Privacy policy

Preambulum

The Magyar Law Office (seat: 1143 Budapest, Stefánia út 37, III. floor 3, Budapest Bar Association identification number: 571, hereinafter referred to as the “Data Controller”) is subject to the provisions of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Infotv. ), the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) 95/46/EC (hereinafter referred to as “GDPR”), and other legal requirements related to data processing, in particular the provisions of Act V of 2013 on the Civil Code (hereinafter referred to as “Civil Code”), as amended by Act V of 2013 on the Civil Code (hereinafter referred to as “Civil Code”). ) and the rules on attorney-client privilege of Act LXXVIII of 2017 on the activities of lawyers (hereinafter referred to as the “Act on Attorney-Client Privilege”), the clients of the Magyar Law Office and the www.magyarugyvediiroda. hu (hereinafter collectively referred to as “Data Subjects”) on its practices regarding the personal data processed, on the organizational and technical measures taken to protect personal data, on the exercise and enforcement of the Data Subjects’ rights related to data processing and, in addition, on the relevant rules on attorney-client privilege and business secrets:

I. Scope of the Privacy Notice

This Privacy Notice applies only to the personal data of natural persons Data Subjects; data of legal persons or other entities are not considered personal data.

II. Legal basis for data processing

-Act LXXVIII of 2017 on the activity of lawyers (Act on the Activity of Lawyers),

-Act LII of 2017 on the implementation of financial and property restrictive measures imposed by the European Union and the UN Security Council,

-Act LIII of 2017 on the Prevention and Suppression of Money Laundering and Terrorist Financing (Pmt.),

Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information,

-Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation – GDPR).

III. Principles of data management

With regard to the safeguards set out in Article 5 of the GDPR, personal data may only be processed for specified purposes, for the exercise of a right and for the performance of an obligation. At all stages of processing, the processing must be compatible with the purposes for which it is carried out, and processing incompatible with those purposes may not be carried out. The collection and processing of data must be lawful, fair and transparent to the data subject. Processing by law shall be carried out only for the purposes specified in the law which authorised it.

Only personal data which is necessary for the purpose of the processing and therefore adequate for the purpose may be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose.

The personal data shall retain this quality during the processing for as long as its relationship with the data subject can be re-established. The link with the data subject can be re-established if the controller has the technical conditions necessary for the re-establishment of the link.

The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.

The data should be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by implementing appropriate technical and organisational measures.

Where this is possible, the processing of personal data should be avoided and, where the processing of personal data is unavoidable, the Controller should be able to demonstrate at all times its compliance with the principles set out in this point. Appropriate procedures should be established to ensure that the lawfulness of the processing of all personal data processed by the Controller can be demonstrated.

In view of the above, the Controller shall ensure a level of data security appropriate to the level of risk, including, where appropriate, the pseudonymisation or encryption of personal data, taking into account the state of science and technology, the cost of implementation, the nature, scope, context and purposes of the processing and the potential risks.

The effectiveness of the technical and organisational measures taken to ensure the security of data processing shall be regularly monitored and, where a deficiency is detected, measures shall be taken to remedy it as soon as possible.

With regard to the data processed in the context of the activities of the Data Controller, the Data Controller shall be responsible for providing the data subjects with appropriate information before the inclusion of their data. The information is adequate if it is clear, detailed and complete, i.e. it covers all relevant circumstances of the processing, in particular its purposes, legal basis, duration, the identity of the controller and, where different from the controller, of the processor, the possible transfer of the data to a third party, the means of withdrawal of consent and the possible consequences. The information shall also cover the rights and remedies of the data subject in relation to the processing. In the case of mandatory processing, the information may also be provided by making public a reference to the legal provisions containing the foregoing information.

The information given to the data subject shall clearly and precisely specify the purposes for which the data are processed, in particular where the duration of the processing of personal data is specified as the time for achieving the purposes of the processing without specifying a specific time limit.

IV. Purpose of this privacy notice

The Magyar Law Office is a data controller in the processing of data on the website magyarugyvediiroda.hu, as well as in the publication and evaluation of job applications and the provision of legal services, and therefore wishes to provide detailed information to Data Subjects on the processing of personal data.

V. Data Controller’s data

a) Name of Data Controller: Magyar Law Office

b) Data Controller’s seat: 1143 Budapest, Stefánia út 37, III. floor 3

c) Contact telephone and fax numbers of the Data Controller: telephone: +36 1 333 55 99, fax: +36 1 700 43 40

d) Electronic contact details of the Data Controller: office@magyarugyvediiroda.hu;

e) Website of the Data Controller: www.magyarugyvediiroda.hu (hereinafter referred to as the Website)

f) Controller’s identification number: 571 (Budapest Bar Association)

VI. Scope of the data processed

The website magyarugyvediiroda.hu can be visited free of charge, without providing any personal data. The Data Subjects can obtain information about the Services provided by the Data Controller on the Website without registration. The Data Subjects shall be responsible for the data provided by the Data Subjects and for the content uploaded by them, and the Data Controller excludes any liability in this regard.

1) Data processed in the course of automated data collection in relation to the Website

We use cookies and other software solutions on the Website in order to understand the needs of the users of the Website, their habits of using the Website and to improve the Website on the basis of these, as well as to compile anonymous statistics on visits to the Website. The following describes the information that may be collected on the Site during the automatic collection of data about a visit:

– Category of Data Subjects: Data Subjects who visit the Website,

– The categories of data processed: IP address, country, browser used, type and version of device and operating system, language settings, time of visit and information about visits to the Site (pages viewed, time spent, clicks and opens),

– Data source: automatically collected by Google Analytics

– Legal basis for processing: Article 6(1)(f) GDPR: processing is necessary for the purposes of the legitimate interests pursued by the controller

– Data storage period, date of deletion: 2 years from the date of the visit

– Purpose of data processing: statistics, website development, knowledge of users’ habits

The above processing is in the legitimate interest of the Data Controller, because it enables it to further develop the Website and make it more secure. The scope of the data processed and collected is not significant, the Data Controller uses them only for anonymised statistics, analysis, does not collect behavioural preferences, no automated decision-making is made on the basis of these, the Data Controller does not send personalised offers to the Data Subjects, the fundamental rights and freedoms of the Data Subjects are not disproportionately affected by the processing.

When visiting the Website and using the services provided by the Website, cookies are placed on the Data Subjects’ browsers and HTML-based emails as described in this Privacy Notice. A cookie is a small file consisting of letters and numbers that is sent to the Data Subjects’ device by the Data Controller’s server.

The cookie enables the Data Subject to know when he or she last logged on to the Website, its main purpose being to enable the Data Subject to have a user experience that meets his or her personal needs when using the Website.

The purpose of the cookies used by the Data Controller:

a) Security: to support and enable security and to assist the Data Controller in detecting infringing behaviour

b) Preferences, features and services: cookies are able to inform the Data Controller about the Data Subject’s language preference, the Data Subject’s communication preferences and to help the Data Subject fill in any forms on the Website

c) Performance, analytics and research: such cookies help the Controller to understand how the Website is performing in different areas

The Data Controller may also use cookies to evaluate and improve the Website and the features and services available on it.

2) Where the Data Subject uses the messaging function of the Website, the processing of the data provided in this context is as follows:

– Category of Data Subjects: Data Subjects sending messages to the Data Controller by using the messaging function of the magyarugyvediiroda.hu website.

– Category of data processed: name, telephone number, e-mail address and the data provided by the Data Subject in the “Message” field.

– Source of data: the message written by the Data Subject

– Legal basis for processing: Article 6(1)(a) GDPR: the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes

– Data storage period, date of erasure: 2 years from the date of the visit to the website

– Purpose of the processing: to identify the Data Subject, to know the reason for contact.

When browsing the Website, the type of browser and operating system used by the visitor and the time of the visit may be recorded. These data are not considered personal data under applicable law, are not linked by the Data Controller to personal data and are not accessible to the public.

VII. Purpose of the processing

If the Data Subject uses the messaging function of the Website, the Data Controller processes the Data Subject’s personal data for the purposes of maintaining contact with visitors to the Website and enabling visitors to use the free services available on the Website.

The Data Controller will not use the personal data for purposes other than those indicated, and the processing of the data is carried out with the voluntary consent of the Data Subjects.

VIII. Consent to data processing

By contacting the Data Controller and by their actions (sending a message or registering) clearly specified in the information provided by the Data Controller when using the services provided on the website, the data subjects expressly consent to the processing of their personal data by the Data Controller in accordance with the purposes of the processing.

In the context of automatic data collection in relation to the Website, by accessing the Website and using its functionalities, the Data Subjects consent to the processing of data through automatic data collection without any further legal declaration.

IX. Legal basis for data processing

The legal basis for processing is the consent of the data subjects, subject to Article 6(1)(a) of the GDPR.

X. Duration of processing

The Controller shall store the personal data for the period necessary to achieve the purpose set out in point VII or until the withdrawal of the data subjects’ consent.

XI. Processing of data relating to applicants for a competition launched by the Controller

The CVs and other information submitted by candidates applying for a vacancy advertised by the Data Controller shall be processed by the Data Controller as set out below:

By submitting their CVs and applications, applicants to the Controller’s job advertisements give their consent to the processing and storage of their personal data by the Controller for recruitment, job offer, contact and identification purposes and to the sending of messages and notifications to the contact details provided.

The personal data provided by the applicant when applying for a specific position will be processed by the Data Controller for the duration of the recruitment process and all data of unsuccessful applicants will be deleted at the end of the recruitment process.

Candidates may also have the possibility to provide their CV and other data to the Data Controller for future recruitment and job offer purposes, independently of the advertised job offer or without an advertisement.

If the applicant declares in writing that he or she does not consent to further processing or does not make a written declaration within 30 calendar days of the Data Controller’s request to that effect, the Data Controller shall delete all data relating to the applicant. If an employment relationship is established between the applicant and the Data Controller, the employee shall be informed of the processing of data relating to the employment relationship at the time of the conclusion of the employment contract.

The legal basis for the processing of the data shall be per category of data and per purpose of processing:

Type of data processed: data contained in the CV (education, previous jobs, professional experience, hobbies, etc.), name, telephone number, e-mail address, place of residence, date and place of birth, nationality, photo, language skills, any publications, social media data, personality traits observed during the interview, references, awards, prizes.

Data source: applicant, recruitment agency, CV

Purpose of data processing: recruitment, referral, contact, identification

Legal basis for processing: Article 6(1)(a) GDPR: the data subject has given his or her consent to the processing of his or her personal data

Use of public data available on social media platforms:

During the evaluation of the application, the Data Controller may view the applicant’s activity on social media platforms, including Facebook, LinkedIn, Xing or other profiles, the applicant’s posts, comments in order to make an informed assessment of the applicant’s suitability for the position applied for. In this context, only publicly available information about the applicant related to the position to be filled in the application process will be considered, not information available in closed groups or other non-public or restricted public places. The Controller does not save, store or record social media profiles of applicants, nor does it process sensitive or special data based on social media profile data.

XII. Security of data processing

The Data Controller shall ensure the secure storage of the data provided by the data subjects in accordance with Articles 5(f) and 25 of the GDPR. The Data Controller shall apply technical and organisational measures and procedural rules in the processing of the data to ensure that unauthorised access to personal data, alteration, transmission, disclosure, deletion or destruction of data is prevented and thus to enforce the GDPR, the Infotv. and other data protection and confidentiality rules.

XIII. Persons entitled to data processing

Only the Controller and its authorised employees, agents and partners (data processors) who are contractually bound to the Controller are entitled to process data.

XIV. Processing of data

The Data Controller shall not disclose personal data to third parties without the consent of the data subjects, unless the disclosure is required by law applicable to the Data Controller.

Data Processors

The following processors process your data:

1) Our data storage service provider INTEGRITY Informatikai Korlátolt Felelősségű Társaság (company registration number 07-09-003739)

– Data processing purpose: Server rental, server hosting, web hosting, hosting services.

– Category of data subjects: users/contactees visiting the website,

– Data processed: IP address, name, e-mail, telephone number

– Source of data: automatically collected by the Service Provider

– Legal basis for processing: Article 6(1)(f) GDPR: processing is necessary for the purposes of the legitimate interests pursued by the controller

– Data retention period, date of deletion: 2 years from the date of the visit

– Purpose of data processing: statistics, website development, user identification, knowledge

2) Google Analytics provider: Google LLC (USA, Google Data Protection Office, 1600 Amphitheatre Pkwy Mountain View, California 94043 – Google Analytics)

– Purpose of data processing: Google Analytics

– Category of data subjects: users/contactees visiting the website,

– Data processed:IP address, country, browser used, type and version of device and operating system, language settings, time of visit; Website visit data (pages viewed, time spent, clicks, opens),

– Data source: automatically collected by the Service Provider

– Legal basis for data processing: Article 6(1)(f) GDPR: processing is necessary for the purposes of the legitimate interests pursued by the controller

– Data retention period, date of deletion: 2 years from the date of the visit

– Purpose of data processing: statistics, website development, user identification, knowledge

3) Our financial institution service provider: K&H Bank (1095 Budapest, Lechner Ödön fasor 9., registered office, company registration number and court of registration: Cg. 01-10-041043 – Court of Budapest General Court, activity licence number: ÁPTF 969/1997/F, activity licence date: 26 November 1997)

– Purpose of processing: processing of data relating to the financial operations of the Magyar Law Office

– Category of data subject: Person carrying out a financial transaction with the Magyar Law Office

– Scope of data processed: Data relating to a financial transaction related to an account

– Data source: Contract underlying the financial transaction

– Legal basis for processing: Article 6(1)(b) GDPR: processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into the contract;

– Duration of data retention, date of erasure: 2 years from the date of the visit

4) Our telecommunication service providers: Magyar Telekom Nyilvánosan Működő Részvénytársaság (Registered Office: 1097 Budapest, Könyves Kálmán körút 36., Company Registration Number: 01-10-041928, Telephone Number: 1414, E-mail: ugyfelszolgalat@telekom.hu) and Telenor Magyarország Zrt. (Registered Office: 2045 Törökbálint, Pannon út 1., Company Registration Number: 13-10-040409, Telephone Number: 1220)

– Purpose of data processing: fast and efficient communication

– Category of data subjects: persons contacted via the telephone contact details provided by the Magyar Law Office

– Data processed: telephone number, name

– Source of data: Contract underlying the financial transaction

– Legal basis for processing: Article 6(1)(b) GDPR: processing is necessary for the performance of a contract to which the data subject is a party or for taking steps at the request of the data subject prior to entering into the contract;

– Duration of data retention, date of erasure: 2 years from the date of the visit

5) Postal Service Provider: Hungarian Postal Service (Headquarters: 1138 Budapest, Dunavirág u. 2-6., Phone: +36 1 767 8282, E-mail: ugyfelszolgalat@posta.hu)

– Purpose of data processing: delivery of parcels and letters with the assistance of a public postal operator

– Category of data subjects: recipients and senders of letters sent and received by the Magyar Law Office

– Scope of data processed: names, permanent address or residence, telephone numbers of addressees and senders

– Source of data: Contract underlying the financial transaction

– Legal basis for processing: Article 6(1)(f) GDPR: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party

– Data retention period, date of erasure: 2 years from the date of the visit

XV. Rights of data subjects and their enforcement

The data subject has the right to obtain from the controller feedback as to whether or not his or her personal data are being processed and, if so, to be informed of the data processed by the controller or by a processor appointed by the controller or on his or her behalf and of any relevant information concerning the processing.

The data subject may request the Controller to correct inaccurate personal data relating to him or her without undue delay.

The data subject may request the erasure of his or her personal data, except where the processing is necessary for compliance with the controller’s legal obligations or for the establishment, exercise or defence of legal claims. The Controller, and its processors acting on its instructions, shall delete personal data without undue delay where the processing is unlawful, incomplete or inaccurate, the purpose of the processing has ceased or the storage period has expired, or where a court or public authority has ordered it, or where its deletion is necessary for compliance with a legal obligation to which the Controller is subject.

The data subject may withdraw his or her consent at any time. Unless there is no other legal basis for the processing, the Controller (and its processors) shall delete the personal data concerned by the withdrawn consent.

A data subject shall have the right to obtain from the controller, at his or her request, restriction of processing where

– the data subject contests the accuracy of the personal data – for the time necessary to verify the accuracy;

– the processing is unlawful but the data subject opposes the erasure of the data and requests the restriction of use;

– the controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims.

During the restriction period, the Controller and its processors shall not use the personal data for any purpose other than storage.

The Controller shall inform the data subject, without undue delay and at the latest within one month of receipt of the request, and free of charge, of the measures taken or not taken in response to the data subject’s request concerning the processing of his or her personal data, indicating the reasons and the remedies available. If necessary, in view of the complexity of the request or the number of requests, this period may be extended by two months. The Controller shall inform the data subject of any extension within one month of receipt of the request.

Data subjects may object to the processing of their personal data in accordance with Article 21(1) to (2) of the GDPR. The Controller shall examine the request, decide on its merits and inform the applicant in writing of its decision within the shortest possible period, but not later than one month from the date of the objection. If the objection is justified, the Controller may no longer process the personal data concerned by the objection.

Without prejudice to any other administrative or judicial remedy, data subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the GDPR Regulation.

Without prejudice to available administrative or non-judicial remedies, data subjects shall have the right to an effective judicial remedy if they consider that their personal data have not been processed in accordance with the GDPR Regulation, as a result of which they consider that their rights under the GDPR Regulation have been infringed.

Proceedings against the Service Provider or the data processor used by us must be brought before the competent court of the place where the Service Provider or the data processor is established or may be brought before the courts of the Member State in which the data processor is habitually resident.

XVI. Definitions, interpretative provisions

The following terms used in this Privacy Notice shall be understood as follows

a) Data Controller: the Magyar Law Office, as a legal entity established for the purpose of carrying out the activities of a lawyer, which determines the purposes for which the data are processed, takes and implements the decisions concerning the processing (including the means used) or has the data processed by a data processor;

b) ‘processing’ means any operation or set of operations which is performed upon the data, whatever the procedure used, in particular any collection, recording, recording, organisation, storage, structuring, alteration, use, retrieval, disclosure, transmission, dissemination or otherwise making available to the public or otherwise making accessible, alignment or combination, restriction, erasure or destruction of data, prevention of their further use, taking of photographs, sound recordings or images and recording of physical characteristics which permit identification of a person;

c) Transmission of data: making data available to a specified third party;

d) Consent: a freely given, explicit and unambiguous indication of the data subject’s wishes, based on specific and adequate information, by which he or she signifies his or her agreement to the processing of personal data relating to him or her, either in full or in part, by an act which unambiguously expresses his or her consent;

Consent shall be deemed to be given when the data subject, when consulting an Internet website, ticks a checkbox or makes technical settings to that effect, or by any other statement or action which, in the relevant context, unambiguously indicates his or her agreement to the intended processing of personal data.

e) Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data;

f) Erasure: the rendering of personal data unrecognisable in such a way that it is no longer possible to retrieve it;

g) Restriction of processing: the affixing of an identification mark to data in order to restrict their further processing either permanently or for a limited period of time during which only their storage is lawful;

h) Destruction of data: the total physical destruction of the storage medium containing the data;

i) ‘processing’ means the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

j) Data Subjects: any natural person identified or identifiable, directly or indirectly, on the basis of personal data, and, for the purposes of this Privacy Statement, all customers, partners of the Controller, natural and legal persons who have contacted the Controller by electronic means, by post or otherwise, and visitors to the Controller’s website;

k) GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation), which sets out the legal requirements for the protection of personal data and whose provisions apply mutatis mutandis to this Privacy Notice.

l) Website: the website www.magyarugyvediiroda.hu;

m) InfoTv.: Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, which supplements the legal requirements of the GDPR on the protection of personal data and whose provisions apply accordingly to this Privacy Notice;

n) Civil Code: Act V of 2013 on the Civil Code,

o) Act on the Legal Profession: Act LXXVIII of 2017 on the activities of lawyers, which sets out the legal requirements for the confidentiality of lawyers and whose relevant provisions shall apply mutatis mutandis to this Privacy Notice;

p) Personal Data: information relating to an identified or identifiable natural person (data subject) which can be associated with him or her, in particular the name, the identification mark and one or more physical, physiological, mental, economic, cultural or social identities of the data subject, and the inference that can be drawn from the data concerning the data subject;

q) Trade secret: The secret set out in Section 2:47 of the Civil Code and in point XV of this Privacy Notice.

r) Attorney-client privilege: The obligation of confidentiality imposed on the Data Controller by Section 9 of the Act on the Protection of Personal Data and Section XVI of this Privacy Notice.

XVII. Processing of data to prevent and deter money laundering and terrorist financing

The Magyar Law Office is obliged to carry out client due diligence pursuant to Article 6 of the Money Laundering Act, for the purpose of fulfilling its statutory obligation, under the conditions set out therein, and in this context it processes the personal data of the Clients, their authorized Contact Persons and beneficial owners of natural persons as defined in Article 7 (2) of the Money Laundering Act and Article 8 (2) of the Money Laundering Act.

The Law Firm shall make a copy of the documents containing the above data for the purpose of verifying the identity of the Client, in order to prevent and deter money laundering and terrorist financing, to properly fulfil the obligations set out in the Pmt., to fully implement the client due diligence obligation and to effectively perform the supervisory activity. The Law Firm shall keep a paper copy of the data obtained in the course of the client due diligence measures, record the fact of the due diligence in writing in the case file, in the case of a request for data from the central register, keep the paper copy of the reply separate from the case file, store the reply to the request in electronic form and include the data provided for in Article 57 of the Pmt. in the register kept by the Law Firm. The duration of data processing is eight years from the date of data recording in the case of ad hoc assignments, or from the termination of the business relationship in the case of long-term assignments, depending on the assignment contract, pursuant to Section 56 (2) of the Act on the Protection of Personal Data, or pursuant to Section 58 (1) of the Act on the Protection of Personal Data, pursuant to Section 5. § 5 of the Pmt, the financial information unit, the investigating authority, the prosecution and the court for the period specified in the request, but not more than ten years from the termination of the business relationship or the execution of the transaction. If the data subjects do not give their consent to the recording of the data or do not provide the data, the Law Firm shall refuse to cooperate.

XVIII. Right to legal remedy

The Data Subject may lodge a request regarding the processing of his/her personal data by sending an e-mail to iroda@magyarugyvediiroda.hu or by post to the Data Controller’s headquarters.

The Data Subject may assert his/her rights to the protection of his/her personal data before a civil court – the competent court of law (Metropolitan Court of Budapest) or (at his/her option) the competent court of law of the place of residence or, failing that, of the place of abode of the Data Subject – or before the National Authority for Data Protection and Freedom of Information (address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c; postal address: 1530 Budapest, Pf. : 5.; telephone number: +36 1/391-1400; e-mail address: ugyfelszolgalat@naih.hu).

XIX. Trade secrets

A trade secret is any fact, information or other data relating to an economic activity, and any compilation thereof, which is not publicly known or not easily accessible to persons engaged in the economic activity concerned, the acquisition, use, disclosure or disclosure of which to unauthorised persons would harm or jeopardise the legitimate financial, economic or market interests of the right holder, provided that the right holder is not responsible for its safekeeping and that the right holder is not legally entitled to it.

In accordance with the provisions of the Civil Code, technical, economic or organisational knowledge, experience or a compilation thereof (hereinafter referred to as ‘proprietary information’) which is recorded in an identifiable manner and which is of pecuniary value shall be protected in the same way as trade secrets if it is acquired, used, communicated or disclosed in a manner contrary to the principles of good faith and fair dealing. Such protection shall not be invoked against a person who has acquired the proprietary knowledge or similar knowledge substantially substitutable for it by means of development independent of the rightholder or by examining and analysing a lawfully acquired product or a lawfully used service, nor shall it be invoked against a person who has acquired the trade secret or proprietary knowledge from a third party in the course of trade in good faith and for valuable consideration.

The Data Controller shall treat all trade secrets of which it becomes aware in accordance with the above.

XX. Confidentiality obligations of the Data Controller

In addition to the above, the Data Controller is under an obligation of confidentiality with regard to all data, information and facts of which it has become aware in the course of its activities as a lawyer, subject to the provisions of Section 9 of the Act. This obligation is independent of the existence of a legal relationship for the exercise of the profession of lawyer and shall continue to apply without time limit after the termination of the practice of the profession of lawyer or the termination of the legal relationship.

The obligation of professional secrecy shall also apply to any other document prepared by the Data Controller and in his possession, if it contains facts, information or data covered by the obligation of professional secrecy. In the course of an investigation by a public authority carried out at the premises of the Data Controller, the Data Controller shall not disclose documents and data relating to his client, but shall not obstruct the proceedings of the public authority.

The client, its legal successor and its legal representative may grant a waiver of the obligation of confidentiality. Even in the case of a waiver, the lawyer may not be questioned as a witness about facts and data of which the lawyer of the Data Controller has knowledge in his capacity as a defence counsel.

The obligation of professional secrecy shall apply mutatis mutandis to the Data Controller as a law firm and its employees, to the lawyers’ bodies, their officers and employees, and to natural and legal persons who store, archive, preserve or process electronic or paper documents containing data covered by the obligation of professional secrecy.

A document prepared for the purpose of a defence pursuant to Section 13(2) of the Act may not be used as evidence in official, judicial or other public proceedings and may not be examined, seized or copied by public authorities, nor may its production, disclosure or access be refused. These rights may be waived by the person concerned, except where the document relates to the defence in criminal proceedings.

XXI. Other provisions

This Privacy Notice is effective from 17 May 2021 until its withdrawal, the Data Controller reserves the right to amend this Privacy Notice.

In matters not covered by this Privacy Notice, the GDPR and the provisions of Hungarian law, in particular the Infotv. and other relevant legislation, shall apply.