Data Protection Information Notice for Applicants for Job Positions or Internship Programs
Name of the Data Controller: | BDO Magyarország Vagyonkezelő és Szolgáltató Kft. (hereinafter: the Data Controller), and the respective BDO Hungary Group member company advertising the position |
Registered Office: | 1103 Budapest, Kőér utca 2/A, Building C |
Company Registration Number: | Cg. 01-09-865069 |
Represented by: | Zoltán István Gerendy, Managing Director, acting independently |
Website: | https://www.bdo.hu |
Contact details regarding data protection: | 1103 Budapest, Kőér utca 2/A, Building C; adatkezeles@bdo.hu |
Brief introduction of the Data Controller:
The Data Controller is a business entity engaged in auditing, accounting, payroll, and related financial, legal, and compliance services. In order to carry out its tasks and provide its services, it periodically relies on recruitment activities and employs interns. In connection with the recruitment activities preceding employment, it processes personal data concerning the applicants, who are considered data subjects. The purpose of this privacy notice is to provide information on such data processing. In drafting this notice, special attention has been paid to clarity and transparency.
Should you have any further questions related to data protection, please do not hesitate to contact us via the above contact details.
KEY DEFINITIONS IN DATA PROCESSING
Below, we introduce basic terms that are essential for understanding this privacy notice. General definitions of data protection-related terms can be found in the subsequent sections of this notice.
Term | Definition |
GDPR | The abbreviation of the General Data Protection Regulation No. 2016/679, governing the processing and protection of personal data |
EDPB | The abbreviation of the European Data Protection Board, which interprets the provisions of the GDPR |
Data Controller | In this privacy notice, the Data Controller is BDO Magyarország Vagyonkezelő és Szolgáltató Kft., as it plays a key administrative role within the BDO Hungary Group. However, the BDO Hungary Group comprises several other economic entities, and thus, the relevant BDO Hungary group member company acting as a potential employer may also qualify as a Data Controller. In this respect, data may be transferred among the group members acting as joint controllers. |
BDO Hungary Group |
|
Recipient | Any external party (not part of the company’s internal organisational structure) to whom personal data is transferred. A recipient may act either as a data controller or a data processor. While the former (data controller) is an independent entity with its own decision-making powers and obligations under data protection law, the latter (data processor) acts under the instructions and supervision of the controller and is not permitted to process personal data for its own purposes. Typical recipients in this context include HR software providers, IT service providers, or external legal counsel. |
Data Subject | The natural person (the applicant) whose personal data is processed by the data controller. |
Labour Code (Mt.) | Act I of 2012 on the Labour Code of Hungary |
APPLICATION PROCESS
The Data Controller primarily makes its open positions available via its online platform: https://www.bdo.hu/hu-hu/karrier-a-bdo-nal. However, this Privacy Notice also extends to cases where an individual (data subject) contacts the Data Controller by email for the purpose of establishing an employment relationship or internship, or submits their application via email.
As a first step in the application – if carried out via the online platform – registration is required. To do this, you are required to provide at minimum your name, contact details (email address and phone number), and a password. The email address provided during registration must be verified by the applicant. Until verification has been completed, the registration cannot be used.
Following this, or as a separate step by clicking on the “Registration” tab, you may provide us with additional information relevant to establishing an employment relationship (identification data, contact details, residential address, qualifications, language proficiency, work experience, references, uploaded documents, etc.). Providing this data is voluntary, but it may serve your interests, as it enables us to better assess your suitability.
During the application process, information relating to the position (e.g. expected start date, salary expectation), the applicant’s professional qualifications, education, experience, and suitability are also processed.
Personal data is processed until the applications have been evaluated, the suitable candidate has been selected, and written notification thereof has been dispatched. Until that time, the legal basis for the processing is the consent of the data subject pursuant to Article 6(1)(a) of the GDPR, which may be withdrawn at any time without justification. In such cases, the Data Controller shall delete the electronically submitted application.
The Data Controller may request the data subject’s consent to retain the application for an additional period of one year. This typically occurs when the applicant was not selected for a given position, but the Data Controller, acting as the employer, would be open to establishing an employment relationship with the applicant in the event of future vacancies.
Following the selection, the Data Controller retains the application materials for an additional 3 years – the statutory limitation period for labour law claims (Section 286(1) of the Labour Code) – on the basis of legitimate interest under Article 6(1)(f) of the GDPR, and stores them separately. At this point, withdrawal of the application is no longer possible, but the data subject may object to the data processing on grounds relating to their particular situation.
In limited cases, your personal data may be transferred to third parties. For processing purposes, the Data Controller uses the “HR master” human resources software, provided by Evolution Consulting Kft. (Registered office: 3515 Miskolc, Egyetemváros AFKI building, 2nd floor; Company reg. no.: Cg.05-09-014424; Privacy Policy: https://hrmaster.hu/adatkezelesi-tajekoztato), acting as data processor.
BDO Magyarország Vagyonkezelő és Szolgáltató Kft. is also involved as a data processor, providing IT services, as well as Microsoft Corporation, primarily as the provider of email and office software services. Further details can be found in our summary below.
Please do not attach any photographs, document copies, or copies of personal identification to your application.
Purpose of the data processing: | Filling a vacant or newly created job or internship position, identifying and selecting the appropriate candidate, evaluating competencies, and potentially maintaining the data in a labour database for a limited time. |
Legal basis for the processing: | Consent pursuant to Article 6(1)(a) of the GDPR. Labour law claims become time-barred after three years in accordance with Section 286(1) of Act I of 2012 on the Labour Code. During this limitation period, the Data Controller stores application materials separately, based on legitimate interest pursuant to Article 6(1)(f) of the GDPR. |
Name of the legitimate interest: | Enforcement of labour law claims, documentation of the recruitment process, and the ability to demonstrate compliance with legal requirements. |
Categories of data subjects: | Natural persons submitting an application to the Data Controller are considered data subjects; their personal data is processed by the Data Controller (employer). |
Categories of personal data processed: | The name of the data subject, the minimum data required for registration (email address, password), other registration data and uploaded professional materials provided by the data subject, contact details, educational background, qualifications, professional experience, and other relevant personal data necessary for filling the position, as well as the name of the internal referee. Please DO NOT attach photocopies of documents, personal identification documents, or photographs as part of the application. Should the Data Controller receive such personal data, it will be deleted. |
Source of personal data: | The personal data is provided directly by the data subject and thus the data subject is considered the source of the personal data. |
Duration of data processing: | The employer retains the personal data for 3 years following the notification regarding the outcome of the application process, unless the applicant withdraws their consent before evaluation. In that case, the personal data will be deleted. It is possible that the Data Controller (as employer) may request renewed consent from the data subject to retain the personal data for an additional 2 years. The application materials of successful candidates become part of their employment documentation, for which a separate privacy notice will be provided to employees. |
Recipients (Entities to Whom Data May Be Disclosed): | The member company of the group advertising the position. Evolution Consulting Kft. (Registered office: 3515 Miskolc, Egyetemváros AFKI Building, 2nd floor, Company reg. no.: Cg.05-09-014424) as the provider of the HR master software, acting as data processor. Brussels Worldwide Services BV. The Data Controller uses Microsoft Corporation’s (WA 98052, Redmond, 1 Microsoft Way; Data Protection Officer: Jadzia Pierce – dpoffice@microsoft.com) email and office applications. |
Transfer to Third Countries: | Due to services provided by Brussels Worldwide Services BV, data transfers to third countries may occur. Microsoft Corporation is a third-country service provider but is a participant in the EU–U.S. Data Privacy Framework, and is therefore considered to have an adequate level of protection. |
Automated Decision-Making / Profiling: | Does not occur. |
Is Providing Data Mandatory? | Providing data is voluntary. However, the scope of the provided data may affect the eligibility of the application for evaluation. |
Consequences of Not Providing Personal Data: | In the absence of data provision, the job application may not be evaluated or may be inadequately assessed. |
RIGHTS OF THE DATA SUBJECT
Below we present the rights that the data subject—whose personal data is processed by the controller—may exercise in relation to the data processing:
The rights of data subjects in connection with data processing:
- the right to information,
- the right of access,
- in certain cases, the right to data portability (when data processing is based on the performance of a contract or consent),
- the right to rectification, deletion, and to request restriction of processing of personal data concerning the data subject,
- the right to object to the processing of personal data (in the case of processing based on legitimate interest),
- the right to lodge a complaint with the supervisory authority (National Authority for Data Protection and Freedom of Information: mailing address: 1055 Budapest, Falk Miksa u. 9-11., 1363 Budapest, P.O. Box: 9., phone: +36 (30) 683-5969, +36 (30) 549 6838, email: ugyfelszolgalat@naih.hu, website: www.naih.hu),
- and the right to turn to the court.
Finally, specific information must be provided to the data subject in the case of data processing based on automated decision-making or profiling.
Explanation of the above rights:
Right to information:
You may request information from the data controller regarding the processing of your personal data.
The data controller is obligated to provide you with all information concerning the processing of your personal data in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
The data controller provides the information without undue delay, but no later than within one month from the receipt of the request, in writing. At the data subject’s request, the information may be provided orally, provided that the identity of the data subject has been verified by other means.
If the request is complex or there are a large number of requests, the one-month deadline may be extended by two additional months. The data controller must inform the data subject of the extension and its reasons within one month from receiving the request. If the request was submitted electronically, the response should preferably be given electronically, unless the data subject requests otherwise.
If the data controller does not take action on the data subject’s request, it must inform the data subject without delay and no later than one month from receiving the request, about the reasons for not taking action and about the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy.
Right of access to personal data and information related to data processing:
The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning them are being processed, and if so, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing, and the right to object to such processing;
- the right to lodge a complaint with the supervisory authority (NAIH);
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The controller reiterates that personal data will not be transferred to a third country or to an international organization under any circumstances.
Right to obtain a copy:
The controller provides a copy of the personal data undergoing processing upon request by the data subject. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the request is submitted electronically, the information must be provided in a commonly used electronic form, unless otherwise requested.
However, the right to obtain a copy must not adversely affect the rights and freedoms of others.
Right to data portability:
The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, provided that:
- the processing is based on consent or on a contract, and
- the processing is carried out by automated means.
Where technically feasible, the data subject may request the direct transmission of personal data from one controller to another.
However, this right must not adversely affect the rights and freedoms of others.
Right to rectification:
The data subject has the right to request the rectification of inaccurate personal data concerning them without undue delay. Incomplete personal data must be completed, including by means of providing a supplementary statement.
Right to erasure (“right to be forgotten”):
The data subject has the right to request the erasure of personal data concerning them without undue delay, and the controller is obliged to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent (or explicit consent) on which the processing is based, and there is no other legal ground for the processing;
- the data subject objects to processing based on public interest or legitimate interest, and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes;
- the personal data have been unlawfully processed;
- the personal data must be erased to comply with a legal obligation under Union or Member State law applicable to the controller.
If the controller has made the personal data public and is obliged to erase them, it shall take reasonable steps, including technical measures, taking account of available technology and the cost of implementation, to inform other controllers processing the data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.
Data cannot be erased where processing is necessary for:
- exercising the right of freedom of expression and information;
- compliance with a legal obligation requiring processing by Union or Member State law applicable to the controller, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- reasons of public interest in the area of public health;
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes if the right to erasure would seriously impair or render impossible the achievement of the objectives of that processing;
- the establishment, exercise, or defense of legal claims.
Right to restriction of processing:
The data subject has the right to obtain restriction of processing from the controller where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims;
- the data subject has objected to processing; in this case, the restriction applies for the period until it is verified whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
The controller must inform the data subject before lifting the restriction of processing.
Right to object to processing:
The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on legitimate interest or the performance of a task carried out in the public interest or in the exercise of official authority.
If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In other cases, the controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
Right to lodge a complaint:
The data subject has the right to lodge a complaint with the supervisory authority if any of the above rights are infringed.
The supervisory authority is the National Authority for Data Protection and Freedom of Information (mailing address: 1055 Budapest, Falk Miksa u. 9-11., 1363 Budapest, P.O. Box: 9., phone: +36 (30) 683-5969, +36 (30) 549 6838, email: ugyfelszolgalat@naih.hu, website: www.naih.hu), where you can lodge a complaint or submit a report indicating that your personal data has been unlawfully processed or there is a direct risk thereof, or if any of your rights have been violated.
We also inform you that you may turn directly to the courts if your rights regarding the processing of personal data have been violated or are at direct risk of being violated.
You may also express your remarks, questions, or complaints through our data protection contact.
LEGISLATION, DEFINITIONS AND PRINCIPLES
Relevant Legislation
The following are the key pieces of legislation that fundamentally determine the manner in which personal data is processed, and the rights and obligations of the parties:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – GDPR)
For interpretation of the rules, the following may provide assistance:
- Opinions of the European Data Protection Board (https://edpb.europa.eu)
- Guidelines of the European Data Protection Supervisor (https://edps.europa.eu)
- Decisions, opinions, and ad hoc resolutions of the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) (www.naih.hu)
- Decisions of the Court of Justice of the European Union (https://curia.europa.eu)
- Decisions of supervisory authorities of Member States
The applicable legal regulations are available free of charge at the National Legislation Database (https://www.njt.hu), and via the European Commission’s legal portal (EUR-Lex).
Definitions
The purpose of the definitions is to clarify who the subjects of the regulation are and what specific meanings are assigned to certain terms within the regulatory framework. The most important terms are as follows:
- "Personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Health data": personal data related to the physical or mental health of a natural person, including data relating to the provision of healthcare services which reveal information about that person’s health status.
- "Genetic data": personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from the person in question.
- "Biometric data": personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
- "Sensitive data": a category of personal data established in data protection practices and case law, involving increased risk in processing, although not qualifying as special category data or criminal data. This includes, for example, bank card information, data relating to minors, geolocation data, interests, data potentially harmful to one’s reputation, or the combination of many data types.
- "Processing": any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Restriction of processing": the marking of stored personal data with the aim of limiting their processing in the future.
- "Controller": the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- "Processor": a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- "Recipient": a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
- "Third party": a natural or legal person, public authority, agency or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- "Profiling": any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
- "Pseudonymisation": the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
- "Filing system": any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
- "Consent of the data subject": any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- "Data breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- "Undertaking": a natural or legal person engaged in an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in economic activity.
- "Supervisory authority": an independent public authority established by a Member State pursuant to Article 51.
In this case, the supervisory authority is the Hungarian National Authority for Data Protection and Freedom of Information (1363 Budapest, Pf.:9., ugyfelszolgalat@naih.hu).
Principles of Data Processing
The processing of personal data must be carried out, and is carried out by the Controller, in accordance with the following principles:
a) Lawfulness, fairness and transparency – Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject;
b) Purpose limitation – Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) Data minimisation – Processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) Accuracy – Personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data are erased or rectified without delay;
e) Storage limitation – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; longer storage is permitted only for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to appropriate safeguards;
f) Integrity and confidentiality – Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The Controller is responsible for compliance with these principles and must be able to demonstrate such compliance (accountability principle).
Date of last modification of this privacy notice: August 1, 2025