By enlisting the services of the website www.gwshub.com or www.sscheroes.com (hereinafter referred to as “Website”), the control of the personal data provided by the User is carried out by the Operator of the Website as data controller (hereinafter referred to as “Operator”) based on the provisions of Act CXII of 2011 on Informational Self-determination and Freedom of Information (hereinafter referred to as “Act”) as follows.
The data control extends to the duration necessary to achieve its purpose. The services of the Website offer the opportunity for a successful recruitment of the User. However, the Website may also serve as a permanent platform for the User to initiate another recruitment process later, as well as for other services provided there. In order to achieve the above-mentioned purpose, the control of data of the User may not automatically cease after a successful recruitment. User is entitled to request the cancellation of the data provided (and, as a result, the cessation of the data control) at any time.
Global Web Solutions Kft.
Address: Hungary, 8060 Mór, Kert utca 18.
Company registration number: 07-09-025475
Tax number: 25063293-2-07
Registration number of the data control (registry of the National Authority for Data Protection and Freedom of Information): NAIH-93072/2016.
I. The Operator as data controller controls the following data of the User enlisting the services of the Website:
- First name
- Last Name
- Email address
- Video(s) recorded and uploaded by the User in the course of the job application process
- Personal data included in the CV of User generated by the Website (see details in GTC)
- Personal data included in the tests
- Scanned copy of the identity card or passport, address card and driving license (if required)
- Scanned copy of the certification of qualification, and the entitlement to work (if necessary)
- Data necessary for issuing invoices in accordance with the act on public accountancy in effect
- Other data
II. The purpose of data control:
Data control takes place based on the legal relationship between Operator and User as the client of Operator for the purpose of making use of the services of the Website – with special emphasis on the application of User for the jobs offered on the Website – as well as – in case of the explicit consent of User in a separate online declaration – sending newsletters to User.
The operator is considered to be a data processor as well. The processing of data takes place using electronic devices.
III. Data transfer
Data transfer shall take place to the subcontractors of Operator as well as the clients and partners of Operator making use of the Website for the purpose of recruitment service. The scanned copy of the identity card, passport, address card, driving license, certification of qualification, certification of entitlement to work are not included in the data transfer.
Data transfer to a third country may take place as follows:
During the application process, the videos uploaded by User will be stored in cloud-based servers of the following company (the recipient of the transmitted data):
D2Soft Technologies Inc.
12315 place Bellefleur
Montréal (Québec) H3L3G5
Registration number: 1161936050
User takes notice of the fact that in the above mentioned case, data transfer may take place to a Third Country for the purpose of data storage. User takes notice of the fact as well that due to the known characteristics of the cloud-based servers, the place of the storage of the data may vary. User takes notice of the fact that it is aware of the basic characteristics of cloud-based data storage. By commencing the job application process on the Website, User gives its explicit consent to the transfer of the video(s) to the recipient mentioned above.
IV. The principles of data control:
- Personal data may exclusively be controlled for a specific purpose to realize rights and fulfill obligations. Data control must at every stage comply with the objective of the data control; data must be recorded and controlled in a fair and legal manner.
- Only personal data essentially needed to satisfy the aim of the control, appropriate for achieving the goal may be controlled. Personal data may only be controlled to the extent and for the time required to achieve the goal.
- Throughout the data control process, personal data shall be classified as such until its connection with the data subject can be restored. The connection with the data subject can be restored if the data controller has the technical conditions required for restoration at his or her disposal.
- It has to be ensured during the course of control that the data are accurate, complete and – if required for the data control – updated, and that the data subject is only identifiable for the time required for the data control.
V. The requirement of data security:
- The controller must plan and execute control operations in a way that these ensure the protection of the private sphere throughout the application of the present Act and other regulations applicable in connection with data control.
- The controller, as well as the data processor within their respective scope of activities, is obliged to ensure data security, institute technical and organizational measures and develop procedural rules required to enforce the present Act, as well as other data protection and confidentiality rules.
- Through the institution of the appropriate measures the data must be particularly protected from unauthorized access, modification, transfer, disclosure, deletion or destruction, accidental destruction and damage as well as disabled access occurring due to changes to the technology applied.
- In order to protect data sets controlled electronically in various files it is necessary to ensure that – unless otherwise permitted by law – data stored in files cannot be directly connected and linked to the data subject by ensuring the appropriate technological solutions.
- During the course of the automated processing of personal data, the controller and data processor ensure the following by taking additional measures:
  - prevents unauthorized data entry;
  - prevents the use of automatic data processing systems by unauthorized persons by using data transfer devices;
  - ensures the ability to control and determine which bodies the personal data have or can be sent to by using a data transfer device;
  - ensures the ability to control and determine which personal data has been registered in the automatic data processing systems, when this was done and who did it;
  - ensures the ability to restore the systems installed in the event of malfunctions; and
  - compiles a report on errors occurring during the course of automated processing.
- The controller and data processor must take account of the current level of development of the relevant technology when determining and applying measures taken to protect the data. The solution which ensures a higher level of protection of the personal data must be selected from among several possible control solutions, unless this proves far too difficult for the controller.
VI. Rights of User as Data Subject and their Enforcement:
- The User may request from the data controller
  - information on the control of personal data,
  - correction of personal data, and
  - deletion, blocking of personal data, with the exception of mandatory control.
- Pursuant to the request of the data subject, the controller is entitled to provide information on the subject’s data they control, as well as the data processed by the data processor they contracted, their sources, the objective of the control, its legal grounds and duration, the name and address of the data processor and the activities they undertake in connection with control, in addition to the legal grounds and recipients should the personal data of the data subject not be transferred.
The controller keeps a record of data transferred to verify the legitimacy of the data transferal and informs the data subject which file details the date on which the personal data they controlled was sent, the legal grounds of this action and its recipients, the specific scope of the personal data sent, as well as other data specified in legislation prescribing control.
The Act prescribing control may restrict the duration of the obligation to safeguard data set out in subsection (2) in the data transfer file, and therefore, the information notification period. Within the scope of this restriction, a minimum period of five years applies in the case of personal data and a minimum of 20 years in the case of special data.
The controller shall provide clear information in writing within the shortest possible space of time following the submission of the request; however, no later than within 30 days.
Information specified in subsection (4) is provided free of charge, if the individual requesting the information has not yet submitted a request for information to the controller in connection with the same scope of data in the same year. The rate of reimbursement of costs may also be specified in the contract concluded by the parties. Reimbursed costs that have already been paid must be reimbursed in the event that the data was illegitimately controlled, or the request for information leads to correction.
- Should a request for information be denied, the controller must notify the data subject of this in writing by referring to the relevant section of the Act.
Should a request for information be denied, the controller must notify the data subject of this in writing by referring to the relevant section of the present Act on what grounds the request for information was denied. Should a request for information be denied, the controller must inform the data subject of the means available to facilitate legal redress in court and contact the National Authority for Data Protection and Freedom of Information (hereinafter Authority) to seek help.
The controller keeps the Authority informed about rejected requests each year up to 31 January following the year under review.
VII. Definitions of the Act:
- Data subject: any natural person identified or directly or indirectly identifiable on the basis of personal data.
- Personal data: data relating to the data subject, in particular the name and identification number of the data subject, as well as one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject.
- Special data:
  - a) personal data concerning racial or national origin, political opinion or party membership, religious or other philosophical belief, membership in an interest representation organisation, sex life;
  - b) personal data concerning health, addiction, as well as criminal personal data.
- Criminal personal data: personal data relating to the data subject or a criminal record, generated in the course of or prior to the criminal proceedings, in connection with the offence or criminal proceedings, at the bodies authorised to carry out criminal proceedings or to detect offences, as well as at penal institutions.
- Data of public interest: information or data other than personal data registered in any mode or form concerning activities undertaken and controlled by the body or individual carrying out state or local government responsibilities, as well as other public duties defined in relevant legislation, regardless of their mode of control, independent or collective nature; therefore, with special regard to data concerning the scope of authority, competence, organisational structure, professional activity and evaluation equally encompassing its effectiveness, the type of data held and legislation regulating operation, as well as data concerning financial management and concluded contracts.
- Data public on grounds of public interest: data other than data of public interest, the disclosure of or the access to which is provided for by the law, in the public interest.
- Consent: any freely given specific and informed indication of the will of the data subject, by which he signifies his agreement to personal data relating to him being controlled fully or to the extent of specific operations.
- Objection: declaration made by the data subject objecting to the control of his personal data to request the termination of data control, as well as the deletion of the data controlled.
- Controller: natural or legal person, or organisation without legal personality which alone or jointly with others determines the purposes and means of the control of the data; makes and executes decisions concerning data control (including the means used) or contracts a data processor to execute it.
- Data control: any operation or the totality of operations performed on the data, regardless of the procedure applied; in particular, data collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destroying, as well as preventing the further use of the data, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans).
- Data transfer: ensuring access to the data for a third party.
- Disclosure: ensuring open access to the data.
- Data deletion: making data unrecognisable in a way that it can never again be restored.
- Tagging data: marking data with a special ID tag to differentiate such data.
- Blocking data: marking data with a special ID tag to indefinitely or definitely restrict its further control.
- Data destruction: complete physical destruction of the data carrier recording the data.
- Data processing: undertaking technical tasks in connection with data control operations, regardless of the method and means used for executing the operations, as well as the place of use, provided that the technical task is performed on the data.
- Data processor: natural or legal person or organisation without legal personality processing the data on the grounds of a contract concluded with the controller, including contracts conducted upon legislative provisions.
- Data officer: the body responsible for undertaking the public responsibility which generated the data of public interest that must be disclosed through electronic means, or during the course of operation in which this data was generated.
- Data publisher: the body responsible for undertaking the public responsibility which uploads the data sent by the data control officer, if this officer has not published the data.
- Data set: total data controlled in a single file.
- Third party: any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor.
- EEA State: any Member State of the European Union and any State which is party to the Agreement on the European Economic Area, as well as any State the nationals of which enjoy the same legal status as nationals of States which are parties to the Agreement on the European Economic Area, based on an international treaty concluded between the European Union and its Member States on the one hand and the State which is not party to the Agreement on the European Economic Area on the other hand.
- Third country: any State that is not an EEA State.