Data Processing Information
The purpose of these provisions is to determine for Mortoff Group, including
a, MORTOFF Informatikai Tanácsadó és Szolgáltató Kft. (registered address: Dunavirág utca 2, HU-1138 Budapest; Data processing registration number: NAIH-55430/2012.)
b, I-DEAL Informatikai, Szolgáltató és Kereskedelmi Kft. (registered address: Dunavirág utca 2, HU-1138 Budapest; Data processing registration number: NAIH-55430/2012.)
(hereinafter referred to as 'Service Provider') the data protection and data processing principles and practices (hereinafter referred to as 'Privacy Statement'), with special regard to the websites: karrier.mortoff.hu; www.mortoff.hu; www.testify.hu; rpa.mortoff.hu; msigno.hu; mitras.mortoff.hu; www.mortoff.de and www.mortoff.at (hereinafter referred to as the 'Website'). The same rules apply to all applications sent to the following e-mail addresses: @mortoff.hu, @probi.hu, @testify.hu, @mortoff.de and @mortoff.at
When creating the Privacy Statement, the following legal provisions were especially taken into account: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Act CXII of 2011 on Informational Self-Determination and the Freedom of Information (hereinafter referred to as the Act); Act VI of 1998 on the Automatic Processing of Personal Data, and the Promulgation of the Convention signed in Strasbourg on 28 January 1981; Act C of 2003 on Communications.
The purpose of the Privacy Statement is to ensure services in all areas of the Service Provider’s online services for each individual without any discrimination (of gender, race, religion, etc.), and to respect their fundamental rights during the automatic processing of their personal data. The Service Provider agrees to be bound by the Privacy Statement. The Statement is publicly available on its website at www.mortoff.hu .
- personal data: means any information relating to the data subject - in particular the name, identification number and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that data subject;
- consent: means voluntary and express wish of the data subject, based on having received prior information, by which the data subject gives his/her unambiguous consent to the comprehensive or limited processing of his/her personal data;
- objection: statement made by the data subject objecting the processing of his/her personal data and requesting the deletion or erasure of the data processed;
- data controller: means the natural or legal person, business entity without legal personality, who or which determines the purposes of processing personal data, makes decisions relating to the data processing (including the tools of such processing) and executes thereof, or has the data processor perform them;
- data processing: means any operation or set of operations which is performed on personal data, such as collection, entering, recording, organisation, storage, alteration, use, transfer, disclosure, dissemination or otherwise making available, alignment or combination, erasure or destruction, as well as the prevention of further use; photo, audio or video recordings, and the recording of physical characteristics suitable for the identification of a person (e.g.: finger or palm prints, DNS sample, iris imaging);
- data transfer: making any data available to a specified third party;
- disclosure: making the data accessible for anyone;
- data erasure: making any data unrecognisable in a way that such data may no longer be restored;
- data identification: assigning identifiers to data with the purpose of distinguishing them;
- data blocking: means the assigning of an identifier to the data with the purpose of limiting - permanently or for a fix term - the further processing of such data;
- data erasure: means the complete physical destruction of the media containing the data;
- data processing: means performing technical tasks in connection with data processing activities, regardless of the methods and tools used for executing the operations, or the location where they are performed, provided that such technical tasks are performed on data;
- data processor: means a natural or legal person, or an entity without legal personality, who or which processes personal data on behalf of the controller, based on a contract - including a contract under the provisions of legislation - concluded with the data controller;
- data material: all data processed within one registry;
- third party: means a natural or legal person, or an entity without legal personality other than the data subject, data controller or data processor;
- EEA state: means an EU member state and such state, which is party to the Agreement on the European Economic Area, as well as a state the citizens of which enjoy the same legal status as the citizens of a state that concluded an international agreement with the European Union and its member states or a state that is not party to the Agreement on the European Economic Area.
- third country: any state which is not an EEA state.
- external recommendation: candidate for a position recommended for work by a party with no legal relationship to the Service Provider, that is, an external party.
- internal recommendation: candidate for a position recommended for work by a party with legal relationship to the Service Provider, that is, an internal party.
Basic principles of data processing
Personal data may be processed when
- the data subject has given his consent, or
- it is ordered by law - under the authority of the law, within the scope specified therein - or by a local government decree.
If the data subject is physically or legally, or for other unavoidable reasons is incapable of giving consent, then the personal data of the data subject can be processed to the extent necessary for the protection of the vital interests of the data subject or of another natural person, or for the elimination or prevention of direct threat to such persons’ life, physical integrity, or properties.
If the data subject is a minor over 16 years of age, the consent or subsequent approval of his legal guardian is not required for his legal declaration of his consent to be valid. The Service Provider shall not store the data of a person under the age of 16 years for the purpose of a job application. Use for other purposes requires the authorization of a legal representative.
Personal data may be processed only for a specific purpose, in the interest of exercising a right or performing an obligation. Each phase of data processing must comply with this objective.
Only such personal data may be processed, which are essential and suitable, and only to the extent necessary for the implementation of the objective of the data processing. Personal data may only be used to the extent and duration necessary to achieve the specific purpose.
Prior to the start of data processing, the data subject must be clearly and in detail informed about any facts related to the processing of his data, in particular about the purpose and legal basis of the data processing, the person entitled to data processing, the duration of the data processing, and about who can have access to the data. The information should include the rights of the data subject and any legal remedies relating to data processing.
The data controller is obliged to design and implement data processing operations in a way to ensure the protection of the privacy of those involved in the application of the law and other regulations on data processing.
The data controller - as well as the data processor within its scope of activity - is required to ensure the safety of the data, take all technical and organisational measures, and set up any procedural regulations that are required in the interest of the enforcement of data protection and the protection of confidentiality.
The data must be protected by appropriate measures, in particular against unauthorized access, alteration, transmission, disclosure, deletion or destruction, unavailability due to accidental destruction and damage resulting from a change in the technology used.
In order to ensure the protection of data sets processed electronically in various records, appropriate technical solutions must be used to protect that such data stored in the records may not be directly interconnected and made suitable for the identification of the data subject - unless permitted by law.
During the automated processing of personal data, the data controller and the data processor provide further measures to prevent unauthorized data entry;
to prevent the use of automated data processing systems by unauthorized persons using data transmission equipment; to verify and establish that the personal data were transmitted or forwarded, or may be transmitted or forwarded, by a data transfer equipment and to which bodies;
to verify and establish which personal data, when and by whom were entered in the automatic data processing systems;
recoverability of the installed systems in case of a malfunction, and reports to be created on errors occurring during the processing.
When determining and implementing measures for the safety of the data, the data controller and the data processor must consider the actual development level of the technology. In case there are several possible solutions for data processing, the one should be selected which offers higher protection level for the personal data, unless this would cause unreasonable hardship to the data controller.
A data controller performing data processing under the law may only transfer personal data to data controller performing data controlling in a third country, or may only provide personal data to a data processor performing data processing in a third country, if the data subject has given his explicit consent in this respect, or there are conditions contained in the law for such data processing, and the appropriate level of protection of the transferred personal data is ensured during data processing in such third country.
Data transfer to EEA states must be regarded as data transfer taking place within the territory of Hungary.
Information on, correction and deletion of personal data
The data subject may request the data controller
- information on processing his personal data,
- rectification of his personal data, and
- erasure or blocking of his personal data - with the exception of mandatory data processing.
At the request of the data subject, the data controller will provide information about his data managed thereby, and about the data processed by a data processor acting on its behalf, and about the source of such data, the purpose, the legal basis and the term of the data processing, the name and address of the data processor, the activities relating to the data processing, and - in case the personal data of the data subject are transferred - the legal basis and the addressee of data transfer operations.
The data controller shall keep records of the transferred data to verify the legality of the data transfer and to provide information to the data subject, which records contain the transfer date of the personal data it processes, the legal basis and the recipient of the data transfer, the determination of the scope of the personal data transferred, and other data specified in legislation on data processing. The period of retaining data in the data transfer records - and similarly, the related information obligation - may be restricted by the law specifying data processing. Within the scope of such limitation, periods no shorter than five years can be specified for personal data, or twenty years in the case of sensitive data. Upon the data subject’s request, the data controller shall provide information as soon as possible after the submission of the request, or at the latest within 30 days in writing, in a clearly understandable form. Such information is free, except in case the person requesting the information submitted request for information in the same year regarding the same set of data. In other cases, expenses may be charged. The amount of such may be specified in an agreement made between the parties. Any cost reimbursement that has already been furnished shall be repaid in case the data have been processed in an illegal manner, or the request for information resulted in rectification.
The data controller may only refuse providing information for the data subject if it is allowed by law. The data controller is required to provide reasons for refusing the provision of information. In case of refusing the provision of information, the data controller shall inform the data subject about the available legal remedies, as well as about his rights to contact the National Authority for Data Protection and Freedom of Information (hereinafter: Authority).
If the personal data are not realistic, while the realistic personal data are available to the data controller, the personal data shall be corrected by the data controller.
Personal data shall be deleted if
- processing is unlawful;
- requested by the data subject;
- the data are incomplete or incorrect - and this situation cannot be lawfully remedied - provided that such cancellation is not excluded by law;
- the purpose of the data processing has ceased or the duration for storing the data specified by law has expired;
- it has been ordered by the court or the Authority.
The data controller shall mark the processed data if the data subject disputes their correctness or accuracy, while such incorrectness or inaccuracy may not be clearly ascertained.
The data subject shall be notified on the rectification, blocking and deletion of the data, and a similar notification shall be sent out to all remaining parties to whom the disputed data had been transmitted. Notification may be omitted if this does not violate the legitimate interest of the data subject with respect to the purpose of the data management.
If the data controller denies fulfilling the data subject’s request for correction, blocking or erasing the disputed data item, the same controller will be obliged to advise the subject in writing within 30 days upon the receipt of the request on the factual and legal causes of the rejection of the rectification, blockage or erasure request thus submitted. If compliance with the rectification, erasure or blockage request thus submitted by the data subject is withheld by the data controller, the same controller will be under obligation to advise the subject on the available appeal procedures and legal remedies offered by the courts or the administrative authority.
Protesting against the processing of personal data
The data subject may object to the processing of his personal data
- if the processing or transfer of the personal data is required exclusively for fulfilling the legal obligation of the data controller, or for the enforcement of the legitimate interest of the data controller, the recipient or a third party, except in case of compulsory data processing;
- if the purpose of the use or the transfer of personal data is direct marketing, opinion survey, or scientific research; and
- in other cases set out by the law.
The data controller shall examine the protest as soon as possible after it was submitted, but within no later than 15 days; it shall make a decision on its grounds, and inform the data subject about its decision.
If, based on the findings of the data controller, the data subject’s objection is justified, the data controller shall terminate all controlling operations (including data recording and transmission), block the data involved and notify all recipients to whom any of these data had previously been transferred concerning the objection and the ensuring measures, upon which these recipients shall also take measures regarding the enforcement of the objection. If the data subject disagrees with the decision made by the data controller, or the data controller fails to meet the respective deadline, the data subject shall have the right to turn to court within 30 days following the last day of the deadline.
Asserting rights before court
In case the rights of the data subject are violated, the data subject shall have the right to judicial remedy against an action of the data controller. Such court proceedings shall be conducted under priority.
Other privacy information
The User must complete a registration form or contact form in order to have access to certain services of the Service Provider that are available on the Website. Filling in the registration sheet and the contact form is voluntary. When filling in the registration form or the contact form, the Service Provider is required to process or use in any way the information and data provided by the User in order to achieve the objectives of the legal relationship which the User intends to establish or which may already exist between them in accordance with its rules.
By submitting the registration form and the contact form, the registered user accepts the Service Provider's Privacy Statement.
The Service Provider processes personal data in particular for the following purpose:
- information for registered users,
- the transfer of personal data in an anonymised form to ensure the protection of registered users, to third parties related to the Service Provider and interested in the registered user.
During registration you have the opportunity to upload your CV and other application documents (motivation letter or even photo, etc.) into our database in Hungarian and foreign languages.
The Service Provider is entitled to process the data provided during the telephone/ personal interview (e.g. interview notes) as well as the test/ task questions required for selection. As mentioned above, the Service Provider will keep such information confidential.
The scope of the personal data you intend to provide in your CV is exclusively your decision. You may also send your CV without including any personal information. However, please note that the Service provider does not, under any circumstances, collect special data, i.e. data that relate to racial origin, membership of a national or ethnic minority, political opinions or party affiliations, religious or other beliefs, representation of interests, health status, harmful passion, sexual life or criminal record.
Exceptions are cases where they have been requested and authorised in advance by the candidate and are strictly necessary for the performance and completion of the job (e.g. data on changed working capacity).
If the candidate has voluntarily provided special information in his/her CV or in another document, the Service Provider shall not be responsible for processing such data.
If the Service Provider becomes aware that a user placed data qualifying as special pursuant to the Information Act in the database, it shall immediately delete it and have the right to cancel the registration of the user concerned.
The applicant may change, update or cancel his/her CV and other application documents at any time. It is our common interest to ensure that the data provided in the resume and in other application documents are accurate, complete and updated at all times. Accordingly, please ensure that the data contained in your resume and other application documents - in case of any change - are amended, updated or deleted accordingly.
We will forward your resume and other application documents in accordance with your consent in an anonymised form, or make them available to the companies in customer relationship with our company who may be interested in your documents provided via the Website registration, or based on the company preferences (Data transfer). The sole purpose of data transfer is to provide access to potential employers or recruitment agencies for directly viewing the information uploaded by you to the Website database and anonymized by us. When you upload your data to the Website, we consider it as your consent to data transfer to all organizations contained in our database. The Data Controller is not responsible for the companies in customer relationship with the Data Controller regarding their lawful data processing and online data transfer. However, you are assured that we as data controller will make every effort to ensure that you can exercise your rights to informational self-determination in full. If you would like further information about data processing carried out by persons or organizations involved in the transfer of data, please contact the relevant data controller directly.
Your resume and other application documents are stored for 3 years after they are uploaded to our database, except if you have previously deleted them (which is available for you at any time), or when you update them in compliance with our request.
From time to time, our visitors and users are requested to communicate data by filling out surveys and questionnaires in accordance with the law.
Participation in such collection of information is always voluntary, and any data provision may only be made based on the voluntary consent of the data subject. Our visitors and users are always free to decide whether they provide personal data (e.g. name and e-mail address), or only demographic information (e.g. postcode and position).
In the event of a recommendation from a recruiting agency, they are responsible for ensuring that the candidate provided its consent in advance to making his/her data available for the Service Provider.
In case of an internal/external recommendation, the recommending person is responsible for ensuring that the candidate provided his/her prior consent to making his/her data available for the Service Provider.
In case of recommendation by a recruitment agency or internal/ external recommendations, the Service Provider shall consider the receipt of each letter/ message as one that the recruitment agency/ recommending party arranged for any related consent in advance.
If it is found that the recruitment agency/ recommending party transferred the candidate’s data without the candidate's consent, the consequences shall be borne by the source transferring the data to us, and the Service Provider shall delete the data within 15 days. In addition, the Service Provider shall, at the time of each contact with the candidate, make sure that the candidate actually consented to the data processing, and was aware of such recommendation/ data transfer by the recruitment agency.
Legal background and the legal basis of cookies
Data processing is based on Act CXII of 2011 on the Right of Informational Self-Determination and on the Freedom of Information (Freedom of Information Act), and Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and information Society Services. The legal basis of data processing is your consent in accordance with point a) of Section 5 (1) of the Freedom of Information Act.
The main features of cookies used on the website
Google Analytics cookie
In addition, you may prevent the transferring and processing of data to Google that were collected by cookies on your use of the website (e.g. IP address) if you download and install a browser utility program (plugin) by clicking on the following link.
For more information about the General Terms and Conditions of Google Analytics, please click on the link below.
Enabling, restricting or disabling cookies
Visitors can set accepting cookies in all modern browsers. Similarly, you can customize the settings in your browser in respect of whether the visitor would like to be notified when the site wishes to place a cookie in your browser, as well as the period while different types of cookies can be stored there, or whether they should be deleted when the browser is closed. It is important to be aware of the fact that the services available on certain websites specifically depend on the acceptance of cookies, so by disabling cookies, the visitor may experience unexpected activity, or, at the worst, it becomes impossible to use the website services.
For further information on the cookie settings of the most popular browsers, please see the following links:
If you have further questions not included in this Privacy Statement, or any comments, please contact us at the following e-mail address: firstname.lastname@example.org
The Privacy Statement is in effect from 18 May 2018. We reserve the right to amend this Privacy Statement. The effective version is always the version publicly available on the Website.
Our IT Service Provider
Our Company employs a data processor to maintain the website and provide IT services (hosting), and within this framework - to the extent of the contract concluded with us - processes the personal data provided via the website. The operation performed is storing personal data on the server.
The name of the data processor is:
Name: ErdSoft doo
Headquarters: 24000 Szabadka, Luja Pastera 5, Szerbia
Registration number: 21354619
Tax number: 110478829
Representative: Erdudac Dániel
Phone: +381 60 44 60 555