Generic StandardGS2 – Data Privacy for Applicants

1. Scope

At ABESSE we recognize the importance of candidate trust in our brand. Our privacy policy sets out how we handle the information we receive from customers and everyone who uses our products and services. We take this seriously and will always treat this information with the utmost respect and care. We expect you, as our supplier, to do the same.

2. Summarization

At Abesse, we take privacy very seriously. We do need your information so that we can provide world class HR services to you, however protecting your information and respecting your privacy is fundamental to maintaining your trust.

• We need to obtain and use some of your personal information so that we can:

• recruit and retain the best people;

• manage your working relationship with Abesse and run our business in the best possible way;

• protect you, the company and our assets; and

• to comply with our policies and legal and regulatory obligations.

We will always take appropriate measures to keep your personal information confidential, secure and protected, including when we need to share it with our trusted partners.

APPLICANT NOTICE ON DATA PROCESSING

This applicant notice on data processing (“Notice”) will provide you with information on our data processing activities with respect to individually identifiable information about applicants applying for positions at the Abesse.

1. INFORMATION ON THE CONTROLLER

You can find the relevant contact details of Abesse entity identified in the vacancy for which you are applying on www.abesse.hu. Abesse is the data controller with respect to the data processing activities detailed in this Notice.

2. YOUR PERSONAL DATA/PURPOSES AND LEGAL BASIS OF THE PROCESSING

We will process personal data about you collected during the application and job interview process from yourself, or authorized third parties (i.e., recruitment agencies).

3. Categories of Personal Data

The personal data categories that we process are as follows (“Personal Data”):

• Full name, gender, contact details (address, phone number, email address), place and date of birth;

• Professional and educational experience;

• Test scores;

• Language skills;

• Eligibility to work in the country you are applying; and

• Any other information you provide in your CV, cover letter and/or the documents you provide with your application and/or in the job interview.

The provision of Personal Data is necessary for the decision whether an employment contract with you will be concluded (hiring decision). The provision of Personal Data by you is voluntary. However, if you do not provide your Personal Data, the application process may be delayed and/or we may reject your application.

4. Processing Purposes

We process your Personal Data to the extent permitted or required under applicable law, for the following purposes. Furthermore, Abesse relies on the following legal grounds for the processing, of your Personal Data:

Determining your suitability for the position you are applying for as part of the application process:

• The processing of your Personal Data is necessary to determine whether an employment contract will be entered into and is based on Art. 6 para. 1 lit. b) GDPR and the corresponding provisions in local data protection law relating to the (pre-)employment relationship.

Protect the legal interests of Abesse, in particular as required to defend against legal claims:

• The processing is necessary for the purposes of the legitimate interests pursued by Abesse (Art.6(1)(f) GDPR) as indicated above.

Complying    with    applicable    laws     and    pre- employment-related requirements along with the administration of those requirements, such as employment and immigration laws:

• The processing is necessary for compliance with a legal obligation to which Abesse is subject (Art. 6(1) (c) GDPR).

• The processing is necessary for the purposes of the legitimate interests pursued by Abesse (Art. 6(1) (f) GDPR) as indicated in the first column.

Responding to and complying with requests and legal demands from regulators or other authorities in or outside of your home country.

• The processing is necessary for compliance with a legal obligation to which Abesse is subject (Art. 6(1) (c) GDPR).

• The processing is necessary for the purposes of the legitimate interests pursued by Abesse (Art. 6(1) (f) GDPR) as indicated in the first column.

III. DATA TRANSFERS AND RECIPIENTS

1. Recipients

To other group companies: We may transfer your Personal Data to other parties, as permitted pursuant to Art. 6 para. 1 lit. f) GDPR for the legitimate interests of Abesse (i.e. in light of our global structure to allow for global recruitment and to allow all relevant managers and recruiters which may be located at different companies to review the application).

Third parties: Abesse and/or other Abesse group companies may also transfer your data to governmental agencies and regulators, courts, and government authorities, all in accordance with applicable law based on Art. 6 (1) (c) GDPR and to external advisors acting as controllers (e.g., lawyers, accountants, auditors etc.) based on Art. 6 (1) (f) GDPR.

2. Service providers (within and outside Abesse group): Abesse contracts with third party service providers or other Abesse group companies as part of its normal business operations to carry out certain human resources-related or IT-related tasks, global HR management (i.e., global recruitment, to provide secure global systems and networks as a service provider to the companies in Abesse group where all or some Abesse group companies can process Personal Data).Cross-Border Data Transfers

We transfer your Personal Data outside of the country you are located. Some recipients of your Personal Data are located in another country for which the European Commission has not issued a decision that this country ensures an adequate level of data protection, namely: such as the U.S., Serbia, the Philippines, Tunisia.

Some recipients located outside of the European Economic Area (“EEA”) are certified under the EU-U.S. Privacy Shield and others are located in countries for which the European Commission has issued adequacy decisions (which may include Andorra, Argentina, Canada (for non-public organizations subject to the Canadian Personal Information Protection and Electronic Documents Act), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, Uruguay, and New Zealand). In each case, the transfer is thereby recognized as providing an adequate level of data protection from a European data protection law perspective (Art. 45 GDPR).

By way of entering into appropriate data transfer agreements based on Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC) as referred to in Art. 46 (5) GDPR or other adequate means, which are accessible via the below contact details, we have established that all other recipients located outside the EEA will provide an adequate level of data protection for the Personal Data and that appropriate technical and organizational security measures are in place to protect Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. Any onward transfer (including our affiliates outside the EEA) is subject to appropriate onward transfer requirements as required by applicable law.

3. RETENTION PERIODS

Personal Data processed for the purposes hereunder will be stored only to the extent necessary during application process and a following reasonable period (taking into account statutory limitation periods) as required or permitted under applicable law (e.g., as necessary to defend against claims in relation to the application process, or to comply with Abesse’s obligations regarding data retention as established in the applicable laws). If a judicial or disciplinary action is initiated, the Personal Data may be stored until the end of such action, including any potential periods for appeal, and will then be deleted or archived as permitted by applicable law.

In principle we will retain your Personal Data as long as required or permitted by applicable law. Afterwards, we will remove your Personal Data from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it.

4. YOUR STATUTORY RIGHTS

Under the conditions set out under applicable law, (e.g., GDPR), you have the following rights:

1. Right of access: You have the right to obtain from us confirmation as to whether or not Personal Data concerning you is being processed, and, where that is the case, to request access to the Personal Data. The access information includes – inter alia – the purposes of the processing, the categories of Personal Data concerned, and the recipients or categories of recipients to whom the Personal Data have been or will be disclosed.

You have the right to obtain a copy of the Personal Data undergoing processing. For additional copies requested by you, we may charge a reasonable fee based on administrative costs.

1. Right to rectification: You have the right to obtain from us the rectification of inaccurate Personal Data concerning you. Depending on the purposes of the processing, you have the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.

2. Right to erasure (right to be forgotten): You have the right to ask us to erase your Personal Data, in which case we have to comply.

3. Right to restriction of processing: You have the right to request the restriction of processing your Personal Data. In this case, the respective data will be marked and may only be processed by us for certain purposes.

4. Right to data portability: You have the right to receive the Personal Data concerning you which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit those Personal Data to another entity without hindrance from us.

5. Right to object: Please note that the aforementioned rights might be limited under the applicable national data protection law. In case of complaints you also have the right to lodge a complaint with the competent supervisory authority, in particular in the Member State of your habitual residence or alleged infringement of the GDPR.

6. CONTACT US

If you wish to exercise your data subject rights or if you have any other questions concerning this Notice, please address your request to the controller (see Section I. above) or the data protection officer, who can be contacted at adatvedelem@Abesse.com

VII. CHANGES

Please note that this Notice will be amended in case such is necessary to reflect changes in Abesse’s handling of your Personal Data. You will be informed in an appropriate form about such a new version.