Kapolyi Law Firm (“Data Controller“) shall continuously ensure that the personal data it manages shall be lawfully and appropriately processed.

The purpose of this notice is to give those who provide personal data on the website www.kapolyi.com with adequate information about the conditions, time and guarantees under which the Data Controller processes their data.

The Data Controller’s data processing complies with the relevant legislation, in particular with the following:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, hereinafter “GDPR”)

Act CXII of 2011 on Informational Self-Determination and Freedom of Information (“Privacy Act”)

Contact details of the Data Controller:
Name: Kapolyi Law Office
Registered seat: 1051 Budapest, József nádor tér 5-6. III. floor, Hungary
Phone number: +36-1-267-3975
E-mail: info@kapolyi.com
Website: www.kapolyi.com (“Website”)

1. Contacting the Data Controller

The Data Controller provides the possibility for the data subject to contact the Data Controller using any of the contact details (postal address, telephone number, e-mail address) provided on the website.
Controller of personal data: the Data Controller
Purpose of the processing: contacting
Legal basis for processing: as the case may be, the data subject’s consent pursuant to Article 6(1)(a) of the GDPR and the performance of a contract pursuant to Article 6(1)(b) of the GDPR , and the legitimate interest of the Controller pursuant to Article 6(1)(f) of the GDPR.
Scope of personal data processed: name; e-mail address; subject and content of the message, other.
Duration of data processing: five years from the time of the ending of the particular case’s proceedings. If no assignment results from the contact, then six months from the time of sending the message.

Use of a data processor: -.

Providing the information is optional, but the possible consequences of not providing it are: unsuccessful contact.

Rights of the data subject:
may request access to personal data concerning him or her,
request rectification of personal data,
request the erasure of personal data concerning him or her,
may request the restriction of the processing of personal data (i.e. that the Controller does not erase or destroy the data until a court or public authority requests it, but for a maximum period of thirty days, and that the data are not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
if it would be necessary for the processing to be carried out also on the basis of the legitimate interests of the Controller, to object to the processing of the personal data,
exercise their right to data portability. Pursuant to the latter right, the data subject has the right to receive personal data relating to him or her in MS Word or Excel format and the right to have those data transmitted to another controller by the Controller at his or her request.

2. Application for a job advertisement

The Data Controller provides the opportunity for the data subject to send their job application to the email address provided on the Data Controller’s website:
Controller of the personal data: the Data Controller
Purpose of the processing: application for a job advertisement
Legal basis of the processing: consent of the data subject pursuant to Article 6(1)(a) GDPR and preparation of a contract pursuant to Article 6(1)(b) GDPR.
Scope of the personal data processed: full name; e-mail address; telephone number, personal data included in the CV and cover letter uploaded (typically: photo, contact details, educational background, work experience), other.
Duration of processing: the period of the interview or offer following the application, up to a maximum of six months.
Use of a data processor: –

Providing the information is optional, but the possible consequences of not providing it are: unsuccessful job application.

Rights of the data subject:
may request access to personal data concerning him or her,
request rectification of personal data,
request the erasure of personal data concerning him or her,
request the restriction of the processing of personal data (i.e. that the Controller does not erase or destroy the data until a court or public authority requests it, but for a maximum period of thirty days, and that the data are not processed for any other purpose beyond that period), subject to the conditions set out in Article 18 of the GDPR,
if it would be necessary for the processing to be carried out also on the basis of the legitimate interests of the Controller, to object to the processing of the personal data.

3. Sending newsletters

The Data Controller sends newsletters to its clients and partners.

Controller of personal data: the Data Controller
Purpose of the processing: the Data Controller provides information to its clients and partners about current events and happenings that it considers important.
Legal basis for processing: legitimate interest of the controller Article 6(1)(f) GDPR
Scope of personal data processed: e-mail address. E-mail addresses are not collected by the Data Controller on its website.
Duration of the processing: for the entire duration of the sending of the newsletter, until the data subject objects.
Use of data processor: Dániel Balog, individual entrepreneur.

The provision of data is optional, possible consequences of not providing it: not receiving the newsletter

The data subject may object to the processing of the data at any time by contacting the Data Controller or unsubscribe from the newsletter at the bottom of the newsletter.

4. Organisation of events

The Data Controller organizes events with the participation of its clients, prospective partners, other persons interested in the subject of the event.
Controller of personal data: the Data Controller
Purpose of the processing: the successful organization and execution of events held by the Data Controller.
Legal basis for processing: legitimate interest of the controller Article 6(1)(f) GDPR.
The scope of the personal data processed: name and e-mail address, which are provided by the data subject to the Data Controller or directly to the data processor through individual registration.
Duration of data processing: the data will be stored by the Data Controller for 1 year after the event (or, in case of cancellation of the event, from the scheduled date) and then deleted.
Data processor: Myo Group Kft.

Providing the information is not compulsory, but the possible consequences of not providing it are: the person cannot participate in the event.
The data subject may object to the processing of the data at any time by contacting the Data Controller, or withdraw his or her participation in the event at any time.

5. Rights of data subjects, remedies

The data subject may request information about the processing of his or her personal data and access to the data, as well as request the rectification, erasure or withdrawal of his or her personal data, except for mandatory data processing, and exercise his or her right to data portability and objection in the manner indicated when the data were collected, or at the above contact details of the Data Controller.
Upon the request of the data subject, the information will be provided electronically without delay, but no later than within one month. The Data Controller fulfills the requests aimed at the exercise of the rights of the data subjects below free of charge.

Right to information:
The Data Controller shall take appropriate measures to provide data subjects with all the information referred to in Articles 13 and 14 of the GDPR and each of the disclosures referred to in Articles 15 to 22 and 34 of the GDPR concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, in a clear and plain language, but in a precise manner.

The right of access of the data subject:
The data subject has the right to access (obtain a copy of) his or her personal data and to receive feedback from the Data Controller as to whether his or her personal data are being processed. Where personal data are being processed, the data subject has the right to obtain access to the personal data and to the following information listed below.
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom or with whom the personal data have been or will be disclosed, including in particular recipients in third countries (outside the European Union) or international organisations;
the envisaged duration of the storage of the personal data;
the right to rectification, erasure or restriction of processing and the right to object;
the right to lodge a complaint with a supervisory authority;
information on the sources of the data; the fact of automated decision-making, including profiling, and clear information on the logic used and the significance of such processing and its likely consequences for the data subject.

Right of rectification:
Anyone may, by law, request the correction of inaccurate personal data relating to him or her processed by the Data Controller and the completion of incomplete data.

Right to erasure:
The data subject shall have the right to obtain, upon his or her request, the erasure of personal data relating to him or her without undue delay where one of the following grounds applies:
the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
unlawful processing of personal data can be established;
the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;
the personal data have been collected in connection with the provision of information society services.
The erasure of data cannot be initiated if the processing is necessary for the following purposes:
for the exercise of the right to freedom of expression and information;
to comply with an obligation under Union or Member State law to which the controller is subject to which the processing of personal data is subject or to carry out a task carried out in the public interest or in the exercise of official authority vested in the controller;
for archiving purposes, scientific and historical research purposes or statistical purposes in the public interest in the field of public health;
or for the establishment, exercise or defence of legal claims.

Right to restriction of processing:
At the request of the data subject, processing may be restricted under the conditions set out in Article 18 of the GDPR:
the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the accuracy of the personal data to be verified;
the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use
the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or
the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the Controller prevail over the legitimate grounds of the data subject.
Where processing is restricted, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the European Union or of a Member State. The data subject shall be informed in advance of the lifting of the restriction on processing.

Right to data retention:
The data subject has the right to receive the personal data concerning him or her that he or she has provided to the Data Controller in a structured, commonly used, machine-readable format and to transmit such data to another Data Controller. The Data Controller may grant such a request in MS Word or Excel format. The right to data portability is subject to the condition that the processing is automated and its legal basis is consent or a contract.

Right to object:
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In the case of an objection to the processing of personal data for direct marketing purposes, the data shall not be processed for those purposes. The right to object shall be available to the data subject where the processing is based on the legitimate interests of the controller, but the discretion to comply with the request shall be exercised according to which party’s rights prevail in accordance with Article 21(1) of the GDPR.

Right of withdrawal:
The data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.

Rules of Procedure:
The Data Controller shall inform the data subject of the action taken on the request without undue delay and in any event within one month of receipt of the request. If necessary, taking into account the complexity of the request and the number of requests, this time limit may be extended by a further two months. The Data Controller shall inform the data subject of the extension of the time limit, stating the reasons for the delay, within one month of receipt of the request.

If the data subject has made the request by electronic means, the information will be provided by electronic means unless the data subject requests otherwise.
If the Data Controller does not take action on the data subject’s request, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the failure to act and of the right to lodge a complaint with the supervisory authority and to seek judicial remedy.

The Data Controller shall inform each recipient to whom or with which the personal data have been disclosed of any rectification, erasure or restriction of processing that it has carried out, unless this proves impossible or involves a disproportionate effort. Upon request, the Controller shall inform the data subject of these recipients.

If the data subject’s rights of informational self-determination have been violated by the Data Controller, the data subject has the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information or to initiate legal proceedings before the competent court.
postal address: 1530 Budapest, Pf.: 5.

Phone: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu
Website: http://naih.hu