Privacy notice (data processing)
Dr. Szakály-Varga Dóra Erika, attorney at law (sole practitioner)
Effective: 1 May 2026.
This privacy notice remains in force until withdrawn. The Controller reserves the right to amend this notice in line with applicable law.
This notice informs visitors about processing related to use of this website (www.szvdugyved.hu) and informs clients about processing related to the provision of legal services.
Controller
Controller: Dr. Szakály-Varga Dóra Erika, attorney at law (sole practitioner)
Registered seat: H-4026 Debrecen, 37 Darabos Street
E-mail: info@szvdugyved.hu
This notice is provided in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR), concerning the protection of natural persons with regard to personal data.
Legal bases for processing
Consent of the data subject (GDPR Article 6(1)(a)).
Performance of the attorney engagement agreement (GDPR Article 6(1)(b)).
Compliance with a legal obligation (GDPR Article 6(1)(c)).
Legitimate interests of the Controller (GDPR Article 6(1)(f)).
Purposes and scope of processing
Processing serves the provision of legal services, performance of mandates and compliance with statutory rules governing attorneys.
As Controller, I process client data as follows:
| Activity | Data subject | Personal data processed | Purpose of processing | Retention period | Legal basis |
|---|---|---|---|---|---|
| Client identification | Client | Surname, given name, mother's name, address, place and date of birth, ID card number, address card number, tax identification number, personal identification number, passport number. | Compliance with a legal obligation — identification of the data subject under the rules governing attorneys' practice. | 5 years after termination of the mandate; 10 years if electronic documents are concerned; 10 years if documents bear countersignature. | GDPR Article 6(1)(c). |
| Customer due diligence | Client and other participants in the procedure | Surname, given name, mother's name, address, place and date of birth, ID card number, address card number, tax identification number, personal identification number, passport number. | Fulfillment of obligations under Act LIII of 2017 on the prevention and combating of money laundering and terrorist financing (AML Act), including identification of the data subject. | 8 years from termination of the mandate or performance. | GDPR Article 6(1)(c). |
| Submission of offers | Person requesting an offer | Surname, given name, telephone number, e-mail address, facts communicated. | Preparation of an offer. | 5 years from receipt of the request. | GDPR Article 6(1)(b). |
| Legal advice | Client, opposing party and other participants | Surname, given name; further data and facts provided in connection with the matter. | Performance of the contract and provision of legal services. | For advisory matters: 5 years after termination of the mandate; 10 years for electronic documents; 10 years if documents bear countersignature. | GDPR Article 6(1)(b). |
| Drafting documents | Client, opposing party and other participants | Surname, given name, ID card number, address card number, tax identification number, address. | Performance of the contract and provision of legal services. | 5 years after termination of the mandate; 10 years for electronic documents; 10 years if documents bear countersignature. | GDPR Article 6(1)(b). |
| Legal representation | Client, opposing party and other participants | Surname, given name, ID card number, address card number, tax identification number, address, place of stay; further data provided during the proceedings. | Performance of the contract and provision of legal services. | 5 years after termination of the mandate; 10 years for electronic documents; 10 years if documents bear countersignature. | GDPR Article 6(1)(b). |
As Controller, I process website visitor data as follows:
Where visitors contact the Controller, personal data voluntarily provided will be processed for communication purposes. The legal basis is consent under GDPR Article 6(1)(a), given by initiating contact.
| Data subject | Personal data processed | Purpose | Retention | Legal basis |
|---|---|---|---|---|
| Visitors contacting via the website | E-mail address, IP address, telephone number, name; other personal data provided by the data subject. | Establishing contact. | 5 years from the contact. | GDPR Article 6(1)(a). |
Security of processing
Personal data may be accessed only by the Controller and persons cooperating personally with the Controller.
IT systems and other storage locations are at the Controller's seat, in paper and electronic form.
The Controller applies appropriate physical, technical and organisational measures to prevent unauthorised third-party access.
Electronically stored data are protected by measures appropriate to the state of the art; personal data are write-protected.
Rights relating to processing
| Right | Description |
|---|---|
| Right to rectification | Upon request, the Controller shall without undue delay rectify inaccurate personal data concerning the data subject. |
| Right of access | The data subject has the right to obtain confirmation as to whether personal data are processed and, where that is the case, access to the data and the information listed in GDPR Article 15(1). |
| Right to erasure (‘right to be forgotten’) | The data subject may obtain erasure without undue delay where grounds under GDPR Article 17 apply, including where data are no longer necessary, objection succeeds, processing was unlawful, or erasure is required by EU or Member State law. |
| Right to restriction of processing | The data subject has the right to obtain restriction of processing where one of the following applies: a) the accuracy of the personal data is contested — restriction applies for a period enabling the Controller to verify accuracy; b) the processing is unlawful and the data subject opposes erasure and requests restriction instead; c) the Controller no longer needs the data for processing purposes but the data subject requires them for legal claims; or d) the data subject has objected to processing — restriction applies until it is verified whether the Controller's legitimate grounds override those of the data subject. |
| Right to object | The data subject may object on grounds relating to his or her situation; the Controller shall no longer process the data unless it demonstrates compelling legitimate grounds overriding interests, rights and freedoms, or processing is necessary for legal claims. |
| Right to data portability | Where processing is based on consent under Article 6(1)(a) or Article 9(2)(a), or on a contract under Article 6(1)(b), and processing is automated, the data subject has the right to receive personal data concerning him or her in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance. When exercising portability, the data subject may where technically feasible request direct transmission between controllers. |
How to exercise your rights
You may submit requests or questions regarding processing by e-mail to info@szvdugyved.hu or by registered mail with acknowledgment of receipt to the postal seat above. The Controller will respond without undue delay and within one month of receipt at the latest; this period may be extended by two further months where necessary due to complexity or number of requests.
If you consider your rights infringed by the Controller or processors, you may bring proceedings before the competent regional court at the Controller's seat or, at your choice, before the court of your habitual residence or place of stay.
You may also lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).
Address: H-1055 Budapest, Falk Miksa utca 9–11.
Postal address: H-1363 Budapest, P.O. Box 9.
Telephone: +36 1 391-1400
E-mail: ugyfelszolgalat@naih.hu
Website: www.naih.hu