PRIVACY POLICY
For clients and partners
The Karsai Dániel Law Office wants to ensure that the personal data which it handles is processed in a lawful manner. Accordingly, it wishes to inform its clients and partners (data subjects) about how it handles the personal data which they disclose to it. The aim of this Privacy Policy is to give you, before you disclose your personal data, appropriate information on the conditions and guarantees applicable to the handling of your data, and on how long the Karsai Dániel Law Office handles it.
1. Processor
Name: Karsai Dániel Law Office
Headquarters: 1056 Budapest, Nyáry Pál utca 10.
Registration number: 3714
Website: https://www.drkarsai.hu (hereinafter: “Website”)
Email address: karsai.daniel@drkarsai.hu
Telephone number: +36-30-363-41-78
Represented by: Dr Dániel András Karsai
(hereinafter: “Processor”)
2. Applicable legislation
Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Regulation (EC) No 95/46 (GDPR);
Act CXII of 2011 on information self-determination and freedom of information;
Act V of 2013 on the Civil Code;
Act C of 2000 on accounting (“the Accounting Act”);
Act CL of 2017 on taxation;
Act XLVIII of 2008 on the basic conditions and certain restrictions applying to commercial advertising activities;
Act CVIII of 2001 on e-commerce services and on certain issues related to services in an information society;
Act LXXVIII of 2017 on the activities of attorneys (“the Attorney Act”);
Act LIII of 2017 on the prevention and countering of money laundering and the financing of terrorism (“the Money Laundering Act”).
3. Purpose of data processing, scope of personal data handled, legal basis and duration of processing
3.1 Data processing on website
Anyone may, by providing their personal data, and without disclosing their identity, have access to the Website maintained by the Processor, and may have free and unrestricted access to the information on the Website and to any content stored thereupon.
Some of the links appearing on the Website may lead to websites operated by others. The Processor does not assume any liability whatsoever for the content of the latter, or for any damages resulting from the use of information found on these sites.
With the help of Google Analytics, the Website automatically collects anonymous information about visitors. To this end, it sends cookies and saves them on the computers of visitors, which visitors then send back to the Website on subsequent visits. However, no personal information can be gained from these data. For more information on the activities of Google Analytics, see: https://policies.google.com/privacy
For more information on browser settings for cookie preferences, see the following pages:
Internet Explorer
Firefox
Chrome
Safari
3.2 Contact
Activity performed by the processor: handling of personal data disclosed when contact is first established
Purpose of data processing: to establish and maintain contact
Legal grounds for data processing: consent by the data subject [GDPR Article 6 (1) a)], as well as taking steps at the request of the data subject prior to entering into a contract for data processing [GDPR Article 6 (1) b)].
Persons who have not yet reached 16 years of age may only give consent to data processing via the persons exercising parental rights in their regard or through the consent of the latter.
Scope of data subjects: Natural persons establishing contact with the Processor by email or telephone, or by sending a message from the “Contact Us” menu point on the Website
Personal data processed: name (given and family names), place and date of birth, residential address, telephone number, other data disclosed when contact was established, the description of the case at bar and information, documents and electronic documents for its resolution.
The Processor may not use the personal data disclosed, nor permit it to be used by others, for any purposes other than those specified above. The prior and explicit consent of the data subject is required for the release of personal data to a third person or to government authorities, unless otherwise stipulated by law.
Duration of data processing: until the purpose of establishing contact is fulfilled or until the contract for services with the person initiating contact is signed
Controllers:
Name | Headquarters | Controlling task
Mozilla Corporation | 331 E. Evelyn Ave, Mountain View, CA 94041 | Online storage provider (operation of email system)
ITEX SOLUTIONS KFT. | 1044 Erdősor u. 2, 2. Emelet 11. | Technical support services (provision of system administration and system management services)
Rights of data subjects: in accordance with the provisions of section 4, data subjects
a) may request information with regard to the processing of their personal data, and access to these personal data,
b) may request their correction,
c) may request their deletion,
d) may request a restriction on the handling of personal data,
e) may object to the handling of personal data,
f) may exercise the right to data portability. In accordance with the latter right, the data subject is entitled to receive the personal data related to him or her, and is entitled to request that the Processor forward these data to another processor.
g) have the right to legal remedy. Data subjects may file a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: “NAIH”) or with the court having jurisdiction.
3.3 Blog sending
Activity performed by the processor: The Processor handles the data of Blog subscribers
Purpose of data processing: to provide Blog subscribers with regular information on new blog posts
Legal grounds for data processing: consent by the data subject [GDPR Article 6 (1) a)]
Persons who have not yet reached 16 years of age may only give consent to data processing via the persons exercising parental rights in their regard or through the consent of the latter.
Scope of data subjects: natural persons having subscribed to the Processor’s Blog
Personal data handled: name (given name and family name), email address
The Processor may not use the personal data disclosed, nor permit it to be used by others, for any purposes other than those specified above. The prior and explicit consent of the data subject is required for the release of personal data to a third person or to government authorities, unless otherwise stipulated by law.
Duration of data processing: until the date when the data subject unsubscribes from the Blog
Controller:
Name | Headquarters | Controlling task
ITEX SOLUTIONS KFT. | 1044 Erdősor u. 2, 2. Emelet 11. | Storage of newsletter sending list and operation of newsletter sending system
Rights of data subjects: in accordance with the provisions of section 4, data subjects
a) may request information with regard to the processing of their personal data, and access to these personal data,
b) may request their correction,
c) may request their deletion,
d) may request a restriction on the handling of personal data,
e) may object to the handling of personal data,
f) may exercise the right to data portability. In accordance with the latter right, the data subject is entitled to receive the personal data related to him or her, and is entitled to request that the Processor forward these data to another processor.
g) have the right to legal remedy. The data subject may file a complaint with the NAIH or with the court having jurisdiction.
3.4 Legal activities
Activity performed by the processor: provision of legal services (e.g. representation of clients, legal advisory services, drafting of documents)
Purpose of processing: performance of contract for services entered into with clients, fulfilment of legal obligations, including maintaining contact with clients and invoicing
Legal grounds for processing: necessity to perform a contract to which the data subject is a party [GDPR Article 6 (1) b)], as well as the performance of the legal obligations stipulated by Section 28 (3) of the Attorney Act, Section 1 (1) e), 6 and 7 of the Money Laundering Act, as well as Section 169 (1) and (2) of the Accounting Act [GDPR Article 6 (1) c)]
Scope of data subjects: the Processor’s clients
Personal data processed: name, permanent address, place of residence, mother’s maiden name, place and date of birth, email address, telephone number, citizenship, ID document (personal ID or passport) number, address card number, personal identifier, tax number, photograph, contact person and representative’s name, email address and telephone number, facts of case as given by the client (including the following: description of the case, and information, documents and electronic documents regarding means of resolution).
The Processor may not use the personal data disclosed, nor permit it to be used by others, for any purposes other than those specified above. The prior and explicit consent of the data subject is required for the release of personal data to a third person or to government authorities, unless otherwise stipulated by law.
Duration of data processing: five years following the termination of the contract; in the case of countersigned documents, ten years from the date on which they were countersigned; for cases related to real property rights, ten years from the date of registry of the right to the real property in the public registry [Section 53 (3) of the Attorney Act]. Where an invoice is issued, the duration of data processing shall be eight years from the date of the annual report, business report or accounting report for the given year.
Controllers:
Name | Headquarters | Controlling task
HRUVÁR Bt. | 2225 Üllő, Mező utca 30. | Accounting services provided by
ITEX SOLUTIONS KFT. | 1044 Erdősor u. 2, 2. Emelet 11. | Technical support services (provision of system administration and system management services)
Mozilla Corporation | 331 E. Evelyn Ave, Mountain View, CA 94041 | Online storage provider (operation of email system)
Rights of data subjects: in accordance with the provisions of section 4, and except for compulsory data processing, data subjects
a) may request information with regard to the processing of their personal data, and access to these personal data,
b) may request their correction,
c) may request their deletion,
d) may request a restriction on the handling of personal data,
e) may object to the processing of personal data,
f) may exercise the right to data portability. In accordance with the latter right, the data subject is entitled to receive the personal data related to him or her, and is entitled to request that the Processor forward these data to another processor.
g) have the right to legal remedy. The data subject may file a complaint with the NAIH or with the court having jurisdiction.
4. Rights of data subjects
The Processor shall ensure that the rights of data subjects are enforceable as follows.
The Processor shall provide data subjects with the possibility to submit a request in connection with the exercise of their rights as data subjects in the following ways: (i) by post, (ii) by email, and (iii) by telephone.
The Processor must respond to the data subject’s request without any undue delay, at the latest within one month of receipt of the request, in a concise, transparent, understandable and easily accessible format, expressed in clear non-technical language. If the Processor should decide to refuse this request, it must do so within the same time limit, and must in this case inform the data subject of the rejection of the request, the reasons therefor as well as the legal recourses open to the data subject.
As a general rule, the Processor shall respond to the data subject’s request via email. However, if the data subject specifically requests to be contacted by post or telephone and has provided relevant contact information, the Processor shall respond in kind. Response to the data subject’s request by telephone may only be given once the data subject has proven his/her identity. The Processor may not use the data subject’s postal address or telephone number for any other purpose.
The Processor may not charge any fees or demand any compensation for responding to data subject requests. If, however, the data subject submits another request regarding the same set of data within one year of a request that was already fulfilled, the Processor shall reserve the right to set a proportionate amount of compensation for the work required to fulfil said request.
a) Right to information and access:
The Processor must respond to the data subject’s request in a concise, transparent, understandable and easily accessible format, expressed in clear non-technical language, providing the following information:
whether any of his or her personal data are currently being processed by the Processor;
the name and contact information of the Processor;
whether data is being controlled, and the name and contact information of the controllers specified in sections 3.2-3.4, above;
the personal data and source of the data subject’s data that are being processed by the Processor;
the purpose and legal grounds for the processing of the personal data;
the duration of data processing;
the addressees or categories of addressees to whom the Processor has disclosed or will disclose the personal data, including in particular addressees in a third country or international organisations;
the consequences of data processing;
the rights of the data subject;
the circumstances, effect and measures taken to counter any personal data breach that may have occurred.
Even in the absence of a request by the data subject, the Processor shall provide information (by email) to the data subject of any substantial changes to the original information provided, and of the circumstances, effect and measures taken to counter any personal data breach that may have occurred.
b) Right to rectification:
At the request of the data subject, the Processor shall correct any inaccurate personal data relating to the data subject.
The Processor shall inform all addressees of the correction to whom it has disclosed the personal data, except if this proves impossible or requires disproportionate effort. At the request of the data subject, the Processor shall inform the data subject of the addressees.
c) Right to erasure:
At the request of the data subject, the Processor shall delete any personal data connected to the data subject, if any of the following conditions are present:
the personal data are no longer needed for the purpose for which they were collected or processed in any other manner;
the data subject objects to the data processing;
the Processor unlawfully processed the personal data;
under applicable EU or Hungarian law, the Processor has an obligation to delete the personal data.
The Processor shall inform all addressees of the deletion to whom it has disclosed the personal data, except if this proves impossible or requires disproportionate effort. At the request of the data subject, the Processor shall inform the data subject of the addressees.
d) Right to restriction of processing:
At the request of the data subject, the Processor will restrict processing, if any of the following occur:
the data subject disputes the accuracy of the personal data – in this case, the restriction applies to the duration of processing, thereby permitting the Processor to verify the accuracy of the personal data;
processing is unlawful, but the data subject objects to the erasure of data, and instead requests the restriction of their use;
the Processor no longer needs the personal data for processing purposes, but the data subject requests the latter for the purpose of asserting, enforcing or defending legal claims.
The Processor shall inform all addressees of the restriction to whom it has disclosed the personal data, except if this proves impossible or requires disproportionate effort. At the request of the data subject, the Processor shall inform the data subject of the addressees.
e) Right to data portability:
At the request of the data subject, the Processor shall place all personal data relating to the data subject and disclosed by the latter at the disposal of the data subject. The Processor further agrees that the data subject may forward these personal data to another processor without any interference on the part of the Processor.
f) Right to a judicial remedy:
Insofar as the data subject believes that, in the course of data processing, the Processor has violated his or her right to the protection of personal data, the data subject may avail himself or herself of the statutory judicial remedies offered by the competent legal authorities, or may file a complaint with the NAIH (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.; postal address: 1530 Budapest, Pf.: 5.; website: www.naih.hu; email address: ugyfelszolgalat@naih.hu; telephone number: +36-1/391-1400), or may file a claim with the competent tribunal. The Processor agrees to, in the course of these proceedings, cooperate in every respect with the tribunal in question or the NAIH, and to deliver to the tribunal in question or the NAIH any data related to the data processing.
The Processor further agrees that it shall have the obligation to provide compensation for any damages caused by the unlawful processing of the personal data, or for any processing conducted in violation of data security requirements. In the event that the right of a data subject has been violated, the data subject may make a claim for damages. The Processor shall be relieved from liability in the event that these damages were sustained as a result of an unavoidable cause falling outside of the control of the processing, or if the damage or the injury caused by the violation of a personality right was due to the intentional or gross negligence of the data subject.
5. Miscellaneous provisions
The Processor agrees that it shall have the obligation to ensure that, in connection with its activities, all its data processing complies with the present Privacy Policy, the internal regulations of the Processor – based on requirements identical to those in this Privacy Policy – as well as the requirements stipulated by legislation currently in force.
The Processor shall reserve the right to make changes to this Privacy Policy at any time, but shall be bound to inform data subjects of any changes on its Website.