Data protection

1. Data Controller and Contact Information

The Tréki-Tóth Law Firm acts as the data controller (hereinafter: Data Controller) concerning the personal data of current, former, and prospective clients, as well as related individuals (hereinafter collectively: client or clients).

Data Controller Name: Tréki-Tóth Law Firm
Registered Office: 1055 Budapest, Honvéd u. 22. I. em. 1.
Email Address: iroda@trekitothlaw.eu
Phone Number: +36 30 331 0150
Website: http://www.trekitothlaw.hu

2. Legal Basis for Data Processing

  • Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (hereinafter: AML/CFT Act);
  • Act LXXVIII of 2017 on Attorneys (hereinafter: Attorneys Act);
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter: Info Act);
  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter: GDPR).

3. Scope, Purpose, Legal Basis, and Duration of Data Processing

Inquiries About Services via Website, In-Person, Phone, or Other Means

Scope of Data Processed:

  • Name
  • Email Address
  • Phone Number
  • Subject of Inquiry

Purpose of Data Processing:

  • Identifying the inquirer
  • Maintaining contact
  • Providing personalized responses to inquiries

Legal Basis for Data Processing:

  • The inquirer’s consent

Retention Period:

  • The data is retained for the duration specified by the inquirer or until the consent is withdrawn.

Request for a Personalized Quote

Scope of Data Processed:

  • Name
  • Email Address
  • Phone Number
  • Subject of Inquiry

Purpose of Data Processing:

  • Identifying the inquirer
  • Providing a quote

Legal Basis for Data Processing:

  • The inquirer’s consent

Retention Period:

  • The data is retained for the duration of the offer's validity, but no longer than 3 months.

Conclusion and Fulfillment of an Attorney Engagement Contract

Scope of Data Processed:

  • Name
  • Email Address
  • Phone Number
  • Data Related to the Subject of the Contract (e.g., property details)
  • Mandatory Data Under the AML/CFT Act and the Attorneys Act (e.g., personal identification data, ID copies, information on politically exposed persons, beneficial owner data)

Purpose of Data Processing:

  • Identifying the client
  • Concluding and fulfilling the contract
  • Providing legal services (e.g., drafting and submitting documents, representing clients in legal or administrative proceedings, enforcing potential claims)
  • Compliance with legal obligations

Legal Basis for Data Processing:

  • Contractual fulfillment

Retention Period:

  • Five years following contract fulfillment (general statute of limitations in civil law);
  • 10 years in cases involving notarization, electronic documents, or entries in public registers regarding real estate, or mediation proceedings.

Retention periods may be extended if personal data is necessary for ongoing or future legal proceedings. In such cases, the retention period extends until the relevant legal process is concluded or fails.

Certain documents containing data may not be disposed of under special legal provisions or by mutual agreement of the parties.

Client Identification via Videoconference

Scope of Data Processed:

  • The content of identification documents presented via electronic communication networks (Skype) and recorded by video
  • The recorded image and voice of the subject
  • The entire videoconference session

Purpose of Data Processing:

  • Client identification and verification

Legal Basis for Data Processing:

  • The subject's explicit consent

Retention Period:

  • Data collected under the AML/CFT Act and the Attorneys Act are retained for eight years following the termination of the engagement, extendable in exceptional cases defined by law.

Signature or Acknowledgment of Signature on Documents via Recorded Videoconference for Attorney Certification (so-called remote signing or remote presence) and Completion of Client Identification Obligations via Recorded Videoconference

Scope of Data Processed:

  • Contact Information (name, email, phone number)
  • Data Related to the Subject of the Contract

Purpose of Data Processing:

  • Identification of the client
  • Contractual fulfillment in the case of a natural person
  • The legitimate interest of the Data Controller in the case of the contact person of a legal entity

Legal Basis for Data Processing:

  • Contractual fulfillment
  • Legitimate interest

Retention Period:

  • The recorded video session must be retained for 10 years according to the applicable regulations.

Billing Data Processing

Scope of Data Processed:

  • Name, registered office/residence, tax number

Purpose of Data Processing:

  • Issuing invoices, fulfilling orders, and complying with tax obligations

Legal Basis for Data Processing:

  • Compliance with accounting rules and tax obligations

Retention Period:

  • Eight years from the issuance of the invoice.

Processing of Personal Data Related to Marketing Photos and Videos

Scope of Data Processed:

  • The subject’s image in marketing photos and videos

Purpose of Data Processing:

  • Publishing the content on the Data Controller’s website and social media platforms

Legal Basis for Data Processing:

  • The subject’s explicit consent

Retention Period:

  • One year after the content was created. If consent is withdrawn before this period ends, the content will be deleted and removed from the platforms.

Attorney Trust Account Records

Scope of Data Processed:

  • Subject of the trust
  • Type of trust
  • Dates of trust agreement creation, modification, and termination
  • Details of deposit with the custodian, name and registered office of the custodian, fact and time of deposit with the court (in the case of a court deposit)
  • Information related to the fulfillment of the trust, such as receipt date, amount received, and the legal basis for receipt

Purpose of Data Processing:

  • Compliance with legal obligations for maintaining trust account records

Legal Basis for Data Processing:

  • Legal obligation: Section 51 of the Attorneys Act; Regulation 7/2018 (III. 26.) of the Hungarian Bar Association on Attorney Trust Account Management

Retention Period:

  • 10 years from the termination of the trust agreement according to the mentioned Bar Association regulation.

Data Processing Related to Our Website

Scope of Data Processed:

  • Personal data provided by the website visitor via the "Contact" form: name, email address, phone number

Purpose of Data Processing:

  • Responding to inquiries submitted through the “Contact” form

Legal Basis for Data Processing:

  • The subject’s explicit consent via checkbox

Retention Period:

  • If the inquiry relates to the preparation of a contract with the subject, personal data will be processed for the general statute of limitations in civil law (5 years). Otherwise, personal data will be processed until the communication initiated by the inquiry is closed.

Data Captured by Cookies on the Website

Details regarding the cookies used on the website can be found under the "Details" section of the Cookie popup.

Our website uses cookies to enhance the user experience and ensure the proper functioning of the site. A cookie is a piece of data sent by the website to the user's browser, which stores certain information, enabling the website to reload the original settings during subsequent visits. The subject is informed about the cookies used on the site when visiting the website. The subject uses the website based on this information. The purpose of cookies is to enhance the user experience during website use and to provide the Data Controller with information to monitor the site's operation.

Legal Basis for Data Processing:

  • The Data Controller’s legitimate interest [GDPR Article 6(1)(f)] for cookies necessary for the operation of the website and/or the subject's consent [GDPR Article 6(1)(a)] for functional (personalization), analytical, and marketing cookies.

When the subject visits the website, their consent for the use of cookies is requested. The subject may withdraw or modify their consent for the use of cookies at any time. Additionally, the subject can manage cookie settings, except for essential cookies necessary for the operation of the website. All information about the use of cookies is available in the "settings" section.

The cookies used are not capable of identifying the subject. Refusing to allow the use of cookies does not disadvantage the subject. The subject can delete cookies from their own computer or prevent their application in their browser. These options are generally found in the "Settings/Privacy" menu, depending on the browser.

Further information on browser settings:

4. Recipients or Categories of Recipients of Personal Data

Recipients are organizations to whom the Data Controller may transfer personal data in certain cases.

The Data Controller generally shares clients' personal data with the following third parties:

  • Organizations providing services to the Data Controller or clients (e.g., insurance companies, IT service providers). The purpose of data transfer is to ensure certain technical conditions indispensable for the operation of the Data Controller (e.g., remote identification, data storage, client identification operations support);
  • Third parties involved in fulfilling the engagement contract (opposing parties, authorities, courts, experts, legal or other service providers involved by the client or us, notaries). The purpose of data transfer is to provide services and prepare expert opinions;
  • Supervisory and other authorities, regulatory bodies. The purpose of data transfer is to conduct relevant legal procedures;
  • Collaborating attorneys, law firms. Categories of personal data shared with recipients include client identification, contact, and case-related (factual) data. The purpose of data transfer is professional collaboration in the provision of legal services by the Data Controller.

5. Processing of Special Categories of Data

The Data Controller only processes special personal data of the subject if it is absolutely necessary in connection with the legal service (e.g., representation in litigation related to health status). In such cases, the Data Controller is entitled to process the data under Article 9(2)(f) of the GDPR, given that the processing is necessary for the establishment, exercise, or defense of legal claims. If this provision does not apply, special data can only be processed based on the explicit consent of the subject, according to Article 9(2)(a) of the GDPR.

6. Rights of the Data Subject

Right of Access

If the subject requests the Data Controller to confirm whether it is processing their personal data, the Data Controller is obliged to provide information within the limits defined by law.

The subject’s right to receive confirmation from the Data Controller regarding whether their personal data is being processed:

  • Covers personal data related to them;
  • Does not cover anonymous data;
  • Does not cover personal data not related to them;
  • Includes pseudonymized data that is clearly related to the subject.

At the request of the applicant, the Data Controller provides access to and a copy of their personal data. If the client requests additional/repeat copies of their personal data, the Data Controller may charge a reasonable fee (50 HUF per page) to cover the administrative costs of fulfilling the request, which the client is obliged to bear.

Right to Rectification

The Data Controller rectifies or completes personal data concerning the subject upon request. If there is any doubt about the rectified data, the Data Controller may request the subject to substantiate the corrected data appropriately, primarily with documents. If the personal data affected by this right have been shared with another person, the Data Controller will notify those persons without delay after rectification unless this is impossible or requires disproportionate effort from the Data Controller. At the subject's request, the Data Controller will inform them of these recipients.

Right to Erasure

If the subject requests the erasure of some or all of their personal data, the Data Controller will erase them without undue delay if:

  • The Data Controller no longer needs the personal data for the purpose for which they were collected or otherwise processed;
  • The data processing is based on the subject’s consent, but the consent is withdrawn, and there is no other legal basis for the processing;
  • The data processing is based on the legitimate interest of the Data Controller or a third party, but the subject has objected to the data processing, and there is no overriding legitimate ground for the processing;
  • The Data Controller has processed the personal data unlawfully; or
  • Erasure is required for compliance with a legal obligation.

If the personal data affected by this right has been shared with another person, the Data Controller will notify those persons without delay after the erasure, unless this is impossible or requires disproportionate effort from the Data Controller. At the subject's request, the Data Controller will inform them of these recipients. The Data Controller is not obliged to erase personal data in all cases, especially if the processing is necessary for the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing

The subject may request the restriction of the processing of their personal data in the following cases:

  • The subject contests the accuracy of the personal data – in this case, the restriction applies for the period necessary for the Data Controller to verify the accuracy of the personal data;
  • The processing is unlawful, but the subject opposes the erasure of the data and requests the restriction of their use instead;
  • The Data Controller no longer needs the personal data for processing purposes, but the subject requires them for the establishment, exercise, or defense of legal claims;
  • The subject has objected to the data processing – in this case, the restriction applies for the period necessary to determine whether the Data Controller's legitimate grounds override those of the subject.

Restricting data processing means that the Data Controller does not process the personal data affected by the restriction except for storage, or only processes them within the scope to which the subject has consented. The Data Controller may process these data without consent if it is necessary for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State. The Data Controller will inform the subject in advance of the lifting of the restriction on processing. If the personal data affected by this right has been shared with another person, the Data Controller will notify those persons without delay after the restriction, unless this is impossible or requires disproportionate effort from the Data Controller. At the subject's request, the Data Controller will inform them of these recipients.

Right to Data Portability

The subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data were provided, where technically feasible, if the processing is based on consent or necessary for the performance of a contract and the processing is carried out by automated means.

We note that our legal practice is subject to strict professional confidentiality obligations. In this context, the right to data portability can only be exercised if we receive a waiver from our confidentiality obligation from the subject, as the person entitled to dispose of the attorney-client privilege, to the extent necessary for the data transfer.

Right to Object

If the legal basis for the processing of personal data concerning the subject is the legitimate interest of the Data Controller or a third party, the subject has the right to object to the processing of their personal data. The Data Controller is not obliged to comply with the objection if it proves that:

  • The processing is necessary for compelling legitimate grounds that override the interests, rights, and freedoms of the subject, or
  • The processing is necessary for the establishment, exercise, or defense of legal claims.

Timeframe for Responding to Subject’s Requests

The Data Controller responds to the following requests within the timeframes below:

Subject’s Request | Timeframe
Right to Information | When the data is collected (if provided by the subject) or within one month (if not provided by the subject)
Right of Access | One month
Right to Rectification | One month
Right to Erasure | Without undue delay
Right to Restriction of Processing | Without undue delay
Right to Data Portability | One month
Right to Object | Upon receipt of the objection

Right to Lodge a Complaint and Seek Legal Remedy

If the subject believes that the processing of their personal data by the Data Controller violates the applicable data protection laws, particularly the GDPR, they have the right to lodge a complaint with the data protection supervisory authority in the Member State of their habitual residence, place of work, or place of the alleged infringement.

In Hungary, a complaint can be submitted to the National Authority for Data Protection and Freedom of Information (hereinafter: NAIH).

NAIH Contact Information:

In addition to or independently of the right to lodge a complaint, the subject may also seek legal remedy in court. The subject has the right to bring an action against a legally binding decision of the supervisory authority concerning them. The subject is also entitled to judicial remedy if the supervisory authority fails to address a complaint or does not inform the subject within three months about the progress or outcome of the complaint.

7. Modifications to This Privacy Notice

The Data Controller reserves the right to modify this Privacy Notice at any time. The Data Controller will notify clients of such modifications by letter or email and, in all cases, in accordance with the applicable legal requirements.

Effective Date: 31 May 2024