Dr. Dániel Necz Law Firm and
Madocsai Law Firm
Last modified: 1 November 2021
1. GENERAL INFORMATION
This Policy provides information on the processing of such personal data and on the data subjects’ rights and legal remedies in relation to the processing.
Law Firms’ contact details:
Dr. Necz Dániel Law Firm
Registered seat: Hungary, 1096 Budapest, Lenhossék street 3. 1H:E 1st floor 1.
Registration number at the Budapest Bar Association: 36066103
The Law Firm is registered at the Budapest Bar Association.
The representative of the Law Firm and his contact details: dr. Dániel Necz attorney-at-law, please see his contact details above.
Madocsai Law Firm
Registered seat: Hungary, 1078 Budapest, Hernád street 12. GF. 8.
Registration number at the Budapest Bar Association: 36072460
The Law Firm is registered at the Budapest Bar Association.
The representative of the Law Firm and her contact details: dr. Kinga Madocsai attorney-at-law, please see her contact details above.
The website of the Law Firms: https://simplegal.hu/ (“Website”).
What data are considered personal data?
Personal data is any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Thus, for example, personal data include the name, e-mail address of the data subject (e.g. a client, opponent or contracting party’s representative) and data related to the engagement for that client (e.g. the fact and nature of the engagement). In addition, the rules applicable to legal privilege apply to data relating to the lawyer’s engagement, including non-personal data.
What personal data are classified as special categories of personal data?
Special categories of personal data include personal data referring to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Who can be a data subject?
The Law Firms may, in particular, but not exclusively, process the data of the following natural persons:
- potential client (principal), their proxies, representatives or contact persons
- persons requesting an offer for services, their proxies, representatives or contact persons
- client (principal)
- natural persons related to clients (e.g. relative, representative, proxy, contact person, beneficial owner)
- other natural person participating in the proceedings related to the subject of the engagement (e.g. opposing party, legal counsel)
- a person applying for or participating in an event organised by the Law Firm
- the person contacting the Law Firm, as well as their representatives, proxies and contact persons
- a whistle-blower contacting the Law Firm within the framework of the system of lawyers engaged for the protection of whistle-blowers pursuant to Act CLXV of 2013 on Complaints and Policies of Public Interest (the “Complaint Act”) and the person involved in the whistleblowing (whose conduct or omission gave rise to the report by the whistle-blower or who may have substantive information about the contents of the report).
This Data Processing Policy does not contain information related to the data processing carried out in connection with the personal data of employees or applicants for jobs advertised by the Law Firm.
The role of the Law Firms in relation to processing of personal data:
Controller refers to the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; and where two or more controllers jointly determine the purposes and means of processing, they are joint controllers and joint processing takes place. The controller is primarily responsible for the processing, while joint controllers are jointly and severally liable, i.e. the data subject may enforce his or her rights against any of the joint controllers.
Processor refers to the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The processor is only liable for damages caused by the processing if it did not comply with the obligations specifically imposed on processors in the GDPR or other mandatory statutory provisions, or if it disregarded or acted contrary to the controller’s legitimate instructions.
The above Law Firms act as joint controllers in the case of joint lawyers’ retainers (where both Law Firms have been retained) or other jointly concluded contracts (e.g. contracts concluded jointly by both law offices with a joint service provider), in accordance with Article 26 of the GDPR. In such cases, data subjects may exercise their rights under the GDPR and Section 7 of this Policy in respect of each Controller and against each Controller. In view of the above, data subjects may send their data protection-related requests to either Controller to the Controller’s contact details provided in this Policy. The request is fulfilled by the recipient or by the Controller concerned (e.g. the Controller carrying out the relevant data processing or storing the data), which provides information and responds to the data subject.
In cases where only one Law Firm handles personal data (including in particular where only one law office has been retained or entered into a contract with a service provider or supplier), that Law Firm is considered an independent controller and data subjects may submit their data protection-related requests to that Law Firm, at the contact details provided in this Policy.
We emphasise that, unless the circumstances clearly indicate otherwise, of which the Law Firms will inform the data subject, any lawyer or law firm acting as a substitute in the performance of a given engagement is subject to the provisions applicable to the processor, as the controller in this case is the attorney-at-law or Law Firm being substituted, in whose name the substitute lawyer is acting. If the engagement of the substitute lawyer is directly from the client (and authorises such lawyer to carry out processing), i.e. if the lawyer has not just been designated as a substitute or authorised to substitute in the retainer agreement or the lawyer has a separate engagement from the client – such lawyer is also considered a controller.
We also emphasise that the Law Firms do not qualify as joint controllers with their clients and, not including those exceptional cases where the Law Firms carry out ancillary activities to practicing law, nor do they act as processors for the clients or for other persons, but rather as independent controllers, as set forth in this Policy, provided, however, that the Law Firms are considered joint controllers (exclusively) with each other. In exceptional cases where the Law Firms or one of them would qualify as a processor of the client, the relevant client, as the controller, must inform the data subjects in consultation with the Law Firms or Law Firm, and in cases where the Law Firms or any of them act as joint controllers together with a third party, the joint controllers will prepare and provide separate data protection policies to the data subjects.
2. UPDATE AND AVAILABILITY OF THE POLICY
The Law Firms reserve the right to unilaterally amend this Policy with effect from the date of such amendment, subject to the restrictions set out in the applicable laws, and with prior policy to data subjects, as appropriate.
This Policy may be amended, in particular, as a result of a change in the law, data protection authority practices, a business need, a new data processing purpose, a newly discovered security risk or data subject feedback. When communicating regarding matters concerning this Policy or data protection issues, as well as otherwise in contact with data subjects, the Law Firms may use the contact details of data subjects provided to the Law Firms for contact and communication purposes. Upon request, the Law Firms will, for example, send a copy of the Policy in force at any time to data subject or certify that data subjects are aware of the Policy.
3. SPECIFIC DATA PROTECTION TERMS
In the course of their data processing activities, the Law Firms must, in addition to their other legal obligations, comply with the legal obligations provided for in the following laws and Bar Association regulations:
- “Money Laundering Act” – Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing
- “Act on Attorneys” – Act LXXVIII of 2017 on the professional activities of attorneys-at-law
- “Accounting Act” – Act C of 2000 on accounting
- “Act on Rules of Taxation” – Act CL of 2017 on the Rules of Taxation. The Law Firms are obliged to keep the data supporting tax-related documents.
- “Privacy Act” – Act CXII of 2011 on Informational Self-Determination and Freedom of Information
- Act LII of 2017 on the Implementation of Financial and Proprietary Restrictive Measures ordered by the European Union and the UN Security Council
- bar association regulations, in particular MÜK Regulation No. 2014/2018 (VI.25) on the performance of obligations defined by, risk assessment under, supervision procedures and guidelines specified in Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing and Act LII of 2017 on the Implementation of Financial and Proprietary Restrictive Measures ordered by the European Union and the UN Security Council
These laws and bar association regulations define in detail and comprehensively the operations that involve the processing of personal data. The purpose of this Policy is to outline these processing operations in a comprehensible manner, however, it is not possible to describe certain details for reasons of length, so we have provided a short form only to the extent required for data subjects to have a general understanding, with a reference to the relevant statutory provision. The Law Firms are able to provide further details of the processing operations specified in the above rules and all other processing operations at the above contact details, as well as if you contact the Law Firms in person (for example, when performing client identification in person).
The Law Firms obtain any personal data relating to their clients primarily from the client – the client’s freely given data disclosure – or with respect to the client from a third party authorised to provide the personal data by the client and/or a person authorised to disclose data by statutory authorisation. Other sources of data processed by the Law Firms may be, for example, a public register, a court, an authority, or another data subject.
If a person is not entitled to provide certain personal data on their own, they must obtain the consent of the third party (e.g. a legal representative, guardian or other person on whose behalf they are acting) or provide another appropriate legal basis for providing the data, and to comply with any other data protection and data security requirements. In this context, the person providing the data must consider whether the consent of the third party is required in connection with the provision of the personal data in question. On occasion, the Law Firms will not come into direct contact with the data subject, so compliance with this clause must be ensured by the person providing the personal data concerning the data subject. Nevertheless, the Law Firms have the right to check, at all times, whether the appropriate legal basis for the processing of any particular personal data exists. For example, if the person providing the data acts on behalf of a third party, the Law Firms have the right to request the power of attorney and/or the due consent of the data subject with regard to the specific case.
4. DESCRIPTION OF DATA PROCESSING OPERATIONS – SCOPE OF DATA PROCESSED BY THE LAW FIRMS, PURPOSES OF PROCESSING, LEGAL BASIS FOR THE PROCESSING AND DURATION OF THE PROCESSING
For a detailed description of the scope of data processed by the Law Firms, the purposes of, the legal basis for, the duration and other circumstances of the processing please refer to the table that can be downloaded from the link below.
If processing is necessary for the purposes of the legitimate interests pursued by the Law Firms or by a third party, the interest assessment test used to establish the legitimate interest will be provided by the Law Firms upon a request submitted to one of the above contact details.
The Law Firms expressly draw the attention of data subjects to the fact that the data subject shall at any time have the right to object on grounds relating to his or her particular situation to processing of personal data based on the ground of the Law Firms’ legitimate interest. In such case, the Law Firms shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
The primary purpose of the processing of personal data concerning a client and third parties in connection with the engagement of the Law Firms is to perform the engagement and to comply with the instructions of the client and to carry out any operations directly connected with the engagement and the purpose and interests of the client, as well as to comply with all applicable laws, including performance of any decision of any person, organisation or public body entitled to issue an official, court or other binding mandatory regulation.
The duration of each processing activity is essentially determined on the basis of the Act on Attorneys and the applicable Bar Association regulations, as well as the following statutes:
- Act on the Rules of Taxation – the Law Firms process any data supporting tax-related documents for 5 years from the last day of the calendar year in which the tax return, data reporting or reporting should have been made, or in the absence of a tax return, data report or report, the tax should have been paid (Section 78 (3), Section 202 (1)).
- “Civil Code” – Act V of 2013 on the Hungarian Civil Code. If the Policy specifies the limitation period for the enforceability of a claim as the duration of processing, any act interrupting the limitation period extends the duration of the processing until the new date of the limitation period (Section 6:25 (2) of the Civil Code). If the limitation period is suspended, the claim may be enforced within a time limit of one year or, for limitation periods of up to one year, three months after the obstacle ceases to exist even if the limitation period has already expired or only a period of less than the above duration remains of it. (Section 6:24 (2)of the Civil Code).
- Accounting Act – for accounting documents, the data retention period is 8 years (Sections 168-169 of the Accounting Act).
- According to the Money Laundering Act, the data retention period is 8 years form the performance of the end of the “business relationship” or the execution of the “transaction order”. Paragraph 44 of Section 3 of the Money Laundering Act refers to a “transaction order” as a temporary relationship between a client and a service provider pertaining to the services of the service provider falling within its professional activities specified in Section 1 (1) a)-e), g)-h) and j)-r) (including the practice of law as performed by the Law Firms). Paragraph 45 of Section 3 of the Money Laundering Act refers to a “business relationship” as, inter alia, a long-term relationship established by contract between a client and a service provider pertaining to the services of the service provider falling within its professional activities specified in Section 1 (1) a)-e), g)-h) and j)-r) (including the practice of law as performed by the Law Firms).
5. DATA PROCESSORS
The Law Firms use the services of the following contractual partners to perform tasks related to data processing operations. The contractual partner acts as a so-called “processor”: it processes the personal data specified in this Policy on behalf of the Law Firms.
The Law Firms may only use processors that provide adequate guarantees, in particular in terms of expertise, reliability and resources, that they will implement technical and organisational measures to ensure compliance with the requirements of the GDPR, including the security of processing. The specific tasks and responsibilities of the processor are regulated by the contract between the Law Firms and the processor. After processing the data on behalf of the Law Firms, the processor shall, at the choice of the Law Firms, return or erase the personal data unless the EU or Member State law applicable to the processor provides for the storage thereof.
Németh Numerus Adótanácsadó Kft.
1146 Budapest, Dózsa György út 11. fszt. 2., Hungary
|Preparation of tax returns and tax and accounting advice to the Law Firms, based on a service agreement concluded for an indefinite term. In performing her tasks, the processor has access to the data processed by the Law Firms that is relevant for the purpose of accounting, as well as data necessary for answering the specific tax and accounting question. This is primarily data concerning all economic events whose impact on the assets or profits of the Law Firms must be disclosed under the Accounting Act.|
3 Minervastrasse, 8032 Zürich, Switzerland
|The ultra-safe cloud service provider of the Law Firms, specifically designed to guarantee the protection of clients’ digital assets and the files handled by the Law Firms through the highest security-rated cloud technology, end-to-end encryption and zero-knowledge protection. Tresorit enables cloud-based file transfer (data sharing) via encrypted links for clients who share personal data and documents (such as contracts) with the Law Firms for the purpose of electronic data sharing, as part of the lawyers’ engagement through the “file request” function of the Tresorit application.|
Havnegade 39 1058 Copenhagen, Denmark
|The GDPR compliant cookie banner service provider of the Law Firms registers and stores the state of the cookie consent of the Website’s users. A user consent is logged and documented by the registration of the user’s anonymized IP number, browser user agent, website URL, date and time of consent and a unique, encrypted key that is stored in a data center with Cybot’s cloud vendor, Microsoft Ireland Operations Ltd. in Dublin, Ireland. After 12 months, the consent is automatically deleted from Cybot A/S’s log.|
6. DATA TRANSFER TO OTHER CONTROLLERS
The Law Firms transfer personal data to the following additional controllers. The organisations act as controllers, i.e. they can determine the purpose of the processing of personal data, either individually or together with others, and may make and implement decisions regarding data processing (including the device) or have them implemented by the processor they use.
Recipient of data transfer: Law firms cooperating with the Law Firms in certain cases, individual attorneys, European Community lawyers and advisers, substitute lawyers, other experts.
Activity: practicing law, European Community legal or other advisory assistance and, where appropriate, the provision of expertise.
Legal basis of data transfer: GDPR Article 6 (1) (f) (legitimate interest of the Law Firms or third parties, in particular that of the client (principal) concerned). It is in the legitimate interest of the Law Firms to seek the assistance of law firms, individual lawyers, European Community lawyers or other advisers when necessary for the provision of expert or other specialist advice. All this is, of course, also the legitimate interest of the client concerned in the specific case, considering that in the absence of such consultation the engagement could not be, or would not be properly performed. Contracting partners will be informed of the identity, and, where appropriate, the qualifications of additional law firms, individual lawyers, European Community lawyers and advisers, taking into account the specificities of the contact, and the Law Firms will take the utmost account of the requests of their contracting partners when selecting the above persons.
In addition to the above, in connection with the following solutions, the following service providers have access to the data of the data subjects related to the use of the given solution:
- For Outlook, Office and Microsoft Teams, and Skype, Microsoft acts as a data processor for the Law Firms. The data protection officer Microsoft is available at the following contact information: Microsoft EU Data Protection Officer, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, DP18 P521, Ireland, telephone number: +353 (1) 706-3117. We emphasize that Microsoft acts as a data controller in certain cases (including, in particular, data processing by Microsoft based on its own legitimate business interests). We further emphasize that Microsoft’s terms for certain solutions, services and users also include Standard Contractual Clauses that provide adequate guarantees for the transfer of data to third countries outside the European Union. For questions about Microsoft’s privacy practices, visit the following page: Ask a question about privacy at Microsoft. You can find further information on the following pages: Microsoft Privacy Statement; Safeguard individual privacy with cloud services from Microsoft.
- In connection with the Zoom solution, Zoom Video Communications, Inc. has access to personal data as a data controller when applying the solution. Data subjects may submit a request to the company at the following contacts in order to exercise their data protection rights: email@example.com, Zoom Video Communications, Inc., Data Privacy Officer, 55 Almaden Blvd, Suite 600, San Jose, CA 95113, United States of America. We further emphasize that Zoom’s terms also include Standard Contractual Clauses, which provide adequate guarantees for the transfer of data to third countries outside the European Union.
7. DATA PROTECTION RIGHTS AND REMEDIES OF THE DATA SUBJECTS
7.1 Data protection rights and remedies of the data subjects
The data protection rights and remedies of the data subjects are listed in the relevant provisions of the GDPR (in particular Art. 15, 16, 17, 18, 19, 20, 21, 77. 78, 79, 80 and 82 of the GDPR). The following is a summary of the key provisions and, accordingly, the Law Firms will inform data subjects about their rights and remedies regarding data processing. The Law Firms specifically draw the attention of the data subjects to their right to object (please see point 7.8).
The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
The Law Fims shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Law Firms shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
If the Law Firms do not take action on the request of the data subject, the Law Firms shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
7.2 Right of access by the data subject
The data subjects shall have the right to obtain from the Law Firms confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or an international organisation, data subjects shall have the right to be informed of the information and appropriate safeguards relating to the transfer.
The Law Firms shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the Law Firms may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by him or her, the information shall be provided in a commonly used electronic form.
The data subject’s right of access may be exercised within the limits of the confidentiality rules of attroney-client priviledged information.
The Law Firms underline that they do not use automated decision-making or profile the data subjects based on the data available to them. Should automated decision-making or profiling occur in the future, Law Firms will inform those concerned by amending this data protection notice or by providing information tot he data subjects separately in accordance with the GDPR and other applicable legal provisions.
7.3 Right to rectification
The data subject shall have the right to obtain from the Law Firms without undue delay the rectification of inaccurate personal data concerning him or her. Furthermore, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
7.4 Right to erasure („right to be forgotten”)
Data subjects have the right to request that the Law Firms delete personal data concerning them immediately if one of the following reasons applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws his or her consent on which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Law Firms are subject;
- the personal data have been collected in relation to the offer of information society services.
Where the Law Firms have made the personal data public and are obliged to erase the personal data, the Law Firms, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The above provisions shall not apply to the extent that processing is necessary, among others:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the Law Firms are subject;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- for the establishment, exercise or defence of legal claims.
7.5 Right to restriction of processing
The data subject shall have the right to obtain from the Law Firms restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the Law Firms to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the Law Firms no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
- the data subject has objected to processing pending the verification whether the legitimate grounds of the Law Firms override those of the data subject’s.
Where processing has been restricted based on the above provisions, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
A data subject who has obtained restriction of processing shall be informed by the Law Firms before the restriction of processing is lifted.
7.6 Notification obligation regarding rectification or erasure of personal data or restriction of processing
The Law Firms shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Law Firms shall inform the data subject about those recipients for request.
7.7 Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the Law Firms, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the Law Firms to which the personal data have been provided, where
- the processing is based on consent or on a contract; and
- the processing is carried out by automated means
In exercising his or her right to data portability based on the above, the data subject shall have the right to have the personal data transmitted directly from one controller to another (e.g. from the Law Firms to another controller), where technically feasible.
The exercise of the right to data portability shall not be without prejudice to the right to erasure („right to be forgotten”) and shall not adversely affect the rights and freedoms of others.
7.8 Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on the legitimate interest of the Law Firms or is necessary for the performance of a task carried out in the exercise of official authority. In this case, the Law Firms shall no longer process the personal data unless they demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for there purposes.
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
7.9 Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to you infringes the GDPR.
Further information regarding the supervisory authorities that are competent in the Member States can be found on the European Data Protection Board’s website by clicking here.
The competent authority in Hungary: Hungarian National Authority for Data Protection and Freedom of Information (website: www.naih.hu; address: Hungary,1055 Budapest, Falk Miksa street 9-11.; postal address: Hungary, 1363 Budapest, p.o.b. 9.; phone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: firstname.lastname@example.org).
7.10 Right to an effective judicial remedy against a supervisory authority
The data subject shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.
The data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent or outcome of the complaint lodged does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
7.11 Right to an effective judicial remedy against the Law Firms
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with this GDPR.
Proceedings against the Law Firms shall be brought before the courts of the Member State where the Law Firms operate (in Hungary). Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence. Such a lawsuit falls within the competence of the regional courts (törvényszék) in Hungary. The action may also be brought before the court competent at the place where the data subjects resides or stays. More information on the competent regional courts and their contact details can be found on the following website: www.birosag.hu.
7.12 Charging of a reasonable fee in connection with answering data protection inquiries and completing data subject requests, refusal of taking the requested action
Information provided on the processing of personal data (information under GDPR Articles 13 and 14) and any communication and any actions taken in connection with data subject rights (under Articles 15 to 22) and personal data breaches (under Article 34) shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the Law Firms may – taking into account the administrative costs of providing the information or communication or taking the action requested – either:
- charge a reasonable fee taking; or
- refuse to act on the request.
The Law Firms shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.