Data management
prospectus
- for a job application
for the applicant

The Prospective Employee The protection of your personal data is extremely important to us. We have developed this Privacy Policy to provide you with information on what personal data, for what purpose and legal basis we process about you, and what organizational and technical measures we take to protect your personal data, as well as to inform you about your rights.

1. General legislation on which data processing is based

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR)
• Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.)
• Act I of 2012 on the Labor Code (Mt.)

2. Concepts

Personal data:any information relating to an identified or identifiable natural person (“Data Subject”); identifiable is a natural person who can be identified, directly or indirectly, in particular on the basis of an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person. Such typical personal data in particular: name, address, place and time of birth, mother's name.

Data management:the totality of any operation or operations performed on personal data or files in an automated or non-automated manner, including by collection, recording, organising, categorising, storing, transforming or altering, querying, viewing, using, communicating, transmitting, distributing or otherwise making available, coordinating or linking, restricting, erasure or destruction.

Data Controller:the natural or legal person, public authority, agency or any other body which determines, independently or jointly with others, the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the specific criteria for the designation of the Controller or the Controller may also be determined by Union or Member State law.

Data processor:the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the Controller.

Recipient:the natural or legal person, public authority, agency or any other body with whom the personal data is disclosed, whether third party or not.

3. Data management activity

A. JOINT DATA MANAGEMENT

Joint data processing is carried out during the application for a job application (published job application, database application).

Joint Data Controllers:

1)
Data Controller:UNITED CONSULT Ltd.
Registered office:1117 Budapest, Dombóvári út 26.
Company registration number: 01-10-141235
Tax ID: 29139727-2-43
Website:https://united-consult.hu/
Contact information of the Data Protection Officer: info@united-consult.hu

2)
Data Controller: UC Hire Lab Ltd.
Registered office: 1037 Budapest, Hunor Street 62. Tt 7. door
Company registration number: 01-09-426018
Tax ID: 28793487-2-41
Website:https://uchirelab.hu/
Contact information of the Data Protection Officer: info@uchirelab.hu

3)
Data Controller: UC Innovations Ltd.
Registered office: 7030 Paks-Dunakömlőd, Radnóti street 9.
Branch: 1117 Budapest, Dombóvári út 26.
Company registration number: 17-09-004939
Tax ID: 13194318-2-17
Website:https://united-consult.hu/
Email contact: info@united-consult.hu

4)
Data Controller: UC Big Data Ltd.
Registered office: 1117 Budapest, Dombóvári út 26.
Company registration number: 01-10-143058
Tax ID: 32684715-2-43
Website: https://datandroll.hu/
Email contact: info@united-consult.hu

5)
Data Controller: UC CRM Solutions Ltd.
Registered office: 1117 Budapest, Dombóvári út 26.
Company registration number: 01-10-143062
Tax ID: 32685895-2-43
Website:https://successplatform.hu/
Email contact: info@united-consult.hu

a) application for the advertised job application‍

Purpose of data processing: Verification of the conditions necessary for filling the job application by applying for a published job application

Legal basis for data processing:Art. 6 para. 1 lit. a) GDPR: consent

Scope of personal data processed:
Applicants for the job application:

• contact details provided in your CV, related documents and at the interview and personal data confirming compliance with qualification requirements

Data Retention Period: Until the withdrawal of consent, but not more than until the closing of the application for a position and notification of its outcome

b) participation in the database‍

Purpose of data processing:Checking the existence of the necessary conditions for holding the position in order to obtain a possible subsequent job offer in the Data Controller's database

Legal basis for data processing: Art. 6 para. 1 lit. a) GDPR: consent

Scope of personal data processed:
Applicants for the job application:

• contact details provided in your CV, related documents and at the interview and personal data confirming compliance with qualification requirements

Data retention period: Until the withdrawal of consent

‍

c) making a payment offer ‍

Purpose of data processing:Making a payment offer to the most suitable candidate for the job application

Legal basis for data processing: Article 6 (1) (b) GDPR: necessary for the performance of the contract or for taking steps at the request of the Data Subject prior to the conclusion of the contract

Scope of personal data processed:
Applicants for the job application:

• name
• phone number
• email address
• information about the offer (position, payment offer, start date, conditions of acceptance)

Data retention period: Until the retention period of the resume. If the payment offer is accepted, the retention period specified in the Employee Data Protection Notice will govern.

4. Data recording

Personal data from the Data Subject:through a job search portal, from a headhunting company (as an independent data controller) or directlyare sent to the Data Controller.

5. Recipients

a. Independent Data Controller (s)‍

As independent data controllers, additional contractual partners participate in the recruitment process, from whose database the personal data of applicants for the job application are transferred to the Data Controller's database. Such independent Data Controller (s):

• job-search portal operator (s):

• Profession.hu is operated by: Profession.hu Kft. (registered office: 1123 Budapest, Nagyenyed utca 8-14., company registration number: 01-09-199015)

The data management information is available at this link: https://www.profession.hu/adatkezeles/#jelentkezes-allashirdetesre

• NoFluff Jobs sp. z o.o. (registered office: ul. Podolska 21 81-321 Gdynia, Poland)

The data management information is available at this link: https://nofluffjobs.com/static/No_Fluff_Jobs_Privacy_Policy.pdf

• social portals:

• LinkedIn Provider: LinkedIn Ireland Unlimited Company (based in Wilton Plaza, Wilton Place, Dublin 2, Ireland)

The data management information is available at this link: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy

• Facebook Provider: Meta Platforms Ireland Ltd. (registered office: Merrion Road, Dublin 4 D04 X2K5, Ireland)

The data management information is available at this link:
https://www.facebook.com/privacy/explanation

If other Independent Data Controller (s) are involved in the application process, the Data Controller will always inform the Data Subject individually.

b. Data processor (s)

The Controller shall use only Data Processor (s) who provide adequate guarantees, in particular as regards expertise, reliability and resources, that they implement technical and organisational measures to ensure compliance with the requirements of the GDPR, including the security of data processing.

The specific tasks and responsibilities assigned to the Data Processor are set out in the Data Processing Agreement concluded between the Data Controller and the Data Processor. The Data Processor may not make an independent decision, acting solely on the basis of the Data Processing Agreement and in accordance with the instructions of the Data Controller.

The Data Processor (s):

• mail system: Microsoft Magyarország Kft. (registered office: 1031 Budapest, Graphisoft Park 3., company registration number: 01-09-262313)
• hosting provider: Tpax Kft. (registered office: 1107 Budapest, Zagreb Street 1. 4. em. door 404, company registration number: 01-09-277343)
• candidate management system:Salesforce is operated by SFDC Ireland Ltd. (registered office: Block A, Nova Atria North, Sandyford Business District 18 Dublin, Ireland)
• online communication platform (Microsoft Teams):Microsoft Magyarország Kft. (registered office: 1031 Budapest, Graphisoft Park 3., company registration number: 01-09-262313)
  

If the involvement of other Data Processor (s) becomes necessary during the application process, the Data Controller will always inform the Data Subject individually.

6. Data transfer

The Data Controller may transfer personal data to another recipient, the Data Controller will always inform the Data Subject individually about this. Data transfer takes place only on the basis of the requirements set out in the current legislation, documented (for example, on the basis of an official or court request). ‍

‍

7. Access to data

Personal data may be accessed by the competent employees of the Data Controller to the extent necessary for the performance of their duties.

8. Data security measures

The Data Controller shall take appropriate IT, technical and personal measures to ensure that the personal data it processes are protected, inter alia, against unauthorised access or unauthorised alteration.

9. Rights of the Data Subject and their content in relation to data processing

In the event of a violation of the rights set out in the GDPR, the Data Subject may lodge a complaint with the Data Controller at Point 1with a written request sent to the specified email addresses. In accordance with Article 12 (3) of the GDPR, the Controller shall comply with the Data Subject's request for the exercise of his/her rights without undue delay, but not later than within 1 month of receipt thereof.

‍

Data subject's right to data processing: Right to information /Art. 13-14 of the GDPR/

Content of the Data Subject's right to data processing:You have the right to receive information about the fact and purposes of data processing at the time of obtaining your personal data. The Controller also provides you with additional information that is necessary to ensure fair and transparent data processing, taking into account the specific circumstances and context of the processing of personal data. You must also be informed of the fact of profiling and its consequences.

Data subject's right to data processing:Right of access /Article 15 of the GDPR/

Content of the Data Subject's right to data processing:You have the right to request information as to whether your personal data is being processed and, if such processing is ongoing, you have the right to know that the Data Controller:

• what personal data
• on what legal basis
• for what purpose of data processing
• how long does it treat
• to whom, when, under what law, to which personal data you have granted access or to whom you have transmitted your personal data
• the source of your personal data (if you have not provided it to the Controller)
• whether automated decision-making is used, as well as its logic, including profiling.

Data subject's right to data processing:Right to rectification/Article 16 of the GDPR/

Content of the Data Subject's right to data processing:You have the right to request the Controller to correct inaccurate personal data concerning you or to supplement incomplete personal data. So you can ask the Controller to change some of your personal data (for example, you can change your e-mail address or other contact information at any time).

Data subject's right to data processing: Right to erasure (“right to be forgotten”) /Article 17 of the GDPR/

Content of the Data Subject's right to data processing:You have the right to request the Controller to delete your personal data if one of the following reasons applies:

• your personal data is no longer needed for the purpose for which it was collected or otherwise processed
• You withdraw your consent on the basis of the processing pursuant to Article 6 (1) (a) or Article 9 (2) (a) and there is no other legal basis for the processing
• You object to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 (2)
• your personal data has been unlawfully processed
• your personal data must be deleted in order to comply with a legal obligation under Union or Member State law applicable to the Controller
• your personal data have been collected in connection with the provision of information society services referred to in Article 8 (1).

Data subject's right to data processing:Right to restriction /Article 18 of the GDPR/

Content of the Data Subject's right to data processing:You have the right to request the Controller to restrict processing if one of the following reasons applies:

• You dispute the accuracy of your personal data (in this case, the limitation applies to the period of time that allows the Controller to verify the accuracy of the personal data)
• the processing is unlawful and you object to the deletion of the data and instead request the restriction of their use
• the Controller no longer needs the personal data for the purposes of data processing, but you require it for the establishment, exercise or protection of a legal claim

You have objected to the processing pursuant to Article 21 (1) (in this case, the limitation applies to the period until it is established whether the legitimate reasons of the Controller take precedence over your legitimate reasons).

Data subject's right to data processing: Right to data portability /Article 20 of the GDPR/

Content of the Data Subject's right to data processing:You have the right to receive the personal data concerning you that you have provided to a Data Controller in a structured, widely used, machine-readable format, and you have the right to transmit such data to another Data Controller without hindrance from the Data Controller to whom you have provided the personal data, if:

• the processing is based on consent pursuant to point (a) of Article 6 (1) or point (a) of Article 9 (2) or on a contract pursuant to point (b) of Article 6 (1), and
• data processing is carried out in an automated manner.

You have the right, if technically feasible, to request the direct transfer of your personal data between Data Controllers.

Data subject's right to data processing:Right to object /Article 21 of the GDPR/

Content of the Data Subject's right to data processing:You have the right to object at any time to the processing of your personal data based on points (e) or (f) of Article 6 (1), on grounds relating to your own situation, including profiling based on those provisions. In this case, the Controller may no longer process your personal data, unless the Controller proves that the processing is justified by compelling legitimate reasons which override your interests, rights and freedoms or which are related to the establishment, exercise or defence of legal claims.

If your personal data is processed for direct marketing, you have the right to object at any time to the processing of your personal data for this purpose, including profiling, insofar as it is related to direct marketing.

Data subject's right to data processing: Right to withdraw consent /Article 7 (3) of the GDPR/

Content of the Data Subject's right to data processing:You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of data processing based on consent prior to withdrawal. You must be informed of this before giving your consent. Withdrawal of consent shall be as simple as giving it.

‍

10. Data Subject's redress options and their content in relation to data processing

Remedy option: Right to complain to the Supervisory Authority (Art. 77 GDPR)

‍Content of the remedy: In the event of a violation of your right to the protection of your personal data, you may lodge a complaint with the following Authority:
National Authority for Data Protection and Freedom of Information
registered office: 1055 Budapest, Falk Miksa street 9-11.
mailing address: 1363 Budapest, Pf. 9.
Telephone: +36 (1) 391-1400
e-mail: ugyfelszolgalat@naih.hu
website: www.naih.hu

Remedy option:Right to an effective judicial remedy against the Controller or the Data Processor (initiation of legal proceedings) /Article 79 of the GDPR/

Content of the remedy: You have the right to take legal action against the Controller or the Data Processor if you find that the processing of your personal data is unlawful. The court will act in the case out of line. In this case, you are free to decide whether to file your claim with the court competent for your place of residence or residence. Contact of the Tribunals: www.birosag.hu/torvenysekek‍

‍

11. Updating of the Privacy Policy ‍

The Data Controller reserves the right to unilaterally amend this Privacy Policy. This notice may be amended in particular if it is necessary due to a change in legislation, data protection authority practices, business needs or other circumstances. At the request of the Data Subject, the Data Controller shall send him a copy of the information in force at all times in the form agreed with him.

Budapest, 1 September 2025