Finders Consulting Kft.
Effective from: 21 May 2026
Finders Consulting Kft. (hereinafter referred to as the "Controller" or "Finders") is committed to protecting the personal data it processes and to respecting the privacy of natural persons. The purpose of this Privacy Notice (hereinafter referred to as the "Notice") is to provide data subjects with clear, intelligible and transparent information about the circumstances of the processing of their personal data prior to such processing.
In preparing this Notice, the Controller ensures compliance with the following statutory and relevant regulatory provisions:
Regulation (EU) 2016/679 of the European Parliament and of the Council (the "GDPR");
Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (the "Privacy Act");
Act V of 2013 on the Civil Code (the "Civil Code");
Act I of 2012 on the Labour Code (the "Labour Code");
Act C of 2000 on Accounting (the "Accounting Act");
Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services (the "E-Commerce Act");
Act XLVIII of 2008 on the Basic Requirements of and Certain Restrictions on Commercial Advertising Activity (the "Advertising Act");
Regulation (EU) 2024/1689 of the European Parliament and of the Council on Artificial Intelligence (the "EU AI Act"), with particular regard to its provisions concerning high-risk AI systems and applications falling within the scope of employment and worker management.
| Company name | Finders Consulting Kft. |
|---|---|
| Registered seat | 2100 Gödöllő, Kard utca 17. 2., Hungary |
| Office / correspondence address | 1146 Budapest, Zichy Géza u. 5., Hungary |
| Company registration number | 13 09 207228 |
| Registering authority | Court of Registry of Pest County |
| Tax number | 28744517-2-13 |
| Legal representative | Mátyás Bíró, Managing Director |
| info@findersconsulting.com | |
| Telephone | +36 20 420 3557 |
| Website | www.findersconsulting.com |
Data Protection Officer (DPO): Pursuant to Article 37 of the GDPR, the Controller's activities do not require the designation of a Data Protection Officer, given that the Controller is not a public authority, its core activities do not require regular and systematic monitoring of data subjects on a large scale, and it does not process special categories of personal data within the meaning of Article 9 on a large scale. The Controller has, however, designated a contact person for data protection matters, who can be reached at info@findersconsulting.com.
The terms used in this Notice shall bear the meaning ascribed to them under Article 4 of the GDPR. The most relevant definitions are as follows:
Personal data: any information relating to an identified or identifiable natural person.
Data subject: the natural person whose personal data is processed by the Controller.
Processing: any operation performed on personal data (collection, recording, storage, use, transmission, erasure, etc.).
Controller: the entity that determines the purposes and means of the processing of personal data.
Processor: the entity that processes personal data on behalf of the Controller (e.g. hosting provider, ATS system operator).
Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes.
Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.
The Controller processes personal data in relation to three principal categories of data subjects. This section presents the processing activities grouped according to these categories.
| Purpose of processing | Responding to enquiries received via the website, communication with the enquiring person, exploring potential business cooperation opportunities. |
|---|---|
| Categories of data processed | Name, e-mail address, telephone number (optional), company name (optional), other information voluntarily provided in the message. |
| Legal basis of processing | Article 6(1)(f) GDPR — the Controller's legitimate interest in responding to enquiries addressed to it and in developing business relationships. A balancing test has been performed. |
| Duration of processing | 2 years from the date of the last substantive contact, unless the data subject requests erasure before this period or a business relationship is established, in which case processing shall continue pursuant to section 4.3. |
| Data transfers | Data is transferred to the processors listed in section 7 (hosting, e-mail services). No data is transferred to third countries. |
| Purpose of processing | Sending newsletters, professional content (articles, webinar invitations, market insights) based on the data subject's voluntary subscription. |
|---|---|
| Categories of data processed | Name, e-mail address, optionally: name of organisation, position held. |
| Legal basis of processing | Article 6(1)(a) GDPR — the data subject's voluntary consent, which is also consistent with Section 6(1) of the Advertising Act. Consent shall be given by ticking a separate, dedicated checkbox (no pre-ticked box). |
| Duration of processing | Until withdrawal of consent. Withdrawal may be initiated via the unsubscribe link at the bottom of each newsletter, or at info@findersconsulting.com. |
| Rights of the data subject | The withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. |
The website uses cookies for its operation. Detailed information on the use of cookies is provided in the separate Cookie Notice, available on the website.
In the course of its executive search and talent solution services, the Controller processes the personal data of applicants and candidates (jointly referred to as "Candidates"). Candidate data may originate from three sources: (a) direct application for a specific position; (b) general expression of interest / unsolicited application; (c) proactive approach initiated by the Controller (direct search).
| Purpose of processing | Evaluation of the Candidate's application, assessment of the Candidate in relation to the advertised position or the position represented by the Controller, communication with the Candidate during the selection process. |
|---|---|
| Categories of data processed | Name, date of birth, contact details (e-mail, telephone, address), data contained in the CV (work experience, qualifications, skills, language skills), motivation letter, salary expectations, interview notes, references (solely with the Candidate's consent). |
| Legal basis of processing | Article 6(1)(b) GDPR — steps taken prior to entering into a contract at the request of the Candidate. For stored Candidate profiles, Article 6(1)(a) GDPR — consent of the data subject. |
| Duration of processing | 6 months following the closure of the selection process (unless the Candidate has consented to longer retention — see section 4.2.4). |
| Data transfers | With the Candidate's express prior notification, the Controller forwards the Candidate's data to the client (prospective employer). The Candidate shall in all cases be informed of such transfer before it takes place. |
| Purpose of processing | Registration of the Candidate in the Controller's candidate database, contacting the Candidate in the event of future relevant positions. |
|---|---|
| Categories of data processed | Data as specified in section 4.2.1. |
| Legal basis of processing | Article 6(1)(a) GDPR — consent of the data subject. |
| Duration of processing | Until the withdrawal of consent, but no longer than 3 years, after which the Controller shall seek confirmation from the Candidate as to the continuation of processing. |
In the course of its executive search activities, the Controller may identify potential candidates from publicly available professional sources (in particular LinkedIn, participant lists of professional conferences, publicly communicated professional appearances) for the purpose of fulfilling a specific engagement.
| Purpose of processing | Identification and approach of potential candidates for the purpose of fulfilling a specific engagement represented by the Controller. |
|---|---|
| Categories of data processed | Professional data available from public sources (name, current position, work experience, public contact details). |
| Legal basis of processing | Article 6(1)(f) GDPR — the legitimate interest of the Controller and its client in fulfilling the engagement. The balancing test has concluded that the processing of exclusively publicly available professional data, for explicitly professional purposes, with storage limited to the first point of contact, does not disproportionately restrict the privacy of the data subject. |
| Information to the data subject | At the time of first contact — within the one-month period set forth in Article 14(3) GDPR — the data subject shall receive comprehensive information by way of reference to this Notice. |
| Duration of processing | Should the data subject fail to respond, or decline the approach, the data shall be erased within 6 months of the last contact. Should the data subject express an intention to cooperate, processing shall continue pursuant to section 4.2.2. |
| Purpose of processing | Following the closure of the selection process, retention of the Candidate's data in the long-term candidate database based on the Candidate's voluntary consent, for the purpose of future relevant opportunities. |
|---|---|
| Legal basis of processing | Article 6(1)(a) GDPR — express, voluntary consent. |
| Duration of processing | 3 years from the granting of consent, after which the Controller shall seek confirmation; in the absence of confirmation, the data shall be erased. |
In relation to Candidates, the Controller does not employ solely automated decision-making. Every decision producing legal effects concerning a Candidate, or similarly significantly affecting them (e.g. the recommendation to the client), is preceded by a human expert decision.
Where the Controller uses AI-based supporting tools to assist in the preparation of Candidate evaluations (e.g. CV structuring, preliminary skills-based fit screening), the output of such tools shall serve solely as input to the human expert decision. The Controller selects such tools in compliance with the requirements imposed by the EU AI Act on the field of employment and worker management, and ensures their transparent, auditable operation. The Candidate may request the human review of any output generated by such supporting tools and may submit a written objection thereto.
| Purpose of processing | The processing of personal data of the employees, as well as the representatives, of the cooperating partner or client, in order to enable the Controller to deliver the business and organisational development engagement, as well as the executive search / talent solution engagement; communication, preparation, performance, documentation and invoicing of the engagement, and post-engagement follow-up. |
|---|---|
| Categories of data subjects | The management, HR leadership, project owners, contact persons of the client / partner company, as well as all employees who come into contact with the Controller in the course of fulfilling the engagement. |
| Categories of data processed | Name, position, organisational unit, business contact details (corporate e-mail, telephone), content of written communication during the engagement, meeting notes, other professional information required for the performance of the engagement. |
| Legal basis of processing | Article 6(1)(b) GDPR — performance of the service agreement, where the data subject is a party to the agreement. For other representatives and employees, Article 6(1)(f) GDPR — the legitimate interest of the Controller and the client in the performance of the agreement. |
| Duration of processing | 5 years following the termination of the service agreement (general limitation period under Section 6:22 of the Civil Code), and for data falling within the scope of accounting records, 8 years pursuant to Section 169(2) of the Accounting Act. |
| Data transfers | Data is transferred to the processors listed in section 7. |
| Purpose of processing | Compliance with the document retention obligation laid down in the Accounting Act. |
|---|---|
| Categories of data processed | Data appearing on invoices: name, address, tax number (in the case of sole traders). |
| Legal basis of processing | Article 6(1)(c) GDPR — compliance with a legal obligation (Section 169 of the Accounting Act). |
| Duration of processing | 8 years. |
The Controller processes personal data:
lawfully, fairly and in a transparent manner;
collected solely for specified, explicit and legitimate purposes;
to the extent and for the duration necessary to achieve such purposes (data minimisation);
kept accurate and up to date;
protected against unauthorised or unlawful processing, accidental loss or destruction by appropriate technical and organisational measures.
Pursuant to Chapter III of the GDPR, the data subject is entitled to the following rights:
The exercise of these rights may be initiated at info@findersconsulting.com, or by sending a postal letter to the Controller's registered seat. The Controller shall respond to such request within one month of its receipt, which period may be extended by a further two months in the case of complex or numerous requests; in such case the Controller shall inform the data subject of the extension and its reasons within one month.
In the course of its activities, the Controller engages the following processors:
| Processor | Activity / Location of processing |
|---|---|
| dotroll.hu | Website hosting — EU |
| Google LLC | E-mail service (Google Workspace) — EU / USA (under adequacy decision) |
| dotroll.hu | Applicant Tracking System (proprietary system) — EU |
| OREO-TAX Kft. | Accounting and payroll services — Hungary |
The complete and up-to-date list of processors shall be made available to data subjects upon request.
Recipients may further include: client companies (with respect to Candidate data), authorities (where required by law), and the Controller's contracted legal representative.
The Controller does not transfer personal data to third countries (outside the European Economic Area) on a systematic basis. Where the infrastructure of certain processors (e.g. Google Workspace) partly involves the United States, such data transfer is based on an adequacy decision of the European Commission (EU-U.S. Data Privacy Framework) or, in its absence, on the EU Standard Contractual Clauses (SCC).
In order to ensure the security of personal data, the Controller applies the following technical and organisational measures:
password-protected systems with multi-level access control;
encrypted data transmission (HTTPS) for the website and communication channels;
regular data backups;
data protection and data security training for staff;
data processing agreements concluded with processors in compliance with Article 28 GDPR;
a register of and procedures for handling personal data breaches.
In the event of a personal data breach, the Controller shall — where the breach is likely to result in a high risk to the rights and freedoms of data subjects — notify the data subjects without undue delay, and shall report the breach to the Hungarian National Authority for Data Protection and Freedom of Information within 72 hours of becoming aware of it.
Where the data subject considers that the processing of their personal data does not comply with statutory requirements, the following remedies are available:
Address: 1055 Budapest, Falk Miksa utca 9-11., Hungary
Postal address: 1363 Budapest, Pf. 9., Hungary
Telephone: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu
Website: www.naih.hu
The Controller reserves the right to amend this Notice unilaterally, in particular in the event of legislative changes or changes in its processing activities. The amended Notice shall enter into force upon publication on the website. In the event of material changes, the Controller shall give prior notification to data subjects through the channels of the ongoing relationship.
Effective from: 21 May 2026