INFORMATION NOTICE ON DATA PROCESSING
1. Data Protection
1.1. The Service Provider, as the data controller (in this chapter, hereinafter: “Data Controller”) declares that in relation to this document and the assignment, it will comply with the compulsory provisions of the effective data protection regulations – especially the effective Act on Information and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”) – and requires others to do the same to the extent under its scope of competence; the Service Provider will process the data of the Client – including the contact persons as the Data Subjects – confidentially, by protecting such data and by taking the necessary technical and organisational measures and developing the procedural rules required for enforcing the GDPR and other data protection and confidentiality regulations.
1.2. The Data Controller processes data primarily by paper-based processing and secondly, by machine processing, the location of which is the Service Provider’s registered seat in both cases. The types of personal data subject to processing may vary by assignment, by they primarily include the personal data of the Client indicated in this document and the annexes, as well as all other information the Service Provider receives and/or becomes aware of during the performance, which may cover the special data of the Client or other data subjects within the frameworks specified in the legal regulations and in this document.
1.3. The Data Controller may not transfer the personal data of the data subjects to third countries or international organisations (outside the European Union, non-EEA countries), except if the Data Subject has given his expressed consent, and under the terms specified in the written statement of the parties, with the safeguards complying with the provisions of the GDPR. This provision shall not apply to the cases described in Article 45 of the GDPR, pursuant to which if the recipient of the data transfer is a state and/or an international organisation having the Commission’s adequacy decision, no separate permit is required for the data transfer. On the day of signing this agreement, the following third countries have approved adequacy decisions: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Jersey, Canada, the Isle of Man, Switzerland, Uruguay, USA (Privacy Shield), New Zealand – in case of Japan and South Korea, the adequacy procedure is pending –.
1.4. The Service Provider informs the Client that the primary purpose of processing the personal data of the Client and third parties is to perform the assignment and the Client’s instructions together with all other operations directly related to the service, serving the Client’s interests, as well as to allow the Service Provider to comply with the relevant legal regulations – including the fulfilment of the decisions of persons, organisations, public bodies entitled to issue authority, court or other compulsory normative acts –.
1.5. Considering the foregoing, the legal basis of the Service Provider’s data processing is included in the following sections of Article 6 (1) of the GDPR:
a) – “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” –
b) – “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract” – ,
c) – “processing is necessary for compliance with a legal obligation to which the controller is subject” –
d) – “processing is necessary in order to protect the vital interests of the data subject or of another natural person” –
f) – ”processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”;
in case of special data, the following sections of Article 9 (2) of the GDPR apply:
a) – “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in Chapter II, Article 9, paragraph 1 may not be lifted by the data subject”,
f) – “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”,
g) – “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.
1.6. The Service Provider draws the attention of the Client to the fact that it is entitled and obliged to process the data which are not processed exclusively with reference to the legal basis specified in Article 6 (1) a) and Article 9(2) a) irrespectively of the Client’s assignment, even if the Client’s consent is withdrawn – and such data are part of lawful processing –.
1.7. The Service Provider collects the personal data related to the Client primarily from the Client – voluntary disclosure by the Client –, or from third parties – entitled to disclose such data on the basis of the Client’s consent and/or statutory authorisation. In any other cases – especially but not limited to, if the data source is a public register, court, authority or other data subjects – the Service Provider informs the Client in accordance with Article 14 (3) of the GDPR.
1.8. Duration of processing: for the duration of the assignment, and following this, pursuant to Section 53 of Act LXXVIII of 2017 on the professional activities of lawyers, the Service Provider shall process and keep the data received in relation to the assignment for five (5) years following the termination of the assignment, while in the case of documents and data subject to countersigning, for ten (10) years – in accordance with Article 6 (1) c) of the GDPR, while for special data, with Article 9 (2) g) of the GDPR –.
1.9. Duration of processing: until the duration of the assignment, and following this, pursuant to Sections 46 and 53 of Act LXXVIII of 2017 on the professional activities of lawyers, the Service Provider shall process and keep the data received in relation to the assignment for five (5) years following the termination of the assignment or for ten (10) years for electronic deeds, while in the case of documents and data subject to countersigning, for ten (10) years – in accordance with Article 6 (1) c) of the GDPR, while for special data, with Article 9 (2) g) of the GDPR –.
1.10. The Service Provider informs the Client that considering the closing sentence of section (91) of the preamble of the GDPR, no impact assessment has been carried out and no data protection officer has been appointed.
1.11. The Data Controller’s Data Protection Policy contains the detailed provisions of processing governing this assignment, and the Client and the other data subjects may request information on the processing of their data, may request the rectification and – except for processing required by law – the erasure of their data by contacting the Service Provider at the aforesaid contact details. The Service Provider shall provide free and easy to understand information in writing without delay, but no later than within fifteen (15) days.
The Client and other data subjects are entitled to have access to their personal data and the following information:
· Copy of the personal data (costs will be charged for more copies)
· Purpose of processing
· Data categories
· Data concerning automated decision-making and profiling
· Information concerning the source in case of data receipt
· Recipients, to whom the data have been/will be communicated
· Information and safeguards concerning data transfer to third countries
· Duration and aspects of data storage
· Rights of the data subjects
· Right to contact the authorities
1.12. The Client and the other data subjects may object to the processing of their personal data, especially
· if the processing or transfer of personal data is only required for the performance of a legal obligation of the Controller or for the enforcement of the legitimate interests of the Controller, the recipient or a third party, except for compulsory processing;
· if the processing or transfer of the personal data is required for direct marketing, opinion polls or scientific research; and
· in other cases specified by law.
The Controller shall assess the objection as soon as possible, but within fifteen (15) days at the latest following the request, it shall make a decision whether it is justified and shall inform the data subject in writing. For the duration of the assessment, for a maximum of five (5) days, the Controller suspends processing. If the objection is justified, the manager of the organisational unit processing the data shall act in accordance with the provisions of the GDPR.
If the Client or other data subject does not agree with the Service Provider’s decision, or if the Service Provider fails to comply with the deadline, the Client or the other data subjects may turn to court within thirty (30) days following the notification on the decision or the last day of the deadline.
1.13. If their data processing rights are violated, the Client or other data subjects may enforce their rights before the competent courts operating at the place of residence of the data subject, and in accordance with the provisions of the relevant legal regulations, they may contact the Hungarian National Authority for Data Protection and Freedom of Information (mailing address: 1534 Budapest, Pf.: 834; address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.). The court rules on the case as a matter of urgency.
1.14. By signing this document, the Client expressly accepts the data processing of the Controller, as the Service Provider and declares that in relation to the above, the Service Provider has given detailed information and explanation following the joint interpretation of its Data Protection Policy; the Client has understood the contents of this document and the related explanation. The Client provides his expressed consent to the processing and use of his personal data and special data provided to the Service Provider during the performance of the assignment in accordance with the above and to the extent specified herein, and agrees that such data be shared with the employees of the Service Provider and/or with the persons acting lawfully on behalf of the Service Provider. This consent shall not apply to information the processing of which is obviously not compatible with the subject of the assignment. In case of doubt, the Controller, or the Service Provider shall inform the Client and/or the other data subjects without delay and shall act according to their replies/statements.