Legal notice

Privacy Notice

Effective from 15 February 2024

This is an English-language courtesy translation of the Hungarian original. In the event of any discrepancy, the Hungarian version shall prevail.

Dr. Zoltán Puskás Law Office (registered office: 5 Vörösmarty Square, 2nd Floor, Budapest 1051, Hungary; hereinafter: the Controller) processes the personal data of its clients in connection with its legal engagements in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: GDPR) and Act CXII of 2011 on the Right to Informational Self-Determination and on Freedom of Information (hereinafter: Info Act), as set out below.

1. The Controller

Name
Dr. Zoltán Puskás Law Office
Registered Office
5 Vörösmarty Square, 2nd Floor, Budapest 1051, Hungary
Registered by
Budapest Bar Association
Bar registration no.
36067500
Tax number
18259058-2-41
E-mail
zoltan.puskas@avocat.hu
Telephone
+36 20 33 11 668
Representative
Dr. Zoltán Puskás, attorney-at-law

2. Client identification and related record-keeping obligations

Categories of personal data:

  • natural person identification data;
  • nationality, statelessness, refugee, immigrant, settled or EEA-national status;
  • address, facial image, signature;
  • data specified in Section 18(5) of Act LXVI of 1992 on the register of personal data and addresses of citizens;
  • data specified in Section 24(1)(f) of Act XII of 1998 on travelling abroad and the validity period of the document;
  • data specified in Section 8(1)(b)(ba)–(bb) of Act LXXXIV of 1999 on the register of road traffic;
  • data specified in Acts I and II of 2007 (on free movement/residence and on the entry and stay of third-country nationals);
  • number of identification documents and of the address card;
  • personal identification number, tax identification number.

Data subjects: the Controller's natural person clients whose identification is required by law.

Purpose: compliance with the client identification obligation prescribed by Act LXXVIII of 2017 on the legal profession and by the 2017 Act on the prevention and combating of money laundering and the financing of terrorism.

Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).

Retention: 10 years from the termination of the business relationship or the completion of the mandate.

3. Processing related to the legal engagement agreement

Categories of personal data (natural person clients):

  • natural person identification data, ID document number, personal ID card number, address card number, tax number, tax ID;
  • e-mail address, telephone number, address;
  • internal case reference number assigned by the law office, subject of the case;
  • court case numbers and file numbers of other proceedings related to the case.

Data subjects: natural person clients.

Purpose: compliance with the record-keeping and document-retention obligations under Sections 33 and 53 of Act LXXVIII of 2017 on the legal profession.

Legal basis: compliance with a legal obligation to which the Controller is subject (Art. 6(1)(b) GDPR).

Retention:

  • Data in the case register and identification register: 8 years after termination of the engagement.
  • Personal data linked to engagements not requiring identification: until the 5th year after termination of the engagement agreement.
  • In case of counter-signing a deed: 10 years from the counter-signature.
  • In matters affecting the registration of rights in respect of real estate in the public register: 10 years from registration of the right.
  • Electronic deeds: 10 years (unless a longer retention period was agreed with the client).
  • Counter-signed paper documents converted to electronic form: 5 years (unless a longer retention period was agreed with the client).

4. Contact persons of corporate clients

Categories of personal data: name, telephone number, e-mail address, name and address of the employer.

Data subjects: contact persons of legal-entity clients.

Purpose: establishing, maintaining and terminating the contractual relationship with legal-entity clients.

Legal basis: the Controller's legitimate interest in being able to communicate with its corporate clients for the purposes of the engagement, and in being able to prove the content of the engagement's performance until the limitation period expires (Art. 6(1)(f) GDPR).

Retention: 5 years from the termination of the business relationship or the completion of the mandate.

5. Processing related to issued invoices

Categories of personal data: name, address, bank account, tax identification number.

Data subjects: natural person clients.

Purpose: compliance with tax and accounting obligations.

Legal basis: compliance with a legal obligation (Act CL of 2017 on the rules of taxation; Act C of 2000 on accounting) — Art. 6(1)(c) GDPR.

Retention: 8 years following the year of issuance of the invoice or of the document evidencing its payment.

6. Whistleblowing-lawyer activity

Data subjects: the reporting person; the person whose conduct or omission gave rise to the report; and any person who may have substantive information about the report.

Purpose: operating the internal whistleblowing system established by the employer and investigating the reports submitted through it.

Legal basis: compliance with a legal obligation to which the Controller is subject (Art. 6(1)(b) GDPR); Act XXV of 2023 on complaints, public-interest reports and rules relating to reports of abuses.

Retention: 5 years following the termination of the engagement.

7. Recipients and data transfers

  • Invoices are transferred by the Controller to its accounting service provider (acting as a processor); the Controller has entered into a prior agreement with the accounting firm expressly drawing attention to the duty of legal-professional secrecy.
  • Investigated reports are forwarded to the recipients designated by law in accordance with Act XXV of 2023.

8. Security measures

The Controller and its processors keep the personal data of data subjects confidential and comply with the applicable data-protection legislation. The Controller ensures that no unauthorised person can access the data of the data subject and applies reasonable physical, electronic and administrative safeguards against unauthorised access, alteration, transmission, disclosure, deletion or destruction, and against accidental loss or damage.

Paper documents are kept in a physically lockable location; the storage location is protected by an alarm system. Digitally stored data is password-protected and its systems are protected by a firewall and antivirus software. Only authorised persons may access the data.

The Controller takes all necessary precautions to ensure that its employees, associates, contractual partners and processors handle the data in accordance with this notice and applicable data-protection legislation, and that they undertake a duty of confidentiality.

9. Rights of data subjects

9.1. Right to information and access

The data subject may request information — in writing or by e-mail — as to whether personal data concerning them is being processed and, if so, which data, on which legal basis, for what purpose, from which source, for how long, and to whom it has been disclosed. The Controller shall reply within 30 days at the latest.

9.2. Right to rectification

The data subject may request the rectification of inaccurate data or completion of incomplete data; the Controller shall reply within 30 days at the latest.

9.3. Right to erasure ("right to be forgotten")

The data subject may request erasure of their personal data without undue delay where, among other things, the data is no longer necessary; consent has been withdrawn and there is no other legal basis; the data subject objects and there is no other lawful ground; the processing was unlawful; erasure is required by a legal obligation applicable to the Controller.

9.4. Right to restriction of processing

The data subject may request restriction of processing where they contest the accuracy of the data; the processing is unlawful but the data subject opposes erasure; the Controller no longer needs the data but the data subject requires it for the establishment, exercise or defence of legal claims; or the data subject has objected to the processing.

9.5. Right to data portability

Where processing is based on consent or on a contract and is carried out by automated means, the data subject has the right to receive the personal data they have provided in a structured, commonly used, machine-readable format and to transmit it to another controller.

9.6. Right to object

The data subject may at any time object to the processing of their personal data based on legitimate interest. In such case, the Controller shall no longer process the data, unless it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or which relate to the establishment, exercise or defence of legal claims.

9.7. Enforcement

If unlawful processing is observed, it is advisable to first contact the Controller. The data subject may then lodge a complaint with the supervisory authority or initiate court proceedings.

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

Registered office: 9–11 Falk Miksa Street, Budapest 1055, Hungary

Postal address: 1363 Budapest, Pf. 9, Hungary

E-mail: ugyfelszolgalat@naih.hu

Telephone: +36 (1) 391-1400 · Fax: +36 (1) 391-1410

Website: www.naih.hu

In the case of unlawful processing, the data subject may also bring a civil action, which — at the data subject's choice — may be initiated before the regional court of their place of residence. Contact details of the regional courts: birosag.hu/torvenyszekek.

Budapest, 15 February 2024.