goldenvisalawyers.hu

Data protection, cookie management

We believe you can maintain your privacy in the online world. Our website uses cookies to improve your browsing experience, but we always respect your privacy and give you the opportunity to customise your preferences.

In accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (hereinafter: the Regulation), the following information is provided to the data subject on the processing of personal data and on the data subject's rights:


Our Privacy Policy

I. NAME OF THE CONTROLLER

NAME: Illés and Szabó Lawyers Association

Represented by Dr. Géza Illés Márton Law Office

Chamber registration number: T-370/2024 (BÜK), 1332 (MÜK)

Location: Hungary, 1024 Budapest, Lövőház utca 2-6.

Tel: +36 1 210 79 10

E-mail: [email protected]

Website: goldenvisalawyers.hu

Data Protection Officer: none (hereinafter referred to as "Data Controller")

II. IDENTIFICATION OF DATA PROCESSORS

IT service provider data processor name: Capitol Reef Consulting Kft.

Registered office: H-2462 Martonvásár, Radnóti Miklós utca 15.

E-mail: [email protected]

Website: https://capitolreef.consulting/

Data Protection Officer: none (hereinafter referred to as the "Data Processor")

III. INFORMATION ON CERTAIN DATA PROCESSING

The data subject shall be informed of the purposes, legal basis and other circumstances of the processing carried out by the Data Controller at the time of the receipt of the data or at the time of the first contact.

Certain data processing

1. Cookie management on the website

Our website uses cookies to facilitate use and to provide you with a better user experience. Cookies are necessary for logging in and using the shopping cart functions. The legal basis for the processing of these cookies is the legitimate interest of the controller. During our advertising campaigns, we also use cookies to measure our advertisements, if you consent. Our website uses Google Analytics and Facebook's pixel metering application for marketing purposes. Google Analytics uses internal cookies to generate reports for its customers on the habits of visitors to the website. Google will use this information to evaluate the use of the website by visitors. In addition, it generates reports on website activity for the website owner so that it can provide additional services. The data will be stored by Google in encrypted form on its servers in order to ensure data security. Website users who do not want Google Analytics to generate JavaScript reports about their data can install the Google Analytics disable browser extension. If you do not want to use Google Analytics JavaScript (ga.js, analytics.js, and dc.js), you should not allow Google Analytics to send information to your browser. The browser extension can be used in most recent browsers. The Google Analytics browser add-on does not prevent data from being sent to the website itself and other web analytics services. Google's privacy policy is available by clicking on the link. More detailed information on the use and protection of data can be found at the links above.

You can read more about Google's privacy policy here and Facebook's privacy policy here. For more information on how Facebook manages and sets your data, click here.

2. Data processing in connection with registration on the website

The purpose of registration on the website and the related data processing is to provide the services offered on the website, billing, contact, secure login, identification.

Legal basis for processing: consent of the data subject (Article 6 /1/ a./ GDPR).

Registration is voluntary. On the website, the natural person registering can give his/her consent to the processing of his/her personal data by ticking the relevant box. It is prohibited to tick the box in advance. The data subject has the right to withdraw his/her consent at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal. The data subject must be informed before consent is given. The withdrawal of consent shall be made possible in the same simple manner as the giving of consent. Consequences of not providing the data: registration on the website is not possible.

Data subject: a person who registers on the website, typically a service user or, in the case of a legal person, a contact person.

The data processed are: name, address, telephone number, e-mail address, billing and mailing name and address, taxpayer identification number for individuals, online identifier.

The data controller does not carry out automated decision-making, profiling, and does not classify or categorise data subjects.

The recipients of personal data - who may access the data - and the categories of recipients: employees of the controller, persons under the control of the Processor as processors.

Data transfers to third countries: none.

Duration of storage of personal data: until the registration is maintained or until the data subject's consent is withdrawn (request for erasure).

The registration and data of inactive users must be deleted by 31 December of the 3rd year following the last activity. A user is inactive if he/she does not use his/her registered user account, does not perform any activity or does not log in.

3. Data processing related to the billing of services ordered on the website

The purpose of the processing of data related to the invoicing of services ordered on the website is to comply with the tax and accounting obligations required by law (accounting records, taxation).

Legal basis for processing: performance of a legal obligation (Article 6 /1/ c./ GDPR).

The consequence of not providing the information: the natural person who has bought the goods cannot receive a registered invoice, which - except in cases of exemption from issuing an invoice (Article 165 of the VAT Act) - constitutes an obstacle to the purchase.

Person concerned: the buyer is an individual.

The data processed are: name, address, tax number of the taxable person in the case of an individual taxable person, tax status (e.g. self-employed, self-employed person) and other data required by law to be included in the invoice, place and time of performance, consideration, VAT amount, amount payable.

Governing legislation: § 169 and § 202 of Act CXXVII of 2017 on Value Added Tax, § 167 of Act C of 2000 on Accounting. Act CXVII of 1995 on Personal Income Tax.

The data controller does not carry out automated decision-making, profiling, and does not classify or categorise data subjects.

The recipients of personal data - who may access the data - and the categories of recipients: employees of the controller, the IT service provider or a designated person under the control of the accounting service provider. Invoices issued by a taxable person to an individual are required by law to be reported to the tax authority (Annex X of the VAT Act).

Data transfers to third countries: none.

Duration of storage of personal data: 8 years.

4. Data processing in relation to the Contact menu of the website

The purpose of the data processing related to the use of the Contact menu of the website is to answer questions, comments, complaints and to process orders.

Legal basis for processing: consent of the data subject (Article 6 /1/ a./ GDPR).

Use of the Contact menu is optional. The data subject has the right to request from the Data Controller access to, rectification, erasure or restriction of processing of personal data and to object to the processing of such personal data, as well as the right to data portability.

The consequence of not providing the data: it is not possible to contact you using the Contact menu on the website.

Person concerned: who sends a message using the Contact menu on the website.

Data processed: name, telephone number, e-mail address.

The data controller does not carry out automated decision-making, profiling, and does not classify or categorise data subjects.

The recipients of personal data - who may access the data - and the categories of recipients: an employee of the controller and a person under the control of the IT service provider.

Data transfers to third countries: none.

Duration of storage of personal data: data must be deleted after 3 years from the 31 December following the date of contact.

5. Processing of data relating to the mandate of a lawyer

The purpose of the processing of data related to the lawyer's mandates ordered on the website is the execution of the lawyer's mandate, the identification of the client, the client due diligence and reporting obligations in transactions related to the transfer of real estate property, the acquisition of the data on which the facts are based.

Legal basis for processing: performance of a legal obligation (Article 6 /1/ c./ GDPR).

The consequence of not providing the data: refusal to execute the order.

The person concerned is: customer, party to a contract with a customer.

The data processed include: name, name at birth, place and date of birth, mother's name at birth, address, address of residence, personal identification number, social security number, tax identification number, tax number, tax status (e.g. self-employed, self-employed farmer), e-mail address, telephone number, bank account number and other data required by law.

Governing legislation: Act LIII of 2017 on the Prevention and Suppression of Money Laundering and Terrorist Financing, Act LXXVIII of 2017 on the Activities of Lawyers

The data controller does not carry out automated decision-making or profiling, does not classify or categorise data subjects, but keeps records as required by the applicable legislation.

The recipients of the personal data - who may access the data - and the categories of recipients are: employees of the controller, members of the law firm or lawyer involved in the performance of the mandate of the Illés and Szabó Lawyers Association, their employees, the Data Processor and the designated person under the control of the accounting service of the persons involved in the performance of the mandate of the lawyer. Invoices issued by a taxable person to an individual must be reported to the tax authority in accordance with the law (Annex X of the VAT Act).

Data transfers to third countries: none.

Duration of storage of personal data: 10 years.

The engagement of a lawyer is a mandate to act as a lawyer. The contract of engagement must be in writing unless it is for the provision of legal advice only.

The legal basis for the processing of the data of the relative, legal representative and contact person who gives the order on behalf of the client is the legitimate interest of the lawyer who is the controller pursuant to Article 6(1)(f) of the GDPR. The lawyer also processes the data of third parties, such as witnesses and experts, necessary for the performance of the mandate on the basis of legitimate interest.

The data will be transferred to the lawyer's archiving, accounting and, in the case of electronic communication, IT service provider for processing. In the case of postal delivery, the address data will be transferred to the Hungarian Post or the appointed courier service.

Recipients: personal data may be disclosed to competent authorities, courts, third parties, according to the purpose of the processing. The lawyer may use a substitute lawyer in the performance of the mandate, the data may be transferred to the substitute lawyer. The data may be communicated to the lawyer's employees. The personal data may be disclosed to persons assisting the lawyer in the performance of the mandate or to other persons engaged in connection with the performance of the mandate whose assistance or engagement has been approved by the client.

If the regional bar association appoints a bailiff, the bailiff is entitled to represent the lawyer and to inspect the files.

In the case of countersigning a document, the Data Controller shall keep the document countersigned by a lawyer and other documents relating to the matter of countersigning the document for ten years from the date of countersigning, unless a longer retention period is provided for by law or the parties have agreed to a longer retention period.

Personal data is considered a lawyer's privilege and the lawyer takes enhanced security measures to protect it.

The client, as the natural person concerned by the processing of the lawyer's data, has the right to transparent information, communication and facilitation of the exercise of his or her rights in connection with the processing. The data subject shall have the right of access and rectification, the right to be informed of a personal data breach, the right to lodge a complaint with a supervisory authority (right of official redress), the right to an effective judicial remedy against a supervisory authority, the right to an effective judicial remedy against a controller or processor. The right to erasure ('right to be forgotten'), the right to restriction of processing, the right to data portability, the right to object, the right to automated decision-making, the right to profiling, subject to the conditions and limitations set out in data protection legislation. Detailed rules on the rights of the natural person concerned are set out in the EU General Data Protection Regulation. The data subject has the right to lodge a complaint with the supervisory authority (National Authority for Data Protection and Freedom of Information).

IV. INFORMATION ON DATA SECURITY MEASURES

The Data Controller has taken the technical and organisational measures and established the procedural rules necessary to enforce the GDPR in order to ensure the security of personal data for all purposes and for all lawful purposes. The Data Controller shall take appropriate measures to protect the data against accidental or unlawful destruction, loss, alteration, damage, unauthorised disclosure or access.

Data protection information

V. INFORMATION ON DATA SUBJECTS' RIGHTS

Data subjects have the following rights. A brief summary of the data subject's rights:

Transparent information, communication and facilitation of the exercise of data subject rights

Right of access of the data subject

The right to rectification

Right to erasure ("right to be forgotten")

Right to restriction of processing

Obligation to notify the rectification or erasure of personal data or restriction of processing

The right to data portability

The right to object

Automated decision-making on individual cases, including profiling

Informing the data subject about the personal data breach

The right to lodge a complaint with a supervisory authority (right to official redress)

Right to an effective judicial remedy against the supervisory authority

The right to an effective judicial remedy against the controller or processor

The data subject's rights in detail and in full:

Below you will find full information about your rights as a data subject.

Transparent information, communication and facilitation of the exercise of data subject rights

1.1 The controller shall provide the data subject with all information and any particulars relating to the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular in the case of any information addressed to children. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. At the request of the data subject, information may be provided orally, provided that the identity of the data subject has been verified by other means.

1.2 The controller must facilitate the exercise of the data subject's rights.

1.3 The controller must inform the data subject of the measures taken in response to his or her request to exercise his or her rights without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months under the conditions laid down in the Regulation.

1.4 If the controller does not act on the data subject's request, the controller must inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise his or her right of judicial remedy.

1.5 The data controller shall provide the information and take action on the rights of the data subject free of charge, but may charge a fee in the cases provided for in the GDPR.

The detailed rules can be found under Article 12 of the Regulation.

Right of access of the data subject

2.1 The data subject shall have the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if such processing is taking place, the right to access the personal data and related information (Article 15 of the Regulation).

2.2 Where personal data are transferred to a third country or an international organisation, the data subject is entitled to be informed of the appropriate safeguards for the transfer in accordance with Article 46 of the Regulation.

2.3 The controller must provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Detailed rules on the data subject's right of access are set out in Article 15 of the Regulation.

The right to rectification

3.1 The data subject shall have the right to obtain from the Data Controller, upon his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her.

3.2 Taking into account the purpose of the processing, the data subject shall also have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

These rules are set out in Article 16 of the Regulation.

Right to erasure ("right to be forgotten")

4.1 The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay at his or her request, and the controller shall be obliged to erase personal data relating to him or her without undue delay if:

(a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;

(c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

(f) the personal data were collected in connection with the provision of information society services directly to a child.

4.2 The right to erasure cannot be exercised if the processing is necessary:

(a) for the exercise of the right to freedom of expression and information;

(b) to comply with an obligation under Union or Member State law to which the controller is subject or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) on the basis of public interest in the field of public health;

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or

(e) for the presentation, exercise or defence of legal claims.

Detailed rules on the right to erasure are set out in Article 17 of the Regulation.

Right to restriction of processing

5.1 In the event of restriction of processing, such personal data, with the exception of storage, may only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

5.2 The data subject shall have the right to obtain, at his or her request, restriction of processing by the Controller where one of the following conditions is met:

(a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for the period of time necessary to allow the Controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;

(c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or

(d) the data subject has objected to the processing; in this case, the restriction shall apply for the period until it is established whether the legitimate grounds of the controller override those of the data subject.

The relevant rules are set out in Article 18 of the Regulation.

Obligation to notify the rectification or erasure of personal data or restriction of processing

The controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject, at his or her request, of these recipients.

These rules can be found under Article 19 of the Regulation.

The right to data portability

7.1 Subject to the conditions set out in the Regulation, the data subject shall have the right to obtain the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which he or she has provided the personal data, if:

(a) the processing is based on consent or on a contract; and

(b) the processing is carried out by automated means.

7.2 The data subject may also request the direct transfer of personal data between data controllers.

The detailed rules are set out in Article 20 of the Regulation.

The right to object

8.1 The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data based on the public interest, the performance of a public task (Article 6(1)(e)) or a legitimate interest (Article 6(1)(f)), including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. Under the balancing of interests test, the controller shall disclose the content of the legitimate interest and shall consider how the pursuit of the legitimate interest affects the interests or fundamental rights and freedoms of the data subject. The latter must then be weighed against the legitimate interest of the controller, in particular where the data subject is a child. If, in the balancing exercise, the interests of the data subject require the protection of personal data, the processing should not be continued.

8.2 Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for those purposes.

8.3 These rights must be explicitly brought to the attention of the data subject at the latest at the time of the first contact with the data subject and the information must be clearly displayed and separated from any other information.

8.4 Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The relevant rules are set out in Article 21 of the Regulation.

Automated decision-making on individual cases, including profiling

9.1 The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Further rules are set out in Article 22 of the Regulation.

Informing the data subject about the personal data breach

10.1 Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay. This information shall clearly and plainly describe the nature of the personal data breach and shall include at least the following:

(a) the name and contact details of the Data Protection Officer or other contact person who can provide further information;

(b) describe the likely consequences of the data breach;

(c) describe the measures taken or envisaged by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate any adverse consequences of the personal data breach.

10.2 The data subject need not be informed if any of the following conditions are met:

(a) the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the personal data breach, in particular measures, such as the use of encryption, which render the data unintelligible to persons not authorised to access the personal data;

(b) the controller has taken additional measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise;

(c) the information would require a disproportionate effort. In such cases, the data subject shall be informed by means of publicly disclosed information or by a similar measure ensuring that the data subject is informed in an equally effective manner.

Further rules are set out in Article 34 of the Regulation.

The right to lodge a complaint with a supervisory authority (right to official redress)

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the Regulation. The supervisory authority with which the complaint has been lodged must inform the data subject of the procedural developments and the outcome of the complaint, including the right of the data subject to judicial remedy.

These rules are set out in Article 77 of the Regulation.

Right to an effective judicial remedy against the supervisory authority

11.1 Without prejudice to any other administrative or non-judicial remedy, any natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her.

11.2 Without prejudice to other administrative or non-judicial remedies, any data subject shall have the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint lodged or of the outcome of the complaint.

These rules are set out in Article 78 of the Regulation.

The right to an effective judicial remedy against the controller or processor

12.1 Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority, any data subject shall have an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data not in accordance with this Regulation.

12.2 Proceedings against the controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in its exercise of official authority.

These rules are set out in Article 79 of the Regulation.

The HUNGARIAN GOLDEN VISA LAWYERS team

Illés and Szabó Lawyers Association
represented by: dr. Géza Márton Illés, lawyer
data controller