Skip to content

Privacy Notice


The JDC Hungary Foundation is committed to protecting the privacy of all its customers and visitors. Accordingly, we will ensure that it is handled securely and that JDC Hungary Foundation processes personal data in accordance with the applicable legal requirements. By drafting and publishing this notice, we wish to fulfil our obligation to provide the information required by Articles 13-14 of the GDPR.

JDC Hungary Foundation, as data controller, acknowledges that it is bound by the contents of this notice. It also reserves the right to change the content of this notice, which will be communicated to the data subjects in due time.


The controller of your personal data:
JDC Hungary Foundation (“Foundation” or “Data Controller”)
registration number: 01-01-0012517

tax number: 18942408-2-42

registered office: Síp u. 12., 1075 Budapest, Hungary


Contact of the data protection officer:

Data Protection Office Kft. (“DPO”)




Personal scope: this information notice applies

  • to all visitors to the website (hereinafter referred to as the Website);
  • all of the Founder’s contractors, customers, suppliers, principals and subcontractors (i.e. all persons who may be associated with the Foundation’s activity); and
  • all persons applying for jobs advertised by the Foundation.

Material scope: this notice covers all personal data processing as described above, which

  • through or in connection with the operation of the Website;
  • in any way connected with the activity of the Foundation; and
  • whether in response to a call for applications from the Foundation or in the course of the assessment of applications received spontaneously.

Period of validity: the standard text of this notice entered into force on … 2024 and is valid from its publication until its withdrawal, but the Data Controller reserves the right to unilaterally modify this notice, after having informed the data subjects.



The Foundation’s data management policies and procedures are in compliance with the applicable data protection legislation in force, in particular, but not limited to:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (“GDPR“);
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive“);
  • Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (“Information Act”);
  • Act CVIII of 2001 on certain aspects of electronic commerce services and information society services (“E-commerce Act“);
  • Act V of 2013 on the Civil Code (“Civil Code”);
  • Act C of 2000 on Accounting (“Accounting Act“).



In accordance with EU data protection legislation, a legal basis is required for the processing of personal data. The applicable legal basis depends on the purposes for which the data are processed.

Please note that the Foundation currently processes your personal data on one of the following legal bases:

  • the processing is based on your consent [Article 6(1)(a) GDPR],
  • processing is necessary for compliance with a legal obligation to which the Controller is subject [Article 6(1)(c) GDPR];
  • processing is necessary for the purposes of the legitimate interests pursued by the Foundation as controller or by a third party [Article 6(1)(f) GDPR].

In some cases, your consent is therefore also required for the processing of data. Please note that if you have given your consent, you may withdraw it at any time, but please ensure that the withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.

In other cases, the processing of personal data is necessary for us to comply with our legal obligations, in which case the applicable legal provision is specified in Chapter 10 of this notice.

It may also be the case that the processing of your personal data is based on the legitimate interests of the Foundation or a third party, in which case we will indicate the identified legitimate interests in Chapter 10 of this notice.



According to Article 6(1)(f) of the GDPR, a legal basis exists where processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

This means that the Foundation is only entitled to process your personal data on the basis of a legitimate interest if it first carries out an interest test to determine whether the legal basis is justified.

In doing so, the Foundation

  • identifies its own or a third party’s legitimate interest in the processing of the personal data;
  • identifies your interests and fundamental rights as a data subject;
  • weighs the fundamental rights and interests, thus carrying out a necessity-proportionality test.



As a rule, we collect personal data about you from you, i.e. directly from the data subject. In cases where we may also process personal data from other sources, we will indicate this separately in point 10 of this notice in the description of the relevant data processing operation; where there is no such description, the source of the data will be you.



There may be cases where the Foundation transfers your personal data to a third party, with appropriate information and data transfer guarantees. 

The person to whom the data is disclosed is the recipient of the transfer and may fall into one of the following categories based on his or her relationship with the Foundation as data controller:

  • The recipient of the transfer is a data processor, since they carry out the processing exclusively on behalf of the Foundation as data controller. They are typically external service providers who perform technical operations on the basis of instructions from the controller (e.g. accountant, payroll or system administrator);
  • The recipient of the transfer is an independent controller, since they determine the purposes and means of the personal data processing independently of the Data Controller and is in many cases subject to specific legal requirements. These are typically lawyers, doctors, but also public authorities and courts;
  • The recipient of the transfer is a joint controller with the Data Controller, as they jointly determine why and how personal data should be processed; often this is the case for affiliated companies.


  • Our independent controller recipients

In the performance of our obligations under the law and in the course of any dispute we may have with you, we may transfer data about you to the competent authorities, courts or our respective legal representatives who, as explained above.

  • Our joint controller recipients 

We would like to inform you that the Foundation does not carry out joint data management with other data controllers in connection with your data.

  • Our data processor recipients

The Foundation uses the services of external partners for the purpose of operating the Website, using hosting services, and performing accounting and invoicing. All service providers process the personal data on the basis of the mandate and instructions received from the Foundation, for the sole purpose of carrying out operations of a technical nature and are therefore considered as data processors in accordance with the provisions of the GDPR.


  • Accounting 

Data processor name: Niveus Consulting Group Kft.
Registered office: Bécsi út 3-5. 1. em. 1., 1023 Budapest, Hungary

Data processor name: Impuesto Kft.
Registered office: 1089 Budapest, Visi Imre utca 14., Hungary

  • Billing software provider

Data processor name: BMD Rendszerház Kft.
Registered office: 1138 Budapest, Madarász Viktor utca 47-49
Contact: Email:, Telefon: +36 1 235 7090

  • Hosting provider

Data processor name: 23VNET Kft.
Registered office: Liliom utca 24-26. II/5., 1094 Budapest, Hungary

  • System administrator

Data processor name: Rewaresoft Kft.
Registered office: Szerencse utca 8/A., 1185 Budapest, Hungary

In Chapter 10, in the details of each processing operation, we will inform you whether the Foundation transfers your data to third party recipient(s) in the course of that processing operation and, if so, the relationship of that person(s) with us for data protection purposes.



Please note that in certain cases, as set out in point 10, your personal data will be transferred to a third country outside the EU, so we will provide specific information on this fact in the description of the relevant process and indicate the safeguards under Articles 46-49 of the GDPR in relation to which the transfer to the third country may take place.



Automated decision making is the ability to make decisions using technology without human intervention, with or without profiling. Profiling is the collection of information about an individual (or group of individuals) and the assessment of their characteristics or behaviour with a view to classifying them into a category or group.

Article 22 of the GDPR prohibits, as a general rule, automated decision-making in individual cases, including profiling; this can only be done by the controller, subject to the safeguards set out in the GDPR, and with the data subject being informed.

Please be informed that the Foundation does not currently use automated decision-making or automated profiling when processing your personal data. If we intend to change this in the future, we will inform you in advance and we will also inform you of the legal basis under Article 22(2) GDPR before we start processing and provide you with a duly conducted data protection impact assessment.



The data processing for each of the Foundation’s activities are as follows:


The Foundation will process personal data only to the extent and for the purposes necessary for the fulfilment of its purposes determined in its deed of foundation, contractual obligations and legal compliance related to its activities, as follows:

a) Processing the data of contact persons

In the course of its activities, the Foundation works with a large number of contractual partners (typically legal entity customers and contractors), and processes personal data of the natural person contacts of these partners to enable fast and efficient communication.

The legal basis for the processing is based on the legitimate interest of the business partners contracting with the Foundation as third parties (in this case, the business partner’s interest in the conclusion and performance of the contract), and the Foundation will therefore apply an interest balancing test to determine whether the legal basis is justified, which will be provided to the data subjects at their request.

purpose of processing: to conclude commercial contracts and to maintain contact with the business partner during the performance of the contracts
scope of the data processed: name, position, contact details (typically telephone number and e-mail address) and any other data necessary for the performance of the contract by the contact person
legal basis for processing: the legitimate interest of the business partner in the conclusion and performance of the contract pursuant to Article 6(1)(f) of the GDPR
duration of data storage: until the termination of the contract with the business partner or the termination of the employment relationship between the contact person and the contractual partner
recipient(s) of the transfer: –
transfer to a third country: –

b) Billing-related data processing

Pursuant to paragraph 165 (1) of the Accounting Act, documents must be issued (prepared) for each economic operation or event that changes the stock or composition of assets or the sources of assets, and all documents reflecting the process of economic operations (events) must be recorded in the accounting records. In addition, Article 169(2) of the Accounting Act requires that accounting documents directly and indirectly supporting the accounting records must be kept for at least 8 years in a legible form, retrievable by reference to the accounting records.

In accordance with the above, the Foundation issues an invoice to the recipient of the service with the data content specified in Section 169 of the VAT Act and Section 167 (1) of the Accounting Act, and keeps the accounting documents directly and indirectly supporting the accounting for 8 years, as specified in Section 169 (2) of the Accounting Act.

The Foundation issues its invoices by means of an invoicing program, the respective service provider of which is considered to be a data processor of the Foundation. The Foundation forwards the invoices issued to its respective accountant for the purpose of carrying out the accounting tasks, who acts as a data processor of Foundation. 

purpose of processing: issuing and storing invoices in the course of commercial activities
scope of data processed: data content defined in Section 169 of the VAT Act and Section 167 (1) of the Accounting Act; of which personal data: name and address of the service recipient and, in the case of sole traders, the tax number
legal basis for processing: the fulfilment of a legal obligation on the employer pursuant to Article 6(1)(c) of the GDPR in accordance with Articles 165(1), 167(1) and 169(1) of the Accounting Act
data storage period: 8 years from the date of issue of the invoice
recipient(s) of the data transfer: the operator of the invoicing software, BMD Rendszerház Kft., and Niveus Consulting Kft. and Impuesto Kft., the accounting service provider of the data controller, as data processors
data transfers to third countries: –

 c) Enforcement, claims management

The Foundation will process the data of any natural person concerned by a dispute or claim against it, as well as in the course of enforcing its claims against others, in order to bring the dispute or claim to a successful conclusion.


Since the legal basis for the processing is based on the legitimate interest of the Foundation as data controller (in this case, the personal and financial interest in the resolution of the dispute and the successful assertion of claims), the Founder will apply a balancing of interests test to determine whether the legal basis is justified, which will be provided to the data subjects at their request.


purpose of processing: management of claims, settlement and resolution of disputes with others, effective assertion of claims
scope of data processed: any data relevant to the resolution of the dispute and the enforcement of claims
legal basis for processing: legitimate interest of the Founder as data controller (personal and financial interest in the resolution of disputes and the effective exercise of claims) as referred to in Article 6(1)(f) of the GDPR
duration of storage: until the dispute is settled or the claim is enforced
the recipient(s) of the transfer: competent authorities, courts and the legal representative of the Foundation in each case

data transfers to third countries: –



The Foundation might use the assistance of external contractors (e.g. recruitment agencies) to carry out complex recruitment tasks (recruitment, selection, evaluation, recommendation) in order to conduct and evaluate the job application efficiently and quickly. These partners are considered independent data controllers in all cases and are obligated to notify the data subjects of the processing of their personal data.

In the absence of explicit consent to the further storage of the CV, the Foundation will immediately cease to store the CV of the unsuccessful candidate after the evaluation of the application and will destroy the personal data it has stored. In order for further storage to take place, the Foundation must obtain the express consent of the data subject, which, if granted, will allow the continued storage of the CVs of unsuccessful candidates for a maximum period of 1 year from the date of receipt.

purpose of processing: selection of employees and ad hoc or permanent collaborators (contractors, agents) to fill vacancies or to carry out projects
the scope of the data processed: all personal data contained in the CV; typically: name, date of birth, mother’s name, address, education, previous jobs, portrait photo, salary requirements and other data voluntarily provided by the data subject
legal basis for processing: the data subject’s consent pursuant to Article 6(1)(a) of the GDPR
storage period: only until the application has been assessed or, in the case of consent to further storage, for a maximum of 1 year
recipient of the transfer: recruitment agencies contracted on a case-by-case basis, as independent data controllers

data transfers to third countries: –



a) Contact

Through the Website, visitors can contact the Data Controller under the “Contact” menu by providing the data necessary for contacting the Data Controller. This message will be sent to the e-mail address and the Foundation will either reply to the data subject from the same e-mail address or, if the data subject voluntarily provides a telephone number when contacting them, will contact them by telephone. 

purpose of processing: to reply to requests from data subjects, to contact them at their request
scope of the data processed: mandatory data: name, e-mail address and subject; optional data: any personal data voluntarily provided in the message
legal basis for processing: consent of the data subject pursuant to Article 6(1)(a) of the GDPR
duration of storage: until the data subject has replied to the request or until the purpose of the contact has been achieved

recipient of the transfer: the hosting provider and the system administrator as data processors

data transfers to third countries: –



The Foundation’s employees and contractors are bound by confidentiality obligations and receive regular training on the handling of personal data and other critical information.



The Foundation will make every reasonable effort to maintain physical, technical and regulatory security measures. These security measures are designed to protect against loss, unauthorized access, copying, modification or disclosure, as described below: 

a) Restricted access

Personal information provided by you or generated during the course of your relationship with the Foundation is only accessible within the Foundation to those persons within the Foundation who need to know it in order to perform their job duties.

The Foundation processes and stores your personal data on paper at its headquarters, using physical protection systems, electronically on its own server or on a server provided by a server provider, with strictly limited and protected access.

b) Backup

Whenever data is electronically processed, viewed or accessed, the Foundation will ensure that data is backed up on a regular basis to ensure that your personal data is not irretrievably damaged or lost.

c) Program protection, virus protection

During the electronic storage and handling of data, the Foundation takes care to prevent unauthorised access and attempts to access the data, including by using firewalls and anti-virus software. It will ensure that the risk of data theft, misuse of personal data and loss of data is minimised by involving an IT expert and by regular monitoring.

d) Password protection

In order to protect personal data, all employees and contributors of the Foundation protect their work equipment with an individual password, which they are obliged to change regularly at specified intervals.



You have the right under Articles 13-21 of the GDPR to 

a) request information from the Data Controller about the processing of your personal data within the duration of the processing (“right to information“). The Foundation will inform you in writing, in an intelligible form, within the shortest possible period of time from the date of the request, but not later than 1 month, about the data processed, the purposes, legal basis and duration of the processing, and, if the data have been transferred, who is or are receiving the data and for what purposes;

b) receive feedback from the Data Controller as to whether or not their personal data is being processed and, if such processing is taking place, have the right to access the personal data and basic information relating to them (purposes of the processing; categories of personal data concerned; recipients to whom or with which the personal data have been or will be disclosed; envisaged duration of the storage of the personal data); your right to request the Data Controller to rectify, erase or restrict the processing of personal data concerning you and to object to the processing of such personal data; your right to lodge a complaint with a supervisory authority; if the data have not been collected from the data subject, any available information on their source) (“right of access“). The Foundation will provide you with a copy of the personal data that is the subject of the processing. The right to obtain a copy must not adversely affect the rights and freedoms of others;

c) upon your request, the Foundation to correct inaccurate personal data concerning you without undue delay (“right to rectification“). Taking into account the purpose of the processing, you have the right to request the completion of incomplete personal data, including by means of a supplementary declaration;

 d) upon your request, the Foundation will delete personal data concerning you without undue delay (“right to erasure“) where

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • you have withdrawn your consent to the processing and there is no other legal basis for the processing;
  • you object to the processing and there is no overriding legitimate ground for the processing;
  • the personal data have been unlawfully processed;
  • the personal data must be erased in order to comply with a legal obligation under Union or Member State law applicable to the controller.

The right of erasure does not extend to data processed by the Foundation in the performance of a contract or legal obligation or on the basis of a legitimate interest;

e) upon your request, the Foundation restricts the processing (“right to restriction“) where

  • you contest the accuracy of the personal data (for a period of time until the accuracy of the data is established);
  • the processing is unlawful and you object to the erasure of the data and instead request the restriction of its use;
  • the Data Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
  • you have objected to the processing (pending the completion of the consideration of the objection).

If the processing is restricted, such personal data may be processed, except for storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the European Union or of a Member State.

f) receive personal data concerning you provided to the Foundation in a structured, commonly used, machine-readable format and have the right to transmit such data to another controller without hindrance from the Foundation (“right to data portability“);

g) object at any time, on grounds relating to your particular situation, to the processing of your personal data on the basis of the Foundation’s legitimate interest (“right to object“). In this case, the Foundation may no longer process the personal data unless you can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims;

h) withdraw your consent to the processing at any time, but please take note that the withdrawal of your consent does not affect the lawfulness of the processing based on your consent prior to its withdrawal.

Please send your request to exercise these rights to the DPO, at the contact set out in Chapter 1, by electronic mail. 

The Foundation will inform you without undue delay, but in any event within 1 month of receipt of your request, of the action taken on it (in the form in which you have addressed your request to us, in the event of a request to the contrary). If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Foundation will inform you of the extension, stating the reasons for the delay, within 1 month of receipt of the request.



a) What can you do if your request is rejected?

If the Foundation refuses your request, we will inform you in writing within one month of receipt of your request why we have been unable to comply with your request, inform you of your legal remedies and inform you that you can lodge a complaint with the National Authority for Data Protection and Freedom of Information.

b) What are your rights if you consider that the processing is unlawful?

If you believe that the processing of your personal data is unlawful, you may initiate an investigation procedure pursuant to Article 52 (1) of the Information Act at the National Authority for Data Protection and Freedom of Information (registered office: Falk Miksa utca 9-11, 1055 Budapest, Hungary; postal address: 1363 Budapest, Pf. 9., e-mail:; telephone: +36 (1) 391-1400).


Finally, we inform you that if the Foundation wishes to carry out further processing of your personal data for purposes other than those for which they were collected, you will be informed again of the different purposes and any other information relating to the processing prior to the further processing.