PRIVACY NOTICE

This privacy notice (hereinafter referred to as “Privacy Notice”) describes the data processing activities of

Dr. Peter Rostas Law Firm
(address: H-1134 Budapest, Váci út 47/E; tax number: 18753002-2-41;
e-mail address: info@rostaslegal.com; hereinafter referred to as:
“Law Firm” or “Controller”)

in relation to the operation of the website www.rostaslegal.com (hereinafter “Website”) with respect to the personal data of data subjects. Furthermore, this Privacy Notice includes information on the data subjects’ rights and remedies in connection with the Law Firm’s data processing.

I. EXTRACT

This Section I of the Privacy Notice contains an extract of the main components of the data processing activities in relation to the operation of the Website. More detailed information is provided in Section II below.

The Law Firm carries out its data processing for purposes such as responding to inquiries from interested parties in the context of establishing contact and client correspondence, distinguishing between them, and ensuring traceability; monitoring the operation of the Website and preventing abuse.

The legal basis for the processing for the above purposes is the legitimate interests of the Controller (in the case of maintaining contact or server logging).

The personal data processed by the Law Firm include, in particular, the name and e-mail address provided when contacting the Law Firm, as well as other personal data included in the messages, and the IP address logged by the server.

The Law Firm’s data processor is Rackforest Zrt. (1132 Budapest, Victor Hugo utca 11. 5. em. B05001. ajtó), which provides web hosting services.

The Law Firm does not use cookies on the Website.

The data subject shall have the right to obtain from the Law Firm access to, rectification, erasure or restriction of processing of personal data concerning them, to object to the processing of such personal data and to obtain the personal data concerning the data subject and to have them transmitted to another controller (right to data portability).

The data subject may request the deletion or modification of personal data by sending an e-mail to info@rostaslegal.com. In the event of a breach of their rights, the data subjects may take legal action against the Controller at a court (competent according to the defendant’s registered office or the place of residence of the data subject, at the data subject’s discretion). Complaints may also be lodged with the National Authority for Data Protection and Freedom of Information (address: H-1055 Budapest, Falk Miksa utca 9-11.; telephone: +36 (1) 391-1400; e-mail: ugyfelszolgalat@naih.hu).

II. DETAILED NOTICE

Data protection guidelines relating to the Law Firm’s data processing are available on an ongoing basis at https://www.rostaslegal.com/privacy-notice. The Controller reserves the right to change this Privacy Notice at any time. The Law Firm will of course notify the data subjects of any changes in due time.

The Law Firm is committed to protecting the personal data of the visitors of the Website and attaches the utmost importance to respecting the visitors’ right to informational self-determination. The Law Firm keeps personal data confidential and takes all security, technical and organizational measures to ensure the security of the data.

The Law Firm describes in detail below its data processing practices in relation to the operation of the Website:

1. THE SPECIFIC PROCESSING OPERATIONS CARRIED OUT BY THE CONTROLLER

The Law Firm sets out below its data processing principles in relation to each of its processing operations, the expectations it has set and adheres to in relation to itself as a controller. Its data processing principles are in line with the applicable data protection legislation, in particular the following:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “General Data Protection Regulation” or “GDPR”);
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Information Act”).

1.1. Logging on the rostaslegal.com server

When visiting the Website, the web server automatically logs the visitors’ activity.

The purpose of the data processing: when visiting the Website, the Controller records visitor data in order to monitor the operation of the services and prevent abuse.

Legal basis for processing: the Controller has a legitimate interest in identifying users and preventing abuse [Article 6(1)(f) GDPR].

Type of personal data processed: identification number, date and time of visit, address of the page visited and the previously visited page, IP address of the user’s computer.

Duration of processing: thirty days.

Data processor:

Name: Rackforest Zrt.
Registered seat: H-1132 Budapest, Victor Hugo utca 11. 5. em. B05001. ajtó
Processing task: Web Hosting Service

In order to provide a personalized service, website operators place a small data package, known as a cookie, on the user’s computer and read it back during subsequent visits. If the user’s browser returns a previously saved cookie, the controller has the option of linking the user’s current visit to previous visits, but only in terms of its own content.

In terms of functions, we can distinguish between cookies that are essential for the operation of a website and non-essential cookies which, in terms of their purpose, may be statistical cookies (collecting technical data not necessary for immediate operation, used for future development of the service or measuring visitor numbers, etc.) or marketing cookies (tracking, advertising-related, etc.).

The Law Firm does not use any type of cookies on the Website.

1.3. Contact

If you wish to contact the Law Firm, you may do so by using the contact details provided in this Privacy Notice or by filling in the Contact Form on the Website. The Law Firm will delete all messages received, together with the sender’s name, e-mail address, date, time and other personal data provided in the message, after a maximum of two years from the date of disclosure.

The purpose of the processing: to answer questions from interested parties, to distinguish between them and to ensure traceability.

Legal basis for processing: the Controller has a legitimate interest in answering the questions of the interested parties, distinguishing between them and ensuring traceability [Article 6(1)(f) GDPR].

The data processed include: name, e-mail address, date, time and other personal data provided in messages.

Duration of data processing: two years.

Possible consequences of not providing the data: the data subject will not be able to contact the Controller.

1.4. Other data processing

Any processing not listed in this Privacy Notice will be disclosed at the time of collection.

Data subjects are informed that the Law Firm may be contacted by the courts, prosecutors, investigating authorities, law enforcement authorities, administrative authorities, the National Authority for Data Protection and Freedom of Information or other bodies authorized by law to provide information, data, or documents.

The Law Firm shall disclose to the authorities – provided that the authorities have indicated the precise purpose and scope of the data – personal data only in the quantity and to the extent strictly necessary for the purpose of the request.

2. METHODS OF STORAGE OF PERSONAL DATA, SECURITY OF PROCESSING

The Law Firm shall implement appropriate technical and organizational measures to ensure a level of data security appropriate to the scale of the risk, taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing and the varying degrees of probability and severity of the risk to the rights and freedoms of natural persons.

The Law Firm shall select and operate the IT tools used for the processing of personal data in the provision of the service in such a way that the data processed:

      • is accessible to those authorized to access it (availability);
      • its authenticity and authentication are guaranteed (authenticity of processing);
      • its integrity can be verified (data integrity);
      • is protected against unauthorized access (data confidentiality).

The Law Firm shall take appropriate measures to protect the data against, in particular, unauthorized access, alteration, disclosure, publication, erasure or wipeout, accidental destruction, damage or loss, and inaccessibility resulting from changes in the technology used.

In order to protect the data files managed electronically in its various registers, the Law Firm shall ensure, by appropriate technical means, that the data stored cannot be directly linked and attributed to the data subject, except where permitted by law.

The Law Firm shall ensure the security of data processing, taking into account the state of the art, by technical and organizational measures which provide a level of protection appropriate to the risks associated with the processing.

In the course of processing, the Law Firm shall keep

      • confidentiality (protecting information so that only those have access to it who are authorized to do so);
      • integrity (protecting the accuracy and completeness of the information and the method of processing);
      • availability (ensuring that when authorized users need it, they can actually access the information and have the means to do so).

The Law Firm’s and its partners’ IT systems and networks are protected against computer fraud, espionage, sabotage, vandalism, fire and flood, computer viruses, computer intrusions and denial of service attacks. The operator ensures security through server-level and application-level protection procedures.

Please be informed that electronic messages transmitted over the Internet, regardless of the protocol (e-mail, web, ftp, etc.), are vulnerable to network threats that could lead to fraudulent activity, contract disputes, or disclosure or modification of information. The Controller will take all reasonable precautions to counter such threats. It shall monitor systems in order to record any security discrepancies and provide evidence of any security incidents. System monitoring also allows the effectiveness of the precautions taken to be verified.

The Law Firm, as controller, keeps a record of any data breaches, indicating the facts related to the data breach, its effects and the measures taken to remedy it.

The Law Firm shall notify a potential data protection incident to the National Authority for Data Protection and Freedom of Information, if possible, without delay, but no later than 72 hours after the data protection incident has come to its attention, unless the data protection incident is unlikely to pose a risk to the rights and freedoms of natural persons.

3. DATA SUBJECTS’ RIGHTS, REMEDIES

The data subject may request information on the processing of his or her personal data, and may request the rectification, erasure, withdrawal or restriction of processing of his or her personal data, except for mandatory processing, and exercise his or her rights of retention and objection as indicated when the data were collected, at the above contact details of the Controller.

3.1. Right to information

At the request of the data subject, the Law Firm shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 of the GDPR and all the information referred to in Articles 15 to 22 and 34 of the GDPR concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language.

3.2. Right of access by the data subject

The data subject shall have the right to obtain from the Controller feedback as to whether or not his or her personal data are being processed and, where such processing is taking place, the right to access the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipients to whom or with which the personal data have been or will be disclosed, including in particular recipients in third countries or international organizations; (d) the envisaged period of storage of the personal data; (e) the right to rectification, erasure or restriction of processing and the right to object; (f) the right to lodge a complaint with a supervisory authority; (g) information on the data sources; (h) the fact of automated decision-making, including profiling, and clear information on the logic used and the significance of such processing and the likely consequences for the data subject.

In the event of a transfer of personal data to a third country outside the European Union (EU) and/or European Economic Area (EEA) or an international organization, the data subject is entitled to be informed of the appropriate safeguards for the transfer.

The Law Firm shall provide the data subject with a copy of the personal data which are the subject of the processing. For additional copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. Upon the data subject’s request by electronic means, the Law Firm shall provide the information in a commonly used electronic format, unless the data subject requests otherwise.

Upon request, information may also be provided orally to the data subject, following a credible proof of identity and identification.

The right to information may be exercised in writing via the contact details of the Controller:
Name: Dr. Péter Rostás Law Firm
Address: H-1134 Budapest, Váci út 47/E
E-mail: info@rostaslegal.com

3.3. Right to rectification

The data subject may request the rectification of inaccurate personal data relating to them processed by the Law Firm and the completion of incomplete data.

3.4. Right to erasure

The data subject shall have the right to obtain, upon request and without undue delay, the erasure of personal data relating to them where one of the following grounds applies:

      • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
      • the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
      • the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
      • the personal data have been unlawfully processed;
      • the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
      • the personal data have been collected in connection with the provision of information society services.

The erasure of the data cannot be initiated if the processing is necessary: (a) for the exercise of the right to freedom of expression and information; (b) for compliance with an obligation under Union or Member State law to which the controller is subject and which requires the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) on grounds of public interest in the field of public health; (d) for archiving purposes, scientific or historical research purposes or statistical purposes in the public interest; or (e) for the establishment, exercise or defense of legal claims.

3.5. Right to restriction of processing

At the request of the data subject, the Law Firm will restrict processing if one of the following conditions is met: (a) the data subject contests the accuracy of the personal data, in which case the restriction shall be for a period of time which allows the accuracy of the personal data to be verified; (b) the processing is unlawful and the data subject opposes the erasure of the data and requests instead that the use of the data be restricted; (c) the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defense of legal claims; or (d) the data subject has objected to the processing, in which case the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller override the legitimate grounds of the data subject.

Where processing is subject to restriction, personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the European Union or of a Member State.

The Law Firm shall inform the data subject in advance of the lifting of the restriction on processing.

3.6. Right to data portability

The data subject has the right to receive personal data relating to them which they have provided to the Controller in a structured, commonly used, machine-readable format and to transmit such data to another controller, provided that the processing is based on consent or on a contract and that the processing is carried out by automated means.

3.7. Right to object

The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data under Sections 1.1 and 1.3 of this Privacy Notice if they consider that the Controller is processing their personal data in a way that is incompatible with the purposes for which it is collected. The Controller shall examine the lawfulness of the data subject’s objection and, if the objection is justified, shall terminate the processing and block the personal data processed and shall notify the objection and the action taken on it to all those to whom the personal data concerned by the objection have been disclosed.

In the event of an objection, the Controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such purposes, including profiling, where it is related to direct marketing.

In the event of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed by the Law Firm for such purposes.

3.8. Automated decision-making in individual cases, profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. However, this right shall not apply where the processing is: (a) necessary for entering into, or the performance of, a contract between the data subject and the Controller; (b) permitted by Union or Member State law applicable to the Controller which also lays down appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or (c) based on the data subject’s explicit consent.

3.9. Right to withdraw consent

The data subject shall have the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

3.10. Procedural rules

The Controller shall inform the data subject of the action taken on the request pursuant to Articles 15 to 22 of the GDPR without undue delay and in any event within one month of receipt of the request. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months.

The Controller shall inform the data subject of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request. Where the data subject has made the request by electronic means, the information shall be provided by electronic means, unless the data subject requests otherwise.

If the Controller does not act on the data subject’s request, the data subject shall be informed without delay and at the latest within one month of receipt of the request of the reasons for the non-action and of the possibility for the data subject to lodge a complaint with a supervisory authority and to exercise their right of judicial remedy.

The Controller shall provide the requested information and notification free of charge. Where the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive nature, the Controller may, taking into account the administrative costs of providing the information requested or of taking the action requested, charge a reasonable fee or refuse to act on the request.

The Controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. The Controller shall inform the data subject, at their request, of these recipients.

The Controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For additional copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. If the data subject has made the request by electronic means, the information shall be provided in electronic format, unless the data subject requests otherwise.

3.11. Damages and compensation

Any person who has suffered pecuniary or non-pecuniary damage as a result of a breach of the General Data Protection Regulation shall be entitled to receive compensation from the Controller or the processor for the damage suffered. A processor shall only be liable for damage caused by the processing if it has failed to comply with the obligations expressly imposed on processors by law or if it has disregarded or acted contrary to lawful instructions from the Controller.

Where more than one controller or more than one processor, or both controller and processor, are involved in the same processing and are liable for the damage caused by the processing, each controller or processor shall be jointly and severally liable for the total damage.

The controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

3.12. Right to apply to the courts

The data subject may bring an action against the Controller for infringement of their rights in court (competent according to the defendant’s registered office or the place of residence of the data subject, at the data subject’s discretion). The court shall decide on the case out of turn. Legal proceedings relating to the protection of personal data shall be free of charge.

3.13. Procedure before the Data Protection Authority

Complaints can be lodged with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information
Registered office: 9-11, Falk Miksa Street, 1055 Budapest, Hungary.
Address for correspondence: 1363 Budapest, Pf. 9.
Phone: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu

4. AMENDMENT OF THE PRIVACY NOTICE

The Law Firm is entitled to amend this Privacy Notice in case of changes in its data processing activities or in the legal environment. It will, of course, notify the data subjects of any such amendments in due time. The date of the last update of this Privacy Notice is indicated at the end of this document.

February 1, 2026