Szabó Kelemen and Partners Andersen Attorneys’ Data Processing Notice
1. The Data Controller and Contact Details
The present document contains the data processing notice of Szabó Kelemen and Partners Andersen Attorneys (seat: 1016 Budapest, Mészáros utca 58/A, tax number: 12184206-2-41, phone: 06-1-288-8200, webpage: hu.AndersenLegal.com) and of Szabó Kelemen and Partners Andersen Attorneys’ Association, the latter comprising of the attorneys and attorney’s offices cooperating with Szabó Kelemen and Partners Andersen Attorneys at all times (Szabó Kelemen and Partners Andersen Attorneys and Szabó Kelemen and Partners Andersen Attorneys’ Association hereinafter referred to as the “LAW FIRM”) in relation to the processing of the personal data of current, former, and prospective clients as well as any persons associated with such clients (hereinafter jointly a “client” or “clients”).
The purpose of the present notice is to lay down the privacy and data processing principles applied by the LAW FIRM and the privacy and data processing policy of the LAW FIRM.
Pursuant to Article 37 section (1) of GDPR, the LAW FIRM is not obliged to designate a Data Protection Officer.
2. Legal Regulations on Which Our Data Processing is Based
– Act CXXXVI of 2017 on the Prevention and Hindrance of Money Laundering and Terrorism (“AML Act”),
– Act LII of 2017 on the Implementation of Restrictive Measures on Assets and Financial Interests Imposed by the European Union and the UN Security Council,
– Act LXXVIII of 2017 on Legal Practice (“Act on Legal Practice”),
– Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information,
– Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”).
3. Principles of Data Processing
The LAW FIRM undertakes to ensure that all data processing related to its activities complies with the requirements set forth in the present notice, the GDPR, and the applicable national legislation. The LAW FIRM shall do its utmost to protect the personal data of its clients, the personal data they provide, and the data subjects’ rights. The LAW FIRM shall treat personal data confidential and shall take all safety, technical, and organizational measures necessary for guaranteeing the security of such data.
In relation to the above, the LAW FIRM shall take appropriate measures to ensure that personal data relating to its clients are always
– processed lawfully, fairly, and transparently (lawfulness, fair process, and transparency);
– collected for specific, pre-defined, and legitimate purposes and not processed further in a manner incompatible with such purposes;
– adequate, relevant, and limited to what is necessary in terms of the purposes of the data processing (data minimization);
– accurate and, where necessary, kept up to date; every reasonable step shall be taken in order to ensure that inaccurate personal data are promptly erased or rectified (accuracy);
– kept in a form which permits identification of clients for no longer than is necessary for the purposes for which the personal data are processed; personal data may only be stored for longer periods of time for statistical purposes and subject to the implementation of appropriate technical and organizational measures (storage limitation);
– processed in a manner that ensures appropriate security of the personal data using appropriate technical or organizational measures, including but not limited to protection against unauthorized or unlawful processing, accidental loss, destruction, or damage (integrity and confidentiality).
Meanwhile, clients are required to ensure that data subjects, including contact persons specified in engagement contracts, persons acting on behalf of clients, or any other persons whose personal data are transferred to the LAW FIRM, are provided with the data protection information under Article 13 of the GDPR.
4. Definitions
- “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
- “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
- “consent of the data subject” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- “client” means any person who makes an enquiry about the services of the LAW FIRM via its website, by phone or by any other means, and any person who enters into an engagement contract with the LAW FIRM.
5. The Scope of Personal Data, the Purpose of Data Processing, Legal Basis and Term
5.1 The LAW FIRM’s data processing is based on contractual or statutory obligation, or on freely given consent.
5.2 For the data processing purposes listed below, the LAW FIRM processes the following personal data about clients:
5.2.1 Making an Enquiry about Legal Services via the Website, Phone, in Person or by Any Other Means
(a) name; data essential for identifying the client
(b) e-mail address, phone number; data essential for subsequently reaching out to the client
(c) subject matter of the enquiry (e.g. details of the planned transaction and other information relating to the case); data necessary to identify the client’s request more accurately and for an appropriate, personalized response, based on the client’s own communication
(d) car license plate number; information required for parking in our office building, if necessary.
Data processing is based on the consent of the person making the enquiry. Data processing lasts for a term specified by the person making the enquiry or until the withdrawal of the consent.
5.2.2 Individual Call for an Offer
(a) name; data essential for identifying the client
(b) e-mail address, phone number; data essential for subsequently reaching out to the client
(c) subject matter of the enquiry (circumstances of the case concerning the potential engagement); data necessary to identify the client’s request more accurately and for an appropriate, personalized response, based on the client’s own communication
(d) car license plate number; information required for parking in our office building, if necessary.
Data processing is based on the consent of the person making the enquiry. Data processing lasts for a term specified by the person making the enquiry or until the withdrawal of the consent.
5.2.3 Conclusion and Performance of the Attorney’s Engagement Contract
(a) name; data essential for identifying the client
(b) e-mail address, phone number; data essential for subsequently reaching out to the client
(c) data relating to the subject of the contract (e.g. details of the property concerned, marital status, personal circumstances); determining the subject of the contract, the details and circumstances necessary to perform the contract
(d) data, the recording of which is prescribed as mandatory by the AML Act and the Act on Legal Practice (e.g. data identifying the natural person, copies of ID cards, data qualifying a person as a politically exposed person (PEP), data qualifying a natural person as beneficial owner) – data to be registered pursuant to statutory requirements.
The legal basis of data processing is the performance of the contract and the settlement of related legal disputes, as well as the mandatory requirements set forth by the AML Act and the Act on Legal Practice.
The term of the data processing lasts for 5 years reckoned from the performance of the contract (the general civil law claim assertion term), is unlimited for generated non-disposable documents, and lasts for 8 years reckoned from the termination of the engagement for data collected based on the AML Act and the Act on Legal Practice, which term may be extended in specific, exceptional cases prescribed by law.
6. Profiling
The LAW FIRM does not apply automated decision-making techniques, does not profile based on the data available about the data subjects, and does not use the data of the data subjects for direct marketing purposes.
7. Recipients of Personal Data and Categories of Recipients
The LAW FIRM generally shares client personal data with the following third parties, on a ‘controller to controller’ basis:
– organizations providing services to the LAW FIRM or the clients (e.g. insurance companies, audit, or IT service providers, etc.);
– third parties involved in the performance of the engagement contract (counterparties, authorities, courts, experts, legal or other service providers engaged by us or the client, notaries);
– supervisory and other authorities, regulatory authorities and bodies.
Clients may request personalized information regarding the processing of their personal data by the LAW FIRM (purpose, legal basis, scope of data, data transfer, duration of the processing) via the following channels: e-mail: info@hu.AndersenLegal.com, phone: +36-1-288-8200, address: 1016 Budapest, Mészáros utca 58/A.
8. Personal Data Storage, Security of Data Processing
Computing systems and other data storing facilities of the LAW FIRM are located at its headquarters and on its respective servers.
The LAW FIRM selects and operates the IT tools used to process personal data during the provision of services so that the data processed
– may only be accessed by authorized persons;
– the authenticity and certification of such data are ensured;
– the unchanged nature of such data may be verified;
– is protected from unauthorized access.
By applying appropriate measures, The LAW FIRM protects the data especially from unauthorized access, change, transmission, disclosure, deletion or destruction, as well as against accidental loss or damage, and against becoming inaccessible due to the change of technique applied.
The LAW FIRM applies such state of the art technical and organizational measures that ensure the protection of the security of data processing and provide a reasonable level of protection vis-á-vis the risks associated with data processing.
Nevertheless, we inform data subjects that electronic messages transmitted over the Internet, irrespective of the protocol (e.g. e-mail, web, etc.), are vulnerable to network threats that may cause dishonest actions, contract disputes, or the disclosure or modification of the information concerned. The LAW FIRM shall take all reasonably expectable precautionary measures in order to protect data subjects against such threats.
The data processed by the LAW FIRM is primarily disclosed to our competent internal staff (lawyers, trainee lawyers, employees of the law firm, etc.) and shall not be handed over to third parties unless in connection with an attorney’s mandate, due to another legitimate interest (e.g. debt collection), resulting from a legal obligation, or if the data subject has given his/her prior consent.
9. International Data Transfer to Third Countries
The personal data of clients may be transferred to controllers and data processors in third countries outside of the European Economic Area either if the transfer is necessary for the performance of the engagement or if the client has explicitly consented to the transfer pursuant to the preliminary information provided (Article 49 of GDPR).
The LAW FIRM informs the client prior to the conclusion of the contract that the appropriate protection of the transmitted data is ensured in respect of the recipient residing outside of the European Union to whom the client’s data is transmitted:
a) through the general data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 (2) of the GDPR;
b) through the general data protection clauses adopted by the supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93 (2) of the GDPR;
c) the approved Code of Conduct pursuant to Article 40 of the GDPR, together with a binding and enforceable commitment by the third country data controller or data processor to apply appropriate safeguards, including those relating to the rights of the data subjects; or
d) the approved certification procedure pursuant to Article 42 of the GDPR, together with a binding and enforceable commitment by the third country data controller or data processor, to apply appropriate safeguards, including those relating to the rights of the data subjects. In this respect, the LAW FIRM strives to have its third country partners accept the contractual data protection sample clauses approved by the European Commission / NAIH (Hungarian National Authority for Data Protection and Freedom of Information).
10. Rights of the Client
10.1 Rights of Access by the Client
The may access his/her personal data. If the client so requests, the LAW FIRM is obliged to inform him/her, within the framework of the applicable legal regulations, as to whether or not personal data pertaining to him/her are being processed.
In some cases, the LAW FIRM receives personal data from a source other than the data subject. In such cases, we assume that the person from whom we received the data was entitled to transfer such data to us. If we do not receive the information from the data subject, the scope of our obligation to inform the data subject is limited.
Nevertheless, the LAW FIRM is always at the disposal of the data subjects and provides the requested information, within the framework of the applicable legal regulations.
The client’s right to receive feedback on whether or not his/her personal data are processed by the LAW FIRM shall only extend to the personal data relating to him/her and does not extend to the personal data that do not relate to him/her.
Upon the client’s request, the LAW FIRM shall provide access to and copy of the personal data of the client. If the client requests further/repeated copies of his/her personal data, the LAW FIRM may charge a reasonable fee for the administrative costs incurred in connection with the fulfillment of the request, which fee shall be borne by the client.
10.2 The Client’s Right to Rectification
The client is entitled to the rectification of his/her personal data. This right shall only extend to the personal data relating to him/her and does not extend to the personal data that do not relate to him/her.
Upon request of the client, the LAW FIRM shall, within the framework of the applicable legal regulations, adequately rectify or supplement his/her personal data and inform the recipients of such personal data (if any) of the rectification of the personal data of the client unless informing the recipients proves to be impossible or would require disproportionate efforts.
10.3 The Client’s Right to Erasure
Under certain conditions, the client is entitled to the erasure of his/her personal data.
The LAW FIRM shall erase the client’s personal data without undue delay if such data are processed by the LAW FIRM, the client requests the erasure of his/her personal data, and the personal data are no longer necessary in relation to the purposes for which they were processed by the LAW FIRM.
The LAW FIRM shall erase the client’s personal data without undue delay if such data are processed by the LAW FIRM, the client requests the erasure of his/her personal data, the client withdraws his/her consent on which the processing is based, and there is no other legal ground for the further processing of the client’s data.
The LAW FIRM shall erase the client’s personal data without undue delay if processing is necessary for the purposes of the legitimate interests pursued by the LAW FIRM or by a third party but the client objects to such processing by the LAW FIRM, and there are no legitimate grounds for the processing overriding the client’s objection.
The LAW FIRM shall erase the client’s personal data without undue delay if the client requests the erasure of his/her personal data and the personal data have not been unlawfully processed by the LAW FIRM, if the personal data have to be erased in order to comply with a legal obligation, or if the personal data have been collected in relation to the offer of information society services.
The LAW FIRM shall inform the recipients of the client’s personal data (if any) of the erasure of the client’s personal data unless informing the recipients proves to be impossible or would require disproportionate efforts.
10.4 The Client’s Right to Restriction of Processing
The client may request a restriction of the processing of his/her personal data within the framework of the applicable legal regulations.
The client’s right to restriction of processing shall only extend to the personal data relating to him/her and does not extend to the personal data that do not relate to him/her.
The LAW FIRM shall restrict the processing of the client’s personal data if the restriction of the processing of personal data is requested by the client or if the accuracy of such data is contested by the client for such period that enables the LAW FIRM to verify the accuracy of the personal data.
The LAW FIRM shall restrict the processing of the client’s personal data if the client requests the restriction of the data’s processing and the processing of such data is unlawful but the client opposes its erasure.
The LAW FIRM shall restrict the processing of the client’s personal data, if the restriction of the processing of personal data is requested by the client and the LAW FIRM no longer needs such personal data for the purposes of the processing, but the client requires the data for the establishment, exercising, or in defense of a legal claim.
The LAW FIRM shall restrict the processing of the client’s personal data, if the client objects to the LAW FIRM processing the data if, at the same time, the processing is necessary for the purposes of the legitimate interests pursued by the LAW FIRM and the client awaits confirmation as to whether there is a legitimate reason for the LAW FIRM’s processing of the client’s personal data that overrides the client’s objection to the processing.
The LAW FIRM shall inform any recipients of the client’s personal data (if any) of the restriction of the processing of the client’s personal data unless informing the recipients proves to be impossible or would require disproportionate efforts.
If the LAW FIRM restricts the processing of the client’s personal data, then it may
– store such personal data,
– process such personal data pursuant to the client’s consent,
– process such personal data for the purposes of submitting, asserting, or defending its legal claims, or the rights of a third person.
10.5 The Client’s Right to Data Portability
Where the processing is based on consent pursuant or required for the performance of a contract and the processing is carried out by automated means, the client has the right to receive, in a structured, commonly used and machine-readable format, the personal data pertaining to him/her, which he/she has provided to a controller, and has the right to transmit such data to another controller (where technically feasible) without hindrance from the controller to which the personal data have been provided.
The client’s right to data portability only extends to the personal data relating to him/her and does not extend to the personal data that do not relate to him/her.
11. Personal data breach
Should a personal data breach occur within the LAW FIRM’s system that is likely to result in a risk to the rights and freedoms of natural persons, the LAW FIRM shall without undue delay notify the data subject about the personal data breach.
12. Client Relationship
If you have any comments, questions, or concerns regarding the services provided by our LAW FIRM and our data processing, please do not hesitate to contact us via contact details on our website.
13. Links to Other Websites
Our website may contain links to other service providers that the present privacy notice does not extend to. When you leave the website of the LAW FIRM, we encourage you to carefully read the privacy policy of such personal data collecting websites.
14. Miscellaneous
Our LAW FIRM reserves the right to modify the present Data Processing Notice unilaterally, subject to the notification of the data subjects.
We inform our clients that, based on the authorization of the investigating authority, the National Privacy and Data Protection Authority, or the law, other agencies may request the LAW FIRM to provide information, disclose data, transfer data, or file documents.
15. Procedural Rules
The controller has 30 days to erase, rectify, or provide information relating to personal data. If the controller fails to comply with the data subject’s such requests, it shall communicate the reasons for the rejection in writing within 30 days.
16. Data Protection Authority
Complaints may be lodged with the National Authority for Data Protection and Freedom of Information:
National Authority for Data Protection and Freedom of Information
Seat: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mail address: 1530 Budapest, Pf.: 5.
Phone no.: 06.1.391.1400,
Fax no.: 06.1.391.1410,
E-mail: ugyfelszolgalat@naih.hu
Webpage: http://www.naih.hu