Privacy Policy
1. Introduction
Meijer&Co Korlátolt Felelősségű Társaság (registered office: 1065 Budapest, Révay köz 4.; company registration number at the Budapest Metropolitan Tribunal: 01-09-375152; hereinafter: the “Data Controller”) pays special attention to ensuring that its activities comply with the applicable legal requirements, particularly with regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the “Regulation” or “GDPR”) and the provisions of Act CXII of 2011 on the right to informational self-determination and freedom of information.
The Data Controller aims to ensure the transparency of its data processing activities with this privacy policy (hereinafter: “Privacy Policy”) and to inform all individuals subject to its data controlling activities about their rights concerning informational self-determination in relation to the recruiting and job placement activities of the Data Controller.
The data processing affects those natural persons who take part in the recruitment and job placement process as job applicants and candidates (hereinafter: the “Data Subjects”).
2. Scope of the Privacy Policy
This Privacy Policy applies to data processing related to the recruitment and job placement services of the Data Controller, which includes the collection, storage and sharing of the personal data of candidates with its potential employers and the contractual partners of the Data Controller. The personal data is processed digitally and stored securely in the IT system of the Data Controller.
The data processing relates to the following activities of the Data Controller: (i) processing of applications of the candidates; (ii) undertaking job interviews; (iii) transferring job opportunities to the candidates; (iv) processing of personal data of contractual contact persons, (v) maintaining a talent register, (vi) transfer of data to the contractual partners of the Data Controller, (vii) use of personal data for keeping accurate records and minutes of meetings with candidates (AI note-taking and voice recording) and (viii) contacting reference persons (reference check).
3. Principles of Data Processing
During data processing, the Data Controller is required to act in good faith and fairness, cooperating with the Data Subjects, and strive to conduct data processing activities in a transparent manner (principle of lawfulness, fairness, and transparency).
The Data Controller collects personal data only for specific, explicit, and legitimate purposes, and they process the Data Subjects’ data in a manner consistent with the purposes defined in this Privacy Policy. The Data Controller deletes personal data whenever the purpose of data processing ceases to exist, when deletion is a legal obligation, or if there is no legitimate interest in retaining and processing the data further (principle of purpose limitation).
The Data Controller ensures that personal data collected about Data Subjects is relevant to the purpose of processing and take measures to limit the scope of processed personal data to what is strictly necessary. The Data Controller does not process data that is unnecessary for the intended purpose. Additionally, whenever possible, the Data Controller aims to minimize data processing, considering the capabilities of their IT systems and the necessity of achieving their data processing objectives (principle of data minimization).
The Data Controller takes all reasonable measures to promptly delete or rectify inaccurate personal data based on the Data Subjects’ requests, ensuring the accuracy and up-to-date status of the data (principle of accuracy).
The Data Controller establishes retention periods to ensure that personal data is stored only for the necessary duration (principle of storage limitation).
The Data Controller protects personal data against unauthorized access, modification, transmission, disclosure, deletion, or destruction, as well as against accidental loss, damage, or technological obsolescence that could make the data inaccessible (principle of integrity and confidentiality).
Considering the state of the art, implementation costs, nature, scope, circumstances, and purposes of data processing, along with the risks to the rights and freedoms of the Data Subjects, the Data Controller implements appropriate technical and organizational measures. These measures are designed to ensure compliance with data protection principles, fulfill the requirements of the Regulation, and incorporate necessary safeguards for protecting the rights of the Data Subjects throughout the data processing operation (principle of accountability).
4. Purpose of data processing
4.1. In respect of the processing of applications of the candidates, the purpose of data processing is that the Data Controller can review CVs, and contact the candidates related to the consideration and transferring of the application, in order to fill the empty position at the potential employer.
4.2. In respect of undertaking job interviews, the purpose of the data processing is that the Data Controller can carry out the job interview, and to transfer the result of it to potential employers.
4.3. In respect of transferring job opportunities to the candidates, the purpose of the data processing is that Data Controller can identify the job opportunities pursuant to the search criteria, and to contact with the candidate in this respect.
4.4. In respect of processing of personal data of contractual contact persons, the purpose of the data processing is that the Data Controller can keep contact with the employer and perform its obligations pursuant to the contracts concluded with the employers.
4.5. In respect of maintaining a talent register, the purpose of the data processing is that the Data Controller can maintain an up-to-date talent register, and due to this it can provide services with sufficient quality to its clients. It is also the purpose of the data processing that in the case of a sufficient job opportunity, the Data Controller can inform candidates about the job opportunity.
4.6. In respect of transfer of data to the contractual partners of the Data Controller, the purpose of the data processing is that the Data Controller can transfer the personal data of the candidates to the contractual partners of the Data Controller in order to be able to get to the candidates as many job opportunities as possible.
The recipients of the data are required to process personal data only for recruitment-related purposes and in compliance with GDPR. Upon request of the data subject, the Data Controller informs candidates about the specific employers receiving his/her personal data. Candidates have the right to object to such transfers at any time, in which case the Data Controller will immediately notify the potential employer of the above and request the potential employer to delete the personal data in full.
Candidates are entitled to indicate specific employers to whom they do not wish their applications to be forwarded. If this is done before the transfer, the applications will not be forwarded to these potential employers, if after the transfer, the Data Controller will immediately notify the potential employer of the above and request the potential employer to delete the personal data in full.
4.7. In respect of the use of personal data for keeping accurate records and minutes of meetings with candidates (AI note-taking and voice recording), the purpose of the data processing is that such data processing supports the recruitment process, enabling the Data Controller to assess candidates fairly and accurately, and to recall meeting details for decision-making purposes. The use of an AI note-taking application and voice recording tool enhances the accuracy and reliability of the records.
4.8. In respect of contacting reference persons (reference check) provided by the candidate, the purpose of the data processing is that the Data Controller can verify the information relevant to the application or the candidate’s suitability for a position.
5. Legal basis for data processing, scope of processed data and duration of the processing
5.1. Legal basis: legitimate interest
The data processing with regard to points 4.1-4.6. and 4.8. is justified under Article 6 (1) (f) of the GDPR based on the following legitimate interest of the Data Controller: The Data Controller processes personal data to ensure an effective and structured recruitment and job placement process. Without the data processing, it would not be possible to assess candidates, match them with job opportunities, and facilitate communication between applicants and potential employers. There is no realistic alternative that would achieve the above objectives as effectively. The data processing is also limited to what is strictly necessary and does not place a disproportionate burden on candidates’ privacy rights.
The Data Controller has concluded a legitimate interest assessment with regard to the processing of personal data under the legal basis of legitimate interest. Upon request of the Data Subject, the Data Controller shall send the documentation of the legitimate interest assessment to the Data Subject.
| Purpose of data processing | Scope of processed data | Duration of the processing |
| Processing of applications of the candidates (point 4.1.) | a) Personal data included in the CVs and LinkedIn profiles of candidates (e.g., name, contact details, work experience, qualifications, skills, education); b) the strengths and weaknesses of the candidates (if the CVs of candidates are received from a contractual partner of the Data Controller); c) the reasons of the planned change of job; d) candidate expectations regarding preferred employment; e) wage demand; f) circumstances of the previous job change of the candidates (if provided by the candidate); g) Information on the actual employment relationship relevant from the aspect of the new employment relationship (e.g. termination period, possible non-compete clause) (if provided by the candidate); h) telephone number, e-mail address. | If the job application is successful and the candidate fills the vacant position, the Data Controller processes the personal data for maximum 12 (twelve) months following the candidate’s placement. If the job application is not accepted, personal data may be processed on the basis of legitimate interest as long as the legitimate interest exists and the data subject does not object. If the purpose is fulfilled or if the data subject objects and there are no compelling reasons to continue processing, the data shall be deleted. Moreover, the personal data related to the candidates shall be deleted after 5 (five) years from receiving such data, provided that the Data Subject does not explicitly consents to further data processing.
If the candidate fills the vacant position but he/she expressly consents to remain in the registry of the Data Controller for avoiding additional administration process in case of possible future job seeking, the Data Controller shall be entitled to process data in accordance with point 5.2 below. Personal data may only be transferred to under point 4.6. to contractual partners as long as the candidates’ personal data is included in the talent register. Contacting reference persons under point 4.8. is only possible as long as the candidates’ personal data is included in the talent register. |
| Undertaking job interviews (point 4.2.) | ||
| Transferring job opportunities to the candidates (point 4.3.) | a) Personal data included in the CVs of candidates (e.g., name, contact details, work experience, qualifications, skills, education); b) wage demand. | |
| Maintaining a talent register (point 4.5.) | a) Name of jobseeker; b) the name of employer; c) jobseeker’s interest in potential positions; d) the reasons of the planned change of job; e) wage demand; f) circumstances of the previous job change of the candidates (if provided by the jobseeker); g) Information on the actual employment relationship relevant from the aspect of the new employment relationship (e.g. termination period, possible non-compete clause) (if provided by the jobseeker); h) telephone number, e-mail address. | |
| Transfer of data to the contractual partners of the Data Controller (point 4.6.) | a) Personal data included in the CVs of candidates (e.g., name, contact details, work experience, qualifications, skills, education); b) the strengths and weaknesses of the candidates (if the CVs of candidates are received from a contractual partner of the Data Controller); c) the reasons of the planned change of job; d) candidate expectations regarding preferred employment; e) wage demand; f) circumstances of the previous job change of the candidates (if provided by the candidate); g) Information on the actual employment relationship relevant from the aspect of the new employment relationship (e.g. termination period, possible non-compete clause) (if provided by the candidate); h) telephone number, e-mail address . | |
| Contacting reference persons (reference check) (point 4.8.) | a) Name of the reference person; b) position; c) contact information (phone number, e-mail address); d) LinkedIn profile. | |
| Processing of personal data of contractual contact persons (point 4.4.) | a) Name of contact person; b) position; c) contact information (phone number, e-mail address); d) LinkedIn profile. | The Data Controller processes personal data for maximum 3 (three) months following that the person is not the contact person anymore, if the Data Controller has been notified of that change, or within 3 (three) months from the termination of the business relationship between the Data Controller and the client. |
5.2. Legal basis: consent
The data processing with regard to point 4.7. and partially with regard to point 4.3., 4.5. and 4.6. is justified under article 6 (1) (a) of the GDPR is based on the data subject’s explicit and prior consent to the processing of his/her personal data for one or more specific purposes.
With regard to points 4.3., 4.5. and 4.6., the explicit prior consent of the candidate is needed, if the candidate fills the vacant position, the 12-month guarantee period expires, but he/she would like to remain in the registry of the Data Controller for avoiding additional administration process in case of possible future job seeking.
| Purpose of data processing | Scope of processed data | Duration of the processing |
| Use of personal data for keeping accurate records and minutes of meetings with candidates (AI note-taking and voice recording) (point 4.7.) | a) The personal data that the candidate has shared with the Data Controller’s representative during the interviews and meetings, through AI note-taking application for the preparation of the minutes of the meetings; b) the voice of the candidate as personal data, through a voice recording tool in order to be able to recall without alteration what was said at the meeting or the interview. | The Data Controller processes personal data for maximum 1 (one) year following the recruitment process has concluded, unless the candidate withdraws his/her consent earlier. After this period, all relevant data will be securely deleted. |
| Transferring job opportunities to the candidates (point 4.3.) | a) Personal data included in the CVs of candidates (e.g., name, contact details, work experience, qualifications, skills, education); b) wage demand. | The Data Controller processes personal data for maximum 5 (five) years from the date of the consent, unless the candidate withdraws his/her consent earlier. After this period, all relevant data will be securely deleted. |
| Maintaining a talent register (point 4.5.) | a) Name of jobseeker; b) the name of employer; c) jobseeker’s interest in potential positions; d) the reasons of the planned change of job; e) wage demand; f) circumstances of the previous job change of the candidates (if provided by the jobseeker); g) Information on the actual employment relationship relevant from the aspect of the new employment relationship (e.g. termination period, possible non-compete clause) (if provided by the jobseeker). | |
| Transfer of data to the contractual partners of the Data Controller (point 4.6.) | a) Personal data included in the CVs of candidates (e.g., name, contact details, work experience, qualifications, skills, education); b) the strengths and weaknesses of the candidates (if the CVs of candidates are received from a contractual partner of the Data Controller); c) the reasons of the planned change of job; d) candidate expectations regarding preferred employment; e) wage demand; f) circumstances of the previous job change of the candidates (if provided by the candidate); g) Information on the actual employment relationship relevant from the aspect of the new employment relationship (e.g. termination period, possible non-compete clause) (if provided by the candidate); h) telephone number, e-mail address. |
6. Data Security
The personal data of the Data Subjects is stored on a cloud-based storage.
The Data Controller applies all technical safety measures that can be reasonably expected to store the data in a safe way, not accessible to third parties. The Data Controller takes all necessary and reasonable measures to ensure data security, safeguarding it from unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as from accidental destruction or damage.
An IT description of the safety measures, the technical and organizational measures taken to ensure the safety of data follows below: The Data Controller’s IT system is protected by continuously maintained firewall protection, virus scanner and spam filter.
The Data Controller protects its electronic devices by password.
The Data Controller does not store the paper-based CVs.
The Data Controller selects IT tools for data management that guarantee that the processed data is accessible only to authorized persons (availability), the authenticity of the data is ensured (data processing authenticity), its immutability is verifiable (data integrity), and it is protected against unauthorized access (data confidentiality).
The Data Controller also takes appropriate organizational measures to ensure data security. In the event of a data protection incident – except when it does not pose a risk to the rights and freedoms of natural persons – the Data Controller will notify the Data Subjects and the supervisory authority without undue delay, but no later than 72 hours.
To monitor actions taken regarding the data protection incident, inform the supervisory authority, and notify the Data Subjects, the Data Controller maintains a record of the incident. This record includes the scope of affected personal data, the range and number of affected individuals, the time, circumstances, and impact of the incident, as well as the measures taken to resolve it.
7. Rights and Legal Remedies
| Rights | Explanation | |
| 1. | Right to Information and Access to Personal Data | Data Subjects have the right to access their personal data stored by the Data Controller and related information (e.g., purpose of data processing, legal basis, data deletion schedule). In order to ensure that Data Subjects are aware of the rules applicable to data processing, the Data Controller publishes on its website the Privacy Policy. Data Subjects also have the right to request access to and a copy of the personal data related to them. |
| 2. | Right to Rectification and Completion of Personal Data | Data Subjects have the right to request the correction of inaccurate personal data without undue delay. Taking into account the purpose of the processing, Data Subjects have the right to request the completion of incomplete personal data, including by means of a supplementary declaration. |
| 3. | Right to Restrict Data Processing | Data Subjects have the right to request the restriction of data processing if: – They dispute the accuracy of the personal data, in which case the restriction applies while the Data Controller verifies accuracy. – The Data Controller no longer needs the personal data for processing, but the Data Subjects require it for legal claims. |
| 4. | Right to Erasure (“Right to be Forgotten”) | Data Subjects have the right to request the deletion of their personal data without undue delay if one of the following applies: – The personal data is no longer needed for the purposes it was collected or processed. – They withdraw their consent, and there is no other legal basis for processing. – The data was unlawfully processed. – Deletion is required under EU or national law. – The data was collected in relation to services offered directly to children.
– Freedom of expression and information. – Compliance with a legal obligation or public interest. – Public health. – Archival, scientific, historical, or statistical purposes where deletion would impair processing. – Legal claims. |
| 5. | Right to Data Portability | Data Subjects have the right to obtain and reuse their personal data provided to the Data Controller for their own purposes. However, this right applies only to data provided by the Data Subjects themselves, not to other types of data (e.g., statistical data). This right does not apply in this case due to the legal basis of data processing. |
| 6. | Right to Object to Personal Data Processing | Data Subjects have the right to object to the processing of their personal data at any time. The Data Controller will provide information about any actions taken in response to such a request without undue delay and within 30 days. If the request was submitted electronically, the response will also be provided electronically unless requested otherwise.
|
Data Subjects may contact the Data Controller with general questions regarding data protection by using one of the following contact details: e-mail: privacy@meijerandco.com; postal address: 1065 Budapest, Révay köz 4.
The Data Subjects may initiate proceedings with the National Authority for Data Protection and Freedom of Information (abbreviated: NAIH; headquarters: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf. 9., website: www.naih.hu, telephone: +36 (1) 391-1400, fax: +36 (1) 391-1410, central e-mail address: ugyfelszolgalat@naih.hu) or may apply to the court of law of their place of residence or abode (“right to remedy”).
8. Data processors
The Data Controller may transfer the personal data of the Data Subjects to third parties that perform data processing activities for the Data Controller.
The data processors to which the Data Controller transfers the personal data of the Data Subjects are as follows:
- Office workspace provider: Google workspace Ltd. (Seat: Claude Debussylaan 34, 1082 MD Amsterdam, Netherlands),
- ATS/CRM: Atlas Recruitment Technology Ltd of (seat: 7-12 Lynton house WC1H 9BQ, UK, Contact: Jordan Shlosberg),
- ATS/CRM: Loxo LLC. (Seat: Lohman’s Crossing Road Ste-504 #105 Austin TX 78734, USA, Contact: Daniel Kendall),
- ATS/CRM: Manatal.Co.Ltd. (seat: 16th Floor, 26/58 Orakarn Building, Khwaeng Lumphini, Khet Pathum Wan, Krung Thep Maha Nakhon 10330, Thailand, Contact: Marina Galindo Gomez),
- HR consultant: Glamorous Yard Korlátolt Felelősségű Társaság (seat: 2091 Etyek, Öreghegyi út 62., company registration number: 07-09-030334, represented by: Szőke Anna).
The Data Controller ensures that the personal data of the Data Subjects may only be processed by a data processor that complies with the Hungarian and European Union rules on the protection of personal data.
9. Other provisions
The Data Controller reserves the right to unilaterally amend this Policy by giving prior written notice to the Data Subjects.
Budapest, April 2025