Starschema Candidate Data Privacy Notice

Effective Date: 17 October 2022

INTRODUCTION

Starschema Kft. (“STS”) is committed to protecting and securing the privacy and confidentiality of the Personal Data which it collects directly or indirectly from you when applying for a job at STS either directly or through a third-party human resources agency. This notice (the “Notice”) outlines and explains how STS including its subsidiaries, local employing entities, associates and affiliated companies [collectively referred to as “STS”, “us,” “our”, or “we”] will process your Personal Data in accordance with applicable privacy legislation(s).

Please refer to ‘Annexure B’ for definitions.

What Does This Notice Cover?

The aim of this Notice is to provide you with information on what Personal Data we process, why we process your Personal Data, how we process your Personal Data including details on the principles we will abide by, as well as informing you of certain rights that you may be able to exercise on your Personal Data.

This Notice applies globally to all job applicant(s)/candidate(s) of STS, subject to local caveats which have been highlighted herein or as applicable otherwise.

In some cases, we may present to you an additional Personal Data processing notice, depending on the circumstances as they may exist. Typically, these additional notices would provide requisite information pertaining to, but not limited to, additional purpose(s) for processing of your Personal Data which are not covered under this Notice. Such a notice shall apply only for those respective cases referred to therein and shall not affect the validity of this Notice.

What Personal Data Do We Process?

For the purposes of this Notice, ‘Personal Data’ means any information about you from which you can be identified (whether derived from that information on its own or when combined with other information that we or another party may hold about you).

As part of your recruitment and/or on-boarding process, you may directly provide us or be requested to provide us your Personal Data. Personal Data may be either provided to us by you or collected through a third-party as part of your recruitment process with STS. Such Personal Data may include but is not limited to:

Identifying data, such as name, email address;

contact details, such as postal address and telephone number;

recruitment-related information, such as right to work authorisation, citizenship, date of birth, residency, previous work experience information (including previous employer references), qualifications and work history, educational background, language skills, professional skills and talents, professional membership, community engagement, geographic location preferences, and recruitment company reports (where available), salary expectations, interactions over emails, webchats, audio/video conversations; and

Any other Personal Data you voluntarily provide during the job application process for our consideration.

Why We process your Personal Data?

We process your Personal Data for specified purposes and on the following legal grounds, for the various situations which may arise during the job application process with us:
As it may be necessary for preserving our or a third party’s legitimate interests (please see ‘How do We use your Personal Data?’ section below.);
The processing is necessary for us to perform contractual obligation(s) in respect of your employment or engagement with STS e.g., the steps taken to enter into a contract with you, if your candidature is successful;
As it is, or if it becomes, necessary to comply with any legal obligation(s), including but not limited to, any local law(s), to the extent of the applicability of such law(s);
As is necessary to protect your vital interests when you are physically or legally incapable of giving consent; and
Data processing based on your consent.
In exceptional circumstances you may request us to disclose your personal data to third parties or organisations such as a law firm handling a data subject claim on your behalf, or otherwise.
There may also be exceptional circumstances, where you may explicitly consent to the processing of your personal data, but only if the consent is truly freely given and unambiguous e.g., consent to publish your photograph on marketing materials.

How We Use Your Personal Data?

We process your Personal Data, for the purposes including but not limited to the ones enlisted below, via both manual and automated means. We also use ATS (applicant tracking system) which stores your Personal Data once you have made an application in order to enable the relevant recruiting manager and recruiter to consider your application. We will always have human intervention in your candidacy assessment and never solely rely on automated decision-making, including profiling.

Talent Acquisition and onboarding:

We hold the following data about you:

personal identification data (name, address, mother’s name, place and date of birth, tax ID, social security number, etc.)
contact details;
data you have provided to us or the recruitment agency in your curriculum vitae, cover letter, or during the interviews.

Processing Purposes	Legal Basis	Categories of recipients with whom we may share your personal data outside of STS
If your application is successful and you agree to join STS, we need to capture personal data to complete your employment contract, legal and regulatory compliance, managing operations.	For taking steps at your request prior to entering into a contract and/or for performance of a contract. Compliance with legal obligations which we are subject to in relation to employment law	STS may use service providers acting on STSL's behalf to perform some of the services described above including for the purposes of verification / background checks. These service providers may be located outside the country in which you live or the country where the position you have applied for is located STS may sometimes be required to disclose your information to external third parties such as to local labour authorities, courts and tribunals, regulatory bodies and/or law enforcement agencies for the purpose of complying with applicable laws and regulations, or in response to legal process. STS will also share your personal information with other third parties to detect, prevent or otherwise address fraud, security or technical issues, or as otherwise required by law.
To determine an applicant’s/candidate’s eligibility for employment or engagement including but not limited to: Online skill assessments Interview process, including in person and online interviews Perform pre-employment background checks as part of your application, which would include but not limited to your legal right to work, carrying out criminal record subject to legal limits, and follow up references provided to us, including identification data, contact details, information about your qualification and employment history. Offering information and/or services to individuals who visit our web site or offer information about employment opportunities. Preventing fraud or criminal activity and to safeguard our IT systems. Customizing individuals’ online experience and improve the performance, usability and effectiveness of STS’s online presence. Meeting corporate and social responsibility obligations Improving our application and recruitment process. Assessing if you have worked for us or applied with us before Selecting, assessing and appointing suitable candidates for jobs, new and/or other roles. Suitability for attending site if required.	For preserving our legitimate interests in properly carrying out hiring and staffing procedures. For taking steps at your request prior to entering into a contract Compliance with legal obligations which we are subject to, particularly in relation to tax law, employment law, social security law and immigration law Necessary to carry out the obligations and to exercise specific rights STS or you in the field of employment and social security and social protection law as permitted by local data protection law; and Necessary for reasons of substantial public interest as permitted by local data protection law
To process your personal information in order to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement agency;	Compliance with legal obligations which we are subject to, particularly in relation to tax law, employment law, social security law and immigration law
Where relevant and appropriate subject to local data protection regulations: To conduct, and to analyse, our HR related marketing and branding activities. To analyse the diversity of our workforce. Also, to accommodate your application and interview and for compliance with legal obligations as well as to provide a suitable working environment, we may collect disabilities information.	Consent Compliance with legal obligations which we are subject to, particularly in relation to tax law, employment law, social security law and immigration law

Why We Share Personal Data

Only selected employees of STS – such as your potential future manager(s), employees of HR and IT (for maintenance purposes only) - and selected employees of our external service providers who support us with the admission of recruitment application, may have access to your Personal Data. Whenever we permit a third party to access Personal Data, we will make sure the data is used in a manner consistent with this Notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the data).

Please note, in some circumstances third parties may qualify as controllers who process your Personal Data for their own purposes. Please refer to these Controllers’ privacy notice or statement. Otherwise, all third parties are Processors acting on the instructions of STS. Wherever we engage a Processor, we require assurances that such Processors have implemented appropriate safeguards and controls in relation to the protection of your Personal Data. In addition to the third parties’ legal obligations, we require that such third parties be also contractually obligated to safeguard your Personal Data. Ongoing oversight is maintained on the relevant processing activities being carried out by the third party.

If required, we may conduct background checks prior to you commencing employment with us. In order to do so, STS may have a requirement to share your personal data with the relevant third parties. These checks will be performed by our Processors who conduct background screening on our behalf.

How Long Do We Retain your Personal Data?

We will retain your personal data for a period of 3 years after your last application date. If you are unsuccessful, we shall retain your personal data for 6 months or for a period of 3 years upon your explicit consent. After this period, we will securely destroy your personal data.

Post onboarding and pre-joining formalities your data will not be kept longer than necessary for the purpose for which it was processed. For example, we may need to retain your Personal Data to comply with Tax and other applicable Laws, for audit purposes and to exercise or defend any legal claims.

Is Your Data Transferred Across International Borders?

STS is part of the HCL group, a truly global organisation so your Personal data may be transferred for the any of the above stated purposes to different global locations. These transfers will be undertaken in compliance with applicable law(s) and regulation(s).

If it is necessary to transfer your Personal Data to countries that do not offer adequate protections, for example if Personal Data

originating from the EEA / EU will be transferred outside the EU/EEA then we will ensure that appropriate safeguards as required

by applicable laws are put in place prior to the transfer of the data.

To protect Personal Data when transferred outside the EU/EEA to countries which have not been deemed by the European Commission to adequately protect Personal Data, STS will implement appropriate safeguards in order to adequately safeguard any such transfers in line with the requirements enshrined in applicable laws, e.g. by incorporating standard contractual clauses (a copy of which can be obtained through the contact information included below) into contract(s) / data transfer agreement(s) established between the parties transferring the Personal Data.

What are your rights and how can you exercise them?

Depending on your relationship with STS you may have several rights in relation to your Personal Data. Please refer to the Annexure A for information on data subject rights. Please note, these rights are subject to exemption(s) and may not apply in all circumstances. If you wish to exercise these rights, then STS will provide you with the requested information or action your request within one month after receipt of your verified request, subject to any extensions that maybe required and communicated to you.

You can request more information about your rights at [email protected].

How Do We Safeguard your Personal Data We Have Collected from You?

We implement and maintain appropriate technical, organizational, and physical security measures to protect your Personal Data and these security measures are in line with industry best practices.

These include, but are not limited to:

Access to data is based on need to know and least privilege principle to ensure data is only accessible to authorized individuals for performance of their duties.
Layered security controls ranging from perimeter security to end user machine level controls such as Firewalls, Spam protection, Antivirus and Spyware solutions, security awareness trainings and incident management etc.
To further reduce the risk associated with data processing, we make use of pseudonymisation / Anonymization techniques where possible.
Using encryption mechanisms, where appropriate such as email encryption, encryption of data during transfer, secure VPN access and disk/file level encryption etc.
Third parties that process personal data on our behalf, do so based on written instructions and are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

What if you do not provide Personal Data?

During the job application and pre-joining formalities it is in yours and our best interest for you to provide STS with Personal Data, in particular certain information as mentioned above, such as contact details, education and professional experience details, and your right to work in a particular jurisdiction, have to be provided to enable STS to enter into a contract of employment with you.

Certain information may be necessary to fulfil legal obligation under employment, Tax and other applicable laws and regulations and to exercise your statutory rights.

If you do not provide the necessary information, this will impact our ability to manage the rights and obligations arising as a result

of the hiring and onboarding process effectively.

How Do We Update This Notice?

We may update this Notice from time to time. We will post any updated version of this Notice on the STS public facing websites and other relevant portal(s). We may also communicate changes to this Notice to you by email or by other necessary mean(s), if need be.

Except as otherwise stated in this Notice, any updates to this Notice will be effective from the date on which they are communicated to the relevant parties.

Our Data Processors

STS uses no Data Processor in relation to managing your personal data

Who can you contact?

Any questions or concerns about the operation of this document should be addressed to the relevant HR personnel who may have been in contact with you.

If you have any concerns about how your Personal Data has been processed then you can contact us via [email protected]

Notification of a personal data breach to the data subject

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller will communicate the personal data breach to the data subject without undue delay after taken notice of such personal data breach.

Notification of a personal data breach to the supervisory authority

In the case of a personal data breach, the controller shall without undue delay but, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Complaints

We want to address any concerns you may have in relation to the management of your personal data, therefore, please contact us in the first instance. You have a right to lodge a complaint with a data protection supervisory authority in particular in the jurisdiction of your habitual residence, place of work or place of the alleged infringement.

Complaints relating to STS’s use of personal data may be sent by email - with the details of your complaint to [email protected]. We will look into and respond to any complaints we receive within 30 days.

You also have the right to file a complaint with the National Authority for Data Protection and Freedom of Information or seek remedy at court if you are of the view that your rights relating to personal data have been violated. For further information on your rights and how to complain to the Authority, please refer to http://naih.hu/panaszuegyintezes-rendje.html.

Name: Nemzeti Adatvédelmi és Információszabadság Hatóság

Address: 1055 Budapest, Falk Miksa utca 9-11. / 1363 Budapest, Pf. 9.

Phone: (+36-1) 391-1400

Fax: (+36-1) 391-1410

E-mail: [email protected]

In the event of a breach of your rights relating to personal data, or if you disagree with STS's decision, within 30 days of the receipt of the decision, - you may initiate a claim against the Data Controller directly at the ordinary courts having competence to such cases on the basis of STS’s seat (registered address) or other applicable laws. The court will have to act in an expedited procedure in such cases.

Annexure A

Data Subject Rights:

Your rights may differ depending on local laws applicable, but generally (as far as applicable laws provide you with such rights). You would be entitled to: object to the processing of Personal Data, access your data and have inaccurate data corrected, obtain a copy of Personal Data (in some cases in portable format), ask us about any relevant details of processing, ask for erasure or restriction of processing, and to lodge complaints with relevant authorities (in particular in the country where you live, work or where the alleged infringement took place).These rights can be summarised in broad terms with the EU General Data Protection Regulation as a baseline:

Right of access

You have the right to confirm with us whether your Personal Data is processed, and if it is, to request access to that Personal Data including the categories of Personal Data processed, the purpose of the processing and the recipients or categories of recipients. We can only provide you with your Personal Data, not Personal Data about another person. Also, where access would adversely affect another person’s rights, we’re not required to provide this. Due to legal privilege, there are some records we are not able to share in connection with a claim or legal proceeding.

Right to rectification

You may have the right to rectify inaccurate or incomplete Personal Data concerning you. We encourage you to review this information regularly to ensure that it is accurate and up to date.

Right to erasure (right to be forgotten)

You may have the right to ask us to erase Personal Data concerning you. The right to erasure does not apply where your information is processed for certain specified reasons, including for the exercise or defence of legal claims.

Right to restriction of processing

In certain situations, you have the right to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. We keep lists of people who have asked for further use of their Personal Data to be ‘blocked’ to make sure the restriction is respected in future. This may affect our ability to provide services to you.

Right to data portability

You may have the right to receive Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that data to another entity.

Right to object and rights relating to automated decision-making

Under certain circumstances you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data, including profiling, by us and we can be required to no longer process your Personal Data. This may include requesting human intervention in relation to an automated decision so that you can express your view and to contest the decision.

You are entitled to receive your Personal Data free of charge except in the following circumstances where we may charge a reasonable fee to cover our administrative costs of providing the Personal Data for:

manifestly unfounded or excessive/repeated requests, or
further copies of the same information.

To exercise any of the above-mentioned rights please submit your request through [email protected]

Annexure B – Definitions:

Applicable Law	Local laws applicable to STS.
Employer	The local entity which offers employment and/or is demarcated as employer on the employment agreement signed by the employee.
Controller	The entity/person who (either alone or jointly or in common with other entities/persons) determines the purposes for which and the manner in which any Personal Data are or are to be processed.
Processor	Any person or an entity who processes the data on behalf of the Controller.
Data Subject	Any identified or identifiable living individual natural person.
Personal Data	Any information relating to an identified or identifiable individual. An identifiable individual is one who can be identified, directly or indirectly, in particular, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Special Categories of Personal Data	Any Personal Data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Data Processing	Any operation or set of operations which is performed on personal data, such as collecting, recording, organizing, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making the data available, aligning or combining data, or blocking, erasing or destroying data. Not limited to automatic means.
Encryption	The method by which plaintext or any other type of data is converted from a readable form to an encoded version that can only be decoded by another entity if they have access to a decryption key.
Automated decision making	Subject to local applicable law, every data subject has the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him.
Supervisory authority	Independent Authority or division associated with an Authority in any relevant jurisdiction, whose primary purpose and function is to regulate matters related to personal data.
Pseudonymisation	The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Anonymization	The process of either encrypting or removing personal data from a database, so that the individuals whom the data describe remain anonymous. This is done for the purpose of protecting individuals’ private activities while maintaining the integrity of the data gathered and shared.
Consent	Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Retention	The policies and processes used within STS for determining the time period for archiving and storing of personal data.
Profiling	Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Third Party	A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.