Data Protection Policy - Tivadar Law Firm

DATA PROTECTION POLICY

for clients and partners

Tivadar Law Firm wishes to ensure the lawfulness of its data processing. To that end, it wishes to inform its clients and partners (data subjects) on the details of the processing of the personal data provided by them. The purpose of this policy is to provide you with sufficient information about the conditions, guarantees and deadlines under which our firm processes your personal data before providing them.

1. Data Controller

Name: Tivadar Law Firm

Address: 1025 Budapest, Szeréna út 5/3., Hungary

Registration number: 01-002719

Website: https://www.drtivadar.hu/ (hereinafter: “Website”)

E-Mail address: drtivadar@drtivadar.hu

Phone numbers: + 36 1 240 0677 and +36-20/339-2430

Head of the office: Dr. Krisztián András Tivadar

(hereinafter: “Data Controller”)

2. Applicable legal provisions

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; “GDPR”);
Act CXII of 2011 on Informational Self-Determination and Freedom of Information;
Act V of 2013 on the Civil Code (“Civil Code”);
Act C of 2000 on Accounting (“Accounting Act”);
Act CL of 2017 on Tax Administration Procedure;
Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising;
Act CVIII of 2001 on certain issues of electronic commerce services and information society services;
Act LXXVIII of 2017 on the Activities of Lawyers (“Lawyer Act”);
Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (“Anti-Money Laundering Act”).

3. The aim of the data processing, the scope of personal data processed, the legal basis and duration of processing

3.1. Data processing through the Website as well as social media pages maintained by the Data Controller (Facebook, LinkedIn)

Anyone may access the Website as well as social media pages maintained by the Data Controller without disclosing his/her personal data or revealing his/her identity, and may acquire information from the content stored on them freely and without limitation.

Some of the links on the Website and social media profiles may lead to other websites operated by third parties. The Data Controller does not undertake any responsibility or liability for any damage resulting from using such information.

3.1.1. Cookies on the Website

The Website collects information not connected to any person – with the assistance of Google Analytics – regarding visitors automatically, and to that end, it sends and registers cookies to the visitors’ computers which send them back to the Website when visiting it again. No personal data can be acquired from such information. You can find more information on the activity of Google Analytics at https://support.google.com/analytics/answer/4597324?hl=en.

For more information on how to set the preferences for cookies via your browser, refer to the following instructions:

You can modify your cookie preferences regarding the Website in the Cookie Settings.

Cookies used by the Website:

Strictly Necessary Cookies:

These cookies provide functions, in absence of which the Website cannot be used as intended.

No such cookies are currently available on the Website.

Functionality and Performance – Third Party – Cookies

These cookies that originate from Google Analitycs, collect – anonym – data about the Website’s visitors through a client ID code that the cookies randomly generate for statistical purposes.

„_ga”

google-analytics.com

Pixel

to distinguish between the Website’s visitors

2 years from visiting the Website

„_ga_ ZVVKGLETD3”

google-analytics.com

Pixel

to persist session state

2 years from visiting the Website

3.1.2. “Google reCAPTCHA”

Under the “Contact” menu, the Website uses a service provided by Google Ireland Limited (registered and operating under the law of Ireland; registration No.: 368047; taxation No.: IE6388047V; seat: Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter: „Google”) called “Google reCAPTCHA” in order to prevent automatic systems and bots from sending messages, and to filter spam messages out.

You can find more information about this data processing in Google’s data protection policy: https://policies.google.com/privacy

For further information, please follow this link: https://developers.google.com/recaptcha.

3.1.3. Data Controller’s Facebook page

The Data Controller has a Facebook page on https://www.facebook.com (hereinafter: “Facebook”) under https://www.facebook.com/tivadarugyvediiroda/ (hereinafter: “Facebook Page”).

Data Controller primarily shares articles and other posts on the Facebook Page to which anyone – whether or not they liked the Facebook Page – may send comments. In addition to this, the visitors of the Facebook Page may directly contact the Data Controller via Messenger messages. Section 3.2 of this policy is applicable to the latter data processing.

Regarding the Facebook Page, the Data Controller and the operator of Facebook qualify as joint data controllers. Meta Platforms Ireland Limited (Block J, Serpentine Avenue, Dublin 4, Írország) operates Facebook.

Implicitly, by using their services, Data Controller accepted Meta Platforms Ireland Limited’s Controller Addendum to ensure the security of your personal data (https://www.facebook.com/legal/controller_addendum). The Controller Addendum sets out the obligations and responsibilities under GDPR with regard to joint data controlling.

The Facebook Page operates under Facebook’s data protection guidelines. You can find Facebook’s data protection policy here: https://www.facebook.com/policy.php.

3.1.4. Data Controller’s LinkedIn page

The Data Controller has a LinkedIn page on https://www.linkedin.com (hereinafter: “LinkedIn”) under https://linkedin.com/company/tivadar-law-firm (hereinafter: “LinkedIn Page”).

Data Controller primarily shares articles and other posts on the LinkedIn Page to which anyone – whether or not they follow the LinkedIn Page – may send comments. There is no option on LinkedIn to directly contact the Data Controller, however, visitors may directly contact the LinkedIn Page’s administrator through LinkedIn’s messaging function. Section 3.2 of this policy is applicable to the relevant data processing.

Regarding the LinkedIn Page, the Data Controller and the operator of LinkedIn qualify as joint data controllers. LinkedIn Ireland Unlimited Company (Gardner House, 5 Wilton Park, Dublin 2, Ireland) operates LinkedIn in Europe.

The LinkedIn Page operates within LinkedIn’s data protection guidelines. You can find LinkedIn’s data protection policy here: https://www.linkedin.com/legal/privacy-policy.

3.2. Making contact

Activities of the Data Controller: data controlling of personal data transmitted while making contact.

Purpose of processing: making and maintaining contact.

Legal basis of processing: consent of the data subject [GDPR Article 6 subsection (1) point a)], processing is necessary in order to take steps at the request of the data subject prior to entering into a contract with him/her [GDPR Article 6 subsection (1) point b)]

Persons under the age of 16 may only give their consent to data controlling through the holders of parental responsibility or with their authorization.

Scope of data subjects: natural persons contacting the Data Controller via e-mail, via phone or sending a message through the “Contact” page on the Website, through the Facebook Page via Messenger or through LinkedIn’s messenger function.

Scope of processed personal data: any personal data disclosed while making contact, in particular name (first and family name), e-mail address, telephone number, the description of the presented matter and information on the possible solution, the provided physical and/or electronic documents.

The Data Controller shall not use the provided personal data for purposes different from the one described above. The Data Processor shall not share the personal data with third persons or authorities, unless with the data subject’s prior explicit consent or unless any law stipulates otherwise.

Duration of processing: until the fulfilment of the purpose of processing, or until the mandate agreement between the data subject and the Data Controller is concluded.

Data processors:

Name:

Seat:

Tasks of the data processor:

MEDIACENTER HUNGARY Kft.

6000 Kecskemét, Sosztakovics utca 3. 2. em. 6., Hungary

Online hosting (maintaining the e-mail system)

Dr. Járai Gábor Ügyvédi Iroda

1025 Budapest, Szeréna út 5/3., Hungary

Providing technical background (providing telephone assistance, carrying out network administrating and monitoring duties)

Persons having access to the personal data within the Data Controller: head of the office

Other data transfer: –

Possible consequences of failure to provide personal data: The data subject cannot make contact with the Data Controller.

3.3. Legal professional activities

Activities of the Data Controller: carrying out legal professional activities (e.g.: representation of clients, legal advice, preparing legal documents).

Purpose of processing: performing the mandate agreement concluded with the clients, complying with legal obligations, including the communication with the clients, as well as the invoicing.

Legal basis of processing:

(i) processing is necessary for the performance of a contract to which the data subject is party [GDPR Article 6 subsection (1) point b)];

(ii) compliance with a legal obligation based on Article 28 subsection (1) of the Lawyer Act, Article 1 subsection (1) point e) and Articles 6-7 of the Anti-Money Laundering Act and Article 169 subsections (1)-(2) of the Accounting Act [GDPR Article 6 subsection (1) point c)];

(iii) concerning the contact persons, the Data Controller’s legitimate interest to make and maintain contact with its clients through the contact person without delay in order to fulfil the mandate [GDPR Article 6 subsection (1) point f)];.

The Data Controller has conducted a balancing exercise in connection with the above data processing. As a result of this, the Data Controller has concluded that its legitimate interest overrides the fundamental rights and freedoms of the contact persons.

Scope of data subjects: clients (principals) of the Data Controller

Scope of processed personal data: name, address, temporary residence, mother’s maiden name, place and date of birth, e-mail address, phone number, nationality, identification number (ID and passport), address card number, tax identification number, picture, contact person’s and/or representative’s name, e-mail address and phone number, statement of facts represented by the client (including the following: the description of the represented case, information on the ways of solution, physical documents and electronic documents, depending on the nature of the case: special categories of personal data).

The Data Controller shall not use the provided personal data for a purpose different from the one described above. The Data Processor shall not share the personal data with third persons or authorities, unless with the data subject’s prior explicit consent or unless any law stipulates otherwise.

Duration of processing:

(i) 5 years from the cessation of the mandate agreement (limitation period),

(ii) 10 years from countersigning in case of countersigning of documents,

(iii) 10 years from registration in case of registration into the land registry concerning real properties [Lawyer Act Article 53 subsection (3)],

(iv) in connection with personal data regarding the fulfilment of the Data Controller’s obligations pursuant to the Anti-Money Laundering Act 8 years from the cessation of the mandate agreement, or in case of a request of a court or authority for the period specified in the request, but at the latest 10 years from the cessation of the mandate agreement,

(v) 8 years from the preparation of the annual account on the financial year, of the annual report and of the accounting documents in case of invoicing,

(vi) in case of a legal dispute, until the legally binding end of the court or authority proceeding, if extraordinary remedies are possible until the expiry of the deadline for submitting such extraordinary remedy or the end of the extraordinary remedy proceeding.

Data processors:

Name:	Seat:	Tasks of the data processor:
FORTÉLY Kft.	1134 Budapest Csángó u. 20/c., Hungary	Carrying out accounting duties
Dr. Járai Gábor Ügyvédi Iroda	1025 Budapest, Szeréna út 5/3., Hungary	Providing technical background (providing telephone assistance, carrying out network administrating and monitoring duties)
MEDIACENTER HUNGARY Kft.	6000 Kecskemét, Sosztakovics utca 3. 2. em. 6., Hungary	Online hosting (maintaining the e-mail system)
Billingo Technologies Zrt.	1133 Budapest, Árbóc utca 6., I. em., Hungary	Operating the billing program, Billingo, that is used by the Data Controller

Persons having access to the personal data within the Data Controller: head of the office.

Other data transfer:

(i) For the sake of fulfilling the mandate, the Data Controller may transfer the documents concerning the relevant case to its contributors (e.g.: attorney-at-law, expert). The Data Controller undertakes to inform the data subject about the contribution of another attorney-at-law.

Legal basis of data transfer: the data transfer is necessary for the performance of a contract to which the data subject is party [GDPR Article 6 subsection (1) point b)].

(ii) In case of a legal dispute arising from the mandate, the Data Controller may transfer the documents concerning the legal dispute (in particular the mandate agreement, invoices) to its legal representative (law firm) and – if there is a court or administrative proceeding – to the competent court or authority.

Legal basis of data transfer: the data transfer is necessary for the performance of a contract to which the data subject is party [GDPR Article 6 subsection (1) point b)].

Possible consequences of failure to provide personal data: The data subject may not conclude a mandate agreement with the Data Controller, thus, the Data Controller may not provide legal services to the data subject.

3.4. Processing regarding partners

Activities of the Data Controller: fulfilling the contract concluded with partners (e.g.: agents, contractors)

Purpose of processing: contracting with partners (e.g.: agents, contractors) and billing concerning the contracts concluded with partners

Legal ground of processing:

(i) processing is necessary for the performance of a contract to which the data subject is party [GDPR Article 6 subsection (1) point b)];

(ii) compliance with a legal obligation based on Article 169 subsections (1)-(2) of the Accounting Act [GDPR Article 6 subsection (1) point c)];

(iii) concerning the contact persons, the Data Controller’s legitimate interest to make and maintain contact with its partners through their contact persons without delay [GDPR Article 6 subsection (1) point f)].

Scope of data subjects: natural person partners (e.g.: agents, contractors) and representatives and contact persons of legal person partners.

Controlled personal data: the natural person partners’ name, address, e-mail and phone number, the legal person partners’ name, e-mail address and phone number of the representatives and/or contact persons

Duration of processing:

(i) 5 years from providing personal data (limitation period), or

(ii) 8 years from the preparation of the annual account on the financial year, of the annual report and of the accounting documents in case of invoicing,

(iii) in case of a legal dispute, until the legally binding end of the court or authority proceeding, if extraordinary remedies are possible until the expiry of the deadline for submitting such extraordinary remedy or the end of the extraordinary remedy proceeding.

Data processors:

Name:	Seat:	Tasks of the data processor:
FORTÉLY Kft.	1134 Budapest Csángó u. 20/c, Hungary	Carrying out accounting duties
Dr. Járai Gábor Ügyvédi Iroda	1025 Budapest, Szeréna út 5/3., Hungary	Providing technical background (providing telephone assistance, carrying out network administrating and monitoring duties)
MEDIACENTER HUNGARY Kft.	6000 Kecskemét, Sosztakovics utca 3. 2. em. 6., Hungary	Online hosting (maintaining the e-mail system)
Billingo Technologies Zrt.	1133 Budapest, Árbóc utca 6., I. em., Hungary	Operating the billing program, Billingo, that is used by the Data Controller

Persons having access to the personal data within the Data Controller: head of the office.

Other data transfer: In case of a legal dispute arising from the contract concluded with the partner, the Data Controller may transfer the documents concerning the legal dispute (in particular the contract, invoices) to its legal representative (law firm) and – if there is a court or administrative proceeding – to the competent court or authority.

Legal basis of data transfer: Legal basis of data transfer: the data transfer is necessary for the performance of a contract to which the data subject is party [GDPR Article 6 subsection (1) point b)].

Possible consequences of failure to provide personal data: The partner may not conclude a contract with the Data Controller.

4. The rights of data subjects

The Data Controller shall ensure the rights of the data subjects as detailed below.

The Data Controller shall give opportunity for data subjects to submit their request in any of the following ways: via (i) post, (ii) e-mail, (iii) telephone.

The Data Controller shall fulfil the data subject’s request without undue delay and in any event within one month of receipt of the request, and shall inform the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If the Data Controller refuses to act upon the request, it shall decide and inform the data subject about the refusal, its reasons and the data subject’s options for remedy within this period.

As a general rule, the Data Controller shall fulfil the data subject’s request via e-mail, however, in case the data subject – giving his/her address or telephone number – specifically asks so, the Data Controller may fulfil the request via post or telephone. At the request of the data subject, information may be given via telephone, if the identity of the data subject is proven. The Data Controller shall not use the data subject’s address or phone number for any other purpose.

The Data Controller shall not charge any fees for fulfilling the below-detailed requests of the data subject. In case another request arrives within one year from the previously fulfilled request concerning the same personal data, the Data Controller reserves the right to charge a fee for the fulfilment proportional to the workload arising in connection with the fulfilment.

a) Information and access to personal data:

At the request of the data subject, the Data Controller shall provide the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language:

whether or not personal data concerning him or her are being processed;
the name and contact details of the Data Controller;
the processing, and the name and contact details of processors described in Sections 3.2-3.4.;
the purpose of the processing for which the personal data are processed as well as the legal basis for the processing;
the recipients or categories of recipients of the personal data for whom the Data Controller has transferred or will transfer the personal data, including especially a third country or international organization;
the consequences of data processing;
the rights of the data subjects;
the eventual circumstances of personal data breach, effects and measures taken to address the personal data breach.

In the absence of the data subject’s request, the Data Controller shall provide information – via e-mail – to the data subject about the substantive changes occurring compared to this policy, about the circumstances of the occurred personal data breach, its effects and the measures taken to address the personal data breach.

b) Right to rectification

At the request of the data subject, the Data Controller shall rectify the inaccurate personal data concerning him/her.

The Data Controller shall inform each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. At the request of the data subject, the Data Controller shall inform him/her about those recipients.

c) Right to erasure

At the request of the data subject, the Data Controller shall erase any personal data concerning the data subject if any of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
the personal data have been unlawfully processed by the Data Controller;
the personal data have to be erased for compliance with a legal obligation in the Union or Hungarian law to which the Data Controller is subject.

d) Right to restriction of processing

At the request of the data subject, the Data Controller shall restrict the processing if one of the following grounds applies:

the accuracy of the personal data is contested by the data subject, for a period enabling the Data Controller to verify the accuracy of the personal data;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
the Data Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.

e) Right to data portability

At the request of the data subject, the Data Controller shall provide him/her with the personal data concerning the data subject, which he or she has provided to the Data Controller previously. Further, the Data Controller undertakes to allow the data subject to transfer those data to another controller without hindrance from the Data Controller.

f) Right to object

If the legal basis of data processing is Article 6 subsection (1) point (f) of the GDPR, the data Controller’s legitimate interest, the data subject may object to the processing of his/her personal data on grounds relating to his/her particular situation.

In this case, the Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

g) Right to remedy

If the data subject reckons that the Data Controller has violated his/her right to protection of personal data in the course of the processing, the data subject may seek legal remedy at the competent authorities in accordance with the relevant regulations, namely through submitting a complaint to the National Authority for Data Protection and Freedom of Information (address: 1055 Budapest, Falk Miksa utca 9-11., Hungary; postal address: 1363 Budapest, Pf.9., Hungary; website: www. naih.hu; e-mail address: ugyfelszolgalat@naih.hu, telephone number: +36-1/391-1400, fax number: +36-1/391-1410) or turning to the competent court.

5. Miscellaneous provisions

The Data Controller declares that all of its processing activities meet the expectations determined in this policy, its internal regulation – which stipulates the same requirements as this policy –, as well as the current legal regulations.

The Data Controller reserves the right to amend this policy at any time, it informs the data subjects about the changes concerning all processing activities by posting the updated information on the Website – under the Articles and Publications section –, as well as by sending a newsletter to the newsletter subscribers as described in Section 3.3.

last updated: 1 September 2023