Milestone Institute Data Handling Policy

1. Preamble

Data controller

  • Milestone Consulting Kft (Milestone Institute), hereafter: the Institute
  • Registered address: Bajza utca 44, 1062 Budapest, Hungary
  • Website: www.milestone-institute.org
  • Email: info@msinst.org
  • Phone: +36 30 567 5499
  • Tax number: 22946632-2-42

How the Institute works

The Institute carries out supplementary education and training activities with the main objective of providing out-of-school professional and academic training for talented students. The aim of the Institute is to identify talented students, assist them in finding the path of study that’s right for them and then build up a knowledge base from which they can launch successful entrepreneurial and social initiatives. The mission of the Institute is to empower the next generation of Hungary’s prospective leaders by providing them with the knowledge and the intellectual community necessary for living in a responsible manner.

This Privacy Policy, together with our terms of use for this website and our cookies policy, sets out how exactly we use and protect your personal information.

All information is used in compliance with Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Hungary), and, as of 25 May 2018, with the General Data Protection Regulation (EU) 2016/679 (hereafter ‘GDPR’).

What principles do we follow in our data management?

The Institute follows the following data management principles:

  • We treat personal information in a lawful, fair and transparent manner.
  • We treat and process personal data only for specific, clear and legitimate purposes. We also ensure that data are not treated in any way that is incompatible with the stated purposes, and that our data management activities are limited to what is strictly necessary for these purposes.
  • The Institute shall take all reasonable steps to ensure that the data we manage are accurate and, where necessary, kept up to date, and that inaccurate personal data are deleted or corrected without delay.
  • We store your personal information in a form that permits us to identify you only for as long as is necessary to achieve the purposes for which your personal data have been collected.
  • We ensure that your personal data are adequately protected against unauthorised or unlawful handling, accidental loss, destruction or damage by applying appropriate technical and organisational measures.

Why does the Institute handle your personal data?

  • The Institute manages your information on the basis of your pre-informed and voluntary consent, only to the extent necessary and in all cases in a targeted manner.
  • In some cases, the collection of personal data is based on statutory requirements and is therefore mandatory, in which case we will draw your attention to this fact.
  • In some cases, your personal data may be of legitimate interest to the Institute or to a third party, for example as regards the operation, development and security of our website.

What if you choose not to provide personal data?

You do not have any legal or contractual obligation to provide data to the Institute (except where the collection of data is based on statutory requirements). However, if you choose not to provide the information in question, we may not be able to process your request or your application properly, or in some cases at all.

2. Definitions

Personal data: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Art. 4 GDPR)

Processing: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4 GDPR)

Data controller: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (Art. 4 GDPR)

Data processor: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (Art. 4 GDPR)

Third party: ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. (Art. 4 GDPR)

Consent: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (Art. 4 GDPR)

 

3. Your rights

According to the law on data protection, you are entitled to:

  • Request access to your personal data,
  • Ask for the rectification, modification, portability or addition of any personal data we manage,
  • Object to the processing of your personal data and ask for the deletion or restriction thereof (except in the case of mandatory data management),
  • Appeal to a court,
  • Make a complaint to the Hungarian supervisory authority or initiate proceedings (see https://naih.hu/panaszuegyintezes-rendje.html).

The contact details of the Hungarian supervisory authority (hereafter ‘the Authority’) are as follows:

Nemzeti Adatvédelmi és Információszabadság Hatóság

Seat: Szilágyi Erzsébet fasor 22/c, 1125 Budapest, Hungary

Address: 1530 Budapest, Pf.: 5.

Phone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

Website: https://naih.hu/

At your request, you are entitled to obtain the following information about your personal data:

  • The categories of personal data stored about you,
  • The source(s) of the personal information,
  • The purposes of the collection, processing, use and storage of your personal data,
  • The envisaged period of storage for your personal data and the rationale for determining the storage period,
  • The recipients (name, address) or categories of recipients to whom your personal data has been or may be transmitted, along with the location of those recipients,
  • The circumstances and effects of data protection incidents and the measures taken to prevent any data protection incidents,
  • The legal basis and the addressee of the transfer of your personal data,
  • The use of any automated decision-making and/or profiling.

We will provide information in the shortest possible time, and no later than 1 month after the submission of the request. Information may only be denied in cases provided by law, in which case we will indicate the relevant legal provision, as well as the possibility of judicial remedy and access to the Authority. No administration fee will be charged for the assessment and execution of the request.

In the event of any rectification, blocking, marking and deletion of personal data, the Institute will inform you and those parties to whom we have forwarded your personal data for data processing.

You may withdraw your consent for data management at any time.

If you object to the processing of your personal information, we will examine the objection within 1 month of the request and inform you of our decision in writing. If we have decided that your objection is well founded, the management of the data in question will be terminated and the data will be blocked. Those parties to whom we have forwarded the personal data and who are affected by the data management termination will be notified.

If we are unable to comply with your request for rectification, blocking or cancellation, we will provide you with written reasons within one month and will inform you of the possibility of judicial review and referral to the Authority.

We will refuse to execute the request if we are able to prove that the data management is justified by compelling legitimate reasons that take precedence over your interests, rights and freedoms, or which are related to the submission, validation or protection of legal claims. If you do not agree with our decision, or if we fail to comply with the deadline, you may apply to the court within 30 days of the date of the decision or the last day of the deadline.

Judicial review of data protection law falls within the jurisdiction of the Authority, and may be initiated by you before the court of your place of residence. A foreign citizen may also lodge a complaint with the competent supervisory authority of his/her place of residence.

Before contacting the Authority or the court with your complaint, you are kindly requested to consult the Institute in order to resolve the problem amicably as soon as possible.

What are the main laws guiding our activities?

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the processing of personal data of natural persons (GDPR)
  • Act CXII of 2011 on Information Self-Determination and Freedom of Information (Info tv.)
  • Act V of 2013 of the Civil Code (Civil Code)
  • Act CVIII of 2001 on certain aspects of electronic commerce and information society services (Eker tv.)
  • Act C of 2003 on Electronic Communications (Ehtv.)
  • Act CLV of 1997 – the Consumer Protection Act (Fogyv tv.)
  • Act CLXV of 2013 on Complaints and Notifications of Public Interest (FAs)
  • Act XLVIII on the basic conditions and limits of economic advertising (Grtv.)

 

4. Use of data processors

In the course of data management, the Institute only transfers data to individuals or freelancers/companies who have a contractual relationship with the Institute for employment or other work. In each case, this is done in parallel with a data processing contract and an assignment contract. If the assignment contract is terminated, the data processing right will also cease.

In order to perform its educational activities, the Institute relies on the following types of data processors for data management:

Mentor

  • Description: The mentor assigned to the student has access to a range of personal data provided by the student to perform the mentoring tasks
  • Method of data processing: Data processing contract
  • Duration: For the duration of the student contract
  • Managed data:
      • Identity and contact details of the student (name, mother’s maiden name, place and date of birth, place of residence, mailing address, email address, telephone number)
      • Recruitment data and results at the Institute (recruitment scores, notes)
      • Data on education at the Institute (modules, results, class participation, mentoring data, information on other educational activities)
      • Information about further education (university application, information required for applying)

Module leader

  • Description: Module leaders have access to a range of personal data provided by the student to perform tasks related to module teaching
  • Method of data processing: Data processing contract
  • Duration: For the duration of the student contract
  • Managed data:
      • Identity and contact details of the student (name, mother’s maiden name, place and date of birth, place of residence, mailing address, email address, telephone number)
      • Recruitment data and results at the Institute (recruitment scores, notes)
      • Data on education at the Institute (modules, results, class participation, mentoring data, information on other educational activities)
      • Information about further education (university application, information required for applying)

Interviewer

  • Description: During the admission process, interviewers will have access to the personal data provided by the student for this purpose
  • Method of data processing: Data processing contract
  • Duration: Until the end of the admission process
  • Managed data:
      • Identity and contact details of the student (name, mother’s maiden name, place and date of birth, place of residence, mailing address, email address, telephone number)
      • Information about the student’s schooling (name of secondary school, exam subjects, study results)

Mock interviewer

  • Description: During the senior year, the individuals who conduct mock interviews or otherwise prepare students for university admission will have access to the personal data provided by the student for this purpose
  • Method of data processing: Data processing contract
  • Duration: Until the end of the mock interview process
  • Managed data:
      • Identity and contact details of the student (name, mother’s maiden name, place and date of birth, place of residence, mailing address, email address, telephone number)
      • Recruitment data and results at the Institute (recruitment scores, notes)
      • Data on education at the Institute (modules, results, class participation, mentoring data, information on other educational activities)
      • Information about further education (university application, information required for applying)

Should we modify the scope of our data processors, we will amend this Privacy Policy accordingly and inform all affected parties.

5. Managed data

The Institute manages data only if the purpose for doing so is defined and justified by law. Data are only stored for the timeframe specified in this Privacy Policy. If the assignment contract is terminated, any data related to the action will also be deleted.

In order to perform its educational activities, the Institute relies on the following types of data processors for data management:

Website visits

  • Purpose:
      • To ensure the proper operation of the website
      • To verify and improve our services
      • To identify malicious visitors to our website
      • To measure web traffic
      • For statistical purposes
  • Legal basis: Legitimate interest of the Institute (Art. 6 (f) GDPR)
  • Managed data:
      • Visitor’s IP addresses
      • Date and time of visit
      • Details of the subpages visited
      • The type of operating system and browser used
  • Duration: 12 months

Job applications

  • Purpose: For recruitment purposes, to maintain a database of contacts
  • Legal basis: Voluntary consent (Art. 6 (a) GDPR)
  • Managed data:
      • Applicant ID and contact information (name, place of residence, mailing address, email address, phone number)
      • Recruitment data (personal data voluntarily provided in the CV, educational attainment, academic and professional qualifications, name of the institution issuing the qualification)
  • Duration: Until the end of the recruitment procedure/2 years in the case of voluntary consent

Employment

  • Purpose: To comply with the provisions of the employment contract and its annexes between the employee and the Institute
  • Legal basis: Contract (Art. 6 (b) GDPR)
  • Managed data:
      • Recruitment data (personal data voluntarily provided in the CV, educational attainment, academic and professional qualifications, name of the institution issuing the qualification)
      • Applicant ID, personal and contact information (family name, first name, surname at birth, nationality, mother’s maiden name, place of birth, birth date, TAJ number, tax identification number, educational attainment; academic and professional qualifications; registration number of the diploma, number of children)
      • Address and other contact details (registered address, place of residence, mailing address, telephone number, email address)
      • Employment data (start date of employment, duration of employment contract, employee’s salary, position, probationary period, FEOR number, information about the weekly hours of work, full-time or part-time employment, work schedule, method of wage payment, other 36-hour employment (if any), other long-term employment, sick leave dates, days off, overtime)
      • Financial data (bank name, bank account number, private pension fund membership, name of pension fund, date of entry, identification number of the private pension fund, deduction of performance-related fees, retirement age, annual pension amount expected)
      • Other financial data (contributions, wages and salaries related to the employee’s wage)
  • Duration: Duration of the contract/5 years in the context of compliance with tax obligations

Educational activities

  • Purpose: To provide the services detailed in the contract and its annexes between the student, the legal representative and the Institute
  • Legal basis: Contract (Art. 6 (b) GDPR)
  • Managed data:
      • Student’s identity and contact information (name, date of birth, place of residence, mailing address, mother’s maiden name, email address, phone number)
      • Parent’s identity and contact information (name, email address, phone number)
      • Information about the student’s school (secondary school name, name and availability of referee, exam subjects)
      • Institute recruitment data and results (recruitment scores, notes)
      • Data on education at the institute (modules, grades, participation, mentoring data, other educational activities)
      • Information about further education (university application, information required for applying)
  • Duration: Duration of contract

Test centre

  • Purpose: To forward data to the test centre
  • Legal basis: Voluntary consent (Art. 6 (a) GDPR)
  • Managed data: Student’s identity and contact information (name, date of birth, place of residence, mailing address, mother’s maiden name, email address, phone number)
  • Duration: 1 year

Alumni network

  • Purpose: To maintain a database of contacts
  • Legal basis: Voluntary consent (Art. 6 (a) GDPR)
  • Managed data:
      • Student’s identity and contact information (name, date of birth, place of residence, mailing address, mother’s maiden name, email address, phone number)
      • Information about the student’s school (secondary school name, name and availability of referee, exam subjects, school results)
      • Information about further education (university application, information required for applying)
  • Duration: Until withdrawal

Newsletter service

  • Purpose: To maintain a database of contacts
  • Legal basis: Voluntary consent (Art. 6 (a) GDPR)
  • Managed data:
      • Full name
      • Email address
  • Duration: Duration of subscription

Market research, focus group research

  • Purpose: To carry out surveys and research in accordance with customer needs
  • Legal basis: Voluntary consent (Art. 6 (a) GDPR)
  • Managed data:
      • Gender
      • Age
      • Data included in specific questionnaire responses
  • Duration: Duration of external contract

Administration, complaints

  • Purpose: To respond to comments and complaints
  • Legal basis: Legal obligation of the Institute (Art. 6 (c) GDPR)
  • Managed data:
      • Full name
      • Email address
      • Phone number
      • Mailing address
      • Personal messages, as relevant
  • Duration: 5 years

Should you require any additional information on data management, you may contact the Institute by email or post, as indicated above, and we will respond to your request within 1 month.

 

6. How we protect your data

The Institute has taken all reasonably necessary steps to make sure that your data are treated securely and in accordance with this Privacy Policy.

Your personal information will not be retained by the Institute for longer than is necessary to carry out the purposes for which it was originally collected, or for which it was processed further. Your data may only be transmitted within the limits set by law and, in the case of our data processors, based on contractual terms that have been designed to prevent your personal data from being used for purposes contrary to your consent.

Since all personal information is provided voluntarily by you during your interactions with the Institute, we ask you to continuously monitor the authenticity, correctness and accuracy of your data. Incorrect, inaccurate or incomplete data may make it impossible for us to provide our contractual services.

If you provide personal information other than your own, we assume that you have the necessary authority or permission to do so.

In the case of misleading personal data, or if a visitor to our sites commits a crime or attacks the Institute’s systems, the data of that visitor will be retained for the purpose of establishing civil liability or conducting criminal proceedings.

The contributors and employees of the Institute who are involved in data management and/or data processing are only entitled to know your personal data to the extent that was previously established, subject to the obligation of confidentiality.

Your personal data will be protected by appropriate technical and other measures, and we will ensure the security, availability and protection of your data against unauthorised access, alteration, damage or disclosure, as well as any other unauthorised use.

In the framework of organisational measures, we control physical access to our facilities, train our employees continuously, and store paper-based documents with adequate protection measures in place. We use encryption, password protection and anti-virus software as part of our technical measures. However, no data transmission over the internet can ever be considered fully secure. While the Institute will do its utmost to make its processes as secure as possible, we cannot take full responsibility for the transmission of data through our website. Once your data have been received by the Institute, we will comply with all legal requirements to protect your data and prevent any unauthorised access.

 

7. Data storage and data management systems

The Institute does not operate its own server and instead stores data on different cloud-based platforms. The Institute’s internal policies ensure that only appropriately qualified employees have access to the data and that all access is on a ‘need-to-know’ basis, meaning that employees only have access to data that is strictly necessary for the performance of their tasks.

The Institute may utilise the services of various data processors and external service providers to handle and process your personal data for specific purposes. The personal information collected from you may be transferred to, and stored at, a destination outside the European Economic Area (‘EEA’). It may also be processed by individuals operating outside the EEA who work for us or are working on our behalf. This includes staff engaged in, among other things, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing and processing of your data at a location outside the EEA.

Where we use an external service provider to act on our behalf, we will disclose only the personal information necessary to deliver the service and will have a contract in place that requires the provider to comply with the Institute’s data protection and information security requirements. This information is processed in accordance with all applicable legislation and is disclosed to third parties only with your consent, or where the Institute is under a statutory or legal obligation to disclose the data.

The court, the prosecutor’s office and other authorities (e.g. the police, the tax office or the National Data Protection and Freedom of Information Authority) may contact the Institute for information, disclosure or access to documents. In these cases, we must fulfil our reporting obligations, but only to the extent strictly necessary to achieve the purpose of the request, and will inform you accordingly.

The Institute uses the following systems to store and manage data:

  • Salesforce, Salesforce.com Inc., San Francisco, California, USA
  • Google (apps, mailing), Google LLC, Mountain View, California, USA
  • Canvas, Instructure Inc., Salt Lake City, Utah, USA

The processing of data by these third parties may also be governed by their own privacy policies. Please review the privacy policies on the third party websites directly for more information about their data processing practices.

Our website may include links to other websites, not owned or managed by the Institute. Whilst we try our best to only link to reputable websites, we cannot be held responsible for the privacy of data collected by sites not managed by the Institute, nor can we accept responsibility or liability for those policies.

 

8. Cookies

We use cookies to ensure the efficient functioning of our website, and we capture and store IP addresses to provide you with a more personalised service.

What are cookies and how do we handle them?

Cookies are small text files that are downloaded to your browser when you visit our site. Most standard browsers (Chrome, Firefox, etc.) will accept and allow the download and use of cookies by default. However, you can refuse or disable cookies by changing your browser settings, and you can also delete the cookies already stored on your device. For more information on the use of cookies, see the ‘Help’ menu of each browser.

Some cookies do not require your prior consent. At the start of your first visit to our website, we will briefly inform you about the cookies we use. The same is true for cookies that do require your consent, in which case we will inform you accordingly and ask for your consent during your first visit to our website.

The Institute does not use or allow cookies that enable third parties to collect data without your consent.

The acceptance of cookies is not mandatory, but if you disable them, you may have to manually adjust some preferences every time you visit our site and some services and functionalities may not work.

What cookies do we use?

System cookies

  • Name: __cfduid; wordpress_google_apps_login; wordpress_test_cookie
  • Consent: Not required
  • Description: Web application firewall session cookie to prevent abuse of cross-references
  • Purpose: To ensure the functioning of the website
  • Duration: End of browser session

Analytical cookies

  • Name: _ga; _gid; _gat
  • Consent: Required
  • Description: To enable Google Analytics to distinguish between users and sessions
  • Purpose: Analytics for statistical purposes
  • Duration: Specified by third party

Remarketing cookies

  • Name: _fbp; _fr
  • Consent: Required
  • Description: To identify users during the operation of Facebook Pixel
  • Purpose: Facebook ads targeting
  • Duration: Specified by third party

For more information about these third party cookies, see https://www.google.com/policies/technologies/types/ and https://www.facebook.com/business/help/471978536642445, respectively.

You can find out more about how Google and Facebook manage your data here https://www.google.com/analytics/learn/privacy.html?hl=en_US and here https://developers.facebook.com/docs/facebook-pixel/implementation/gdpr/

 

9. Direct marketing and newsletter management

You may consent to your personal information being used for marketing purposes by making a statement at the time of registration or by modifying your personal data at a later date. Until the consent is withdrawn, we may process your data for the purpose of direct marketing and/or the sending of newsletters, and we may send you promotional and other mailings as well as newsletters (Section 6 of Grtv.).

The Institute relies on the following types of registration:

General newsletters for website visitors

  • Legal basis: Voluntary consent (Art. 6 (a) GDPR)
  • Description and purpose: Signing up for our newsletter in order to receive the latest Milestone news
  • Duration: Duration of subscription

Newsletters for prospective students/their guardians

  • Legal basis: Voluntary consent (Art. 6 (a) GDPR)
  • Description and purpose: Subscribing for newsletters as a prospective student or their guardian in order to receive the latest news for which they have specifically signed up
  • Duration: Duration of subscription

Mailings to current students/their guardians

  • Legal basis: Contract (Art. 6 (b) GDPR)
  • Description and purpose: All students and their guardians may receive emails in order to inform them about all programme-related tasks, opportunities and news
  • Duration: Duration of contract

Mailings to staff and faculty members

  • Legal basis: Contract (Art. 6 (b) GDPR)
  • Description and purpose: All staff and faculty members (module leaders, mentors) may receive emails in order to inform them about all job-related tasks, opportunities and news
  • Duration: Duration of contract

Having registered as a website visitor or prospective student/their guardian, you may consent to your personal information being used for direct marketing purposes and/or the sending of newsletters, and you may withdraw it at any time.

Should you decide to cancel your registration, this will automatically be considered as withdrawal of your consent. Withdrawal of consent for the purposes of direct marketing and/or the sending of newsletters shall not be construed as withdrawal of the data management consent related to our website. All registrations are for a specific purpose, and registration on the website and signing up for the newsletter constitute two separate purposes, with two separate databases.

For technical reasons, it may take up to 15 working days for cancellations of individual registrations to become effective.

By signing the contract, you, as a current student/guardian or employee of the Institute, have agreed that the Institute may send you emails at any time. Consent for these mailings may not be withdrawn before the end of the contract/assignment, but upon termination of the contract, the Institute’s right of inquiry will automatically cease.

 

10. Disclosure

The Institute reserves the right to change this Privacy Policy at any time. Information on modifications can be obtained on the Institute’s updated website. Each time you visit our site, you should consult this Privacy Policy to verify that no changes have been made to any sections that are of importance to you. Where appropriate, we will notify you of any changes by email.

 

Milestone Institute, 27/05/2019