1. Introduction

HD Direkt Hungary Limited Liability Company (registered office: H-1087 Budapest, Baross tér 1. Building 3rd floor 14.; company registration number: 01 09 931447; hereinafter: the Company or Data Controller) is committed to protecting natural persons in relation to the processing of personal data and to the free movement of such data, and to complying with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), as well as Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information. Therefore, the Company provides the following information regarding the processing of personal data.

This notice aims to record – in accordance with the relevant legal provisions – for what purpose, for how long, on what legal basis, and how the Data Controller processes the personal data of data subjects, as well as the data subjects’ rights and remedies in relation to data processing.

If you have any questions or comments regarding the content of this notice, please contact the Data Controller at the email address: geza.balogh@hddirekt.com.

2. Alapfogalmak

Below is a summary of the most important definitions used in this notice:

1. Personal data: any information relating to a data subject that enables identification or makes the data subject identifiable. A natural person is identifiable, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The Data Controller collects personal data for each processing purpose as specified in this notice.

2. Data processing: any operation or set of operations performed on data, regardless of the method applied, including collection, recording, organization, storage, alteration, use, retrieval, transfer, disclosure, alignment or combination, blocking, deletion, and destruction, as well as preventing further use of the data.

3. Data controller: the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data. In this notice, HR Direkt is considered the data controller. In the context of temporary agency work, the data controller acts as the temporary work agency.

4. Data processor: a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller.

5. Data subject: an identified or identifiable natural person. Data subjects include employees involved in temporary agency work as referred to in this notice. (If other persons are affected, they are specified separately.)

6. Authority: the Hungarian National Authority for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11.; email: ugyfelszolgalat@naih.hu; website: http://naih.hu; phone: +36 (1) 391-1400).

7. Recipient: a natural or legal person, public authority, agency, or any other body to whom or with whom the personal data is disclosed, whether or not a third party.

8. Temporary agency work: pursuant to Act I of 2012 on the Labour Code, the activity whereby the temporary work agency assigns an employee employed for the purpose of temporary work to a user company for temporary work in exchange for consideration.

9. Borrower: the legal entity to whom the Data Controller assigns an employee under the framework of temporary agency work.

III. Data Controller

In relation to employee data processing described in this notice, HD Direkt Hungary Kft. acts as the data controller.

Data Controller:

Company name: HD Direkt Hungary Kft.

Registered and mailing address: H-1087 Budapest, Baross tér 1. Building 3rd floor 14.

Company registration number: 01 09 931447

Email: geza.balogh@hddirekt.com

Representative of the Data Controller:

Name: Éva Szilágyi Dzsubákné, Managing Director

Address: H-5000 Szolnok, Kápolna út 3.

Email: geza.balogh@hddirekt.com

1. Purpose of Data Processing, the Data Processing Procedure

Below is a summary of the typical scenarios and purposes of data processing where the personal data of the data subject is processed.

1. Payroll and Personnel Records

Purpose of data processing:

The employer has obligations related to reporting, recordkeeping, contribution calculation and deduction, contribution payment, and declarations regarding the employed individuals, and maintains personnel records for this purpose. In order to fulfill these obligations, the Data Controller processes the following personal data of employees.

Data processing purposes: establishing and maintaining the employment relationship, fulfilling obligations arising from the employment relationship (e.g., reporting to authorities, declarations), planning and maintaining human resource needs, payroll processing.

The Data Controller processes the following personal data:

1. Name, birth name, mother’s name, place and date of birth,
2. Citizenship,
3. Permanent address (and place of residence if different),
4. Job title / position,
5. Data related to income,
6. Social security identification number (TAJ number),
7. Tax identification number;
8. Pensioner ID number;
9. Social security booklet;
10. Referral for occupational medical examination and its result;
11. Data related to sick pay and other contributions,
12. Data on garnishment from the employee’s wages;
13. Medical certificate under Government Decree 102/1995 (VIII. 25.) on the assessment and monitoring of incapacity for work;
14. Records required to assess rehabilitation contribution under Section 23 (7) of Act CXCI of 2011 (on benefits for persons with reduced work capacity), including the natural identification data of the data subject, social security number, degree of reduced work capacity, health condition, disability, and a copy of supporting documents;
15. In the case of paternity leave, data required under Government Decree 535/2022 (XII. 21.): father’s name at birth, mother’s name, TAJ number; child’s name, place and date of birth, TAJ number, mother’s name; the employer keeps records, and the employee presents supporting documents (e.g., birth certificate, adoption certificate, stillbirth certificate);
16. Other data necessary for payroll,
17. Work permit data (if required under Government Decree 445/2013 (XI. 28.)).

Legal basis of data processing:

GDPR Article 6(1)(c) – fulfillment of a legal obligation, furthermore, in the case of health data: GDPR Article 9(2)(b) and (h).

Legislation establishing the legal obligation:

• Act CL of 2017 on the Rules of Taxation (Art.), Annex 1, Point 3 and Section 50.
• Act CXXII of 2019 on Social Security Benefits and the Coverage of Such Benefits, Sections 1(4)-(5), 66(1), 74(4).
• Act I of 2012 on the Labour Code.
• Government Decree 217/1997 (XII.1.) on the Implementation of Act LXXXIII of 1997 on Compulsory Health Insurance Benefits, Section 37(1).
• Government Decree 33/1998 (VI.24.) NM on Medical Examination and Assessment of Occupational, Professional, and Personal Hygiene Fitness.
• Act LXXXIII of 1997 on Compulsory Health Insurance Benefits, Section 62(1).
• Government Decree 465/2017 (XII.28.) on Detailed Rules of Tax Administration, Section 23.
• Act LXXX of 1997 on Social Security Benefits and Private Pensions.
• Act CXVII of 1995 on Personal Income Tax.
• Government Decree 102/1995 (VIII.25.) on the Medical Assessment and Monitoring of Incapacity for Work.
• Act XLVII of 1997 on the Protection and Management of Health and Related Personal Data, Section 4(2)(o).
• Government Decree 535/2022 (XII.21.) on Paternity Leave and Related Cost Reimbursements.
• Act CXCI of 2011 on Benefits for Persons with Reduced Work Capacity and Amendments to Certain Laws.
• Government Decree 445/2013 (XI.28.) on the Non-Combined Application Procedure for Employment of Third-Country Nationals in Hungary, exemption from the obligation to obtain permission, involvement of labor centers in the joint application process, notification of employment of third-country nationals permitted to work without authorization in Hungary, and wage reimbursement.

Duration of data processing:

Documents for determining, verifying, or controlling the tax base, amount, exemptions, allowances, and budget support, as well as invoices serving as a basis for tax or tax advance determination, must be retained until the statute of limitations expires for establishing the right to tax (5 years from the last day of the calendar year when deferred tax becomes due in case of deferred tax) [Art. 78(3)-(4)], with regard to Chapter XXVI of the Art.

Accounting documents supporting directly or indirectly the accounting records (including general ledger accounts, analytical, or detailed registers) must be kept in readable form and traceable by accounting references for at least 8 years [Accounting Act 169(2)].

Medical fitness certificates are managed and retained for 5 years from issuance in accordance with Government Decree 33/1998 (VI.24.) NM on Occupational, Professional, and Personal Hygiene Fitness Medical Examinations and Assessments.

According to Government Decree 217/1997 (XII.1.) Section 37(1) on Compulsory Health Insurance Benefits, the employee hands over the social security booklet (“certificate on insurance relationship and health insurance benefits”) to the employer. The employer records the start and end of insurance relationship in the booklet. The Controller keeps the booklet until termination of employment.

According to Act LXXXI of 1997 on Social Security Pensions Section 99/A(1), the Controller is obliged to keep employment records containing salary and income data relevant for determining service periods or pensions for 5 years after the insured or former insured reaches retirement age. (Such records include employment contracts, contract amendments, and termination documents.)

Records kept for the purpose of determining the rehabilitation contribution must be retained by the employer for 5 years after the termination of employment.

IV. Other Personnel Data Processing:

Employment contract:

Purpose of data processing: conclusion of employment contract, recording and fulfillment of conditions related to employment relationship.

The employment contract contains the following personal data: name, address, place and date of birth, mother’s name, bank account number, citizenship, position, salary, workplace, job description, signature. Providing personal data is mandatory; without it, the contract cannot be concluded.

Legal basis for data processing: GDPR Article 6(1)(b) – necessary for the conclusion and performance of the contract.

Duration of data processing: According to Act LXXXI of 1997 on Social Security Pensions Section 99/A(1), the Controller is obliged to keep employment documents containing data related to earnings relevant for service period or pension determination for 5 years after the insured or former insured reaches retirement age. (Such documents include the employment contract, amendments, termination documents.)

Advance tax determination, tax allowances:

The Controller is obliged to determine employees’ tax advance according to Act CXVII of 1995 on Personal Income Tax. The employer handles declarations regarding: family allowance, allowance for young persons under 25, allowance for mothers under 30, first-married allowance, allowance for mothers raising four or more children, personal allowance, and cost declaration.

Purpose: to claim tax benefits, handle tax advance declarations, payroll.

Data subjects: employee, employee’s child, relatives.

Scope of data processed:

• Declarations include employee’s name and tax identification number.
• For first-married allowance: spouse’s name, tax ID, marriage date; spouse/partner’s name, tax ID, employer/payor name, tax number.
• For allowance for parents raising four or more children: child’s name, place and date of birth, tax ID, mother’s name.
• For personal allowance: disability recorded.
• For family allowance: child’s name, tax ID, dependent status, entitlement title; spouse/partner’s name, tax ID, employer/payor name, tax number.
• For mothers under 30 allowance: expected birth date of fetus, child’s name, date of birth, tax ID, adopted child’s name and tax ID.

Legal basis: GDPR Article 6(1)(c) – compliance with legal obligation, additionally health data under GDPR Article 9(2)(b) and (f).

Duration: According to Art. Section 78(3)-(4) and Chapter XXVI, until the statute of limitations of tax determination (~5 years).

Additional leave:

Purpose: establishing lawfulness and recording of additional leave usage.

Data subjects: employee, employee’s child.

Data processed: employee’s name and possibly disability; child’s name, date of birth, tax number, possibly disability.

Legal basis: legal obligation [GDPR 6(1)(c)]; regarding additional leave – Labour Code Section 118; health data under GDPR 9(2)(b).

Duration: 3 years.

2. Email address and phone number:

The Controller processes employees’ corporate email addresses and phone numbers based on legitimate interest [GDPR 6(1)(f)]. [The Controller has performed a legitimate interest assessment.]

Purpose: communication necessary for coordination and work completion. Data are processed solely in relation to the employment.

Data are kept until termination of employment.

3. Recruitment:

Purpose: The Controller recruits foreign employees for foreign partner companies under service contracts to facilitate employment and job placement.

Source: recruiting partner company.

Data processed: data depending on position and client needs transmitted by recruiting company, e.g., name, address, citizenship, mother’s name, phone number, etc.

Data subjects: job applicants and their relatives.

Legal basis: applicant’s consent [GDPR 6(1)(a)]; relatives – legitimate interest [GDPR 6(1)(f)].

Duration: until closure of recruitment process.

4. Representation of employees in official procedures:

Purpose: acting on behalf of employees with their consent or authorization in official procedures (e.g., immigration, government offices, tax authority for permits, tax card, health insurance card requests).

Processed data: data specified in the power of attorney (name, address, mother’s name), as well as the data and documents necessary for the procedure. More detailed provisions regarding the scope of personal data in immigration procedures are included in the Recipients section. If a social security card (TAJ card) application is made, the Data Controller processes the data of the TAJ card and the data and documents necessary for the TAJ card application. If a tax card application is made, the Data Controller processes the data necessary for the application.

Legal basis: consent [GDPR 6(1)(a)]. (Withdrawal of consent does not affect legality of prior processing.)

Duration: data and documents (permits) are kept for 5 years based on legitimate interest [GDPR 6(1)(f)]. Health insurance and tax card data are kept until the cards are handed over to the employee.

5. Travel cost reimbursement:

Purpose: recording and payment of travel expenses.

Data processed: name.

Legal basis: legal obligation [GDPR 6(1)(c)] – Government Decree 39/2010 (II.26.), Section 25(2) of the Personal Income Tax Act, Government Decree 16/2023 (I.27.) on temporary regulations regarding travel cost reimbursement.

Duration: 8 years according to Accounting Act Section 169(2).

6. Work and rest time records:

The Controller keeps records of employees’ days off and working time for payroll purposes.

Data processed: attendance sheet data (name).

Legal basis: legal obligation [GDPR 6(1)(c)] – Labour Code Section 134(1).

Data is deleted 5 years after reaching retirement age.

7. Certificate of good conduct:

The Controller requests certificates of good conduct for certain positions.

Purpose: verifying eligibility related to position.

Data processed: name, certificate content.

Legal basis: legitimate interest [GDPR 6(1)(f)] and GDPR 9(2)(b) condition met.

Duration: Controller requests certificate presentation but does not keep copies.

V. Recipients

Data Processors:

Arteries Studio Limited Liability Company (Company ID: 01-09-299564; registered office: 1139 Budapest, Forgách utca 9/B; represented by managing director Gábor Németh),

Kis Pici Limited Liability Company (Company ID: 01-09-980878; registered office: 1105 Budapest, Dér utca 40. I. floor, door 4; represented by managing director Győző Mihály),

and Győző Mihály sole proprietor (tax number: 66942775-2-42) provide IT services as data processors for the Controller.

AXXE Accounting and Commercial Limited Liability Company (Company ID: 01-09-667127; registered office: 1154 Budapest, Bánkút utca 48.; represented by managing director Erzsébet Katalin Csorba) provides accounting services as data processor.

The Controller uses XL Bér payroll software (Servantes Software Ltd.; Company ID: 01-09-963496; registered office: 1161 Budapest, József utca 18.) for payroll tasks.

Some data are stored in Hireify software, where Hireify Ltd. (2045 Törökbálint, Kossuth Lajos utca 40.; Company ID: 13-09-190859) performs data processing activities related to software operation, maintenance, and support.

Data Transfers:

The Controller’s auditor Dr. Györgyné Székely (mother’s name: Ilona Kállai; residence: 1044 Budapest, Anód utca 38. C. building) is entitled to access the Controller’s documents to perform the audit.

According to Act CL of 2017 on Taxation (hereinafter Art.), Annex 1, point 3, the Controller must report to the National Tax and Customs Administration (NAV) the insured employee’s family and given name, tax ID number, date of birth, start and end of insurance relationship, suspension periods, weekly working hours, FEOR code, and social security number (TAJ). If the insured lacks a tax ID number, the place of birth, mother’s birth family and given name, and nationality must also be reported.

According to Government Decree 33/1998 (VI. 24.) NM on medical examination and opinion concerning occupational, professional and personal hygiene suitability, the employer issues a referral to the occupational health doctor, who receives data as per the referral. This service is provided by Dr. Cseresnyés and Partners Health Partnership (Company ID: 16-06-004314, registered office: 5100 Jászberény, Berényi u. 13., represented by managing director László Kerekes), MULTI-MED TEAM Ltd. (Company ID: 13-09-072427; registered office: 2724 Újlengyel, Dózsa György utca 12.), Konzulens-B’97 Bt. (Company ID: 16-06-005273; registered office: 5000 Szolnok, Csokonai utca 37. I/3.), Doktor24 Medicina Plc. (Company ID: 01-10-140606; registered office: 1134 Budapest, Váci út 37. 1st floor), and Dr. Anita Eszter Holczerné Jánosi.

*

Data Transfers Based on Legal Obligations (Labour Code Section 217):

The lender (Controller) must provide to the borrower, no later than the employee’s start of work:

1. a) notification to the state tax authority about the employment start of the person employed by the employer or payor according to tax law, and
2. b) a copy of the certificate of registration as a lender per special legislation.

The borrower must inform the lender of data necessary for wage payment and related declarations, reporting, and payment obligations by the 5th day of the month following the relevant month. If the employment terminates mid-month, the borrower must notify the lender within three working days after the last working day.

The Controller as lender may also transfer the following data to the borrower upon request or based on legal obligations or with the employee’s consent for employment administration purposes: name, address, mother’s name, citizenship, social security number, tax number, clothing and shoe size, qualifications, education, language skills, gender, email, phone, etc.

*

Immigration Procedures:

• Representation:
  • Under Section [1] 86/J(4) of the Immigration Act, if a foreign employee wishes to establish employment, the residence permit application can be submitted through the employer with the employee’s unilateral written consent.
  • In other procedures, the employer acts based on employee authorization.

• The Controller represents the employee in:

1. residence permit application
2. accommodation notification
3. accommodation modification
4. work permit

• For residence permit procedures, documents required by:

Section [2] 47(7)-(8) of the Immigration Decree include:

• valid travel document
• photograph
• Documents certifying the fulfillment of the conditions set out in Section 13 (1) points c)–g) of the Act:
  
  • Permit required for return or onward travel
  • Preliminary agreement to establish an employment relationship or a document proving the employment relationship (Harm. Vhr. Section 59 (4))
  • Proof of accommodation/residence
  • Certification that during the stay, the person has sufficient financial means to cover housing, living expenses, and travel costs
  • Proof of being insured for healthcare services or ability to cover related costs
• Declaration undertaking voluntary departure from the territory of European Union Member States as specified in Section 42 (3) of the Harm. Act in case the application is rejected

The 2007 Act on Free Movement and Residence and the 2007 Act on Entry and Residence of Third-Country Nationals, plus the 25/2007 IRM Decree Annex 11 list personal data required in residence permit applications, including personal and family details, education, previous occupation, passport and accommodation data:

• About the employee: Photograph, name, birth name, mother’s name, gender, marital status, place and date of birth, citizenship, qualifications, educational attainment, occupation prior to arrival, passport details, accommodation details in Hungary, etc.
• About dependent relatives: Name, degree of kinship, place and date of birth, citizenship, legal basis of residence.

• During the accommodation registration procedure, the following data must be
  
  • reported to the immigration authority according to Section 73 (1) of the Harm. Act:
• Personal identification data: name, birth name, previous name, place and date of birth, gender, mother’s name, citizenship
• Travel document data
• Address of accommodation, start and end date of use
• Visa/residence permit number
• Date and place of entry
  • The following documents must be submitted according to Section 155 of the Harm. Vhr.:
• Copy of travel document
• Document certifying accommodation

The accommodation certificate contains the data specified in Section 155 (5a) of the Harm. Vhr.:

• Name
• Place and date of birth
• Gender
• Mother’s name
• Citizenship
• Address of accommodation

• According to Section 73 (4) of the Harm. Act, any change of accommodation must also be reported.

• Regarding the work permit, the personal data specified in Government Decree 445/2013 (XI. 28.) are processed, and the data must be submitted to the competent government office as prescribed by the Decree.

VI. Enforcement of Rights and Legal Remedies

Rules for exercising data subject rights:

The Controller shall provide the requested information without undue delay, but no later than within one month from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by a further two months. The Controller shall inform the Data Subject of the extension within one month of receiving the request, stating the reasons for the delay.

If the Controller does not take action following the Data Subject’s request, it shall inform the Data Subject without delay, but no later than within one month from receipt of the request, about the reasons for the failure to act and the right to lodge a complaint with the Authority and to exercise judicial remedies.

If the Controller has reasonable doubts about the identity of the person submitting the request, it may request additional information necessary to confirm the identity.

1. Communication with the Controller:

The communication between the Data Subject and the Controller takes place via e-mail or post. The Controller’s e-mail address for this purpose is: adatvedelem@hrdirekt.com; mailing address: Controller’s registered office.

2. Right of access:

The Data Subject has the right to request feedback from the Data Controller at any time regarding whether the processing of their personal data is ongoing. If the data processing is ongoing, the Data Subject has the right to access their personal data processed to the extent outlined below.

Within the scope of access, the information provided by the Data Controller related to data processing may particularly include the following:

1. the source of the personal data,
2. the purpose and legal basis of the processing,
3. the scope of personal data processed,
4. the recipients of the personal data, including third-country recipients and international organizations,
5. the duration of the personal data storage and criteria for determining this period,
6. the rights granted to the Data Subject under the Info Act and GDPR and ways to enforce them,
7. the existence of automated decision-making or profiling,
8. circumstances, effects, and measures related to data protection incidents affecting the personal data,
9. the right to lodge a complaint with the supervisory authority.

3. Rectification:

The Data Subject is obliged to notify the Controller in writing of any changes in their personal data. The Controller shall rectify the data within 8 days of receiving the request. Failure to notify changes may result in consequences borne by the Data Subject. If the provided personal data are inaccurate and correct data are available, the Controller shall automatically correct the data.

4. Right to erasure:

The Data Subject is entitled to request the Controller to erase their personal data without undue delay, and the Controller must comply without undue delay if one of the following applies:

1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2. the Data Subject withdraws consent and there is no other legal basis for processing (withdrawal is not retroactive);
3. the Data Subject objects to processing based on legitimate interests;
4. personal data were unlawfully processed;
5. the personal data must be deleted if required by a legal obligation applicable to the data controller under Union or Member State law;
6. personal data were collected in connection with information society services under GDPR Article 8(1).

However, the Controller is not obliged to delete data if processing is necessary for:

1. for the purpose of exercising the right to freedom of expression and information;
2. compliance with a legal obligation or performance of a task in the public interest;
3. archiving, research, or statistical purposes, where deletion would seriously impair these activities;
4. public health reasons under GDPR Article 9(2)(h) and (i);
5. establishment, exercise or defence of legal claims.

5. Right to restriction of processing:

The Data Subject may request restriction of processing if:

1. the Data Subject disputes the accuracy of their personal data; in this case, the restriction applies for the duration necessary to allow the Data Controller to verify the accuracy of the personal data;
2. processing is unlawful and the Data Subject opposes erasure but requests restriction instead;
3. controller no longer needs the data but the Data Subject requires them for legal claims;
4. the Data Subject has objected to the processing of their personal data; in this case, the restriction applies for the period during which it is determined whether the Data Controller’s legitimate grounds override the legitimate grounds of the Data Subject.

If the data processing is restricted as described above, such personal data may only be processed—with the exception of storage—with the consent of the Data Subject, or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons. If the restriction on data processing is lifted, the Data Controller shall inform the Data Subject who requested the restriction in advance of this fact.

6. Objection to data processing:

The Data Subject may object at any time to processing based on legitimate interests for reasons related to their particular situation. The Controller must stop processing unless it demonstrates compelling legitimate grounds that override the Data Subject’s interests, rights and freedoms, or if processing is for legal claims.

7. Right to data portability:

Based on the data subject’s consent or for the purpose of fulfilling a contract, the data subject has the right to receive the personal data they have provided to the Data Controller in a structured, commonly used, and machine-readable format, and also has the right to transmit those data to another data controller without hindrance from the Data Controller to whom the personal data were originally provided. This right applies exclusively to personal data processed based on consent or the performance of a contract and which are processed electronically.

8. Filing a complaint with the Authority:

The Data Subject may lodge a complaint with the National Authority if they believe their data protection rights have been violated or are at risk. The Authority’s investigation is free, and the complainant is protected from retaliation. The Authority may only disclose the complainant’s identity if necessary for the investigation or if the complainant consents.

Authority contact:
Address: 1055 Budapest, Falk Miska u. 9-11.
E-mail: ugyfelszolgalat@naih.hu
Website: http://naih.hu
Phone: +36 (1) 391-1400

9. Judicial enforcement:

The Data Subject may bring a court action against the Controller in case of rights violations. Jurisdiction is generally at the court of the Controller’s registered office but may also be at the Data Subject’s place of residence or stay. Competence can be checked at www.birosag.hu (“Court finder”). Courts shall act urgently.

10. Compensation:

Anyone who suffers damage due to violation of data protection laws is entitled to compensation from the Controller. The Controller is liable for damage caused by unlawful processing but is exempt if it proves no responsibility.

VII. Data Security

We ensure the security of data processing and take the necessary and appropriate technical and organizational measures in this regard. We guarantee the confidentiality of personal data (e.g., prevention of disclosure, unauthorized access), their integrity (prevention of alteration, modification, deletion), and availability (accessibility, recoverability).

To this end, the Controller shall, in particular but not exclusively:

– Ensure by hardware and software means that unauthorized persons cannot access the devices used for data processing (hereinafter: data processing system);

– Store electronic data in a closed, password-protected IT system;

– Prevent unauthorized input of personal data into the data processing system, as well as unauthorized access, modification, or deletion of personal data stored therein, and prevent unauthorized use of data processing systems via data transmission devices;

– Transmit personal data only on the basis of an appropriate legal basis;

– Process personal data only for the necessary duration;

– Ensure that the data processing system can be restored in case of malfunction, provide for the possibility of data recovery, and protect against viruses;

– Regularly review and, if necessary, improve the level of IT compliance;

– Take all possible measures to prevent data protection incidents.

VIII. Miscellaneous Provisions

The Controller reserves the right to unilaterally modify this Notice at any time, about which employees will be informed.

The Notice is governed by Hungarian law and the GDPR.

Budapest, 1 August 2024

HD Direkt Hungary Ltd.

Annexes:

1. No.: Principles

Annex 1

III. Data Processing Principles

Below is a summary of the data processing principles that the Data Controller fully applies throughout the entire duration of data processing.

1. Lawfulness, Fairness, and Transparency: The personal data of the Data Subject are processed exclusively lawfully and fairly, and in a transparent manner towards the Data Subject. The Data Controller makes the current text of the Privacy Notice available free of charge, without obligation, and continuously accessible to the Data Subject. The Data Controller does not process the personal data provided for any unfair or additional purpose beyond those specified in this Notice and acts in accordance with this Notice and applicable laws during its data processing activities.

2. Purpose Limitation:The Data Controller processes personal data only for the clear and lawful purposes stated in this Notice. To ensure full transparency regarding each data processing purpose, the Data Controller provides information in this Notice about which personal data is processed for what purpose, for how long, and under what legal basis. These provisions are binding on the Data Controller.

3. Storage Limitation: The Data Controller stores personal data only in a form that permits identification of the Data Subjects for no longer than necessary for the purposes of the data processing. In case of data processing based on consent pursuant to Article 6(1)(a) of the GDPR, the Data Controller deletes the data upon withdrawal of consent. Personal data processed under legal obligation according to Article 6(1)(c) of the GDPR is kept for the duration prescribed by applicable law.

4. Data Minimization: The Data Controller aims to process only the personal data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. These are always the data necessary for each data processing purpose or required by law.

5. Accuracy: The Data Controller aims to keep recorded personal data accurate and up to date in relation to data processing purposes and takes reasonable steps to ensure this. Please notify the employer promptly if your personal data change.

6. Principle of Data Protection / Integrity and Confidentiality: The Data Controller prioritizes the protection of personal data provided and takes all necessary, reasonable, and up-to-date technical and organizational measures to prevent unauthorized access, unlawful data input, modification, or deletion. For paper records, data are stored in a secured area inaccessible to unauthorized persons.

7. Accountability: The Data Controller is responsible for and must be able to demonstrate compliance with the above principles.

[1] Act II of 2007 on the Entry and Residence of Third-Country Nationals (hereinafter referred to as: Entry and Residence Act, or Harm. Tv.)

[2] Government Decree No. 114/2007 (May 24) on the Implementation of Act II of 2007 on the Entry and Residence of Third-Country Nationals (hereinafter referred to as: Implementation Decree on Entry and Residence, or Harm. Vhr.)