensuring that they have obtained the consent of third parties for the processing of personal data provided or made available to them. The subscriber is responsible for the content provided or shared by the subscriber and for the authenticity, adequacy and accuracy of the personal data. Randstad accepts no responsibility for any consequences arising from incomplete data or incorrectly provided data, and Randstad expressly excludes any liability in this regard.

The subscriber is entitled to withdraw their consent to data processing in whole or in part by sending a written notification to Randstad or to request the deletion of their data by sending an email to helpdesk@randstad.hu.

1. IDENTITY AND CONTACT DETAILS OF THE DATA CONTROLLER

Name: Randstad Hungary Personnel Agency and Service Provider Limited Liability Company

Registered office: 1024 Budapest, Lövőház utca 39. 2. em.

Company registration number: Cg. 01-09-729305

Telephone number: +36 1 4112090

Email address: helpdesk@randstad.hu

Website: https://www.randstad.hu

Data protection officer of the data controller: Dr. Dénes Aparácz

Contact details of the data controller: dpo@randstad.hu

Hereinafter referred to as "Randstad" or "Data Controller"
 

2. SCOPE OF DATA PROCESSED, LEGAL BASIS, PURPOSE AND DURATION OF DATA PROCESSING

SCOPE OF DATA PROCESSED

Subscriber's name and email address: Identification of the subscriber, sending Randstad newsletters, maintaining contact for the purpose of sending newsletters

Legal basis for data processing

The legal basis for data processing is the voluntary and explicit consent of newsletter subscribers based on prior information, in accordance with Article 6(1)(a) of the Regulation. By subscribing to the newsletter, the subscriber confirms that they have fully read and understood this Privacy Policy, accept the provisions contained therein as binding, and voluntarily, knowingly, and decisively consents to Randstad processing the personal data voluntarily provided to it for the purposes specified in this Notice, within the framework of the Regulation and this Data Protection Notice.

Duration of data processing

The Data Controller shall retain the personal data of subscribers for the duration of their subscription. Subscribers may unsubscribe from the newsletter at any time and thereby withdraw their consent to data processing. As a result of unsubscribing from the newsletter, the Data Controller will delete the personal data of the data subject within [72 hours] of the relevant request/unsubscription.

3. DATA PROCESSING

Randstad uses data processors to perform certain technical (IT) operations on personal data. The data processors are as follows:

• Google Inc. (registered office: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – activity: correspondence, hosting services
• Amazon (registered office: 410 Terry Avenue North Seattle, Washington 98109-5210 USA) – activity: server and hosting provider
• Traffit sro, (registered office: Gdynia, Aleja Zwycięstwa 96/98, Poland) – activity: database management
   

4. ACCESS TO DATA AND DATA SECURITY MEASURES, DATA TRANSFER

4.1. Access to data, data transfer

Personal data may be accessed by Randstad employees who need it to perform their duties. The personal data of newsletter subscribers will not be transferred to third parties.

4.2. Data security measures

The data controller shall take all necessary measures to ensure the security of the data and shall ensure an appropriate level of protection against unauthorized access, alteration, transfer, disclosure, deletion or destruction, as well as accidental destruction and damage. The Data Controller shall ensure the security of the data by appropriate technical and organizational measures.

The Data Controller shall select and operate the IT tools used for the processing of personal data in the course of providing the service in such a way that the data processed:

• is accessible to those authorized to do so (availability);
• its authenticity and verification is ensured (data processing authenticity);
• its integrity can be verified (data integrity);
• it is protected against unauthorized access (data confidentiality).

During data processing, the data controller shall preserve

• confidentiality: it shall protect the information so that only those who are authorized to access it can do so;
• integrity: it protects the accuracy and completeness of the information and the processing methods;
• availability: it ensures that when an authorized user needs it, they can actually access the desired information and that the related tools are available.
   

5. RIGHTS OF THE DATA SUBJECT

By contacting Randstad in writing at the contact details provided in point 1, subscribers to the newsletter may request information from Randstad regarding:

• what personal data it processes,
• on what legal basis,
• for what purpose,
• from what source,
• for how long it processes it,
• to whom, when, on what legal basis, and to whom the personal data has been disclosed or transferred.

The data controller shall provide the information to the newsletter subscriber in a widely used electronic format, unless the newsletter subscriber requests it in writing on paper. Randstad does not provide verbal information by telephone.

Randstad will provide a copy of the personal data (in person at the customer service desk) to the newsletter subscriber free of charge on the first occasion. Randstad may charge a reasonable fee based on administrative costs for any additional copies requested by the data controller. If the newsletter subscriber requests a copy electronically, Randstad will provide the information to the newsletter subscriber by email in a widely used electronic format.

After receiving the information, if the newsletter subscriber does not agree with the data processing or the accuracy of the data processed, they may request the correction, supplementation or deletion of their personal data, or object to the processing of such personal data, as specified in Section 6. 5.1. Right to rectification of personal data

The data subject has the right to request the rectification of personal data concerning him or her.

Upon written request by the newsletter subscriber, the Data Controller shall, without undue delay, correct any inaccurate personal data indicated in writing or in person by the newsletter subscriber, or complete any incomplete data with the content indicated by the newsletter subscriber. The Data Controller shall inform all recipients to whom the personal data have been disclosed of the rectification or supplementation, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the newsletter subscriber of the data of these recipients upon written request.
 

5.2. Right to restriction of processing

Subscribers to the newsletter may request the Data Controller to restrict the processing of their data by written request if

• the newsletter subscriber disputes the accuracy of the personal data, in which case the restriction shall apply for a period enabling the Data Controller to verify the accuracy of the personal data,
• the processing is unlawful and the subscriber to the newsletter opposes the erasure of the data and requests the restriction of their use instead
• the Data Controller no longer needs the personal data for the purposes of the processing, but the subscriber to the newsletter requires them for the establishment, exercise or defense of legal claims.

With the restriction, the personal data of newsletter subscribers may only be processed with the consent of the newsletter subscriber, or for the purpose of asserting, enforcing or defending legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State, during this period. The Data Controller shall inform the newsletter subscriber whose data processing has been restricted at their request of the lifting of the restriction on data processing in advance.

5.3. Right to erasure (to be forgotten)

At the request of the newsletter subscriber, the Data Controller shall erase personal data relating to the newsletter subscriber without undue delay if one of the following grounds applies: i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Data Controller; ii) the subscriber to the newsletter withdraws the consent on which the data processing is based – unsubscribes from the newsletter and there is no other legal basis for the data processing; iii) the personal data is processed unlawfully by the Data Controller.

The subscriber to the newsletter may not exercise their right to erasure if the processing is necessary i) for the exercise of the right of freedom of expression and information; ii) for reasons of public interest in the area of public health; iii) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as the exercise of the right to erasure would render impossible or seriously impair such processing; or iv) for the establishment, exercise or defense of legal claims.

5.4. Right to data portability

Subscribers to the newsletter have the right to request that the data they have provided be provided to them in a machine-readable format. If technically feasible, they may request that the data be transferred to another data controller. In all cases, the right is limited to the data provided by the newsletter subscriber; other data cannot be transferred. (e.g. statistics, etc.)

The newsletter subscriber may receive the personal data relating to them that is stored in the Data Controller's system:

• in a structured, commonly used and machine-readable format
• may transfer it to another data controller,
• may request the direct transfer of the data to another data controller, if this is technically feasible in Randstad's system.

Randstad will only comply with requests for data portability upon written request by email or post. In order to comply with the request, Randstad must be satisfied that it is indeed the newsletter subscriber who is entitled to exercise this right. Within the scope of this right, newsletter subscribers may request the portability of data that they themselves have provided to Randstad. Exercising this right does not automatically result in the deletion of the data from Randstad's systems, therefore, even after exercising this right, the newsletter subscriber will remain registered in Randstad's systems, unless they also request the deletion of their data.

5.5. Enforcement of the rights of a deceased Candidate by another person

Within five years of the death of a person who subscribed to the newsletter, the rights to which the deceased was entitled during their lifetime, such as the right of access, rectification, erasure, restriction of processing and data portability, may be exercised by a person authorized by the deceased in an administrative provision, public document or private document with full probative force. If the deceased made several such statements at Randstad, the person named in the later statement may exercise these rights. If the deceased did not make such a statement,

the rights of the deceased as specified in the previous paragraph may be exercised by the deceased's close relative as defined in the Civil Code. the rights to which the deceased was entitled during his or her lifetime and specified in the previous paragraph may be exercised by his or her close relative as defined in the Civil Code within five years of the death of the person concerned (in the case of several close relatives, the close relative who first exercises this right shall be entitled to exercise the above rights).

Close relatives are defined in Section 8:1(1)(1) of the Civil Code as spouses, direct relatives, adopted children, stepchildren and foster children, adoptive parents, step-parents and foster parents, and siblings. The close relative of the deceased must prove:

• the fact and time of the death of the deceased with a death certificate or court decision, and
• their own identity – and, if necessary, their status as a close relative – with a public document.

The person exercising the rights of the deceased shall be entitled to the rights and subject to the obligations of the deceased during the exercise of those rights, in particular in proceedings against Randstad, the National Data Protection and Freedom of Information Authority, or before a court, in accordance with the Infotv. and the Decree.

The data controller shall, upon written request, inform the next of kin of the measures taken, unless the deceased expressly prohibited this in their statement.

5.6. Deadline for fulfilling the request

The data controller shall inform the newsletter subscriber of the measures taken without undue delay, but in any case within one month of receipt of any request pursuant to Sections 5.1-5.5. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months, but in this case Randstad shall inform the newsletter subscriber within one month of receipt of the request, stating the reasons for the delay and that the newsletter subscriber may lodge a complaint with the supervisory authority and exercise their right to judicial remedy.

If the request of the newsletter subscriber is clearly unfounded or excessive (in particular due to its repetitive nature), the Data Controller may charge a reasonable fee for complying with the request or refuse to take action on the request. The burden of proof lies with the Data Controller.

If the request was submitted electronically by the newsletter subscriber, the Data Controller shall provide the information electronically, unless the newsletter subscriber requests otherwise.

The Data Controller shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure or restriction of data processing, unless this proves impossible or involves disproportionate effort. Randstad shall inform subscribers to the newsletter of these recipients upon request.

5.7. Compensation and damages

Any person who has suffered material or non-material damage as a result of a breach of the Regulation shall be entitled to compensation from Randstad or the data processor for the damage suffered. The data processor shall only be liable for damage caused by data processing if it has failed to comply with the obligations specifically imposed on data processors by law or if it has disregarded or acted contrary to Randstad's lawful instructions. The Data Controller or the data processor shall be exempt from liability if it proves that it is in no way responsible for the event causing the damage.

6. LEGAL REMEDIES

You may exercise your rights as a subscriber to the newsletter by sending a written request by email or post.

You cannot exercise your rights as a subscriber to the newsletter if Randstad proves that it is not in a position to identify you as a subscriber. If the request of the newsletter subscriber is clearly unfounded or excessive (in particular due to its repetitive nature), the Data Controller may charge a reasonable fee for complying with the request or refuse to take action. The burden of proof lies with Randstad. If Randstad has doubts about the identity of the natural person submitting the request, it may request further information necessary to confirm the identity of the applicant.

Persons subscribing to the newsletter may, pursuant to Info.tv., the Regulation and the Civil Code (Act V of 2013)

a. contact the National Authority for Data Protection and Freedom of Information (1125 Budapest, Szilágyi Erzsébet fasor 22/c.; https://www.naih.hu) or

b. enforce their rights in court. The lawsuit may be brought before the court of the place of residence of the Candidate, at their discretion (a list of courts and their contact details can be found at the following link: https://birosag.hu/torvenyszekek).

7. HANDLING OF DATA PROTECTION INCIDENTS

A data protection incident is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. Randstad keeps a record for the purpose of monitoring measures taken in relation to data protection incidents, informing the supervisory authority and informing newsletter subscribers, which includes the scope of personal data affected by the incident, the scope and number of data subjects, the time and circumstances of the incident, its effects and the measures taken to remedy it. In the event of an incident, the data controller shall, unless there is no risk to the rights and freedoms of natural persons, inform the newsletter subscriber and the supervisory authority of the data protection incident without undue delay, but within 72 hours at the latest.

8. OTHER PROVISIONS

The Data Controller reserves the right to unilaterally amend this Privacy Policy with prior notice on the website https://www.randstad.hu, in particular, but not exclusively, in the event of changes in the law. The amendments shall take effect on the date specified in the notification for subscribers to the newsletter, unless the subscriber objects to the amendments.

If any person has provided the data of a third party in order to use Randstad's services and has caused any damage in doing so, the Data Controller shall be entitled to claim compensation from that person.

This Privacy Policy shall enter into force on September 8, 2020.