Privacy Policy

Terms of Use and Privacy

The processing of the data of its users and applicants confidentially and in compliance with the relevant provisions of law is of utmost importance for Bluebird International Zrt.

Accordingly, our Company shall make all efforts in the interest of using the personal data collected only in line with the relevant provisions of law of effect, in the interest of the purposes specified in the present privacy policy, and shall not make such information accessible to unauthorised persons.

1. General rules

The purpose of the present privacy policy is to ensure that, in all areas of the services provided by the Controller, in course of the processing of personal data, the rights and fundamental freedoms of all natural person data subjects concerned, regardless of their nationality or place or residence, be respected, with particular attention to their right to privacy.

The scope of the present privacy policy shall cover all data processing activities and operations, weather paper-based or electronic, performed by the Controller at its registered seat and via the www.bluebird.hu website.

The Controller calls the attention of the data subjects affected by the data processing activities listed in the present privacy policy that the Controller does not check if the personal data provided by the data subjects are accurate and true. All data subjects who provide personal data in accordance with the present privacy policy shall undertake the responsibility at the time of providing such data that they only provide their own personal data for the Controller, which data they are entitled to dispose over. In case a data subject acts differently than provided above, all liability in connection with such acts shall be borne by the data subject.

2. Information pertaining to the Controller

All personal data indicated in the present privacy policy shall be processed by the Controller. Data subjects may contact the Controller using the following contact information:

Controller’s name: Bluebird International Kereskedelmi és Szolgáltató Zártkörűen Működő Részvénytársaság

Registered address: 1075 Budapest, Madách Imre út 13-14. B épület, 4. emelet

Phone number: +36-1-266-24-20

E-mail address: [email protected]

3. Definitions

Personal data: all such information that relates directly or indirectly to a natural person who is identified or identifiable on basis of one or several identifiers, factors or properties.

Controlling: any operation performed on personal data, regardless of its mode, such as collection, recording, organisation, structuring, storage, conversion, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: Bluebird International Zrt., the entity that determines the purpose and means of the processing of the personal information.

Processing: the performance of technical tasks related to data processing operations, irrespective of the methods and means employed for such operations and the venue where it takes place.

Processor: a natural or legal person processing personal data for and on behalf of the controller.

Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she clearly signifies agreement to the processing of his or her personal data.

Filing system: a database containing personal data which are accessible according to specific criteria.

Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future.

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed.

Supervisory authority: the independent authority established in the interest of the protection of the rights and freedoms of natural persons in course of the processing of their personal data, as well as the facilitation of the free flow of personal data within the EU; in Hungary, the National Authority for Data Protection and Freedom of Information (NAIH).

Personal data breach: such violation of the requirements of data security as a result of which the personal data transmitted, stored or otherwise processed are accidentally or unlawfully destroyed, lost, modified, disclosed to unauthorised persons, or such persons gain access to them.

4. The manner and principles of data processing

The data processed by the Controller may only be accessed by authorised employees of the Controller, and only to the extent and for the duration necessary for the performance of their job-related tasks. Such access, as well as all operations performed on the personal data shall be electronically logged, by recording the identity of the person performing the actual data processing operation and the date/time of access. In the interest of full compliance with the requirements applicable to data processing, we t adopted our internal data processing policy, which shall be binding upon all of our employees who come into contact with personal data in course of their work, and compliance with which by all employees shall be enforced and checked by our company.

In Chapter 7 of the privacy policy, the Controller gives detailed information on what personal data may be handed over and in which cases.

The appointed data protection officer of the Controller, whose contact information can be found in Chapter 12 of the present privacy policy, has full access to all personal data processed by our company, in course of the performance of the tasks of the data protection officer.

The personal data listed in the present privacy policy shall be used by the Controller, as a company engaged in private recruitment activities for the benefit of clients in the IT sector looking for workers, and as a company providing various IT services and consulting activities, in each case in accordance with the individually determined purposes of data processing.

When determining the method of data processing and during the entire data processing, the Controller performs all technical and organisational measures with the help of which the principles of data protection can be enforced and the rights of data subjects can be protected. The measures implemented at the Controller as a responsible controller have been determined in line with the state of the art in science and technology, also taking into consideration the costs of implementation, as well as reckoning with and assessing the risks pertaining to the personal data of natural persons.

The Controller shall process all personal data coming into its possession lawfully and fairly, and in such a way that the data processing remains transparent to the natural person data subjects for the entire duration of the data processing activities.

In course of the data processing activities of the Controller, the collection of personal data may only take place for the lawful purposes clearly defined in the present privacy policy. The Controller shall devote particular attention to ensuring that no personal data are processed in a way that is not reconcilable with the purposes detailed in this privacy policy.

The Controller shall only process personal data that are appropriate and relevant from the point of view of the individual purpose of the data processing, as well as necessary for achieving that purpose. The Controller shall strive to ensure that the personal data stored and processed by it are always accurate and up-to-date and shall take all reasonable measures in the interest of ensuring that any inaccurate or incorrect data be rectified or erased as soon as possible.

The Controller shall store the personal data collected until such time as necessary for achieving the purposes of the data processing. In course of the processing of the data, the Controller shall take all such technical and organisational measures with the help of which the Controller can guarantee the security of the data, including their protection against unlawful processing, accidental loss, destruction or damage.

In all such cases when the Controller intends to use the data provided by the data subjects for a purpose other than the original purpose specified in the present privacy policy, the Controller shall notify the data subject in advance in writing, specifying such new purpose and providing the additional information pertaining to data processing, and shall also ensure that it has the appropriate legal grounds enabling it to process the data in such cases.

It is of outstanding importance for the Controller to integrate such technical and organisational measures into its activities whereby it can ensure that the processing of personal data only takes place to the extent and for the duration necessary for attaining the specific purpose of data processing, and that accordingly, access to the personal data is also in line with the above. In the interest of the performance of above obligations, in its internal policies, the Controller has determined regular, mandatory deadlines for review, as well as integrated such regulatory points in its data processing that are suitable for ensuring that the data processing operations stay within the above frameworks at all times. It is of particular importance for the Controller that the personal data with respect to which the purpose of the data processing has already been achieved or the deadline of processing has expired, or the data subject submitted a lawful request, shall be erased without delay.

The Controller shall fulfil its statutory obligation by maintaining records of its data processing activities. Such data processing records shall include, among other things, the name and contact information of the data protection officer of the Controller, the purposes of the individual data processing activities, the list of the data subjects and the personal data affected, as well as the names of the persons to whom the data are handed over and/or transmitted.

5. Processing of personal data of data subjects applying for jobs and IT project tasks

We hereby inform the data subjects that, after clicking on the “CV upload” button on the website www.bluebird.hu operated by the Controller, on the “General application” interface, by providing their names, e-mail addresses and mobile phone numbers, and uploading their Hungarian and/or English CVs, having received the relevant information concerning data processing, they consent to the processing by the Controller of their personal data entered on the interface and included in the CVs. Personal data are processed in order for the Controller to be able to inform data subjects about job offers or project tasks corresponding to them on basis of their educational qualification and professional experience, or to contact them if they are interested in the offer.

The Controller also processes the personal data of such natural persons who, on the website www.bluebird.hu of the Controller, after clicking on the “IT jobs and IT projects” tab, and selecting of the job advertisements posted by the Controller, by clicking on the “CV upload” button, enter their names, e-mail addresses and mobile phone numbers, as well as upload their Hungarian and/or English CVs.

Data subjects also have the opportunity, in case they have a LinkedIn profile, to apply for a job or IT project tasks via their LinkedIn profile instead of completing the fields on the application interface. In this case, data subject shall submit their name, e-mail address and the URL of their LinkedIn profile. Data subjects applying for a job or IT project tasks via their LinkedIn profiles consent to the processing of their personal data.

The purpose of data processing in each of the above cases is to notify data subjects of current job/project opportunities corresponding to their qualifications and professional experiences, by way of the contact information provided by data subject, in the shortest possible time, as well as to evaluate the application of data subjects to job/project opportunities posted by the Controller, and notify data subjects of the results thereof. The Controller shall also process the personal data for the purpose of providing data subjects with an opportunity to introduce themselves in the framework of a personal interview. We call attention to the fact that the notifications sent by the Controller shall not qualify as newsletters or as contacting for marketing or advertising purposes, and therefore, the separate consent of the data subject is not required for the sending of such notifications.

The Controller handles those data only which has been provided by data subject on the online form during his / her application or which are contained in his/her uploaded CVs. If the data subject also provides the URL of his / her LinkedIn profile when applying, the Controller will also handle the personal data containing his/her LinkedIn profile.

The processing of all personal data listed above is indispensable for the Controller to notify and inform data subjects of the currently available opportunities that are best aligned with their educational qualifications and professional experience. We wish to call data subjects’ attention that the more information, as well as the more detailed information we have concerning their educational qualification and professional experiences, the better we are able to offer the more personalized opportunities and we can promote the filling of the selected position as well as the selection for the project task applied by the data subjects.

We inform data subjects already at this time that in that case they do not make available to us the personal data listed above, or only in part, then – in the absence of essential information – we can not accept and evaluate their application and we will not be able to inform them of the opportunities that may be suitable for them.

The Controller hereby informs data subjects that it also processes the personal data of such data subjects who have uploaded their personal data and CVs into databases of Profession (www.profession.hu) and LinkedIn (www.linkedin.com). For each data subject, the Controller processes such personal data that data subject has made available accessible for the purpose of job/working opportunities searches. The Controller processes personal data in all cases in full compliance with the rules set by the operator of the above websites and the provisions for processing of personal data.

The Controller hereby informs data subjects that the scope of personal data processed may vary from one data subject to the next, but in most cases, it includes the following: name, e-mail address, mobile phone number, address of residence, date of birth, photograph (facial image), desired pay, position to be filled, data pertaining to educational attainments, data pertaining to professional experience, knowledge of languages, IT skills, self-introduction, status. At the request of the data subject, the Controller shall provide up-to-date information concerning the exact scope of personal data processed for the given data subject.

We hereby inform data subjects that the processing of personal data made publicly available by them for search of job and/or work opportunities is based on the legitimate interests of the Controller and its third-party customers for on the one hand the Controller provides recruitment services and on the other hand for whom the Controller performs different IT service and consultancy activities. The purpose of the processing of the data is to enable us to notify and inform data subjects, using the contact information provided on the job search sites, in the shortest time possible, of the current opportunities corresponding to their educational qualification and professional experiences on basis of the data they made available publicly, and in case the position/IT project task offered to data subjects by our colleagues raised their interest, to arrange for a personal interview in which we can find out more about the data subjects. We wish to call the attention of all data subjects that their data are processed not only in the interest of the Controller and the third-party customer of the Controller; the processing of personal data made publicly available for searching of jobs/work opportunities indirectly also serves the interest of data subjects, since it also provides them with the opportunity to find a position/working opportunity that is most suitable to data subjects’ expectations in the shortest possible time.

The Controller informs data subjects that, in the interest of processing their data based on the legitimate interests of the Controller, it has carried out a balancing test in accordance with the mandatory requirements of data protection. In course of the balancing test, the Controller has examined and balanced the legitimate interests and fundamental rights on its own and third parties’ side and on the side of the data subjects, as a result of which it has been established that the Controller’s and third parties’ legitimate interest making it possible to process the personal data and serving as the grounds for it is stronger and more emphatic than the interests of the data subjects in preventing the Controller from having access to and processing these data. For the provision of the private recruitment and IT service and consultancy activities performed by the Controller for its contractual partners with the purpose of generating revenue and income, it is essential to process the data of such jobseeker natural persons who have made their data publicly available and who, on basis of their qualifications and professional experiences, may be suitable for the positions/project tasks offered by the third-party contractual partners of the Controller. The absence of the processing of such data would render the provision of the Controller’s private recruitment services impossible and would greatly complicate the performance of IT service and consulting contracts which would result unjustifiably disadvantage for the Controller.

Further, it is widely acknowledged and accepted that persons who make their personal data available and upload their CVs on jobseeker portals and social media sites like this are well aware that, in order to find a job/wok opportunity as soon as possible, it is in their interest that employees of such companies may contact them who can help data subjects in reaching their above purposes. This circumstance also justifies that the legitimate interests of the Controller and third parties contracted with the Controller in processing of the personal data are stronger than the legitimate interests of the data subjects.

In addition to the above, the processing of the personal data of data subjects that they have made publicly available is indispensable for enabling the Controller to find the persons who may be suitable candidates for the given positions/project tasks, for informing and notifying the data subjects and for conducting the selection procedure. If it is necessary, the Controller informs its customer looking for a new employee about the potential applicant by providing certain personal data of data subject.

Further, the processing of this scope of personal data is fully proportionate also with the purpose of the data processing. The Controller warrants that it has examined all legal grounds with respect to the personal data processed on basis of legitimate interests, but in the present case, none of these could be applied. Further, the Controller also warrants that, in course of the processing of the personal data on basis of legitimate interest, it shall use safeguards and guarantees to ensure that the rights and fundamental freedoms of the data subject are not breached in course of the data processing, including, among other things, their option to object to the processing of data based on legitimate interest that is unconditional and unlimited in time.

In case we process personal data made of data subjects made publicly available for searching of job/work opportunities for the purpose specified in the present privacy policy, then we shall continue such data processing activity until such time when data subjects object against such data processing in writing by way of a letter sent to the postal address of Bluebird International Zrt., which is 1075 Budapest, Madách Imre út 13-14., B épület, IV. emelet, or to [email protected]. If data subjects wish to receive further information related to the prohibition of data processing, prior to submitting the application, please also study Chapter 8 of the present privacy policy, on the exercise of rights of data subjects.

6. Processing of data provided for the purpose of establishing contact with the Controller

The Controller hereby informs the data subjects that the processing of personal data on the website www.bluebird.hu occurs in the following cases, and subject to the following conditions:

In case on the website www.bluebird.hu, on the interface displayed after clicking on the “Contact” tab, data subjects provide their name, e-mail address, and send a text message via the website, then they consent to the processing of their personal data provided for contacting data subjects and for answering their questions. We hereby inform data subjects that we process their data provided for the purpose of getting into contact with data subjects until such time that data subjects revoke their consent to the data processing.

7. Communication of data to other recipients

The Controller hereby informs data subjects that the personal data specified in the present privacy policy are only handed over to such third parties for which the Controller performs private recruitment services, on basis of valid service contracts. The Controller only handed over personal data to the third parties to whom the Controller performs IT service and consultancy activities.

7.1. Communication of data relating to performing private recruitment services

The Controller only handed over personal data to the third-party clients engaging the Controller to identify candidates that may qualify, in the opinion of the Controller, as suitable for the positions defined by such clients.

The handover of personal data to third parties in a contractual relationship with the Controller may occur in the cases and in the scope defined below:

7.1.1. Prior to contacting the data subject in connection with a given position, the names of data subjects identified as suitable candidates, after reviewing the personal data of the data subjects, including their qualifications and professional experiences, are handed over to the client. The Controller informs the data subjects that, in this stage of the selection process, only the names of the data subjects are handed over, with the exception of cases where, on basis of the names, the client cannot clearly declare whether they already know the data subject from some other source, and further that they ask for the continuation of the selection process. In this case, in the interest of differentiating the candidates, the Controller also communicates to the client the data subject’s year of birth.

7.1.2. In case the Controller directly contacts the jobseeker data subject for the purpose of arranging for a personal interview, and on basis of the interview, the Controller still considers the data subject suitable for the given position, then the Controller hands over to the client all personal data of the data subject, including the CV of the data subject and the data in such CV. In this stage of the selection process, before conducting the interview, the Controller informs the data subjects of the data handover, expressly identifying also the data of the client receiving such data. The Controller only communicates to the client the abovementioned personal data of the data subject if the data subject voluntarily and expressly consents to the handover of such data in course of conducting the personal interview.

In the first case, the purpose of such data handover is to enable the client to decide, in possession of the name of the data subject, whether the selection process started by the Controller should be continued, while in the second case, the data handover occurs in the interest of enabling the client to obtain further impressions of the potential candidates selected by the Controller in advance, and to contact them in the interest of conducting further interviews.

We call the attention of data subjects that, prior to contacting them personally, the communication of their personal data, in a limited scope, to certain third parties occurs on basis of the legitimate interest of the Controller and third parties, while in case of a personal interview organized by the Controller, based on information received by the Controller, the data subjects voluntarily and expressly consent to the handover of certain personal data to be disclosed to the persons specified in the present point, for the purpose mentioned above.

7.2. Communication of data in course of performing IT services and consulting activities

The Controller may hand over to the contracted customers only the data of the data subject selected by the Controller to perform the project task. The Controller shall hand over the name, contact details (telephone number, e-mail address) and CV of data subject (thereby all data indicated therein) to the customer. The purpose of data handover is to enable the customer to make sure that the person selected by the Controller disposes all qualifications and experience required to perform the given project task. The legal basis for the data handover to the customer is the legitimate interest of the Controller and its customer. The legal basis for the data handover to the customer is the legitimate interest of the Controller’s subcontractor by whom is the data subject is employed and with whom the Controller is in a direct contractual relationship for the performance of the project task. The Controller shall ensure that data subjects receive appropriate information about the customer at the latest at the time of data handover.

7.3. Communication of personal data upon official request

In case the Controller is officially contacted by an authority or court duly authorised by the relevant provisions of law, with the reason for the data disclosure also identified, in which the Controller is required to communicate certain personal data, then the Controller may and shall, in the interest of performing its obligations defined by these provisions of law, hand over such personal data requested by the given authority or court.

Further, the Controller informs the natural person data subjects that it shall not transmit their personal data in any way beyond the cases mentioned in the present point, either within the EU or to third countries, to any data controller, international organisation or other recipient.

8. The rights of data subjects, the exercise of such rights

In course of its data processing activities, the Controller shall guarantee for all data subjects that they can exercise their rights related to the processing of their personal data, as listed in the present privacy policy, fully, without any unjustified limitations or obstacles.

The Controller also ensures that the data subjects can exercise their right of access to the data, the right of erasure, rectification and the restriction of processing, the right to object, the right to revoke consent, and further the right to legal remedy in connection with the data processing activities, as follows.

A. Access to the data

We inform data subjects, that they have the right to access the information pertaining to the data processing activities performed by the Controller, as well as on their personal data processed. In the interest of the above, based on their written request, we shall make available to data subjects copies of their personal data processed, we inform data subjects of the purposes of the data processing, the recipients to whom their personal data are handed over, the planned duration of the storage of their data, as well as on their rights in course of the data processing.

Compliance with such requests is free of charge on the first occasion, while in case of subsequent requests for copies, the Controller may charge a fee. We inform data subjects of the exact amount of the fee in our response given to their request.

We call data subjects’ attention that the Controller is only able to perform requests for the issuance of copies including data in case and to the extent that it does not violate the rights and freedoms of other natural persons.

B. Right to the accuracy, completeness and currency of the data processed

Data subjects have the right to the accuracy, completeness and currency of their data processed by the Controller. Please help us in our work by way of notifying us of any changes in their personal data, by way of writing to [email protected] or by postal mail to Bluebird International Zrt., 1075 Budapest, Madách Imre út 13-14.

C. Right to the rectification of the data

If it comes to data subjects’ attention that the data processed by the Controller are not accurate, they can request the rectification of their personal data, or the supplementation of their personal data they believe to be insufficient, at any time by way of writing to [email protected] or by postal mail to Bluebird International Zrt., 1075 Budapest, Madách Imre út 13-14.

D. Right to the erasure of the data

The Controller hereby informs data subjects that, at their request, it shall erase the personal data stored and processed with respect to them, without undue delay, if any of the following cases occur in connection with the data processing:

the purpose of the data processing discontinued;

data subjects have revoked their consent, and no further legal grounds for the processing of data can be established;

data subjects have objected against data processing, and there are no overriding legitimate grounds that would justify the further data processing;

there was an occurrence of unlawful data processing;

a provision of law requires the erasure of the data.

We call data subjects’ attention that they are entitled to the so-called “right to be forgotten,” which ensures the possibility of rendering their personal data inaccessible in a wider scope. In case data subjects wish to exercise this right, we shall employ all possible IT solutions to ensure that their personal data are no longer available to the Controller in any form in the future. We shall delete the electronic files containing their personal data from the security backup files, and at the same time, we shall also destroy all paper-based documents containing their personal data.

On basis of data subjects’ request, we shall also oblige data processors to delete or destroy all personal data on data subjects that we have handed over to them.

The Controller hereby expressly calls the attention of all data subjects that, after compliance with a request aimed at the erasure of the personal data, such personal data can no longer be restored.

E. Right to the restriction of data processing

Data subjects may restrict the further processing of their personal data by the Controller in the following cases and for the following durations:

if it comes to data subjects’ attention that their personal data processed is inaccurate, until the checking of the accuracy of such personal data;

if data subjects’ data are processed unlawfully, but data subjects specifically request us not the erase their personal data;

if the Controller no longer needs the personal data for the given purpose, but data subjects need the processed data for the purposes of submitting, enforcing or defending their legal claims;

if data subjects have objected to the data processing, pending the verification whether the legitimate grounds of the controller override data subjects’ legitimate interests.

If the Controller finds the restriction of the data processing lawful, it shall notify all recipients to which data subjects’ personal data have been communicated. We call data subjects’ attention to the fact that in case of the restriction of data processing, the Controller may still store data subjects’ personal data but any other data processing operation can not be performed by the Controller.

If data subjects requested the restriction of data processing, the Controller may only process personal data on basis of their consent, for the purposes of submitting, enforcing or defending a legal claim, or for important reasons of public interest. We inform data subjects that in case the grounds for the restriction of the data processing are no longer in place, we shall notify data subjects, in writing, of the termination of the restriction and the date thereof, not later than 15 days before such termination of the restriction.

F. Objection to the processing of the data

Every data subject shall has the right to object, on grounds relating to his/her particular situation, to the processing of his/her personal data at any time, if it occurs on basis of the legitimate interests of the Controller or a third party. We call data subjects attention to the fact that in such a case the Controller shall no longer process their relevant personal data, provided that there are no other legal grounds that would enable the Controller to continue the processing of the data.

G. The right to revoke the consent to data processing

Data subjects are entitled to revoke their consent to the processing of personal data at any time, by sending a written declaration to this effect to [email protected] or via postal mail to Bluebird International Zrt., 1075 Budapest, Madách Imre út 13-14. B épület, IV. emelet. We call data subjects attention to the fact that the revocation of their consent shall not affect the lawfulness of the Controller’s data processing activities before such revocation.

After the revocation of the consent, we shall erase data subjects’ personal data from our records, with the exception of the case where the Controller also processes the data on basis of some other legal grounds (e.g. contract, legitimate interest, statutory provision).

H. Decision on data subjects’ requests

We hereby inform data subjects that, regardless of their content, we shall examine all of the requests submitted to the Controller in connection with the processing of their personal data and the exercise of their rights listed under points A to G, immediately upon receipt, and we shall inform data subjects of the decision on the request in writing, without undue delay, but in any case within 30 days after the receipt of the request by the Controller.

We call data subjects’ attention that, with a view to the complexity of the request or the number of requests submitted by data subjects and received by the Controller, we may extend the above deadline for giving a response by a maximum of 2 additional months. If the deadline for the response is extended, then we shall notify data subjects in writing, within 30 days after receiving their request, and shall also provide the reason for such delay. The above extension of the deadline is not available to the Controller if, on basis of data subjects’ request, in our opinion, it is not necessary to take any data protection measures. In such a case, we shall reply to data subjects’ request within 30 days, and at the same time, we shall also inform data subjects of the reason for not taking a measure, as well as the legal remedies available to them.

The Controller shall not charge any fee for the reply to data subjects’ request and for the measures taken in the interest of complying with it, except in case data subjects submit their request without proper legal grounds or repeatedly with the same content; in such cases, we may charge a reasonable fee, which shall be in proportion to the administrative expenses incurred by us. We shall inform data subjects of the exact amount of the fee in our response given to their request.

I. Legal remedies

In all cases, we shall strive to process data subjects’ personal data lawfully and in accordance with data subjects’ request, and therefore, in case any of the data subjects are unsatisfied with our data processing activities, please contact the Controller first. Our colleagues and our data protection officer may be reached by way of the contact information provided in the present privacy policy. We shall send data subjects written confirmation of the commencement of our investigation into their complaint, and shall inform data subjects of the result of the evaluation of their request upon the receipt of the request, but in any case within 30 days, not including any possible extension of the deadline in accordance with the above, by also providing the reasons for the decision.

If, in data subjects’ opinion, the processing of their personal data by the Controller was not lawful, they can also submit a complaint to the National Authority for Data Protection and Freedom of Information (mailing address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c., e-mail address: [email protected]). The rules applicable to lodging and evaluating complaints, as well as to conducting the procedure by the authority can be found on the website www.naih.hu. Further, we inform data subjects that in case they disagree with the decision of the Authority, or the Authority fails to review their complaint within the relevant deadline, they may seek legal remedy at the competent court of jurisdiction according to the registered seat of the Authority.

If, in data subjects’ opinion, we have violated their rights related to the processing of personal data, they may seek legal remedy from the Metropolitan Court of Budapest (address: 1055 Budapest, Markó u. 227; mailing address: 1363 Budapest, P.O. Box 16), or may initiate a proceeding to be conducted by a Court of Law according to their permanent or temporary address of residence. The contact information of the competent courts is available at the following link: https://birosag.hu/birosag-kereso. We inform data subjects that using legal representation is mandatory at courts of law, and therefore, they can only enforce their claims through the courts of law if using suitable legal counsel.

In case the Controller or its data processors processed data subjects’ personal data not in compliance with the relevant provisions of data protection in effect, as a result of which they suffer any damage, then a claim for damages, or in case of suffering non-pecuniary damages, a claim for restitution to be paid may be submitted against the Controller or its data processors; provided, however, that a data processor shall be liable for damage only in case it failed to comply with the relevant provisions of law applicable to data processing or the instructions of the Controller. Data subjects may enforce a claim, at their option, at the competent court with jurisdiction according to the registered seat of the Controller or the breaching data processor, or according to their permanent or temporary address of residence. The competent courts and their contact information can be found at the following link: https://birosag.hu/birosag-kereso.

We expressly call data subjects’ attention to the fact that, in the interest of avoiding unlawful access to personal data, we can only comply with their request for the exercise of data subjects’ rights pertaining to their personal information after data subjects’ personal identity has been established beyond doubt. In the interest of establishing data subjects’ personal identity beyond doubt, we ask every data subject to indicate in their paper-based applications at least their name, address of residence, and e-mail address, and send their electronically submitted application from their e-mail address provided for and on file with the Controller, and identify their name and address of residence in their request.

9. Data security measures taken by the Controller

The Controller shall make all reasonable efforts to ensure the security of all personal data at a proper level. The selection of the most suitable data security measure shall always take place on a case-by-case basis, with attention to and based on an evaluation of the existing and likely risks in connection with the data processed.

In the interest of the secure processing of personal data, the Controller shall ensure the confidentiality of systems, databases, interfaces and applications making the processing of personal data possible for the entire duration of data processing, and shall further ensure that the systems, databases, interfaces and applications have the necessary protection and be resistant against any unauthorised intervention or attack, as well as against accidental destruction or loss of the data. The Controller is able to guarantee that the systems, databases, interfaces and applications used for the processing of data always be available to the necessary extent for the performance of the data processing operations and for the exercise and enforcement of the rights of data subjects.

The Controller hereby informs the natural persons whose data are processed in accordance with the present privacy policy that, in the interest of full compliance with the requirements of data security, it shall check the efficiency of the measures introduced for the protection of the security of the data periodically, as defined in the relevant internal policies, and shall evaluate the results of such checks in a documented manner.

The Controller calls attention to the fact that the systems and tools to be used in course of the data processing activities have been selected in such a way that in case of the occurrence of a personal data breach, they should be suitable for ensuring access to all personal data, and their restoration within reasonable time. Prior to the commencement of, as well as during any and all data processing activity, the Controller shall continuously monitor and evaluate, in terms of the personal data, the risk factors likely to be in place at the given time, with particular attention to such risks that may involve the accidental or unlawful destruction, modification or loss of the data recorded, stored or otherwise processed by the Controller or access by unauthorised persons to such data.

In the interest of ensuring that all natural and legal persons having access to the personal data only proceed in accordance with the instructions of binding force given by the Controller as the controller of the data, the Controller shall check the performance of these persons on a continuous basis, with the detailed rules of such checks being included in the internal policies of the Controller.

On commission by the Controller, the enforcement of the rules of data protection shall be also checked by the data protection officer, who shall provide professional advice in connection with the data processing activities, provide information both to the Controller’s employees and its contracted data processors, cooperate with the National Authority for Data Protection and Freedom of Information, serve as a point of contact between the Controller and the data subjects on the one hand, and the supervisory authority on the other hand, and verify the enforcement of the rules of data protection.

The information technology systems and networks of the Controller and its processing partners are protected against computer-assisted fraud, espionage, sabotage, vandalism, fire and flooding, as well as computer viruses, computer hacking and denial of service attacks.

In course of its data processing activities, the Controller ensures the security and protection of personal data with the following measures, among other things:

with respect to the IT system and network used, protection against fraud, espionage, computer viruses and other malicious software, unauthorised entry and denial of service attacks (use of firewall, anti-virus software);

regularly updating the software of own development used for the electronic processing of the personal data;

restricting access to the database containing personal data to duly authorised employees only, subject to the use of unique usernames and passwords;

the software used for the processing of personal data continuously logs access to the personal data (recording the name, date and time, as well as the activity performed);

employees in charge of processing personal data have access only to such data that are indispensable for the performance of their job-related tasks;

the Controller processes personal data provided by the data subjects separately for each of the data processing purposes specified in the present privacy policy;

The Controller has minimized the paper-based processing of personal data, and has introduced mechanisms for the destruction of discarded documents in the interest of preventing unauthorised access to data;

the archived, paper-based documents including personal data are placed in a designated, lockable storage room, access to which is restricted to duly authorised employees.

10. The handling of personal data breaches

We hereby inform all data subjects that even despite the data security measures introduced and enforced by the Controller during the entire process of the processing of personal data, some unfortunate cases may occur that put the stored and processed data at risk.

In case of a personal data breach concerning the personal data processed by us, the Controller shall – in accordance with the requirements of the GDPR – guarantee that the personal data breach is reported to the National Authority for Data Protection and Freedom of Information without delay, but in any case within 72 hours after the discovery of the same – unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

We ask data subjects, not to be surprised, if they receive a notification on a personal data breach directly from the Controller: in such a case, the Controller is performing its statutory obligation, which requires it to inform data subjects of the occurrence of personal data breaches that are likely to pose a high risk to the rights and freedoms of the data subjects. Such high risks include, in particular, where the scope of data affected by the personal data breach involves data that could be considered as sensitive (e.g. special category data, information concerning the financial status of the data subject, data suitable for identity theft or for the social valuation of the data subjects. Such a notification shall include the name and contact information of the Controller’s data protection officer, the nature and the consequences of the personal data breach, as well as the measures already taken or proposed to be taken in the interest of eliminating the consequences and possible adverse effects.

We demand from all our staff members working with personal data that, in the interest of the earliest possible detection and elimination of personal data breaches, they follow the action plan determined and introduced by the Controller. In the interest of minimising the occurrence of personal data breaches during the processing of data and to ensure the enforcement of the above rules at highest possible level, the Controller has incorporated regular internal verification operations into its procedures.

The Controller calls the attention of the data subjects whose personal data it processes in accordance with the present privacy policy that, in addition to the official notification, we also draw up a written record and maintain a central registry of all personal data breaches, which includes, among other things, the description of the problematic cases, their qualification and effect on the data subjects, as well as the measures taken for their elimination and the prevention of their adverse effects at the earliest time possible.

Naturally, the Controller also ensures that all such data processors within which it cooperates in course of its data processing activities shall likewise also comply with their obligations concerning the reporting and the documentation of personal data breaches in accordance with the applicable provisions of law.

11. Data protection officer

We inform data subjects that the Controller has appointed a data protection officer, who can be contacted directly with any question related to the processing of personal data, at [email protected]. We call the attention that data subjects may contact the data protection officer in writing, in connection with any question or request related to the processing of personal data, as well as the exercise of their rights related to data processing. The data protection officer has the knowledge and information concerning all data processing activities performed by the Controller and can thus provide data subjects with suitable information as well.

13. Changes to privacy policy 

The Controller reserves the right to unilaterally change the present privacy policy at any time. We wish to indicate that we inform data subjects of the amendments of the present privacy policy, indicating the points of the privacy policy affected by the amendment, as well as the date of entering into force provided, on the website www.bluebird.hu.

14. Applicable laws 

In the preparation of the present privacy policy, the Controller has taken into consideration all mandatory requirements governing the performance of data processing activities, including, in particular, the following provisions of law:

Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, or GDPR);

Act CXII of 2011 (Hungary) on the Right of Informational Self-Determination and on Freedom of Information;

Act V of 2013 (Hungary) on the Civil Code (the “Civil Code”);

Act CXXXIII of 2005 (Hungary) on Security Services and the Activities of Private Investigators (the “Security Services Act”);

Act CLV of 1997 (Hungary) on Consumer Protection (the “Consumer Protection Act”);

Act C of 2000 (Hungary) on Accounting (the “Accounting Act”);

Act XC of 2017 (Hungary) on the Code of Criminal Procedures (the “Code of Criminal Procedures”).

Date of last update: 27.12.2020