Privacy Policy

  1. Introduction

Kölcsey-Rieden & Partners Law Office, as the data controller (hereinafter referred to as the “Data Controller”), is subject to Article 20 (1) and (2) of Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Information Act”) and Articles 12 and 13 of the GDPR. The data controller informs the data subjects about the details of the processing of their data in relation to its website and the sending of the newsletter, as well as about the data subjects’ rights in relation to the processing and the possibilities of legal remedies against the controller’s conduct, as set out in this privacy notice (hereinafter referred to as the “Notice”).

  2. Data of the Data Controller

Name: Kölcsey-Rieden & Partner Law Office

Located at: 1055 Budapest, Stollár Béla utca 22.

Registration number: Budapest Bar Association, 2706

E-Mail: office@colaw.hu

Phone: +36-1-2793030

  3. Website data management

The Data Controller operates this website for the purpose of informing its customers, presenting its activities and cooperation, and personal data is processed when visiting the website.

Processed personal data: access logs (access log: IP address of the visitor’s computer, date and time of visit, URL (address of the page visited), browser version used), PHPSESSID and Google Analytics cookies.

The data subject makes the data available to the Data Controller by contacting the Data Controller through the website.

Anyone can visit the website without having to provide any personal data beyond the technically automatic data processing.

The purpose of data processing is to provide online content, to operate the website, to identify the visitor, to maintain contact with the visitor, to identify the services the visitor can use, to produce statistics and analyses, to protect the rights of visitors, to enforce the legitimate interests of the data controller, to improve the technical development of the IT system, to prevent and detect abuse and malicious attacks, to produce statistics – visitor measurements / analyses, to check the correct functioning of the pages.

Legal basis for processing: consent of the data subject (Article 6 (1) (a) GDPR)

Duration of storage of personal data: access logs are stored for 30 days; PHPSESSID cookies are stored until the end of the session. Google Analytics cookies are stored for up to 2 years, depending on their functionality, or until an earlier time if deletion is requested.

For storage beyond this period, the Company will seek the specific consent of the data subject.

The personal data may be accessed by: employees of the Data Controller whose job involves processing the data or whose processing is strictly necessary for the performance of their job.

Personal data will be transferred to the following persons/organisations (data processors):

  • online hosting provider (email system operator): Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) https://policies.google.com/privacy?hl=hu; and Websupport Magyarország Kft., 1132 Budapest, Victor Hugo utca 18-22.;
  • technical support services (system administrator and system monitoring): name: Websupport Magyarország Kft., registered office: 1132 Budapest, Victor Hugo utca 18-22.

Data processing operations carried out by persons having access to personal data: collection, recording, storage, organisation, use, consultation, transmission

Method and circumstances of data processing: paper-based and electronic.

On the website there are links to external sites not operated by the Company on which personal data may also be processed. For information on the processing of personal data on these external sites, the user should consult the information notices on the external site or contact the operator of the external site.

The www.colaw.hu website, like most websites, uses cookies. Cookies are packets of data placed on a user’s computer by the website. They are used to collect anonymous statistical information to improve the functionality and performance of the website and to measure the number of visitors. The use of cookies can be enabled, restricted or possibly disabled in the browser settings. Before changing your settings, please note that some websites can only provide the maximum user experience by using cookies and that the full functionality of the website can only be accessed if cookies are enabled. For information on the most popular browsers and how to manage cookies, please refer to the help and support menu of your browser.

The PHPSESSID cookie identifies the user session on www.colaw.hu.

For more information about Google Analytics cookies, please visit www.google.com/intl/en/policies/privacy. Google Analytics is an application for measuring and generating website traffic statistics. The basic purpose of using Google Analytics cookies is to detect and measure (new) visits, to distinguish between visits and sessions.

  4. Sending a newsletter

Personal data processed: name, e-mail address, date of subscription, IP address at the time of subscription, analytical data related to the sending, delivery and opening of messages (e.g. date and time of activity)

The data subject provides the Data Controller with the data himself by subscribing or opening the newsletter.

Purpose of the processing: identification, enabling subscription to the newsletter, sending newsletters prepared by the Company on its updates, providing information, maintaining contact, carrying out technical operations, compiling statistics

Legal basis for processing: consent of the data subject (Article 6 (1) (a) GDPR)

Duration of storage of personal data: the controller shall store personal data until the data subject’s consent is withdrawn, but for a maximum of 3 years from the date of consent and shall review the personal data at least annually.

For storage beyond this period, the Company will seek the specific consent of the data subject.

The personal data may be accessed by: employees of the Data Controller whose job involves processing the data or whose processing is strictly necessary for the performance of their job.

The following persons/organisations have access to the personal data (as data processors):

– online hosting provider: name: Websupport Magyarország Kft., registered office: 1132 Budapest, Victor Hugo utca 18-22.;

– technical support services (administrator and system monitoring tasks; physical and operating system operation of the data controller’s servers): Websupport Magyarország Kft. (headquarters: 1132 Budapest, Victor Hugo utca 18-22.)

The data controller sends the newsletters using the MailChimp service, which is operated by The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 500, Atlanta, GA 30308 USA (https://mailchimp.com)

There are no other data transfers.

Data processing operations carried out by persons having access to personal data: collection, recording, storage, organisation, use, consultation, transmission

Method and circumstances of processing: electronically

  5. The rights of the data subject

The data subject may request from the Controller:

  • information about the personal data processed (the specific data will be provided by the Data Controller),
  • the right of access to your personal data,
  • rectification of your personal data processed,
  • deletion of his or her personal data processed, except for mandatory processing (with indication of the specific personal data),
  • object to be forgotten,
  • restriction of processing, identification of personal data processed,
  • the right to data portability.

Prior information about the personal data processed:

At the request of the data subject, the controller shall, before the processing starts, provide information to the data subject on at least the following:

  • the identity and contact details of the controller and its representative,
  • the Data Protection Officer and contact details,
  • the purposes for which the personal data are intended to be processed,
  • and the legal basis for the processing,
  • in the case of processing based on legitimate interests, the legitimate interests of the controller or third parties,
  • the recipients of the personal data,
  • in the case of transfers to third countries, an indication of the appropriate and suitable safeguards and a reference to the means of obtaining a copy of the data or their availability.

Where the personal data have not been obtained by the controller from the data subject, the controller shall provide the data subject with at least the following information:

  • the identity and contact details of the controller and its representative,
  • the purposes for which the personal data are intended to be processed and the legal basis for the processing,
  • the categories of personal data concerned,
  • the recipients of the personal data,
  • where applicable, the fact that the controller intends to transfer the personal data to a recipient in a third country or to an international organisation
  • the right of the data subject to obtain from the controller access to, rectification, erasure or restriction of the processing of personal data relating to him or her and to object to the processing of personal data and the right of data portability
  • the source of the personal data and, where applicable, whether the data originate from publicly accessible sources

Right of access of the data subject:

The data subject is entitled to receive feedback on whether his or her personal data are being processed. If so, he or she has the right to access the personal data and the following information:

  • the purposes of the processing,
  • the categories of personal data concerned,
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed (including in particular recipients in third countries or international organisations and the safeguards for such transfers),
  • the duration of the storage of the personal data or, where this is not specifically possible, the criteria for determining the duration,
  • information on the rights of the data subject (rectification, erasure, restriction of processing, objection, lodging a complaint with the data protection/supervisory authority),
  • if the data were not collected from the data subject, information on their source
  • the fact of automated decision-making, including profiling.

The Data Controller shall provide the data subject with a copy of the personal data processed upon request.

For additional copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise. This right to request a copy should not adversely affect the rights and freedoms of others.

Correction of data

If the personal data is not accurate and the accurate personal data is available to the Data Controller, the Data Controller shall correct the personal data without undue delay.

The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.

Objection to the processing of personal data

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data based on Article 6 (1)(e) or (f) of the GDPR, including profiling based on those provisions. In such a case, the controller may no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Right to be erased and forgotten

The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her without undue delay at his or her request, and the controller shall be obliged to erase personal data relating to him or her without undue delay if one of the following grounds applies:

  • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR and there is no other legal basis for the processing;
  • the data subject objects to the processing on the basis of Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing on the basis of Article 21(2) GDPR;
  • the personal data have been unlawfully processed;
  • the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
  • the personal data have been collected in connection with the provision of information society services referred to in Article 8(1).

In the event of the data subject being forgotten, the Controller shall delete the personal data processed from all records at its disposal, shall take measures to make the personal data disclosed inaccessible to the greatest possible extent and shall also delete the personal data from its own backups. The Data Controller shall inform the data subject of the measures taken to ensure the erasure.

If the controller has disclosed the personal data and is obliged to delete it, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the controllers that process the data that the data subject has requested the deletion of the links to or copies or replicas of the personal data in question, inform the data subject of the request and arrange for the deletion of the personal data.

In exceptional cases, the Data Controller may refuse to carry out the erasure if it is necessary for the purposes of exercising the right to freedom of expression and information, if the processing of personal data is required by law, or if the retention of the data is necessary for the performance of other obligations, the establishment, exercise or defence of legal claims, or if the law allows the refusal of the erasure.

Right to restriction of processing

The Controller shall mark the personal data it processes if the data subject contests the accuracy or correctness of the personal data, but the inaccuracy or incorrectness of the contested personal data cannot be clearly established.

The designation must be notified to the data subject and to all those to whom the data were previously disclosed for processing. The notification may be omitted if this does not undermine the legitimate interests of the data subject having regard to the purposes of the processing.

Right of data portability

Where the legal basis for processing is the data subject’s voluntary consent or where the data are necessary for the performance of a contract and the processing is carried out by automated means, the data subject shall have the right to data portability. The data subject may request the disclosure of data relating to him or her which he or she has made available to the controller, or the transfer of data by the controller to another controller.

The data will be provided by the Data Controller in a format that is machine-readable by the data subject or by another organisation receiving the data.

The Data Controller shall be entitled to refuse the transfer of data if the exercise of the right of the data subject would cause a violation of the rights and freedoms of another natural person, or if the processing is necessary for the exercise of tasks in the public interest or the exercise of official authority.

Fulfilling the rights of the person concerned

The controller shall facilitate the exercise of the above rights by the data subject. The controller shall, without undue delay and in any event within one month of receipt of the request, inform the data subject of the measures taken in response to any of the above requests.

If necessary, taking into account the complexity of the application and the number of requests, this deadline may be extended by a further two months. The data controller shall inform the data subject of the extension of the time limit within one month of receipt of the request, stating the reasons for the delay.

Where the data subject has made the request by electronic means, the information shall be provided by electronic means where possible, unless the data subject requests otherwise.

  6. Consequences of unlawful processing and remedies available to the data subject

If the data subject experiences unlawful processing of his or her personal data and the Data Controller causes damage to the data subject, the Data Controller is obliged to compensate the data subject (the data subject may bring an action for damages in court).

The data subject may claim damages from the Data Controller in case of violation of his/her personal rights.

If the data subject experiences unlawful processing of his or her personal data, he or she may lodge a complaint with the National Authority for Data Protection and Freedom of Information (headquarters: 1055 Budapest, Falk Miksa utca 9-11.; mailing address: 1374 Budapest, Pf. 603.; telephone: 06-1-391-1400; fax: 06-1-391-1410; e-mail: ugyfelszolgalat@naih.hu).

The data subject may also take legal action against unlawful processing of his or her personal data. The action may be brought before the courts for the place where the Controller has its registered office or, at the choice of the data subject, the place where the data subject resides or is domiciled.

  7. Final provision

The Data Controller reserves the right to unilaterally amend this Privacy Policy, in particular if required by changes in legislation. This does not imply any processing of personal data for other purposes. The Controller shall notify employees of any changes to this Policy and make the version in force available to them.

9 November 2022, Budapest