PRIVACY POLICY REGARDING JOB APPLICATIONS

The purpose of this Privacy Policy (hereinafter the Privacy Policy) is to provide information on the data management practices followed and applied by Sprint Consulting Agile Consulting and Service Limited Liability Company (the Company or Data Controller) regarding curriculum vitaes, motivation letters, application materials (together: Application).

The Data Manager

company name: Sprint Consulting Agilis Tanácsadó és Szolgáltató Korlátolt Felelősségű Társaság
seat: 1082 Budapest, Corvin sétány 2. A
company registry: 01-09-981936
court of registration: Fővárosi Törvényszék Cégbírósága
tax number: 14567975-2-42
postal mailing address: 1082 Budapest, Corvin sétány 2. A
e-mail: info [at] sprintconsulting [dot] com

Details of data management

The source of data

1. applications for vacancies by sending the application to jobs [at] sprintconsulting.com
2. applications submitted without an active job advertisement (spontaneously) to jobs [at] sprintconsulting.com (Incoming Applications)
3. data collection during personal interview / further consultation
4. personal data received from recruitment agencies

The personal data processed

In case the application and all personal data contained therein are sent by e-mail, the e-mail address and its content related to the personal interview and personal data recorded during further consultations.

Purpose, legal basis and duration of the data processing

Applications submitted for an announced specific position and related personal data recorded during the personal interview and further consultations

Purpose of data management Selecting suitable candidates for vacancies, filling the vacancies, and finding candidates for vacancies
Legal basis for data processing Voluntary consent of the Candidate (hereinafter: the Candidate). 
In the absence of consent, the Candidate will not be able to participate in the selection process
Form of consent By sending the application to our Company, the Candidate consents to the processing of his/her application for the above purpose.

If a personal interview / further consultation is held with the Candidate, we will ask the Candidate for consent to the processing of the data recorded there at the beginning of the interview / further consultation.

Duration of data management Personal data will be stored for one year from the receipt of the Candidate’s data by the Company, after which it will be deleted.

Personal data will be deleted at any time at the request of the Candidate.

At the same time, we would like to draw the attention of the Candidates to the fact that if they request the deletion of their data before the closing of the selection, they will no longer be able to participate in the selection, as we will not have the application for evaluation.

People eligible to access the Application Management of the Company

Incoming applications and personal information recorded during the personal interview or during further consultations

Purpose of data management Determining the purpose of the Application and whether the Company has a corresponding vacancy. In case of an open position, conducting the selection process and filling the job.
Form of consent Voluntary consent of the Candidate.
Form of consent By sending the application to our Company, the Candidate consents to the processing of his/her Application for the above purpose. If a personal interview / consultation is held with the Candidate, we will ask the Candidate for consent to the processing of the data recorded there at the beginning of the interview / consultation.

If there are no vacancies upon receipt of the application, we will inform the Candidate accordingly.

Duration of data management For a period of one year from the receipt of the application, in the event that a vacancy corresponding to the application is vacated or opened in the meantime.

Personal data will be deleted at any time at the request of the Candidate.

At the same time, we would like to draw the attention of the Candidates to the fact that if they request the deletion of their data before the closing of the selection, they will no longer be able to participate in the selection, as we will not have the application for evaluation.

People eligible to access the Application Management of the Company

Data processors

We use data processors for data storage and IT services related to data media, as well as for other data management operations. Data processors shall act in accordance with the law and the instructions of the Company when performing data management operations. The data processors we use and their tasks:

DATA PROCESSOR ACTIVITY
Google Ireland Limited  The hosting provider of the Company’s e-mail mailing system.
Cloud Consulting Kereskedelmi és Szolgáltató Bt. Operator of our company’s internal management system (including the data stored and stored there).
Backupify Inc. The provider responsible for backing up electronic storage.
ForceDavid Brasil Tecnologia Ltd. The provider of business development consulting services to our Company.

Candidates’ rights in relation to data management

Candidates have the following rights regarding the processing of their personal data.

Right to information

The Candidate is entitled to receive information about the facts related to data management in relation to the personal data managed by the Company before the start of data processing.
With regard to the data that the Candidates themselves provide to the Company, the Company fulfills its information obligation under Article 13 of the GDPR with the present Privacy Policy.

Right of access (Article 15 GDPR)

The Candidate is entitled to request information at any time about exactly which personal data the Company manages. Upon request, the Company will also provide information on the purposes, legal basis and duration of the data processing concerning the Candidate, as well as on who and for what purpose they receive or have received their data. If data arises that was not obtained by the Company from the Candidate, the Candidate may at any time request information on the source of the data.

The Company shall make the first copy of the personal data subject to data management available to the Candidate free of charge. The Company may charge a reasonable fee for additional copies, based on administrative costs, commensurate with the amount of data, but the amount will be communicated to the Candidate in advance. If the Candidate has submitted its request for information or access electronically, the Company shall make it available to the Candidate in electronic format, unless the Candidate requests otherwise. The right to request a copy must not adversely affect the rights and freedoms of others.

Right to correct or completion (Article 16 GDPR)

The Candidate is entitled to request that the Company correct inaccurate or incorrectly entered personal data. If the data are incomplete – taking into account the purpose of data management – the Candidate may request their completion. If the data requested to be corrected or supplemented are data contained in an official identity card or other public register proving the identity and address, the presentation of this document is also required for the correction or supplementation.

Right to delete personal data (“right to be forgotten”) (Article 17 GDPR)

The Candidate may at any time request the deletion of his personal data from the Company, which the Company is obliged to comply with if one of the following reasons exists:

1. personal data is no longer required for the purpose for which it was collected or otherwise processed by the Company;
2. the Candidate has withdrawn the consent on which the data processing is based and there is no other legal basis for the data processing;
3. the Candidate objects to the Company’s processing of data based on a legitimate interest pursuant to Article 21 (1) of the GDPR and there is no overriding legitimate reason for such processing;
4. personal data was processed unlawfully by the Company;
5. personal data must be deleted in order to comply with a legal obligation under Union or Member State law applicable to the Company.

We do not need to delete the data if data management is required:

1. for the purpose of exercising the right to freedom of expression and information;
2. to fulfill an obligation under the law applicable to the Company requiring the processing of personal data (eg. fulfillment of tax and accounting obligations) or for the performance of a task performed in the public interest or in the exercise of a public authority conferred on the Company;
3. on the basis of the public interest in the field of public health, in accordance with Article 9 (2) (h) and (i) and Article 9 (3) of the GDPR;
4. in accordance with Article 89 (1) of the GDPR, for archiving purposes in the public interest, for scientific and historical research purposes or for statistical purposes, if the right of deletion would make such processing likely to be impossible or seriously jeopardize it
5. to file, enforce or defend legal claims.

Withdrawal of consent (Article 7 GDPR)

In the case of consent-based data management, the Candidate is entitled to withdraw the given consent at any time, without giving reasons. Following the withdrawal of consent, the personal data affected by the withdrawal will no longer be processed and will be deleted. However, withdrawal of consent shall not be possible retroactively and shall not affect the lawfulness of the processing prior to the withdrawal.

Right to restrict data management (Article 18 GDPR)

The Candidate may request that the Company restricts the processing of certain personal data. We comply with this request by indicating that the processing of the personal data in question is restricted. Restrictions can occur in the following cases:

1. the Candidate disputes the accuracy of the personal data, in which case the restriction applies to the period of time that allows the Company to verify the accuracy of the personal data;
2. the data processing is illegal and the Candidate objects to the deletion of the data, instead requesting a restriction on their use;
3. the Company no longer needs personal data for data processing purposes, but the Candidate requests them in order to submit, enforce or protect legal claims;
4. the Candidate has objected to the data processing pursuant to Article 21 (1) of the GDPR and time is required to examine whether there is a priority legitimate reason for the data processing. In this case, the restriction applies for the period until it is determined whether there is a priority legitimate reason for data processing, i.e. whether the Company’s legitimate reasons for retention and processing of data take precedence over the Candidate’s legitimate reasons for data deletion.

During the restriction period, the data will only be stored by the Company, no other data processing operations will be performed or no data will be modified, unless i) the Candidate consents to further operations or ii) if the processing of the data is necessary to submit, enforce or protect legal claims, and (iii) where necessary for the protection of the rights of another natural or legal person; or (iv) where the processing is necessary in the overriding public interest of the Union or of a Member State.

In case of restriction of data management, the Company shall inform the Candidate in advance about the lifting of the restriction in the form and manner in which the Candidate requested the restriction of data management.

The Company shall inform all recipients of the correction, deletion or restriction of data processing requested by the Candidate and implemented by the Company, with whom the personal data has been communicated, unless this proves impossible or requires a disproportionate effort. At the request of the Candidate, the Company shall inform the Candidate of the addressees who have been informed as described above.

Right to protest (Article 21 GDPR)

The Candidate has the right to object at any time for reasons related to his/her situation to the processing of his/her personal data in the public interest or for the legitimate interest of the Company or a third party (GDPR Article 6 (1) (e) and (f)), including provisions-based profiling (which is not currently the case). In this case, the Company may not further process the personal data, unless it proves that the processing is justified by compelling legitimate reasons which take precedence over the interests, rights and freedoms of the Candidate or which are related to the submission, enforcement or defense of legal claims.

Right to complain (Article 77 GDPR)

The Candidate has the right to file a complaint with a supervisory authority, in particular in the Member State of his/her habitual residence, place of employment or suspected infringement, if the Candidate considers that the processing of personal data concerning him/her violates the provisions of the GDPR.

In Hungary, the supervisory authority is the National Data Protection and Freedom of Information Authority (1055 Budapest, Falk Miksa u. 9-11., e-mail: ugyfelszolgalat [at] naih [dot] hu, +36-1-3911400, Chairman: dr. Attila Péterfalvi Attila, www.naih.hu).

Right to a judicial remedy against the supervisory authority (Article 78 GDPR)

The Candidate may seek a court appeal against the binding decision of the supervisory authority (in Hungary the National Data Protection and Freedom of Information Authority) concerning him/her. 

The Candidate is also entitled to a judicial remedy if the supervisory authority competent under Article 55 or 56 of the GDPR does not deal with the complaint or does not inform him/her within three months of any procedural developments or the outcome of a complaint under Article 77.

Proceedings against the supervisory authority shall be brought before a court of the Member State in which the supervisory authority has its seat. In Hungary, the Metropolitan Administrative and Labor Court has jurisdiction over legal proceedings against the National Data Protection and Freedom of Information Authority.

Right to a judicial remedy against the Company (Article 79 GDPR)

The Candidate is entitled to initiate legal proceedings in court if, in its opinion, the Company has not processed its personal data in accordance with the GDPR and as a result has violated its rights under the GDPR. The proceedings must be initiated in Hungary.

Informing the Candidate about the data protection incident (Article 34 GDPR)

In the event of a data protection incident, we assess its effects and risks (what data are affected, in what quantities, whether they can be replaced, etc.) and take the necessary steps to remedy them immediately.

If the data protection incident is likely to pose a high risk to the Candidates’ rights and freedoms, the Company will inform the Candidate of the data protection incident without undue delay. This information shall include all information relating to the incident, in particular:

– The name and contact details of the person who can provide further information on the incident;
– describe the probable consequences of the incident;
– describe the measures taken or planned to remedy the data protection incident, including our measures to mitigate any adverse consequences of the incident.

The Candidate as a data subject does not need to be informed of a data protection incident if any of the following conditions are met:

1. appropriate technical and organizational protection measures have been implemented and these measures have been applied to the data affected by the data protection incident, in particular measures that make the data incomprehensible to persons not authorized to access personal data;
2. following the data protection incident, we have taken additional measures to ensure that the high risk to the Candidate’s rights and freedoms is no longer likely to materialize;
3. providing information would be a disproportionate effort. In this case, we will provide information through publicly available platforms or take a similar measure to ensure effective information.

We will report the incident to the data protection authority within 72 hours of becoming aware of the incident, unless it is unlikely to jeopardize the Candidate’s rights and freedoms. We also keep records of data protection incidents in the detail required by law.

Right to compensation (Article 82 GDPR)

If the Candidate has suffered pecuniary or non-pecuniary damage as a result of our violation of the GDPR, he/she is entitled to compensation. In the event of a violation of the Candidate’s right to privacy in this area, the Candidate is entitled to claim damages. The courts have jurisdiction over the lawsuit. The lawsuit may be brought before the court of the registered office of the Company or even the domicile or residence of the Candidate.

Enforcement of the rights related to Data Management, submission of the Candidate’s application, contact with the company

Candidates’ questions and requests related to the present Privacy Policy and the managing of their personal data will be answered at any time. In connection with data management, a request may be made to the managing director of the Company in writing, delivered in person on paper or delivered by post, or sent by e-mail to the e-mail address provided above. Consent may be withdrawn in the same way.

The Candidate is kindly requested to provide his/her personal identification data in the request. If we have any doubts about the identity of the Candidate or the data provided is not sufficient for identification, we are entitled to request additional identification data from the Candidate, which is necessary and suitable for confirming the identity. If the Candidate is unable to provide the above data, so there is an obstacle to his/her identification, please contact the Company in person. If the submitter of the application cannot prove his/her identity beyond a reasonable doubt and thus our Company cannot identify him/her, we may refuse to process the application.

Our company will inform the Candidate of the measures taken following the application without undue delay, but in any case within one month from the receipt of the application. If necessary, taking into account the complexity of the application and the number of applications, this time limit may be extended by a further two months. Our Company will inform the Candidate about the extension of the deadline, stating the reasons, within one month from the receipt of the application.

If the Candidate has submitted the application electronically, the information will be provided electronically, unless the Candidate requests otherwise.

If the Company does not take action at the request of the Candidate, we will inform the Candidate without undue delay, but no later than within one month from the receipt of the request about the reasons for non-action and that the Candidate may file a complaint with a supervisory authority and have legal remedies.

We will respond to the request, provide information and action free of charge.

If a request is manifestly unfounded or, in particular because of its repetitive nature, excessive, having regard to the administrative costs involved in providing the information requested or in taking the action requested:

1. we may charge a reasonable fee, or
2. we may refuse to act on the request.