Privacy Notice for T&M Activities

Your privacy as a prospective employee is of utmost importance to us. We have prepared this Privacy Notice to provide you with information about the personal data we process about you, the purposes and legal bases for such processing, as well as the organisational and technical measures we implement to protect your personal data. In addition, this Notice informs you about your rights.

1. Details of the Data Controller

Data Controller: Sprint Consulting Kft.
Registered Office: 2310 Szigetszentmiklós, Bajcsy-Zsilinszky utca 21/D, Hungary
Company Registration Number: 13-09-245149
Tax Number: 14567975-2-13
Website: https://www.sprintconsulting.hu/
Email: info [at] sprintconsulting [dot] com

2. General Legal Framework for Data Processing

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)
Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.)
Act I of 2012 on the Labour Code (Mt.)

3. Definitions

Personal Data: Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Typical personal data include, in particular, name, address, place and date of birth, and mother’s name.

Data Processing: Any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Data Controller: The natural or legal person, public authority, agency, or any other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the Data Controller or the specific criteria for its designation may be provided for by Union or Member State law.

Data Processor: A natural or legal person, public authority, agency, or any other body that processes personal data on behalf of the Data Controller.

Recipient: A natural or legal person, public authority, agency, or any other body to whom the personal data are disclosed, whether a third party or not.

4.1. Application for the Advertised Position

Purpose of Processing	To assess the applicant’s eligibility for the advertised position.
Legal Basis for Processing	Article 6(1)(a) of the GDPR – Consent.
Categories of Personal Data Processed	The applicant’s personal data provided in their CV and related documents, including contact details and information verifying compliance with qualification and competency requirements.
Retention Period	Until consent is withdrawn, but no longer than the closing of the recruitment process and notification of the outcome.

4.2. Participation in the Database

Purpose of Processing	To verify the applicant’s eligibility for the position for potential future job offers in the Data Controller’s database.
Legal Basis for Processing	Article 6(1)(a) of the GDPR – Consent.
Categories of Personal Data Processed	The applicant’s personal data provided in their CV and related documents, including contact details and information verifying compliance with qualification and competency requirements.
Retention Period	Until consent is withdrawn, but no longer than 3 years from the receipt of the CV.

4.3. Submission of Unsolicited CVs

Purpose of Processing	Submission of unsolicited CVs.
Legal Basis for Processing	Article 6(1)(a) of the GDPR – Consent.
Categories of Personal Data Processed	The applicant’s personal data provided in their CV and related documents, including contact details and information verifying compliance with qualification and competency requirements.
Retention Period	Until consent is withdrawn, but no longer than 3 years from the receipt of the CV.

4.4. Participation in Interviews

Purpose of Processing	Conducting an interview with the applicant.
Legal Basis for Processing	Article 6(1)(b) of the GDPR – Processing is necessary for the performance of a contract or to take steps at the request of the Data Subject prior to entering into a contract.
Categories of Personal Data Processed	The applicants: Personal data provided by the applicant in their CV and related documents, including contact details and information verifying compliance with qualification and competency requirements. Notes and information collected during the interview.
Retention Period	Up to the closing of the recruitment process and notification of the outcome. If the applicant becomes an employee, the retention periods specified in the Employee Data Management Policy shall apply thereafter.

4.5. Recording of Job Interview Video

Purpose of Processing	Recording a video of the job interview.
Legal Basis for Processing	Article 6(1)(a) of the GDPR – Consent.
Categories of Personal Data Processed	Video recording of the applicant.
Retention Period	Until consent is withdrawn, but no longer than the closing of the recruitment process and notification of the outcome.

4.6. Transcription of the Job Interview

Purpose of Processing	Creating a transcript of the job interview using an AI notetaker.
Legal Basis for Processing	Article 6(1)(a) of the GDPR – Consent.
Categories of Personal Data Processed	Personal data of the applicant disclosed during the job interview.
Retention Period	Until consent is withdrawn, but no longer than the closing of the recruitment process and notification of the outcome.

4.7. Making a Job Offer

Purpose of Processing	Making a salary offer to the most suitable applicant.
Legal Basis for Processing	Article 6(1)(b) of the GDPR – Processing is necessary for the performance of a contract or to take steps at the request of the Data Subject prior to entering into a contract.
Categories of Personal Data Processed	The applicants: Name Phone number Email address Information related to the offer (position, salary offer, start date, terms of acceptance)
Retention Period	Up to the closing of the recruitment process and notification of the outcome. If the applicant becomes an employee, the retention periods specified in the Employee Data Management Policy shall apply thereafter.

5. Data Collection

Personal data are collected from the Data Subject either via the job application portal or directly by the Data Controller.

6. Recipients

6.1. Joint Data Processing

The Data Controller operates business-related fan pages and creates closed group(s) on social media platforms in order to share business-related content and present its activities, services, and events to social media users. Users may interact with the Data Controller’s activities (e.g., by liking, commenting, sending messages, giving ratings, or sharing content).
The Data Controller and the social media platform are considered joint data controllers. Social media platforms:

Facebook – Provider: Meta Platforms Ireland Ltd. (Registered Office: Merrion Road, Dublin 4 D04 X2K5, Ireland)
Privacy Policy:
https://www.facebook.com/privacy/explanation
Instagram – Provider: Meta Platforms Ireland Ltd. (Registered Office: Merrion Road, Dublin 4 D04 X2K5, Ireland)
Privacy Policy:
https://privacycenter.instagram.com/policy/?entry_point=ig_help_center_data_policy_redirect
TikTok – Provider: TikTok Technology Limited (Registered Office: 10 Earlsfort Terrace, Dublin, Ireland)
Privacy Policy:
https://www.tiktok.com/legal/page/eea/privacy-policy/hu
YouTube – Provider: Google Ireland Ltd. (Registered Office: Gordon House, Barrow Street, Dublin 4, Ireland)
Privacy Policy:
https://policies.google.com/technologies/product-privacy?hl=hu

6.2. Independent Data Controllers

Additional contractual partners participate in the recruitment process as independent data controllers, from whose databases the personal data of applicants are transferred to the Data Controller’s database. Such independent data controllers include:

Profession.hu – Operator: Profession.hu Kft. (Registered Office: 1123 Budapest, Nagyenyed utca 8-14, Company Registration Number: 01-09-199015)
Privacy Policy: https://www.profession.hu/adatkezeles/#jelentkezes-allashirdetesre
NoFluff Jobs – Operator: NoFluff Jobs sp. z o.o. (Registered Office: ul. Podolska 21, 81-321 Gdynia, Poland)
Privacy Policy: https://nofluffjobs.com/static/No_Fluff_Jobs_Privacy_Policy.pdf
Profesia.sk – Operator: Alma Career Slovakia sro (Registered Office: Pribinova 19, 811 09 Bratislava, Slovak Republic)
Privacy Policy: https://www.almacareer.com/gdpr/hu/privacy-policy
DreamJobs – Operator: Quantum Digital Solutions Hungary Kft. (Registered Office: 1053 Budapest, Magyar utca 32, 1st floor, Door 5, Company Registration Number: 01-09-393620)
Privacy Policy: https://api.dreamjobs.hu/api/v1/dj-document/adatkezelesi-tajekoztato-2025-05-30_18.pdf
CV Online – Operator: CVO Digital Kft. (Registered Office: 1138 Budapest, Madarász Viktor utca 47-49, Company Registration Number: 01-09-303395)
Privacy Policy: https://www.cvonline.hu/hu/adatvedelmi-tajekoztato
LinkedIn – Provider: LinkedIn Ireland Unlimited Company (Registered Office: Wilton Plaza, Wilton Place, Dublin 2, Ireland)
Privacy Policy: https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy
Other job search platforms
Recruitment intermediary platforms

If other independent data controllers participate in the recruitment process, the Data Controller will inform the Data Subject individually.

6.3. Data Processor(s)

The Data Controller only engages Data Processor(s) that provide appropriate guarantees – particularly regarding expertise, reliability, and resources-to implement technical and organisational measures ensuring compliance with the GDPR, including the security of data processing.

The specific tasks and responsibilities of the Data Processor are set out in the Data Processing Agreement concluded between the Data Controller and the Data Processor. The Data Processor may not make independent decisions and must act solely based on the provisions of the Data Processing Agreement and the instructions of the Data Controller.

Data Processors include:

Hosting provider: Dotroll Kft. (1148 Budapest, Fogarasi út 3-5., Company Registration Number: 01-09-882068)
System administrator: Jakus és Jakus Szolgáltató Kft. (Registered Office: 2476 Pázmánd, Hegyalja út 28., Company Registration Number: 07-09-037108)
File sharing platform: Google Drive – Google Ireland Ltd. (Registered Office: Gordon House, Barrow Street, Dublin 4, Ireland)
Email system:
- Google Ireland Ltd. (Registered Office: Gordon House, Barrow Street, Dublin 4, Ireland)
- Microsoft Magyarország Kft. (Registered Office: 1031 Budapest, Graphisoft Park 3., Company Registration Number: 01-09-262313)
Applicant Tracking System (ATS) provider: ATS provider (Registered Office: 2045 Törökbálint, Kossuth Lajos utca 40., Company Registration Number: 13-09-190859)
Online communication platforms:
- Zoom – Lionheart Squared Ltd. (Registered Office: 2 Pembroke House, Upper Pembroke Street 28-32, Dublin D02 EK84, Ireland)
- Google Meet – Google Ireland Ltd. (Registered Office: Gordon House, Barrow Street, Dublin 4, Ireland)
- Microsoft Teams – Microsoft Magyarország Kft. (Registered Office: 1031 Budapest, Graphisoft Park 3., Company Registration Number: 01-09-262313)
Marketing agency(ies)
Assistants

In the event of data transfers outside the European Union, the Data Controller ensures appropriate safeguards in accordance with Chapter V of the GDPR, in particular by applying the EU-U.S. Data Privacy Framework based on the European Commission’s adequacy decision. A list of certified organisations and verification options is available on the official website of the U.S. Department of Commerce: https://www.dataprivacyframework.gov/, which constitutes one of the guarantees for lawful data transfer.

If other Data Processor(s) need to be involved during the recruitment process, the Data Controller will inform the Data Subject individually.

7. Data Transfers

The Data Controller may transfer personal data to other recipients, and the Data Controller will inform the Data Subject individually in such cases. Data transfers are carried out only in accordance with the provisions of applicable laws and are documented (e.g., based on official or court requests).

8. Access to Data

Authorized employees of the Data Controller may access personal data to the extent necessary for the performance of their duties.

9. Data Security Measures

The Data Controller implements appropriate IT, technical, and personnel measures to ensure that the personal data it processes are protected, including against unauthorized access or unlawful alteration.

10. Data Subject Rights Related to Data Processing and Their Scope

Data Subject Right	Scope of the Right
Right to Information /Articles 13-14 GDPR/	You have the right to be informed about the processing of your personal data at the time the data are obtained. The Data Controller provides additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context of data processing. You must also be informed about any profiling and its consequences.
Right of Access /Article 15 GDPR/	You have the right to request information on whether your personal data are being processed. If processing is taking place, you are entitled to know: which personal data are being processed the legal basis for processing the purpose(s) of processing the retention period to whom, when, and on what legal basis your personal data have been made accessible or transferred the source of your personal data, if not provided directly by you whether automated decision-making is applied, including profiling, and its logic
Right to Rectification /Article 16 GDPR/	You have the right to request that the Data Controller correct inaccurate personal data concerning you or complete incomplete personal data. For example, you may request changes to your email address or other contact information at any time.
Right to Erasure (“Right to be Forgotten”) /Article 17 GDPR/	You have the right to request the deletion of your personal data if one of the following applies: Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed You withdraw your consent under Articles 6(1)(a) or 9(2)(a) and there is no other legal basis for processing You object to the processing under Article 21(1) and no overriding legitimate grounds exist, or under Article 21(2) Your personal data have been unlawfully processed Your personal data must be erased to comply with a legal obligation under EU or national law applicable to the Data Controller Your personal data were collected in connection with the offering of information society services under Article 8(1)
Right to Restriction of Processing /Article 18 GDPR/	You have the right to request that the Data Controller restrict processing if one of the following applies: You contest the accuracy of personal data (restriction applies during verification) Processing is unlawful and you oppose erasure, requesting restriction instead The Data Controller no longer needs the personal data for processing purposes, but you require them to establish, exercise, or defend legal claims You objected to processing under Article 21(1) (restriction applies until it is determined whether the Data Controller’s legitimate grounds override yours)
Right to Data Portability /Article 20 GDPR/	You have the right to receive your personal data provided to a Data Controller in a structured, commonly used, and machine-readable format, and to transmit them to another Data Controller without hindrance from the original Data Controller, where: Processing is based on consent (Articles 6(1)(a) or 9(2)(a)) or a contract (Article 6(1)(b)) Processing is carried out by automated means You also have the right, where technically feasible, to request direct transfer of personal data between Data Controllers.
Right to Object /Article 21 GDPR/	You have the right to object at any time, for reasons related to your particular situation, to the processing of your personal data based on Articles 6(1)(e) or (f), including profiling. In such cases, the Data Controller shall no longer process your personal data unless it demonstrates compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. If your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, including profiling to the extent it relates to direct marketing.
Right to Withdraw Consent /Article 7(3) GDPR/	You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You must be informed of this right before giving consent, and withdrawal must be as easy as giving consent.

11. Data Subject Remedies Related to Data Processing and Their Scope

Remedy	Scope of the Remedy
Right to lodge a complaint with the Supervisory Authority /Article 77 GDPR/	If your right to the protection of personal data is violated, you have the right to lodge a complaint with the following Authority: National Authority for Data Protection and Freedom of Information (NAIH) Registered Office: 1055 Budapest, Falk Miksa utca 9-11. Mailing Address: 1363 Budapest, Pf. 9. Phone: +36 (1) 391-1400 Email: ugyfelszolgalat [at] naih [dot] hu Website: www.naih.hu
Right to effective judicial remedy against the Data Controller or Data Processor /Article 79 GDPR/	You have the right to bring a court action against the Data Controller or Data Processor if you consider that the processing of your personal data is unlawful. The court will handle the matter with priority. In this case, you may choose to bring your claim before the court competent according to your place of residence or habitual residence. Court contacts can be found at: www.birosag.hu/torvenyszekek

Remedy

Scope of the Remedy

Right to lodge a complaint with the Supervisory Authority /Article 77 GDPR/

If your right to the protection of personal data is violated, you have the right to lodge a complaint with the following Authority:

National Authority for Data Protection and Freedom of Information (NAIH)
Registered Office: 1055 Budapest, Falk Miksa utca 9-11.
Mailing Address: 1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat [at] naih [dot] hu
Website: www.naih.hu

Right to effective judicial remedy against the Data Controller or Data Processor /Article 79 GDPR/

You have the right to bring a court action against the Data Controller or Data Processor if you consider that the processing of your personal data is unlawful. The court will handle the matter with priority. In this case, you may choose to bring your claim before the court competent according to your place of residence or habitual residence. Court contacts can be found at: www.birosag.hu/torvenyszekek

12. Updates to the Privacy Notice

The Data Controller reserves the right to unilaterally modify this Privacy Notice. Such modifications may occur, in particular, due to changes in legislation, practices of data protection authorities, business needs, or other circumstances. Upon request, the Data Controller will provide the Data Subject with a copy of the currently effective Privacy Notice in the agreed-upon format.

Szigetszentmiklós, 3. March 2026