Prohumán 2004 Munkaerő Szolgáltató és Tanácsadó Korlátolt Felelősségű Társaság, Profield Munkaerő-kölcsönző Kft., Profield Személyzeti Tanácsadó Kft., Human Existence Kft., HR-RENT Szolgáltató Kft., HR-Montage Kft., ProAktív Közérdekű Nyugdíjas Szövetkezet, furthermore, PRODIÁK School Cooperative (hereinafter collectively referred to as: the Data Controller or Data Controllers), as the operator of the websites available under the domain name www.prohuman.hu, www.proaktivszövetkezet.hu; www.profieldkolcsonzo.hu; www.hr-rent.hu, furthermore, www.prodiak.hu (hereinafter collectively referred to as: the Website) hereby publish information on the data management performed within the framework of the Website, the services related to the Website and the other services provided by the Data Controllers.
Considerint that the purpose of certain data management activities specified in this Information Note and the method of data management are jointly determined by the Data Controllers, Prohumán 2004 Munkaerő Szolgáltató és Tanácsadó Korlátolt Felelősségű Társaság, Profield Munkaerő-kölcsönző Kft., Service Flow Kft., Human Existence Kft., HR-RENT Szolgáltató Kft., furthermore, PRODIÁK School Cooperative shall be considered as a joint data controller in accordance with Chapter IV Section 1 Article 26 of Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as: the General Data Protection Regulation (GDPR)).
By starting to use the Website and using the services of the Data Controller, the users visiting the Website and using the services of the Data Controller (hereinafter referred to as: the User or Data Subject) accept all the terms and conditions included in this Information Note on Data Management (hereinafter referred to as: the Information Note), therefore please read this Information Note carefully before using the Website or the Services.
Data of Data Controllers
Rrepresented by: Executives
The scope of personal data managed
On the registration interface of the Website and the terminal located in the offices of the Data Controller, the User has the opportunity to enter their data in order to use the services of the Website (hereinafter referred to as: the Registration). During the Registration, the following personal data is required (data marked with * are mandatory):
Subscription to the newsletter.
It is also possible to register and log in to the Website with the User’s Facebook, Google or LinkedIn profile, during which the Website requests the following data from the personal data provided in the User’s profile, with the User’s consent:
location of planned employment;
educational attainment level;
After Registration, the system creates a User Profile of the Data Subject, which contains the following information:
data of the Data Subject provided during the Registration;
data of the Data Subject provided in connection with job search.
When using the User Profile, the User has the option to upload their CV or create a new curriculum vitae.
When creating a new CV, it is possible to enter the following information:
type and title of qualification, name of institution, date of completion;
IT knowledge, certification;
language skills: language, level, time of acquisition;
driving license type, date of obtainment;
name of the employing company;
job role title;
address of work;
duration of employment;
job role description.
In the User profile, the User also has the opportunity to enter the information related ot the job search (job type, location, other aspects), furthermore, to save job ads, modify the entered data, delete the data with the exception of not mandatory data, or to subscribe to or unsubscribe from the newsletter.
Data sheet and interview
During the personal appearance in the offices operated by the Data Controller or within the framework of a personal conversation with the advisor of the Data Controller (hereinafter referred to as: the Interview), the Data Subject also ahs the opportunity to provide his or her data and CV on a paper-based or digital data sheet specifically used for this purpose (hereinafter referred to as: the Data sheet), together with his or her needs related to the job role to be fulfilled, so that the Data Controller can contact him or her with the right job offer. During the completion of the Data sheet or in course of the interview, only those data of the Data Subject will be recorded which are necessary for the job search. Based on the data provided on the Data sheet or during the Interview, the Data Controller also creates the User profile of the Data Subject, which may contain the data provided in the “User profile” menu option, based on the voluntary consent of the Data Subject.
Subscription to the newsletter:
On the Website, the Data Subject has the opportunity to subscribe to the Data Controller’s newsletter on an interface specifically created for this purpose. In order to subscribe to the newsletter, one must provide the following personal information (data marked with an * are required):
Applying for a job advertisement
The Data Controller handles the personal data (curriculum vitae, identification data, contact details, data related to education, employment, field of interest) provided during the applications for job vacancies advertised by it on other websites or on other advertising surfaces (printed media) during and for the purpose of processing the job application. The application procedure is as follows: the Data Subject sends their data to the Data Controller to the e-mail address specified in the job advertisement, which the Data Controller confirms by e-mail and sends a questionnaire to the Data Subject in the confirmation letter, reconciling the data or requesting any missing information.
In case of concluding a membership agreement
The Data Controller manages the data of the Data Subject which are relevant for the conclusion, performance and termination of the membership agreement concluded with the Data Controller in accordance with the relevant statutory requirements:
Data recorded in the membership agreement are:
Place and date of birth:
Mother’s (maiden) name:
Tax identification number:
Hungarian social security number (TAJ):
Pension disbursement registration number:
Bank account number:
Data provided in the entry declaration:
Hungarian social security number (TAJ)
Bank account number
Pension disbursement registration number
Place of birth
Date of birth
Permanent residential address
Place and date of birth
Tax identification number
Data related to the fulfillment of the membership agreement:
Data on performance time records;
Data on annual leave, sick leave;
Income payment data.
During the establishment and maintenance of a temporary employment relationship,
the Data Controller manages the data of the Affected Employee in accordance with Section 10 of Act I of 2012 on the Labor Code (hereinafter referred to as: the Mt.), which are relevant from the establishment, fulfilment and termination of the employment relationship established with the Data Controller:
Employee identification data:
Name (birth name);
Place and date of birth;
Place of residence, dwelling place;
Hungarian social security number (TAJ), tax identification number; personal identity card number;
Number of children, their place and date of birth; their tax identification number;
Bank account number;
Data on studies and qualification:
Data on educational attainment;
Data related to professional or vocational qualification;
Data related to the employment:
Beginning of the employment relationship, the position held, the extent of working hours, the place of work;
Date, manner and conditions of termination of employment.
The Data Controller shall only collect special data with the written consent of the Data Subject that are necessary for the performance of the given job (for example, in case of employment or hiring of persons with disabilities) or if the Data Subject provides such data and they are not necessary for the job, the Data Controller shall immediately delete the special data.
Only persons over the age of 16 are entitled to provide data.
The purpose of data management
The Data Controller uses the data for the following purposes in connection with the services it provides:
During Registration on the Website: the purpose of data management is to provide the services of the Website, to create a User Profile.
When creating a User profile (or filling in the Data sheet and holding the Interview), the purpose of data management is:
to manage, modify and delete data and CVs stored in the User profile;
to use data for the purpose of applying for a job advertisement, set up job searches, save job offers, as well as keep in touch with the User, send notifications about job offers and job opportunities corresponding to his or her qualifications, abilities and needs;
the purpose of processing the data provided during the preparation of the CV is to allow for the Data Controller to contact the User with the appropriate job offer, as well as to explore the User’s qualifications, abilities and needs that are significant for the employment relationship to be filled by the User;
to monitor and facilitate the professional development of the Data Subject;
If you subscribe to the newsletter on the Website or in the User profile: Sending n electronic newsletter or advertising message about the offers and prize competitions related to the Data Controller and its partners to the e-mail address provided by the Data Subject (hereinafter collectively referred to as: the “Newsletter”).
In case of applying for a job advertisement, the purpose of data management is to:
communicate with the Data Subject in connection with the indicated job offer;
transmit his or her data and CV to the employer announcing the indicated job offer on the basis of the consent of the Data Subject;
conduct the selection procedure related to the job advertisement published by the Data Controller;
facilitate the establishment and maintenance of an employment relationship;
in case of their special consent, to create a User profile of the Data Subject, and to explore the qualifications, endowments and needs of the Data Subject relevant to the employment relationship to be fulfilled; to mediate job offers to the Data Subject meeting their scope of interests and qualifications, endowments and needs;
In case of establishing a membership relationship, the purpose of data management is the fulfilment of administrative tasks related to the performance, existence and termination of the membership relationship between the Data Controller and the Data Subject (including also personnel tasks, income calculation, transfer and social security accounts) and HR controlling (including also efficient business organization of human resources). Based on the express and voluntary consent of the Data Subject, the Data Controller transmits the Data Subject’s personal data to a third party determined in the individual agreement on the performance of tasks and related to the membership agreement (hereinafter referred to as: the Service User) for data processing for the purpose of performing tasks within the framework of the cooperative membership, in the extent required for that purpose.
During the establishment and maintenance of a temporary employment relationship, the purpose of data management is to exercise the rights and fulfill the obligations arising from the establishment, performance and termination of the employment relationship between the Data Controller and the Affected Employee in accordance with the provisions of the Employment Contract and the provisions of the Labor Code – with special regard to Section 10 of the Labour Code.
The Data Controller also uses the personal data provided by the User for statistical purposes, exclusively in such a way as to anonymise the personal data, so that they are no longer suitable for personal identification and cannot be linked to any natural person.
Duration of data management
During the existence of the purpose of data management, such as registration on the Website, in case of the User profile and when sending the Newsletter, the Data Controller shall handle the personal data until the User requests the deletion of their data or revokes their consent given to the management of their personal data or reception of Newsletters.
Personal data will be deleted simultaneously with the termination of the purpose of data processing or without undue delay at the request of the User, except for data that the Data Controller is obliged to retain based on a statutory obligation for the period specified in the legislation ordering mandatory data processing, thus the Data Controller will retain the personal data managed during the establishment, performance and termination of the employment relationship established with the Data Controller until the expiry of the employment law claim arising out of the employment relationship, i.e. for 3 years from the termination of the employment relationship, or during this period of time, if a period longer than this is prescribed for by a regulation.
If a membership is established, the Data Controller manages the personal data during the existence of the purpose of data management. In the event of termination of the membership, the Data Controller shall delete the personal data one year after the termination of the membership. In case of mandatory (statutory) data processing, the Data Controller manages the data for the period specified by the law.
In case of applying for a job advertisement, the Data Controller handles personal data during the existence of the purpose of data processing, i.e. in case of a specific job offer, until the administration of the job offer, and in case of mediating a job offer to the Data Subject meeting their scope of interests or preference, for the existence of the purpose of data management, or until the Data Subject requests the deletion of the data or withdraws their consent.
In order to fulfill the services provided by the Data Controller, in case of applying for a specific job advertisement, from among the data of the User provided during the Registration and the application for the job advertisement, the Data Controller shall transfer the data required for the assessment of the application – personal data, studies, work experience, other information necessary for the assessment of the application (planned start, results of the completed tests, etc.) – to the employer who advertised the job specified in the job advertisement (hereinafter referred to as: the Employer).
In case of any data transmission, during which the transmissopm is addressed to an Employer that carries out its data management activities in a third country, the Data Controller shall only transmit the User’s personal data with the appropriate prior provision of information and express consent of the User.
The Data Controller declares that after the transmission of the data to the Employer, he does not take responsibility for the legality of processing of these data by the Employer. The Data Subject may receive information on the Employer’s data management on the Employer’s website or at other contact details.
Legal basis for processing personal data
During the Registration, use of the User profile, application for a job advertisement or subscription to the Newsletter, the Data Subject agrees that the Data Controller will handle his or her personal data as described in this Information Note. The processing of personal data is based on the Data Subject’s voluntary consent given in the knowledge of this information.
The Data Subject may exclusively provide his/her personal data on the Website or when using the services of the Data Controller.
Data Controller shall take the obligation to take care about the security of data, furthermore, to take all the necessary technical and organisational measures and establish the procedural rules which ensure that the recorded, stored or managed data are protected, moreover, it shall prevent their destruction, unauthorized use and unauthorized alteration. Furthermore, it shall take the obligation to call on any third parties to comply with the data security requirements, to whom it may potentially transmit or hand over data based on the consent of Data Subjects.
The Data Controller shall ensure that no unauthorized person has access to, disclose, transmit, modify or delete the data processed. The processed data may only be disclosed to the Data Controller and its employees, as well as to the Data Processor(s) used by it, and the Data Controller shall not transfer them to a third party who is not authorized to learn about the data.
The Data Controller shall do its utmost to ensure that the data are not accidentally damaged or destroyed. The above commitment is also provided for by the Data Controller to its employees participating in the data management activity.
The Data Subject acknowledges and accepts that the protection of data on the Internet cannot be fully guaranteed if the personal data is provided on the Website, despite the fact that the Data Controller has state-of-the-art security means to prevent unauthorized access to or retrieval of the data. In the event of occurrence of unauthorized access or data disclosure despite our efforts, the Data Controller shall not be held liable for such data acquisition or unauthorized access to data or for any damage caused to the Data Subject for these reasons. In addition, the Data Subject may also disclose his or her personal data to third parties who may use it for illegal purposes or in any other way.
Data security is ensured by the Data Controller in the most up-to-date way possible. The Data Controller takes the obligation to immediately suspend the service and publish a declaration until the elimination of the error in the event of a data protection incident that occurs despite the above measures, and to keep a record of the data protection incidents and the actions taken.
The scope of persons authorized to learn about personal data; data processing
The Data Controller and the Employers to whom the Data Subject has expressly given their consent to the transmission of their personal data to the Employers are authorized to learn about the data of the Data Subject.
The Data Processors used by the Data Controller are authorized to learn about the personal data in accordance with the applicable legislation.
The data are processed by the following data processors acting on behalf of the Data Controller:
DoclerNet Hosting Kft. (…): Hosting service
Gbart Solutions Kft.: System development, website operation
Textkernel BV.: IT services relating to the use of a database
Brightly Kft.: Website operation
The Data Controller reserves the right to involve an additional data processor in the data management in the future, of which it informs the Users by amending this Information Note.
In the absence of an express statutory provision, the Data Controller shall only transfer data suitable for personal identification to third parties with the express consent of the given User.
User rights in relation to their data managed
Right of access
At the request of the User, the Data Controller shall provide information on whether the Data Controller continues to process his/her personal data and, if so, shall grant him/her access to the personal data, as well as inform him/her of the following information:
the purpose(s) of data management;
the types of personal data involved in the processing;
in case of transmission of the User’s personal data, the legal basis and recipient(s) of the transmission;
the planned duration of the data processing;
the rights of the User in connection with the rectification, deletion and restriction of the processing of personal data, as well as the protest against the processing of personal data;
the possibility of turning to the Authority;
the source of data;
the name and address of the data processors, and their activity relating to the data processing.
The Data Controller shall provide the User with a copy of the personal data subject to data management free of charge. The Data Controller may charge a reasonable fee based on administrative costs for additional copies requested by the User. If the User has submitted the request electronically, the requested information shall be made available to in a widely used electronic format, unless requested otherwise by the Data Subject.
The Data Controller shall be obliged to provide the information at the request of the User in an intelligible form without undue delay, but no later than within 30 days from the submission of the request. The User can submit their request for access by e-mail sent to prohuman@prohuman and by postal mail sent to the following address: H-1146 Budapest, Hungária krt. 140-144., in both cases with proof of identity.
Correction of managed data
The user is authorized to request the correction of inaccurate personal data or the supplementation of incomplete data (indicating the correct data), taking into account the purpose of data management, also at the e-mail address firstname.lastname@example.org or at the H-1146 Budapest, Hungária krt. 140-144. postal address, in both cases with proof of identity. The Data Controller shall carry out the rectification in its register without any undue delay and shall notify the Data Subject thereof in writing.
Deletion of managed data (right to be forgotten)
In addition to the above, the User may, at any time, request the deletion of their data – in part or in full – at the email@example.com e-mail address or by post at H-1146 Budapest, Hungária krt. 140-144 free of charge, without justification, with proof of identity if one of the following reasons exists:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the User withdraws their consent on which the data processing is based, and there is no other legal basis for the processing;
the User objects to the processing of their personal data;
the processing of personal data was unlawful;
the personal data must be deleted in order to fulfill a legal obligation under Union or Member State law applicable to the Data Controller;
the collection of personal data on a consensual basis has taken place in connection with the provision of information society services to children.
Where the data Controller has made the personal data public and is obliged to erase such personal data in accordance with the above, the Data Controller, taking into account the available technology and the cost of implementation, shall take reasonable steps and measures to inform data controllers who are processing the personal data that the User has requested the erasure by such controllers of any links to, or copy or replication of, the personal data in question.
Personal data do not need to be deleted if data processing is necessary:
for the purpose of exercising the right to freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
for reasons of public interest in the area of public health;
for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, in so far as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of legal claims.
Restriction of data managed
The User is authorized to request the Data Controller to restrict data management instead of correcting or deleting the personal data, if any of the following criteria is met:
the User disputes the accuracy of the personal data, i nwhich case such restriction shall be valid for a period enabling the Data Controller to verify the accuracy of the personal data;
the data management is unlawful and the User is opposed to the deletion of the data and, instead, he or she asks for the limitation of their use;
of the Data Controller no longer needs the personal data for the purposes of data management, but the User requires them to submit, enforce or protect legal claims; or
the User has objected to the data management; in this case such restriction shall be valid for as long as it is established whether the legitimate grounds of the Data Controller override those of the Data Subject.
Where data processing is restricted, such personal data may be processed, with the exception of storage, only with the User’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural person or legal entity or for reasons of important public interest of the Union or of a Member State.
The Data Controller shall inform the User, at whose request the data management has been restricted, of the lifting of the data management restriction in advance.
Notification obligation related to the correction or deletion of personal data or the restriction of data management
The Data Controller shall inform each recipient of any rectification, erasure of personal data or data management restriction, whom or which the personal data have been disclosed to, unless this proves impossible or involves a disproportionate effort. Upon request, the Data Controller shall inform the User of these recipients.
In addition, the Data Subject may at any time decide that the Data Controller will no longer send him a Newsletter. The Data Subject may withdraw their consent to receive the Newsletters at any time, free of charge, without giving the reasons or without any restriction, by clicking on the unsibscription link placed at the bottom of the newsletters, or by writing an e-mail to firstname.lastname@example.org, or by sending a letter to H-1146 Budapest, Hungária krt. 140-144 (indicating exact personal data). Upon receipt of the unsubscription request, the Data Controller shall immediately delete the unsubscribing Data Subject’s data from the direct marketing database and shall no longer send a Newsletter to the Data Subject.
If the withdrawal of consent concerns only the data management for direct marketing purposes (sending a Newsletter), the Data Controller shall immediately delete the Data Subject only from the direct marketing register, otherwise the Data Controller shall continue to be authorized to manage the Data Subject’s data in order to provide the Website Services used by the Data Subject.
The right to object
The User may object to the processing of his/her personal data if the data processing
is necessary for the performance of a task in the public interest or in the exercise of a public authority granted to the Data Controller;
is necessary to enforce the legitimate interests of the Data Controller or a third party.
In the event of the User’s objection, the Data Controller may not continue to process the personal data, except where the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject, or are needed for the establishment, exercise or defence of legal claims.
If the processing of personal data is for the purpose of direct business acquisition, the User has the right to object at any time to the processing of personal data concerning him or her for this purpose. If the User objects to the processing of personal data for the purpose of direct business acquisition, the personal data may no longer be processed for this purpose.
The Data Controller shall inform the User without undue delay, but no later than within one month from the receipt of the request, of the measures taken following the request for access, rectification, deletion, restriction, protest and data portability. If necessary – taking into account the complexity of the request and the number of requests – this deadline may be extended by two additional months. The User will be notified of any extension of the deadline by the Data Controller within one month after the request is received, indicating the reason for the extension. If the User has submitted the request electronically, the requested information shall be made available to him or her in electronic format, unless the Data Subject expressly requested otherwise.
If the Data Controller does not take any action upon the User’s request, the Data Controller shall inform the User without delay, but at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
At the request of the User, the information, notification and the action taken upon his or her request shall be provided free of charge. Where the request of the User is manifestly unfounded or excessive, in particular because of its repetitive character, the Data Controller may either charge a reasonable fee taking into account the administrative costs of providing the information or notification, or taking the action requested; or refuse to act based on the request. The Data Controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Handling and reporting privacy incidents
A data protection incident is any event that involves the unlawful handling or processing of personal data in connection with personal data managed, transmitted, stored or processed by the Data Controller, in particular unauthorized or accidental access, alteration, communication, deletion, loss or destruction and accidental destruction and injury.
The Data Controller shall report the data protection incident to the Hungarian National Authority for Data Protection and Freedom of Information (Hungarian abbreviation: NAIH) without any undue delay, and, if possible, latest in 72 hours after learning about the data protection incident; unless the Data Controller can prove that the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons. If the report cannot be made within 72 hours, it shall state the reason for the delay and the required information may also be provided in detail without further undue delay. The report to the NAIH shall contain at least the following information:
the character of the data protection incident, the number and category of data subjects and personal data;
name and contact details of the Data Controller;
the probable consequences arising out of the data protection incident;
the measures taken or planned to manage, eliminate or remedy the data protection incident.
The Data Controller shall inform the data subjects about the data protection incident via the Data Controller’s website within 72 hours after the detection of the data protection incident. The notification shall contain at least the information specified in this Article.
The Data Controller shall keep a register of data protection incidents in order to monitor the measures related to the data protection incident and to inform the data subjects. The register shall contain the following information:
the scope of personal data concerned;
the scope and number of data subjects;
the date and time of the data protection incident;
the circumstances and impact of the data protection incident;
the measures taken to eliminate the data protection incident.
The data contained in the register shall be kept by the Data Controller for 5 years from the detection of the data protection incident.
Possibility of judicial remedy
The Data Controller shall make every effort to ensure that the personal data is processed in accordance with the law; however, if the Data Subject feels that this has not been complied with, it is possible to write to the e-mail address email@example.com or to the postal address H-1146 Budapest, Hungária Krt. 140-144.
If the Data Subject feels that his or her right to the protection of personal data has been violated, he or she may seek redress from the competent authorities in accordance with the applicable law:
the Hungarian National Authority for Data Protection and Freedom of Information (address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C., firstname.lastname@example.org; www.naih.hu)
The National Media and Communications Authority acts in connection with advertisements sent by electronic means (Newsletter), and the detailed regulation can be read in Act CXII of 2011 on the Right to Information Self-Determination and Freedom of Information, furthermore, Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services.
This Information Note is governed by the provisions of the Hungarian law and of Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as: the General Data Protection Regulation (GDPR)).