As data controller, we declare that the collected data is processed according to the applicable laws in accordance with the Fundamental Law of Hungary, Act 112 of 2011 on Informational Self-determination and Freedom of Information and Regulation (EU) no. 2016/679 of the European Parliament and of the Council of 27 April 2016 („GDPR”).

We respect the personal and confidential information of our members, employees and clients. All the obtained data and facts are handled confidentially, and are used solely on the basis of statutory requirements to operate the office and to provide legal representation.

 Personal information is only disclosed to third parties with the explicit consent of the person concerned, however if the authority or court requests data provision, we are required to comply if all the required conditions are met.

Legality of data processing

Our Privacy Statement is in line with current legislation on data protection.

The processing of personal data is lawful only if one of the following conditions is met:

  • the person concerned has given consent to the processing of his / her personal data for one or more specific purposes;
  • data processing is necessary for the performance of a contract in which the person concerned is a party, or before the signing of a contract, it is necessary to take action at the request of the person concerned;
  • data processing is necessary to fulfil the legal obligation for the data collector;
  • data processing is necessary for the protection of the vital interests of the concerned person or another natural person;
  • data processing is necessary for the performance of a task in the public interest or exercised by the data controller in the framework of public duty entitled thereto on;
  • data processing is necessary to enforce the legitimate interests of the data controller or a third party, unless the interests or fundamental rights and freedoms of the person concerned have priority and require the protection of personal data, especially, if the concerned person is a child.

Principles of data processing

The processing of personal data is handled in accordance with the following principles:

The processing is conducted in accordance with the applicable laws, fairly and transparently for the person concerned.

During the data procession, the principle of data minimization applies, based on which data procession must be appropriate and relevant to the purpose and limited to necessity.

Our data procession needs to be accurate and, if necessary, up-to-date. In this matter, we take all reasonable steps to ensure that inaccurate data is deleted or corrected without delay.

Personal data is stored for limited time, only for the period necessary for its purpose.

In the procession of personal data we ensure the protection against unauthorized or unlawful handling and accidental loss, destruction or damage of the data.

Personal data is only processed for the purpose and manner specified in the Privacy Statement, in order to exercise and fulfil the rights specified in the Privacy Statement. This purpose has to be met at all stages of the data procession.

Personal data is only processed if it is essential for the data procession to reach its purpose only to the extent and for the time needed to attain such.

Personal data is processed in particular when it is necessary to protect the vital interests of the person concerned, to perform the contract between the person concerned and the data controller, to enforce the legitimate interest of the data controller or third party.

Provision of information

Appropriate measures are taken to provide the person concerned with all the information on the management of personal data in a concise, transparent, understandable and easily accessible form, in a clear and unambiguous manner.

The obligation of information provision is fulfilled by compiling and publishing our Privacy Statement as well as by providing a shortened information statement and personal information sheets, as well as providing information boards.

Our employees and partners are subject to confidentiality upon handling processed data.

Interpretative provisions:

data security: a combination of technical, personnel and organizational measures and procedures for the security of data such as confidentiality, integrity and availability, protection.

data controlling: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

Data controller:
name: Havas-Sághy and Partners Law Office 
registered seat: 37 Balzac str. 2nd fl. 2., 1136 Budapest Hungary
registration number: 3480
tax number: 18146097-2-41
represented by: Dr. Havas-Sághy Gábor ügyvéd
Bar association number: 36061323


mobile: (+36) 70 381 2222
telephone: (+361) 786 66 07
telephone and fax (+361) 786 63 91


data processing: performing technical tasks related to data management operations, irrespective of the method and device used to perform the operations and the place of application, provided that the technical task is carried out on the data;

data processor:  a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

In case of our office, the accounting firm located in Hungary, may have access to data related to billing and invoices.

data destruction: complete physical destruction of data-containing storage device;

data deletion: making data unrecognizable in such a way that their recovery is no longer possible;

data encryption: for the purpose of limiting the further handling of the data by means of an identification mark for a definite or fixed period of time;

personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

biometric data: personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

confidentiality (classified): the feature of the data that only permits access to a predefined user circle (authorized persons), the access of everyone else is illegal;

loss of confidentiality: loss of confidentiality may considered as discovery, where confidential data becomes accessible to unauthorized persons.

security event: any event that may have an adverse effect on the confidentiality, integrity or availability of an IT device or data stored there;

data concerning health: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;

genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

consent: a voluntary, concrete and appropriate informed and explicit statement of the will of the person concerned by which he or she indicates the statement in question or a statement that expresses his / her affirmation by means of an unambiguous expression of his consent to the handling of personal data affecting him;

Information Act: Act CXII of 2011 on Informational Self-determination and Freedom of Information

public area of a private property: a private property that may be accessed without restriction by anyone, including the part of the public property to which it is entitled in the course of a civil law contract for the pursuit of personal and property protection, in particular in the context of a lease or lease, provided that: (a) is used in connection with the activity in the public domain of a private property guarded by a person or property protection activity, is of a continuity or assistance, or; (b) is intended to accommodate the data controller or the public in the public space of the private area;

disclosure: if the data is made available to someone;

profiling: any form of automated personal data processing where personal data are used to evaluate certain personal characteristics associated with a natural person, in particular characteristics related to work performance, economic status, health status, personal preferences, interest, reliability, behaviour, location or movement analysing or forecasting them;

integrity: the criteria of the existence, credibility, integrity, completeness of the data itself, which ensures that the data, information or program may only be changed by those entitled and may not be changed without notice;

Policy: the data processing policy of the data controller;

personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

right to objection: the statement of the person concerned with which he or she is objecting to the handling of his / her personal data and requesting the termination of data processing or the deletion of the data processed;

Office: the data controller, unless the Office only acts as data processor or the Office does not process data

property security technical system: for the purposes of property protection, an electronic signalling and visual monitoring system installed on property subject to the territorial scope of the Privacy Statement, including an unmanned electronic monitoring system (surveillance), an electronic access control system, a burglar alarm system or a surveillance system , a remote monitoring system, a security system for data and information security, and an electronic technical solution enabling other signals and images to be transmitted or signalled by light and/or sound;

guest: a natural person staying at the property with consent subject to the territorial scope of the Privacy Policy, who is not data controller’s employee or contractual agent.


Data procession of the data controller

Our legal activity (with the exception of legal counseling) is provided via retainer or by order of the court.

Mandate may be accepted from or established with a client, who personally appeared in the office and has been identified.

A natural person who is not known or whose identity is questionable has to be identified by the person’s identification documents.

Regarding the data specified by law, the data of the natural person in order to verify the consistency of the data with the data recorded and the validity of the documents presented by them may be obtained from the personal data and address register, the driver’s license register, the travel document register and the central alien register electronically by electronic means.

The personal information of our clients is processed solely for legal representation and for the purpose of issuing the invoice.

Prior to the singing of the retainer with the client for the procedure of registration into a public register, or for the purpose of editing a document that forms the basis for registration into a public register, it is our duty to request the client’s data relating to the document presented by a natural person before or in other cases when signing the retainer.

The data will be handled from the signing of the retainer, during the execution of the mandate and after the period of discarding required in the sectorial legislation.


Transparency, storing, using and forwarding of the data

The personal data stored about the persons concerned is only accessible to the person whom obligations require it.

It is ensured that the data is stored for the shortest period of time possible. In order to ensure that personal data is stored for the necessary length of time, the data controller sets out deletion or periodic review deadlines.

The handling of the data and documents received from contractual partners in the course of fulfilling the client due diligence obligation are kept for a minimum of eight years or until legal obligation demands it. The retention obligation begins with the recording of the data in case of a case-by-case mandate, and with the termination of the business relationship in the case of a permanent mandate.

The data, documents and copies (including their backups), which are hold during the execution of the client due diligence obligation, are immediately destroyed after the retention period.

During the storing obligation period, the retrieval of the documents received from clients or documents intended for the clients are assured, and are secured from unauthorized access and alteration, destruction of the original documents and attachments.

Use of the personal data as evidence in judicial or other official proceedings constitutes as utilization.

Anyone whose right or legitimate interest is affected by the recording of his/her personal data may, within three (3) business days from the date of recording his personal data, justify his/her right or legitimate interest to not discard the data or delete it. At the request of a court or other authority, the personal data must be sent to the court or the authority without delay. If, within 30 (thirty) days after the request for non-destruction is requested, the recorded images and/or sound recording and other personal data must be destroyed or deleted.

Personal data may be disclosed to third parties only in the case of a prior written consent of the person concerned. This does not apply to any statutory transfer of data, which may only take place in exceptional cases. We inform the persons concerned that data processors are used to process and store data in the employer’s human resource system and in our billing system.


Rights of the persons concerned and their validation

Information about the data subject, the data controller and the data processor, the scope of the data processed, the purpose, the rights and the validation possibilities of the data processed are provided in the Privacy Statement issued.

right of access ~ during the data processing, the data subject is entitled to access all data stored about him/her, and to be informed about the purpose, legal basis, storage and the duration of storage of his/her data. The right to information covers the rectification, erasure and restriction of processing concerning the processed data, and the option to file a complaint to the supervisory authority. Fulfilment of the request of the data subject to exercise his/her rights shall not be denied, unless it may be demonstrated that the data subject shall not be identified. For any further hard-copies requested by the data subject, we may charge a reasonable fee based on administrative costs.

right to rectification ~ the data subject is entitled to have any of his/her data that may be incorrect or incomplete, rectified.

right to erasure (”right to be forgotten”) ~ the data subject is entitled to have his/her data to be erased (forgotten), where at least one of the following conditions applies:

  • the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed;
  • the data subject has withdrawn his or her consent to the processing of personal data concerning him or her, and the data processing does not have other legal basis;
  • the data subject objects to the processing of personal data concerning him/her, and there is no other prioritized reason for the data processing;
  • the data processing was unlawful;
  • the data needs to be erased under applicable legislative duties.

Following the termination of the legal basis for the data processing, including the case in which the data subject withdraws his/her consent to the processing of personal data, any personal data processed by the data controller shall be erased within a short period of time.

right to limited access ~ Personal data shall be limited by access thereto, upon the request of the data subject, or if based upon the available information, it is assumable that erasing the data would prejudice the data subject’s legitimate interests.

Such personal data shall only be processed until the reason of said interest – preventing the erasure of personal data – stands.

right to restriction of processing ~ if the accuracy, lawfulness, or necessity of processing concerning the personal data is contested by the data subject, or if the data subject objects to the processing of personal data, the data subject is entitled to obtain from the controller restriction of processing, concerning his/her data.

right to obtain a copy of personal data ~ the data subject is entitled to obtain from the data controller a digital copy (pdf, doc, excel, txt) of the personal data undergoing processing, in order for the data to be provided to another data controller.

right to object ~ where personal data:

  • are processed for the exercise of rights of the controller or any third parties;
  • are processed or forwarded for direct marketing or statistical purposes, scientific or historical research;

and in the cases and under the conditions provided for by law, the data subject is entitled to object at any time to the processing of personal data concerning him or her.

The objection shall be without delay, and no later than 15 days:

  • examined,
  • the objection’s merits be decided, and
  • the objector be informed about the decision.


Data protection

Personal data shall be protected by adequate level of protection, from – in particular – unauthorised access, alteration, forwarding, disclosure, erasure or destruction, from accidental destruction and damage, and from inaccessibility caused by technical change.

We would like to inform you, that we proceed according to our information technology security policy and regulation in force, and we expect the same from our employees and contracting parties.

For any infringement of rights concerning personal data, we have developed our Data Protection Incident Protocol, which covers the option for the application concerning the infringement of data rights, the persons responsible for the prevention of such infringements, and the relevant time limits.

We keep record of all data protection incidents.

The data subject has the right to apply to the courts, should his/her rights be infringed. The court shall proceed in fastened procedure.

We shall compensate any damage which the data subject may suffer as a result of data processing that infringes his/her rights, or which is the result of violation of the requirement of data protection. The data subject may demand restitution for any non-financial damages he/she may suffered as a result of data  processing that infringes his/her rights, or which is the result of violation of the requirement of data protection.


About cookies and how we use them

On our website: all information and content can be accessed without providing any personal data.

Website may apply so-called cookies:

  • Session cookies – that only exist during the time of usage;
  • Necessary cookies – which serve the base functions;
  • Persistent cookies – which may persist after the time of usage;
  • Functional cookies – which save user preferences;
  • Performance cookies – which help increase the performance of the website, thus improving the user experience;
  • Statistical cookies – follows user behaviour, measures the accessibility of the website and the number of returning visitors;
  • Third-party cookies – provide advertisements according to the personal interest of visitors.

On the website we only use the following cookies:

  • Necessary cookies
  • Statistical cookies

The measurement and auditing of visitor statistics and other internet-analytical data are supported by third-party providers. (For further details, please visit:

We would like to inform our visitors, that the use of cookies used by our website requires the preliminary and informed consent of the user, by the Act 100 of 2003 on electronic communication, s4 Art 155. Therefore, upon the first visit of the website, on the bottom part of the screen, a notification appears, notifying the user about the cookies used by the website, and providing a link to this information message. To give consent to the use of cookies, the user must click on the „I agree” link.

On the website, links and icons of other websites (Facebook, LinkedIn and Google+ share button) are also present, which redirect the user to the specified websites. These websites also use cookies, of which information can be found on the certain website. The data controller does not oversee the websites of third parties, and shall not be liable for the content of third-party pages.

The purpose of the data stored within cookies is to improve the user experience and to develop the website’s online services. The cookies used by the website do not store any personal information.

In case you do not want to accept certain types of cookies, you have the option to set your internet browser to prevent it from sending your unique ID, or to notify you whenever a website wants to use cookies.

In case you would like to know more about these functions, and to specify the use of cookies, please visit the options of your internet browser, and follow the instructions of the helper windows. You can also visit the following link to help you turn the advertisements of certain internet providers on or off:

Firefox –

Chrome –

Safari –


Contact through our website

 Our clients and visitors are able to contact us by clicking the „contact” button, and by providing contact information.

Providing information is voluntary, by sending the e-mail, which we consider a consent regarding the above mentioned purposes to be given. The data controller may store the e-mails for years, under the relevant laws and legal interests, but with the expiry of the cause of data processing, the e-mails are erased.

This Declaration is in force as of 25th of May 2018


Should you have any more questions regarding the data processing, please inquire as per our Data Protection Regulation or ask your question directly.