1. Preamble
Data controller
How the Institute works
The Institute carries out supplementary education and training activities with the main objective of providing out-of-school professional and academic training for talented students. The aim of the Institute is to identify talented students, assist them in finding the path of study that’s right for them and then build up a knowledge base from which they can launch successful entrepreneurial and social initiatives. The mission of the Institute is to empower the next generation of Hungary’s prospective leaders by providing them with the knowledge and the intellectual community necessary for living in a responsible manner.
The Institute also carries out consulting and adult education activities for corporate clients. These activities are carried out under the adult education registration number B/2020/001976.
This Privacy Policy, together with our terms of use for this website and our cookies policy, sets out how exactly we use and protect your personal information.
All information is used in compliance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Hungary), and, as of 25 May 2018, with the General Data Protection Regulation (EU) 2016/679 (hereafter ‘GDPR’).
What principles do we follow in our data management?
The Institute follows the following data management principles:
Why does the Institute handle your personal data?
What if you choose not to provide personal data?
You do not have any legal or contractual obligation to provide data to the Institute (except where the collection of data is based on statutory requirements). However, if you choose not to provide the information in question, we may not be able to process your request or your application properly, or in some cases at all.
2. Definitions
Personal data: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 GDPR)
Processing: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 GDPR)
Data controller: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (Art. 4 GDPR)
Data processor: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (Art. 4 GDPR)
Third party: ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. (Art. 4 GDPR)
Consent: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (Art. 4 GDPR)
3. Your rights
According to the law on data protection, you are entitled to:
The contact details of the Hungarian supervisory authority (hereafter ‘the Authority’) are as follows:
Nemzeti Adatvédelmi és Információszabadság Hatóság
Seat: Szilágyi Erzsébet fasor 22/c, 1125 Budapest, Hungary
Address: 1530 Budapest, Pf.: 5.
Phone: +36 (1) 391-1400
Fax: +36 (1) 391-1410
Email: ugyfelszolgalat@naih.hu
Website: https://naih.hu/
At your request, you are entitled to obtain the following information about your personal data:
We will provide information in the shortest possible time, and no later than 1 month after the submission of the request. Information may only be denied in cases provided for by law, in which case we will indicate the legal provision relied on, as well as the possibility of judicial remedy and access to the Authority. No administration fee will be charged for the assessment and execution of the request.
In the event of any rectification, blocking, marking and deletion of personal data, the Institute will inform you and those parties to whom we have forwarded your personal data for data processing.
You may withdraw your consent for data management at any time.
If you object to the processing of your personal information, we will examine the objection within 1 month of the request and inform you of our decision in writing. If we have decided that your objection is well founded, the management of the data in question will be terminated and the data will be blocked. Those parties to whom we have forwarded the personal data and who are affected by the data management termination will be notified.
If we are unable to comply with your request for rectification, blocking or cancellation, we will provide you with written reasons within one month and will inform you of the possibility of judicial review and referral to the Authority.
We will refuse to execute the request if we are able to prove that the data management is justified by compelling legitimate reasons that take precedence over your interests, rights and freedoms, or which are related to the submission, validation or protection of legal claims. If you do not agree with our decision, or if we fail to comply with the deadline, you may apply to the court within 30 days of the date of the decision or the last day of the deadline.
Judicial review of data protection law falls within the jurisdiction of the Authority, and may be initiated by you before the court of your place of residence. A foreign citizen may also lodge a complaint with the competent supervisory authority of his/her place of residence.
Before contacting the Authority or the court with your complaint, you are kindly requested to consult the Institute in order to resolve the problem amicably as soon as possible.
What are the main laws guiding our activities?
4. Use of data processors
In the course of data management, the Institute only transfers data to individuals or freelancers/companies who have a contractual relationship with the Institute for employment or other work. In each case, this is done in parallel with a data processing contract and an assignment contract. If the assignment contract is terminated, the data processing right will also cease.
In order to perform its educational activities, the Institute relies on the following types of data processors for data management:
Name and description | Method of data processing | Duration | Managed data |
Mentor: The mentor assigned to the student has access to a range of personal data provided by the student to perform the mentoring tasks | Data processing contract | For the duration of the student contract | Identity and contact details of the student (name, mother’s maiden name, place and date of birth, place of residence, mailing address, email address, telephone number); Recruitment data and results at the Institute (recruitment scores, notes); Data on education at the Institute (modules, results, class participation, mentoring data, information on other educational activities); Information about further education (university application, information required for applying) |
Module leader: Module leaders have access to a range of personal data provided by the student to perform tasks related to module teaching | Data processing contract | For the duration of the student contract | Identity and contact details of the student (name, mother’s maiden name, place and date of birth, place of residence, mailing address, email address, telephone number); Recruitment data and results at the Institute (recruitment scores, notes); Data on education at the Institute (modules, results, class participation, mentoring data, information on other educational activities); Information about further education (university application, information required for applying) |
Interviewer: During the admission process, interviewers will have access to the personal data provided by the student for this purpose | Data processing contract | Until the end of the admission process | Identity and contact details of the student (name, mother’s maiden name, place and date of birth, place of residence, mailing address, email address, telephone number); Information about the student’s schooling (name of secondary school, exam subjects, study results) |
Mock interviewer: During the senior year, the individuals who conduct mock interviews or otherwise prepare students for university admission will have access to the personal data provided by the student for this purpose | Data processing contract | Until the end of the mock interview process | Identity and contact details of the student (name, mother’s maiden name, place and date of birth, place of residence, mailing address, email address, telephone number); Recruitment data and results at the Institute (recruitment scores, notes); Data on education at the Institute (modules, results, class participation, mentoring data, information on other educational activities); Information about further education (university application, information required for applying) |
Should we modify the scope of our data processors, we will amend this Privacy Policy accordingly and inform all affected parties.
5. Managed data
The Institute manages data only if the purpose for doing so is defined and justified by law. Data are only stored for the timeframe specified in this Privacy Policy. If the assignment contract is terminated, any data related to the action will also be deleted.
In order to perform its educational activities, the Institute relies on the following types of data processors for data management:
Name and purpose of action | Legal basis | Managed data | Duration |
Website visits: To ensure the proper operation of the website; To verify and improve our services; To identify malicious visitors to our website; To measure web traffic; For statistical purposes | Legitimate interest of the Institute (Art. 6 (f) GDPR) | Visitor’s IP addresses; Date and time of visit; Details of the subpages visited; The type of operating system and browser used | 12 months |
Job applications: For recruitment purposes, to maintain a database of contacts | Voluntary consent (Art. 6 (a) GDPR) | Applicant ID and contact information (name, place of residence, mailing address, email address, phone number); Recruitment data (personal data voluntarily provided in the CV, educational attainment, academic and professional qualifications, name of the institution issuing the qualification) | Until the end of the recruitment procedure/2 years in the case of voluntary consent |
Employment: To comply with the provisions of the employment contract and its annexes between the employee and the Institute | Contract (Art. 6 (b) GDPR) | Recruitment data (personal data voluntarily provided in the CV, educational attainment, academic and professional qualifications, name of the institution issuing the qualification); Applicant ID, personal and contact information (family name, first name, surname at birth, nationality, mother’s maiden name, place of birth, birth date, TAJ number, tax identification number, educational attainment; academic and professional qualifications; registration number of the diploma, number of children); Address and other contact details (registered address, place of residence, mailing address, telephone number, email address); Employment data (start date of employment, duration of employment contract, employee’s salary, position, probationary period, FEOR number, information about the weekly hours of work, full-time or part-time employment, work schedule, method of wage payment, other 36-hour employment (if any), other long-term employment, sick leave dates, days off, overtime); Financial data (bank name, bank account number, private pension fund membership, name of pension fund, date of entry, identification number of the private pension fund, deduction of performance-related fees, retirement age, annual pension amount expected); Other financial data (contributions, wages and salaries related to the employee’s wage) | Duration of the contract/5 years in the context of compliance with tax obligations |
Educational activities: To provide the services detailed in the contract and its annexes between the student, the legal representative and the Institute | Contract (Art. 6 (b) GDPR) | Student’s identity and contact information (name, date of birth, place of residence, mailing address, mother’s maiden name, email address, phone number); Parent’s identity and contact information (name, email address, phone number); Information about the student’s school (secondary school name, name and availability of referee, exam subjects); Institute recruitment data and results (recruitment scores, notes); Data on education at the institute (modules, grades, participation, mentoring data, other educational activities); Information about further education (university application, information required for applying) | Duration of contract |
Test centre: To forward data to the test centre | Voluntary consent (Art. 6 (a) GDPR) | Student’s identity and contact information (name, date of birth, place of residence, mailing address, mother’s maiden name, email address, phone number) | 1 year |
Alumni network: To maintain a database of contacts | Voluntary consent (Art. 6 (a) GDPR) | Student’s identity and contact information (name, date of birth, place of residence, mailing address, mother’s maiden name, email address, phone number); Information about the student’s school (secondary school name, name and availability of referee, exam subjects, school results); Information about further education (university application, information required for applying) | Until withdrawal |
Newsletter service: To maintain a database of contacts | Voluntary consent (Art. 6 (a) GDPR) | Full name; Email address | Duration of subscription |
Market research, focus group research: To carry out surveys and research in accordance with customer needs | Voluntary consent (Art. 6 (a) GDPR) | Gender; Age; Data included in specific questionnaire responses | Duration of external contract |
Administration, complaints: To respond to comments and complaints | Legal obligation of the Institute (Art. 6 (c) GDPR) | Full name; Email address; Phone number; Mailing address; Personal messages, as relevant | 5 years |
Should you require any additional information on data management, you may contact the Institute by email or post, as indicated above, and we will respond to your request within 1 month.
6. How we protect your data
The Institute has taken all reasonably necessary steps to make sure that your data are treated securely and in accordance with this Privacy Policy.
Your personal information will not be retained by the Institute for longer than is necessary to carry out the purposes for which it was originally collected, or for which it was processed further. Your data may only be transmitted within the limits set by law and, in the case of our data processors, based on contractual terms that have been designed to prevent your personal data from being used for purposes contrary to your consent.
Since all personal information is provided voluntarily by you during your interactions with the Institute, we ask you to continuously monitor the authenticity, correctness and accuracy of your data. Incorrect, inaccurate or incomplete data may make it impossible for us to provide our contractual services.
If you provide personal information other than your own, we assume that you have the necessary authority or permission to do so.
In the case of misleading personal data, or if a visitor to our sites commits a crime or attacks the Institute’s systems, the data of that visitor will be retained for the purpose of establishing civil liability or conducting criminal proceedings.
The contributors and employees of the Institute who are involved in data management and/or data processing are only entitled to know your personal data to the extent that was previously established, subject to the obligation of confidentiality.
Your personal data will be protected by appropriate technical and other measures, and we will ensure the security, availability and protection of your data against unauthorised access, alteration, damage or disclosure, as well as any other unauthorised use.
In the framework of organisational measures, we control physical access to our facilities, train our employees continuously, and store paper-based documents with adequate protection measures in place. We use encryption, password protection and anti-virus software as part of our technical measures. However, no data transmission over the internet can ever be considered fully secure. While the Institute will do its utmost to make its processes as secure as possible, we cannot take full responsibility for the transmission of data through our website. Once your data have been received by the Institute, we will comply with all legal requirements to protect your data and prevent any unauthorised access.
7. Data storage and data management systems
The Institute does not operate its own server and instead stores data on different cloud-based platforms. The Institute’s internal policies ensure that only appropriately qualified employees have access to the data and that all access is on a ‘need-to-know’ basis, meaning that employees only have access to data that is strictly necessary for the performance of their tasks.
The Institute may utilise the services of various data processors and external service providers to handle and process your personal data for specific purposes. The personal information collected from you may be transferred to, and stored at, a destination outside the European Economic Area (‘EEA’). It may also be processed by individuals operating outside the EEA who work for us or are working on our behalf. This includes staff engaged in, among other things, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing and processing of your data at a location outside the EEA.
Where we use an external service provider to act on our behalf, we will disclose only the personal information necessary to deliver the service and will have a contract in place that requires the provider to comply with the Institute’s data protection and information security requirements. This information is processed in accordance with all applicable legislation and is disclosed to third parties only with your consent, or where the Institute is under a statutory or legal obligation to disclose the data.
The court, the prosecutor’s office and other authorities (e.g. the police, the tax office or the National Data Protection and Freedom of Information Authority) may contact the Institute for information, disclosure or access to documents. In these cases, we must fulfil our reporting obligations, but only to the extent strictly necessary to achieve the purpose of the request, and will inform you accordingly.
The Institute uses the following systems to store and manage data:
The processing of data by these third parties may also be governed by their own privacy policies. Please review the privacy policies on the third party websites directly for more information about their data processing practices.
Our website may include links to other websites, not owned or managed by the Institute. Whilst we try our best to only link to reputable websites, we cannot be held responsible for the privacy of data collected by sites not managed by the Institute, nor can we accept responsibility or liability for those policies.
8. Cookies
We use cookies to ensure the efficient functioning of our website, and we capture and store IP addresses to provide you with a more personalised service.
What are cookies and how do we handle them?
Cookies are small text files that are downloaded to your browser when you visit our site. Most standard browsers (Chrome, Firefox, etc.) will accept and allow the download and use of cookies by default. However, you can refuse or disable cookies by changing your browser settings, and you can also delete the cookies already stored on your device. For more information on the use of cookies, see the ‘Help’ menu of each browser.
Some cookies do not require your prior consent. At the start of your first visit to our website, we will briefly inform you about the cookies we use. The same is true for cookies that do require your consent, in which case we will inform you accordingly and ask for your consent during your first visit to our website.
The Institute does not use or allow cookies that enable third parties to collect data without your consent.
The acceptance of cookies is not mandatory, but if you disable them, you may have to manually adjust some preferences every time you visit our site and some services and functionalities may not work.
What cookies do we use?
Type | Name | Consent | Description | Purpose | Duration |
System cookies | __cfduid; wordpress_google_apps_login; wordpress_test_cookie | Not required | Web application firewall session cookie to prevent abuse of cross-references | To ensure the functioning of the website | End of browser session |
Analytical cookies | _ga; _gid; _gat | Required | To enable Google Analytics to distinguish between users and sessions | Analytics for statistical purposes | Specified by third party |
Remarketing cookies | _fbp; _fr | Required | To identify users during the operation of Facebook Pixel | Facebook ads targeting | Specified by third party |
For more information about these third party cookies, see https://www.google.com/policies/technologies/types/ and https://www.facebook.com/business/help/471978536642445, respectively.
You can find out more about how Google and Facebook manage your data at https://www.google.com/analytics/learn/privacy.html?hl=en_US and https://developers.facebook.com/docs/facebook-pixel/implementation/gdpr/, respectively.
9. Direct marketing and newsletter management
You may consent to your personal information being used for marketing purposes by making a statement at the time of registration or by modifying your personal data at a later date. Until the consent is withdrawn, we may process your data for the purpose of direct marketing and/or the sending of newsletters, and we may send you promotional and other mailings as well as newsletters (Section 6 of Grtv.).
The Institute relies on the following types of registration:
Type of registration | Legal basis | Description and purpose | Duration |
General newsletters for website visitors | Voluntary consent (Art. 6 (a) GDPR) | Signing up for our newsletter in order to receive the latest Milestone news | Duration of subscription |
Newsletters for prospective students/their guardians | Voluntary consent (Art. 6 (a) GDPR) | Subscribing for newsletters as a prospective student or their guardian in order to receive the latest news for which they have specifically signed up | Duration of subscription |
Mailings to current students/their guardians | Contract (Art. 6 (b) GDPR) | All students and their guardians may receive emails in order to inform them about all programme-related tasks, opportunities and news | Duration of contract |
Mailings to staff and faculty members | Contract (Art. 6 (b) GDPR) | All staff and faculty members (module leaders, mentors) may receive emails in order to inform them about all job-related tasks, opportunities and news | Duration of contract |
Having registered as a website visitor or prospective student/their guardian, you may consent to your personal information being used for direct marketing purposes and/or the sending of newsletters, and you may withdraw it at any time.
Should you decide to cancel your registration, this will automatically be considered as withdrawal of your consent. Withdrawal of consent for the purposes of direct marketing and/or the sending of newsletters shall not be construed as withdrawal of the data management consent related to our website. All registrations are for a specific purpose, and registration on the website and signing up for the newsletter constitute two separate purposes, with two separate databases.
For technical reasons, it may take up to 15 working days for cancellations of individual registrations to become effective.
By signing the contract, you, as a current student/guardian or employee of the Institute, have agreed that the Institute may send you emails at any time. Consent for these mailings may not be withdrawn before the end of the contract/assignment, but upon termination of the contract, the Institute’s right of inquiry will automatically cease.
10. Disclosure
The Institute reserves the right to change this Privacy Policy at any time. Information on modifications can be obtained on the Institute’s updated website. Each time you visit our site, you should consult this Privacy Policy to verify that no changes have been made to any sections that are of importance to you. Where appropriate, we will notify you of any changes by email.
Milestone Institute, 27/05/2019