This Data Processing Agreement ("Agreement") is entered into between ODOL Consulting Kft ("Controller") and the individual partner ("Data Subject"), collectively referred to as "Parties."

1. SUBJECT MATTER

​

1.1. The Controller provides administrative services for residence permit applications and EU registration for employees coming to Hungary from other countries.

1.2. This Agreement records the data processing activities already carried out by the Controller in connection with these services.

 

2. TYPES OF DATA PROCESSED

​

2.1. The Controller processes the following types of personal data:

• Full Name

• Personal Information

• Address

• Mother’s Maiden Name

• Date of Birth

• Passport Data

• Copy of Travel Documents (Passport/National ID Card)

• Health Data related to HIV status and treatment (if applicable) 2.2. The Controller acknowledges that health data constitutes sensitive personal data under GDPR and applies additional safeguards to protect it.

 

3. PURPOSE OF PROCESSING

 

3.1. The Controller processes personal data solely for the purpose of assisting in residence permit applications and EU registration in Hungary. 3.2. The data is submitted to the Hungarian Immigration Service via the "Enter Hungary" system and to the Hungarian Taxation Office as required for the services provided.

 

4. DATA SHARING & TRANSFER

 

4.1. The Data Subject shares data via email and Microsoft Forms.

4.2. The Controller does not share the data with any third parties except Hungarian government offices, including the Immigration Service and the Hungarian Taxation Office, as required for the services provided.

4.3. No data is transferred outside of Hungary.

​

5. SECURITY MEASURES

​

5.1. The Controller applies appropriate technical and organizational measures to ensure data security, including:

• Use of Microsoft 365 with Multi-Factor Authentication (MFA) for all employees.

• Access controls ensuring only authorized employees handle personal data.

• Secure storage and handling of data.

• Additional safeguards for sensitive health data, including restricted access and encryption where applicable.

 

6. ACCESS & CONFIDENTIALITY

​

6.1. Only employees of the Controller have access to personal data.

6.2. All employees handling personal data are bound by confidentiality agreements and are obligated to protect the data.

6.3. The Controller ensures that employees handling personal data receive regular training on GDPR compliance and data protection best practices.

​

7. DATA RETENTION & DELETION

​

7.1. The Controller retains personal data only for the duration necessary to complete the administrative process and until the Data Subject receives their official residence permit.

7.2. Upon completion of the service, all personal data is permanently deleted.

​

8. COMPLIANCE WITH GDPR

​

8.1. The Controller complies with the General Data Protection Regulation (GDPR) and applicable Hungarian data protection laws.

8.2. Any data protection inquiries can be directed to the Controller’s designated contact person.

8.3. The Controller applies special protections for sensitive health data in compliance with GDPR requirements.

​

9. RIGHTS & OBLIGATIONS

​

9.1. The Data Subject retains full rights over their personal data and may request access, correction, or deletion of their data at any time.

9.2. The Controller notifies the Data Subject in case of a data breach affecting their personal data within 72 hours of becoming aware of the breach.

9.3. The Controller assists the Data Subject in responding to data subject requests regarding access, correction, deletion, or portability of their personal data.

​

10. RECORD-KEEPING OBLIGATIONS

​

10.1. The Controller maintains records of processing activities, including:

• Categories of data processed

• Purpose of processing

• Data retention policies

• Security measures implemented to protect personal data

​

11. INCIDENT RESPONSE PLAN

​

11.1. In the event of a data breach, the Controller:

• Immediately investigates and takes necessary measures to mitigate risks.

• Notifies the Data Subject within 72 hours of becoming aware of the breach.

• Provides details of the nature of the breach, affected data, potential risks, and steps taken to resolve the issue.

• Cooperates fully with authorities and the Data Subject to address the breach.

​​