DATA PROTECTION NOTICE
Kibit Solutions Limited Liability Company (hereinafter referred to as: Kibit Solutions Ltd.) provides the following information to data subjects regarding the processing of personal data during its activities:
Data Controller:
Name of the Data Controller: Kibit Solutions Ltd.
Company registration number: Cg.01-09-342197
Registered seat: 1036 Budapest, Bécsi út 52. 1/2.
Email: info@kibit.hu
Representatives of the Data Controller: Bence Boldizsár Kiss, Managing Director; Gábor Zsolt Bilek, Managing Director
The Data Controller participates in the execution of domestic and international IT-related projects. During these activities, tasks are performed by the company itself and by subcontractors, sole proprietors, and natural persons engaged by the Data Controller.
This data protection notice explains the principles and details of how personal data is processed during marketing communication, recruitment activities, the storage of submitted CVs, and within the framework of legal relationships between the Data Controller and its clients or applicants.
- DEFINITIONS
The following terms used in this Data Protection Notice have the following meanings:
“personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“data processing”: any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“data controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“data processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“data protection incident”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- DATA PROCESSING
1.)MARKETING COMMUNICATION
Purpose of data processing: Sending newsletters, thereby informing interested parties about the current projects of the Data Controller.
Legal basis of data processing: consent of the data subject (according to Article 6(a) of Regulation (EU) 2016/679).
Scope of processed data:
Processed Data | Purpose of Processing
Full name | Identification of the data subject
Email address | Contact
Duration of data processing: until 15 days after the withdrawal of consent.
Possible consequences of failure to provide data: the data subject will not receive proper information and promotions from the Data Controller.
2.)RECRUITMENT AND CV HANDLING FOR CURRENT PROJECTS
Purpose of data processing: To identify and recruit suitable candidates for current projects of the Data Controller.
Legal basis of data processing: The data subject’s consent (according to Article 6(a) of Regulation (EU) 2016/679), which also includes consent to forward personal data to clients of the Data Controller who have active projects matching the candidate’s skills.
Scope of processed data:
Processed Data | Purpose of Processing
Full name | Identification of the data subject
Email address | Contact information
Home address | Identification of the data subject
Educational background | Verification of the subject’s skills
Work experience and former employers | Verification of the subject’s skills
Photograph (if provided) | Identification of the data subject
Phone number | Contact information
Other personal data included in the CV | Identification and evaluation
Duration of data processing:
– In case of a successful application: until the end of the project.
– In case of an unsuccessful application: until the notification of the outcome.
– Generally: until the consent is withdrawn.
Possible consequences of failure to provide data: The data subject cannot apply for projects. If consent is withdrawn before the project concludes or before notification is given, the candidate may be excluded from the project or may not receive updates on the application status.
3.)CV HANDLING IN THE ABSENCE OF CURRENT PROJECTS
Purpose of data processing: To build a candidate database that enables the Data Controller to proactively match applicants to future project opportunities.
Legal basis of data processing: The data subject’s consent (according to Article 6(a) of Regulation (EU) 2016/679), which also includes consent to forward personal data to current or future clients of the Data Controller who may have relevant projects that match the candidate’s skills.
Scope of processed data:
Processed Data | Purpose of Processing
Full name | Identification of the data subject
Email address | Contact information
Home address | Identification of the data subject
Educational background | Verification of the subject’s skills
Work experience and former employers | Verification of the subject’s skills
Photograph | Identification of the data subject
Phone number | Contact information
Other personal data included in the CV | Identification and evaluation
Duration of data processing: Until the withdrawal of consent.
Possible consequences of failure to provide data: The Data Controller will not be able to recommend the data subject for potential future projects.
4.)CANDIDATE ASSESSMENT AND INVOLVEMENT
Purpose of data processing: To assess the capabilities of applicants responding to the Data Controller’s advertisements and, if deemed suitable, to involve them in projects for the Data Controller’s clients.
Legal basis of data processing: The data subject’s consent (according to Article 6(a) of Regulation (EU) 2016/679).
Scope of processed data:
Processed Data | Purpose of Processing
Full name | Identification of the data subject
Email address | Contact information
Educational background | Verification of the subject’s skills
Work experience and former employers | Verification of the subject’s skills
Photograph | Identification of the data subject
Phone number | Contact information
Other personal data included in the CV | Identification and evaluation
Duration of data processing:
– If the Data Controller’s client does not wish to involve the candidate: until the candidate is notified.
– If the client does involve the candidate: until the end of the cooperation between the candidate and the client.
Possible consequences of failure to provide data: The candidate may not be able to showcase their abilities and may miss out on potential job opportunities.
5.)WEBSITE USAGE
The Data Controller processes data as follows during the use of its website (kibit.hu):
Cookie Types and Their Purpose
Cookie Type | Data Processed | Purpose | Duration
Necessary
rc::a | Page visit recording | Distinguishes between human and bot visitors for accurate traffic reporting | Persistent
rc::b | Page visit recording | As above | Session
rc::c | Page visit recording | As above | Session
Statistics
vuid | Visited pages | Provides insight into which pages and subpages users visit and how they interact with them | 2 years
Marketing
NID | Unique device ID | Registers a unique ID to recognize returning users and personalize advertising | 6 months
Legal basis of data processing: The user’s voluntary consent, according to Article 6(1)(a) of the GDPR.
Possible consequences of failure to provide data: Inaccurate analytics and the lack of relevant targeted advertisements.
6.)CLIENTS AND POTENTIAL CLIENTS
Purpose of data processing: To establish and maintain business relationships between the Data Controller and its potential or existing clients.
Legal basis of data processing: Performance of a contract (according to Article 6(b) of Regulation (EU) 2016/679).
Scope of processed data:
Processed Data | Purpose of Processing
Full name / Contact person’s name | Identification
Email address | Contact
Phone number | Contact
Other personal data provided by the data subject | Business communication
Duration of data processing: Until the termination of the contractual relationship with the client.
Possible consequences of failure to provide data: The data subject cannot enter into a contractual relationship with the Data Controller and cannot become a client.
- DATA PROCESSORS
In accordance with applicable laws, the Data Controller may use data processors for specific tasks. These processors act solely on instructions from the Data Controller and are not authorized to make independent decisions regarding personal data.
The following individuals act as data processors in recruitment activities:
Dorottya Ilku – Email: dorottya.ilku@kibitsolutions.com, Phone: +36 70 315 1740 – Activities: recruiting applicants, contacting and interviewing candidates.
Mercédesz Minich – Email: mercedesz.minich@kibitsolutions.com, Phone: +36 70 550 8812 – Activities: recruiting applicants, contacting and interviewing candidates.
Márk Csizmadia – Email: mark.csizmadia@kibitsolutions.com, Phone: +36 70 674 2982 – Activities: recruiting applicants, contacting and interviewing candidates.
Gábor Barta – Email: gabor.barta@kibitsolutions.com, Phone: +36 70 595 1150 – Activities: interviewing and coordinating with candidates.
- DATA TRANSFERS TO THIRD COUNTRIES
In certain cases, the personal data provided by data subjects may be shared with clients classified as third-country entities under applicable law. The Data Controller relies on adequacy decisions issued by the European Commission to determine whether a third country provides an adequate level of data protection. In other cases, standard contractual clauses approved by the European Commission or applicable legal exemptions are used to govern such transfers.
- RIGHTS OF THE DATA SUBJECT
Data subjects may request information regarding the processing of their personal data, request the correction or deletion of their data via cv@kibit.hu, request restriction of processing, and have the right to data portability and to seek legal remedy. In Hungary, complaints can be submitted to the National Authority for Data Protection and Freedom of Information (NAIH), or the data subject may turn to a court of law.
1.RIGHT TO INFORMATION AND ACCESS
The data subject has the right to know what personal data the Data Controller stores and how it is processed. Requests must be submitted in writing (email or post). The Data Controller will respond in a commonly used electronic format unless otherwise requested in writing. No oral information is given by phone.
Access includes information on:
– the scope, purpose, duration, and legal basis of processing
– data transfers: to whom data has been or will be transferred
– data source identification
The first copy of the personal data will be provided free of charge. Additional copies may incur a fee based on administrative costs. Electronic requests will receive electronic responses unless otherwise specified by the data subject.
2.RIGHT TO RECTIFICATION
Upon written request, the Data Controller will correct any inaccurate personal data or supplement incomplete data without undue delay. All recipients of the data will be informed of the rectification unless this proves impossible or requires disproportionate effort. The data subject will be informed of these recipients upon request.
3.RIGHT TO RESTRICTION OF PROCESSING
The data subject may request restriction of processing if:
– they contest the accuracy of the personal data (restriction applies while accuracy is verified);
– the processing is unlawful, but deletion is opposed, and restriction is requested instead;
– the controller no longer needs the data for processing, but the data subject requires it for legal claims;
– the data subject objects to processing pending verification of overriding legitimate interest by the controller.
If restriction is applied, the Data Controller may only store the data unless:
– the data subject consents to further processing;
– the data is required for legal claims;
– the data is needed to protect another natural or legal person;
– or processing is mandated by public interest law.
The data subject will be notified in advance if the restriction is lifted.
4.RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’)
Upon request, the Data Controller will delete the data subject’s personal data without undue delay if:
– the data is no longer needed for the original purpose;
– the data subject withdraws consent and there is no other legal basis;
– the data subject objects to processing and there are no overriding legitimate grounds;
– the data was processed for direct marketing (including profiling);
– the data was processed unlawfully;
– the data relates to a child under information society services.
This right may not be exercised if processing is necessary for:
– freedom of expression and information;
– public health interests;
– archiving, research, or statistical purposes, where deletion would render the processing impossible;
– legal claims.
5.RIGHT TO DATA PORTABILITY
The data subject may receive and reuse their personal data (provided by them to the controller) across different services. This applies only to data the data subject submitted directly and not derived or inferred data. The Data Controller may require in-person identity verification before fulfilling such requests. This right does not imply automatic deletion from the controller’s systems.
6.RIGHT TO OBJECT
The data subject may object in writing to processing based on:
– public interest (Article 6(1)(e) GDPR), or
– legitimate interests (Article 6(1)(f) GDPR).
Processing must cease unless the Data Controller can demonstrate compelling legitimate grounds overriding the data subject’s interests or necessary for legal claims. Objections are assessed by the Managing Director, who informs the data subject of the result in writing.
- REQUEST HANDLING DEADLINES AND PROCEDURES
The Data Controller must respond to any of the above requests within one month. In complex cases or high volumes, this deadline may be extended by two months, with notification within the first month. If requests are unfounded or excessive, the Data Controller may charge a reasonable fee or refuse the request. Responses are provided in the same format the request was received (electronic if emailed).
- ENFORCEMENT OPTIONS
Requests may be submitted via email or post. The Data Controller may verify identity before fulfilling requests. If identification is not possible, the request may be rejected. Legal remedies include submitting complaints to NAIH (Hungary) or pursuing claims in court.
- DAMAGES AND LIABILITY
Anyone who suffers material or non-material damage due to a GDPR violation may claim compensation from the Data Controller or processor. Processors are liable only if they acted outside instructions or violated specific obligations. Liability is waived if the party proves no responsibility for the damage.
- DATA PROTECTION INCIDENT HANDLING
A data protection incident is a breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. The Data Controller maintains a log with details of such incidents. Unless the incident poses no risk to rights and freedoms, both the data subject and supervisory authority will be notified within 72 hours.
- BACKUP POLICY
The Data Controller ensures regular secure backups to enable recovery. Backups are stored in cloud infrastructure, retained for 5 years, and managed via anonymized logs and automatic deletion policies. Access to backups is restricted to authorized personnel with authentication.
- OTHER PROVISIONS
The Data Controller reserves the right to unilaterally amend this Privacy Notice. Changes take effect as stated unless objected to in writing. Data accuracy is the responsibility of the data provider. The applicant is responsible for ensuring proper legal basis and informing data subjects (e.g., referees) before submitting their data.
Data Protection Contact:
Name: Gábor Zsolt Bilek
Phone: +36 20 984 9532
Email: gabor.bilek@kibit.hu
Effective date of this Privacy Notice: 1 July 2023