PRIVACY NOTICE (DATA PROCESSING INFORMATION)
“Best HR Solutions in V4 Countries” (the “Project”) – besthrpractices.org
“Best HR Solutions in V4 Countries” (the “Project”) – besthrpractices.org
Effective date: 1 October 2025
This Privacy Notice explains how personal data are processed in connection with the Project, its website (besthrpractices.org), and Project events (including domestic workshops and transnational events).
Website: https://besthrpractices.org/
1) Who is responsible for your personal data (Data Controller)
Data Controller:
Knowhouse Consulting Ltd. (“Knowhouse”)
Registered address:
1141 Budapest Pered u. 4.
Email (privacy contact):
edina.kalman@knowhouse.consulting
Representative:
Edina Ágnes Kálmán (Managing Director)
Company Registration No.:
01-09-419563
VAT Number:
HU32350847
Email (general):
info@knowhouse.consulting
Website operator :
Knowhouse Consulting Ltd. is the operator and data controller for besthrpractices.org, including all website analytics, cookies, and technical data processing.
Data Protection Officer / Privacy Contact:
Edina Ágnes Kálmán (Managing Director)
Email: edina.kalman@knowhouse.consulting
Telephone: +36 20 581 2822
2) Important note about Project partners (V4 consortium)
Partner data controllers:
For national (domestic) workshops, the hosting partner organisation may collect registrations via its own systems (e.g., Microsoft 365 / Microsoft Forms, Google Workspace / Google Forms, or other institutional tools).
In such cases:
- The partner acts as a separate Data Controller for the registration process and will provide its own privacy information at the point of registration
- Each partner remains responsible for the security and lawfulness of data collected through their own systems
- Participants should review the partner’s own privacy notice before providing data through their systems
Data sharing with Knowhouse:
Knowhouse may receive a limited dataset from partners where necessary for:
- Project coordination
- Grant reporting to the Visegrad Fund
- Community-building activities and follow-up communication
Limited data transferred:
Name, email address, organisation, position/role, country, participation status (registered/attended)
Legal basis for transfer:
Legitimate interest (Art. 6(1)(f) GDPR) for Project implementation and Visegrad Fund accountability
Data Processing Agreement:
All partner data sharing is governed by written Data Processing Agreements ensuring appropriate security and confidentiality.
3) What personal data we process
Depending on how you interact with the Project, we may process:
A) Website browsing and security (technical data)
- IP address
- Device and browser information (type, version, operating system)
- Log data (pages accessed, duration, referrer)
- Cookie preferences and consent records
- Basic analytics events (where enabled)
A/1) Cookies and similar technologies
We use cookies and similar tracking technologies on besthrpractices.org for the following purposes:
Essential / Technical cookies:
- Required for website functionality and security
- Examples: session management, load balancing, security tokens
- No user consent required (Art. 82(1) ePrivacy Directive)
Analytics cookies:
- To understand how visitors use the website (page views, user journey, engagement patterns)
- Examples: Google Analytics (if implemented)
- Legal basis: Your consent via cookie banner (Art. 6(1)(a) GDPR)
Preference / Functionality cookies:
- To remember your language choice and cookie consent preferences
- No separate consent required (functional to your interaction)
Marketing / Remarketing cookies:
- To show targeted Project-related content on other platforms (if applicable)
- Legal basis: Your consent via cookie banner (Art. 6(1)(a) GDPR)
For detailed information about all cookies used, their purposes, and how to manage them, please see our Cookie Policy or contact edina.kalman@knowhouse.consulting.
You can manage your cookie preferences at any time via our cookie banner or by adjusting your browser settings.
B) Contact and professional enquiries
- Name
- Email address
- Organisation
- Position/role
- Content of your message
- Any other personal data you voluntarily share in your enquiry
C) Event registration and participation (workshops and online events)
Typical registration / participation data may include:
- Name
- Email address
- Organisation
- Position/role
- Country
- Participation status (registered / attended)
- Participation history and follow-up communication
- Optional data you provide (e.g., dietary requirements, accessibility needs, dietary allergies for safe event management)
D) Attendance documentation
At in-person events we may use an attendance sheet containing:
- Name
- Position/role
- Organisation
- Email address
- Signature (for Visegrad Fund grant accountability)
Signature purpose: To provide proof of attendance for grant reporting to the Visegrad Fund, as required by the Grant Contract.
E) Photos / video and event documentation
- Group photos and documentation photos (e.g., workshop scenes, flipcharts, group outputs)
- Documentation photos for Project reporting (required by Visegrad Fund: minimum 2 photos per event)
- Video recordings or screenshots (online events), only where applicable and with prior notice
- Anonymised visual materials used in Project dissemination (charts, diagrams, anonymised participant feedback)
Important: Identifiable close-up photos intended for public dissemination (website, social media) are subject to separate, optional consent (see Section 4 and 6.6).
F) Financial and contractual data (where applicable for partners)
- For partner organisations: invoicing details, contact persons, financial transaction records
- Such data are processed for contract administration and grant payment purposes only
4) Why we process your data (purposes)
4.1 Website operation and security
- Operating and securing the Project website (technical functioning, performance monitoring)
- Preventing abuse and fraud
- Troubleshooting technical issues
- Website analytics to improve user experience
4.2 Communication and enquiries
- Responding to enquiries and professional communication about the Project
- Sending relevant Project updates and event invitations
- Managing newsletter subscriptions and professional network engagement
4.3 Event organisation and management
- Event registration and confirmation
- Sending event reminders, logistics information, and follow-up communication
- Managing attendance and participation records
- Organising accommodation, catering, and accessibility arrangements (where applicable)
4.4 Project documentation and grant compliance
- Creating attendance lists and participation records for Visegrad Fund reporting
- Documenting Project implementation through photos and event summaries
- Maintaining evidence of Project activities for grant audit purposes
- Preparing financial and narrative reports to the Visegrad Fund
4.5 Dissemination and communication of Project activities
- Updating the Project website with event summaries, news, and outputs
- Sharing Project results and best practices across the V4 region
- Publishing identifiable photos on public channels (website, social media) only with separate consent
- Creating promotional materials and newsletters about Project progress
4.6 Building and maintaining the V4 HR Professional Network
- Maintaining a CRM database of HR professionals and community members
- Sending newsletters, invitations, and updates about Project-related topics
- Fostering peer learning and professional exchange across V4 countries
- Building a sustainable network for follow-up collaboration after Project closure
5) Legal bases under GDPR
We process personal data based on one or more of the following legal grounds, depending on the specific processing activity:
Photos and visual documentation – detailed explanation
Internal documentation (legitimate interest): Group photos and documentation photos (e.g., flipcharts, workshop scenes) taken during Project events serve the legitimate interest of documenting Project implementation and fulfilling Visegrad Fund reporting requirements. These photos are stored internally and shared only with the Visegrad Fund and consortium partners for accountability purposes.
Public dissemination (consent-based): Publishing identifiable photos—especially close-ups where individuals are clearly recognizable—on the Project website, social media, or in public communications requires **separate, optional consent**.
- Consent is collected via a checkbox on the attendance sheet or separate consent form
- Participation in Project events is NOT conditional on granting photo consent
- You may withdraw photo consent at any time by contacting edina.kalman@knowhouse.consulting
Processing Activity
Legal Basis
GDPR Article
Notes
Website operation, security, and essential functions
Website operation, security, and essential functions
Art. 6(1)(f)
Necessary to maintain website performance and security
Website analytics and non-essential cookies
Consent
Art. 6(1)(a)
Via cookie banner; you can withdraw anytime
Responding to enquiries and professional communication
Legitimate interest
Art. 6(1)(f)
Necessary to answer your questions
Event registration and attendance management
Legitimate interest
Art. 6(1)(f)
Necessary to organize and manage Project events
Internal event documentation (group photos, workshop outputs, attendance sheets)
Legitimate interest
Art. 6(1)(f)
Necessary to document Project implementation
Compliance with Visegrad Fund grant reporting obligations (attendance sheets, financial records, photos, audit evidence)
Legal obligation / Contractual accountability
Art. 6(1)(c)
Mandatory for grant contract fulfillment
Publishing identifiable photos on public channels (website, social media, media outlets)
Consent (separate, optional)
Art. 6(1)(a)
Participation in events is NOT conditional on photo consent
V4 HR Professional Network (CRM, newsletters, professional outreach)
Legitimate interest (for existing contacts) OR Consent (for new opt-ins)
Art. 6(1)(f) or Art. 6(1)(a)
You can unsubscribe anytime
International data transfers to EU partner organisations
Legitimate interest (intra-EU transfer)
Art. 6(1)(f)
All partners are EU-based; no third-country transfers without additional safeguards
5.1 Photos and visual documentation – detailed explanation
Internal documentation (legitimate interest):
Group photos, workshop scenes, flipcharts, and documentation materials taken during Project events serve our legitimate interest in:
- Documenting Project implementation for accountability purposes
- Creating visual evidence for Visegrad Fund grant reporting (minimum 2 photos per event required)
- Archiving Project history and outputs
These photos are stored securely and shared only with:
- The Visegrad Fund (for grant reporting and audit)
- Consortium partners (for project coordination)
- Authorized Project staff
Public dissemination (consent-based):
Publishing identifiable photos—especially close-ups where individuals are clearly recognizable—on the Project website, social media (LinkedIn, Facebook), or in public communications requires separate, explicit, and optional consent.
Key principles:
- Consent is optional: Participation in Project events and activities is NOT conditional on granting photo consent
- Separate checkbox: Photo consent is collected via a specific checkbox on the attendance sheet or a separate consent form at the event
- Withdrawal: You may withdraw photo consent at any time by contacting edina.kalman@knowhouse.consulting
- Withdrawal effect: Withdrawal applies to future use; already-published photos may remain temporarily until removed (typically within 30 days of request)
Anonymised visual materials: We may use anonymised or heavily edited photos that do not identify individuals (e.g., workshop scenes with blurred faces, diagram illustrations based on discussions) for Project dissemination without separate consent.
6) Collaborating Partners and Data Sharing
6.1 Third-party organisations and data recipients
Knowhouse Consulting Ltd. collaborates with other organisations during the Project. Personal data may be transferred to:
Professional HR organisations: National Association of Human Resource Management (OHE, Hungary), National Association of HR Professionals (HSZOSZ, Hungary), HR professional bodies in Czech Republic, Poland, Slovakia
Academic and university partners: Matej Bel University (Slovakia), Silesian University (Czechia), University of Szczecin (Poland), Kodolnyi University (Hungary)
The Visegrad Fund: As the grant-awarding body, for reporting, monitoring, and audit purposes
External service providers and data processors: Web hosting, email platforms, event management tools, CRM systems (see Section 6.2)
6.2 Personal data shared with collaborating partners
The following personal data may be transferred to project partners and professional organisations:
- Name
- Email address
- Telephone number (where provided)
- Workplace/company details
- Position/role
- Country
- Participation status and event attendance records
- Food allergy information (if necessary for safe and accessible event management)
6.3 Data protection safeguards
All data sharing with partners is subject to:
Data Processing Agreements (DPAs): Written contracts requiring partners to process data only for Project purposes, with appropriate security measures
Confidentiality obligations: All partners and staff must maintain confidentiality
Restricted access: Partners access only the data necessary for their specific Project role
Purpose limitation: Data are used only for Project coordination, event management, dissemination, and Visegrad Fund accountability
Secure transfer: Data are transferred using secure, encrypted methods
6.4 Data processors and service providers
We may engage external service providers to support Project activities:
| Service Category | Examples | Data Processed | Legal Basis |
| Web hosting and technical infrastructure | Website provider, CDN services | IP logs, cookie data, user behaviour | Legitimate interest (website operation) |
| Email and communication platforms | Google Workspace, Microsoft 365, Mailchimp | Email addresses, communication records | Legitimate interest (event coordination) |
| Event management and registration tools | Google Forms, Microsoft Forms, Eventbrite (if used) | Registration data, attendance records | Legitimate interest (event management) |
| Analytics and tracking tools | Google Analytics, Hotjar (if implemented) | IP address, page views, user journey | Consent (cookie banner) |
| CRM and professional network tools | Mailchimp, HubSpot, or similar | Contact details, email preferences | Legitimate interest / Consent |
| Financial and payment processing (if applicable) | Bank transfer, accounting software | Invoice details, payment records | Legal obligation (accounting law) |
All service providers are bound by written Data Processing Agreements ensuring:
Processing only on our documented instructions
Confidentiality and security obligations for staff
Assistance with data subject rights (access, deletion, etc.)
Sub-processor notification and approval
Assistance with breach notification and investigations
Deletion or return of data upon contract termination
6.5 International data transfers (if applicable)
Currently, all Project partners and primary service providers are located within the European Economic Area (EEA): Hungary, Slovakia, Czechia, and Poland.
If data are transferred outside the EEA in the future, we will implement appropriate safeguards such as:
Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions recognising the third country’s data protection standards
Binding Corporate Rules (where applicable)
We will update this Privacy Notice and inform affected individuals if international transfers occur.
7) How long we keep your data (Retention periods)
We retain personal data only for as long as necessary to fulfil the purposes outlined in Section 4, or as required by law.
| Data Category | Retention Period | Legal Basis / Justification |
| Website technical logs (IP addresses, browser info) | 12 months | Security monitoring, abuse prevention, troubleshooting |
| Website analytics data (anonymised) | Indefinitely (anonymised) | Continuous website optimisation |
| Contact enquiry emails and messages | Until enquiry resolved + 1 year | Legitimate interest in maintaining communication records; potential follow-up |
| Newsletter subscription records (if opt-in) | Until unsubscribe OR 3 years of inactivity | Legitimate interest in maintaining professional network; data minimisation |
| Event registration data (name, email, organisation, country) | Duration of Project + 5 years after Project closure | Visegrad Fund grant accountability and audit requirements |
| Attendance sheets with signatures | Duration of Project + 5 years after Project closure | Visegrad Fund reporting obligation (Art. 6.2 Grant Contract); proof of participation |
| Photos used for internal reporting and grant documentation | Duration of Project + 5 years after Project closure | Visegrad Fund audit evidence requirement |
| Photos published with consent (website, social media, media) | Until Project website closure + 2 years (minimum) | Visegrad Fund Grant Guidelines (Section 5.4): website must remain active 2 years post-closure |
| V4 HR Professional Network CRM database (contacts, newsletters) | Until individual unsubscribes OR 3 years of inactivity | Legitimate interest in sustaining professional network after Project closure |
| Financial and contractual records | 8 years from end of financial year | Hungarian Tax Act and Accounting Act (legal obligation) |
| Partner contact details and communication records | Duration of Project + 1 year | Legal obligation (contract administration and potential disputes) |
7.1 Deletion and anonymisation after retention
After the retention period expires:
Personal data will be securely deleted using methods that prevent recovery (e.g., secure file deletion, physical destruction of records)
Alternatively, data may be anonymised for statistical or research purposes (anonymisation makes data irreversibly non-identifiable)
Photos will be removed from public channels (website, social media)
Archived data required for compliance (financial records) will be securely stored and deleted only after legal retention requirements expire
7.2 Project website retention obligation
Under the Visegrad Fund Grant Contract (Section 5.4 of Grant Guidelines), the Project website and online outputs must remain accessible to the public for a minimum of 2 years after the Project’s contractual period ends.
During this period:
Published content and photos (posted with consent) will remain online
Access to the database of HR tools and best practices will be maintained
Anonymised or non-personal Project outputs will continue to be available
After 2 years, the website may be archived, deactivated, or integrated into other platforms. We will provide advance notice if significant changes to website availability occur.
8) Your rights under GDPR
You have the following rights regarding your personal data processed by Knowhouse:
8.1 Right of access (Art. 15 GDPR)
You have the right to:
Obtain confirmation of whether we process your personal data
Receive a copy of the data we hold about you
Understand how, why, and for how long we process your data
Learn who we share your data with
How to request: Send a written request to edina.kalman@knowhouse.consulting with the subject line “Data Access Request.”
8.2 Right to rectification (Art. 16 GDPR)
You have the right to:
Correct inaccurate or incomplete personal data
Provide missing information
Example: If we have an incorrect email address or outdated job title, you can request correction.
How to request: Contact edina.kalman@knowhouse.consulting with details of the information to be corrected.
8.3 Right to erasure / “right to be forgotten” (Art. 17 GDPR)
You have the right to request deletion of your personal data if:
The data are no longer necessary for the purposes for which they were collected
You withdraw consent (where processing is based on consent) and there is no other legal ground
You object to processing based on legitimate interest, and we have no overriding legitimate grounds
The data have been unlawfully processed
You request deletion from the V4 HR Professional Network after participation ends
Important limitation: We may be unable to delete data required for Visegrad Fund grant reporting and audit compliance until the retention period expires (5 years after Project closure). These include:
Attendance sheets with signatures
Financial records
Event documentation and photos used for grant reporting
How to request: Contact edina.kalman@knowhouse.consulting with a clear explanation of why deletion is justified. We will advise you of any limitations due to legal obligations.
8.4 Right to restriction of processing (Art. 18 GDPR)
You have the right to:
Limit how we process your data in certain circumstances:
While we verify the accuracy of data you’ve contested
If processing is unlawful but you prefer restriction over deletion
If we no longer need the data, but you need it for legal claims
If you’ve objected to processing and we’re determining legitimate grounds
Effect: When processing is restricted, we store the data but do not actively use it (except with your consent or for legal claims).
How to request: Contact edina.kalman@knowhouse.consulting describing the circumstances requiring restriction.
8.5 Right to data portability (Art. 20 GDPR)
You have the right to:
Receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON)
Request transfer of your data directly to another organisation
Applies to: Data processed based on consent or contract, carried out by automated means.
Example: Your registration data for a V4 HR Network event.
Limitations: Does not apply to data processed for grant reporting obligations.
How to request: Contact edina.kalman@knowhouse.consulting stating you wish to exercise data portability.
8.6 Right to object (Art. 21 GDPR)
You have the right to object to processing based on legitimate interest, including:
Direct marketing or Project newsletters
Profiling or automated decision-making (if any)
Processing for scientific research or statistics (where not mandatory)
Effect: We will cease processing unless we demonstrate compelling legitimate grounds that override your interests (e.g., legal obligation, Project necessity).
How to request: Contact edina.kalman@knowhouse.consulting with the subject “Objection to Processing” and specify which processing activity you object to.
8.7 Rights related to automated decision-making and profiling (Art. 22 GDPR)
You have the right to:
Not be subject to purely automated decision-making with legal or similarly significant effects
Request human review of automated decisions
Current status: We do not use automated decision-making or profiling for participant selection or event management.
8.8 Right to withdraw consent (Art. 7(3) GDPR)
Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
Applies to:
Photo publication consent
Analytics and non-essential cookies
Newsletter and CRM opt-in
Marketing communications
How to withdraw:
Click the “unsubscribe” link in newsletters
Manage cookie preferences via cookie banner
Email edina.kalman@knowhouse.consulting requesting withdrawal from the V4 HR Professional Network
8.9 How to exercise your rights
To exercise any of the above rights, please contact:
Email: edina.kalman@knowhouse.consulting
Postal address:
Knowhouse Consulting Ltd.
1141 Budapest, Pered u. 4.
Hungary
Response timeline: We will respond to your request within 30 calendar days. For complex requests, we may extend by 2 months, and will inform you of the delay and reason.
Verification: We may need to verify your identity before processing requests. You may be asked to provide proof of identity.
9) Right to lodge a complaint with the supervisory authority
If you believe that the processing of your personal data violates GDPR or Hungarian data protection law, you have the right to lodge a complaint with the competent supervisory authority:
Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Full name: Nemzeti Adatvédelmi és Információszabadság Hatóság
Postal address:
1055 Budapest, Falk Miksa utca 9-11., Hungary
(Correspondence: 1363 Budapest, Pf. 9., Hungary)
Telephone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Website: http://naih.hu
Office hours: Monday–Thursday 08:00–16:00, Friday 08:00–13:30 (CET)
Judicial remedy
You also have the right to seek judicial remedies before the courts if you believe your rights have been infringed. Court proceedings may be initiated in your place of residence, the place where the alleged infringement occurred, or where the data controller is established.
10) Data security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
10.1 Technical safeguards
Secure data storage: Password-protected systems and encrypted connections (HTTPS)
Access controls: Role-based permissions; only authorised Project staff and partners can access personal data
Secure transfers: Personal data are transferred using encrypted channels
Regular backups: Periodic backups ensure data can be recovered in case of loss
System monitoring: Continuous monitoring for suspicious activity and potential breaches
10.2 Organisational safeguards
Confidentiality obligations: All Project staff, partners, and service providers must sign confidentiality agreements
Data minimisation: We collect only data necessary for stated purposes
Staff training: Team members receive guidance on data protection and privacy best practices
Incident response plan: Procedures are in place to detect, respond to, and report data breaches
10.3 Data breach notification
In the event of a data breach (unauthorised or accidental processing, access, or disclosure) that poses a risk to your rights and freedoms:
We will notify the Hungarian NAIH within 72 hours of becoming aware of the breach
We will notify affected individuals without undue delay if the breach poses a high risk (e.g., financial harm, identity theft)
Notification will include information about the breach, potential consequences, and recommended actions (e.g., change passwords, monitor accounts)
11) Updates to this notice
For comprehensive information about the cookies we use on besthrpractices.org, their purposes, retention, and how to manage them, please see our dedicated:
→ Cookie Policy
Quick summary:
- Essential cookies: Required for website functionality (no consent needed)
- Analytics cookies: Help us understand website usage (consent required)
- Preference cookies: Remember your settings (consent required for some)
- You can opt-out anytime: Via cookie banner or browser settings
- Cookie banner: Displays on first visit; you can change preferences later
12) Changes to this Privacy Notice
We may update this Privacy Notice from time to time to reflect:
Changes in our data processing practices
New Project activities or outputs
Changes in legal obligations (GDPR updates, Hungarian law changes)
Updates to Visegrad Fund requirements
Improvements to privacy safeguards
Version history:
Current version: Effective as of 1 October 2025
Last updated: January 2026
Notification of changes:
If we make significant changes that affect your rights or substantially alter how we process your data:
We will notify you via email (if you provided contact details)
We will publish updates on the Project website (besthrpractices.org)
We will highlight the changes on this page
We recommend reviewing this Privacy Notice periodically (at least annually) to stay informed about how we protect your personal data.
Minor updates (clarifications, corrections, formatting) may be made without advance notice.
13) Contact and additional information
For questions about this Privacy Notice:
Email: edina.kalman@knowhouse.consulting
Telephone: +36 20 581 2822
Postal address:
Knowhouse Consulting Ltd.
1141 Budapest, Pered u. 4., Hungary
For Project information:
Website: https://besthrpractices.org/
Project email: [general contact email, if available]
Supervisory Authority:
For complaints or enquiries about data protection rights:
National Authority for Data Protection and Freedom of Information (NAIH)
Website: http://naih.hu
Email: ugyfelszolgalat@naih.hu
Phone: +36 (1) 391-1400
14) Legal framework
This Privacy Notice is based on compliance with:
GDPR (EU Regulation 2016/679): General Data Protection Regulation
Hungarian Information Act (Magyarország Alaptörvénye – Information Act): 2011. évi CXII. törvény az információs önrendelkezésről és az információszabadságról (Info tv.)
Hungarian Civil Code (Ptk.): Polgári Törvénykönyv – Articles on data protection
Hungarian Tax Act and Accounting Act: For financial data retention
Visegrad Fund Grant Contract and Grant Guidelines (2024): For Project-specific requirements
ePrivacy Directive (2002/58/EC): Rules governing electronic communications and cookies
This Privacy Notice is a binding legal document. By participating in Project events, registering on the website, or providing personal data to Knowhouse, you acknowledge that you have read and understood this Notice.
For accessibility: This document is available in English and will be translated into Hungarian, Polish, Czech, and Slovak upon request. Please contact edina.kalman@knowhouse.consulting for alternative formats (large print, audio, etc.).