Privacy Policy

• Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”);
• Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information;
• Act V of 2013 on the Civil Code;
• Act C of 2000 on Accounting (“Accounting Act”);
• Act CL of 2017 on the Rules of Taxation;
• Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities;
• Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services;
• Act LXXVIII of 2017 on the Practice of Law (“Attorneys Act”);
• Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing.

3.1.Website

Anyone may access the Website maintained by the Data Controller and freely obtain information from all content stored on the Website without disclosing their personal data or identity.

Some links on the Website may lead to websites operated by third parties; however, the Data Controller accepts no liability for their content or for any damage arising from the use of such information.

The Website — using Google Analytics — automatically collects non-personally identifiable information from visitors by sending and storing cookies on visitors’ computers, which are returned to the Website on subsequent visits. No personal data can be derived from this information. For more information on Google Analytics, visit: https://policies.google.com/privacy.

For information on managing cookie preferences in your browser, please visit the support pages of:

• Internet Explorer
• Firefox
• Chrome
• Safari

3.2.Enquiries / Contact

Activity carried out by the Data Controller: processing of personal data disclosed during contact

Purpose of processing: establishing and maintaining contact

Legal basis for processing: the data subject’s consent [GDPR Article 6(1)(a)], and processing necessary for taking steps at the data subject’s request prior to entering into a contract [GDPR Article 6(1)(b)]

Persons under the age of 16 may only consent to processing through or with the permission of the person exercising parental authority over them.

Categories of data subjects: natural persons who contact the Data Controller by e-mail or by telephone

Categories of personal data processed: name (family name and given name), e-mail address, telephone number, any other personal data disclosed during contact, description of the matter presented and information relating to its resolution, documents and electronic records

The Data Controller does not use or may not use the personal data provided for purposes other than those specified above. Personal data may only be disclosed to third parties or authorities — unless otherwise required by law — with the prior, express consent of the data subject.

Retention period: until the purpose of the contact is achieved, or until a retainer agreement is concluded with the person making contact

Processors:

Rights of the data subject: as set out in Section 4, the data subject may:
a) request information about and access to the personal data processed,
b) request rectification of their personal data,
c) request erasure of their personal data,
d) request restriction of processing,
e) object to processing,
f) exercise the right to data portability — i.e. receive their personal data and have it transmitted to another controller at their request,
g) exercise the right to remedy — by lodging a complaint with the National Authority for Data Protection and Freedom of Information (hereinafter: “NAIH”) or by turning to the competent court.

3.3.Legal Services

Activity carried out by the Data Controller: provision of legal services (e.g. client representation, legal advice, drafting of documents)

Purpose of processing: performance of the retainer agreement concluded with clients, fulfilment of legal obligations, including client communication and invoicing

Legal basis for processing: performance of a contract to which the data subject is a party [GDPR Article 6(1)(b)]; fulfilment of legal obligations under the Attorneys Act Section 28(3), the Anti-Money Laundering Act Section 1(1)(e) and Sections 6–7, and the Accounting Act Section 169(1)–(2) [GDPR Article 6(1)(c)]

Categories of data subjects: clients (principals) of the Data Controller

Categories of personal data processed: name, home address, place of residence, mother’s name, place and date of birth, e-mail address, telephone number, citizenship, identity document (identity card, passport) number, address card number, personal identification number, tax identification number, photograph, name, e-mail and telephone number of contact persons or representatives, factual account provided by the client (including: description of the matter and information relating to its resolution, documents and electronic records)

The Data Controller does not use or may not use the personal data provided for purposes other than those specified above. Personal data may only be disclosed to third parties or authorities — unless otherwise required by law — with the prior, express consent of the data subject.

Retention period: five years after the termination of the retainer; ten years after the countersignature of a deed; ten years from the registration of a right in a public property register in cases involving registration of a right in a land registry [Attorneys Act Section 53(3)]. Where an invoice is issued, the retention period is 8 years from the preparation of the annual financial statements or accounting records for the given business year.

Processors:

Rights of the data subject: as set out in Section 4, except in relation to mandatory processing, the data subject may:
a) request information about and access to the personal data processed,
b) request rectification of their personal data,
c) request erasure of their personal data,
d) request restriction of processing,
e) object to processing,
f) exercise the right to data portability,
g) exercise the right to remedy — by lodging a complaint with the NAIH or by turning to the competent court.

3.4.Partners

Activity carried out by the Data Controller: performance of contracts with partners (contractors, service providers)

Purpose of processing: maintaining contact and invoicing in relation to contracts with partners (contractors, service providers)

Legal basis for processing: performance of a contract to which the data subject is a party [GDPR Article 6(1)(b)]; fulfilment of legal obligations under the Accounting Act Section 169(1)–(2) [GDPR Article 6(1)(c)]

Categories of data subjects: natural person partners (contractors, service providers) and natural person representatives and contact persons of legal entity partners

Categories of personal data processed: name, home address, e-mail address and telephone number of natural person partners; name, e-mail address and telephone number of representatives and contact persons of legal entity partners

The Data Controller does not use or may not use the personal data provided for purposes other than those specified above. Personal data may only be disclosed to third parties or authorities — unless otherwise required by law — with the prior, express consent of the data subject.

Retention period: 5 years from performance of the contract (limitation period) from the date on which personal data was provided. Where an invoice is issued, the retention period is 8 years from the preparation of the annual financial statements or accounting records for the given business year.

Processors:

Rights of the data subject: as set out in Section 4, except in relation to mandatory processing, the data subject may:
a) request information about and access to the personal data processed,
b) request rectification of their personal data,
c) request erasure of their personal data,
d) request restriction of processing,
e) object to processing,
f) exercise the right to data portability,
g) exercise the right to remedy — by lodging a complaint with the NAIH or by turning to the competent court.

The Data Controller ensures that the following rights of data subjects are exercisable as described below.

The Data Controller provides data subjects with the possibility to submit requests relating to the exercise of their rights by any of the following means: (i) by post, (ii) by e-mail, (iii) by telephone.

The Data Controller fulfils the data subject’s request without undue delay and in any event within one month of receipt of the request, and informs the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The Data Controller also decides within this deadline whether to refuse a request and informs the data subject of the refusal, its reasons and the available remedies.

The Data Controller fulfils the data subject’s request by e-mail as a default; however, if the data subject expressly requests postal or telephone fulfilment by providing their postal address or telephone number, the Data Controller will comply accordingly. Telephone responses may only be provided if the data subject has verified their identity. The Data Controller does not use the data subject’s postal address or telephone number for any other purpose.

The Data Controller does not charge any fee or cost for fulfilling data subjects’ requests as described below. However, if a new request relating to the same data is received within one year of a previously fulfilled request, the Data Controller reserves the right to charge a fee proportionate to the administrative burden of fulfilment.

a) Right of access and to be informed:

Upon the data subject’s request, the Data Controller provides information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, on the following:

• whether their personal data is being processed by the Data Controller;
• the name and contact details of the Data Controller;
• processing activities and the names and contact details of processors specified in Sections 3.2–3.5 above;
• the personal data processed by the Data Controller and its source;
• the purpose and legal basis of processing;
• the retention period;
• the recipients or categories of recipients to whom or which personal data has been or will be disclosed, including in particular recipients in third countries or international organisations;
• the consequences of processing;
• the rights of the data subject;
• the circumstances, effects and measures taken in relation to any personal data breach.

Even without a request, the Data Controller will notify the data subject by e-mail of any material changes to the processing described in this notice, and of any personal data breach, its effects and the measures taken.

b) Right to rectification:

The Data Controller rectifies inaccurate personal data relating to the data subject upon their request.

The Data Controller informs all recipients to whom personal data has been disclosed of any rectification, unless this proves impossible or involves a disproportionate effort. Upon the data subject’s request, the Data Controller informs them of those recipients.

c) Right to erasure:

The Data Controller erases personal data relating to the data subject upon their request if any of the following grounds apply:

• the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
• the data subject objects to the processing;
• the personal data has been unlawfully processed;
• the personal data must be erased to comply with a legal obligation under EU or Hungarian law.

The Data Controller informs all recipients to whom personal data has been disclosed of any erasure, unless this proves impossible or involves a disproportionate effort. Upon the data subject’s request, the Data Controller informs them of those recipients.

d) Right to restriction of processing:

The Data Controller restricts processing upon the data subject’s request if one of the following applies:

• the data subject contests the accuracy of personal data — in this case the restriction applies for the period enabling the Data Controller to verify the accuracy;
• the processing is unlawful, but the data subject opposes erasure and requests restriction instead;
• the Data Controller no longer needs the personal data but the data subject requires it for the establishment, exercise or defence of legal claims.

e) Right to data portability:

Upon the data subject’s request, the Data Controller provides the personal data concerning the data subject that the data subject has provided in a structured format. The Data Controller also undertakes to transmit this data to another controller at the data subject’s request without hindrance.

f) Right to remedy:

If the data subject believes that the Data Controller has infringed their right to the protection of personal data during processing, they may seek remedy under applicable legislation before the competent authorities, i.e. lodge a complaint with the NAIH (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; postal address: 1530 Budapest, Pf.: 5.; website: www.naih.hu; e-mail: ugyfelszolgalat@naih.hu; telephone: +36-1/391-1400), or turn to the competent court. The Data Controller undertakes to cooperate fully with the court or NAIH in such proceedings and to disclose all data relating to the processing to the competent court or NAIH.

The Data Controller also undertakes to compensate for any damage caused by unlawful processing of the data subject’s personal data or by a breach of data security requirements. In the event of infringement of the data subject’s personality rights, the data subject may claim damages. The Data Controller is exempt from liability if the damage was caused by an unavoidable event outside the scope of processing, or if the damage or infringement of personality rights resulted from the intentional or grossly negligent conduct of the data subject.

The Data Controller undertakes that all processing activities carried out in connection with its operations comply with the requirements set out in this notice, in the Data Controller’s internal policy (which imposes the same requirements as this notice), and in applicable legislation.

The Data Controller reserves the right to amend this notice at any time, with the proviso that data subjects will be informed of any changes in respect of each processing activity by way of a notice published on the Website.