
DATA PROTECTION POLICY

The highest-level protection of personal data is a priority for Dr. Gergely Bán Law Firm (act legal | Bán & Karika Attorney at Law, registered seat: 1117 Budapest, Alíz utca 1. A. épület 5. emelet, bar association ID: 36056992, represented by Dr. Gergely Bán, attorney at law, the “Data Controller”, which term includes the persons defined in Section 3.3 of the present Policy as well).

To ensure the safety of the personal data processed by the Data Controller, it has prepared the present policy (the “Policy”) based on the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information Law (the “Info Act”) and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”).

Browsing the website on the www.ban-karika.hu Internet address (the “Website”) or subscribing to the newsletter (the “Newsletter”) constitutes acceptance of the Policy.

 

Please read the Policy carefully and write to us at the budapest@actlegal-bk.com address if you have any questions.

 

Please note in advance that you may object to the processing of your personal data at any time where such processing is based on our legitimate interest or advertising, as explained below.

 

Please note that in respect of data processing by other websites visited by navigating from the Website (social networking sites such as Facebook or LinkedIn), the data controller identified in the data processing Policy on the social networking site is considered the data controller and that Dr. Gergely Bán Law Firm does not accept any responsibility for them.


1. Data controller

1.1. The operator of the Website and the controller of the personal data is the same.
       Name of the Data Processor: Dr. Gergely Bán Law Firm
       Address of Data Controller: 1117 Budapest, Alíz utca 1. A. épület 5. emelet
       Telephone number of Data Controller: +36 1 501 5360
       E-mail address of Data Controller: gdpr@actlegal-bk.com
       Place of data processing: 1117 Budapest, Alíz utca 1. A. épület 5. emelet

2. Scope of the Policy

2.1. The Policy takes effect on 25 May 2018 and remains in full force and effect until further action by the Controller.

2.2. The material scope of the Policy covers all processes in all organisational units of the Data Controller, during which personal data, as defined in point 2 of Section 3 of the Info Act, are processed.

2.3. The material scope of the Policy covers all personal data processed by the Data Controller, regardless of their form of appearance or location. This Policy applies to all stages of data processing. The personal scope of this Policy covers all employees of the Data Controller.

2.4. The material scope of the Policy does not apply to data processing related to the employees of the Data Controller and its cooperating partners identified in Section 3.3 of the present Policy. Data processing of this kind is governed by the Data Controller’s internal data protection policy(ies).

3. General provisions

3.1. The purpose of processing is the performance of the services offered on the Website (contacting the Data Controller, recording online requests, newsletter sending, etc.), mediation between the parties to the contract, data transfer, communication, preparation of related contracts or other documents, carrying out the client due diligence required by the law, enforcing the rights of the Data Controller and fulfilment of the legal regulations applicable to the Data Controller (e.g. keeping records based on Act LXXVIII of 2017 on the legal profession (hereinafter, the “LPA”)).

3.2. Scope of processed data: personal identification data (last name, first name, birth name, title, place and date of birth, mother’s name, nationality, identity card number and validity, number of address card), contact details (telephone number, e-mail address, permanent residence, place of stay) and other data voluntarily provided by the clients depending on the nature of the transaction and to the extent required for the performance of the service.

3.3. The provisions concerning the processing of the personal data covered by this Policy also apply to the following entities functioning as members of and cooperating with Bán & Karika Attorneys at Law: Dr. Márton Karika Law Firm (address: 1117 Budapest, Alíz utca 1. A. épület 5. emelet), Dr. Attila Brózmann, private attorney at law (address: 2310 Szigetszentmiklós, Losonczi utca 1.), Horváth G. Gábor Law Firm (1117 Budapest, Alíz utca 1. A. épület 5. emelet), Dr. István Solt, private attorney at law (office: 1117 Budapest, Alíz utca 1. A. épület 5. emelet) and Dr. Dalma Guiditta Sipőcz, private attorney at law (office: Budapest, Alíz utca 1. A. épület 5. emelet).

 

4. Legal bases of processing personal data

4.1. The following are the legal bases for processing personal data:

a) Voluntary consent of data subjects: data subjects give informed consent to the processing of their personal data for one or more specific purposes.

b) Legal requirement: They include, for example, Act LIII of 2017 on the prevention of money laundering and terrorist financing (“AML”), which requires the Data Controller to conduct due diligence on the persons considered as clients and record their personal data and retain such data and the related documents. The processing of personal data can also be based on laws on taxation or the retention of accounting documents.

c) Contract: Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

d) Exercising public authority: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred to the Data Controller.

e) Processing based on vital interests: the processing is necessary to protect the vital interests of the data subject or of another individual.

f) Processing based on legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

4.2. The Data Controller processes sensitive data for the purposes defined in this Policy only if such data are provided to it by the clients on a voluntary basis in each case depending on the nature of the transaction and to the extent required for the performance of the service.

 

5. Duty of confidentiality of attorneys at law

5.1. Attorney privilege means all facts, information and data the Data Controller, as the entity practising the legal profession, becomes aware of during the exercise of that activity. Unless the LPA provides otherwise, the Data Controller is obliged to keep the attorney privilege. This duty of confidentiality extends to documents or other media containing the attorney privilege.

5.2. The duty of confidentiality of the entity exercising the legal practice is independent of the existence of the relationship created for practising the legal profession and shall survive without any time limit the completion of the exercise of the legal profession or the termination of the legal relationship. Therefore, the Data Controller agrees to keep the personal data obtained during the exercise of its profession indefinitely.

 

6. Rules of data processing

6.1. The Data Controller processes personal data disclosed to it by the data subjects (including the users) or otherwise acquired by the Data Controller as set out in the present Policy. In processing personal data, the Data Controller must at all times comply with the principles of legality, fair procedures and transparency, the principle of purpose limitation, the data-saving principle, the principle of accuracy and the principle of storage limitation, as well as the principles of integrity and confidentiality. The Data Controller is responsible for compliance with these principles and must be able to demonstrate such compliance.

6.2. The Data Controller processes personal data exclusively for a specific purpose in the performance of its duties in order to exercise rights and fulfil obligations, to the least extent and for the shortest period of time necessary to achieve the goal but no longer than until revoked by the data subject. Nevertheless, the Data Controller draws attention to the fact that the Data Controller is required to retain the data provided by the data subjects according to the provisions of the AML and the LPA (electronic documents should be retained for 10 years, paper-based documents should be retained for 5 years, and countersigned documents and related documents should be retained for 10 years). The Data Controller is required to retain other personal data (obtained during the client due diligence) for 8 years after the termination of the business relationship or the completion of the business transaction. In case the transaction fails, the personal data will be erased after the failure, respectively, in the case of a general inquirer, after the lapse of 2 years of the inquiry.

6.3. Before recording any data, the Data Controller informs the data subject about the purpose and the legal basis of the data processing in all cases.

6.4. Data processing must in all phases conform to the purpose, and the data will be deleted if the purpose of the data processing ceased or the processing of the data otherwise becomes unlawful.

6.5. In order to ensure the safety of the personal data processed, the Data Controller takes all technical and organizational measures and establishes the rules of procedure that are required to enforce the Info Act and other domestic and international data protection legislation. The Data Controller is obliged to protect the personal data processed by it against unauthorized access, alteration, transfer, disclosure, erasure or destruction, as well as accidental destruction and damage.

6.6. The personal data provided may be accessed only by the Data Controller and the employees who absolutely need to know the personal data in order to attain the purpose of processing. Data transfer is governed by the provisions of Section 10.

6.7. The members of the Data Controller’s staff engaged in processing and the staff members of the organisation engaged in data processing on behalf of the Data Controller and performing any operation thereof are obliged to process the personal data obtained in the manner defined in this Policy, the Info Act and the GDPR.

6.8. In carrying out their work, the staff of the Data Controller ensures that no unauthorized person can access the personal data and that the personal data are adequately protected against unauthorized access, alteration, transfer, disclosure, erasure or destruction, as well as the accidental destruction and damage or becoming inaccessible arising from changes in the applied technology.

6.9. The head of the Data Controller defines from time to time the organisation of data protection and the tasks and competences concerning data protection and related activities, taking into account the specificities of the Data Controller, and assigns the person overseeing data processing (“Internal Data Protection Agent”).

6.10. The Internal Data Protection Agent:

a) Contributes to and assists in making decisions related to data processing and to the enforcement of the rights of data subjects;

b) Monitors compliance with other legislation concerning data protection and internal data protection and data security rules and data security requirements;

c) Investigates notices submitted to the Data Controller and, in case unauthorized data processing is detected, invites the Data Controller to stop the processing;

d) Prepares and, if necessary, modifies the internal data protection and data security policy;

e) Maintains the internal data protection register; and

f) Ensures the training on data protection.

6.11. Contact of the Internal Data Protection Agent: gdpr@actlegal-bk.com.
      

7. Enforcing the rights of data subjects (users)

7.1. In carrying out its data processing activity, the Data Controller ensures enforcing the rights of data subjects in accordance with the provisions of the GDPR, the Info Act and the LPA.

7.2. Data subjects may ask the Data Controller for access to the personal data concerning them, their rectification, erasure and, in certain cases, restriction of the processing of the data and object to the processing of personal data. Data subjects also have the right to data portability or submit a complaint to the supervisory authority and the right to redress.

7.3. Where processing is based on consent, the data subject also has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

7.4. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, be granted access to the personal data and the following information:

a) Purposes of the data processing;

b) Categories of the personal data concerned;

c) The recipients or categories of recipients to whom or which your personal data were disclosed or will be disclosed, including in particular third country recipients or international organizations;

d) Where applicable, the planned duration of storage of the personal data, or if it is not possible, the criteria for the definition of such period;

e) The right of the data subject to request from the Data Controller the rectification, erasure or restriction of the processing of his or her personal data, and to object to the processing of his or her personal data;

f) The right of submitting complaints addressed to the supervisory authority;

g) If the data was not collected from him or her, all available information regarding their source.

7.5. The Data Controller provides the requested information as soon as possible after the submission of the request and at the latest within 30 days in a clearly understandable form, in writing if so requested by the data subject. The information will be provided free of charge if the person requesting it has not yet submitted any request for information in relation to the same dataset during the year in question.

 

The Data Controller draws attention to the fact that it may identify the data subject before fulfilling the data subject’s request in order to prevent the supply of data to unauthorized persons or the fulfilment of unauthorized requests (e.g. for data erasure).

 

7.6. Where the request of the data subject is manifestly unfounded or excessive (in particular because of its repetitive character), the Data Controller may, having regard to the administrative costs of providing the information or communication, or taking the action requested:

a) Charge a reasonable fee, or

b) Refuse to act on the request.

The Data Controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

7.7. On request, the Data Controller shall provide the Data Subject with one copy of the processed personal data. For any additional copies requested by the data subject, the Data Subject may charge a reasonable fee based on the administrative costs, which is 100 HUF, that is one hundred HUF + VAT per page. If the data subject submitted the request electronically, the requested information will be made available in widely used electronic format, unless the data subject expressly requested otherwise. Unless the data subject expressly requested otherwise, the Data Controller makes the information available in PDF format.

7.8. Data subjects are entitled to have the data controller rectify their incorrect personal data without delay. Taking into account the purpose of the data processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

7.9. In accordance with Article 17 GDPR, the data subject has the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay. Instead of erasure, the Data Controller must block the personal data if it can be assumed on the basis of available information that erasure would harm the legitimate interests of the data subject. Personal data blocked in this manner may only be processed for as long as the purpose of data processing that excluded the deletion of personal data prevails.

 

In some cases, retaining the personal data of the data subject for a specific period is required by the law while, in other cases, it is necessary to retain them for the enforcement of our legal claims. If there is any obstacle to erasing your personal data, the Data Controller will notify the data subject thereof in detail.

 

7.10. The data subject has the right to obtain from the Data Controller restriction of processing in accordance with Article 18 GDPR. During the restriction period, the Data Controller and its data processors, if any, must not use the personal data for any purpose other than storage.

 

The Data Controller may lift the data restriction ordered at the request of the data subject and resume data processing if the data subject expressly consents to it or it is necessary for important reasons of public interest set forth by the law. In such a case, the Data Controller will inform the data subject in advance.

 

7.11. The data subject has the right to object to the processing of his or her personal data under Article 21 GDPR.

 

Where the Data Controller indicated its legitimate interest as the legal basis for data processing, it may process the personal data despite the data subject’s objection if it is able to prove that the processing of the data is inevitably necessary or is essential for the enforcement of its legal claims. In such a case, the Data Controller will inform the data subject thereof in advance.
 

 

8. Special provisions on specific data processing

8.1. Data processing on the Website

Anyone can access the Website and obtain information from the contents stored on the Website and from the Website and the sites linked to it freely and without restriction without disclosing his or her personal data or revealing his or her identity.

Unless otherwise stated, the contents of the Website are owned by and the copyrighted intellectual property of the Data Controller. The Data Controller reserves all rights in this regard.

The content of the Website does not, in any case, constitute direct legal advice, but is placed by the Data Controller for information purposes only and excludes its liability in this regard. The Data Controller also excludes liability for any damage arising from the downloading or unavailability of the Website. Content downloaded by following any external link found on the Website is not under the influence of the Data Controller. The Data Controller excludes any liability in respect of the contents of offers, advertisements and information contained on the Website.

8.2. Use of cookies

The Data Controller uses the data generated while anonymously visiting the Website solely for the technical operation of the Website, for statistical purposes, to increase the security of the system, to ensure better and high-quality user experience and to send the Newsletter and improve the Website. These data are not considered personal data, and are not linked by the Data Controller with personal data; these data are not accessible by the public and cannot, in themselves, identify the person of the visitor.

The Data Controller uses so-called cookies to collect profile data and status data (e.g. IP address, browser type, date and time of visit, visited sites, sub-site, feature or service used, etc.). The use of cookies operated by the Website requires the prior informed consent of the data subjects within the meaning of Section 155 (4) of Act C of 2003 on electronic communications.

Cookies can be disabled in the browser used by the visitor.

8.3. Processing the data of newsletter subscribers

The Data Controller sends a Newsletter relating to its activities to the persons subscribing to it. The Newsletter can be subscribed to on the Data Controller’s Website. The purpose of processing is to provide periodic information to the existing and potential clients about changes in legislation, legal curiosities and useful legal information. The Data Controller uses the name and e-mail addresses of the data subject in this regard.

The Data Controller stores the personal data electronically until the data subject unsubscribes, but at the latest until the Data Controller terminates.

Data subjects (users) may unsubscribe from the Newsletter for free without any restriction or giving a reason. They can do so by sending the Data Controller a request for erasure (by e-mail or post). In this case, the Data Controller will no longer send Newsletters to the user.

8.4. Managing contact data

All users can contact the Data Controller at all the public contacts of the Controller and by using the “Contact Us” menu item on the Website.

When making contact, the data subject decides on the processing of the personal data he or she disclosed. The legal basis of processing is provided by the data subject by voluntarily disclosing, based on prior consent, his or her data to the Data Controller for the purposes of communication.

By sending the message, the Users that use the “Contact Us” menu item give voluntary, clear and explicit consent to the Data Controller processing their data electronically in the manner defined in the Info Act and the GDPR for up to 1 year from the date of making the contact.

By using the “Contact Us” menu item, users expressly consent to the Data Controller using their name, e-mail address and other personal data disclosed when making contact, telephone contact and the description of their case for the purpose stated when making the contact.

8.5. Data processing for business communication

In addition to client information, the Data Controller also processes and collects, both on paper and electronically, the contact information (telephone number, e-mail address) and additional data shown on the business card (company name, position) of other persons for the purpose of business networking based on the voluntary consent of the data subjects.

8.6. Sending materials related to professional events

The Data Controller regularly organizes professional events for the clients and other business partners and invited guests with which it maintains relations. Based on the prior, voluntary, express and unambiguous consent of the data subjects, it sends invitations to such professional events and subsidiary materials and processes and keeps records of the name, telephone number, e-mail address and company name of the data subjects for that purpose.

 

9. Rights and remedies relating to data processing

9.1. Data subjects (users) have the right to obtain from the Data Controller: (a) information on the processing of their personal data, (b) rectification of their personal data, and (c) erasure or blocking of their personal data, except for any mandatory data processing.

9.2. If the data subject (user) believes his or her right to protection of personal data has been breached in the course of processing by the Data Controller, he or she may seek remedy from the competent bodies in accordance with the relevant legislation, that is:

a) He or she may submit a complaint to the National Authority for Data Protection and Freedom of Information (Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/ C; www.naih.hu), or

b) turn to the court.

9.3. A detailed description of the rights and remedies relating to data processing is contained in the Info Act and the GDPR.

 

10. Data processing

10.1. In processing personal data, the Data Controller does not make the personal data accessible by third parties without the consent of the data subjects, unless the data transfer is required by a legal requirement governing the Data Controller. The Data Controller informs the data subjects in advance of the use of a data processor.

10.2. The data protection obligations of the natural or legal person engaged in data processing activity on behalf of the Data Controller, if any, are laid down in the agency contract made with the data processor. The Data Controller uses only data processors who/that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure compliance with the requirements of data processing and the protection of data subjects’ rights. The data processor may not engage another data processor without the prior occasional or general written authorization of the Data Controller.

10.3. The data processor processes the data according to instructions from the Data Controller and must always act in accordance with instructions from the Data Controller while performing the processing. The data processor may not make a decision on the merits regarding the personal data it becomes aware of. The data processor is not authorized to perform data processing for its own purposes. During the data processing, the employees of the data processor may come to know the data, but neither the data processor nor its employees may transfer the data to third parties.

10.4. The Data Controller may transfer the data processed to the data processor identified in this Section for the purpose of operating the Website:

 

Name of data processor | Contact | Processing activity
Száray Lőrinc | carpoon@carpoon.hu | Website operation and maintenance
Pro Business Kft. | adatvedelem@probusiness.hu | Website operation and maintenance
EsterCom Kft. | szorenyi.roland@estercom.hu | Website operation and maintenance

 

10.5. The personal data of data subjects (name and e-mail address) are transferred to a data processor for sending Newsletters. Personal data are typically stored and transferred digitally, to which the data processor engaged in the sending of Newsletters necessarily has access:

 

Name of data processor | Contact | Processing activity
Mailchimp | www.mailchimp.com | Sending newsletters

 

11. Handling of personal data breaches

11.1. The Controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, except if able to prove, in accordance with the principle of accountability, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

11.2. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller informs the data subject of the personal data breach without undue delay.

11.3. It is not necessary to inform the data subject if any of the following conditions are met:

a) The Data Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access them;

b) The Data Controller took subsequent measures following the personal data breach that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialise;

c) The information would involve a disproportionate effort. In such a case, there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

12. Amendment of the Policy

12.1. The Data Controller reserves the right to modify this Policy in accordance with current legislation.

12.2. If an amendment to the Policy concerns the processing of the personal data of the users of the Website in any manner, the Data Controller informs the data subjects (users) of the changes by e-mail. If, due to an amendment of the Policy, the details of data processing also change, the Data Controller will again ask for the data subject’s (user’s) consent to the continued processing of his or her data.

 

13. Other issues

Matters not regulated in this Policy are governed by the Info Act and the GDPR, as well as the current laws in force from time to time.

 

25 May 2018
Dr. Bán Gergely Law Firm
Data Controller

1117 Budapest, Alíz u. 1.
Office Garden A épület 5. emelet
