Recruitment Privacy Notice

Effective: 12 June 2026

Version 1.0

This notice explains how Avenir Facility Management Kft. processes the personal data provided in job applications. Its purpose is to give applicants concise, transparent and intelligible information before they submit an application. This notice is based in particular on Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Infotv.), and Act I of 2012 on the Labour Code (Mt.), in particular its Section 10. This notice covers job applications initiated through the Career section of the www.afm.hu website and applications sent directly to the published application email addresses — including applications sent voluntarily, independently of an advertised position. It does not cover employee data processing after an employment relationship is established, which is governed by a separate notice. Authoritative language: the authoritative version of this notice is the Hungarian text published at https://www.afm.hu/hu/palyazoi-adatkezeles. The English version is provided for the convenience of non-Hungarian-speaking readers; in the event of any discrepancy between language versions, the Hungarian text prevails.

1. Controller

Controller: Avenir Facility Management Kft. Legal name: Avenir Facility Management Szolgáltató Korlátolt Felelősségű Társaság Registered office: Királyok útja 291, building B, door 15, 1039 Budapest, Hungary Company registration number: 01-09-328046 Tax ID: 26395124-2-41 Email: info@afm.hu Phone: +36 70 316 8218 Website: https://www.afm.hu

2. Data Protection Officer (DPO)

Data Protection Officer: Fanni Csegény Email: dpo@afm.hu Phone: +36 70 622 6242 Postal contact: Királyok útja 291, building B, door 15, 1039 Budapest, Hungary The Data Protection Officer can be contacted with questions about applicant data processing and the exercise of data subject rights.

3. Scope and How Applications Are Submitted

The Career section of the website displays the open positions. The "Apply" button opens the applicant's own email client; the website itself does not record or store application data, does not request CV uploads, and does not operate a separate application form. Applicants send their application material by email to the published application address. Processing takes place through the handling of the received emails and their attachments.

4. Data Subjects

Natural persons who apply for an advertised position or who voluntarily send application material to the Controller (hereinafter: applicants).

5. Categories of Personal Data Processed

- the applicant's name; - contact details (email address, phone number); - data voluntarily provided in the CV, cover letter and their attachments (such as education, professional experience, previous employers); - the position applied for; - the content of the correspondence related to the application. The Controller does not request data from applicants that is not necessary for assessing the application. Providing personal data is not a statutory or contractual obligation; it is voluntary. However, without the data necessary for assessing the application, the application cannot be assessed and the Controller cannot contact the applicant.

6. Purpose of Processing

- receiving and recording job applications; - assessing applications and conducting the selection process; - keeping in contact with the applicant during the selection process; - with the applicant's express consent, retaining the application material for future, similar positions (Section 8). The Controller does not make decisions based solely on automated processing and does not carry out profiling when assessing applications.

8. Retention Period

In the case of an unsuccessful application, the Controller deletes the application material and the related correspondence after the relevant selection process closes. After the selection process closes, application material may be retained for the purpose of contacting the applicant about future, similar positions only if the applicant has expressly consented to this. The consent-based retention period is 1 year from the date the consent is given; upon its expiry, the Controller deletes the data unless the applicant renews the consent. Consent may be withdrawn at any time (Section 11). In the case of a successful application, the data necessary for the employment relationship is processed in accordance with the separate employee privacy notice.

9. Recipients, Access and Processor

Within the Controller's organisation, application material is accessible only to the persons involved in the selection process: - staff performing HR tasks; - the managers responsible for the relevant position; - employees taking part in the selection process. Applications received by email are handled through the Controller's email system, operated with the following processor: Microsoft 365 — Microsoft Ireland Operations Limited Role: email and office services; storage and handling of application emails and their attachments. Registered office: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland Third-country transfer safeguard: at the time of preparing this notice, Microsoft Corporation (USA) is listed under the EU–U.S. Data Privacy Framework, so transfers may take place on the basis of an adequacy decision under GDPR Article 45; in addition, Microsoft's data processing terms include the standard contractual clauses (SCC) adopted by Commission Decision (EU) 2021/914, together with supplementary technical and organisational measures. The Controller does not transfer application data to third parties unless required by law.

10. No Unnecessary Special-Category Data

Please do not include special-category data (such as health data), criminal-offence data, or detailed private-life information about third parties in your application where it is not necessary for assessing the application. If a submitted application contains such data, the Controller may delete the data not necessary for the assessment, or may ask the applicant to resubmit the application without such data. Where a statutory requirement applies to a specific position (for example a certificate of good conduct), the Controller provides separate information in that selection process.

11. Rights of the Applicant

Applicants may use the contact details in this notice — primarily dpo@afm.hu — to request: - access to their personal data; - rectification of their data; - erasure of their data; - restriction of processing; - portability of their data (GDPR Article 20), where its statutory conditions are met; - and they may object to processing based on GDPR Article 6(1)(f). Consent given to the retention of application material (Section 8) may be withdrawn at any time; withdrawal does not affect the lawfulness of processing carried out before the withdrawal. The Controller responds to requests without undue delay, but within one month of receipt at the latest. Where necessary, taking into account the complexity and number of the requests, this period may be extended by two further months; the Controller informs the applicant of any such extension within one month. A detailed description of data subject rights is provided in Sections 9 and 11 of the Controller's Privacy Policy.

12. Remedies

For any question or complaint relating to data processing, applicants may first turn to the Controller or the Data Protection Officer. Supervisory authority: National Authority for Data Protection and Freedom of Information (NAIH) Address: Falk Miksa utca 9-11, 1055 Budapest, Hungary Postal address: P.O. Box 9, 1363 Budapest Phone: +36 1 391 1400 Email: ugyfelszolgalat@naih.hu Web: https://www.naih.hu Applicants may also turn to the courts. At the applicant's choice, the action may be brought before the regional court (törvényszék) of their place of residence or stay.

Version history: Version 1.0 - Effective from 12 June 2026. First publication.