Policy & Complaint policy

Our company, as a data controller, determines the purposes and means of personal data management independently or together with others, and also manages personal data.

The meaning of data management: any operation performed on personal data or data files in an automated or non-automated manner or all of them, i.e. the collection, recording, organization, segmentation, storage, transformation or change, query, insight, use, communication, transmission, distribution or other by way of making it available, coordination or connection, restriction, deletion or destruction.

Any information relating to an identified or identifiable natural person (“data subject”) shall be considered personal data. A natural person can be identified who, indirectly or directly, in particular on the basis of an identifier such as a name, number, location data, online identifier or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person can be identified.

As a data controller, our company fully respects the privacy of all persons who provide us with personal data, and is committed to protecting this data.

Our company establishes a separate data management policy on the management of employees’ data, and it provides for it.

  1. Based on Article 13 of the GDPR, our company provides the following information to the persons concerned:

The data controller:

Company name: Enterworks Human Resources Kft.

Headquarters, billing and postal address: 9027 Győr, Budai út 2. 3. em.

Contact: Váci út 30. VI. Floor, 1132 Budapest

Tax number: 25005679-2-08

Company registration number: 08-09-034667


Budai út 2, 3rd floor, 9027 Győr

Rákóczi utca 6. flat 1, 6000 Kecskemét

Data controller: Pavol Varga (an.: Tünde Varga)

Names of other members (depending on the company form): Róbert Mészáros (an.: Erzsébet Földes)

In order to fulfill its accounting and tax obligations, the data manager forwards the invoices to the data management company/private entrepreneur performing the accounting.

The electronic data of the data controller may only be accessed by the IT specialist when he/she acts in order to fulfill his/her tasks (data security, restoration, etc.).

Data Protection Officer:

Our company is obliged to appoint a data protection officer based on Article 37 of the GDPR.

The data protection officer: Csilla Jakab.

  1. The purposes, legal bases and duration of our company’s data management:

Data management purposes:

Our company performs data management for the following purposes in accordance with all legal regulations:

  • As a condition for the provision of our activities, we process the data of the employees and the users of the given service for the purpose of writing and fulfilling the contract, as well as our legal obligations;
  • Marketing activities for potential customers;
  • Use of the contact details of contractual partners for the purpose of fulfilling the contract;
  • Fulfilling the orders of customers/partners;
  • For the purpose of implementing the obligation defined by law.

Legal basis for data management:

Article 6, paragraph (1) point a) of the GDPR: consent of the data subject

Article 6 (1) point b) of the GDPR: conditions necessary for the performance of a contract

Article 6 (1) point c) GDPR: necessary to fulfill a legal obligation Article 6 (1) point f) GDPR: legitimate interest, consideration of interests is always required

The legal bases of individual data management activities:

  • Issuance of invoices in accordance with accounting legislation: legal basis: GDPR Article 6 (1) point c)
  • Contact: legal basis: GDPR Article 6 (1) point b).
  • Management of contractual partners’ data: legal basis GDPR Article 6 (1) point b).

The data subject has the right to object, so personal data will not be processed on the basis of this, provided that the data processing is justified by a compelling reason (e.g. fulfillment of a legal obligation).

Duration of data management:

Due to legal obligations, our company can keep the invoices for at least 8 years. The retention period of the documents on which the invoice is based is 8 years.

The possible retention period of the data provided for the purpose of maintaining contact is 1 year after the termination of the relationship.

Retention of data related to the performance of the contract: 5 years.

III. Rights concerned:

In relation to his personal data, the data subject has rights strictly defined by law. Affected rights are the following:

  1. a) right of access (knowledge of data, the fact of whether data is being processed);
  2. b) in the event that a piece of data is outdated or incorrect, then its adjustment;
  3. c) deletion (in the case of consent-based or illegal data processing);
  4. d) restriction of data processing;
  5. e) prohibiting the use of personal data for direct marketing purposes;
  6. f) the transfer of your personal data to an additional, i.e. third-party service provider, or the prohibition of this;
  7. g) requesting a copy of any personal data managed by the data controller;
  8. h) protest against the use of your personal data.
  9. ARC. Data protection incident:

It means the violation of data security that generates or results in the accidental or illegal destruction, loss, alteration, unauthorized disclosure of personal data handled, and unauthorized access to them. Our company ensures data security corresponding to the level of risk associated with data management from a physical, IT and administrative point of view. The procedures are determined by our company’s data security policy.

In the event of a breach of data security, the data controller or its representative shall notify the supervisory authority without delay and/or no later than 72 hours after becoming aware of it and inform the affected party.

After becoming aware of the data protection incident, our company will immediately take the necessary security measures to eliminate and restore the damage that is the basis of the data protection incident and for its purpose.

The person concerned will be notified of the measures already taken and their results.

  1. Website:

A cookie is specific data that the currently used website sends to the visitor’s browser so that it stores it, and the same website will be able to load its content in the future.

A user may store data on the terminal device of the electronic messenger only with the consent of the concerned user after clear, clear and comprehensive information covering all purposes of data management, or access to the data stored there (Act C of 2003 § 155.4/ ). Based on this, on the first visit to the Company’s website, a brief summary of the use of cookies must be provided to the visitor, and a link must be forwarded to the full information address. With this information, the Company ensures that the visitor can learn, before using the information society-related services of the website and at any time during the use, for which data management purposes the Company manages which data, including the management of information that cannot be directly linked to the applicant.

CVIII of 2001, containing many issues of electronic commerce and information society services. Act (Elkertv.) 13/A. § (3), the service provider may process the personal data that are technically absolutely necessary for the provision of the service for the purpose of providing the service. If the other conditions are the same, the service provider must choose and in any case operate the tools used in the provision of services related to the information society in such a way that the necessary personal information is only processed if this is necessary for the provision of the service and the other purposes specified in this law is essential for its fulfillment, but even then only to the extent and for a sufficient period of time.

Types of cookies:

  1. Technically absolutely necessary session cookies: without which the site would simply not function, they are used to identify the user, e.g. necessary to manage whether you entered, what you put in the basket, etc. This is usually the storage of a session ID, the rest of the data is stored on the server, which is therefore the most secure. It is of security importance, if the value of the session cookie is not generated correctly, there is a risk of a session-hijacking attack, so it is absolutely necessary that these values are generated correctly. Other terminologies call all cookies that are deleted when you exit the browser a session cookie (a session is a browser usage from start to exit).
  2. Usage-facilitating cookies: these are the cookies that the user chooses (for example, in what form the user wants to see the page). These types of cookies are actually the settings data stored in the cookie.
  3. Performance cookies: They don’t have much to do with “performance”, but that’s the name given to the cookies that collect information about the use of the visited website and the time spent there. These are typically third-party applications. These are suitable for profiling the visitor.

Acceptance of the use of cookies and their authorization are not mandatory. You can reset your browser settings to reject all cookies or to notify you when a cookie is currently being sent. However, it is possible that certain website functions or services will not function properly without cookies.

Information about the cookies used on the Company’s website and the data generated during the visit

The scope of data managed during the visit: When using the website, our company’s website can record/manage the following data about the visitor and the device used for browsing:

  • the IP address used by the visitor,
  • browser type
  • characteristics of the operating system of the device used for browsing (set language),
  • time of browsing,
  • the page, function or service visited.
  • click.

Our Company may retain this data for a maximum of 30 days, primarily for the purpose of investigating security incidents.

Cookies used on the website

  1. Technically necessary session cookies: The purpose of data management: to ensure the proper functioning of the website. These are needed so that visitors can browse the website and use its functions and services available through the website without hindrance and fully, including the commenting of the actions performed by the visitor on the given pages. The duration of these cookies only applies to the visitor’s momentary visit, this type of cookie is automatically deleted from his computer at the end of the session.

Their legal basis for data management is the CVIII of 2001 on certain issues of electronic commercial services and information society services. Act (Elkertv.) 13/A. § (3), based on which: for the purpose of providing the service, the service provider may process the personal data that are technically absolutely necessary for the provision of the service. If the other conditions are the same, the service provider must choose and in all cases operate the tools used in the provision of services related to the information society in such a way that personal data is only processed if this is absolutely necessary for the provision of the service and the fulfillment of other objectives defined in this law necessary, but also in this case only to the extent and for the necessary time.

  1. Usability cookies: These remember the user’s choices, including the form in which the user wants to see the page. These types of cookies actually represent the setting data stored in the cookie. The legal basis for data management is the consent of the browser.

The data management goals: Increasing the efficiency of the service, increasing the user experience, making the use of the website more convenient.

  1. Performance cookies: They collect information about the user’s activity within the visited website, the time spent, and all clicks. These are typically third-party applications (e.g. Google Analytics, AdWords). Legal basis for data management: the consent of the data subject.

Purpose of data management: analysis of the website and sending of advertising offers

  1. Legal remedy information:

In Hungary, the data protection supervisory authority is: The National Data Protection and Freedom of Information Authority (hereinafter: NAIH, address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, e-mail address: ugyfelszolgalat@naih.hu). The person concerned can submit a complaint to the NAIH if, based on his conviction, the processing of his personal data differs and does not correspond to the legal obligations. A judicial review can be initiated against the NAIH’s decision.

We would like to inform you that our company operates a whistleblower reporting system, in accordance with the provisions of Act XXV of 2023 on complaints, public interest disclosures, and rules related to reporting abuses (hereinafter: Whistleblower Protection Act).

The whistleblower reporting system enables eligible individuals listed in the information to report information regarding any suspected acts or omissions that may violate organizational integrity, be unlawful, or presumed to be unlawful, as well as other abuses they have observed.

The procedure for investigating reports made in the internal whistleblower reporting system can be found here.

The data processing information regarding the reporting system can be found here.