DATA PROCESSING NOTICE
on the rules and practice of data processing by the members of KUN & PARTNER
ASSOCIATION OF ATTORNEYS-AT-LAW
Pursuant to Articles 13 and 14 of Regulation (EU) 216/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46EC (hereinafter referred to as ’General Data Protection Regulation’ or ’GDPR Regulation’), the members of KUN & PARTNER Association of Attorneys-at-Law as Joint Controllers (hereinafter referred to as ’Association of Attorneys-at-Law’) provide the following information about the recording and processing of your personal data.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
a) the controller or processor is established on the territory of the Member State of that supervisory authority;
b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
c) a complaint has been lodged with that supervisory authority;
‘JÜB’ stands for Data Delivering Frame System to Strengthen the Security of Legal Affairs and means a service provider system within the Central Office for Administrative and Electronic Public Services which provides data via electronic means for lawyers, notaries and court enforcement officers for the purpose of strengthening the security of legal affairs from personal and document records as well as from vehicle records for personal identification and document validation as well as vehicle data identification and address inquiries.
Name of controller : Kun Péter Law Office
Registered office and postal address : H–1114 Budapest, Bartók Béla út 15/C fe. 28.
Telephone number: +36-1-411-2160
Registration number: Budapest Bar Association, No. 1474
Name of Controller : Kertész Éva Law Office
Registered office and postal address: H–1114 Budapest, Bartók Béla út 15/C fe. 28.
Telephone number: +36-1-411-2160
Registration number: Budapest Bar Association, No. 3447
The members of Kun & Partner Association of Attorneys-at-Law, Kun Péter Law Office, Kertész Éva Law Office as joint controllers (hereinafter referred to as ‘Law Offices’ or ‘Members of the Association of Attorneys-at-Law’) accept to be bound by the contents of this notice. The members and employees of the Law Offices contributing to the provision of services to clients commit themselves in accordance with this notice to the compliance of all data processing related to their activities with all requirements set out in current legislation.
Pursuant to Article 26 of the GDPR Regulation, the Law Offices shall be joint controllers, having regard to the fact that they jointly determine the purposes and means of processing data specified in this Data Processing Notice. The purpose of the cooperation between and the joint processing by the members of the Association of Attorneys-at-Law, as joint controllers, is to complete the preparation processes of agency contracts and to efficiently provide services to clients. The Law Offices shall be jointly entitled to joint processing.
III. Data Processing activities
With regard to the data processing activities specified in this section, the controller Law Offices shall act jointly and severally, by creating shared infrastructure. The members of the Association of Attorneys-at-Law shall process personal data in the following cases, for the following data processing purposes:
1. Application for job advertisements
Purpose of data processing: to process the data of applicants for a post during the recruitment process. Data shall not be transmitted to any third parties.
Legal basis of data processing : by sending an application for the post advertised by the Association of Attorneys-at-Law, the data subject gives his or her explicit consent to the processing of the data included in his or her curriculum vitae in relation to the job advertisement. In this case, the consent of the Data Subject shall form the legal basis of data processing, pursuant to Article 6(1)(a) of the GDPR Regulation.
Period of data processing: if your application is successful and you fill the advertised post, the members of the Association of Attorneys-at-Law shall no longer process the data included in your curriculum vitae for the above purposes and shall erase them in respect of this purpose. The data of applicants not recruited for the post will be retained for a further year after the date of the decision made on filling the post, in case the post advertised becomes vacant again. Your personal data included in your curriculum vitae shall be erased after the lapse of one year from the date of submission.
2. Processing of data in relation to the performance of an agency
If an agency contract is concluded between any member of the Association of Attorneys-at-Law and you, your employer or a business organisation in which you have an interest, the personal data of the client, the representatives of the client, the opposing parties, witnesses, experts and other natural persons related to the performance of the specific agency shall be processed by the Law Offices in order to fulfil the agency contract.
Purpose of data processing : to perform the agency contract, to represent the legal interests of the client, and to communicate in relation to that.
In case of certain mandates, data processing is mandatory and the attorney-at-law is obliged to record and process the personal data of his or her client pursuant to Sections 32 and 33 of Act LXXVIII of 2017 on the professional activities of attorneys-at-law (‘Attorneys’ Act’) and Sections 6 to 21 and subsection (1) of Section 73 of Act LIII of 2017 on the prevention and combating of money laundering and terrorist financing (‘Anti-Money Laundering Act’).
Legal basis of data processing : Article 6(1)(b) of GDPR Regulation (performance of a contract), and Article 6(1)(c) of GDPR Regulation (compliance with a legal obligation): Subsection (1) of Section 1 and Sections 32 and 33 of the Attorneys’ Act, and Sections 6 to 21 and Subsection (1) of Section 73 of the Anti-Money Laundering Act.
Types of personal data processed:
In relation to natural persons:
- natural identification data;
- address of domicile, or habitual residence in the absence thereof;
- citizenship, refugee status, stateless status, immigrant status, etc.;
- type and number of the document used for identification purposes;
- facial image and signature;
- the identification number of the reply received to JÜB data request;
- identification number of the cases where identification of natural persons is mandatory.
In relation to legal persons or unincorporated associations:
- name, abbreviated name;
- registered office, branch in Hungary;
- company registration number or other registration number;
- in the absence thereof, the name and identification number of the registration body, or the number of the decision on the establishment, registration or entry;
- main activities;
- personal identification data and position of any natural person acting as a representative thereof;
- data that are suitable for the identification of their agent of service of process;
- identification number of the cases where the identification of legal entities is mandatory.
Further personal data required for the purpose of fulfilling obligations under the agency contract:
- contact data (telephone number, e-mail address);
- personal identification number;
- tax number and tax identification number of client;
- bank account number of client.
The personal data processed by the Law Offices may be transmitted to the financial intelligence unit operated within the National Tax and Customs Administration in cases required by the Attorneys Act, and shall be transmitted to the regional bar association, pursuant to Subsection (1) of Section 74 of the Anti-Money Laundering Act, and to the financial intelligence unit operated within the National Tax and Customs Administration, pursuant to Subsection (1) of Section 75 of the Anti-Money Laundering Act.
For customer due diligence measures carried out by other service providers under Subsection (1) of Section 22 of the Anti-Money Laundering Act, identification data recorded during the due diligence procedure shall be disclosed by the agent.
Furthermore, data may be transferred in order to perform the agency or if the case requires (e.g. sending the data of the parties with opposing interests, witnesses, experts to a non-EEA national client represented in a lawsuit or transferring the documents of the case on which the agency is based to another attorney involved in performing an attorney’s agency contract). In such cases you shall be informed individually.
Period of data processing: the Law Offices shall process data recorded in their register of cases for five years from the termination of the agency, while in relation to cases where legal representation is mandatory the data specified in Subsection (2) of Section 33 of the Attorneys’ Act shall be processed for eight years from the termination of the business relationship established with a client or the date of carrying out the transaction order . In the event of countersigning a document while performing an agency, data shall be processed for ten years from the countersigning of the document, or in cases concerning the recording of a right relating to real estate into a publicly certified register, for ten years from the date of entry of that right (Subsections (3) and (5) of Section 53 of the Attorneys’ Act, Subsection (7) of Section 33 of the Attorneys’ Act, Subsection (2) of Section 56 of the Anti-Money Laundering Act, Subsection (2) of Section 57 of the Anti-Money Laundering Act).
3. Compliance with other regulatory requirements
In addition to the cases set out in Section 2 above – depending on the content of the agency –the processing of further data may be made mandatory by legislation.
Purpose of data processing : to comply with regulatory requirements; to fulfil record keeping and reporting obligations; to comply with investigations of authorities and other requirements of the government, the authorities or the bar associations.
Types of personal data processed : pursuant to Sections 32 and 33 of the Attorneys’ Act and Sections 6 to 21 of the Anti-Money Laundering Act, in addition to record keeping obligations to which attorneys shall be subject to, further record keeping and reporting obligations may be imposed by various procedural or financial laws and regulations of bar associations when each agency is performed. The members of the Association of Attorneys-at-Law may process or transfer data in order to comply with investigations of authorities and other requirements of the government, the authorities or the bar associations to the extent required by legislation.
In such cases, the types of data to be processed, the purpose and conditions of data processing, the accessibility and transferability of data, and the period of data processing or a periodic review of its necessity shall be set out by the law prescribing data processing or other legal acts, upon which our clients shall be individually informed, in accordance with the speciality of the agency.
Types of personal data processed: data required for issuing the invoice and data included in the invoice.
In relation to natural persons: name, address of domicile, tax identification number;
in relation to organisations: name, registration number, tax number, registered office, bank account number.
Furthermore, in documents of movements of inventories and liquid assets receipts, the signature of payer.
Period of data processing: personal data processed in relation to compliance with legal acts on accounting and taxation shall be processed for eight years, pursuant to Subsection (1) of Section 169 of Act C of 2000 on Accounting (‘Accounting Act’).
Accordingly, the Law Office engaged by the client shall disclose the personal data of the clients to P.I.K. Audit Kft., as processor (company registration number: 01-09- 974966, registered office: H–1115 Budapest, Somogyi út 20. 2. em. 1.), in order to comply with legal acts on accounting and taxation, to issue invoices and to fulfil its obligations related to paying taxes, contributions and other public charges.
Purpose of data processing: to send a newsletter edited by our staff members to our clients/business partners.
By sending the newsletter, the aim of the Association of Attorneys-at-Law is to provide our clients with information about the publications of our fellow attorneys. The newsletter shall be sent exclusively to clients and business partners who give their consent thereto. Such consent may be given in person or by providing e-mail details. You may withdraw your consent at any time, without limitation or explanation, free of charge, by sending a message with this subject onto the e-mail address provided for communication, following which the members of the Association of Attorneys-at-Law shall no longer be allowed to send any further newsletters. Data processed on these grounds shall not be transmitted to third parties.
Legal basis of data processing: Article 6(1)(a) of the GDPR Regulation (giving consent).
Types of personal data processed: name and e-mail address of client.
Period of data processing: until consent is withdrawn.
IV. Website and cookies
The shared website ( www.kunadvocate.hu) and mailing system of the members of the Association of Attorneys-at-Law are operated by Kun Péter Law Office (hereinafter referred to as ‘Website and Mailing System’).
The Website maintained by Controllers may be accessed and information may be freely retrieved from all contents stored therein by anybody without disclosing their personal data or revealing their identity. We shall not wish to uniquely identify the visitors of the Website or the participants of the Mailing System unless they provide their data voluntarily on the Website or via the Mailing System in some manner. On the Website and in the Mailing System, personal data may be collected solely through sending e-mails containing personal data (e.g. curriculum vitae).
V. Data security measures
Personal data shall be stored in the registered office of the Association of Attorneys-at-Law, located at H–1114 Budapest, Bartók Béla út 15/C fe 28. in an office, in a closed information technology system. The members of the Association of Attorneys-at-Law shall take all reasonably expectable technical precautions in order to store data in a secure manner and inaccessibly by third parties; however, please note that potential internet-based attacks cannot always be prevented or deterred.
The circle of individuals with access to data is limited. Processors providing IT services for the Law Offices and our partners performing accounting tasks may have access to the data, where necessary. Our staff members and partners providing services are subject to a contractual secrecy obligation to the members of the Association of Attorneys-at-Law, in accordance with which processors are obliged to respect the security and confidentiality of data and maintain these during their activities.
VI. Rights of clients in relation to the processing of data
You may exercise your rights under the GDPR Regulation in relation to and against any controller Law Offices. An exception to these is made for any right or obligation to which explicitly only one controller is subject to under this notice or the agency contract concluded with you.
The controller Law Offices shall designate Kun Péter Law Office (mailing address: H–1114 Budapest, Bartók Béla út 15/C fe 28.; telephone number: +36-1/411-2160; e-mail address: firstname.lastname@example.org) as their joint point of contact (hereinafter referred to as ‘Point of Contact’) for the purposes of completing inquiries from data subjects.
In relation to the processing of your personal data, you shall have the following rights:
a) right of access ( Article 15 of the GDPR Regulation) : you shall have the right to obtain from the Point of Contact designated in this Notice of the Association of Attorneys-at-Law information as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information included in this Notice.
Upon your request, the Point of Contact shall provide a copy of the personal data undergoing processing. For any further copies that you requested, we may charge a reasonable fee based on administrative costs and labour. If you have made the request by electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested.
b) right to rectification ( Article 16 of the GDPR Regulation) : you shall have the right to obtain from the Law Offices without undue delay the rectification of inaccurate personal data concerning you. You shall also have the right to have incomplete personal data completed.
Clients shall assume sole responsibility and obligation to inform the Law Office that they have instructed about any changes to their data. Clients shall be obliged to fulfil this obligation within five days from the date of the change.
c) right to erasure (Article 17 of the GDPR Regulation): you shall have the right to obtain from the members of the Association of Attorneys-at-Law the erasure of personal data concerning you without undue delay and the members of the Association of Attorneys-at-Law shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- you withdraw your consent;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Law Offices are subject.
d) right to restriction of processing (Article 18 of the GDPR Regulation): you shall have the right to obtain from the members of the Association of Attorneys-at-Law restriction of processing where one of the following applies:
- the processing is unlawful, and you oppose the erasure of the personal data and request the restriction of their use instead;
- the members of the Association of Attorneys-at-Law no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims.
e) right to information about the above rights (Article 12 of the GDPR Regulation): the members of the Association of Attorneys-at-Law shall provide information in a concise, transparent, intelligible and clear form about the circumstances relating to the processing of data without undue delay and in any event within one month of receipt of your request under the above Sections a) to d). That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The members of the Association of Attorneys-at-Law shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
Communication shall be provided free of charge. Where your requests are manifestly unfounded or excessive, in particular because of their repetitive character, the members of the Association of Attorneys-at-Law may either: i) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or ii) refuse to act on the request. The members of the Association of Attorneys-at-Law shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
f) right to lodge a complaint ( Article 77 of the GDPR Regulation): you hall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR Regulation. The complaint may be lodged at the National Authority for Data Protection and Freedom of Information (address: H–1125 Budapest, Szilágyi Erzsébet fasor 22/C.; telephone number: +36 1 391 1400; fax: +36 1 391 1410;www.naih.hu; email@example.com).
g) right to an effective judicial remedy ( Article 79 of the GDPR Regulation): you shall have the right to an effective judicial remedy where you consider that your rights under the GDPR Regulation have been infringed as a result of the processing of your personal data in non-compliance with the GDPR Regulation. Proceedings against the members of the Association of Attorneys-at-Law shall be brought before the courts of the Member State where the Law Office concerned has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where you have your habitual residence.
h) right to data portability (Article 20 of the GDPR Regulation): you shall have the right to receive the personal data concerning you, which you have provided to a member of the Association of Attorneys-at-Law, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the member of the Association of Attorneys-at-Law, where the processing is based on consent or on a contract. Furthermore, you shall have the right to have the personal data transmitted directly from the member of the Association of Attorneys-at-Law to another controller, where technically feasible.
VII. Updating the Data Processing Notice
Controllers shall reserve the right to amend this Data Processing Notice any time unilaterally. This Notice may be amended in particular when it is required by any changes to legislation, practices of the data protection authorities, business needs or other circumstances.