Privacy Notice
Dr. Hernádi Law Firm (registered office: 6800 Hódmezővásárhely, Hősök tere 1. fszt 2..; KASZ:
36061479; represented by Dr. Gyula Hernádi, attorney-at-law; “Data Controller”, which term
includes the person defined in Point 3.3. of this Policy) attributes great importance to the highest
level of personal data protection.
In order to ensure personal data protection by the Data Controller, the Data Controller has
adopted the following policy (the “Policy”), in accordance with the provisions of Act CXII of
2011 on the Right of Informational Self-Determination and on Freedom of Information
(“Infotv.”) and Regulation (EU) 2016/679 of the European Parliament and of the Council on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(“GDPR”). By browsing the website located at www.ban-karika.hu (“Website”), you agree to be
bound by the Policy.
1. THE DATA CONTROLLER
1.1. The operator of this Website and the Data Controller are the same.
AName of the Data Controller: Dr. Tanács Law Firm
Registered seat of the Data Controller: 6800 Hódmezővásárhely, Hősök tere 1. fsz. 2.
Phone number of the Cata Controller: +3662658450
E-mail address of the Data Controller: iroda@drhernadilaw.hu
Location of data processing: 6800 Hódmezővásárhely, Hősök tere 1. fsz. 2.
2. THE SCOPE OF THE POLICY
2.1. The Policy shall enter into force on September 1, 2022, and shall remain in force and effect
until further action by the Data Controller.
2.2. The marital scope of this Policy shall cover all activities carried out by all units of the Data
Controller in the course of which processing of personal data defined in Section 3(2) of the
Infotv. occurs.
2.3. The material scope of this Policy shall cover all personal data processed by the Data
Controller, regardless of the form in which it is stored, or the place where it is located. The
Policy applies to all stages of data processing. The personal scope of this Policy shall cover all
employees of the Controller.
2.4. The material scope of this Policy shall not cover the processing of personal data in relation
to the employees of the Data Controller and its cooperating partners, as defined in point 3.3 of
this Policy. The Data Controller’s internal policie(s) shall govern such processing.
3. GENERAL PROVISIONS
3.1. The purpose of data processing is to provide the services on the website (e.g., first
communication with the Data Controller, registration of online requests for information, sending
newsletters, etc.), mediation between contractual parties, data transfer, communication,
preparation of related contracts or other documents, performance of client due diligence
prescribed by law, practicing the Data Controller’s legitim interest, and compliance with thelegal requirements applicable to the Data Controller [e.g., record keeping pursuant to Act
LXXVIII of 2017 on the Professional Activities of Attorneys-t-law (“Act.”)].
3.2. Scope of processed data: personal identifiable information (surname, first name, birth name,
title, place and date of birth, mother's maiden name, citizenship, ID card and its expiration date,
residence card number), contact information (telephone number, email address, permanent
residence, temporary residence), as well as other information voluntarily provided by clients
depending on the nature of the transaction and to the extent that is necessary for the performance
of the service.
4. THE LEGAL BASIS FOR PROCESSING PERSONAL DATA
4.1. The legal basis for personal data processing is as follows:
a) The data subject has given consent to the processing of his or her personal data for one or
more specific purposes.
b) Legal obligation: such as the Act LIII of 2017 on Preventing and Combating Money
Laundering and Terrorist Financing, which requires the Data Controller to conduct due diligence
on persons who are clients and to record and retain certain personal data and related documents.
In addition, the processing of personal data may be based on laws relating to taxation or
accounting records retention.
c) Contract: data processing is necessary for the performance of a contract in which the data
subject is one of the parties, or it is necessary for taking steps at the request of the data subject
prior to the conclusion of the contract.
d) Exercise of official authority: data processing is necessary for the performance of a task
carried out in the public interest or in the exercise of official authority vested in the controller.
e) Vital interest: processing is necessary in order to protect the vital interests of the data subject
or of another natural person.
f) Data processing based on legitimate interests: data processing is necessary for the purposes of
the legitimate interests pursued by the Data Controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and freedoms of the data subject,
which require protection of personal data, in particular where the data subject is a child.
4.2. The Data Controller shall process specific data for the purposes set out in this Policy only if
the client has voluntarily provided it to the Data Controller in each case, depending on the nature
of the transaction and to the extent that data processing is necessary.
5. CONFIDENTIALITY
5.1. All facts, information, and data of which the Data Controller practicing the profession
activities of an attorney-at-law gained knowledge in the course of carrying out its professional
activities, shall qualify as attorney-client privileged information. Unless otherwise provided in
this Act., the Data Controller practicing the professional activities of an attorney-at-law shall
keep all attorney-client privileged information confidential. This confidentiality obligation shall
also apply to any document or other medium containing attorney-client privileged information.
5.2. The confidentiality obligation of the person performing the professional activities of an
attorney-at-law shall not be subject to the legal relationship of practicing as an attorney-at-law,
and it shall persist after discontinuing such practice or upon termination of that legal relationship
for an indefinite period. In view of this, the Data Controller undertakes to keep the obtained
personal data in the course of its activities for an unlimited period of time.
6. RULES OF DATA PROCESSING
6.1. The Data Controller shall process personal data of the data subjects (including the user)
disclosed to the Data Controller or otherwise obtained by the Data Controller in accordance with
the provisions of this Policy. The Data Controller shall at all times comply with the principles of
lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy and storage
limitation, integrity, and confidentiality in data processing. The Data Controller shall be
responsible for compliance with these principles and shall be able to demonstrate such
compliance.
6.2. The Data Controller shall process personal data only in the course of the performance of its
tasks, for specified purposes, in the exercise of its rights, and for the fulfillment of obligations, to
the minimum extent necessary for the purposes of the tasks and for the shortest period of time
necessary for those purposes, and at the latest until the withdrawal of the data subject’s consent.
At the same time, the Data Controller draws attention to the fact that the Data Controller is
obliged to retain the data provided by the data subject in accordance with the provisions of the
Pmt. and the Act. (electronic documents must be retained for 10 years, paper documents for 5
years, and countersigned documents and related documents for 10 years). The Data Controller is
obliged to retain other personal data (data obtained during client due diligence) for 8 years from
the termination of the business relationship or the execution of the transaction. In the event of the
failure of the transaction, the personal data shall be deleted after the failure or, in the case of a
general enquirer, after 2 years following the inquiry.
6.3. The Data Controller shall, in any case, inform the data subject of the purpose and the legal
basis for the data processing before the data are recorded.
6.4. At all stages of data processing, the data must comply with the purpose for which it has been
collected, and if the purpose for which the data was collected ceases to exist or the processing is
otherwise unlawful, the data will be erased.
6.5. The Data Controller shall take all technical and organizational measures and establish
procedural rules necessary to enforce Infotv. and other domestic and international data protection
laws in order to ensure the security of the data processing. The Data Controller shall protect the
personal data processed against unauthorized access, alteration, transmission, disclosure to the
public, erasure, or destruction, as well as against accidental or unlawful destruction.
6.6. Only the Data Controller and its employees who have a need to know the personal data in
order to fulfill the purpose of data the processing shall have access to the provided personal data.
Point 10. applies to the data transmission.
6.7. Employees who carry out data processing at the Data Controller and employees of
organizations engaging in data processing on behalf of the Data Controller and carrying out any
of its operation of the Data Controller shall process the obtained personal data in the manner set
out in this Policy, the Infotv., and the GDPR.
6.8. The employees of the Data Controller, in the course of their work, shall ensure that personal
data cannot be accessed by unauthorized persons and that personal data are protected from
unauthorized access, alteration, transmission, disclosure to the public, erasure, accidental or
unlawful destruction, and destruction due to the change in the applied technology.
7. ENFORCEMENT OF THE DATA SUBJECT’S RIGHTS (USER)
7.1. In the course of its data processing activities, the Data Controller shall ensure the
enforcement of the rights of the data subject in accordance with the provisions of the GDPR,
Infotv., and the Act.
7.2. The data subject may request from the Data Controller access to and rectification or erasure
of personal data or restriction of processing in relation to the data subject and to object to
processing as well as the right to data portability. The data subject shall have the right to data
portability as well as the right to lodge a complaint with a supervisory authority, and the right to
obtain judicial redress.
7.3. Where processing is based on consent, the data subject shall also have the right to withdraw
his or her consent at any time, without affecting the lawfulness of processing based on consent
before its withdrawal.
7.4. The data subject shall have the right to obtain from the Data Controller confirmation as to
whether or not personal data concerning him or her is being processed and, where that is the
case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be
disclosed, in particular recipients in third countries or international organizations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not
possible, the criteria used to determine that period;
(e) the existence of the right to request from the Data Controller rectification or erasure of
personal data or restriction of processing of personal data concerning the data subject or to object
to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g ) where the personal data are not collected from the data subject, any available information as
to their source;
7.5. The Data Controller shall provide the requested information in writing to the data subject
without undue delay and, in any event, within 30 days of receipt of the request. The information
shall be provided free of charge if the person requesting the information has not yet submitted a
request for information in the current year for the same set of data.
7.6. Where requests from a data subject are manifestly unfounded or excessive, in particular
because of their repetitive character, the Data Controller may either:
(a) charge a reasonable fee, taking into account the administrative costs of providing the
information or communication or taking the action requested; or
(b) refuse to act on the request.
7.7. The Data Controller shall provide a copy of the personal data undergoing processing. For
any further copies requested by the data subject, the Data Controller may charge a reasonable fee
based on administrative costs, which shall be HUF 100 per page, i.e., HUF 100 + VAT. Where
the data subject makes the request by electronic means, and unless otherwise requested by the
data subject, the information shall be provided in a commonly used electronic form. The Data
Controller makes the information available in PDF format unless the data subject explicitly
requests otherwise.
7.8. The data subject shall have the right to obtain from the Data Controller without undue delay
the rectification of inaccurate personal data concerning him or her. Taking into account the
purposes of the processing, the data subject shall have the right to have incomplete personal data
completed, including by means of providing a supplementary statement.
7.9. The data subject shall have the right to obtain from the Data Controller the erasure of
personal data concerning him or her without undue delay, in accordance with Article 17 of the
GDPR. Instead of erasure, the data controller shall block the personal data if, on the basis of the information available to it, it is likely that erasure would harm the legitimate interests of the data
subject. Processing blocked personal data is only possible as long as the processing purpose that
precluded the erasure of the personal data persists.
7.10. The data subject shall have the right to obtain from the Data Controller without undue
delay the restriction of data processing in accordance with Article 18 of the GDPR. For the
period of restriction, the Data Controller and its processors, if any, shall not use the personal data
for any purpose other than storage.
7.11. The data subject shall have the right to object to the processing of his or her personal data
in accordance with Article 21 of the GDPR.
8. SPECIFIC PROVISIONS REGARDING CERTAIN PROCESSING OPERATIONS
8.1. Website Processing
Anyone may access the Website without disclosing his or her personal data or identity and may
freely and without restriction obtain information from all the content of the Website and its
linked pages.
Unless otherwise indicated, the content of the Website is the property of the Data Controller and
is protected by copyright. The Data Controller reserves all rights in this respect.
In no event does the content of the Website constitute direct legal advice and is provided for
informational purposes only by the Data Controller, and the Data Controller disclaims any
liability in this respect. The Data Controller also excludes any liability for any damages resulting
from the downloading or unavailability of the website. The content downloaded by following
external links on the website is not under the control of the Data Controller. The Data Controller
excludes all liability for the content of any offers, notices, advertisements, or other information
displayed on the Website.
8.2. Processing of data related to contacting
All users may contact the Data Controller through all public contact information of the Data
Controller and through the “Contact” bar of the Website.
When initially contacting the Data Controller, the data subject shall decide on the processing of
the personal data provided by him or her. The legal basis for the data processing is provided by
the data subject through voluntarily providing his or her data to the Data Controller for the
purpose of initially contacting him or her.
Users who use the “Contact” bar, by sending a message voluntarily, explicitly, and expressly
consent to the Data Controller processing their data electronically in the manner specified in the
Infotv. and GDPR for a maximum period of 1 year from the date of contact.
By using the “Contact” bar, the user expressly consents to the processing of his or her name,
email address, other personal data disclosed during the initial contact, phone contact information,
and the description of the case he or she has presented by the Data Controller for the purposes
indicated during the initial contact.
8.3. Data processed for business communication purposes
In addition to the client’s data, the Data Controller also processes and collects contact
information (phone number, email address) and additional data (company name, title) of other
persons indicated on business cards, both in paper and electronic form, for the purpose of
business communications, based on the data subject’s voluntary consent.
9. RIGHTS AND REMEDIES IN RELATION TO DATA PROCESSING
9.1 The data subject (user) may request the Data Controller to: (a) inform him or her about the
processing of his or her personal data; (b) rectify his or her personal data; and (c) erase or restrict
his or her personal data except for mandatory processing.
9.2. If the data subject (user) believes that his or her right to the protection of personal data was
infringed in the processing of his or her personal data by the Data Controller, he or she may seek
judicial remedy in accordance with the applicable law from the competent bodies, namely
(a) lodge a complaint with the National Authority for Data Protection and Freedom of
Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.; www.naih.hu), or
b) go to a court.
9.3. The rights and remedies in relation to data processing are set out in details in the Infotv. and
GDPR.
10. PROCESSING OF DATA
10.1. The Data Controller shall not disclose personal data to third parties without the consent of
the data subjects, unless the disclosure is required by law. The Data Controller shall inform the
data subjects in advance of engaging another data processor.
10.2. The data protection obligations of natural or legal persons who may act as data processors
on behalf of the Data Controller shall be set out in the engagement contract with the processor.
The Data Controller shall use only processors providing sufficient guarantees to implement
appropriate technical and organizational measures in such a manner that processing will meet the
requirements and ensure the protection of the rights of the data subject. The processor shall not
engage another processor without the specific or general written authorization of the lawyer.
10.3. The processor processes the personal data only on the Data Controller’s documented
instructions and acts only on the Data Controller’s documented instructions when processing the
data. The processor shall not take any substantive decisions on the personal data that he or she
become aware of. The processor shall not carry out data processing for its own purposes. In the
course of the data processing, the data may be disclosed to the employees of the processor, but
neither the processor nor the employees of the processor may disclose the data to third parties.
11. HANDLING DATA BREACHES
11.1. In the case of a personal data breach, the Data Controller shall, without undue delay and,
where feasible, not later than 72 hours after becoming aware of it, notify the competent
supervisory authority of the personal data breach, unless it can demonstrate, in accordance with
the principle of accountability, that the personal data breach is unlikely to result in a risk to the
rights and freedoms of natural persons.
11.2. When the personal data breach is likely to result in a high risk to the rights and freedoms of
natural persons, the Data Controller shall communicate the personal data breach to the data
subject without undue delay.
11.3. Communication with the data subject shall not be required if any of the following
conditions are met:
a) The Data Controller has implemented appropriate technical and organizational protection
measures, and those measures were applied to the personal data affected by the personal data
breach, in particular those that render the personal data unintelligible to any person who is not
authorized to access it, such as encryption;
b) The Data Controller has taken subsequent measures to ensure that the high risk to the rights
and freedoms of the data subjects is no longer likely to materialize;
c) It the communication would involve disproportionate effort. In such a case, there shall instead
be a public communication or similar measure whereby the data subjects are informed in an
equally effective manner.
12. AMENDMENT OF THE RULES
12.1. The Data Controller reserves the right to amend this Policy in accordance with the
applicable law.
12.2. If the modification of the Policy, in any way, affects the processing of personal data of the
Website’s users, the Data Controller will inform the data subject (user) of the changes via email.
If the details of the data processing are also changed as a result of the amendment of the Policy,
the Data Controller will again request the data subject’s (user’s) consent to the further processing
of his or her data.
With respect to matters not covered by this policy, the provisions of the Infotv., the GDPR and
the law in force shall apply.
Dr. Hernádi Law Office
Data Controller
