Privacy Policy | drkuthylawfirm

PREAMBLE

In accordance with Hungary Fundamental Law, and the provisions of Act CXII of 2011 on Informational Self-Determination and Freedom of Information (hereinafter: Info Act) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: GDPR), Dr. Kuthy Law Firm (hereinafter: Data Controller) in order to ensure the protection of personal data, determines data processing as follows rules:

Main data and contact details of the Data Controller:

Name: dr. Kuthy Law Firm
headquarters: 1027 Budapest, Kacsa Street 11., 5/Floor.
Tax number: 18599433-1-41
E-mail address: K@drkuthy.com
Phone number: +36 20 2263719

1. Definitions

processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
data processing: performing technical tasks related to data management operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;
data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the Data Controller;
data destruction: complete physical destruction of the data medium containing the data;
data erasure: making data unrecognizable in such a way that their recovery is no longer possible;
data transfer: if the data is made available to a specific third party;
personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
GDPR: General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Info Act: Act CXII of 2011 on Informational Self-Determination and Freedom of Information;
personal data: any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
objection: the statement of the data subject by which he objects to the processing of his or her personal data and requests the termination of data management or the deletion of the processed data;

2. Legal basis for data processing

The legal basis for data processing in connection with the use of services available on the Website is the voluntary consent of the User pursuant to Article 6 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The User may withdraw his/her consent to data management at any time, in which case the Data Controller deletes all personal data of the User from the system. In the absence of revocation, the duration of data processing is the deadline specified in this prospectus in certain cases involving data processing.

3. Principles and method of data processing

The processing of personal data is handled by the Data Controller taking into account the following principles:

Data processing is carried out lawfully, fairly and in a transparent manner for the Recipient.

Data processing is subject to the principle of data minimisation, according to which it must be adequate, relevant and limited to necessity in relation to the purpose of data processing.

Data processing must be accurate and, where necessary, up-to-date. In this context, the Data Controller and the Data Processors shall take all reasonable measures to ensure that inaccurate data are erased or rectified without delay.

Personal data will be stored for a limited period of time necessary to achieve its purpose.

During the processing of personal data, the Data Controller ensures protection against unauthorized or unlawful processing of data and against accidental loss, destruction or damage.

Personal data are processed by the Data Controller only for the purpose and in the manner specified in this Prospectus, in order to exercise the rights and fulfil the obligations specified in the Prospectus. Data processing must comply with this purpose at all stages.

The Data Controller processes only such personal data that is essential for the realization of the purpose of data processing, suitable for achieving the purpose, and only to the extent and for the time necessary to achieve the purpose.

4. Scope of processed personal data

The Data Controller processes data in the following registration systems:

Enquiry
Manage email addresses

The Data Controller records the data processed in each registration system, the data management purposes, the requirements for storing data and the storage periods in its Data Management Register.

Data provided during the inquiry

Requests for quotation are possible for the legal services indicated on the Website, during which the User may provide his/her personal data indicated on the given request form to dr. Kuthy Law Office of his/her own accord.

Manage email addresses

Dr. Kuthy Law Office pays special attention to the legality of the use of the e-mail addresses managed by it, so it uses them only in the manner specified here to send information or advertising e-mails. The processing of e-mail addresses primarily serves the identification of the Data Subject and communication during the use of the services provided by Dr. Kuthy Law Office (e.g. request for quotation), this is primarily why e-mails are sent.

5 Rights of the Data Subject and how to enforce them

5.1 Information and access to personal data

The User shall receive information about the identity of the Data Controller and the Data Processor, the scope and purpose of the processed data, their rights and the possibilities of their enforcement from the Privacy Policy issued by the Data Controller.

The User has the right to access the personal data stored by the Data Controller and the information related to their processing; to check what data the Data Controller records about him/her, and he/she has the right to have access to personal data. The User is obliged to send his/her request for access to the data to the Data Controller in writing (by e-mail or post). The Data Controller shall provide the information to the User in a widely used electronic format, unless the User does not request it in writing, in paper form. Verbal information is not provided by the Data Controller via telephone in case of exercising access. Where the right of access is exercised, the information shall include:

definition of the scope of processed data, purpose, time and legal basis of data processing regarding the scope of processed data,
data transfer: to whom the data have been or will be transmitted subsequently,
mark up a data source.

The Data Controller shall provide the User with a copy of the personal data free of charge for the first time. For further copies requested by the Data Controller, the Data Controller may charge a reasonable fee based on administrative costs. If the Data Controller requests the release of copies electronically, the information shall be provided to the Data Controller by e-mail, in a commonly used electronic format. After being informed, if the User does not agree with the data management or the correctness of the processed data, he/she
may request the rectification, completion, erasure or restriction of processing of personal data concerning him or her, object to the processing of such personal data, or initiate the procedure specified in Section 5.8 as follows.

5.2 Right to rectification and completion of processed personal data

At the written request of the User, the Data Controller shall rectify without undue delay any inaccurate personal data indicated by the User, in writing or in person in one of the Data Controller's stores, or complete the incomplete data with content indicated by the User. The Data Controller shall inform all recipients to whom the personal data have been disclosed about the rectification or completion, unless this proves impossible or involves disproportionate effort. The User shall inform him of the data of these recipients if he requests this in writing.

5.3 Right to restriction of processing

The User may, by written request, request the Data Controller to restrict the processing of his/her data if the - User disputes the accuracy of the personal data, in which case the restriction applies for a period enabling the Data Controller to verify the accuracy of the personal data,- the processing is unlawful and the User opposes the erasure of the data and requests the restriction of their use instead,- the Data Controller no longer needs the personal data for the purposes of data processing, but the User requires them for the establishment, exercise or defence of legal claims.

The User objects to data processing: in this case, the restriction applies for the period until it is established whether the legitimate reasons of the Data Controller take precedence over the legitimate reasons of the User.

Personal data subject to restriction may, with the exception of storage, only be processed with the consent of the User or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State during this period. The Data Controller shall inform the User, at whose request the restriction of data processing has been restricted, in advance of the lifting of the restriction of data processing.

5.4 Right to erasure (right to be forgotten)

At the request of the User, the Data Controller shall delete the personal data concerning the User concerned without undue delay if one of the specified grounds applies: i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed by the Data Controller; ii) The User withdraws his/her consent on which the processing is based and there is no other legal basis for the processing; iii) The User objects to the processing on grounds relating to his or her particular situation and there is no legitimate reason for the processing, iv) The User objects to the processing of personal data concerning him or her for direct marketing purposes, including profiling if it is related to direct marketing, v) the personal data are unlawfully processed by the Data Controller; (vi) the personal data have been collected in connection with the offer of information society services directly to a child. The User may not exercise his or her right to erasure or forgetfulness if data processing is necessary i) for exercising the right to freedom of expression and information; (ii) for reasons of public interest in the area of public health; iii) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as exercising the right to erasure would render impossible or seriously impair the achievement of the objectives of that processing; or iv) for the establishment, exercise or defence of legal claims.

5.5 Right to data portability

Data portability enables the User to obtain and further use "his" data provided by the User in the Data Management System, for his own purposes and through various service providers determined by him. In all cases, the right is limited to the data provided by the User, portability of other data is not possible. (e.g. statistics, etc.) The User's personal data contained in the Data Management system relating to him/her:

receive it in a structured, commonly used and machine-readable format,
the right to transfer to another controller,
request the direct transfer of data to the other controller – if technically feasible in the Data Manager's system.

The Data Controller shall comply with the request for data portability only on the basis of a request written by e-mail or post. In order to fulfill the request, it is necessary for the Data Controller to be sure that the authorized User wishes to exercise this right. For this, it is necessary for the User to appear personally at the registered office of the Data Controller after the signal, in order for the Data Controller to be able to identify the requesting User using the data in its system. Within the framework of this right, the User may request the portability of data that he or she has providedto the Data Controller. The exercise of this right does not automatically result in the deletion of data from the Data Management systems, therefore the User may continue to use the Data Controller's service even after exercising this right.

5.6 Objection to the processing of personal data

The User may, on grounds relating to his/her particular situation, object at any time to the processing of his/her personal data, including profiling, or the User shall have the right to object at any time to the processing of personal data concerning him or her for direct marketing purposes, including profiling. If the User objects to the processing of personal data, the personal data will be deleted from the User's system by the Data Controller. User can object in writing (by e-mail or post).

5.7 Deadline for fulfilling the request

The Data Controller shall inform the User of the measures taken without undue delay, but in any case no later than one month from the receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this deadline may be extended by another two months, but in this case, the Data Controller shall inform the User within one month of receipt of the request, indicating the reasons for the delay. If the User submitted the request electronically, the information shall be provided electronically by the Data Manager, unless otherwise requested by the User.

5.8 Enforcement options

The User may exercise his/her rights by sending a written request by e-mail or post. The User cannot enforce his/her rights if the Data Controller proves that he/she is not in a position to identify the User. If the User's request is manifestly unfounded or excessive (especially considering the repetitive nature), the Data Controller may charge a reasonable fee for fulfilling the request or refuse to take action. The burden of proof shall lie with the Data Controller. If the Data Controller has doubts about the identity of the natural person submitting the request, the Data Controller may request the provision of additional information necessary to confirm the identity of the applicant. The User may turn to the Info.tv, the Decree and the Civil Code (Act V of 2013).

National Authority for Data Protection and Freedom of Information (1055 Budapest, Falk Miksa utca 9-11.; www.naih.hu)
Court:
- In case of violation of his rights, the Data Subject may turn to court. The court shall deal with the case as a matter of priority. The case falls within the jurisdiction of the General Court. According to the choice of the Data Subject, the lawsuit may also be brought before the court of the Data Subject's domicile or residence.
- The Data Controller shall compensate for any damage caused to others by the unlawful processing of the Data Subject's data or by violating the requirements of data security. If the Data Controller violates the Data Subject's personality rights by unlawfully processing the Data Subject's data or violating the requirements of data security, the Data Subject may claim grievance fees from the Data Controller.
- The Data Controller shall also be liable to the Data Subject for any damage caused by the Data Processor. The Data Controller shall be exempted from liability if it proves that the damage was caused by an unavoidable cause outside the scope of data processing. There is no need to compensate for the damage and no grievance fee can be claimed to the extent that the damage resulted from the intentional or grossly negligent conduct of the injured party or the violation of personality rights.

6 Purpose of data processing, storage, use and transmission of data

6.1 Purpose of data processing

Dr. Kuthy Law Office stores and processes the data provided by the User for a specific purpose, exclusively for the purpose of fulfilling requests for quotations, keeping contact, enabling invoicing - if applicable, and later proving the terms of the concluded contract. The purpose of the automatically recorded data is to compile statistics and to develop the Website technically.
Dr. Kuthy Law Office will not use the personal data provided for purposes other than those specified above. The disclosure of personal data to third parties or authorities is possible - unless otherwise provided by law - with the prior, express consent of the Data Subject. In all cases where
Dr. Kuthy Law Office intends to use the provided data for a purpose other than the purpose of the original data collection, it shall inform the User thereof and obtain his or her prior, express consent or provide him or her with the opportunity to prohibit data processing.

6.2 Storage of data

The Data Controller shall ensure that the storage of data is limited to the shortest possible period. In order to ensure that the storage of personal data is limited to what is necessary, the controller should take into account statutory storage periods and establish periods for erasure and periodic review.

After carrying out the processing, the Data Processor shall return or delete the personal data in accordance with the instructions of the Data Controller or the consent of the Data Subject, unless the law applicable to the Processor requires their storage.

The data shall be stored in a form which permits identification of data subjects only for the time necessary to achieve the purpose for which the personal data are processed, and storage for longer periods may only take place for archiving purposes in the public interest, scientific and historical research or statistical purposes, unless otherwise provided by law.

6.3 Use of information

A person whose right or legitimate interest is affected by the recording of his/her personal data may, within 3 (three) working days from the recording of his/her personal data, request that the data controller not destroy or delete the data by proving his/her right or legitimate interest. At the request of a court or other authority, personal data must be sent to the court or authority without delay. If the request is not made within 30 (thirty) days of the request not to destroy, the recorded image and/or sound recording and other personal data shall be destroyed or deleted.

The data of the database of photographs and video recordings may only be handed over to the investigating authority or the misdemeanour authority if suspicion of a crime or administrative offence is detected, or upon request. The following persons are entitled to access the recordings: a lawyer managing the office or persons authorised by him.

Copies and prints of photographs, videos and personal data are made only under controlled conditions documented by logging in case of any high-risk data processing, only in case of suspected misuse or criminal offences, for evidentiary purposes. At the conclusion of the internal procedure, the stored data will be destroyed under documented and controlled conditions. The recordings must not fall into the hands of unauthorized persons. It shall also be transferred to the competent authority in a controlled and documented form. Data storage devices that may be indelible due to damage shall also be destroyed in a controlled and documented form in an individual report.

6.4 Data transfer

Personal data may only be disclosed to third parties with the prior written consent of the data subject. When entering into a legal relationship related to data transfer to third parties, the Data Controller expects its contractual data processing partners to comply with the provisions of the Privacy Act, the GDPR and the data protection legislation in force at any time during the processing of personal data, but at least to the extent guaranteed by this Policy. The Data Controller requests the separate consent of the data subjects in all cases where the data transfer is to a country outside the EEA. Both the information and the declaration of consent must include the exact identity of the processor (name and address or company name and registered office), the scope of the data transferred, the exact physical location of the data storage and processing.

In order to check the lawfulness of the data transfer and to inform the data subjects, the Data Controller shall keep a record of the higher risk data transfer involving a significant data set, which includes the date of transfer of the personal data processed, the legal basis and recipient of the data transfer, the definition of the scope of the transferred personal data, and other data specified in the law prescribing data processing.

7 Data security, data breach

In particular, the data must be protected by appropriate measures against unauthorised access, alteration, transmission, disclosure, erasure or destruction, as well as against accidental destruction or damage, as well as against inaccessibility due to changes in the technology used. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

When defining and applying measures for the security of data, the Data Controller and the Data Processor shall take into account the current state of the art. Among several possible data processing solutions, the one that ensures a higher level of protection of personal data should be chosen, unless this would cause disproportionate difficulty for the Data Controller.

In the event of a personal data breach, the Data Controller has developed a data protection incident policy, which specifies the possibility of reporting a data protection breach, the persons responsible for remedying the data protection breach, and the applicable deadlines.

In order to control the measures related to the personal data breach, to inform the supervisory authority and to inform the User, the Data Controller shall keep records, which contain the scope of personal data affected by the incident, the scope and number of data subjects, the date, circumstances, effects of the incident and the measures taken to remedy it. In the event of an incident – except where the incident does not entail a risk to the rights and freedoms of natural persons – the Data Controller shall inform the User and the supervisory authority of the personal data breach without undue delay, but no later than within 72 hours.

8 Data processing on the Website operated by the Data Controller

8.1 Cookie Policy

It is possible to view the content published on the https://www.drkuthy.com Website accessible to anyone without providing personal data.

Data of the Data Subject's login computer generated during the use of the service and recorded by the Service Provider's system as an automatic result of technical processes. These are, in particular, the date and time of the visit, the IP address of the Data Subject's computer, the type of browser. The automatically recorded data are automatically logged by the system upon entry or exit without any separate statement or action by the Data Subject. These data may not be linked to other personal user data, except in cases required by law. Only
Dr. Kuthy Law Office has access to the data. The Service Provider uses the following cookie:

Security cookie.
Transient (session) cookie: They are automatically deleted after the visit of the data subject.
Persistent cookie: These cookies are stored for a longer period of time in your browser's cookie file. The duration of this depends on the setting used by the Data Subject in his or her internet browser.

Some of these cookies serve to make the Service Provider's Website work more efficiently and safely, they are essential for certain functions of the Website or certain applications to work properly. While other cookies are placed for a better user experience (e.g. to provide optimized navigation). External servers facilitate the independent measurement and auditing of website traffic and other web analytics data (Google Analytics). Data controllers can provide detailed information to the Data Subject about the processing of measurement data. Contact details: www.google.com/analytics/

The purpose of processing data stored in cookies is to improve user experience and improve the online services of the website. The cookies used on the website do not store personally identifiable information.

During the visit to the website, the user can remove cookies placed on his computer at any time from his own computer or disable the use of cookies in his browser.

8.2 Contact

The Data Subject may send a direct message to the Data Controller online (by providing his name and email address) under the "contact" menu item through the Website.

Furthermore, the Data Subject may request an appointment from the Data Controller (providing his name and e-mail address) through the Website for faster contact.

The provision of data is voluntary, the Data Controller considers the consent to data processing for the above purposes to be given by sending the message/time request.

E-mails containing ideas, opinions and comments are kept by the data controller for a maximum of 1 year, if the purpose of data management ceases to exist earlier, the e-mail will be deleted upon its occurrence.

9 Other provisions

The Data Controller reserves the right to unilaterally amend this Privacy Policy by notifying Users using Homepage through Honpage. The changes shall enter into force against the User on the date specified in the notification, unless the User objects to the modifications. By using the Honsheet, the User accepts the contents of the amended Privacy Policy by so-called implied conduct. If the User has provided data of a third party in the course of using the service or has caused damage in any way during the use of the Website,
the Data Manager is entitled to enforce compensation against the User. The Data Controller does not verify the personal data provided to him. The person providing the data is solely responsible for its compliance. When providing the e-mail address of any User, he/she also assumes responsibility that only he/she uses the service from the provided e-mail address. Date of entry into force of this Privacy Policy: 25 May 2018.

Postal address: 1027 Budapest, Kacsa Street 11., 5/floor
Email: K@drkuthy.com
Phone: +36 20 2263719