Data Protection Information Notice for Applicants for Job Positions or Internship Programs

The BDO Hungary group of companies considers it important to respect and enforce the rights related to the processing of personal data of natural persons applying for job or internship positions advertised at any of its member companies, and in the course of its data processing acts in accordance with the material and procedural rules of the applicable legislation and its internal regulations. The rules governing data processing are primarily included in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (hereinafter: “Regulation”), and Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.

The purpose of this data protection information notice is to inform the data subjects about the data processing practices described in the title carried out by the BDO Hungary group of companies.

The unified information notice regarding all data processing activities of the BDO Hungary group of companies is available at the following link: Data Protection Declaration – BDO

1. Definitions

Data subject: For the purposes of this notice, the natural person who applies for a job or internship position advertised by any company of the BDO Hungary group.

Data controller: For the purposes of this notice, primarily BDO Hungary Holding and Service Limited Liability Company (registered office: 1103 Budapest, Kőér utca 2/A.; company registration number: Cg.01-09-865069; tax number: 13627289-4-42; contact: BDO Office Management; Email: office@bdo.hu; hereinafter: “BDO Holding”).

Joint controllers: Given that the purposes and means of processing are jointly determined, the following entities are joint controllers regarding the data processing described in this notice:

• BDO Magyarország Vagyonkezelő és Szolgáltató Kft.
• BDO Magyarország Adótanácsadó Kft.
• BDO Magyarország Könyvvizsgáló Kft.
• BDO Magyarország Könyvelő és Bérszámfejtő Kft.
• BDO Magyarország Digitális Szolgáltatások Kft.
• BDO Legal Jókay Ügyvédi Iroda
• BDO Pénzügyi Tanácsadó Zrt.
• BDO Magyarország ESG Tanácsadó Kft.
• BDO Magyarország FDI Tanácsadó Kft.

(hereinafter collectively referred to as: “BDO”, or depending on context, the relevant BDO member company: “BDO Member Company” or “Data Controller”).

The above-named joint Data Controllers have designated BDO Holding as the primary Data Controller responsible for the lawfulness and security of data processing. Data subjects can primarily enforce their rights against BDO Holding, which also acts in interactions with data subjects. Data subjects may contact BDO Holding using the above contact details.

If the data subject applied for a specific position at BDO, then BDO Holding and the BDO Member Company advertising the position act jointly as joint controllers. In this case, the personal data of the data subject is only transferred to another BDO Member Company if the data subject has given prior consent.

2. Data Processing

Legal basis for processing: The data subject’s (applicant’s/candidate’s) consent [GDPR Article 6(1)(a)].

Providing consent for data processing is not obligatory, but without it BDO cannot assess the application. If the data subject gives consent, it can be withdrawn at any time without justification, but withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.

Categories of processed data based on the submitted application: name, birth name, date of birth, mother’s maiden name, address, education and language skills, photo, and other data provided by the data subject (e.g., health-related data).

Purpose of data processing: Selection of suitable future employees to fill vacant job positions.

Further purpose after evaluation of the application for unsuccessful candidates, if separately consented to by the data subject: direct contact for further job opportunities.

Duration of data processing:

  • If the application was unsuccessful: up to 90 days after the decision.

  • If the data subject has separately consented or has not applied for a specific position: two years from receipt.

  • If the data subject registered on the BDO online career portal: until withdrawal of consent (until registration is deleted).

  • If the data subject gave consent only verbally (e.g., applied by phone), and BDO did not obtain written or electronic confirmation: up to 90 days from the recording of data.

  • If the application was successful for a position at a BDO Member Company, BDO will process the data necessary for establishing and maintaining the employment relationship according to a separate privacy notice.

Source of data: BDO may obtain the personal data of the data subject directly from the data subject (via the email address on the website or by mail), via a recruitment agency, or through a job portal used by BDO.

Method of data storage: Electronically and/or on paper.

Automated decision-making, profiling: The Data Controller does not perform profiling nor make decisions based solely on automated data processing.

Data transfers: The Data Controller does not transfer personal data to third parties. BDO does not transfer data subjects’ data to data controllers outside the EU.

If the data subject applies for an internship, the selected individual’s data may be transferred, with their consent, to the chosen cooperative association or other employer.

3. Rights of Data Subjects and Their Enforcement

Right of access: The data subject has the right to request information about the characteristics of data processing as defined in Articles 13 and 14 of the GDPR, which BDO fulfills through this Privacy Notice.

The data subject has the right to access data processed about them by BDO (i.e., may inquire whether processing is ongoing and, if so, access the personal data and the information under Article 15 of the GDPR).

The data subject may request a copy of the personal data processed. The first copy is free of charge; BDO may charge a reasonable fee based on administrative costs for additional copies. If the request is submitted electronically, the information will be provided in an electronic format, via a secure, password-protected channel, unless the data subject requests otherwise.

Right to rectification: The data subject has the right to request correction of inaccurate data.

Right to erasure: In certain cases, the data subject has the right to request the deletion of their personal data, and the Data Controller is obliged to delete such data. Data cannot be deleted if processing is required to fulfill obligations under EU or Member State law applicable to the Data Controller.

Right to restriction of processing: In certain cases, BDO does not delete data but limits processing to storage only.

Right to data portability: The data subject has the right to receive their data processed by BDO in a structured, commonly used, machine-readable format and transmit it to another controller or request direct transfer to another controller.

Right to object: The data subject may object to processing of their personal data if:

  • it is based on legitimate interest; in this case, processing must cease unless overriding compelling legitimate grounds justify it, or it is necessary for legal claims;

  • it is for or related to direct marketing purposes; in such case, processing must stop.

Enforcement of data subject rights
If the data subject notifies the Data Controller of their intent to exercise a right, the Data Controller shall inform them of the action taken without undue delay, but no later than one month from receipt of the request. If no action is taken, the Data Controller shall inform the data subject accordingly.

4. Legal Remedies

If the data subject has any complaints regarding their personal data, they may contact BDO using the contact information provided in this notice for prompt amicable resolution. If the complaint is unsuccessful, the data subject may lodge a complaint with the data protection authority [Hungarian National Authority for Data Protection and Freedom of Information, 1055 Budapest, Falk Miksa u. 9-11.; Mailing address: 1363 Budapest, Pf.: 9.; Phone: +36 1 391 1400, +36 (30) 683-5969, +36 (30) 549-6838; Fax: +36 1 391 1410; Email: ugyfelszolgalat@naih.hu; Website: http://www.naih.hu], or with the competent court based on their residence or place of stay.