Privacy Policy
Dr. Németh Samu Individual Lawyer (“Data Controller”), as the data controller, processes the personal data of natural persons (“Data Subjects”) involved with the lawyer’s retainer agreement (“Retainer Agreement”) and other agreements (“Other Agreements”) (collectively referred to as “Agreements”), or those who come into contact with the Data Controller for other purposes. This also applies to personal data of representatives or contact persons (“Contacts”) of legal entities dealing with the Data Controller, in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Infotv.”), and other relevant laws listed in section 2.
The terms used in this privacy policy, defined in the GDPR, have the same meanings as given in the GDPR.
2. APPLICABLE LAWS
The Data Controller’s data processing activities are based on the following laws:
a) GDPR (EU) 2016/679,
b) Infotv. (Act CXII of 2011),
c) Act LXXVIII of 2017 on the Legal Profession,
d) Act LIII of 2017 on the Prevention of Money Laundering and Terrorist Financing (“Pmt.”),
e) Act XCII of 2003 on the Rules of Taxation,
f) Act CXXVII of 2007 on Value Added Tax.
3. DATA CONTROLLER
Name: Dr. Németh Samu Individual Lawyer
Address: 1132 Budapest, Váci út 28. I. em. 5.
Phone: +36 70 451 4204
Email: samu@nemeth.law
Website: www.nemeth.law
4. DATA PROCESSING RELATED TO CONTRACT CONCLUSION AND FULFILLMENT
The purpose of the Data Controller’s data processing is to conclude and fulfill the Agreement, verify rights and obligations related to the Agreement, enforce related legal claims, and maintain contact regarding the performance of the Agreement.
Personal data processed for individual contracting parties: Name, Address, Tax identification number, Mailing address, Phone number, Email address, Additional personal data related to the performance of the Agreement.
Personal data processed for Contacts of contracting parties: Name, Type of representation/position/job title, Phone number, Email address, Additional data related to representation.
The legal basis for data processing for individual contracting parties is to take steps at the request of the data subject prior to entering into a contract and to perform the contract during its term. The legal basis for processing the Contacts’ data is the legitimate interest of the Data Controller to verify representation and maintain contact in relation to concluding and fulfilling the Agreement. Contacts have the right to object to this data processing.
If no contract is concluded, the Data Controller processes the personal data obtained in relation to the failed contract or after the termination of the contract based on its legitimate interest. The Data Controller’s legitimate interest is to be able to verify the adequacy of its procedures in case of non-conclusion or post-termination disputes.
Data retention period: If the contract is not concluded, the Data Controller retains the data for the period during which a claim related to the failed contract can be enforced, but at least for 5 years after the failure or the end of any related legal dispute. For concluded contracts, data is retained for the period during which a claim related to the contract can be enforced, but at least for 5 years after the contract’s termination or the end of any related legal dispute.
5. DATA PROCESSING DURING NON-CONTRACTUAL CONTACT
For individuals who contact the Data Controller but are not contracting parties or their Contacts, the Data Controller processes their personal data (e.g., name, contact details) provided by them or third parties for the purpose of establishing and maintaining contact based on legitimate interest. The legitimate interest of the Data Controller is to establish and maintain contact with the individuals. Individuals may object to this data processing.
Data retention period: Personal data processed for this purpose is retained until the termination of the contact by the Data Controller or until the data subject requests deletion or objects to the processing, unless the contact is related to enforceable claims, in which case data is retained for 5 years after the contact ends or after the resolution of any related legal dispute.
6. DATA PROCESSING RELATED TO LEGAL OBLIGATIONS
The Data Controller processes personal data of individual contracting parties, Contacts, and actual beneficial owners as defined by law to fulfill legal obligations related to Agreements.
Legal Basis: The legal basis for data processing is GDPR Article 6(1)(c) (compliance with a legal obligation).
Tax and Accounting-Related Data Processing:
According to VAT Act § 179, the Data Controller processes documents and related personal data necessary to ensure the completeness and accuracy of tax assessment until the right to assess tax expires.
According to Act XCII of 2003 § 78(3): To fulfill the legal obligation, the Data Controller processes documents and related personal data necessary to ensure the completeness and accuracy of tax assessment until the right to assess tax expires. For deferred tax, data is processed for 5 years from the end of the calendar year of the due date, and for legal disputes, for 5 years after resolution.
Client Identification-Related Data Processing:
According to the Legal Profession Act § 32(1), the Data Controller identifies individual clients and Contacts when concluding the Agreement, except for legal advice retainer agreements.
According to Legal Profession Act § 33(7): The Data Controller verifies client data against registered data and checks the validity of documents through electronic inquiries from various official registries. Data is retained for 8 years from the completion of the business relationship or up to 10 years for investigations by authorities.
Personal Data Processed:
– Natural person identification data
– Nationality, stateless status, refugee, immigrant, settled, or EEA citizen status
– Address
– Image
– Signature
– Facts related to documents (e.g., issuance, validity, loss, exchange)
– Registration or residence permit document number, type, validity, and extension
– Lost or stolen travel document, identity card, and residence permit type, ID, and reporting date
– Issued visa number, validity, and territorial scope
– Issued residence permit and mobility permit number, serial number, and validity
Client Records:
For mandatory legal representation cases under the Agreement, the Data Controller maintains a client record for 8 years from the completion of the business relationship or up to 10 years for investigations by authorities, based on Legal Profession Act § 33(1) and § 33(2).
Personal Data Processed:
– Natural person identification data
– Address
– Nationality, stateless status, refugee, immigrant, settled, or EEA citizen status
– ID document type and number used for identification
– Response identifier received during data requests
– Case ID for mandatory identification cases
– Data specified by the Pmt.
Case Records:
According to Legal Profession Act § 33(7), the Data Controller maintains case records for 5 years after the termination of the Agreement, 10 years for notarized documents, or 10 years from the registration of property rights, based on Legal Profession Act § 53(2) and § 53(3).
Personal Data Processed:
– Case ID generated by the lawyer
– Client name
– Case subject
– Date of Agreement conclusion
– Court case number or other procedure registration number related to the case
Notarized Documents Data Processing:
According to Legal Profession Act § 53(5), the Data Controller retains notarized documents and related documents created under the Agreement for 10 years from notarization unless otherwise specified by law or agreed upon by the parties.
Anti-Money Laundering and Terrorism Financing Data Processing:
According to Pmt. § 6, the Data Controller conducts client due diligence and processes personal data as specified by Pmt. § 7(2) and § 8(2) to prevent and combat money laundering and terrorism financing.
For verifying identity, the Data Controller copies documents containing the aforementioned data, except for the side of the address card containing the personal identification number. The Data Controller retains paper copies of the data obtained during due diligence and records the fact of due diligence in writing within the case files. Responses from central registers are retained separately from the case files in paper form, while responses to requests are stored electronically, and data required by Pmt. § 57 is recorded in the Data Controller’s records.
Data Retention Period: According to Pmt. § 56(2), data is retained for 8 years from the date of recording for one-time engagements or from the termination of the business relationship for continuous engagements. According to Pmt. § 58(1), data requested by supervisory authorities, financial intelligence units, investigative authorities, prosecutors, and courts are retained for the duration specified in the request but no longer than 10 years from the termination of the business relationship or completion of the transaction.
If data subjects do not consent to the recording of the data or do not provide the data, the Data Controller will refuse to cooperate.
Personal Data Processed:
– Full name of clients, their authorized representatives, and actual beneficial owners
– Birth name
– Nationality
– Place and date of birth
– Mother’s birth name
– Address or residence
– ID document type and number
7. RECIPIENTS AND CATEGORIES OF RECIPIENTS OF DATA
The Data Controller involves data processors for operational support and transfers necessary personal data for fulfilling their tasks.
Data processors:
– Silicon Direct Zrt. (address: 2030 Érd, Bagoly utca 102) provides IT services for operational support.
Data processors act under a written agreement with the Data Controller and process personal data only based on the Data Controller’s instructions and for the specified purposes.
The Data Controller ensures that data processors provide adequate guarantees for compliance with GDPR and the protection of personal data.
Data transfer:
– The Data Controller is obligated to transfer personal data to institutions, authorities, and organizations as required by law. The Data Controller informs data subjects about such data transfers unless prohibited by law.
The Data Controller does not transfer data to third countries and does not engage in profiling.
8. DATA SECURITY MEASURES
The Data Controller takes all reasonable steps to prevent unauthorized access to personal data and the devices used for processing them. The Data Controller ensures the protection of personal data in compliance with GDPR through adequate physical and logical security measures for both paper-based and electronic data storage.
9. EXERCISING DATA SUBJECTS’ RIGHTS
According to GDPR Articles 15-22, data subjects may request access to, and rectification, erasure, or restriction of, their personal data processed by the Data Controller, and may object to the processing of such personal data. Data subjects also have the right to data portability.
Data subjects can exercise their rights by submitting a request to the Data Controller’s mailing address or email address provided in this privacy policy. The Data Controller may request additional information for verification if there are reasonable doubts regarding the identity of the requesting data subject.
The Data Controller responds to data subjects’ requests without undue delay and at the latest within 1 month of receipt. This period can be extended by 2 months if necessary, considering the complexity and number of requests. The Data Controller informs the data subject about the extension and reasons for the delay within 1 month of receiving the request.
If the Data Controller does not take action on the request, it informs the data subject within 1 month of receipt about the reasons for not taking action and the possibility of filing a complaint with a supervisory authority and seeking judicial remedy.
The Data Controller provides measures taken in response to data subjects’ requests free of charge. If the request is manifestly unfounded or excessive, especially due to its repetitive nature, the Data Controller may charge a reasonable fee or refuse to act on the request.
10. SUMMARY OF DATA SUBJECTS’ RIGHTS
Right of access: Data subjects have the right to obtain confirmation from the Data Controller as to whether their personal data is being processed. Upon request, the Data Controller provides a copy of the processed personal data and information specified in GDPR Article 15 (e.g., purpose of processing, categories of data, recipients, retention period).
Right to rectification: The Data Controller rectifies inaccurate personal data concerning the data subject without undue delay upon request.
Right to erasure (“right to be forgotten”): The Data Controller deletes personal data upon request or on its own initiative without undue delay if any of the conditions in GDPR Article 17 are met. If the data subject requests the deletion of publicly disclosed personal data, the Data Controller takes reasonable steps to inform other data controllers about the deletion request.
Right to restriction of processing: The Data Controller restricts processing upon request under the conditions specified in GDPR Article 18. If processing is restricted, personal data is only processed with the data subject’s consent or for legal claims or the protection of another’s rights or for important public interest.
Right to data portability: In accordance with GDPR Article 20, the Data Controller provides the personal data concerning the data subject in a structured, commonly used, and machine-readable format upon request, and transmits the data to another data controller if technically feasible.
Right to object: Data subjects may object to the processing of their personal data based on legitimate interest at any time, under GDPR Article 21. The Data Controller ceases processing unless there are compelling legitimate grounds for processing that override the data subject’s interests, rights, and freedoms, or for legal claims.
11. LEGAL REMEDIES
The Data Controller strives to ensure that personal data processing is lawful and secure. For any issues, it is recommended to contact the Data Controller directly for prompt resolution before seeking other remedies.
Data subjects have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) (address: 1055 Budapest, Falk Miksa u. 9-11; www.naih.hu, email: ugyfelszolgalat@naih.hu) or the supervisory authority of their usual place of residence, workplace, or the location of the alleged infringement if they believe their personal data processing violates GDPR. If the supervisory authority does not handle the complaint or does not inform the data subject within 3 months about the progress or outcome of the complaint, the data subject has the right to judicial remedy.
Data subjects can also seek judicial remedy. They can choose to bring the case before the court of the EU member state where the Data Controller operates or where the data subject has their habitual residence. In Hungary, the case can be brought before the court of the data subject’s residence or habitual residence.