Please read the
Privacy Notice for Candidates
1. Name of the data controller
Data Controller: CF Pharma Gyógyszergyártó Kft. (hereinafter: Data Controller)
Registered seat: H-1097 Budapest, Kén utca 5.
Corporate registration number: 01-09-564467
Tax number: 12202209-2-43
Telephone: 06-1/280-3951 or 06-1/280-4445
2. General legislative provisions serving as a legal basis for data processing
➢ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
➢ Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Act on Privacy)
3. Terms and definitions
Personal data: means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data includes in particular: name, address, place and date of birth, mother’s name.
Processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
4. Data processing related to the job application
a) Purpose of data processing: Verification of compliance with the conditions required for filling the position
b) Scope of personal data processed: personal information submitted by the candidate in the CV and its annexes, attesting compliance with the academic and professional requirements
d) Legal basis for processing: Article 6 (1) a) of the GDPR: the data subject’s consent
e) Duration of data processing: until withdrawal of the data subject’s consent, but up to 1 year following the job posting
5. Obtaining data: data is obtained from the data subject; the Data Controller shall not process personal data that is not collected from the data subject
6. Data processing through data processor: the Data Controller will not engage a data processor for the processing
7. Data transfer: the Data Controller will not transfer personal data to other recipients
8. Access to personal data: Personal data may be accessed by the Data Controller’s respective staff members for the purpose and to the extent of performing their tasks.
9. Data security measures
The Data Controller ensures that the data processed is protected against unauthorised access or alteration by way of appropriate IT, technical and personnel measures.
10. Rights of the data subjects relating to data processing
➢ Time limit
The Data Controller shall address the data subject’s request concerning the exercise of rights within one month of receiving the request. The day of receiving the request is not included in the time limit.
➢ Right of access
The data subject has the right to request information via the contact details provided in section 1 concerning whether his or her data is being processed, and if so, the data subject is entitled to know:
- what personal data is processed by the Data Controller;
- on what legal basis;
- for what processing purposes;
- for how long;
- who to, when, and based on which legislation was access provided to the data subject’s personal data, and who were they transmitted to;
- what sources were the data subject’s personal data obtained from;
- whether automated decision-making is applied by the Data Controller and the logic involved, including profiling;
At the request of the data subject, the Data Controller shall disclose a copy of the processed personal data, free of charge on the first occasion, and after that a reasonable fee may be charged based on the administrative costs.
For the purpose of the data security requirements and the protection of the data subject’s rights, the Data Controller shall verify that the personal identity of the data subject and the person wishing to exercise the right of access match, and in order to ensure this, any information provision, insight into the data, and releasing a copy of the data are all subject to the identification of the data subject.
➢ Right to rectification
The data subject may request from the Data Controller in writing the rectification of personal data via the contact details provided under section 1 (for example when the email address or other contact details are changed). If the data subject is able to verify the accuracy of the rectified data in a credible way, the Data Controller shall process the data subject’s request within one month and send it to the contact details provided by the data subject.
➢ Right to erasure
The data subject may request the erasure of his or her personal data from the Data Controller in writing via the contact details provided in section 1. The request for erasure will be rejected by the Data Controller if the Data Controller is obliged to retain the personal data under legislation. If, however, no such obligation prevails, the Data Controller will process the data subject’s request within a month and send it to the contact details provided by the data subject.
➢ Right to blocking (restriction of processing)
The data subject may request the blocking of his or her personal data from the Data Controller in writing via the contact details provided in section 1 (by clearly indicating the restricted nature of the processing and ensuring separate processing from other data) provided that:
- the data subject challenges the accuracy of his or her personal data (in this case the Data Controller will restrict the processing for a period enabling verification of the accuracy of the personal data);
- the data processing is unlawful and the data subject opposes to the erasure of the personal data and requests the restriction of their use instead;
- the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject objected to data processing (in this case the restriction applies until it is established whether the data controller’s legitimate interests are overridden by the interests of the data subject).
➢ Right to objection
The data subject may object to the processing of his or her personal data by the Data Controller in writing via the contact details provided in section 1, if the data subject considers that his or her personal data is processed by the Data Controller for purposes unrelated to those specified in this Privacy Notice.
11. Exercising rights relating to data processing
- the data subject can also contact the Data Controller in relation to exercising the rights to the protection of personal data, via the contact details indicated in section 1.
- in the event of breach of the data subject’s right to the protection of personal data, the data subject may seek legal remedy from the following authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
postal address: 1530 Budapest, Pf.: 5.
telephone: +36 (1) 391-1400
- engagement in legal proceedings: if the data subject experiences any unlawfulness in the processing of his or her personal data, a civil procedure can be initiated against the Data Controller. The judgement of the civil lawsuit falls under the competence of the tribunal. The lawsuit – according to the data subject’s choice – can also be brought before the tribunal of the place of residence of the data subject (please find the contact details of the tribunals at the following link: https://birosag.hu/torvenyszekek)
12. Update and availability of the Privacy Notice
The Data Controller reserves the right to unilaterally amend this Privacy Notice. This notice may be amended in particular if it is required due to legislative changes, data protection authority practice, business demand or newly explored security risk. Upon request of the data subject, the Data Controller will send a copy of the Notice in effect, in a form mutually agreed with the data subject.