Privacy policy

1. INTRODUCTION

Please read this Notice carefully in order to understand how we process your personal data and to become familiar with your rights in relation to data processing.

In the course of our professional activities as attorneys, the members of our Association necessarily process data. However, we pay particular attention to the protection of personal data, compliance with mandatory legal provisions, and ensuring secure and fair data processing.

Bíró, Hauck, Kotmayer and Németh Law Firm Association was established by DR. ÁDÁM BÍRÓ Law Office, Dr. Arvid Hauck, Attorney at Law, Kotmayer Law Office, and Németh and Németh Law Office, with the aim of providing our clients with the broadest possible range of legal services. The members of our Association have jointly developed the framework governing data processing, and all members process the personal data of data subjects in accordance with the same procedures and under the same conditions.

This Privacy Notice applies to all members of our Association in their capacity as independent data controllers (attorneys or law offices). It also applies where the engagement is accepted by the acting attorney on behalf of our Association. Where the engagement relates exclusively to the appointed attorney or law office, the appointed attorney or law office shall qualify as an independent data controller; where the engagement is accepted in the name of the Association, the members of our Association shall qualify as joint data controllers (in both cases hereinafter referred to as the “Controller”).

As Controllers, we inform natural persons about the principles, processes, and safeguards relating to data processing. We acknowledge the right of natural persons to exercise control over their own personal data. At the same time, we draw attention to the fact that the right to the protection of personal data is not absolute; it must be considered in accordance with the principle of proportionality and balanced against other fundamental rights.

Detailed information regarding specific data processing activities can be found in the annex to this document.

2. DETAILS OF THE DATA CONTROLLERS

Dr. Ádám Bíró Law Office
Registered office: 1118 Budapest, Ménesi út 24.
Email: adam.biro@bhknpartners.hu
Phone: +36 30 350 2972
Contact attorney: dr. Ádám Bíró

Dr. Arvid Hauck, Attorney at Law
Registered office: 1027 Budapest, Fő utca 79.
Email: arvid.hauck@bhknpartners.hu
Phone: +36 20 940 2434
Contact attorney: dr. Arvid Hauck, attorney

Kotmayer Law Office
Registered office: 1118 Budapest, Ménesi út 24.
Email: zalan.kotmayer@bhknpartners.hu
Phone: +36 30 960 3977
Contact attorney: dr. Zalán Kotmayer

Németh and Németh Law Office
Registered office: 1022 Budapest, Alvinci út 46. I/3.
Email: franciska.nemeth@bhknpartners.hu
Phone: +36 20 354 9411
Contact attorney: dr. Franciska Németh

Notwithstanding the above, any data protection-related request (including complaints or declarations concerning the exercise of data subject rights, etc.) may be submitted to any member of our Association.

3. YOUR RIGHTS

You may address your requests, questions, complaints, or comments regarding the Controller’s conduct directly to the designated contact person of the Controller at any of the contact details specified in Section 2 of this Notice.

You may exercise your rights relating to data processing by submitting a request to the Controller. The Controller shall respond to any request submitted through any of its contact details without undue delay, and in any event within 30 days. You are entitled to exercise your rights as set out below:

Right to prior information and right of access (Articles 13–14 of the Regulation)

You are entitled to receive confirmation, upon request, as to whether your personal data are being processed. At your request, the attorney shall provide you with a copy of the personal data processed by him/her and, at the same time, inform you of the information specified in Article 15 of the GDPR (such as: the purposes of processing, categories of personal data concerned, categories of recipients to whom the data have been or will be disclosed, and the envisaged period of data processing).

Right to rectification (Article 16 of the Regulation)

Upon request, the attorney shall, without undue delay, rectify inaccurate personal data concerning you that are processed by him/her.

Right to erasure (Article 17 of the Regulation)

Pursuant to Article 17 of the GDPR, in the cases specified therein, the attorney shall, upon your request—or even without a specific request where required—erase your personal data without undue delay. If you request the erasure of personal data that have been made public by the attorney, the attorney shall take all reasonable steps to inform other controllers processing such data that you have requested the erasure of your personal data.

Right to restriction of processing (Article 18 of the Regulation)

Upon your request, and subject to the provisions set out in Article 18 of the GDPR, the attorney shall restrict the processing of your personal data in certain cases. Where processing has been restricted at your request, such personal data shall, with the exception of storage, only be processed with your consent, or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest.

Right to data portability (Article 20 of the Regulation)

In the case of processing carried out by automated means based on a contract or consent, the attorney shall, upon your request, provide you with the personal data concerning you that you have previously provided to the attorney, in a structured, commonly used, machine-readable format. Upon your request, and where technically feasible, such data shall be transmitted directly to another controller.

Right to object (Article 21 of the Regulation)

Where the attorney processes your personal data on the basis of legitimate interest, you shall have the right, on grounds relating to your particular situation, to object at any time to such processing in accordance with Article 21 of the GDPR. In such a case, the Controller shall no longer process the personal data, except in exceptional cases provided for by law.

Notification obligation in connection with the rectification or erasure of personal data, or restriction of processing (Article 19 of the Regulation)

Communication of a personal data breach to the data subject (Article 34 of the Regulation)

Right to lodge a complaint

You have the right to lodge a complaint in relation to data processing, primarily with the Controller or its representative, and secondarily with the supervisory authority of the Member State of your habitual residence, place of work, or the place of the alleged infringement. The contact details of the supervisory authority in Hungary are as follows:

  • Name: National Authority for Data Protection and Freedom of Information
  • Postal address: 1374 Budapest, P.O. Box 603
  • Address: 1055 Budapest, Falk Miksa utca 9-11
  • Phone: +36 (1) 391-1400
  • Fax: +36 (1) 391-1410
  • Email: ugyfelszolgalat@naih.hu
  • Website: http://naih.hu

Right to an Effective Judicial Remedy (Articles 78–79 of the Regulation)

You have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning you, or where the supervisory authority does not handle your complaint or fails to inform you within three months of the progress or outcome of the complaint. You may exercise this right before the competent court (regional court).

Please contact us in electronic form where possible. The Controller will respond to data protection requests in electronic form where feasible, unless the Data Subject expressly requests another method of communication or the Controller does not have the Data Subject’s electronic contact details.

Please note that if complying with a request for the provision of data would result in disproportionate additional costs for the Controller (for example, due to the format requested), the Controller shall be entitled to charge the Data Subject the reasonable costs associated with providing the data. The Controller shall inform the Data Subject in advance of any such costs that may arise.

Please note that, in the case of persons under the age of 18, their legal representative is entitled to act on their behalf.

4. DATA SECURITY

The Controller aims to minimise the processing of personal data in order to reduce data processing risks. Personal data are processed in a transparent and verifiable manner to enable the immediate detection of any data protection incidents.

Within the scope of its data security responsibilities, the Controller:

  • ensures password protection for electronically stored personal data;
  • ensures the physical protection of paper-based personal data in order to prevent access by unauthorised persons (e.g. secured office premises with locks and alarm systems);
  • ensures the physical protection of data carriers used for electronically processed data (e.g. office computers kept in locked premises);
  • ensures that access to data is granted exclusively to authorised persons (e.g. through password protection);
  • provides for the regular backup of electronic data;
  • ensures compliance with data protection and confidentiality legislation, with particular regard to the provisions of Act LXXVIII of 2017 on the Legal Profession;
  • ensures the protection of electronic data through the use of antivirus software.

5. RECIPIENTS OF PERSONAL DATA

Your personal data may be accessed by the Attorney, the Attorney’s employees (e.g. trainee lawyers, legal assistants), and any cooperating or substitute attorneys approved by you in the engagement agreement or power of attorney. Where the engagement is accepted in the name of the Association, all members of the Association and their respective employees may also have access to the data.

Personal data may be transferred for processing purposes to the Attorney’s archival service provider, as well as to accounting and IT service providers. In the case of postal delivery, address data may be transferred to the Hungarian Post or to the courier service engaged. Billing data are shared with the company responsible for the Attorney’s bookkeeping. Depending on the purpose of the engagement and the data processing, personal data may also be transferred to competent authorities, courts, opposing parties, or third parties. Where the Attorney performs the engagement in cooperation with another attorney or law office, personal data shall be transferred to such cooperating attorney. Personal data may further be disclosed to other persons involved in the performance of the legal engagement (e.g. experts), or to other persons engaged in connection with the mandate, whose involvement has been approved by the client. If the regional bar association appoints an office administrator pursuant to Section 85 of Act LXXVIII of 2017 on the Legal Profession, such administrator shall be entitled to represent the Attorney and to inspect the files. Your personal data may also be disclosed, in the context of litigation or administrative proceedings, to competent authorities (e.g. investigating authorities, data protection supervisory authorities, courts) and to opposing parties.

In cases prescribed by law, the Attorney is obliged to transfer personal data specified by law to the institutions, authorities, or organisations designated by law, and shall inform the data subjects of such transfer unless prohibited by law.

In the course of data transfers, the Attorney shall act strictly in accordance with Act LXXVIII of 2017 on the Legal Profession, the ethical rules applicable to attorneys, and the relevant procedural laws. Processors may process personal data solely on the basis of a written agreement concluded with the Attorney, exclusively in accordance with the Attorney’s instructions and only for the purposes specified above, and no later than until the termination of the data processing agreement and the transfer or deletion of the processed data, or for such period during which the Attorney is authorised or obliged to process the data.

The Attorney shall engage only such processor(s) that provide sufficient guarantees to implement appropriate technical and organisational measures ensuring compliance with the GDPR and the protection of the personal data of data subjects.

The Controller engages a data processor for the operation of the Association’s website (including hosting services and data entry via the website), with whom a data processing agreement is concluded.

Details of the Processor:

  • Name: Tárhely.eu Szolgáltató Kft.
  • Registered office: 1144 Budapest, Ormánság utca 4. X. emelet 241.
  • Email: support@tarhely.eu
  • Phone: 36 1 789 2 789
  • Privacy policy

Data processed by the Processor: data uploaded to the website and data submitted to the Controller via the website (completion of data request forms/questionnaires).

As a general rule, the Controller does not transfer personal data to third countries. Should such transfer occur on an ad hoc basis, the Controller shall transfer personal data only to a third country that ensures an adequate level of protection pursuant to an adequacy decision of the European Commission. In the absence of such an adequacy decision, the Controller shall transfer personal data to a third country only where the conditions set out in Articles 46 or 49 of the GDPR are fulfilled.  

6. PERSONAL DATA BREACH

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed [Article 4 of the Regulation].

If you become aware of a personal data breach or the risk thereof in connection with any of our data processing activities, please notify the Attorney immediately using the contact details provided in this Notice.

In the event of a personal data breach, we shall notify the competent authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the assessment indicates that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Subject shall be informed without undue delay.

Each personal data breach shall be investigated, and appropriate measures shall be taken to prevent similar incidents from occurring in the future.

A record of personal data breaches shall be maintained, containing all relevant circumstances of the incident.

Budapest, 1 May 2024.

DATA PROCESSING ACTIVITIES

a. Data processing carried out in the context of a legal engagement and attorney identification

b. Case register

c. Case register for matters subject to mandatory legal representation

d. Processing of contact details of clients and contractual partners

e. Data processing related to the countersigning of documents serving as the basis for entry into public registers

f. Client due diligence pursuant to the AML Act (Pmt.)

g. Data of additional data subjects

h. Attorney escrow register

i. Data transfers to cooperating law offices, mandated attorneys, and substitute attorneys

j. Data processing related to data subject requests

k. Data processing related to personal data breaches

l. Data processing carried out via the website, cookies

Detailed information on each data processing activity is provided below:

a. Data Processing Carried Out in the Context of a Legal Engagement and Attorney Identification

The Attorney processes personal data in the course of legal activities performed pursuant to Section 27 of Act LXXVIII of 2017 on the Legal Profession.

The scope of processed data may be determined by applicable legislation (e.g. mandatory elements of a contract) or by a request from an authority in administrative or judicial proceedings.

Pursuant to Section 32 (1) of Act LXXVIII of 2017, with the exception of mandates for legal advice, prior to concluding an engagement agreement, and prior to countersigning a contract between the client’s employer and a third party, the attorney (including, for the purposes of this subsection, in-house counsel) shall carry out the identification of the client, the person contracting with the in-house counsel’s employer, or the person acting on their behalf.

Pursuant to Section 32 (2), the attorney shall identify any natural person who is not personally known to him/her, or whose identity raises doubts, by inspecting an official identification document suitable for personal identification.

For the purpose of verifying the consistency of the natural person’s data with registered records and the validity of the documents presented, the attorney may request data from the personal data and address register, the driving licence register, or the travel document register. The attorney shall request such data where doubts arise regarding the validity or authenticity of the data or documents provided.

| Scope of Processed Data | Purpose of Data Processing | Legal Basis of Data Processing |
|---|---|---|
| client’s name, address | conclusion of the engagement agreement | performance of the legal engagement agreement pursuant to Article 6(1)(b) of the Regulation |
| | billing | compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation (Section 169 of the VAT Act; Sections 167 and 169 of the Accounting Act) |
| client’s telephone number, name | communication / contact purposes | performance of the legal engagement agreement pursuant to Article 6(1)(b) of the Regulation |
| the client’s data pursuant to Section 32(3) of Act LXXVIII of 2017, in the event of doubt | verification of the data recorded during the client identification process | compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation (Section 169 of the VAT Act; Sections 167 and 169 of the Accounting Act) |
| additional data necessary for the engagement, relating to the client as data subject | representation of the client’s interests and performance of the legal services | performance of the legal engagement agreement pursuant to Article 6(1)(b) of the Regulation |

Duration of data processing: 8 years from the termination of the contract; in the event of a legal dispute, if later, 5 years following the final resolution of the dispute.

b. Case register

Pursuant to Section 53 of Act LXXVIII of 2017 on the Legal Profession, the Attorney maintains a register in order to ensure the verifiability of compliance with the rules governing legal practice and, in the event of termination of the entitlement to practise law, to safeguard the rights of clients.

| Scope of Processed Data | Purpose of Data Processing | Legal Basis of Data Processing |
|---|---|---|
| data pursuant to Section 53(2) of Act LXXVIII of 2017 on the Legal Profession | compliance with the statutory obligation to maintain the case register | compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation (Section 53(1) and (2) of Act LXXVIII of 2017 on the Legal Profession) |

Duration of data processing: 5 years following the termination of the engagement; in the case of countersigning a document, 10 years from the date of countersigning; in matters concerning the registration of a right relating to real estate in a public register, 10 years from the date of registration of the right.

Section 53(2) of Act LXXVIII of 2017 on the Legal Profession provides that the register maintained on cases shall contain the following data:

a) the case identifier assigned by the attorney,

b) the client’s name,

c) the subject matter of the case,

d) the date of conclusion of the engagement agreement and

e) the court case reference number relating to the matter, or the registration number of other proceedings.

c. Case register for matters subject to mandatory legal representation

Pursuant to Section 33(1) of Act LXXVIII of 2017 on the Legal Profession, the Attorney maintains a register of cases in which legal representation is mandatory.

| Scope of Processed Data | Purpose of Data Processing | Legal Basis of Data Processing |
|---|---|---|
| data pursuant to Section 33(2) of Act LXXVIII of 2017 on the Legal Profession | compliance with the statutory obligation to maintain the case register | compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation (Section 33(1) and (2) of Act LXXVIII of 2017 on the Legal Profession) |

Section 33(1) of Act LXXVIII of 2017 on the Legal Profession provides that, in cases where legal representation is mandatory, the Attorney shall maintain a register of natural persons identified at least by inspecting an identification document suitable for personal identification, as well as of legal entities and other organisations, in order to promote the security of legal transactions and to ensure compliance with the limitations applicable to the legal profession.

(2) The register maintained on identified natural persons shall contain the following data:

a) natural personal identification data,

b) address of residence,

c) citizenship, stateless status, refugee status, immigrant status, settled status, or EEA national status,

d) the type and number of the identification document used for identification,

e) the identifier of the response received in the course of the data request pursuant to Section 32(3),

f) the case identifiers of the matters in which identification of the natural person is mandatory,

g) the data specified in the Act on the Prevention and Combating of Money Laundering and Terrorist Financing.

(3) If, on the basis of the verification pursuant to Section 32(8), the Attorney establishes a change in the data specified in points (a)–(d) and (g) of subsection (2), the Attorney shall record the amended data, indicating the date of the verification, in such a manner that the previously registered data remain subsequently identifiable.

(7) The Attorney shall process the data specified in subsections (2) and (4) for the period defined in the Act on the Prevention and Combating of Money Laundering and Terrorist Financing.

Duration of data processing: 8 years from the termination of the contract.

d. Processing of contact details of clients and contractual partners

In the course of maintaining relationships with contractual partners and clients, the Attorney processes the contact details and representative data of such partners. By their nature, this may require the processing of personal data (name, email address, telephone number). The Controller calls upon its contractual partners and clients to inform the designated contact persons and representatives provided by them of the fact of such data processing.

| Scope of Processed Data | Purpose of Data Processing | Legal Basis of Data Processing |
|---|---|---|
| name, contact details (telephone number, email address), and position of the contact person or representative | ensuring effective cooperation with contractual partners and clients, and maintaining the data necessary for business communication | legitimate interest of the Controller pursuant to Article 6(1)(f) of the Regulation in ensuring the continuity and uninterrupted nature of its business relationships |

Data processing shall continue for the duration of the contractual relationship or, in the case of ongoing cooperation, until 30 June of the calendar year following the termination of the cooperation (document destruction reference date). Where the data are included in the engagement agreement, such data shall be retained for 8 years from the termination of the contract in accordance with the rules applicable to the engagement agreement.

e. Data processing related to the countersigning of documents serving as the basis for entry into public registers

The Attorney is required to identify clients when countersigning a document serving as the basis for entry into a public register. The method of identification and the scope of the data processed are determined by Section 32 of Act LXXVIII of 2017 on the Legal Profession.

Section 32(7) of Act LXXVIII of 2017 on the Legal Profession provides that, prior to countersigning a document serving as the basis for entry into a public register, the Attorney shall, for the purpose of verifying identity and the validity of the document, identify the persons or organisations making the legal declaration, as well as the persons acting on their behalf, by applying subsections (2)–(4) and (6).

Section 32(2) provides that the Attorney shall identify any natural person who is not personally known to him/her, or whose identity gives rise to doubt, by inspecting an official document suitable for personal identification.

(3) For the purpose of verifying the consistency of the natural person’s data with registered records and the validity of the documents presented, the Attorney may electronically request the following data from the personal data and address register, the driving licence register, the travel document register, and the central immigration register:

a) natural personal identification data,

b) citizenship, stateless status, refugee status, immigrant status, settled status, or EEA national status,

c) address of residence,

d) facial image,

e) signature,

f) the facts specified in Section 18(5) of Act LXVI of 1992 on the Registration of the Personal Data and Address of Citizens,

g) the data specified in Section 24(1)(f) of Act XII of 1998 on Travel Abroad, and the validity period of the document,

h) the data specified in Section 8(1)(b), subpoints (ba)–(bb), of Act LXXXIV of 1999 on the Road Traffic Register,

i) the data specified in Section 76(d), Section 80(1)(b) and (c) of Act I of 2007 on the Entry and Residence of Persons with the Right of Free Movement and Residence, and in Section 95(1)(g), Section 96(1)(g), and Section 100(1)(b) and (c) of Act II of 2007 on the Entry and Residence of Third-Country Nationals.

(6) If a duly authorised representative acts on behalf of a natural person client, the Attorney may dispense with the separate identification of the client, provided that the power of attorney containing the client’s personal identification data has been countersigned by an attorney, executed by a notary, the principal’s signature has been certified by a notary, or the power of attorney has been certified or legalised by the competent Hungarian consular authority at the place of signing, or has been provided with an Apostille certificate.

| Scope of Processed Data | Purpose of Data Processing | Legal Basis of Data Processing |
|---|---|---|
| the client’s data as set out in Section 32(3) of Act LXXVIII of 2017 on the Legal Profession | performance of client identification | compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation (Section 32(7) of Act LXXVIII of 2017 on the Legal Profession) |

Section 53(5) of Act LXXVIII of 2017 on the Legal Profession provides that, in the case of countersigning a document, the attorney shall retain the document countersigned by him/her, as well as other documents generated in connection with the matter involving the countersigning, for ten years from the date of countersigning, unless legislation provides for a longer retention period or the parties have agreed on a longer period of retention.

Duration of data processing: 8 years from the termination of the contract.

f. Client due diligence pursuant to the AML Act (Pmt.)

the client’s data as set out in Section 32(3) of Act LXXVIII of 2017 on the Legal Profession

a) at the time of establishing the business relationship;

b) upon the performance of a transaction mandate amounting to HUF 4,500,000 or more;

c) in the case of a trader in goods, upon the performance in cash of a transaction mandate amounting to HUF 3,000,000 or more;

d) upon the performance of a transaction mandate exceeding HUF 300,000 that qualifies as a funds transfer within the meaning of Article 3(9) of the Regulation;

e) in the case of an organiser of betting not qualifying as remote gambling, upon the payment of winnings amounting to HUF 600,000 or more in the case of betting not qualifying as remote gambling organised without the use of electronic communications devices and systems, and upon the payment from a player’s balance amounting to HUF 600,000 or more in the case of betting not qualifying as remote gambling organised through electronic communications devices and systems;

f) in the event that data, facts, or circumstances indicating money laundering or terrorist financing arise, where customer due diligence has not yet been carried out pursuant to points (a)–(e) or (i);

g) if doubt arises as to the authenticity or adequacy of the previously recorded client identification data;

h) where a change in the client identification data is recorded and, based on a risk-sensitive approach, repeated customer due diligence is required;

i) in the case of currency exchange transactions amounting to HUF 300,000 or more.

Section 7(1) The service provider shall, in the cases specified in Section 6(1)(a) and (e)–(h), identify the client, the client’s authorised representative, the person authorised to dispose at the service provider, as well as the representative acting before the service provider, and shall verify their identity.

(2) During identification, the service provider shall record the following data:

a) in the case of a natural person

aa) family name and given name,

ab) birth family name and given name,

ac) citizenship,

ad) place and date of birth,

ae) mother’s birth name,

af) address of residence, or in the absence thereof, place of stay,

ag) type and number of the identification document;

b) in the case of a legal entity or an organisation without legal personality

ba) name and abbreviated name,

bb) registered seat, and in the case of a foreign undertaking, the address of its Hungarian branch, if any,

bc) principal activity,

bd) names and positions of persons authorised to represent it,

be) if applicable, the data of its delivery agent as specified in points aa) and af) of subsection (a),

bf) in the case of a legal entity registered in the company register, its company registration number; in the case of another legal entity, the number of the decision on its establishment (registration or entry into the register) or its registration number,

bg) its tax number.

(3) For the purpose of verifying identity, the service provider shall require the presentation of the following documents, or shall be entitled to retrieve data from an official public register:

a) in the case of a natural person

aa) in the case of a Hungarian citizen, an official identity card suitable for personal identification and an official certificate of address, the latter where the person’s place of residence or stay is in Hungary,

ab) in the case of a foreign citizen, a travel document or identity card, provided that it entitles the holder to reside in Hungary, a document evidencing the right of residence or authorising residence, and an official certificate of address in Hungary where the person’s place of residence or stay is in Hungary;

b) in the case of a legal entity or an organisation without legal personality, in addition to the document specified in point a) of the person authorised to act in its name or on its behalf, a document not older than thirty days certifying that

ba) the company has been registered by the company court, or that the application for registration has been submitted; in the case of a sole trader, that notification of the commencement of sole trader activity has been made or that the sole trader has been registered,

bb) in the case of a domestic legal entity not falling under point ba), where its establishment requires registration by an authority or court, such registration has taken place,

bc) in the case of a foreign legal entity or organisation without legal personality, it has been duly registered or entered into a register in accordance with the laws of its own country;

c) prior to the submission of an application for registration to a court or authority, the instrument of incorporation of the legal entity or organisation without legal personality.

(3a) Verification of the data specified in § 7 (2) a) points ab)–ac) and ae) may be omitted if the document presented for the purpose of identity verification does not contain such data.

(3b) In the case specified in § 7 (3a), the service provider shall record that the data specified in § 7 (2) a) points ab)–ac) and ae) were recorded without verification.

(5) For the purpose of verifying identity, the service provider shall verify the validity of the identity document presented pursuant to § 7 (3) and, in doing so, shall ascertain the authenticity of the document.

(6) During the identity verification process, the service provider shall verify, in the case of an authorised representative, the validity of the power of attorney, the disposal right of the person authorised to dispose, and the representative’s authority to act.

Scope of processed data: the client’s data as set out in Section 32(3) of Act LXXVIII of 2017 on the Legal Profession

Purpose of data processing: performance of customer due diligence and compliance with statutory obligations

Legal basis of data processing: compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation (Section 169 of the VAT Act; Sections 167 and 169 of the Accounting Act)

Duration of data processing: 8 years from the termination of the contract.

Pmt. 57. § (1) The service provider shall retain – in the register maintained by it – data not qualifying as personal data that come into its possession in the course of fulfilling the obligations set out in this Act and in legislation adopted pursuant to its authorisation, including data obtained during electronic identification, as well as any other data generated in connection with the business relationship, for eight years from the termination of the business relationship or from the performance of the transaction mandate.

(2) The service provider shall retain – in the register maintained by it – documents, or copies thereof, obtained in the course of fulfilling the obligations set out in this Act and in legislation adopted pursuant to its authorisation, including documents obtained during electronic identification, as well as documents, or copies thereof, evidencing the fulfilment of reporting obligations and data provision pursuant to § 42, the suspension of the performance of a transaction pursuant to §§ 34 and 35, and any other documents, or copies thereof, generated in connection with the business relationship, for eight years from the termination of the business relationship or from the performance of the transaction mandate.

g.     Data of additional data subjects

Data subjects concerned by the processing: other participants in the proceedings, opposing parties, the legal representatives of opposing parties, and third parties not participating in the proceedings (e.g. family members of the client).

Where personal data originate from the client, the client shall declare that he/she is entitled to process and transfer such data to the Attorney, that an appropriate legal basis exists for the data transfer, and that the relevant information obligations have been fulfilled. Pursuant to Article 14(5)(a) of the Regulation, and in view of the information obligation fulfilled by the client, the Attorney shall not provide separate information to the data subject.

The Attorney shall not be subject to an information obligation where the processed personal data are covered by legal professional privilege (Article 14(5) of the GDPR).

Scope of processed data: additional data necessary for the engagement, relating to a third-party data subject

Purpose of data processing: representation of the client’s interests and performance of the legal services

Legal basis of data processing: legitimate interest of the Controller and the client pursuant to Article 6(1)(f) of the Regulation in ensuring successful cooperation in relation to the mandate and the effective performance of legal services

Duration of data processing: The retention period is determined by the statutory obligations applicable to the Attorney in respect of the specific types of cases. The Attorney shall retain data only for the period prescribed by law.

Üttv. 46. § (5) The Attorney shall retain an electronic document – unless the parties have agreed on a longer retention period – for ten years from the date of making the copy.

(6) The Attorney shall retain a paper-based document countersigned by him/her and converted into electronic form – unless the parties have agreed on a longer retention period – for five years from the date of conversion.

53. § (5) In the case of countersigning a document, the Attorney shall retain the document countersigned by him/her, as well as other documents generated in connection with the matter involving the countersigning – unless legislation provides for a longer retention period or the parties have agreed on a longer period of retention – for ten years from the date of countersigning.

h.     Attorney escrow register

The Attorney maintains a register of attorney escrow in accordance with Section 7.4 of Regulation No. 7/2018 (III. 26.) of the Hungarian Bar Association on Attorney Escrow Management and the Escrow Register.

Scope of processed data: the subject matter of the escrow, the type of escrow, the date of conclusion and amendment of the escrow agreement, the date of termination of the escrow agreement, where the escrow is deposited with a custodian organisation the name and registered seat of such custodian organisation, in the case of judicial deposit the fact and date thereof, data relating to the performance of the escrow, and in the case of money received from a third party for the benefit of the client the date of receipt, the amount received, and the legal title of receipt.

Purpose of data processing: compliance with the statutory obligation to maintain the escrow register

Legal basis of data processing: compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation (Section 158 of Act LXXVIII of 2017 on the Legal Profession and Section 7.4 of Regulation No. 7/2018 (III. 26.) of the Hungarian Bar Association on Attorney Escrow Management and the Escrow Register)

Duration of data processing: 10 years from the termination of the escrow agreement pursuant to the referenced Regulation of the Hungarian Bar Association (MÜK).

i.      Data transfers to cooperating law offices, mandated attorneys, and substitute attorneys

The Attorney and the client (including cases where the client is not the data subject, in particular in the case of legal entity or other organisational clients, and with regard to data of persons other than the client) have a legitimate interest in engaging additional law firms, individual attorneys, European Community lawyers, or other advisors specialised in the relevant field for a given matter. Clients are informed – taking into account the specifics of communication – about the identity and, where necessary, the professional qualifications of such additional law firms, individual attorneys, European Community lawyers, and advisors, and the Attorney shall, to the extent possible, take the client’s requests into account when selecting such persons.

The scope of data processed in the course of such data transfer depends on the nature of the specific engagement.

The legal basis for the data transfer is the legitimate interest of the Controller and the client pursuant to Article 6(1)(f) of the Regulation in the successful performance of the mandate and the involvement of necessary experts.

j.      Data processing related to data subject requests

The Attorney is required to maintain a register of data protection requests and of the data processed in the course of the exercise of data subject rights.

Scope of processed data: personal data related to data protection requests: in the case of natural persons, and in the case of legal entities or other organisations the contact details necessary for communication of the contact person (in particular: name, address, email address), the content of the request, as well as the steps taken in relation to the request and the documents prepared in connection with the request

Purpose of data processing: compliance with the statutory obligation to maintain a register of requests in accordance with the principle of accountability

Legal basis of data processing: compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation, namely enabling the exercise of data subject rights set out in Articles 15–22 of the Regulation and documenting the steps taken in connection with the request

Duration of data processing: in the absence of differing guidance from the data protection authority, 5 years from the date of the request, taking into account that within this period the enforcement of potential data protection claims before the supervisory authority or a court may reasonably be expected (Section 6:22(1) of the Civil Code – unless otherwise provided by the Civil Code, claims shall become time-barred after 5 years).

k.     Data processing related to personal data breaches

The Attorney is required to maintain a register of personal data breaches. This register enables the data protection authority to verify compliance with the requirements of the Regulation.

Scope of processed data: the facts relating to the personal data breach, its effects, and the measures taken to remedy it

Purpose of data processing: compliance with the statutory obligation to maintain a register of incidents in accordance with the principle of accountability

Legal basis of data processing: compliance with a legal obligation applicable to the Controller pursuant to Article 6(1)(c) of the Regulation (Article 33(5) of the Regulation)

Duration of data processing: in the absence of differing guidance from the data protection authority, 5 years from the date of becoming aware of the personal data breach, taking into account that within this period the enforcement of potential data protection claims before the supervisory authority or a court may reasonably be expected (Section 6:22(1) of the Civil Code – unless otherwise provided by the Civil Code, claims shall become time-barred after 5 years).

l.      Data processing carried out via the website, cookies

Our website uses cookies in order to enhance the user experience and ensure the proper functioning of the website. A cookie is a piece of data sent by the website to the data subject’s browser, whereby the browser stores certain information so that the website can reload the original settings upon subsequent visits. When visiting the website, the Data Subject is informed about the cookies used on the site. The Data Subject uses the website with this information at his/her disposal.

The purpose of cookies is to enhance the user experience during the use of the website and to provide information to the Controller for monitoring the operation of the site.

The cookies used are not suitable for identifying the Data Subject. Refusal to consent to the use of cookies does not result in any disadvantage for the Data Subject.

The Data Subject may delete cookies from his/her own computer and may also prevent their use in the browser settings. These options are browser-dependent but are typically available under the Settings / Privacy menu. Upon entering the website, the Controller provides a “Cookie Notice”.

Further information on the configuration options of individual browsers:

  • Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
  • Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
  • Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
  • Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
  • Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
  • Safari: https://support.apple.com/hu-hu/HT201265
