Legal Notice

Data Processing Policy

Kristóf Berényi Law Firm (registered office: 2040 Budaörs, Ifjúság utca 18. 1/6.; tax number: 19311391-2-13; telephone number: +36-30-177-16-79; e-mail: office@berenyi-law.hu; hereinafter: Controller) in order to ensure full compliance with the applicable legal provisions, adopts this data processing policy (hereinafter: Policy).

The Controller processes the personal and special category data and information provided by clients in full compliance with the applicable European Union and Hungarian data protection legislation (in particular Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, Act LXXVIII of 2017 on Legal Practice) and other applicable laws. When developing the provisions of the Policy, the Controller paid particular attention to the provisions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: General Data Protection Regulation or GDPR).

Persons visiting the Controller's website (https://www.berenyi-law.hu), or coming into contact with the Controller in any way, and following such contact possibly entering into an engagement (hereinafter: Legal Relationship) (hereinafter: Client), shall be informed by this Policy, prior to the start of the processing, about questions concerning the processing of the personal and special category data voluntarily provided, including the facts related to the processing of the data, the purpose, legal basis, duration of the data processing, the scope of persons authorized to access the personal data, and the data processing. This Policy also covers the Client's rights and legal remedies relating to data processing. The Controller emphasizes that it stores the processed data securely and, upon the Client's request, provides information about the data stored; the Client may request the deletion of the data at any time, free of charge and without justification—unless recording, storage, retention, or transmission is required by law.

1. Controller's details

The controller of the data is the Kristóf Berényi Law Firm
Registered office 2040 Budaörs, Ifjúság utca 18. 1/6.
Registering bar association Bar Association of Pest County
Contact details E-mail: office@berenyi-law.hu Telephone: +36-30-177-16-79

2. Applicable rules

The Controller undertakes to carry out its activities in accordance with the legislation in force at any given time. At the time of adoption of this Policy, these are in particular, but not limited to, the following:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council (27.04.2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information.
  • Act LXXVIII of 2017 on Legal Practice
  • Act C of 2000 on Accounting

3. Definitions

Based on Section 3 of Act CXII of 2011

1. Data subject: any natural person identified or – directly or indirectly – identifiable based on personal data;

2. Personal data: data that can be related to the data subject – particularly the data subject's name, identifier, and one or more pieces of information characteristic of his or her physical, physiological, mental, economic, cultural or social identity – as well as conclusions that can be drawn from the data concerning the data subject;

3. Special category data: (a) Personal data relating to racial origin, membership of a national or ethnic minority, political opinion or party affiliation, religious or other philosophical belief, membership in interest-representation organizations, sexual life; (b) Personal data relating to health status, addiction, as well as criminal personal data;

4. Criminal personal data: personal data related to a criminal offense or criminal proceedings that are generated during or prior to criminal proceedings at bodies authorized to conduct criminal proceedings or uncover criminal offenses, as well as at the penitentiary organization, that can be linked to the data subject, and data concerning a criminal record;

5. Data of public interest: any information or knowledge recorded in any way or form that is processed by, and pertains to the activities of, a body or person performing state or local government tasks, as well as other public tasks defined by law, or that is generated in connection with the performance of public tasks, and does not fall under the concept of personal data, irrespective of the method of processing, and whether independent or collected in a set;

6. Data public on grounds of public interest: all data not falling under the concept of data of public interest for which a law orders public disclosure, accessibility, or availability in the public interest;

7. Consent: the voluntary and definite expression of the data subject's will, based on adequate information, by which the data subject gives unambiguous consent to the processing of personal data relating to him or her – covering all or certain operations;

8. Objection: the declaration of the data subject whereby he or she objects to the processing of his or her personal data, and requests the termination of processing or the erasure of the processed data;

9. Controller: the natural or legal person, or organization without legal personality, who or which, alone or jointly with others, determines the purposes of data processing, makes and implements decisions regarding data processing (including the means used), or has them implemented by the processor commissioned by it;

10. Processing: any operation or set of operations performed on data, regardless of the procedure applied, including in particular collection, recording, registration, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or linking, blocking, erasure and destruction, as well as preventing further use of the data, making photo, sound or image recordings, and recording physical characteristics suitable for identifying the person;

11. Data transfer: making data available to a specified third party;

12. Disclosure: making data available to anyone;

13. Erasure: rendering data unrecognizable in such a way that their restoration is no longer possible;

14. Data marking: the provision of an identifying mark to data for the purpose of distinction;

15. Data blocking: the provision of an identifying mark to data for the purpose of restricting further processing definitively or for a specified period;

16. Data destruction: the complete physical destruction of the data carrier containing the data;

17. Data processing: the performance of technical tasks related to processing operations, regardless of the method and means applied for performing the operations, as well as the place of application, provided that the technical task is performed on the data;

18. Processor: the natural or legal person, or organization without legal personality, who or which, on the basis of a contract concluded with the controller – including contracts concluded pursuant to legal provisions – performs the processing of data;

19. Data owner: the public body that produced the data of public interest to be mandatorily published by electronic means, or in the course of whose operation this data was generated;

20. Data publisher: the public body that – if the data owner does not itself publish the data – publishes on a website the data received from the data owner;

21. Data set: the entirety of data managed in one register;

22. Third party: a natural or legal person, or organization without legal personality, who or which is not identical with the data subject, the controller, or the processor;

23. EEA state: a Member State of the European Union and another state party to the Agreement on the European Economic Area, as well as a state whose nationals enjoy the same status as nationals of a state party to the Agreement on the European Economic Area under an international agreement concluded between the European Union and its Member States and a state not party to the Agreement on the European Economic Area;

24. Third country: any state that is not an EEA state.

4. Principles of data processing

  • The data subject consents to it (pursuant to GDPR Article 6(1)(a)) and, in the case of special category data, pursuant to GDPR Article 9(2)(a))
  • it is necessary for the performance of a contract (GDPR Article 6(1)(b)), or
  • it is required by law or – based on authorization by law, within the scope defined therein – by a local government decree (GDPR Article 6(1)(c)).

For statements by persons lacking legal capacity and minors with limited capacity, the consent of their legal representative is required, except for those parts of the service where the statement aims at registrations that commonly occur in everyday life and require no particular consideration.

Personal and special category data may only be processed for a specified purpose, for exercising a right and for performing an obligation. The processing must comply with this purpose at every stage.

Only personal and special category data that are indispensable for the realization of the purpose of processing and suitable for achieving that purpose may be processed, only to the extent and for the duration necessary to achieve the purpose.

Personal and special category data may only be processed with consent based on appropriate information. The Client must be informed – clearly, comprehensibly, and in detail – of all facts related to the processing of his or her data, in particular the purpose and legal basis of processing, the person authorized to control and process the data, the duration of processing, and who may become acquainted with the data. The information must also extend to the Client's rights and remedies relating to data processing.

The processed personal and special category data must meet the following requirements:

  • Their collection and processing are fair and lawful;
  • They are accurate, complete, and, if necessary, up to date;
  • Their storage method is suitable to identify the data subject only for the time necessary for the purpose of storage. The use of general and uniform personal identifiers is prohibited.

Personal and special category data may be transferred if the data subject has consented thereto or a law permits it. Data transfers to EEA states shall be treated as if the transfer took place within the territory of Hungary.

5. Data processed by the Controller and legal basis

Data Source of data Purpose of processing Legal basis of processing Duration of processing
name Client
  • a) contact
  • b) request for quotation
  • c) appointment booking
  • d) creation of contract
  • e) performance of contract
  • f) invoicing
  • data subject's consent: for purposes a) b) c)
  • performance of contract: for purposes d) e) f)
  • until request for erasure: a) b) c)
  • 5 years after performance of contract: d) e)
  • 8 years as defined by the Accounting Act: f)
  • 5 or 10 years after performance of contract (Legal Practice Act): d) e)
place and date of birth Client
  • a) creation of contract
  • b) performance of contract
 performance of contract: for purposes a) b)
  • 5 years after performance of contract (Civil Code limitation)
  • 5 or 10 years after performance of contract (Legal Practice Act)
mother's name Client
  • a) creation of contract
  • b) performance of contract
 performance of contract: for purposes a) b)
  • 5 years after performance of contract (Civil Code limitation)
  • 5 or 10 years after performance of contract (Legal Practice Act)
tax number, tax identification number Client
  • a) creation of contract
  • b) performance of contract
 performance of contract: for purposes a) b)
  • 5 years after performance of contract (Civil Code limitation)
  • 5 or 10 years after performance of contract (Legal Practice Act)
personal identification number Client
  • a) creation of contract
  • b) performance of contract
 performance of contract: for purposes a) b)
  • 5 years after performance of contract (Civil Code limitation)
  • 5 or 10 years after performance of contract (Legal Practice Act)
special category data Client
  • a) contact
  • b) request for quotation
  • c) creation of contract
  • d) performance of contract
  • performance of contract: a) b) c) d)
  • data subject's consent: a) b) c) d)
  • 5 years after performance of contract
  • 5 or 10 years after performance of contract (Legal Practice Act)
e-mail address Client
  • a) request for quotation
  • b) contact
  • c) appointment booking
  • d) creation and performance of contract
  • e) communication
  • data subject's consent: a) b) c) e)
  • performance of contract: d)
  • until request for erasure: a) b) c) e)
  • 5 years after performance of contract: d)
  • 5 or 10 years after performance of contract (Legal Practice Act): d)
telephone number Client
  • a) contact, communication
  • b) request for quotation
  • c) creation and performance of contract
  • data subject's consent: a) b) c)
  • performance of contract: c)
  • until request for erasure: a) b) c)
  • 5 years after performance of contract: c)
  • 5 or 10 years after performance of contract (Legal Practice Act): c)
residential address Client
  • a) creation of contract
  • b) performance of contract
  • c) invoicing
  • performance of contract: a) b)
  • legal obligation (invoicing): c)
  • 5 years after performance of contract: a) b)
  • 8 years as defined by the Accounting Act: c)
  • 5 or 10 years after performance of contract (Legal Practice Act): a) b)
bank account data (name, number) Client
  • a) creation of contract
  • b) performance of contract
  • c) invoicing
  • d) payment of consideration
 performance of contract: a) b) c) d)
  • 5 years after performance of contract: a) b) d)
  • 8 years as defined by the Accounting Act: c)
  • 5 or 10 years after performance of contract (Legal Practice Act): b) d)

Cookies:

The website uses cookies. A cookie is an alphanumeric information package of variable content sent by the web server, stored on the Client's computer, and retained for a predefined period of validity. The purpose of cookies is to ensure the proper functioning of the website, to provide basic and convenience functions, and they also play a role in increasing the security of the website, developing the website, and creating visitor statistics. Cookies are used only if enabled by the Client's browser. Enabling depends on the settings of the Client's browser. By opening the website, the Client consents to the enabling of cookies.

6. Processors, persons authorized to access personal data

The Controller and the processors engaged by it are authorized to access personal data in accordance with the applicable legislation. The processing of data is performed by the following processors acting on behalf of the Controller:

MORGÓ-Family Bt. (accountant)

  • Registered office: 1161 Budapest, Körvasút sor 30. 2. em. 10. ajtó
  • Company registration number: 01-06-784331
  • Tax number: 23369809-1-42
  • Type of data transferred: client's name, address, bank account data.
  • Purpose of processing: performing accounting tasks.

Magyar Hosting Kft. (hosting service provider)

  • Registered office: 1132 Budapest, Victor Hugo utca 18-22.
  • Company registration number: 01-09-968314
  • Tax number: 23495919-2-41
  • Type of data transferred: client's name, e-mail address
  • Purpose of processing: operation of the messaging system on the Controller's website

The Controller reserves the right to engage additional processors in the future, of which it shall inform the Client by amending this Policy.

7. Rights of the Client

The Client may request the Controller to provide information about the processing of his or her personal data, may request the rectification of his or her personal data, and may request the erasure or blocking of his or her personal and special category data – except for mandatory data processing – as well as data portability. Below is a brief description of the individual rights of the data subject:

Access to personal and special category data

Upon the Client's request, the Controller shall inform the Client whether processing is being carried out in relation to his or her personal data, and shall provide access to the data, making a copy thereof available free of charge. The deadline is one month from the submission of the request.

Rectification of processed data

The Client may request the Controller to rectify inaccurate personal data or to supplement incomplete data, which the Controller shall carry out without undue delay.

Erasure and blocking of processed data

The Client may request the erasure of his or her data if the purpose of processing has ceased, consent has been withdrawn, the Client objects to the processing, or the processing is unlawful (except for mandatory data retention prescribed by law).

Restriction of processed data

The Client is entitled to request the restriction of processing, e.g. in the case of disputing accuracy, or if the processing is unlawful but the Client opposes erasure.

Right to object

The Client may object to the processing of his or her personal data. In such a case, the Controller may no longer process the data, unless compelling legitimate grounds justify it.

8. Data security

The Controller undertakes to ensure the security of the data and to take the technical and organizational measures necessary to ensure that the recorded data are protected.

  • Paper-based data carriers are stored in lockable premises.
  • Computer data carriers are equipped with surge protection.
  • Computer systems are protected by firewalls and antivirus software.
  • The computer user account is password-protected.
  • The Controller has a document shredder.

9. Management and notification of data protection incidents

A data protection incident means the unauthorized access to, alteration or erasure of personal data. The Controller shall, without undue delay and no later than 72 hours after becoming aware thereof, report the incident to the NAIH, unless it does not pose a risk. The Controller shall also inform the data subjects within 72 hours through the Controller's website. A record of incidents shall be maintained for 5 years.

10. Legal remedies

If the Client believes that his or her right to the protection of personal data has been violated, a complaint may be lodged at the following contact details:

National Authority for Data Protection and Freedom of Information (NAIH)

  • Registered office: 1055 Budapest, Falk Miksa utca 9-11.
  • Postal address: 1363 Budapest, Pf.: 9.
  • Telephone: +36 (1) 391-1400
  • Website: https://naih.hu

Judicial enforcement: The case falls within the jurisdiction of the regional court. The action may also be brought before the regional court of the data subject's domicile or habitual residence.

Damages and compensation for non-material harm: In the case of unlawful processing, the data subject may claim compensation for non-material harm. The Controller shall be exempt from liability if the damage was caused by an unavoidable cause beyond the scope of data processing, or if it resulted from the intentional or grossly negligent conduct of the injured party.

This Data Processing Policy version v2.0 is effective from 01 March 2026.