Privacy Notice

The operator and data controller of the website https://goodtolaw.eu:

Vikor Áron Dávid Law Office
Registered office: 1034 Budapest, Viador utca 11.
Registered by: Budapest Bar Association
Bar Association ID: 36071388
Tax number: 19164261-2-41
Telephone: +36 30 498 0444
Email: info@goodtolaw.eu
Website: https://goodtolaw.eu

Last updated: 15 September 2023


General Information

Purpose of this Privacy Notice:

The purpose of this Privacy Notice is to provide information on the principles and rules governing the processing and protection of personal data by the Data Controller in relation to visitors of the website https://goodtolaw.eu and individuals who contact the Data Controller in connection with the goods and services offered on the site.

In drafting this Privacy Notice, the Data Controller has paid particular attention to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the “GDPR”), Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter referred to as the “Info Act”), and other applicable legislation.


Definitions Related to Data Processing

The definitions used in connection with the processing of personal data are determined by the GDPR. For the sake of transparency and clarity, the most important terms are set out below, as adopted from the GDPR:

  • “personal data”: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • “special categories of personal data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data for the purpose of uniquely identifying a natural person, health data, and data concerning a natural person’s sex life or sexual orientation. As a general rule, the processing of such data is prohibited.
  • “processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • “restriction of processing”: the marking of stored personal data with the aim of limiting their processing in the future;
  • “controller”: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • “processor”: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • “recipient”: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • “third party”: a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • “consent of the data subject”: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • “enterprise”: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
  • “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  • “supervisory authority”: an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR;

Principles Relating to the Processing of Personal Data

Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Processing must be based on a lawful legal basis, such as the performance of a contract, compliance with a legal obligation, protection of vital interests, the performance of a task carried out in the public interest, or the legitimate interests pursued by the controller or a third party.

Personal data processing must, at every stage, be consistent with the purpose of the processing. The collection and processing of personal data must be fair and lawful. Only personal data that is essential for the fulfilment of the purpose of processing and is suitable for achieving that purpose may be processed.

Personal data shall be processed only to the extent and for the duration necessary to achieve the intended purpose.

The Data Controller ensures that personal data are accurate and kept up to date. The Data Controller shall take every reasonable measure to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.

The Data Controller shall store personal data in a form that permits identification of data subjects only for as long as necessary for the purposes for which the personal data are processed, subject to any statutory retention obligations defined by applicable law.

Personal data shall be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Data Controller shall be responsible for compliance with the above principles and shall be able to demonstrate such compliance.


Data Processing Activities

3.1. Data Processing Related to Contacting the Controller

3.1.1. Contact via Email and Online Contact Form

Purpose of processing:
To initiate and maintain contact with the data subject based on their inquiry. The Data Controller shall use the personal data provided by the data subject exclusively for the purpose of responding to the inquiry. Personal data will not be disclosed to third parties unless required by law or unless the data subject has given prior and explicit consent.

Legal basis for processing:
Voluntary consent of the data subject pursuant to Article 6(1)(a) of the GDPR.

Processing is based on the data subject’s freely given, specific, informed and unambiguous consent, provided by sending the inquiry and the personal data contained therein to the Data Controller, to the extent necessary to respond to the inquiry (e.g., providing information).

Consent is deemed given by the data subject when voluntarily submitting the relevant data, and in the case of online forms, by completing the form and ticking the appropriate checkbox.

Scope of personal data processed:

  • name (first and last name)
  • email address
  • message content

The Data Controller does not verify the personal data provided. The person submitting the data is solely responsible for its accuracy.

Duration and Method of Data Processing

The processing of personal data provided in connection with initiating or maintaining contact shall continue:

  • until the data subject withdraws their consent,
  • but no longer than one year from the date of submission.

Method of data storage: electronic.


3.1.2. Contact via Telephone

Purpose of processing:
The data subject may also contact the Data Controller by telephone. In such cases, the Data Controller may become aware of the caller’s first and last name and telephone number. The purpose of the data processing is to enable communication with the data subject based on their inquiry.

During telephone contact, the Data Controller shall verbally inform the data subject of the availability of this Privacy Notice and shall notify the caller that their personal data can only be processed if the caller provides written confirmation that they have read and accepted the contents of this notice.

Legal basis for processing:
Voluntary consent of the data subject pursuant to Article 6(1)(a) of the GDPR.

Processing is based on the data subject’s voluntary, informed consent, which is deemed given by providing the necessary data to the Data Controller in order to respond to the inquiry and manage the request.

Consent is granted by the data subject through the voluntary provision of the relevant data.

Scope of personal data processed:

  • name
  • telephone number

The Data Controller does not verify the personal data provided. The person providing the data is solely responsible for its accuracy.

Duration and method of data processing:
The processing of personal data provided in connection with initiating or maintaining contact shall continue:

  • until the data subject withdraws their consent,
  • but no longer than one year from the date of submission.

Method of data storage: electronic.


Data Processing Related to Purchases via the Website

Purpose of processing:
The data subject is a person who places an order for a product or service via the Data Controller’s website or through an email inquiry. The website offers the possibility to order various products and services (such as e-books, e-documents, and participation in webinars). The data subject indicates their intent to purchase by selecting the desired product and/or service, placing it in the shopping cart, entering billing details, selecting a payment method, and submitting the order to the Data Controller.

The purpose of processing is to fulfil the order and maintain proper documentation.

Legal basis for processing:
Article 6(1)(b) of the GDPR – performance of a contract and steps taken prior to entering into a contract.

Scope of personal data processed (billing data required to submit the order):

  • Name
  • Country
  • (Optional) County
  • Billing address (city, postal code, street name, house number)
  • Telephone number
  • Email address

Duration and method of data processing:
Data is stored electronically.

Duration of processing: 5 years from the date of placing the order.


Data Processing Related to Invoicing

Purpose of processing:
To collect payment for the products sold and services provided by the Data Controller, to issue accounting documents (invoices), and to ensure their retention in accordance with applicable accounting regulations.

Legal Basis for Data Processing

Legal basis:
Article 6(1)(c) of the GDPR (compliance with a legal obligation)
and Section 169(e) of Act CXXVII of 2007 on Value Added Tax (VAT Act).

In the absence of the mandatory data content required by law for invoicing, the legal obligation to issue an invoice cannot be fulfilled, and thus the data processing cannot be lawfully performed.

Scope of personal data processed:

  • Name
  • Country
  • (Optional) County
  • Billing address (city, postal code, street name, house number)
  • Email address
  • Telephone number

Duration of data processing:
Pursuant to Section 169 of Act C of 2000 on Accounting, the retention period for invoicing data is 8 years.


3.4. Data Processing for Newsletter Subscription

Purpose of processing:
To send marketing and informational newsletters, including promotional communications, to data subjects about the Data Controller, its products and services, as well as for direct marketing purposes.

Pursuant to Section 6 of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter: Advertising Act), the User (Data Subject) may give prior and explicit consent for the Data Controller to contact them with promotional offers and other marketing communications at the contact details provided. Additionally, the Data Subject may consent to the processing of their personal data necessary for the purpose of sending such offers, in accordance with this Privacy Notice.

Legal basis:
Article 6(1)(a) of the GDPR – the data subject’s voluntary consent.

Processing is based on the data subject’s freely given, specific, informed and unambiguous consent, which is granted by subscribing to the newsletter (by ticking the relevant checkbox).

Scope of personal data processed:

  • First name and last name
  • Email address

Duration and method of data processing:
Until the data subject withdraws their consent, which may be done by clicking the unsubscribe link at the bottom of the newsletter, but no longer than one year from the date of subscription.

Method of data storage: electronic.

Access to Personal Data and Data Processors

To support the continuous improvement of its services and operations, the Data Controller may engage data processors (“External Service Providers”) from time to time. These processors act on behalf of the Data Controller and process personal data solely on the basis of a written agreement and in accordance with the instructions provided by the Data Controller, and in compliance with the applicable legal requirements.

The Data Controller engages only such processors who provide sufficient guarantees to implement appropriate technical and organisational measures to ensure that the processing meets the requirements of the GDPR and ensures the protection of the rights of data subjects. Once transferred, the data is processed separately by each processor.

Apart from the cases specified in this Privacy Notice, the Data Controller does not disclose personal data to other third parties. Access to the data is limited to employees of the Data Controller who are directly involved in providing the relevant services to the User.

The Data Controller informs the User that in the event of any changes regarding the data processors, it reserves the right to transfer data to the current processors in accordance with the purposes of the processing. Changes to the list of data processors will be communicated to the User by amending this Privacy Notice.

The Data Controller transfers personal data to the following data processors:


Temarketinged Kft.
Registered address: 4024 Debrecen, Wesselényi utca 1.
Tax number: 32037704-2-09
Company registration number: 09-09-034197
IT partner – providing website development and maintenance services


Profitárhely Kft.
Registered address: 6000 Kecskemét, Szolnoki út 23.
Tax number: 23173080-2-03
Company registration number: 03-09-121889
Hosting services – for proper website operation


KBOSS.hu Kft.
Registered address: 1031 Budapest, Záhony utca 7.
Company registration number: 01-09-303201
Tax number: 13421739-2-41
Billing activities – invoicing is conducted via Számlázz.hu


Business Tax Plus Bt.
Registered address: 1165 Budapest, Veres Péter út 152.
Company registration number: 01 06 753439
Tax number: 21472761-2-42
Accounting services – to fulfil tax and accounting obligations


Rights of the Data Subject

The data subject has the following rights:

a) to request information regarding the processing of their personal data and access to such data,
b) to request the rectification of inaccurate data,
c) to request the erasure of their personal data,
d) to request the restriction of processing,
e) to object to the processing of their personal data,
f) to exercise their right to data portability,
g) to exercise their right to legal remedy.

The data subject may file a complaint with the National Authority for Data Protection and Freedom of Information (NAIH) or initiate legal proceedings before the competent court, as specified at the end of this Privacy Notice.


Exercising Data Subject Rights

The Data Controller ensures the effective exercise of data subject rights as follows:

The data subject may submit their request regarding the exercise of their rights using any of the following channels and contact details provided in this Privacy Notice:
(i) by post,
(ii) by email,
(iii) by telephone.

  • Phone: +36 30 498 0444
  • Email: info@goodtolaw.eu
  • Postal address: 1034 Budapest, Viador utca 11.

The Data Controller will respond to the request without undue delay, but no later than 30 days from the receipt of the request. The response will be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

If the request is rejected, the Data Controller will notify the data subject within the same deadline, providing the reasons for the refusal and information on available remedies.

Requests are generally fulfilled via email, unless otherwise requested by the data subject. Telephone information is provided only if the data subject’s identity has been confirmed. The Data Controller does not use the data subject’s postal address or telephone number for any other purpose.

The Data Controller does not charge a fee for fulfilling requests. However, in the event of manifestly unfounded or excessive requests, particularly if repeated within one year and concerning the same set of data, the Data Controller reserves the right to charge a reasonable fee proportionate to the administrative burden or to refuse to act on the request with appropriate justification.

Right to Information and Access

Upon the data subject’s request, the Data Controller shall provide clear, concise, transparent, intelligible, and easily accessible information regarding the following:

  • whether personal data concerning the data subject is being processed by the Data Controller;
  • the identity and contact details of the Data Controller;
  • the personal data processed and their source;
  • the purpose and legal basis of the data processing;
  • the duration of the data processing;
  • the recipients or categories of recipients to whom the personal data has been or will be disclosed;
  • the rights of the data subject;
  • any personal data breaches, including their nature, consequences, and the remedial measures taken.

Right to Rectification

The Data Controller shall rectify inaccurate personal data concerning the data subject upon their request.
The Data Controller shall notify each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about those recipients upon request.


Right to Erasure (“Right to be Forgotten”)

The Data Controller shall erase personal data concerning the data subject without undue delay if any of the following grounds apply:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • the data subject objects to the processing;
  • the personal data has been processed unlawfully;
  • erasure is required for compliance with a legal obligation under Union or Hungarian law applicable to the Data Controller.

The Data Controller shall notify each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about those recipients upon request.


Right to Restriction of Processing

The Data Controller shall restrict processing upon the data subject’s request if any of the following conditions apply:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
  • the Data Controller no longer needs the personal data for the purposes of the processing, but the data subject requires it for the establishment, exercise, or defence of legal claims.

The Data Controller shall notify each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The Data Controller shall inform the data subject about those recipients upon request.


Right to Data Portability

Upon request, the Data Controller shall provide the data subject with the personal data concerning them, which they have provided to the Data Controller, in a structured, commonly used and machine-readable format.
The Data Controller shall also, at the data subject’s request, transmit those data to another controller without hindrance.


Right to Legal Remedy

If the data subject believes that their rights under data protection legislation have been violated during the processing of their personal data, they may exercise their right to legal remedy by submitting a complaint to the Hungarian National Authority for Data Protection and Freedom of Information (NAIH).

Alternatively, the data subject may also seek remedy through the competent court.

The Data Controller undertakes to fully cooperate with the court or the NAIH during such proceedings and to provide all relevant data relating to the processing in question.

Furthermore, the Data Controller shall compensate any damage caused by unlawful data processing or by breaching data security requirements. In the event of a violation of the data subject’s personal rights, the data subject may claim non-material damages (compensation for emotional distress).
The Data Controller shall be exempt from liability if the damage was caused by an unavoidable event outside the scope of data processing, or if the damage or violation was caused by the data subject’s own intentional or grossly negligent conduct.


Data Security Measures

The Data Controller ensures the security of personal data. It has implemented appropriate technical and organisational measures and established internal procedures to protect personal data that is collected, stored, or otherwise processed, and to prevent their destruction, unauthorised use, or alteration.

The Data Controller also instructs third parties to whom personal data has been transferred to comply with data security requirements.

The Data Controller ensures that unauthorised persons do not gain access to personal data, and that such data is not disclosed, transferred, altered, or deleted without authorisation.

All reasonable efforts are made to prevent the loss or damage of personal data. These commitments apply to all employees, partners, and data processors acting on behalf of the Data Controller who are involved in data processing activities.

Handling of Personal Data Breaches

If the Data Controller becomes aware of an event or incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed (hereinafter collectively referred to as a “personal data breach”), it shall act in accordance with Articles 33 and 34 of the GDPR. This includes notifying the competent supervisory authority – the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) – and informing the affected data subject(s) if the breach is likely to result in a high risk to the rights and freedoms of natural persons.

Anyone who becomes aware of such a breach may report it to the Data Controller at info@goodtolaw.eu.

The report should include:

  • the name of the reporting person;
  • their contact details (telephone number and/or email address);
  • indication of whether the breach concerns a specific software component or service.

The Data Controller shall review the report within 1 business day, or immediately if deemed serious, and may request further information from the reporting person. If required, the Data Controller shall notify the NAIH within 72 hours of becoming aware of the breach.

The notification must include:

  • the nature of the personal data breach, including the categories and approximate number of data subjects concerned, and the categories and approximate number of data records affected;
  • the name and contact details of the person providing further information;
  • the likely consequences of the personal data breach;
  • the measures taken or proposed by the Data Controller to address the personal data breach, including measures to mitigate its possible adverse effects.

If further investigation is required, the Data Controller shall involve appropriate professionals to assess the actual and potential impact of the breach. These experts will prepare a report, including recommended technical and security measures necessary to remediate the breach.

The final decision on implementing such measures rests with the Data Controller.

If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Data Controller shall inform the affected data subjects without undue delay, in clear and plain language, describing:

  • the nature of the breach;
  • the name and contact details of the person providing further information;
  • the likely consequences of the breach;
  • the measures taken or proposed by the Data Controller to mitigate any possible adverse effects.

Notification of the data subject is not required if:

  • the Data Controller has implemented appropriate technical and organisational protection measures (e.g., encryption), and such measures have been applied to the data affected by the breach, rendering it unintelligible to any person not authorised to access it;
  • the Data Controller has taken subsequent measures which ensure that the high risk to the data subject’s rights and freedoms is no longer likely to materialise;
  • such communication would involve disproportionate effort due to the number of data subjects. In this case, the Data Controller shall instead issue a public communication or similar measure to inform the data subjects in an equally effective manner.

Record of Data Breaches

The Data Controller shall maintain a register of personal data breaches.

This register must contain:

  • the scope of personal data concerned;
  • the number and categories of affected data subjects;
  • the date and time of the incident;
  • the circumstances and effects of the incident;
  • measures taken to remedy the incident;
  • any other details as required by applicable data protection laws.

Records of data breaches involving personal data must be retained for 5 years, and those involving special categories of data must be retained for 20 years.


Right to Legal Remedy

The Data Controller can be contacted regarding any questions or concerns related to data processing via the contact details provided in this Privacy Notice.

Complaints and reports can also be submitted to the supervisory authority:

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)
Address: H-1055 Budapest, Falk Miksa utca 9–11.
Mailing address: 1363 Budapest, Pf. 9.
Phone: +36-1-391-1400
Fax: +36-1-391-1410
Website: www.naih.hu
Email: ugyfelszolgalat@naih.hu

If the data subject believes that the processing of their personal data has violated their rights, they may also bring the case before a competent court. Legal proceedings shall be conducted as a matter of urgency. It is the responsibility of the Data Controller to prove that the data processing complied with applicable laws. The lawsuit falls within the jurisdiction of the regional court and may also be initiated before the court of the data subject’s place of residence or habitual abode.

The Data Controller undertakes to fully cooperate with the court or the supervisory authority during such proceedings and to provide all relevant information concerning the data processing in question.

Furthermore, the Data Controller agrees to compensate any damage caused by the unlawful processing of personal data or by a breach of data security. In the event of a violation of the data subject’s personal rights, non-material damages (compensation) may be claimed.
The Data Controller is exempt from liability if the damage was caused by an unavoidable external cause beyond its control, or if the damage or personal rights violation resulted from the data subject’s intentional or grossly negligent conduct.


Right to Modify the Privacy Notice

The Data Controller reserves the right to amend this Privacy Notice at any time.
