Privacy

Privacy Notice
of
Réti, Várszegi & Partners Law Firm
on data processing related to legal services and the website
https://www.retivarszegipartners.hu

1.1. Name and contact details of Data Controller

Name of data controller: Réti, Várszegi & Partners Law Firm (hereinafter the “Data Controller”)

Registered seat: 1055 Budapest, Bajcsy-Zsilinszky út 78.
E-mail address: rvp.central@hu.pwclegal.com
Phone number: (+36 1) 461 9888
Website: retivarszegipartners.hu

Appointed contact person of the Data Controller:

Name:
Dr. Zoltán Várszegi, managing partner
Dr. András Csenterics, attorney at law, data protection officer
Postal address: 1055 Budapest, Bajcsy-Zsilinszky út 78.
E-mail address:
zoltan.varszegi@pwc.com
andras.csenterics@pwc.com
Phone number: (+36 1) 461 9506 

1.2. Scope of the processed personal data, purpose, legal basis of the data processing, the period for which the personal data are stored

A) Processing of the personal data of natural persons

Categories of personal data Purpose of data processing Legal basis of data processing Period for which the personal data are stored
Personal data provided in the course of the preparation and conclusion of the engagement, including the type, number and copy of the personal identification documents as well as the data requested in relation to the restrictions on the engagement; in this regard, the personal data could be obtained from public databases (e.g. registries on the address and personal data of citizens)  Establishing the engagement Preparation and performance of the contract on the provision of legal services, legal obligation prescribed by the Hungarian act on attorney services 8 years from the completion of the engagement or the termination of the business partnership; 10 years in the case of mediation or the countersigning of documents or electronic documents or the registration of rights over real properties in public registries
Client identification performed in accordance with Sections 6 and 73 of the AML Act, updating registry on identified persons Obligations prescribed by the Hungarian legal acts on the prevention of money laundering and financing of terrorism and on attorney services 
Transfer of the data of the AML-compliant client identification procedure to other service provider(s) in order for the other service provider to conduct its own client identification procedure Consent
Conduct and completion of risk assessment procedures, checks on restrictions on the provision of legal services, obtainment of permission to provide legal services necessary for cooperation with the PricewaterhouseCoopers group of companies  Preparation and performance of  the contract on the provision of legal services
Personal data provided in relation to the engagement (especially: name, address, mother’s name, name by birth, tax identification number, identity card number, passport number, personal identification number, place of temporary residence/postal address) Provision of legal services, especially the preparation, submission and registration of documents with the competent authority, enforcement of claims arising from the services (if applicable) Preparation and performance of the contract on the provision of legal services, legal obligation prescribed by the Hungarian act on attorney services For the statutory storage period applicable to attorneys[1]
Data on the specifics of the case (statement of facts), especially data on assets Provision of legal services Preparation and performance of the contract on the provision of legal services, legal obligation prescribed by the Hungarian act on attorney services For the statutory storage period applicable to attorneys
Contact details (phone number, e-mail address) Liaison in relation to the legal services rendered under our contract Preparation and performance of the contract on the provision of legal services Until the business partnership established for the provision of legal services is terminated, except if the contact data are part of the documents that include the data processed for the above purposes 
Personal data necessary for the issuance of invoices, statements Fulfillment of tax obligations, completion of orders, issuance of invoices/statements Fulfilment of obligations arising from tax law and accounting regulations 8 years from the date of the invoice
Name, address, telephone number, email address of private clients Client management in the context of providing legal services (via the Salesforce system) Our legitimate interest related to processing client data in a system introduced by the PricewaterhouseCoopers international group of firms, allowing for safe and unified client management, efficient provision of services and sharing information within the network During the existence of the client contact

B) Processing of the personal data of natural persons acting for legal entities (representative, member, beneficial owner, contact person, etc.)

Categories of personal data Purpose of data processing Legal basis of data processing Period for which the personal data are stored
Contact data (especially: name, e-mail address, phone number, position) Initiating and maintaining business liaison Our legitimate interest related to the maintenance of the business partnership and the performance of the contract concluded with the legal entity client Until the termination of the business partnership or if it happens earlier, until the data subject’s legal relationship with the legal entity is terminated, provided that the Data Controller learns about this
Personal identification data (in relation to the representative, member and beneficial owner of the legal entity) Client identification performed in accordance with Sections 6 and 73 of the AML Act, updating registry on identified persons Obligations prescribed by the Hungarian legal acts on the prevention of money laundering and financing of terrorism and on attorney services  8 years from the completion of the engagement or the termination of the business partnership; 10 years in the case of mediation or the countersigning of documents or electronic documents or the registration of rights over real properties in public registries
Transfer of the data of the AML-compliant client identification procedure to other service provider(s) in order for the other service provider to conduct its own client identification procedure Legitimate interest of the legal entity client related to the facilitation of its identification by another service provider
Provision of legal services (especially: preparation, submission and registration of corporate documents with the competent authority) Legitimate interest of the legal entity client to use legal services for the respective matter, or if applicable, the performance of the contract concluded between the data subject and the legal entity client
Conduct and completion of risk assessment procedures, checks on restrictions on the provision of legal services, obtainment of permission to provide legal services necessary for cooperation with the PricewaterhouseCoopers group of companies  Our legitimate interest related to compliance with the restrictions and rules of the PricewaterhouseCoopers global group of companies on providing services to audit clients
Name, title, telephone number and email address of private persons acting as representatives of the client Client management in the context of providing legal services (via the Salesforce system) Our legitimate interest related to processing client data in a system introduced by the PricewaterhouseCoopers international group of firms, allowing for safe and unified client management, efficient provision of services and sharing information within the network During the existence of the client contact

C) Processing of the data of other natural persons affected by the legal services (e.g. other party to a contract or a lawsuit, or his/her representative)

Categories of personal data Purpose of data processing Legal basis of data processing Period for which the personal data are stored
Personal identification and other transactional data (the source of the data is our client or the data subject) Performance of legal services (e.g. the preparation of contract) Legitimate interest of our client to use legal services, legal obligation prescribed by the Hungarian act on attorney services For the period applicable to attorney services1

D) Data processing related to the website HTTPS://WWW.RETIVARSZEGIPARTNERS.HU

Categories of personal data Purpose of data processing Legal basis of data processing Period for which the personal data are stored
Personal data provided by the visitor on the website through the “Contact” option Responding to persons contacting the Data Controller via the “Contact” option on the website If the Data Controller is contacted in relation to the preparation of an engagement with the data subject, the legal basis for the data processing will be taking the steps necessary to enter into the engagement.

If the purpose of contacting the Data Controller differs from the above, the legal basis for data processing will be the Data Controller’s legitimate interest related to responding to messages it receives through “Contact”

If the Data Controller is contacted in relation to taking the steps necessary to enter into an engagement, the personal data involved will be processed until the end of the general civil law statutory limitation period (5 years.)

If the Data Controller is contacted for any purpose other than the above, the personal data involved will be processed until the end of the communication started as a result of contacting the Data Controller.

In regard to the above cases of data processing, the Data Controller hereby notes that the provision of the data of data subjects that the Data Controller processes on the basis of legal obligations, contracts to be concluded with the Data Controller, the preparation or performance of the business partnership is mandatory in respect of the establishment of the engagement or certain obligations arising from the engagement on the provision of legal services. Without the necessary data, the Data Controller cannot comply with its contractual or legal obligations; in certain cases (especially in relation to client identification performed on the basis of the AML Act), if the necessary data are not provided, we cannot even accept or complete the engagement.

In respect of data processed on the basis of the Data Controller’s or third person’s legitimate interest, the Data Controller specifically notes that data subjects are granted the right to object to data processing (additional rules are laid down in Point 1.5 E).

1.3. Recipients of personal data, categories of recipients

Data processor:

Name of data processor Category of personal data transferred to recipients Activity requiring the involvement of the data processor
PwC Könyvvizsgáló Kft. Personal data stored on IT servers (especially e-mails, electronic documents, invoices). The data processor performs the operations that the Data Controller has specified to provide full scope IT and accounting services (including the supply of the accounting software).

Independent data controllers:

Name of independent data controller Category of personal data transferred to recipients Activity that the independent data controller performs
Cooperating attorneys, law firms Client identification, contact and case-related data (statement of facts) Professional participation in the provision of the Data Controller’s legal services
PwC Könyvvizsgáló Kft. Conflict of interest data (audit client status or other) Checking restrictions on services that may be provided to clients
PwC European Regional Center Identification data of natural person clients, data of representatives, members and beneficial owners of legal entities Regional risk assessment and management, permission of services
Translators Documents containing personal data at the client’s request or to an extent necessary for the performance of the engagement Preparation of translations
Authorities, courts, other official bodies Personal data incorporated in documents to be submitted to the competent authority/court, personal data necessary for the performance of the engagement Conduct of the related legal procedures or proceedings
Judicial or private experts If the engagement requires the involvement of an expert, the personal data in the documents to be provided to the expert Preparation of expert’s opinion
Budapest Bar Association All the data subject to attorney services Exercise of disciplinary powers or supervisory audits

1.4. Processing of special categories of personal data

The Data Controller only processes special categories of personal data if it is absolutely required for the provision of legal services (e.g. legal representation in a lawsuit related to the medical conditions of the client). In such cases, the Data Controller is entitled to process the data on the basis of Section 9 (2) Point f) of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council) directly applicable in Hungary, as the data processing is required for the establishment, exercise and defense of legal claims. 

1.5. Rights of data subjects

The data subject may request the Data Controller to grant access to his/her personal data, the rectification of inaccurate personal data, the erasure of personal data, and in certain cases, the restriction of the processing, and may object to the processing of his/her personal data. The data subject is also granted the right to data portability, the right to file a complaint with the supervisory authority and the right to an effective judicial remedy. In the case of automated decision-making applied in specific cases, the data subject is granted the right to not be subject to the decision or the right to request human intervention.

During the course of the consent-based data processing, the data subject is also entitled to withdraw his/her consent at any time, however the withdrawal has no impact on the lawfulness of the data processing performed prior to the withdrawal.

A) Right to access

The data subject is entitled to request information at any time about whether and how the Data Controller processes his/her personal data, including the purposes of the data processing, the recipients to whom the data have been disclosed or the period for which the personal data will be stored, any right of the data subject, in addition, information on automated decision-making, profiling, and in the case of transferring personal data to any third countries or any international organization, information on the related guarantees. During the exercise of the right to access, the data subject is also entitled to request copies of the personal data; in the case of requests submitted electronically, the Data Controller, in lieu of a request from the data subject that says otherwise, provides the requested information electronically (in pdf format). If the right to access of the data subject has detrimental effects on the rights and freedoms of other persons, especially the business secrets or intellectual property of others, the Data Controller is entitled to refuse to comply with the request to the necessary and proportionate extent. If the data subject requests several copies of the personal data, the Data Controller charges HUF 200 per copy/page as a reasonable amount of fee that is proportionate to the administrative costs of preparing the additional copies.

B) Right to rectification

At the request of the data subject, the Data Controller corrects or completes the personal data of the data subject. If any doubt arises from the corrected data, the Data Controller may request the data subject to certify the corrected data to the Data Controller appropriately, primarily by documents. If the Data Controller has disclosed such personal data of the data subject that are subject to this right to other persons (e.g. the recipient as data processor), the Data Controller shall immediately inform the affected persons after correcting the data, provided that such notification is possible or it does not require a disproportionate amount of effort from the Data Controller. At the request of the data subject, the Data Controller informs him/her about these recipients.

C) Right to erasure (“right to be forgotten”)

If the data subject requests the erasure of any or all of his/her personal data, the Data Controller shall erase such data without unjustified delay if

  • the Data Controller does not need the personal data in question any more for the purpose for which the data were collected or otherwise processed;
  • the request affects data processing that was based on the consent of the data subject, but the data subject has withdrawn the consent and the data processing has no other legal basis;
  • the request affects data processing that had been based on the legitimate interests of the Data Controller or any third party but the data subject has objected to the data processing and, with the exception of objection to data processing for direct marketing purposes, there are no legitimate grounds for the data processing that would take priority;
  • the Data Controller processed the personal data unlawfully, or
  • the erasure of personal data is necessary for the fulfillment of legal obligations.

If the personal data under this right have been disclosed by the Data Controller to another party (e.g. the recipient as, for example, the data processor), the Data Controller shall immediately inform such persons after the erasure, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs them about these recipients. The Data Controller is not required to delete personal data in all the cases, especially if, for example, the data processing is necessary for the establishment, exercise or defense of legal claims.

D) Right to restriction of data processing

The data subject may request the restriction of the processing of his/her personal data in the following cases:

  • the data subject contests the accuracy of the personal data – in this case, the restriction affects the period during which the data controller is able to check the accuracy of personal data;
  • the data processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  • the data controller no longer needs the personal data for the purposes of the processing, but the personal data are needed for the establishment, exercise or defense of legal claims; or
  • the data subject has objected to the data processing – in this case, the restriction affects the period until which it is verified whether the legitimate grounds of the Data Controller override those of the data subject.

The restriction of data processing means that the Data Controller will not process the personal data subject to the restriction except for storage, or such data are only processed to the extent to which the data subject consented, or even if without such consent, the Data Controller may process those personal data that are necessary for the establishment, exercise or defense of legal claims or for the protection of the rights of other natural persons or legal entities, or that are necessary for the important public interests of the European Union or any European Union member state. The Data Controller informs the data subject in advance about releasing the restriction on the data processing. If personal data under this right have been disclosed to other persons (e.g. the recipient, for example, as the data processor), the Data Controller shall immediately inform such persons about the restriction of data processing, the Data Controller shall immediately inform such persons after the erasure, provided that such notification is possible or it does not require a disproportionate amount of efforts from the Data Controller. At the request of the data subject, the Data Controller informs them about these recipients.

E) Right to object

If the legal basis for the data processing related to the data subject is the legitimate interest of the Data Controller or any third party, the data subject is entitled to object to the data processing. The Data Controller is not required to accept the objection if the Data Controller can evidence that 

  • the data processing is justified by legitimate and compelling causes that take precedence over the interests, rights and freedoms of the data subject, or
  • the data processing relates to the data for the establishment, enforcement or defense of Data Controller’s legal claims.

F) Right to lodge a complaint, right to an effective judicial remedy

If the data subject comes to the conclusion that the processing of his/her personal data by the Data Controller infringes the applicable data protection regulations, especially the General Data Protection Regulation, the data subject has the right to file a complaint with the competent data protection supervisory authority in the Member State of his/her habitual residence, place of work or the place of the alleged infringement. In Hungary, this authority is the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”). The contact details of NAIH are as follows:

Website: http://naih.hu/
Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.
Mail address: 1530 Budapest, PO Box: 5.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

The data subject, regardless of his/her right to file a complaint, may also bring proceedings before a court for such infringement. The data subject is entitled to bring proceedings against the binding decision of the supervisory authority concerning the data subject. The data subject is also entitled to an effective judicial remedy if the supervisory authority fails to address the complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

1.6. Automated decision-making, profiling

No automated individual decision-making or profiling is performed in the course of the data processing of the Data Controller concerning the data subjects.

* * *

Effective from 25 May 2018

[1] 10 years in the case of mediation or the countersigning of documents or electronic documents or the registration of rights over real properties in public registries, 5 years in any other cases. In special cases prescribed by law or upon the parties’ specific agreement, some documents containing the personal data might not be discarded.