Privacy Policy

for Attorney–Client Engagements

Data Controller:

dr. Czotter Regina, Attorney at Law

Hungarian Bar Association ID (KASZ): 36081411

Tax number: 90485767-1-33

Registered office: 2100 Gödöllő, Lomb utca 32.

Phone: +36 70 677 6623

E-mail: drczotterregina@gmail.com

 

The principal legal acts governing data processing:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR);

• Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act);

• Act LXXVIII of 2017 on Attorneys at Law (Attorney Act);

• Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing;

• Act CL of 2017 on the Rules of Taxation;

• Act CXXX of 2016 on the Code of Civil Procedure;

• Act V of 2013 on the Civil Code;

• Act V of 2006 on Public Company Information, Company Registration and Winding-up Proceedings;

• Act LIII of 1994 on Judicial Enforcement;

• Act L of 2009 on Payment Order Proceedings;

• Act CCXXII of 2015 on the General Rules of Electronic Administration and Trust Services.

 

  1. Purpose of data processing related to the attorney-client engagement: The purpose of data processing is the performance of the legal engagement and the fulfillment of legal obligations applicable to attorneys. The attorney is entitled to process data in connection with the preparation of contracts between clients. I also inform my clients that the attorney may countersign documents even if one of the parties to the contract has not granted a mandate to the attorney preparing the document; in such cases, no attorney-client relationship is established between that party and the drafting attorney.

  2. Legal basis of data processing related to the attorney-client engagement: Data processing is carried out pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), in particular Article 6(1)(b) and (c), for the performance of a contract and compliance with legal obligations applicable to the attorney.

    Where the data subject is not a natural person, the legal basis for processing personal data is Article 6(1)(a) of the GDPR (consent of the data subject). Data relating to legal entities and other organisations do not qualify as personal data.

    In relation to close relatives acting on behalf of the Client (Section 28(2) of the Attorney Act), as well as legal representatives and contact persons of legal entities, the legal basis for processing is the legitimate interest of the data controller pursuant to Article 6(1)(f) GDPR. On the same legal basis, the attorney may process the personal data of third parties (e.g. witnesses, experts) where necessary for the performance of the engagement.

  3. Attorney-client privilege: All facts, information and data that come to the knowledge of the Data Controller in the course of practising the legal profession qualify as attorney-client privileged information. Unless otherwise provided by the Attorney Act, the Data Controller is obliged to maintain confidentiality. This obligation extends to documents and other data carriers containing privileged information. The confidentiality obligation is independent of the existence of the attorney-client relationship and remains in force without limitation in time, even after the termination of the engagement.

    The confidentiality obligation does not apply towards persons authorised by law to access such information under Sections 10(3)-(4) of the Attorney Act; however, such persons are also bound by confidentiality.

  4. Categories of data processed in connection with the engagement: Name, birth name, place and date of birth, mother’s name, address, email address and/or telephone number.

    In matters relating to real estate transactions or public registers, as well as in cases requiring client identification, additional data may be processed, including: nationality, tax identification number, personal identification number, bank account number, identity document number for the purpose of client due diligence, and ID card number.

    The attorney’s internal records may contain the following data: internal client identification number assigned by the attorney, client’s name, subject matter of the case, date of conclusion of the engagement agreement, and reference number of proceedings related to the engagement.

    In other cases, the scope of personal data processed depends on the subject matter of the engagement, the applicable legal requirements and the data necessary for the provision of the legal service. In all cases, only data necessary and proportionate to the nature of the legal matter are processed.

  5. Recipients of the data: Personal data may be transferred, in accordance with the purpose of the engagement and data processing, to competent authorities, courts, opposing parties and third parties. During the performance of the engagement, the attorney may appoint a substitute attorney (Section 17 of the Attorney Act), in which case personal data may be transferred to the substitute attorney, who shall act as a data controller. Data may also be transferred to attorney employees and persons assisting in the performance of the engagement.

    Personal data may be processed by third parties involved in the performance of the engagement and may be transferred to external service providers assisting the attorney, including archival services, accounting service providers and IT service providers. In case of postal delivery, address data may be transferred to the Hungarian Post or to the contracted courier service.

  6. Retention period of personal data: Personal data are retained for 5 years following the termination of the engagement; in the case of countersigned documents, for 10 years following the countersignature; and, in matters relating to real estate transactions subject to registration in a public register, for 10 years from the date of registration (Section 53 of the Attorney Act).

    For the purpose of fulfilling legal obligations, including statutory accounting and taxation obligations, the attorney processes the client’s name, address and tax number in accordance with applicable legislation. In such cases, personal data are retained for 8 years following the termination of the legal relationship serving as the legal basis for processing.

    The recipients of personal data in this context are the attorney’s data processors responsible for accounting and taxation services.

  7. Data Protection Officer: Pursuant to Article 37(1)(a) of the GDPR, the attorney (law office), as data controller, is not required to appoint a data protection officer, as an attorney (law office) does not qualify as a public authority or public body.

  8. Rights of the Client: As a natural person affected by data processing in connection with the attorney-client relationship, the Client has the right to transparent information and communication, as well as to the facilitation of the exercise of their rights.

    The data subject has the right of access and the right to rectification, the right to be informed about data protection incidents, the right to lodge a complaint with the supervisory authority – the National Authority for Data Protection and Freedom of Information – and the right to an effective judicial remedy against the supervisory authority. The data subject also has the right to an effective judicial remedy against the data controller or data processor.

    Where data processing is based on consent, the data subject may withdraw their consent at any time. Such withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal of consent.

    Subject to the conditions and limitations set out in applicable data protection legislation, the data subject also has the right to erasure (“right to be forgotten”), the right to restriction of processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling. Detailed provisions concerning the rights of data subjects are set out in the GDPR.

  9. Handling of data protection incidents: The Data Controller shall report any data protection incident without undue delay, and where feasible not later than 72 hours after having become aware of it, to the competent supervisory authority, unless the Data Controller can demonstrate, in accordance with the principle of accountability, that the data protection incident is unlikely to result in a risk to the rights and freedoms of natural persons.

    Where the data protection incident is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the data subject without undue delay. The data subject need not be informed if one of the following conditions is met:

    • The Data Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the incident, in particular measures such as encryption that render the data unintelligible to any person not authorised to access them;

    • The Data Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;

    • Providing the information would involve disproportionate effort. In such cases, a public communication or similar measure shall be used to inform the data subjects in an equally effective manner.