DATA PROCESSING POLICY ON THE SERVICE ‘BLUE COLIBRI’

I. INTRODUCTION

Data Controller or Employer, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on general data protection (hereinafter: ‘GDPR’) and Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, hereby notifies their Employees (hereinafter: ‘Employee’ or ‘Data Subject’) who use the Company’s Application called Blue Colibri (hereinafter: ‘Application’), which aims to improve internal communication and engagement, about the data processing carried out in relation to the provision of the service. The terms used in this Policy are in accordance with the definitions provided in the GDPR. Data Controller reserves the right to amend this Policy at any time. Furthermore, should there be a change in the scope of data processed and/or any relevant circumstances of the processing, pursuant to the provisions of the GDPR this Data Processing Policy shall be amended and published before the modified data processing commences. Amendments shall be published in the full, consolidated version of this Policy, with the changes indicated.

Kindly read the applicable Data Processing Policy and its amendments in order to familiarise yourself with the rules governing data processing.

II. DATA PROCESSORS

Under contract, Data Controller uses the services of the following Data Processors during the provision of the Application:

1. Application Operator:
Blue Colibri International Korlátolt Felelősségű Társaság
Registered office: Tölgyfa utca 24. II. em, 1027 Budapest, Hungary
Registry number: Cg.01-09-370771
Phone number: +36 709355045
E-mail address: hello@bluecolibriapp.com

III. DATA PROCESSING OPERATIONS

During the provision of the Application, Data Controller carries out the following data processing operations. In order to ensure transparency, the operations are listed one-by-one, indicating the type of data processed, the purpose of data processing, the basis for processing, the source of the data, the data recipients and the storage period.

1. Data recorded in the system by the Employer
Data Controller shall send their Employees’ login IDs to the Data Processor operating the Application, whereafter Data Processor creates an initial login ID for each Data Subject. Data Controller shares the login IDs with the Employees so that they can log into the Application for the first time. Employees can first log into the system with their employee IDs, whereafter they can generate a password. Employees may use the Application on a voluntary basis; however, in order to provide access to the Application, processing of these data is strictly necessary, otherwise Data Subject is unable to use the Application.

Description of data processing: Providing first-time access to the system
Scope of data processed: Name; Employee ID
Purpose of processing: Providing Data Subject with access to the system
Basis for processing: Legitimate interest: the operation of the application, providing access for all Employees who wish to use it
Source of data: Data Controller, as the Employer
Data recipients: Data Processors indicated above
Storage period: Until the end of the employment relationship, in the course of which the Employee may decide to use the system at any time

2. Creating user profiles in the system

When generating the login ID, the Employer/Data Processor operating the Application shall upload the Employee’s company data related to the employment relationship into the Application system. In order to facilitate efficient communication in the workplace, these data will be available to all other users, regardless of whether the Employee in question has logged into the system or has been using the system.

The Employee may voluntarily upload further information to complete their profile. When uploading data voluntarily, kindly make sure you only upload data which you wish to share with other persons using the Application.

Please keep in mind the following when choosing and uploading your profile picture and when writing your bio: profile pictures and texts which (i) are obscene, (ii) contain sexual content, (iii) offend against good taste, (iv) incite hatred or contain religious, political or otherwise offensive images or language, (v) have been downloaded from a website or by any other means, (vi) serve promotional purposes, (vii) damage the reputation of the Employer, (viii) infringe a third person’s copyright or (ix) are unlawful shall not be published.

Data Controller may examine photos and bios of the above nature and may delete them at their own discretion without giving notice to the Employee. Moreover, such conduct may subject the Employee to disciplinary proceedings.

Description of data processing: Creating user profiles in the system
Scope of data processed: Data uploaded in advance by Data Controller; Data uploaded or made public voluntarily: any data uploaded by Data Subject
Purpose of processing: Communication with Data Subject, facilitating communication between the Data Subjects
Basis for processing: In case of data uploaded in advance by Data Controller: The operation of the Application is a legitimate interest; In case of data uploaded voluntarily by the Employee: The Employee’s consent, which is considered to have been given by voluntarily uploading the data
Source of data: In case of data uploaded in advance by Data Controller: Data Controller, as the Employer; In case of data uploaded voluntarily by the Employee: Data Subject
Data recipients: Data Processors indicated above; Employees registered in the Application
Storage period: Until the end of the employment relationship; Data Subject may delete voluntarily uploaded data at any time

3. Notifications

The Employee can sign up to receive short work-related news items/notifications from Data Controller. In the Application the Employee may set whether they wish to receive such notifications, and if yes, in what form: internal notifications in the Application, text message notifications or e-mail notifications.

Description of data processing: Short news items sent by Data Controller, as the Employer
Scope of data processed: Name; Depending on the settings: Phone number, e-mail address; The time of receiving and reading the notification
Purpose of processing: Sending notifications to Data Subject
Basis for processing: Data Subject’s consent, which Data Subject gives with special settings in the Application
Source of data: Data Controller, as the Employer
Data recipients: Data Processors indicated above
Storage period: Until consent is withdrawn (in case of push notifications); Until the end of the employment relationship; In case of private phone numbers and private e-mail addresses, until these are deleted by Data Subject

4. News

Employees have the opportunity to receive news summaries about the company’s activities, either in the Application, or, if they have enabled their e-mail address for this purpose in the Application, via e-mail.

Employees may like and comment on news items in the Application, moreover, should Data Controller enable this function, are free to share them on Facebook or LinkedIn. Should the Employee comment on a news item, the Employer excludes liability for the contents thereof; in such cases, the Employee publishing the comment shall have sole liability. Content published may be examined by Data Controller, and may be blocked or removed at Data Controller’s discretion. Data which (i) contain vulgar or obscene phrases, (ii) contain sexual content, (iii) offend against good taste, (iv) incite hatred or contain religious, political or otherwise offensive language, (v) have been downloaded from a website or by any other means, (vi) serve promotional purposes, (vii) damage the reputation of the Employer, (viii) infringe a third person’s copyright or (ix) are unlawful shall not be published.

The Data Processor operating the Application shall provide Data Controller only with a statistical summary on the delivery of news in the system, i.e. how many Employees have read/opened, liked and shared the news item in question. Employees cannot be identified based on these statistical data, therefore, this statistical summary does not constitute data processing.

Data Controller is able to send news summaries to Data Subject’s private e-mail address until the Employee deletes their private e-mail address from the system.

Description of data processing: Sending news items
Scope of data processed: In case sent to an e-mail address, the Employee’s e-mail address; The time the news item was sent
Purpose of processing: Informing Employees about the company’s activities
Basis for processing: Legitimate interest; Data Subject’s consent, in case a private e-mail address has been provided
Source of data: Data Subject
Data recipients: Data Processors indicated above
Storage period: Until the profile is deleted; Until the private e-mail address is deleted by the Employee

5. Document database

In order to cultivate a more effective working relationship with the Employee, the Employer may make available training materials and various policies in the document database function of the Application. If it is necessary to document if and when the Employee has read and understood the contents of a document, the system makes a record of the Employee doing so, also recording the time of the event, by requiring them to push the ‘read and understood’ button.

If the material uploaded only aims to assist the Employee in their work, the Employer receives only a statistical summary from the Data Processor operating the Application on the number of Employees who have downloaded the material. Given that the Employee is not identified, in this latter case no data processing takes place.

Description of data processing: Having the Employee read and understand training materials and policies
Scope of data processed: The Employee’s name; Their unique identifier; The acceptance of the document
Purpose of processing: Having the Employee read and understand training materials and policies
Basis for processing: Legitimate interest: easy access to training materials and policies
Source of data: Data Subject
Data recipients: Data Processors indicated above
Storage period: A period of 3 years from the end of the employment relationship (the general term of limitation under the Hungarian Labour Code)

6. Calendar

The Employer may send invitations to the Employee to various events and functions.
Data Controller shall receive statistics from the Data Processor operating the Application on how many Employees have been sent the invitation, how many have seen it, how many have accepted, how many have declined and how many have not responded. Furthermore, in case of accepting or declining an invitation, the Employee’s name is recorded in the system in a format downloadable by the organisers. Should the Employer ask a question from the users, the replies received are also stored in a format downloadable by the organisers.

Description of data processing: Notifying the Employee about events
Scope of data processed: Name; Whether the Employee wishes to attend the event or not
Purpose of processing: Notifying the Employee about events
Basis for processing: Data Subject’s consent, which is considered to have been given by responding to the invitation
Source of data: Data Subject
Data recipients: Data Processors indicated above; The users invited to the event; In case of events pertaining to all Employees, all users
Storage period: A period of 60 days from the end of the event

7. Gallery

In the Gallery the Employer may upload photos taken at company and other events, of colleagues who have given their consent to being photographed and to the photos being shared in this manner. Downloading photos from the Application is not allowed due to privacy concerns.

Description of data processing: Uploading photos into the Application
Scope of data processed: Photos
Purpose of processing: Documenting social events
Basis for processing: Data Subject’s consent
Source of data: Data Subject
Data recipients: Data Processors indicated above; Other Employees using the Application
Storage period: Until consent is withdrawn

8. Questionnaires

The Employer may send anonymous and non-anonymous questionnaires to the Employee. The completion of questionnaires is voluntary. In case of anonymous questionnaires, no data processing takes place, as the Employee is not identifiable. In case of non-anonymous questionnaires, the name and answers of the Employee are recorded.

Description of data processing: Questionnaires
Scope of data processed: Name; Answers
Purpose of processing: Asking for Employees’ opinions in order to improve working conditions and workplace atmosphere
Basis for processing: Data Subject’s consent, which is considered to have been given by completing the questionnaire
Source of data: Data Subject
Data recipients: Data Processors indicated above
Storage period: A period of 60 days from the deadline for completion

9. Quiz

In the quiz function the Employer may provide the Employee with access to training materials, anonymous and non-anonymous quizzes and games which aim to improve the atmosphere at the workplace — and which may reward Employees with the highest scores — in the Application. Participation in quizzes and games is voluntary.

Description of data processing: The assessment of online training outcomes; Quiz games
Scope of data processed: Name; Answers; Scores
Purpose of processing: Assessment of training courses; Improving workplace atmosphere
Basis for processing: Legitimate interest: assessing the effectiveness of training courses; Data Subject’s consent, which is considered to have been given by participating
Source of data: Data Subject
Data recipients: Data Processors indicated above; Employees can see each other’s scores
Storage period: A period of 3 years from the end of the employment relationship (the general term of limitation under the Hungarian Labour Code); A period of 30 days from conducting the game

10. Contact list

For easier searches, the Application has a contact list function. The contact list function allows Data Subject to see colleagues who use the Application and to contact them in or outside the Application with the help of the contact information provided. The contact information uploaded in user profiles is automatically visible in the contact list.

Description of data processing: Employees’ contact information
Scope of data processed: Data uploaded in advance by Data Controller; Data uploaded or made public voluntarily: any data uploaded by Data Subject
Purpose of processing: Facilitating communication within the company
Basis for processing: Legitimate interest: in case of company contact information; Data Subject’s consent: in case of private e-mail addresses and private phone numbers
Source of data: Data Controller, as the Employer; Data Subject
Data recipients: Data Processors indicated above; Other Employees using the Application
Storage period: Until the end of the employment relationship; In case of private contact information, until these are deleted by Data Subject

11. Chat

In the contact list function the Employee may start a chat conversation with another colleague. The conversation between the Parties is not visible to either Data Controller or the Data Processor operating the Application; it is encrypted in storage.

Given that neither Data Controller nor Data Processor can access them, no data processing takes place with respect to these conversations.

12. Highlights

Data Controller may send highlights to Employees in the form of short messages running on the Application’s platform. The highlights remain visible until the Employee ‘okays’ them. Given that the Data Processor operating the Application only provides Data Controller with a statistical summary on the number of Employees who have ‘okayed’ the highlight and, therefore, Data Subject is not identifiable, no data processing takes place in relation to this function of the Application.

13. Communities

In the app, you’ll have the option to create groups according to specified topics or interests. Anyone can create a group. You have two options, you can either create a public group or a private group. In the case of public groups, everyone can see the name, description, rules, and members of the group, but posts will only be made visible once membership is confirmed. Private groups can only be seen by users who have received an invitation from the administrators. Platform administrators can also create ‘universal groups,’ whose parameters the employer can decide. In this case, the selected Members of the group are automatically added and cannot leave.

If a Member’s profile is deleted, their posts stay visible in the group under the name “deleted user,” but if they voluntarily leave the group and keep their profile, then their name will continue to appear next to the post (Members have the option to delete their posts before leaving the group).

With the exception of ‘global groups’ created by an Employer, joining and leaving groups can take place at any point on a voluntary basis. Group members can upload photos, links, and share videos. Users that aren’t in the group can’t see the communication that takes place within groups. The rules regarding content and comments still act as a guide and the person who posted and commented the content will be held responsible for it.

Platform administrators can review shared content, and delete or block it as needed. Posts that contain (i) vulgar, obscene language, (ii) sexual content, (iii) offensive content, (iv) language that discriminates against religion, politics, or other forms of hate speech, (v) downloads from a website or other channel, (vi) advertisements, (vii) brand slandering content, (viii) content that violates copyright law, (ix) illegal content are prohibited.

Data management: Public groups in the communities feature
Managed user data: Name; Posted content
Purpose of data management: Supporting community building by maintaining an active forum
Legality of data management: Member’s acceptance into the group is considered agreement
Source of data: Member
Data management end users: User administrators indicated above; Users that are other employees
Length of data storage: Until the profile is deleted; Until the group is deleted

Data management: Private groups in the communities feature
Managed user data: Name; Posted content
Purpose of data management: Supporting community building by maintaining an active forum
Legality of data management: Member’s acceptance into the group is considered agreement
Source of data: Member
Data management end users: User administrators indicated above; Other group members
Length of data storage: Until the profile is deleted; Until the group is deleted

Data management: Groups created by the employer
Managed user data: Name; Posted content
Purpose of data management: Maintaining a forum for defined projects
Legality of data management: Employer’s rightful interest to maintain a direct and easily manageable forum
Source of data: Member
Data management end users: User administrators indicated above; Users, other employees (if it’s a closed group, only the group members need to be selected)
Length of data storage: Until the profile is deleted; Until the group is deleted by the employer

IV. RIGHTS OF DATA SUBJECTS

In relation to these data processing operations, Data Subject has the following rights:

1. Right to access personal data: You have the right to receive information from Data Controller on whether your personal data is being processed, and if such processing is in progress, you have the right to access your personal data and the information specified in legislation. Consequently, you have the right to contact Data Controller and ask for information on the processing of your data and request access to the data.

2. Right to rectification: Should there be a change in your personal data, you may obtain the rectification of your data at any time by providing the accurate data.

3. Right to erasure: You have the right to obtain from Data Controller the erasure of personal data where data processing is no longer necessary in relation to the purposes for which the data were collected, where the processing is unlawful or where the erasure of data is prescribed by legislation.

4. Right to restriction of processing: You have the right to obtain restriction of processing where the processing is unlawful or where Data Controller no longer needs the personal data for the purposes of the processing, but you would like to use them for the establishment of a legal claim. Restriction of processing means that until the restriction is lifted the data shall only be stored or shall only be used to establish a legal claim.

5. Right to object to data processing: You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data. In such cases, Data Controller shall individually examine whether there is a legitimate basis which justifies the necessity of processing.

6. Right to data portability: You have the right to receive from Data Controller the personal data concerning you and processed by Data Controller in a structured, commonly used and machine-readable format and you have the right to transmit those data to another controller without hindrance from the Data Controller. In exercising your right to data portability, you shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

7. Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information. (Contact: 1125 Budapest, Szilágyi Erzsébet fasor 22/C., 1530 Budapest, Pf. 5., +36 13911400, ugyfelszolgalat@naih.hu).

8. Right to bring proceedings: You have the right to bring proceedings before a court if you feel that your personal data have been processed in violation of data processing regulations by Data Controller or by the Data Processor acting on behalf of or under the instructions of Data Controller.

SECURITY OF PERSONAL DATA

Data Controller ensures the security of personal data. In order to do so, Data Controller shall implement appropriate technical and organisational measures, and lay down rules of procedure which are required to enforce the applicable legislation, and rules on data protection and confidentiality. Data Controller shall take appropriate measures to protect the data from unauthorised access, alteration, transmission, disclosure, erasure or destruction, accidental destruction or damage, and becoming inaccessible due to a change in the technology used. Data Controller (further) ensures that the rules on data security are enforced with the application of internal policies, instructions and rules of procedure, which are distinct in their content and form from this Policy. When determining and implementing the measures ensuring data security, Data Controller shall have regard to the current state of technological advancement, and when facing a choice between multiple data processing solutions, shall choose the solution which ensures the higher level of protection of personal data, unless this would present disproportionate difficulties.

The existence of automated decision-making, profiling
We hereby inform you that no automated decision-making or profiling takes place during the use of the service.