Privacy Policy
your data is secure with us
Medicolink Consultancy Tanácsadó Kft. (hereinafter: „Data Controller”) is committed to fully respecting their clients’ (doctors and medical personnel, hereinafter „Data Subject” or „Candidate”) rights concerning data controlling. Accordingly, we manage the Data Subjects’ personal data in agreement with the European Union’s Act of 2016/679 on the protection of natural persons and natural persons’ data management, and the free flow of this data (hereinafter: General Data Protection Regulation or „GDPR”).
Data Controller’s contact data:
The purpose of data management is to successfully recruit the Data Subjects to hospitals in the European Economic Area (hereinafter: „Recruitment”), and the transaction of relocation to the aim countries (hereinafter: „Relocation”), including its full administration (hereinafter: „Services”). The Data Controller manages the Data Subjects’ data from initial contact (using basic contact information) through successful Recruitment to the transaction of Relocation, to the extent necessary for certain Services. This whole process can last for over two years. After having completed the Services, of the data management, in the interest the follow-up processing of rights and obligations concerning the contract (hereinafter: „Follow-up procedures”) (based on the contract with the hospital, follow-up on the candidate, legal obligations), and in the interest of information and marketing, continues.
Follow-up procedures will make data management necessary even after the completion of Services in order to upkeep legal obligations (local, and possibly Hungarian law) and depending on the legal relationship established with the given hospital.
Furthermore, we will store the data necessary for contacting the Data Subject, for further informing the Data Subject, or to inform them about further services similar to the Services, ie. marketing.
The actual content of data controlling, the scope of personal data, its time of preservation will be discussed service phase by phase in this privacy policy separately.
In all phases of the process it is the particular (in case of special category personal data) and voluntary consent of the Data Subject based on their previous information. Furthermore, the legal basis of data controlling can be:
The controlling of the personal data, its communication towards the Data Controller happens in order to successfully provide the Services, these personal data are reasonably necessary for the Data Controller’s Services, thus not providing data can result in the incompletion of the Services.
The Data Controller’s main activity is recruiting doctors and medical personnel to member countries of the European Economic Area, for which activity the Data Controller establishes contact with doctors and medical personnel with a degree from one of the member countries of the European Economic Area. These criteria are necessary because of the accepting country’s authorization processes. The Data Controller contacts the Data Subjects by using publicly available data, or the voluntary applicants’ given contact data, to offer opportunities that can advance them financially, in their standard of living regarding their careers, and their personal life as well.
The Data Subject’s name, and contact data (phone number, email address), the candidate’s medical specialty, and subspecialty, other degrees, professional experience, language knowledge, sex, nationality, the CV provided by the Data Subject, whether it is in Hungarian, English, or another language, and the pictures of the Data Subject.
In order to provide our Services, we control data on public social media sites (LinkedIn, Facebook, Xing, and other social media sites) also concerning the data published by the Data Subject, on their own profile, which includes the registration date in the given public database.
Primarily based on the previous information of the Data Subject, their specific (in case of special category personal data) and voluntary consent, both with regards to publicly available data, and the data provided to us by the Data Subject. Furthermore, the legal basis of data controlling can be:
The duration of Service providing, which can exceed two years.
Furthermore, besides the legal bases listed in point 3 above (completion of contract, legitimate interest, and the completion of the Data Controller’s legal obligation) require that the scope of personal data (basically the data required for personal identification and contact) be controlled even after the completion of Service providing.
According to GDPR forwarding data to member states of the European Economic Area does not have data security risks, thus the Data Subject’s specific consent is not necessary from this standpoint.
For technical processing and storing, the personal data is controlled by a data processor whose servers are in the United States of America (the state of California). Based on our experience we can maximize the effectiveness of our inner processes with this service provider. Considering that data forwarding outside the European Economic Area requires permission, we ask for the Data Subject’s consent for this particular forwarding.
Given that our Services are complex, time-consuming activities requiring special expertise, we use subcontractors to provide them. We are accountable for our subcontractors the same way we are for ourselves. Subcontractors acting on our behalf will also treat the personal data of the Data Subjects in the following cases. In the words of GDPR, they are considered to be Data Processors.
During the contacting phase the data processing areas (where the controlling of the personal data is done by subcontractors):
We only use data processors who provide appropriate guarantee compliance with the data controlling requirements of GDPR, and proper technical and organizational measures that ensure the protection of the Data Subjects’ rights.
The Data Controller prepares professional material about the candidates included in the recruitment process. This document contains the candidates’ professional background, education, and acquired employment experience. The Data Controller manages this data in a form that they comply as much as possible with the recruitment destination country’s inner standards. The documents are prepared in a form that maximizes the Data Subject’s possibility of employment in the destination country. The primary objective of data controlling is to provide the most comprehensive picture of the Data Subject for potential future employers, and to provide them with new employment possibilities.
Those data controlled according to point 5.1.2, and the Data Controller also manages those data contained in the Data Subject’s CV and motivation letter. These can be birthday, address, language knowledge, Skype account, notice period, relationship status, or profile picture. Besides these data, the Data Controller manages detailed information on the Data Subject’s professional knowledge and educational background. For medical activities, official documentation is necessary in the European Economic Area, thus Medicolink manages the Data Subject’s practice permit and medical diploma to ensure regulatory compliance. In case the Data Subject is from outside the European Economic Area, their certificate of conformity and homologation is managed as well.
Primarily based on the previous information of the Data Subject, their specific (in case of special category personal data) and voluntary consent, both with regards to publicly available data, and the data provided to us by the Data Subject. Furthermore, the legal basis of data controlling can be:
The time necessary to provide the Services, which could exceed two years.
Furthermore, besides the legal bases listed in point 3 above (completion of contract, legitimate interest, and the completion of the Data Controller’s legal obligation) require that the scope of personal data (basically the data required for personal identification and contact) be controlled even after the completion of Service providing.
Contact data will be retained for marketing purposes until the Data subject does not request their erasure.
Your personal data will be forwarded to healthcare institutions in the European Economic Area member states for the provision of the Service, of which we will inform the Data Subject. If the Data Subject expressly consents to this, your personal information will be passed on to other intermediary companies, thereby increasing the scope for employment possibilities.
According to GDPR forwarding data to member states of the European Economic Area does not have data security risks, thus the Data Subject’s specific consent is not necessary from this standpoint.
For technical processing and storing, the personal data is controlled by a data processor whose servers are in the United States of America (the state of California). Based on our experience we can maximize the effectiveness of our inner processes with this service provider. Considering that data forwarding outside the European Economic Area requires permission, we ask for the Data Subject’s consent for this particular forwarding.
Given that our Services are complex, time-consuming activities requiring special expertise, we use subcontractors to provide them. We are accountable for our subcontractors the same way we are for ourselves. Subcontractors acting on our behalf will also treat the personal data of the Data Subjects in the following cases. In the words of GDPR, they are considered to be Data Processors.
During the recruitment phase the data processing areas (where the controlling of the personal data is done by subcontractors):
We only use data processors who provide appropriate guarantee compliance with the data controlling requirements of GDPR, and proper technical and organizational measures that ensure the protection of the Data Subjects’ rights.
The purpose of data controlling is for the Data Controller to be able to present a more comprehensive picture about the Data Subject to the potential employers, for this they prepare a detailed professional material called a Portfolio, thus aiding the Data Subject’s search for employment. Due to the international travels that are included in the interview process, the Data Controller manages data necessary for flights, car rentals, and accommodation bookings to make the Data Subject’s stay in the destination country easier.
Those data controlled according to point 5.2.2 and all that is said by the Data Subject during the motivational interview concerning their motivation, dedication, and personal preferences, and the data covered in the personality test. Furthermore, the Data Controller manages those data that are necessary for the organization of international travels, for example, the Data Subject’s ID number, or passport information.
A so-called NEO PI-R test is applied for the personality test, during which the Data Subject’s answers (considered personal data) are processed and evaluated by a software (considered profiling). The data given during testing is used to analyze or predict professional performance, possibly state of health, personal preferences, interests, trustworthiness, behavior, thus during the use of NEO PI-R medical data is controlled as well.
Primarily based on the previous information of the Data Subject, their specific (in case of special category personal data) and voluntary consent, both with regards to publicly available data, and the data provided to us by the Data Subject. Furthermore, the legal basis of data controlling can be:
Time necessary for the provision of Services, foreseeably 36 months.
Furthermore, besides the legal bases listed in point 3 above (completion of contract, legitimate interest, and the completion of the Data Controller’s legal obligation) require that the scope of personal data (basically the data required for personal identification and contact) be controlled even after the completion of Service providing.
Your personal data during the provision of Services will be forwarded to medical facilities in the European Economic Area, of which we will send the Data Subjects regular summaries.
According to GDPR data forwarding to the member states of the European Economic area does not have data security risks, so no consent is needed from the Data Subject. The Data Subject’s personal data, including the NEO PI-R test, and the data given in it, will be sent to Psychological Assessment Resources – PAR, Inc. in the USA, which agrees with the conditions in Article 1 of the EU Committee 2016/1250 Act, thus they can guarantee GDPR compatible data protection for this type of data forwarding. For this reason, the Data Subject’s specific consent is not necessary for the forwarding of the test and the personal data given in it.
Given that our Services are complex, time-consuming activities requiring special expertise, we use subcontractors to provide them. We are accountable for our subcontractors the same way we are for ourselves. Subcontractors acting on our behalf will also treat the personal data of the Data Subjects in the following cases. In the words of GDPR, they are considered to be Data Processors.
During the interview level data controlling the data processing areas are (where data controlling is done by our subcontractors)
We only use data processors who provide appropriate guarantee compliance with the data controlling requirements of GDPR, and proper technical and organizational measures that ensure the protection of the Data Subjects’ rights.
The Data Controller handles the preparation and certification of official documents necessary for international employment and settlement, and the language preparation of the Data Subject, which are included in the Services. The Data Controller manages the administration of personal documentation prepared by international authorities, so that the Data Subjects face fewer challenges during relocation and integration.
Documents for authorization:
Residence permit (To the destination country’s authorities):
Social security (to the Local Municipality Service):
Tax card:
Language preparation:
Data controlling during the relocation process, concerning accommodation:
Primarily based on the previous information of the Data Subject, their specific (in case of special category personal data, and regarding that the Data Subject can be a child under 16, as a family member) and voluntary consent, both with regards to publicly available data, and the data provided to us by the Data Subject. Furthermore, the legal basis of data controlling can be:
In case of a child under 16, data controlling is only legal if the parent or legal guardian has allowed it and given consent.
Time necessary for the provision of relocation services, foreseeably 36 months.
Furthermore, the legal bases listed next to consent in point 3 (completion of contract, legal interest, and the completion of the Data Controller’s legal obligations) require, that a certain scope of personal data (data necessary for personal identification, and contact) be controlled after the completion of the relocation services. The contact data will be used for marketing purposes, until the Data Subject requests its erasure.
Data forwarding is possible to these institutions by request of the Data Subject:
According to GDPR forwarding data to member states of the European Economic Area does not have data security risks, thus the Data Subject’s specific consent is not necessary from this standpoint.
For technical processing and storing, the personal data is controlled by a data processor whose servers are in the United States of America (the state of California). Based on our experience we can maximize the effectiveness of our inner processes with this service provider. Considering that data forwarding outside the European Economic Area requires permission, we ask for the Data Subject’s consent for this particular forwarding.
Given that our Services are complex, time-consuming activities requiring special expertise, we use subcontractors to provide them. We are accountable for our subcontractors the same way we are for ourselves. Subcontractors acting on our behalf will also treat the personal data of the Data Subjects in the following cases. In the words of GDPR, they are considered to be Data Processors.
Data processors necessary for relocation, integration related data controlling (where the data controlling is done by our subcontractors):
We only use data processors who provide appropriate guarantee compliance with the data controlling requirements of GDPR, and proper technical and organizational measures that ensure the protection of the Data Subjects’ rights.
The Data Controller will take the necessary technical and organizational measures and establish appropriate procedural rules to ensure the security of personal data throughout the entire process of data management.
The Data Controller chooses and controls the IT tools used for the management of personal data in a way that the handled data:
The Data Controller
In the light of the current state of the art, the Data Controller provides technical, organizational and corporate measures to protect the security of data management, which provides a level of protection that corresponds to the risks associated with data management.
The Data Controller records any possible privacy incidents, indicating facts tied to these, their effects, and measures taken as remedies. The Data Controller reports the possible incidents without delay, preferably within 72 hours of realizing the occurrence of the privacy incident, to the National Data Protection and Freedom of Information Authority (hereinafter: Authority), unless the privacy incident is not likely to pose a risk to the rights and freedoms of natural persons.
The Data Subject may request information concerning the management of their personal data, and the rectification of their personal data, furthermore, they may request the deletion of their personal data– except for statutory data management – as specified during the data collection process, or through the customer service.
At the request of the Data Subject, the Data Controller shall provide information on the data, source of the data, purpose of the data processing, legal basis, duration of the data processing, the name and address of the Data Processor, and the activities concerning data processing of the data managed by the Data Controller, or by the assigned Data Processor, furthermore, in case the Data Subject’s data has been forwarded, on the legal basis and addressee of the transmission. The data controller shall provide the information in writing, in a clear form, within the shortest possible time from the submission of the request, but not later than within 25 days. Information is free of charge if the requested information has not yet been filed with the Data Controller for the same data field in the current year. In other cases, reimbursement can be determined. The Data Controller may refuse to inform the Data Subject only in statutory cases In the event of non-disclosure, the data controller shall inform the data subject in writing that refusal of the information has been made under the provisions of the Information Act. In the case of information refusal, the Data Controller notifies the Data Subject about the possibility of legal redress, and of turning to the Authority.
If the personal data does not comply with reality and the personal data corresponding to reality is available to the Data Controller, the personal data will be corrected by the Data Controller.
Personal data must be erased if its handling is illegal; if the Data Subject requests it (except for compulsory data management); if it is incomplete or incorrect, and this cannot be legally remedied, provided that erasure is not legally forbidden; if the purpose of data management has ceased, or if the legally declared deadline for data storing has expired; if it has been ordered so by the court or the Authority.
Instead of being deleted, the Data Controller will block the personal data if the Data Subject so requests or if, on the basis of the information available to him, it is assumed that the deletion would harm the legitimate interests of the Data Subject. Personal data so locked up can only be handled as long as there is a data management purpose that excludes the erasure of personal data. The Data Controller shall indicate the personal data they manage if the Data Subject disputes its correctness or accuracy, but the incorrect or inaccurate nature of the disputed personal data can not be clearly identified.
The Data Controller informs the Data Subject regarding correction, restriction and erasure. Notification may be omitted if it does not prejudice the legitimate interest of the Data Subject for the purpose of data handling. If the Data Controller fails to complete the Data Subject’s request for rectification, restriction or erasure, they shall within 30 days acknowledge the factual and legal grounds for refusal of the correction, restriction or erasure request. In the case of refusal of an application for rectification, erasure or restriction, the Data Controller shall inform the Data Subject of the judicial remedy and of the possibility of appeal to the Authority.
The Data subject is entitled to object any time for reasons concerning their own situation to the processing of data necessary for the execution of a task performed in the public interest or in the exercise of a public authority exercised on the Data Controller or for the treatment of the legitimate interests of the data controller or a third party, including profiling based on those provisions too.
In the event of an objection, the Data Controller shall not process the personal data unless it is justified by compelling reasons of lawfulness which prevail over the interests, rights and freedoms of the Data Subject, or which relate to the submission, enforcement or protection of legal claims.
The Data Controller shall examine the objection within the shortest time possible, but at most within 15 days of the submission of the request, decide on the matter of its validity and inform the applicant in writing. If the Data Controller establishes the validity of their objection, data management – including further data collection and data transfer – will terminate and data shall be locked, moreover, the Data Controller informs those about the measures taken who have been previously sent the data which is the subject of the objection, and those who are obligated to take measures in order to enforce the right to objection. If the Data Subject disagrees with the decision of the Data Controller or if the Data Controller fails to comply with the statutory deadline, the concerned party may refer the case to the court within 30 days from the date of notification of the decision or from the last day of the deadline. The Data Controller can also sue the Data Subject. The Data Controller can not erase the relevant data if the data processing is ordered by law. However, the data can not be forwarded to the data receiver if the Data Controller agrees to the objection or the court has found the objection rightful.
The Data Subject shall have the right to receive the personal data that they have commissioned to the Data Controller in a fragmented, widely used machine-readable format and forward this data to another Data Controller.
In the event of violation of their rights and in the cases specified by law, the Data Subject may turn to the court against the Data Controller. The court proceeds in urgency.
If the Data Subject has suffered material or non-material damage as a result of the breach of the Data Protection Regulation, they are entitled to compensation for the damage sustained by the Data Controller or the Data Processor. The Data Controller or the Data Processor shall be exempt from liability if they prove that the damage was caused by an unavoidable cause outside the scope of data management. There is no need to reimburse the damage in so far as it is due to the intentional or gross negligence of the injured party.
Submitting an objection or complaint does not affect the other rights – regulated in the data protection acts – of the Data Subject.
The Data Protection Officer (hereinafter: DPO) is involved in the processing of the complaint. The Data Subject can submit a complaint to: