Privacy Policy

1. THE COMPANY

The basic company data of DNXperts Solution Korlátolt Felelősségű Társaság (hereinafter referred to as: Company)

company registration number: 07-09-029169,
registered address: 8000 Székesfehérvár, Álmos vezér utca 6.,
personal data of the representative of the Company: Szalai Dániel managing director (mother’s maiden name: Szilasi Erzsébet, address: 8127 Aba, Kölcsey utca 26.).

2. THE BASIC LEGAL REGULATIONS

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and ont he free movement of such data (hereinafter referred to as: Regulation),
• Act CXII. of 2011. ont he right of informational self-determination and on freedom of information (hereinafter referred to as: Information Act),
• Act I. of 2012. on the Labour Code (hereinafter referred to as: Labour Code),
• Act CXVII. of 1995. on the personal income tax (hereinafter referred to as: PIT Act),
• Act LXXXIII. of 1997. on compulsory healthcare provisions (hereinafter referred to as: Healthcare Act),
• Act LXXXI. of 1997. on social pension provisions (hereinafter referred to as: Pension Act),
• Act LXVI. of 1995. on public documents, archives and on the protection of documents in private archives (hereinafter referred to as: Archives Act),
• Act CL. of 2017. on the order of taxation (hereinafter referred to as: Taxation Act),
• Act LIII. of 1994. on the execution of court orders (hereinafter referred to as: Execution Act).

3. THE SCOPE AND EFFECT OF THE PRIVACY POLICY

A) The scope and effect of the Privacy Policy in relation with the experts

The Company operates the Techysium internet portal that is accessible at www.techysium.com. The Techysium internet portal is a website that enables enterprises performing or ordering IT development services to recruit and contract teams of experts from the set of experts who are registered to the portal.

The aim of the Privacy Policy is:

- to regulate the handling of electronic documents containing personal data that are administered online,
- to ensure that the constitutional principles of data protection and data security prevail in the data handling procedures of the Company,
- to prevent the illegal modification or publication of personal data and the access of personal data by unauthorised entities.


The material effect of the Privacy Policy covers all data processing activities of the Company that relate to personal data.

The personal effect of the Privacy Policy covers all employees and contractors of the Company performing data processing activities, to the extent regulated in the respective contracts.

The effect of the Privacy Policy also covers the usage of the database possessed by the Company, furthermore all communications and contracts between the company and the affected private persons. Affected private persons are all private persons, whose personal data are processed by the Company.

By registering to Techysium portal the experts voluntarily give their consent to the processing and forwarding of their personal data according to the regulations of the Privacy Policy.

B) The scope and effect of the Privacy Policy in relation with the employees

The aim of the Privacy Policy is:

- to regulate the handling of electronic and printed documents containing personal data relating to employees of the Company,
- to ensure that the constitutional principles of data protection and data security prevail in the data handling procedures of the Company,
- to prevent the illegal modification or publication of personal data and the access of personal data by unauthorised entities.

The material effect of the Privacy Policy covers all data processing activities of the Company that relate to personal data of the employees.

The personal effect of the Privacy Policy covers all employees of the Company and Centrum Audit-V Kft. as accountant of the Company, to the extent regulated in the respective contract on accounting services.

The Privacy Policy is effective from 15th January 2019.

4. DEFINITIONS

„expert”: any natural person, who uses the services of the Company in order to participate in IT projects;

„client”: any business enterprise that uses the services of the Company in order to contract experts to IT projects;

„employee”: any natural person employed by the Company;

„personal data”: data relating to the data subject, in particular by reference to the name and identification number of the data subject or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data in regard to the data subject;;

„data processing”: any operation or the totality of operations performed on the data, irrespective of the procedure applied; in particular, collecting, recording, registering, classifying, storing, modifying, using, querying, transferring, disclosing, synchronising or connecting, blocking, deleting and destructing the data, as well as preventing their further use, taking photos, making audio or visual recordings, as well as registering physical characteristics suitable for personal identification (such as fingerprints or palm prints, DNA samples, iris scans);

„restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future;

„pseudonymisation”: the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

„filing system”: any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

„controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or member state law, the controller or the specific criteria for its nomination may be provided for by EU or member state law;

„processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

„recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with EU or member state law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

„third party”: any natural or legal person, or organisation without legal personality other than the data subject, the data controller or the data processor;

„the data subject’s consent”: any freely and expressly given specific and informed indication of the will of the data subject by which he signifies his agreement to personal data relating to him being processed fully or to the extent of specific operations;

„data incident”: the unlawful processing or process of personal data, in particular the illegitimate access, alteration, transfer, disclosure, deletion or destruction as well as the accidental destruction or damage;

„genetic data”: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

„biometric data”: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

„data concerning health”: personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

„main establishment”:
a) as regards a controller with establishments in more than one EU member state, the place of its central administration in the EU, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;
b) as regards a processor with establishments in more than one EU member state, the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under the Regulation;

„representative”: means a natural or legal person established in the EU who, designated by the controller or processor in writing, represents the controller or processor with regard to their respective obligations under the Regulation;

„supervisory authority”: an independent public authority which is established by an EU member state;

„supervisory authority concerned’: means a supervisory authority which is concerned by the processing of personal data because: a) the controller or processor is established on the territory of the member state of that supervisory authority; b) data subjects residing in the member state of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or c) a complaint has been lodged with that supervisory authority;

„cross-border processing”:
a) processing of personal data which takes place in the context of the activities of establishments in more than one member state of a controller or processor in the EU where the controller or processor is established in more than one member state; or
b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the EU but which substantially affects or is likely to substantially affect data subjects in more than one member state.

5. THE LEGAL GROUND OF DATA PROCESSING

Expert

Data processing on the basis of the voluntary consent of the data subject: The Company processes personal data only with the preliminary consent of the data subject (Regulation, Article 4 clause 11.). The Company does not process special personal data in relation with the experts (Regulation article 9.).

Data processing due to the fulfillment of legal obligations:

Employee

Data processing on the basis of the voluntary consent of the data subject: The Company processes personal data only with the preliminary consent of the data subject (Regulation, Article 4 clause 11.). The Company does not process special personal data in relation with employees (Regulation article 9.).

Data processing due to the fulfillment of legal obligations takes place with respect to the following legal regulations:

Processing of phone number and e-mail address
• Labour Code 9. § and 10. §
Reporting in relation with employment relationship
• PIT Act Annex 1. point 3.
Accomodation support
• PIT Act –Annex 1. point 9.7.4. and 9.7.6.
Reporting in relation with health insurance
• Health insurance Act 79. § (2)
Justification of employment term
• Pension Act 43. §
Storage of documents
• Archives Act 4. §
Reporting to tax authority
• Taxation Act 41. § [Reporting of foreign natural persons], 92. § [Reporting concerning documents relating to tax benefits]
Usage of electronic survey devices (camera system)
• Privacy Act 28. § (2) point d) pont and 31.§ (1) and (2)
Execution of payment obligations ordered by court
• Execution Act 25. §

6. THE PRINCIPLES OF DATA PROCESSING

Personal data can be processed only for specific purposes, in order to facilitate the practicing of rights or the fulfillment of obligations. Data processing shall always comply with the specific purpose and the controlling of personal data shall be fair and legal in all aspects.

Only those personal data shall be processsed that are indispensable and suitable for the fulfillment of the specific purpose. Personal data shall only be processed to the extent and duration that is necessary for the fulfillment of the specific purpose.

The company shall record all data processing performed by the Company. The Company shall ensure that the personal data provided by the data subjects are processed confidentially and in line with the effective EU and member state regulations.

VII. DATA PROCESSING METHODS, DEADLINES RELATING TO DATA PROCESSING

Expert

The Company possesses and controls the database that contains the personal data of data subjects. The personal data controlled by the Company consist of data provided by the data subjects (eg. data provided in the CV and other written materials, data provided at interviews). The personal data of the data subject are processed in order to facilitate the selection of the experts by the clients of the Company.

In the course of the registration process the expert provides the following data to the Company:

Name,
Place of birth,
Date of birth,
Mother’s name,
Profile's picture,
Tax registration number,
Social security number,
Number of document proving education.

Synchronisation

The synchronisation of the project defined by the client with the expert possessing the required skills takes place on the basis of personal data provided by the expert and stored in the database of the Company. Synchronisation is performed partially automatically, by an algorythm developed by the Company, and partially manually, by advisors employed by the Company.

Selection

The client is entitled to appoint experts from the database of the Company for interview.

Position interview

The advisors of the Company are entitled to make interviews with the experts and record information concerning the experts, which are relevant to the position, but are not available in the database of the Company. The above written recording of data is performed on the basis of the voluntary consent of the data subject. The recorded personal data will only be added to the database if they provide information that is relevant to future position offers.

Update of personal data

In the course of interviews the advisors of the Company make updates to the personal data listed in the database. In case the content of the database differs from the actual status, the data listed in the database shall be corrected by the advisors. The above written update of personal data takes place on the basis of the voluntary consent of the data subject.

Transfer of data to third parties

The transfer of personal data to contractual partners of the Company takes place on the basis of the voluntary consent of the data subject.

The data of the contractual partners:

Company name: DNXperts Solution LTD,
Registered address: 20-22 WENLOCK ROAD, LONDON, N1 7GU.,
Company registration number: 11494277,
Tax registration number: 305 4854 10,
Phone number: +36 20 413 8923,
E-mail: dnx@techysium.com.

Electronic newsletters:

The Company is entitled to send electronic newsletters on the basis of the voluntary consent of the recipients. The types of newsletters:

• Group e-mails,
• E-mails dedicated to individual recipients.

The deadline of data processing:

Personal data that the Company processes on the basis of the consent of the data subject are stored until the withdrawal of the consent or until the ceasing of the legal interest that backs up the storage of the data.

In case the status of the data subject has been inactive for a period exceeding 5 years (the data subject does not react to the notifications of the Company and does not provide an updated CV to the Company) the personal data of the data subject shall be deleted from the database of the Company.

EMPLOYEE

The personal data of the employee that the Company processes before the conclusion of the work contract:

Curriculum vitae (CV)

If the employee is selected for a position or if the Company refuses the application, the CV of the employee shall be deleted. The process of deletion is regulated in section 15. of the Privacy Policy.

Data processing on the basis of legal regulations stated in section 6. of the Privacy Policy:

The Company shall report the employment relationship to the electronic system of the tax authority before the commencement of work.
The data required for the reporting of employment relationship:
Name of employee,
Place of birth,
Date of birth,
Mother’s name,
Tax registration number,
Social security number,
Number of document proving education.

In order to facilitate the provision of health security benefits the National Health Security Authority requires:

the address of the employee.

Work contract, calculation of wages and other appurtenances:

Processing of documents (eg. work contracts, modifications of work contracts, payroll calculations) relating to the emplyment of the data subject:

According to section 4. of Act LXVI. of 1995. all documents relating to the reporting of employment and relating to payroll calculations shall be stored until the employee reaches pensioner status. The documents containing personal data of the employees shall be stored in closed file cabinets and the Company shall ensure the security of the files.

The documents containing personal data of the employees shall only be handled by the office manager of the Company, who is empowered to get acquainted with the personal data. In order to fullfill the task of data management the office manager is entitled to copy and transfer the documents to competent authorities.

The Company forwards documents containing personal data of the employees to third parties only with the voluntary consent of the data subject.
The Company destructs documents containing personal data of the employees according to section 15. of the Privacy Policy.

Information sheets, scopes of activities:

The office manager of the Company is empowered to process the information sheets and scopes of activities relating to employment relationships.

After the termination of the employment relationship the Company deletes the electronic documents containing information sheets and scopes of activities and the Company destructs such printed materials according to section 15. of the Privacy Policy.

The contact data of the employee:

In order to facilitate that the Company is able to contact the employee as stated in the Labour Act, the following contacts of the employee are required:

• Phone number,
• E-mail address;

The office manager of the Company is empowered to process the phone numbers and e-mail addresses of the employees.

After the termination of the employment relationship the Company deletes the electronic documents containing phone numbers and e-mail addresses of the employees and the Company destructs such printed materials according to section 15. of the Privacy Policy.

The personal data that have been recorded in the course of medical investigations necessary for employment:

The medical data of the employee classify as special personal data (Article 9. of the Regulation). The Company is entitled to process special personal data with the voluntary consent of the data subject (Article 9. clause (2) subclause a) of the Regulation).

The contracted doctor of the Company is empowered to to process the medical data of the employees. The medical data of the employees shall be stored in a closed file cabinet in the registered office of the Company. The contracted doctor of the Company is exclusiely entitled to access the above written medical data.

The contracted doctor forwards the results of medical investigations necessary for employment to the Company. Simultaneously, the contracted doctor informs the Company whether the medical condition of the employee is suitable / unsuitable / suitable with limitations for the respective position.

The information concerning the medical condition of the employee shall be processed by the office manager of the Company. The office manager shall not forward the information to any third party.

The information concerning the medical condition of the employee shall be destructed according to section 15. of the Privacy Policy.

THE ACCOUNTANT

The payrolls of the employers are drawn up and processed by Centrum Audit-V Kft. as the accountant (hereinafter referred to as: Accountant) of the Company. The Accountant receives in electronic format the personal data of the employees stated on the personal datasheet. After the usage of the personal data stated on the personal datasheet, the Accountact deletes the datasheet. The Accountant forwards personal data to third parties only in cases prescribed by law.

After the closing of every business year the Accountant shall return all printed materials containing personal data of employees. According to section 4. of Act LXVI. of 1995. all payroll documents containing personal data of the employees shall be stored until the employee reaches pensioner status. The documents containing personal data of the employees shall be stored in closed file cabinets and the Company shall ensure the security of the files. The office manager of the Company is empowered to process the above written documents.

The work contract of the office manager contains all necessary confidentiality regulations relating to the processing of the personal data of employees.

The data subject is entitled to inspect the documents containing his/her personal data, to request copies of the documents and to request the forwarding of the documents to authorities.

The documents containing personal data of the employees can be forwarded to third parties only at the request of the data subject or with the voluntary consent of the data subject or in cases prescribed by law.

The Company manages the destruction of the above written documents according to section 15. of the Privacy Policy

8. REGULATIONS CONCERNING COOKIES

The Company uses cookies at the www.techysium.com website.

9. REQUIREMENT OF THE PROVISION OF PRELIMINARY INFORMATION TO THE DATA SUBJECT

Before the commencement of data processing the data subject shall be informed in detail about all important facts relating to data processing, especially about the aim and legal ground of data processing, the entities participating in data processing, the duration of data processing and also about the entities that get acquaintance to the data. The provided information shall also include notification concerning the rights and remedies of the data subject with respect to data processing.

THE EXPERT

The regulations concerning the personal data of the Experts are drawn up in the Privacy Policy, which shall be made available on the website of the Company. The link leading to the Privacy Policy shall also appear on the electronic newsletters of the Company.

In case of an interview the Company shall provide verbal information to the Expert concerning the content of the Privacy Policy and the availability of the Privacy Policy on the website of the Company. On the website the Company also offers opportunity for the Expert to give voluntary consent to data processing.

EMPLOYEE

Before the commencement of data processing the data subject shall be informed in detail about all important facts relating to data processing, especially about the aim and legal ground of data processing, the entities participating in data processing, the duration of data processing and also about the entities that get acquaintance to the data. The provided information shall also include notification concerning the rights and remedies of the data subject with respect to data processing.

The regulations concerning the processing of personal data of the employee are drawn up in the Privacy Policy. Simultaneously with the signing of the work contract the Privacy Policy shall be handed over to the employee.

10. THE RIGHTS OF THE DATA SUBJECT AND THE ENFORCEMENT OF THE RIGHTS

10.1 Right to information

At the request of the data subject the Company shall inform the data subject about the personal data processed by the Company, the source of personal data, the aim, legal ground and duration of data processing, the name, address and data processing activities of the data processor, and in case of data transfer also about the legal ground of the transfer and the recipient of the transferred data.

The Company shall provide the above stated information in written form, latest within 25 days after the reception of the request. The Company shall not charge any fee for the provision of the information.

In case the Company refuses to provide the requested information the data subject should receive a written notice of the refusal including a reference to the legal ground of the refusal. In case of such refusal the Company shall inform the data subject about his/her right to initiate a court procedure or to contact the National Authority for Data Protection and the Freedom of Information (address: 1024 Budapest, Szilágyi E. fasor 22/C., www.naih.hu). The Company shall also inform the Authority about the refused requests on an annual basis, before 31st January of each year.

10.2 Correction, deletion

In case any data processed by the Company is incorrect and the correct data are accessible, the Company shall make the correction to the data. In case the data subject becomes aware of any incorrect data, the data subject is also entitled to request correction.

The Company shall delete the processed personal data in case
a) the processing of the data is illegal;
b) the data subject requests the deletion of the data, except for cases when the Company is obliged by law to store the data;
c) the processed data areincomplete and/or incorrect and the complete and/or correct data cannot be restored, except for cases when the Company is obliged by law to store the data;
d) the aim of data processing ceased or the duration of data processing expired;
e) any court or other authority ordered the deletion of the data.

In case the Company refuses to perform the correction or deletion according to the request of the data subject, within 25 days from the reception of the request by the Company the data subject should receive a written notice of the refusal, including a reference to the legal ground of the refusal. In case of such refusal the Company informs the data subject about his/her right to initiate a court procedure or to contact the competent data protection authority.

10.3 Access to personal data

The data subject is entitled to have access to all his/her personal data processed by the Company.

10.4 Handover of personal data

At the request of the data subject the data processor is obliged to hand over the processed personal data to the data subject in a widely used electronic format that is comprehesible by the data subject.

10.5 Objections

The data subject is entitled to object against the processing of his/her personal data and request the termination of data processing and the deletion of the processed personal data.

In case the Company refuses to accept the objection or refuses to terminate data processing and the deletion of the processed personal data, within 25 days from the reception of the request by the Company the data subject should receive a written notice of the refusal, including a reference to the legal ground of the refusal. In case of such refusal the Company informs the data subject about his/her right to initiate a court procedure or to contact the competent data protection authority.

10.6 Restriction of data processing

The data subject is entitled to request the restriction of data processing in relation with his/her personal data. In this case the Company shall mark the stored personal data with the aim of limiting their processing in the future for a definite or indefinite period of time.

In case the Company refuses to perform the limitation according to the request of the data subject, within 25 days from the reception of the request by the Company the data subject should receive a written notice of the refusal, including a reference to the legal ground of the refusal. In case of such refusal the Company informs the data subject about his/her right to initiate a court procedure or to contact the competent data protection authority.

11. DATA PROCESSING REGISTER

In order to ensure the transparency of the processing of personal data the Company shall apply a data processing register. The register shall contain:
a) the aim of data processing,
b) the legal ground of data processing,
c) the definition of data subjects,
d) the description of personal data affected by data processing,
e) the source of personal data,
f) the duration of data processing,
g) the types of data forwarded to third parties, the recipient of the data and the legal ground of forwarding, including transfer of data to third countries,
h) the name and address of the data processor, the place of data processing and the activities performed in the course of data processing,
i) the technological characteristics of data processing.

12. DATA INCIDENT

The Company shall record all data incidents that occur in relation with the data processing of the Company. The record shall contain the list of personal data and data subjects affected by the incident, the date, circumstances and effects of the incident and the measures taken to restore the lawful state of affairs. At the request of the data subject the Company shall inform the data subject about the content of the record relating to the data subject within 30 days from the reception of the request.

13. DATA SECURITY REGULATIONS

Basic security principles:

Personal data shall be secured against unauthorised access, modification, transfer, publication, deletion, destruction and/or damages.

The Company uses softwares and online solutions that operate according to the prescriptions of the Regulation.

The regulations relating to the processing of personal data of the experts

The Company performs electronic data processing concerning the personal data of the Experts only on electronic devices operated by the Company. On these devices the Company uses and regularly updates security softwares and firewall as prescribed in the Regulation.

During the work process the employees of the Company shall use IT devices that are secured by password. In case the employees leave their place of work, they shall always lock their IT devices.

The employees of the Company shall not use open wi-fi network in connection with the processing of personal data.

Definitions of access rights, passwords:

The Company shall draw up a regulation relating to the operation of the IT system. The definition of the access rights of the employees and the regulations relating to the privacy of passwords shall be laid down in the IT regulation of the Company.

14. SECURITY MEASURES RELATING TO MANUALLY PROCESSED PERSONAL DATA:

Security measures relating to fire and burglary: all documents, reports and devices that contain personal data shall be stored at closed, dry places that are equipped with fire and burglary alarm system.

Security measures relating to illegal access: Only those employees and contractors of the Company are entitled to access the personal data, who have the necessary empowerment to perform data processing and whose activities are regulated by respective contracts.

Security measures relating to human risk: The Company reduces the human risk by education of the staff and by the introduction of legal regulations describing proper practices. In order to reduce human risk the Company introduces the regulations of the Privacy Policy to the employees and contractors, moreover the Company regularly provides information to the employees concerning data protection obligations.

The destruction of paper debris containing personal data: The Company manages the professional handling and destruction of papeAdatvédelmi szabályzatr debris containing personal data. The paper debris can be destructed after the term of data handling has expired or if the content of the documents prove to be invalid or incorrect. The destruction of paper debris takes place by using a shredder. In order to register the destruction of the paper waste, the Company shall draw up a protocol, which contains the following data: The name of the data subject,
The decription of the destructed document,
The date of destruction.

15. THE COMPANY DATA AND CONTACT DATA OF THE DATA PROCESSORS

Company name: DNXperts Solution Korlátolt Felelősségű Társaság Registered address: 8000 Székesfehérvár, Álmos vezér utca 6.
Company registration number: 07-09-029169,
Tax registration number: 26390112-2-07,
Phone number: +36 20 413 8923,
E-mail: info@techysium.com