Facebook

Privacy policy

Kecser ügyvédi iroda

Last modified 13 March 2026.

1, GENERAL INFORMATION

 Kecser Law Office (hereinafter collectively referred to as „Law Firm” or „Data Controller”) with their principals and contractors and their representatives, contacts and other persons to whom this privacy notice („Factsheet”) (collectively: „person(s) concerned”) in relation to the EU General Data Protection Regulation 2016/679 („GDPR”) Article 4(1) states that „personal data” are handled.

This Notice provides information on the processing of these personal data and on the rights and remedies of data subjects in relation to data processing.

Contact details of the Law Office:

The Law Office is located at 1097 Budapest, Nádasdy utca 12, 6th floor. 613.

The Bar Association registration number: 4549

The Law Office is registered with the Budapest Bar Association

The email address of the Law Office is: gyorgy@kecser.com 

The representative and contact details of the Law Firm are Dr. György Kecser, attorney-at-law, see above.

The website of the Law Firm: https://kecser.com/ (“Website”).

Website operated by the Law Firm.

What data is personal data?

Personal data is any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For example, personal data include the name, e-mail address of the data subject (e.g. a client/client, opponent or contractual partner representative), or data relating to the engagement of a particular client (e.g. the fact and nature of the engagement). In addition, the rules on legal professional privilege apply to data relating to the engagement of a lawyer, including non-personal data.

Which personal data fall into special categories of personal data?

Special categories of personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic or biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons.

Who can be considered as affected?

In particular, but not exclusively, the Law Firm may process the data of the following natural persons:

  • the potential client (principal), its agents, representatives, contact persons
  • the applicant, its agents, representatives, contact persons
  • customer (client)
  • natural persons related to the client (principal) (e.g. relative, representative, agent, contact person, beneficial owner)
  • any other natural person appearing in proceedings relating to the subject matter of the mandate (e.g. opposing party, legal representative)
  • a person attending or registering for an event organised by the Law Firm
  • the person requesting the Law Firm and his/her representatives, agents, contacts
  • Act CLXV of 2013 on complaints and notifications of public interest („Complaint.”), the whistleblower contacting the Law Firm and the person concerned by the whistleblowing (whose conduct or omission gave rise to the whistleblowing or who may have material information about the facts contained in the whistleblowing).

 This Privacy Notice does not include information about the processing of personal data of employees or applicants for the positions advertised by the Law Firm.

The role of the Law Firm in relation to data management:

A controller is a natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, and where the purposes and means of processing are determined jointly by two or more controllers, they are referred to as joint controllers and joint controllers. The controller is primarily responsible for the processing and the joint controllers are jointly and severally liable, i.e. the data subject can enforce his or her rights against any of the joint controllers.

A processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. A processor shall be liable for damage caused by processing only if it has failed to comply with the obligations specifically imposed on processors by the GDPR or other mandatory legal provisions or if it has disregarded or acted contrary to lawful instructions from the controller.

The Law Firm acts as an independent data controller, and data subjects may send their data protection requests to the Law Firm that is the data controller using the contact details of that Law Firm as set out in this Notice. 

It is also emphasized that the Law Firm is not a joint controller with its clients, nor, except in exceptional cases where the Law Firm carries out an additional activity in addition to its legal practice, a processor of the clients or of another person, but acts as an independent controller as described in this Notice. In exceptional cases where the Law Firm would be a data processor of the client, the relevant client as data controller will provide information to the data subjects as agreed with the Law Firm or Law Firm, and in cases where the Law Firm would act as a joint data controller with another person, the joint data controllers will prepare and provide a separate privacy notice to the data subjects.

2, UPDATING AND AVAILABILITY OF THE PROSPECTUS

 The Law Firm reserves the right to unilaterally amend this Policy, with effect from the date of amendment, subject to the restrictions set out in the applicable legislation, if necessary by informing the data subjects in due time in advance.

In particular, this Notice may be amended if necessary due to changes in legislation, data protection authority practices, business needs, new data processing purposes, newly identified security risks or feedback from data subjects. When communicating with data subjects in relation to this Notice or data protection issues, or otherwise in contact with data subjects, the Law Firm may use the contact details of the data subjects available to the Law Firm for contact and communication purposes. For example, upon request, the Law Firm may provide data subjects with a copy of the current version of the Notice or confirm that the data subject has read the Notice.

3, SPECIFIC DATA PROTECTION CONDITIONS

In the course of its data processing activities, the Law Firm is obliged to comply with the legal obligations provided for in the following legislation and regulations of the Bar Association, in addition to its other legal obligations:

  • Pmt.” - Act LIII of 2017 on the Prevention and Suppression of Money Laundering and Terrorist Financing.
  • Lawyers Act” or „Üttv.” - Act LXXVIII of 2017 on the Activities of Lawyers.
  • Accounting Law” or „Svt.” - Act C of 2000 on Accounting.
  • Art.” - Act CL of 2017 on the Rules of Taxation. The data supporting the tax documents must be kept by the Law Firm
  • Infotv.” - Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information.
  • GDPR.
  • Act LII of 2017 on the implementation of financial and property restrictive measures imposed by the European Union and the UN Security Council.
  • the Chamber's regulations, in particular Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing and Act LII of 2017 on the Implementation of Financial and Asset Restriction Measures by the European Union and the United Nations Security Council, on the fulfilment of obligations, risk assessment, supervisory procedures and guidelines.

These laws and chambers' regulations provide detailed and comprehensive definitions of operations that involve the processing of personal data. The present Notice also aims to describe these processing operations in a clear and comprehensible manner, but for reasons of space it is not possible to describe certain detailed rules, except in the form of a brief description or by reference to the relevant legal provisions, to the extent required to provide the data subject with clear information. The details of the processing operations as defined by the above rules and of any other processing operations can be obtained from the Law Firm at the above contact details or by contacting the Law Firm in person (for example, when carrying out a personal customer identification).

The Law Firm obtains any personal data concerning the client of the Law Firm primarily from the client - voluntary disclosure by the client - or from a third party with respect to the client - the client and/or a third party authorized to disclose data by law. The source of the data processed by the Law Firm may also be, for example, a public register, a court, a public authority or any other data subject.

If a person is not individually entitled to provide personal data, he or she must obtain the consent of the third party (e.g. a legal representative, guardian or other person on whose behalf he or she is acting) or provide another appropriate legal basis for providing the data and comply with any other data protection and data security requirements. In this context, the person providing the data must consider whether the consent of a third party is necessary in the context of the provision of the personal data. It may be the case that the law firm will not have any personal contact with the data subject, in which case compliance with this point must be ensured by the person providing the data subject's data. Notwithstanding the above, the Law Firm shall at all times be entitled to verify whether the legal basis for the processing of personal data is available. For example, where the person providing the data is acting on behalf of a third party, the Law Firm is entitled to request the power of attorney and/or the appropriate consent of the data subject to the processing in question.

4, DESCRIPTION OF THE PROCESSING OPERATIONS - THE SCOPE OF THE DATA PROCESSED BY THE LAW FIRM, THE PURPOSES OF THE PROCESSING, THE LEGAL BASIS FOR THE PROCESSING AND THE DURATION OF THE PROCESSING

The scope of the data processed by the Law Firm, the purposes of the processing, the legal basis for the processing, the duration of the processing and other circumstances of the processing are described in detail in the table at the end of the prospectus.

If a processing purpose is necessary for the purposes of the legitimate interests pursued by the Law Firm or a third party, the interest balancing test used to determine the legitimate interest will be made available by the Law Firm upon request to one of the contact details above.

The Law Firm expressly draws the attention of the data subject to the fact that he or she has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the basis of legitimate interest. In such a case, the Law Firm will no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

The primary purpose of the processing of personal data relating to the client and third parties in connection with the mandate of the Law Firm is the fulfilment of the mandate and the instructions of the client of the Law Firm, as well as any directly related operations for this purpose and in the interests of the client, and the compliance of the client with the relevant legal requirements, including the fulfilment of the decision of the person, entity or public body entitled to issue an official, judicial or other mandatory normative act.

The duration of each data processing is basically determined on the basis of the Lawyers Act and the applicable rules of the Bar Association, as well as the following legislation:

  • Art. - the data supporting tax documents shall be kept by the Law Firm for 5 years from the last day of the calendar year in which the tax should have been declared, reported or notified, or in the absence of declaration, reporting or notification, the tax should have been paid (Art.
  • Ptk.” - Act V of 2013 on the Civil Code. If the period of processing is the limitation period for the enforcement of a claim, the act interrupting the limitation period extends the period of processing until the new date of the limitation period (Civil Code. 6:25 (2)). In the event of the expiry of the limitation period, the (civil law) claim may be enforced within a period of one year from the date of the removal of the obstacle - three months if the limitation period is one year or less - even if the limitation period has already expired or is less than the above period (Civil Code, Art. 6:24. § (2)).
  • The data retention period for accounting documents is 8 years (§§ 168-169 of the Accounting Act).
  • According to the Pmt., the data retention period is 8 years from the termination of the „business relationship” or the execution of the „transactional order”. According to Section 3 (44) of the Pmt., a transaction is a transaction between the client and the service provider which is a case-by-case legal relationship for the use of services within the scope of the professional activities of the service provider (including the activities of the law firm as a lawyer) as specified in Section 1 (1) (a) to (e), (g) to (h) and (j) to (r). A business relationship shall be deemed to be, inter alia, according to Article 3(45) of the Pmt., „a) a lasting legal relationship entered into between the client and the service provider by means of a contract for the provision of services falling within the scope of professional activities (including the activities of a law firm) specified in points (a) to (e), (g) to (h) and (j) to (r) of Article 1(1).

 

5, DATA PROCESSORS

The Law Firm uses the following contractual partners to carry out tasks related to data processing operations. The contracted partner acts as a so-called „data processor”: it processes the personal data specified in this Notice on behalf of the Law Firm.

The Law Firms may only use data processors that offer adequate guarantees, in particular in terms of expertise, reliability and resources, to implement technical and organisational measures to ensure compliance with the requirements of the GDPR, including the security of data processing. The specific tasks and responsibilities of the processor shall be governed by the contract between the law firm and the processor. After the processing has been carried out on behalf of the Law Firm, the processor shall, at the choice of the Law Firm, return or delete the personal data, unless the storage of the personal data is required by the applicable Union or Member State law.

6, TRANSFERS TO OTHER DATA CONTROLLERS

 The Law Firm transfers personal data to the following additional data controllers. These entities act as data controllers, i.e. they may, individually or jointly with others, determine the purposes for which personal data are processed, take and implement decisions regarding the processing (including the means) or have them implemented by a processor they use.

Recipients of the transfer: law firms, individual lawyers, European Community lawyers and consultants, substitute lawyers, other experts cooperating with the Law Firm on a case.

 Activity: the provision of legal, European Community legal or other advisory assistance and, where appropriate, expertise.

Legal basis for the transfer: Article 6(1)(f) GDPR (legitimate interest of the law firm or third parties, in particular the client (principal) concerned). The law firm has a legitimate interest in seeking the assistance of law firms, individual lawyers, European Community lawyers or other advisers where necessary to provide expert or other specialist advice. This is also, by analogy, in the legitimate interest of the client (the client) interested in the case in question, given that the mandate could not be carried out or could not be carried out properly without such interest. The contracting partners will be informed of the identity and, where necessary, the qualifications of other law firms, individual lawyers, European Community lawyers and consultants, taking into account the specificities of the relationship, and the law firm will take the contracting partners' requests into account as far as possible when selecting such persons.

In addition to the above, the following service providers have access to the data of the data subjects in relation to the use of the following solutions:

  • For Outlook, OneDrive, Office and Microsoft Teams, Microsoft acts as the data processor for the Law Firm. Microsoft's Data Protection Officer can be contacted at Microsoft EU Data Protection Officer, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, DP18 P521, Ireland, telephone +353 (1) 706-3117. We also emphasise that Microsoft's contractual terms and conditions for certain services and users include Standard Contractual Clauses that provide adequate safeguards for data transfers to third countries outside the European Union. You can ask questions about Microsoft's data practices on the following page: Ask questions about Microsoft's privacy practices. You can also find more information on the following pages: Microsoft Privacy StatementProtect your personal data with Microsoft cloud services.

7, DATA SUBJECTS' DATA PROTECTION RIGHTS AND REMEDIES

7.1 Data protection rights and remedies

The data subjects' data protection rights and remedies are set out in detail in the relevant provisions of the GDPR (in particular Articles 15, 16, 17, 18, 19, 20, 21, 22, 77, 78, 79, 80 and 82 of the GDPR). The following summary contains the most important provisions and the Law Firm will inform data subjects accordingly about their rights and remedies in relation to data processing. The Law Firm also draws the attention of data subjects to the exercise of their right to object (see point 7.8).

The information must be provided in writing or by other means, including electronic means where appropriate. Information may also be provided orally at the request of the data subject, provided that the identity of the data subject has been verified by other means.

Without undue delay, but in any event within one month of receipt of the data subject's request to exercise his or her rights (see Articles 15-22 GDPR), the Law Firm will inform the data subject of the measures taken in response to his or her request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Law Firm shall inform the person concerned of the extension, stating the reasons for the delay, within one month of receipt of the request. If the person concerned has made the request by electronic means, the information shall, as far as possible, be provided by electronic means, unless the person concerned requests otherwise.

If the Law Firm does not take action on the request of the data subject, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to act and of the possibility to lodge a complaint with a supervisory authority and to exercise his or her right to judicial remedy.

7.2 Right of access of the data subject

The data subject is entitled to receive feedback from the Law Firm on whether his or her personal data are being processed. If such processing is ongoing, the data subject is entitled to access to the personal data and the following information:

  1. the purposes of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipients to whom the personal data have been or will be disclosed by the Law Firm;
  4. where applicable, the envisaged period of storage of the personal data or, if this is not possible, the criteria for determining that period;
  5. the data subject's right to request the Law Firm to rectify, erase or restrict the processing of personal data concerning him or her and to object to the processing of such personal data;
  6. the right to lodge a complaint with a supervisory authority;
  7. if the data were not collected from the data subject, any available information on their source;
  8. the fact of automated decision-making, including profiling, and, at least in these cases, the logic used and clear information on the significance of such processing and its likely consequences for the data subject.

If personal data are transferred to a third country or an international organisation, the data subject has the right to be informed of the information and appropriate safeguards regarding the transfer.

The Law Firm will provide the data subject with a copy of the personal data processed. For additional copies requested by the data subject, the Law Firms may charge a reasonable fee based on the administrative costs. Where the data subject has made the request by electronic means, the information shall be provided in a commonly used electronic format, unless the data subject requests otherwise.

The data subject may exercise his or her right of access within the limits of the obligation of legal professional privilege.

The Law Firm emphasises that it does not use automated decision-making and does not profile data subjects from the data available. Should automated decision-making or profiling nevertheless take place in the future, the Law Firm will inform the data subjects by means of an amendment to this Notice or by means of a separate communication in accordance with the GDPR and other applicable legal provisions.

 

7.3 Right to rectification

The data subject shall have the right to obtain from the Law Firm the rectification of inaccurate personal data relating to him or her without undue delay at the request of the data subject. The data subject shall also have the right to request that incomplete personal data be completed, inter alia, by means of a supplementary declaration.

7.4 Right to erasure („right to be forgotten”)

The data subject shall have the right to obtain, at his or her request and without undue delay, the erasure of personal data concerning him or her by the Law Firm, if one of the following grounds applies:

  1. the personal data are no longer necessary for the purposes for which they were collected or otherwise processed by the Law Firm;
  2. the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
  3. the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
  4. the personal data have been unlawfully processed;
  5. the personal data must be deleted in order to comply with a legal obligation under EU or Member State law applicable to the Law Firm; or
  6. personal data are collected in connection with the provision of information society services.

 

If the Law Firm has disclosed the personal data and is obliged to delete them as described above, it will take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform the data controllers that the data subject has requested the deletion of the links to or copies of the personal data in question.

 

The above provisions of this point shall not apply where the processing is necessary, inter alia:

  1. to exercise the right to freedom of expression and information;
  2. for the purposes of complying with an obligation under EU or Member State law that requires the processing of personal data applicable to the Law Firm;
  3. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right of erasure would be likely to render such processing impossible or seriously jeopardise it; or
  4. to bring, enforce or defend legal claims.

7.5 Right to restriction of processing

The data subject is entitled to have the processing limited by the Law Firm at his or her request if one of the following conditions is met:

  1. the data subject contests the accuracy of the personal data, in which case the limitation applies for the period of time that allows the Law Firm to verify the accuracy of the personal data;
  2. the data processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;
  3. the Law Firm no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
  4. the data subject has objected to the processing; in this case, the restriction applies for the period until it is established whether the legitimate grounds of the law firm prevail over those of the data subject.

Where processing is restricted pursuant to the preceding paragraph of this point, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

The Law Firm shall inform in advance the data subject, at whose request it has restricted the processing on the basis of the above, of the lifting of the restriction.

7.6 Obligation to notify the rectification or erasure of personal data or restriction of processing 

The Law Firm will inform all recipients of any rectification, erasure or restriction of processing to whom or with which the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. Upon request, the data subject will be informed by the Law Firm of these recipients.

7.7 Right to data portability 

The data subject has the right to receive personal data concerning him or her which he or she has provided to the Law Firm in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without the Law Firm's hindrance, if:

  1. the processing is based on consent or on a contract; and
  2. the processing is carried out by automated means.

In exercising the right to data portability as set out above, the data subject has the right to request, where technically feasible, the direct transfer of personal data between data controllers (such as the Law Firm and other data controllers).

The exercise of the right to data portability must not infringe the provisions on the right to erasure („right to be forgotten”) and must not adversely affect the rights and freedoms of others.

7.8 The right to object 

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data on the basis of legitimate interest, or on grounds of public interest or necessary for the performance of a task carried out in the exercise of official authority vested in the Law Firm. In this case, the personal data shall no longer be processed by the Law Firm, unless it is proved that the processing is justified by compelling legitimate grounds which override the interests, rights and freedoms of the data subject or are related to the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data relating to him or her for such purposes.

If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for these purposes.

 In the context of the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means based on technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

7.9 Right to lodge a complaint with a supervisory authority 

The data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes the provisions of the GDPR. For more information on the competent supervisory authorities in each Member State on the website of the European Data Protection Board by clicking here find. The competent supervisory authority in Hungary is the National Authority for Data Protection and Freedom of Information (website: http://naih.hu/; address: 1055 Budapest, Falk Miksa utca 9-11.; postal address: 1363 Budapest, Pf. 9.; telephone: +36-1-391-1400; fax: +36-1-391-1410; e-mail: ugyfelszolgalat@naih.hu).

7.10 Right to an effective judicial remedy against the supervisory authority 

The data subject has the right to an effective judicial remedy against a legally binding decision of the supervisory authority concerning him or her.

The data subject has the right to an effective judicial remedy if the competent supervisory authority does not deal with the complaint or does not inform the data subject within three months of the procedural developments concerning the complaint or the outcome of the complaint.

Proceedings against the supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

7.11 Right to an effective judicial remedy against the Law Firm 

Without prejudice to the administrative or non-judicial remedies available, including the right to lodge a complaint with a supervisory authority, the data subject has the right to an effective judicial remedy if he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in a way that does not comply with the GDPR.

Proceedings against the Law Firm must be brought before the courts of the Member State where the Law Firm is established (Hungary). Such proceedings may also be brought before the courts of the Member State of habitual residence of the person concerned. In Hungary, such proceedings fall within the jurisdiction of the court of law. The action may also be brought, at the option of the person concerned, before the competent court of the place of residence or domicile. You can find out the jurisdiction and contact details of the courts (tribunals) on the following website: www.birosag.hu.

7.12 Charging a reasonable fee for providing the requested information or taking the requested action or refusing to act on the request 

The Law Firm shall provide information (pursuant to Articles 13 and 14 GDPR) and the exercise of data subjects' rights (Articles 15-22 GDPR) in relation to the processing of personal data and the information and action to be taken in relation to the notification of a personal data breach (pursuant to Article 34 GDPR) free of charge. However, if the data subject's request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Law Firm shall, subject to the administrative costs of providing the information or information requested or of taking the requested action:

  1. charge a reasonable fee, or
  2. may refuse to act on the request.

The burden of proving that the request is manifestly unfounded or excessive lies with the Law Firm.

8, SÜTIK 

 For more information about the cookies used on the Website and the terms of use of the Website, please refer to the Website Cookie Notice.

Detailed information notice for certain processing operations in tabular form