Data processing - Szecskay Attorneys at Law

Szecskay Attorneys at Law (seated at HU-1055 Budapest, Kossuth Lajos tér 16-17) (the “Firm“) is hereby giving the following information concerning the processing of personal data as is required under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“).

1. The purpose and legal basis for data processing, the personal data processed, the duration of data processing, persons having access to data, data transfers

1.1 Processing of data of persons submitting a CV

In order for the Firm to be able to evaluate your CV, interview you and provide you with feedback on it, it is necessary to process the data contained in your CV (and any motivation letter you may have submitted).

The legal basis for this processing is your consent (Article 6 (1) (a) of the GDPR), which you give us by submitting your CV.

The Firm will process the data contained in your CV (motivation letter) submitted to the Firm, such as your surname, first name, telephone number, address, email address, photograph, description of professional experience, language(s) spoken, hobbies. Please do not provide any special category data (e.g. health data, genetic data)!

For the purposes set out above, the Firm will process your personal data as defined above until it makes a decision on whether to make you an offer of employment. If it does not, it will delete the data immediately after informing you of this, unless, at that point, you give your consent to the processing of the data contained in your CV for an additional 6 months, so that, should a vacancy occur, the Firm can review the CV and, if the vacancy is of interest to you, contact you. To this end, the Firm will carry out profiling to the extent necessary to draw your attention to a job opportunity that may be of interest to you. After a period of 6 months, the Firm will delete the data.

Within the Firm’s organisation, access to the data will be limited to the staff members who need to have access in order to carry out their work (office manager, deputy office managers, HR officer, recruitment staff of the Firm) and for the time necessary. The Firm will not transfer personal data to third parties (either within or outside of the EU/EEA).

The data may be accessed by processors providing IT services to the Firm as necessary.

By submitting your CV, you consent to the processing of your data in accordance with this clause 1.1 (except for the additional processing for 6 months to which we can ask for your consent at the point in time as indicated above).

1.2 Data processing related to the performance of the mandates

The purpose of the processing is the performance of the mandate received.

If the Firm and you or your employer enter into an attorney-client mandate agreement, for the purpose of performing such an agreement, the Firm processes the following personal data:

the personal data of you, the client’s representative, the respondents, witnesses, experts and other natural persons processed related to the performance of the given mandate, the subject matter of the case, the case identifier, the date of conclusion of the mandate contract, the registry number of the court proceedings or other proceedings relating to the case, personal data in connection with the mandate.

If the client is a natural person, the legal basis of the data processing is Article 6 (1) b) of the GDPR (performance of a contract), whereas if the client is not a natural person, the legal basis of processing is Article 6 (1) c) of the GDPR (compliance with a legal obligation) and Section 1 (1) of the Act on Legal Practice.

The scope of persons (positions) having access to the data: the members, junior lawyers and the of-counsels of the Firm; depending on the nature of the mandate, the access is restricted to certain members and employees of the Firm.

The data processors providing IT background services and, respectively, accounting services have access to the personal data to the necessary extent. If necessary, the Firm may engage a translation company (as a data processor) with the translation of the documents related to the mandate, the legal basis of which processing is the legitimate interest of the Firm in being able to fulfil the assignment efficiently (Article 6 (1) (f) of the GDPR).

Transfer of data takes place where the given case requires so (e.g. sending the data of the respondent, witness or expert to the client represented in lawsuit being resident out of the EEA territory).

The duration of the data processing is 5 years or 10 years (Section 53 (3) and (5) of the Act on Legal Practice): the data are kept by the Firm for five years after the termination of the mandate, in case of countersigning a document, for ten years after the countersigning of the document, and in case of registration of a right to real estate in the public register, for ten years after the registration of the right. In the case of countersignature of a deed, the Firm will keep the deed countersigned by it and other documents relating to the matter of countersignature of the deed for a period of ten years from the date of countersignature, unless a longer period is provided for by law or the parties have agreed to keep them for a longer period. The data related to the mandate not included in the mentioned subsections are stored by the Firm until the end of the limitation period, with the proviso that the Firm keeps the documents that constitute accounting documents supporting the accounting statements for eight years from the date of their creation (Section 169 (2) of the Accounting Act).

If necessary, the Firm may entrust the translation of the documents related to the assignment (which documents may also contain personal data) to a translation company (as a data processor), the legal basis for which is the legitimate interest of the Firm in being able to fulfil the assignment efficiently (Article 6 (1) (f) of the GDPR). For these data processing operations, as the case may be, the Firm may use the machine translation software “DeepL”, operated by DeepL SE (Maarweg 165, 50825 Cologne, Germany).

If the text to be translated is entered as a plain text message in the corresponding window of the deepl.com website (i.e. using the free program “DeepL Translator”), we take care that such text does not contain any personal data.

If the text to be translated is sent as a file to the company operating the translation program (i.e. using the paid program “DeepL Pro”), personal data may be sent (except for special data (e.g. health data), which will not be sent). These texts to be translated will be processed by DeepL SE solely for the purpose of the translation and the data and also the translation will be deleted once the translation is completed. If we send the text to be translated as a .docx or .pptx file, the translation will be done by DeepL SE itself within the EEA. If the text to be translated is sent as a pdf file, the translation is also carried out by DeepL SE, in principle within the EEA, but in such case, it uses Adobe Systems Software Ireland Limited (4-6 Riverwalk, City West Business Campus, Dublin 24, Republic of Ireland) (“Adobe API”) as a sub-processor, which is responsible for converting the pdf document into translatable text and, once the translation is completed, converting it back into a pdf document. The Adobe API uses Adobe Inc. (345 Park Ave, San Jose, CA 95110, USA) for this conversion. The Adobe companies will store the document on their server for no longer than 24 hours. DeepL SE has entered into a data processing agreement with Adobe API and the Adobe companies have entered into the relevant EU’s Standard Contractual Clauses between data processors.

1.3 Data processing related to the due diligence of the client

If client due diligence is carried out, the Firm processes the data below related to the due diligence of the client:

data defined in Section 7 (2) and (8) of the Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (“AML”) (name and surname, name and surname at birth, nationality, date and place of birth, mother’s name at birth, residential address or, in the absence of a residential address, place of residence, type and number of identification document; in the case of a legal person or an unincorporated body, the names and functions of the persons authorised to represent it, and the particulars of its agent for service of documents, if any, specified in this paragraph, except the type and number of the identification document). The Firm is obliged to make a copy of the document containing the information and of the official document proving the residential address, except for the page showing the personal identity number.

In such cases, the ground for data processing is Article 6 (1) c) of the GDPR (compliance with a legal obligation) and Sections 7-11 of the AML, and in certain cases Sections 17-21 of the AML.

The scope of persons (positions) having access to the data: the members, junior lawyers of the Firm, and colleagues of our billing department.

The data are transferred in the cases prescribed by the AML (to the regional bar association under Section 74 (1), to the financial information division operating in the Hungarian Customs and Tax Authority (“HCTA”) under Section 75 (1) of the AML).

The data are not transferred to outside the EEA. The data may be accessed as necessary by the data processors providing IT services to the Firm.

The Firm stores the data for 8 years following the performance of the mandate (Section 56 (2) and 57 (2) of the AML).

1.4 Data processing related to client identification

If client identification is carried out, the Firm processes the data below related to the client identification:

data defined in Section 32 (3) and (7) and Section 33 (2) of the Act on Legal Practice (e.g. surname, first name, date and place of birth, mother’s name, nationality, statelessness, refugee, immigrant, settled or EEA national status, address, facial image, signature, type and number of identification document used for identification).

In such cases, the grounds for data processing is Article (6) (1) c) of the GDPR (compliance with a legal obligation) and Sections 32-33 of the Act on Legal Practice.

The scope of persons (positions) having access to the data: the members, junior lawyers of the Firm, and colleagues of our billing department.

The data are transferred in the cases prescribed by the Act on Legal Practice (Sections 30-31 of the AML) to the financial information division operating in the HCTA.

The data are not transferred outside the EEA. The data may be accessed as necessary by the data processors providing IT services and, respectively, accounting services to the Firm.

The Firm retains the data for 8 years following the performance of the mandate (Section 33 (7) of the Act on Legal Practice, Section 56 (2) and Section 57 (2) of the AML Act).

1.5 Data processing related to case registry

To the extent required by law, the Firm processes the data below related to the registration of cases:

data defined in Section 53 (2) of the Act on Legal Practice (case identifier generated by the lawyer, name of the client, subject matter of the case, date of the mandate contract, the register number of the court proceedings or other proceedings relating to the case).

In such cases, the grounds for data processing is Article (6) (1) c) of the GDPR (compliance with a legal obligation) and Sections 32-33 of the Act on Legal Practice.

The scope of persons (positions) having access to the data: the members, junior lawyers of the Firm, and colleagues of our billing department.

The data are transferred in the cases prescribed by the Act on Legal Practice (Section 53 (4) of the Act on Legal Practice) to the competent body of the professional bar.

The data are not transferred outside the EEA. The data may be accessed as necessary by the data processors providing IT services to the Firm.

1.6 Data processing related to contracts concluded with business partners

If the Firm and your employer concluded a contract, the Firm processes the personal data of yours as a contact person for the purpose of the performance of the contract:

your family name, first name, post, phone number and email address.

In such cases, the grounds for the data processing is Article 6 (1) b) of the GDPR (performance of a contract), Article 6 (1) c) of the GDPR (compliance with a legal obligation).

The scope of persons (positions) having access to the data: the members, junior lawyers of the Firm, and colleagues of our billing department.

No data is transferred to third parties. The data may be accessed as necessary by the data processors providing IT services and, respectively, accounting services to the Firm.

The Firm retains the data for five years following termination of the contract and, respectively, for 1 year following the change of the contact person.

1.7 Data processing for the purpose of the operation of employee share ownership scheme (ESOP) organization and the implementation of the remuneration policy

If the Firm participated in the operation of ESOP organization, it processes the following data:

the family name, first name, address, name at birth, maiden name, tax number, social security number, place of birth, date of birth, sex, citizenship, the bank maintaining his bank account, bank account number, the time of the removal from under the scope of the accepted remuneration policy, the member’s shares and its nominal value, the number and value of shares processed in respect of the member’s shares of the employees participating in the ESOP organization.

In such cases, the grounds for the data processing is Article 6 (1) c) of the GDPR (compliance with a legal obligation), Section 24/G (1) of the Act XLIV of 1992 on the Employee Stock Option Plans, Section 46 (3), 50 (1) b) and (2) and 79 of the Act CL of 2017 on Taxation.

The scope of persons (posts) having access to the data: the members, junior lawyers of the Firm.

No data is transferred to third parties. The data may be accessed as necessary by the data processors providing IT services and, respectively, accounting services to the Firm.

The Firm stores the data necessary for determining the pension for 5 years after the respective person reaches the retirement age, the data related to taxation are stored until the end of the 5 years long tax law limitation period and the data related to accounting (receipts) are stored for 8 years, meanwhile, other data processed in connection with the contract are stored for 3 years following the termination of employment (until the end of the limitation period).

1.8 Maintaining registration regarding the expiry of trademarks

The Firm maintains the registration regarding the expiry of trademark protection for the purpose of calling the attention of the client in time (when the renewal becomes due), and in such scope processes the data below:

name of the proprietor of the trademark, the due date of the renewal, registration number, registered trademark, comments regarding the trademark protection.

In such cases, the legal basis for the data processing is Article 6 (1) b) of the GDPR (performance of a contract).

The scope of persons (positions) having access to the data: the members, junior lawyers of the Firm.

No data is transferred to third parties. The data may be accessed as necessary by the data processors providing IT services and, respectively, accounting services to the Firm.

The Firm stores the data until the end of the termination period following the termination of the mandate (5 years).

1.9 Data management in relation to the deposit

If the Firm enters into an escrow agreement, it will process the following data concerning the client:

the data specified in Article 51 (2) of the Act on Legal Practice: the name and Bar identification number of the depositary lawyer, the case identifier of the deposit contract, the type of deposit, the subject of the deposit, if the depositary lawyer places the deposit in a sub-account, the sub-account number, in case of a deposit of money, the amount and currency of the money actually deposited, the date of conclusion, amendment or termination of the deposit contract, the date of recording the data in the deposit register or the date of amendment of the recorded data.

The processing of data in relation to the escrow is based on Article 6(1)(c) of the GDPR and the provisions of Section 51 (1) and (2) of the Act on Legal Profession.

The scope of persons (positions) with access to the data: members of the firm, lawyers and billing staff.

The data will be transmitted to the Budapest Bar Association.

The data will not be transferred outside the EEA. The data may be accessed as necessary by data processors providing IT services and, respectively, accounting services to the Firm.

The Firm keeps the data for 10 years after the termination of the escrow (Section 51. (4) of the Act on Legal Practice).

1.10 Inviting clients, business partners, colleagues to a Firm event

The Firm may send email invitations to its own events to clients, business partners and colleagues. The data processed: name and email address of the invitee.

The legal basis for sending the email is the legitimate interest of the Firm (Article 6(1)(f) of the GDPR), which is to hold an event of the Firm, for example, to give a presentation on a topic or to report on an important event related to the Firm. The Firm has prepared the respective balancing test.

Identification of the persons (job titles) with access to the data: the head of the Firm, the member/employee designated by the head, the person in charge of marketing.

The Firm typically sends out the emails itself, with the participation of the Office’s IT host as a data processor where appropriate. The Firm does not transfer the data to any other party, either within or outside the EEA.

The Firm will not further process the data for this purpose after the date of the event.

2. The data controller

The Firm acts as controller of your personal data as listed above. In respect of the above defined data processing, the Firm in respect of the data processing defined in the above Point 1.7 the Firm is a joint controller together with the legal person establishing the ESOP organization and the ESOP organization and other legal person participating in the operating of the ESOP organization.

3. Storing of data and description of technical and organisational measures applied in order to maintain data safety

Your personal data are stored at the Firm’s seat (1055 Budapest, Kossuth Lajos tér 16-17.).

The Firm applies all technical safety measures that can be reasonably expected to store the data in a safe way, not accessible to third parties.

An IT description of the safety measures, the technical and organizational measures taken to ensure the safety of data follows below: The Firm’s IT system is protected by appropriate firewall, virus scanner and spam filter. Computers can only be accessed with a custom password.

The Firm undertakes the appropriate protection measures, however, we call your attention to the fact that cyber-attacks cannot be prevented or combated in every case.

4. Your rights in connection with data processing:

In connection with data processing, you have the following rights:

a) right of access (Article 15 GDPR): You are entitled to obtain from the Firm confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the information contained herein.

Per your request, the Firm provides a copy of the personal data undergoing processing. For any further copies you request, the Firm may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, and unless you request otherwise, the information will be provided in a commonly used electronic form.

b) right to rectification (Article 16 GDPR): You have the right to obtain from the Firm without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

c) right to erasure (Article 17 GDPR): You have the right to obtain from the Firm the erasure of personal data concerning you without undue delay and the Firm shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
You object to the processing and there are no overriding legitimate grounds for the processing;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Firm is subject.

d) right to restriction of processing (Article 18 GDPR): You have the right to obtain from the Firm restriction of processing where one of the following applies:

You contest the accuracy of the personal data, for a period enabling the Firm to verify the accuracy of the personal data;
the Firm no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.

e) right to receive information on the above rights (Article 12 GDPR): the Firm provides you with information on action taken on your request as per clauses a)-d) above without undue delay and in any event within one month of receipt of your request. The information is provided in a concise, transparent, intelligible and easily accessible form. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Firm informs you of any such extension within one month of receipt of the request, together with the reasons for the delay.

f) right to lodge a complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR. The complaint can be filed with the National Data Protection and Freedom of Information Authority (NAIH) (address: 1055 Budapest, Falk Miksa u. 9-11.; telephone: +36 1 391 1400; fax: +36 1 391 1410; www.naih.hu; ugyfelszolgalat@naih.hu).

*******************************************************************************************************

g) right to object (Article 21 GDPR): you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation if the Firm’s legitimate interest serves as a legal basis of the processing. In this case, the Firm may no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. In case of the data processing as per Section 1.6 above, in view of the limited scope of the data processed and the fact that the Firm has a legitimate interest in the performance of the contracts it has concluded, the objection does not result in the termination of such data processing. With regard to Section 1.10 above, you have the right to object to the processing of your personal data. This objection does not need to specify the reason for the objection in relation to your situation. In the event of an objection, the Firm will no longer process your data for the purposes indicated in Section 1.10 above.

*******************************************************************************************************

h) Right to data portability (Article 20 GDPR): You have the right to receive personal data in respect of you which you have provided to the Firm, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Firm. Furthermore, you have the right to have the personal data transmitted directly from the Firm to another data controller, where technically feasible.

i) Right to withdraw your consent (Article 7 GDPR): You have the right to withdraw your consent at any time at any of the contact details in this privacy policy, in which case the Firm will no longer process your data. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. You may request information on the processing of your personal data via the channels and from the person below:

You may request further information in connection with the processing of your personal data from Mr. András Szecskay, via mail (1055 Budapest, Kossuth Lajos tér 16-17.) or email (info@szecskay.com). Per your request, verbal information may also be given in which case, minutes have to be taken. If you request verbal information (e.g. via phone (+36 1 472 3000), you are required to prove your identity towards the Firm. If you wish to exercise your rights above, you have to contact Dr. András Szecskay.

Budapest, June 2022