Privacy Policy

MP Solutions Kft. (hereinafter referred to as: Company) shall act in compliance with this Privacy Policy (hereinafter referred to as: Policy) when processing personal data relating to job applicants, and its customers/contractual partners (hereinafter referred to as: data subjects).

1. General Provisions

1.1 The data controller’s:

  • name: MP Solutions Kft.
  • company registration number: Cg. 01-09-914023
  • registered by: Budapest Metropolitan Court as Court of Registration
  • contact details:
    • registered office: 1088 Budapest, Bródy Sándor utca 2. 2. em. 8B.
    • represented by: Dávid Pelle Executive Manager
    • phone number: +36 1 429 0029
    • E-mail: [email protected],hu
    • website: www.mphil.hu


1.2 Purpose of the Policy

The purpose of this Policy is to ensure the protection of personal data of data subjects processed by the Company, the privacy of the data subjects, and respect the informational self-determination of the data subjects in respect of their personal data, and for this purpose to protect the data against accidental or deliberate destruction, alteration, damage, disclosure, or access by unauthorised persons, in compliance with the following rules.

Furthermore, the purpose of the Policy is to inform the data subject - prior to the start of the data processing - about the method the Company processes the data, and about any facts, rights or obligations related to the data processing. To this end, the Company makes this Policy accessible for the data subjects on its website (see Section 1.1).

By accepting this Policy, the data subjects agree that the Company will process the personal data of data subjects in accordance with this Policy.

1.3 Scope of the Policy

The material scope of the Policy covers all personal data processed by the Company, regardless of the location, time and form of the processed personal data.

The personal scope of the Policy covers all colleagues/employees of the Company, any external data processors involved in the data processing by the Company, and all contractual partners of the Company (agents, suppliers), as well as all applicants who applied to any job opening of the Company, or were directly contacted by the Company with a job offer.

1.4 Legal background of the Policy

General Data Protection Regulation (GDPR); Regulation 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.

Act CXII of 2011 on the right of informational self-determination and the freedom of information (Freedom of Information Act).

1.5 Principles of data processing

In the course of data processing the Company ensures that all Hungarian and EU regulatory requirements on the processing of personal data are complied with, such as:

  • personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject (principles of lawfulness, fairness and transparency).
  • personal data may only be collected and processed for unambiguous and lawful purposes (principle of purpose limitation);
  • the collected personal data must be suitable for the purpose of the data processing, as well as relevant and limited to the necessary purpose (principle of data minimisation);
  • personal data must be accurate and where necessary, updated; any inaccurate data must be deleted or rectified immediately (principle of accuracy);
  • personal data may only be stored for the period it is necessary to achieve the purpose of the data processing (principle of storage limitation);
  • the Company shall ensure the security of personal data, including the protection against unauthorized or unlawful handling, accidental loss, destruction or damage to data (principle of integrity and confidentiality) by appropriate technical and organizational measures.
  • the Company shall at all times maintain a management system that enables it to certify that its data processing activity is in compliance with the above principles (principle of accountability).


1.6 The legal basis of data processing

In the course of its data processing activity the Company shall exclusively process personal data it is entitled to process on the basis of (i) the prior consent of the data subject, or (ii) statutory authorization.

Prior to the start of the data processing the Company shall - within the framework of providing prior information to the data subject - notify the data subject whether the data processing is based on consent or statutory authorization.

The data subject shall be entitled to withdraw his or her consent at any time; however, it does not affect the lawfulness of the processing of data carried out before. Where appropriate, the Company may continue the data processing on the grounds of statutory authorization, in particular in cases when it is necessary to fulfil a legal obligation, or for the purposes of the legitimate interests of the Company.

Data processing is in particular based on statutory authorization if:

  • the data processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; (point b) of Article 6(1) of the GDPR);
  • the data processing is necessary for the Company’s compliance with a legal obligation (point c) of Article 6(1) of the GDPR; point b) of Section 5 (1) of the Freedom of Information Act);
  • the data processing is necessary for the purposes of the legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data (point f) of Article 6(1) of the GDPR), that is, pursuing such interests is proportional to the limitation of the right to protect personal data (point b) of Section 6 of the Freedom of Information Act). 


1.7 Sources of data collection

In general, the Company collects the data it processes directly from the data subject (applicant, contractual partner, supplier, etc.), or from third parties. In case the applicant applying for an open position has a profile published on any social networking site, the Company has the right to view such public social site; however, without the expressed consent of the data subject, it may not save or store it, with particular regard to the fact that such site may also include other data not related to the job application or the position that are not relevant for the Company regarding the recruitment of the applicant.

Without the expressed consent of the applicant the Company shall not contact the applicant’s former employer, and similarly, it shall not provide personal data if requested by a future employer of such applicant - without the expressed consent of the applicant.

1.8 The purpose of data processing

The Company shall process personal data relating to the applicants and the contractual partners of the Company for the purpose of providing services and for improving the quality of such services, and within the framework of its legal obligations as specified in “Records of Data Processing Activity”.

2. Data subjects and the categories of the personal data concerned:

2.1 Data processing related to applicants

The data processing - related to the applicants - performed by the Company, as a market operator providing recruitment/executive search services is limited to the areas, personal scope, processed data, and the data processing periods specified in detail in the “Records of Data Processing Activity“ as amended from time to time, in accordance with the purposes set out in the “Records of Data Processing Activity”.

The Company only collects such data from the applicants that are necessary for keeping contact and finding the suitable employment opportunity for the applicant. If the applicant chooses to provide any optional - or special data where applicable (health status, political views, criminal record, etc.), the data processing shall cover these data as well, however, prior to processing such sensitive data, the Company shall separately obtain the consent of the applicant.

If such separate consent is provided by the applicant, in addition to the current recruiting, the Company may use the data for later marketing activities, profiling, recruitment, or offering different positions.

The Company shall be entitled to share the personal data relating to the applicant (i) with the principals - prospective employers of the applicant - the recruitment is being performed for; (ii) with other third persons offering similar recruitment/executive search services who are in a position to outsource the applicant to their own principals - prospective employers of the applicant; (iii) with persons/agencies meeting the references provided by the applicant.

The Company processes the data of the applicants for a period of up to two years. In case during such period of two years the Company was unable to offer suitable positions for the applicant, the Company shall erase all data files relating to the applicant. In case during such period of two years either the Company or the applicant confirms its willingness to cooperate (e.g. the applicant updates his or her curriculum vitae, responds to any marketing campaign or other offer of the Company, or the Company offers a position to the applicant), the data processing period of two years shall start from the date of such contact.

2.2 Data processing related to the users of the Company’s website

Anyone visiting the Company’s website - mostly applicants interested in the services offered by the Company - provides data while browsing the website. The Company’s - as a market operator providing recruitment/executive search services - data processing activity related to the users of its website is limited to the IP address and cookies of the data subject, necessary for tracking user activity. The purpose of such data processing is to track the online habits/activity of visitors viewing the website, in order to increase the economic/business activity of the Company, and to ensure protection against cyberattacks. The legal basis of data processing is the legitimate interest of the Company.

In case in addition to browsing, the website user also uploads data to the website, the data processed by the Company - in particular data received in connection with registration on the website, consent to receiving job newsletters, uploading CVs, application for a job - are considered personal data. In such case the legal basis of the data processing is the explicit and voluntary consent of the user to the processing of data provided by him or her - in accordance with the terms of this Policy. If the user chooses not to provide his or her personal data, the user acknowledges that he or she will not be able to access certain parts of the Company’s services, or any parts thereof.

The Company is unable to verify the authenticity or accuracy of the personal data/CV and other content provided by the user on the website; exclusively the user (applicant) shall be held responsible for such data.

2.3 Use of cookies

The Company's website uses cookies. Cookies are small text files that are placed on the user’s computer when visiting a website.  Cookies are used for the purpose of the effective operation of websites, or for providing web services and functions. There are permanent cookies stored on the computer for a pre-determined period - provided that the user does not delete them - and temporary cookies that are not stored on the computer, and are deleted automatically when the browser is closed.

Data files recorded by the cookies are almost impossible to assign to the user for identification purposes; however, the Company finds it important to provide information on the use of cookies in terms of how cookies provide certain data on the website visitor for the purposes of website functionalities and measuring the number of viewers of the website.

The so-called session cookies assist the operation of the website by recording the name of the users registering on the website, to facilitate login next time and to allow the easier use of the site. Such cookies will not send any data outside the system.

Third-party Google Analytics cookies developed by Google, Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and used world-wide register the activity of users on the website anonymously, without identifying the specific user. With the use of Google Analytics the Company may be provided with information and analysis on site visits that can help improve the Company’s website and services. Such information may include the number of visitors; from which websites were the visitors directed to the Company’s website; which pages were viewed by the visitor and in what order, etc.

The user may block/disable the cookies on his/her computer; however, as a result, several functions of the website - or even the website as a whole - will not be accessible or usable until the use of cookies is enabled again.

2.4 Data processing related to contractual partners

The data processing - related to the contractual partners (principals, suppliers) - performed by the Company, as a market operator providing recruitment/executive search services is limited to the purposes of performing contracts/enforcing demands, for organizing promotions/advertising campaigns, events, and for documenting/video recording events.

In general, data processing related to contractual partners/suppliers is limited to contact data necessary for keeping business contact with the partners, such as the name, phone number, and e-mail address of the contact persons.

Legal basis of data processing related to contractual partners: (i) data processing necessary for the purposes of the legitimate interests pursued by the Company as a service provider; (ii) data processing necessary for the performance of the contract concluded between the data subject and the Company; (iii) data processing based on the voluntary consent of the data subject.

2.5 Data processing related to sending letters/e-mails

If the data subject sends a letter to the Company using the contact option on the website or otherwise, it is also considered the voluntary contribution provided by the data subject allowing the Company to process his/her personal data contained in the message/letter, to use such data in connection with the subject of the request, and to contact the data subject at the provided contact details.

3. Transfer of data abroad, data processing, scope of data recipients:

3.1 The Company does not transfer data to third persons registered abroad.

3.2 Where necessary, the Company - based on separate data processing agreement concluded with each partner - shall only involve such data processors for performing certain tasks in connection with the data processing operations which guarantee that they have the required professionalism, reliability, and available resources to execute the technical and organizational measures ensuring compliance with the data security and other requirements of the GDPR.

The data processors involved by the Company are included in Annex 2.

The data processors perform the assigned data processing activities on behalf of the Company as data controller. After completing the data processing service, the data processor - pursuant to the decision made by the data controller, and unless otherwise provided by legislation - shall delete or return all personal data to the data controller.

The Company shall be responsible for the activity of the data processor, i.e. for any damage or infringement of personal rights caused by the data processor. The Company shall be exempted from liability if (i) it proves that the damage or infringement was the result of an unavoidable cause outside the scope of the data processing, or (ii) the damage or the data breach suffered by the data subject was caused by the intentional or negligent conduct of the data subject.

3.3 Personal data processed by the Company may only be disclosed to persons - agents, employees - specified in Annex 1.

4. Technical and organisational security measures for ensuring data processing security:

According to Article 32(1) of the GDPR, the Company as data controller and the involved data processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. When assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

The data controller shall make the following technical/organizational measures:

Lockable drawers and cabinets, offices equipped with safety locks, key or coded locks to the gate of the building. Password protected personal computers; the HR software database may only be used after two-stage identification (password and token sent to email address). Common drives may only be accessed from the office area, via password-protected internal wireless Internet connection. Applicants and customers are not allowed to enter the office workspace, and work devices are not available for them.

5. Procedure in case of personal data breach:

In case in spite of following the above data protection practice, personal data processed by the Company are breached, and in case such breach is likely to have a high risk to the rights and freedoms of the data subject, the Company shall notify the supervisory authority of such breach immediately after such incident was revealed, but no later than within 72 hours. At the same time the Company shall notify the data subjects about the data breach, indicating the probable consequences of the breach, and the performed or planned measures for the remedy/mitigation of the situation.

The Company is not required to notify the supervisory authority of any personal data breach not likely to have a high risk. Notifying the data subject is not required either if the conditions specified in Article 33 of the GDPR apply, that is, (i) the Company has taken measures which make the data involved in the breach unintelligible for unauthorized parties; or (ii) as a result of the measures taken, the personal data breach is unlikely to result in a high risk; or (iii) if the notification would require disproportionate effort. In this latter case, the Company shall notify the data subjects publicly.

The Company shall keep record of supervising the measures taken in connection with the data breach, and for the purpose of informing the data subject.

6. Rights of the data subject and legal remedies:

6.1 Right to receive transparent information

The data subject is entitled to receive appropriate information from the Company in accordance with Articles 13-14, 15-22 and 34 of the GDPR. Such information addressed to the public or to the data subject shall be concise, easily accessible and easy to understand, and shall use clear and plain language, including in electronic communication.

6.2 Right to access

The data subject has the right to be informed by the Company if any of his/her personal data are being processed, and if so, the data subject - pursuant to Article 15 of the GDPR - has the right to access such personal data and receive information on the data content, in particular information on the purpose of data processing, the categories of personal data concerned, the recipients to whom the personal data have been disclosed, the envisaged period for which the personal data will be stored, any rights related to data processing, the right to lodge a complaint with a supervisory authority, any available information as to their source, and the fact of any automated decision making.

6.3 Right of rectification

The data subject has the right to have the Company rectify his/her incorrect personal data without delay, or to supplement missing data.

6.4 Right to erasure

The data subject has the right to obtain from the Company the erasure of personal data concerning him/her without undue delay, which request must be complied with by the Company, if

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • the data subject has withdrawn his/her consent on which the data processing is based, and there is no other legal ground for the processing;
  • the data subject objects to the data processing, and there is no priority legitimate reason for the data processing;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Hungarian law to which the data controller is subject;
  • the personal data have been collected in relation to the offer of information society services for children.


The data subject may not request the erasure of data, and the Company shall not be obliged to erase data if the data processing is required for reasons pursuant to Article 17(3) of the GDPR, in particular if data are required for (i) exercising the right of freedom of expression and information, or for (ii) compliance with a legal obligation of the Union or Hungary requiring the processing of personal data applicable for the data controller.

6.5 Right to restriction of processing

During the period of the restriction, the blocked personal data - except for storage - may only be processed with the consent of the data subject, or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.  The data subject may request the restriction of data processing if:

  • the data subject contests the accuracy of the personal data; such restriction shall be valid for a period enabling the Company to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the Company no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • the data subject has objected to processing; in this case such restriction shall be valid for a period it is determined whether the legitimate grounds of the Company override those of the data subject.


6.6 Right to data portability

If the legal basis for the processing is (i) the data subject's consent, or (ii) a contract in which one party is concerned, or in case of (iii) automated data processing, the data subject may request that the data being processed concerning him or her shall be provided for him or her, and he or she shall be entitled to transfer them to another controller. In such case the data controller shall provide the personal data for the data subject or the data controller specified by the data subject in a structured, commonly used, machine-readable and interoperable format.

6.7 Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her for (i) public interest or for exercising public authority vested in the data controller, or (ii) if processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling.  In case of such objection the Company may only continue to process data if the Company demonstrates (i) compelling legitimate grounds for the processing which override the interests and rights of the data subject, or (ii) are needed for the establishment, exercise or defence of legal claims.

Where processing is performed for direct marketing purposes, and the data subject has objected to it, the personal data shall no longer be processed for such purposes.

6.8 Right to object to automated decision making

The data subject shall have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning him or her or similarly significantly affects him or her. The data subject shall not be entitled to this right if (i) the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, (ii) is authorised by Union or Hungarian law, or (iii) the decision is based on the data subject's explicit consent. In cases referred to in point (i) and (ii) the Company shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human (manual) intervention on the part of the controller, to express his or her point of view and to contest the decision.

6.9 Right to withdraw consent

The data subject shall have the right to withdraw his or her consent at any time; however, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

6.10 Initiating measures by the Company

The Company is required to facilitate the exercising of rights of the data subject in respect of asserting its right, and shall make all necessary efforts to eliminate or remedy violations. If the Company has reasonable doubts concerning the identity of the natural person, it may request the provision of additional information necessary to confirm the identity of the data subject.

The Company shall, without undue delay, but in any event within one month following the receipt of the request, inform the data subject about the measures determined in respect of the request. Where necessary, e.g. due to the complexity or great number of the requests, such deadline may be further extended by two months. Where a request was submitted electronically, the Company - unless otherwise requested by the data subject - shall, where possible, provide the information electronically as well.

If the Company does not take action on the request of the data subject, the Company shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

In respect of enforcement, the Company shall bear all costs related to providing information and taking measures. Where the request of the data subject is manifestly unfounded or excessive, in particular because of its repetitive character, the Company may either charge a reasonable fee, or refuse to act on the request.

6.11 Right to seek remedy at the data protection authority

 Contact data of the local supervisory authority:

  • National Authority for Data Protection and Freedom of Information (NAIH)
  • 1125 Budapest, Szilágyi Erzsébet fasor 22/C
  • telephone: 1-391-1400
  • fax: 1-391-1410
  • E-mail: [email protected]
  • website: www.naih.hu


6.12 Right to an effective judicial remedy

In case his or her rights are violated, the data subject shall have the right to judicial remedy against an action of the data controller, within the available legal frameworks.

Such proceedings may be brought before the courts competent for the place of residence or place of stay of the data subject.

Pursuant to Section 21(4) of the Freedom of Information Act, the data subject may refer to the court against a decision by the Company on the right to object of the data subject within 30 days.

Such court proceedings shall be conducted under priority. The Company should be the party to prove that the challenged data processing complies with the relevant laws.

The Company shall reimburse any damage caused to a data subject as a result of unlawful processing or by any breach of data security requirements, or in case personal rights are violated, the Company shall be required to pay a penalty.

7. Definition of the main terms of data processing included in this Policy

  • data subject: any specified natural person identified or identifiable directly or indirectly by personal data;
  • personal data: means any information relating to a natural person (‘data subject') - in particular the name, identification number, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning a natural person’s sex life or sexual orientation; data concerning health or personal data relating to criminal convictions and offences;
  • personal data relating to criminal convictions and offences: personal data relating to a data subject generated by competent investigation and enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including criminal records;
  • consent of the data subject: means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • objection: statement made by the data subject objecting to the processing of his/her personal data and requesting the deletion or erasure of the data processed;
  • data controller: means the natural or legal person, business entity without legal personality, which, alone or jointly with others, determines the purposes of the processing of personal data; makes decisions relating to the data processing (including the tools of such processing) and executes them, or has the data processor execute them;
  • data processing: means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; as well as the prevention of further use, audio or video recordings, and the recording of physical characteristics suitable for the identification of a person (finger or palm prints, DNA sample, iris imaging);
  • data transfer: making any data available to a specified third party;
  • disclosure: making the data accessible for anyone;
  • data erasure: making any data unrecognisable in a way such data may no longer be restored;
  • pseudonymisation: means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  • data identification: assigning identifiers to data with the purpose of distinguishing them;
  • data blocking: assigning an identifier to the data with the purpose of limiting - permanently or for a fixed term - the further processing of such data;
  • data erasure: complete physical destruction of the media containing the data;
  • data control: performing technical tasks in connection with data processing activities, regardless of the methods and tools used for executing the operations, or the location where they are performed, provided that such technical tasks are performed on data;
  • data material: all data processed within one registry;
  • private data breach: unlawful processing of personal data, in particular unauthorized access, alteration, transmission, disclosure, erasure or destruction, as well as accidental destruction and damage.
  • recruitment: finding the right position and employer for the right candidate, or finding the applicant meeting the needs of the employer, or connecting the applicant and the employer in order to establish an employment relationship.
  • applicant: individuals applying for positions advertised by the Company, or persons providing their personal data and curriculum vitae for later job openings in order to access such positions, as well as those who have been selected and contacted by the Company directly or indirectly with the purpose of offering a specific position.
