This data processing document was last reviewed or revised on May 24, 2024.

The company IST Hungary Kft. (hereinafter: “Consultant”, “Service Provider”, “Controller”), as the operator of the website accessible under the domain name isthungary.hu (hereinafter: “Website”), hereby publishes information about the processing of personal data in connection with the provision of services related to the Website and the other services provided by the Controller and specified in this document.

Users visiting the Website and using the services of the Controller (hereinafter: “User”) accept all the terms and conditions contained in this data processing document (hereinafter: “Regulation”), so please read this Regulation carefully and completely before using the Website and services.

1. Controller

The company IST Hungary Kft. (2636 Tésa, Ady Endre utca 11, Hungary, isthungary.hu, office@isthungary.hu, tel: +36205977777, tax number: 27966745-2-13), as controller, acknowledges the contents of this information notice as binding on itself.

The purpose of this Regulation is to set out the principles of protection and processing of personal data, as well as the policy for the protection and processing of personal data applied by the Consultant.

In accordance with paragraph (1) of Article 37 of the GDPR, the Consultant is not required to appoint a data protection officer.

2. Scope of legislation on which the processing of personal data is based

— Law No. 53 of 2017 on the Prevention and Combating of Money Laundering and the Financing of Terrorism (hereinafter: “Pmt”),

— Law No. 52 of 2017 on the application of financial and property restrictive measures prescribed by the European Union and the UN Security Council,

— Law No. 112 of 2011 on the right to informational self-determination and freedom of information,

— Regulation 2016/679/EU on the protection and processing of personal data of individuals and on the free movement of such data, and repealing Regulation No 95/46/EC (hereinafter: “GDPR”).

3. Principles of processing personal data

The Consultant undertakes that all processing of data related to his professional activities complies with the requirements set out in this Regulation, the GDPR, and applicable national law. The Consultant makes every effort to protect the personal data of its clients and the personal data provided by them, as well as the rights of interested parties. The Consultant treats personal information confidentially and takes all security measures, as well as technical and organizational measures, to ensure the security of personal data.

Within the scope of the above, the Consultant takes appropriate steps to ensure that personal information about clients is at all times:

— processed lawfully and fairly, and on an appropriate legal basis (lawfulness and fairness);

— collected only for specified, clear, and legitimate purposes and not processed in a manner incompatible with these purposes (purpose restrictions);

— limited to what is relevant and necessary for the purposes of data processing (data minimization);

— accurate and, if necessary, updated; if possible, inaccurate personal data will be deleted or corrected without delay (accuracy);

— stored in a form that allows clients to be identified only for as long as it is necessary for the purposes for which personal data is processed; storage of personal data for a longer period should only be carried out for statistical purposes, subject to the implementation of appropriate technical and organizational measures (storage restrictions);

— processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, through the application of appropriate technical or organizational measures (integrity and confidentiality).

At the same time, clients are required to ensure that data subjects, including persons specified in the assignment agreement and acting on behalf of clients or other persons whose personal data is transferred to the Consultant, receive a privacy notice in accordance with Article 13 of the GDPR.

4. Definitions

• “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identified natural person is one who can be identified directly or indirectly, in particular by reference to one or more factors such as name, number, location, online identifier or physical, physiological, genetic, mental, economic, cultural or social identity of an identifiable individual;

• “Data processing” means any operation or set of operations on personal data or files, whether automated or manual, such as collection, recording, organization, sorting, storage, transformation or modification, retrieval, consultation, use, transmission, dissemination or otherwise coordination, interconnection, limitation, removal or destruction;

• “Restriction of data processing” means the marking of stored personal data with the aim of limiting their processing in the future;

• “Controller” means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for the appointment of a controller may be determined by Union or Member State law;

• “Processor” means any natural or legal person, public authority, agency or any other body that processes personal data on behalf of the controller;

• “Third party” means any natural or legal person, public authority, agency or any other body that is not the data subject, controller, processor or persons who, under the direct control of the controller or processor, are authorized to process personal data;

• “Data subject consent” means a voluntary, specific, conscious and unambiguous statement by the data subject of consent to the processing of personal data concerning him or her by means of a statement or an unambiguous statement;

• “Unauthorized access to personal data” means a breach of security resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed;

• “Client”: those who are interested in the Consultant’s services in person, on the Website, by telephone, or in any other way, or who have entered into an agency agreement with the Consultant.

5. Scope of personal data, purpose, legal basis, and duration of data processing

The Consultant’s data processing is based on contractual or legal obligations or voluntary consent.

The Consultant processes the following personal data of clients for the purposes listed below:

5.1. Interest in consulting, intermediary, translation or other services by sending an email, in person, by phone, via instant messengers or otherwise

(a) name: information necessary to identify the client,

(b) email address, telephone number: information necessary to contact the client later,

(c) subject of interest (e.g. details of the proposed transaction, other relevant data): data necessary to clarify the client’s interests and respond accordingly based on the client’s own communication.

The legal basis for data processing is the consent of the interested party. Data processing lasts for the period specified by the interested party or until consent is withdrawn.

Personal data processed by the Consultant may be disclosed to subcontractors and Consultant employees to the extent necessary to achieve the purpose of data processing specified in this section.

5.2. Individual request for service cost

(a) name: information necessary to identify the client,

(b) email address, telephone number: information necessary to contact the client later,

(c) subject of interest (circumstances of the case covered by a possible order): data necessary to ascertain the client’s interest and respond accordingly, based on the client’s own communication.

The legal basis for data processing is the consent of the interested party. Data processing lasts for the period specified by the interested party or until consent is withdrawn.

5.3. Conclusion and execution of the contract of assignment to the Consultant

(a) name: information necessary to identify the client,

(b) email address, telephone number: information necessary to contact the client later,

(c) information related to the subject of the contract (for example, information about property, marital status, personal circumstances): definition of the subject of the contract, data and circumstances necessary for the execution of the contract and the execution of the order,

(d) data whose registration is mandatory and defined in the Pmt (for example, personal identification data, copies of identity cards, data on the quality of key government roles, data on the natural identity of beneficial owners): data must be registered in accordance with mandatory legal requirements.

The legal basis for data management is the execution of the contract and the provision of any legal disputes arising in connection with it, as well as the mandatory requirements of the Pmt.

The duration of data processing is the duration of the contract plus 5 years (the total period for fulfilling civil legal requirements); in the case of generated and non-destroyable documents, the storage period is not limited; in the case of data collected on the basis of the Pmt, 8 years from the date of termination of the assignment, which can be extended in exceptional cases provided by law.

In the absence of such a legal obligation, the Consultant will not verify the personal data provided to him. The person who provided the data bears full responsibility for the accuracy of the information provided. If the User or customer provides any of the email addresses involved, it is also their responsibility to ensure that they are the only one using the email address provided.

6. Addressees and categories of data processing addressees

The Consultant typically shares client personal information with the following third parties on a data controller to data controller basis:

— organizations providing services to the Consultant or clients (for example, a law firm, translation companies, legal service providers, insurance companies, audit or IT services provider, etc.);

— third parties involved in the execution of the contract for consulting (authorities, courts, experts, lawyers, accountants, translators, notaries or other service providers engaged by the Consultant or client);

— supervisory authority, other regulatory institutions and bodies.

Clients can request information about the processing of their personal data by the Consultant (purpose of data processing, legal basis, volume of data, transfer of data, duration of processing) via the following contacts:

Email: office@isthungary.hu,

Tel.: +36 205977777,

Address: 1203 Budapest, Kinizsi utca 20. Fsz. 1. ajtó.

7. Method of storing personal data, security of personal data

The Consultant’s computer systems and other data storage locations are located at its registered office and on appropriate servers.

The Consultant selects and uses the IT tools used for processing personal data when providing services so that the processed data:

— is available only to those who have the right to access it;

— can have its authenticity and authentication ensured;

— can be verified as unaltered;

— is protected from unauthorized access.

The Consultant takes appropriate measures to protect data, in particular from unauthorized access, modification, transmission, disclosure, deletion or destruction, as well as from accidental destruction, damage or inaccessibility as a result of changes in the technology used.

Taking into account the current state of technology, the Consultant shall ensure that the security of data processing is protected by technical and organizational measures that provide a reasonable level of protection commensurate with the risks associated with data processing.

At the same time, the Controller brings to the attention of interested parties that electronic communications transmitted over the Internet, regardless of protocol (e.g. email, Internet, etc.), are vulnerable to network threats that lead to fraud, contract disputes or disclosure or modification of information. To protect against such threats, the Consultant takes all precautions required of it.

Data processed by the Consultant is primarily accessible to its employees and subcontractors and is disclosed to third parties solely for the purpose of fulfilling the Consultant’s instructions or other legitimate interests (e.g. debt collection), legal obligations or with the prior explicit consent of the data subject.

8. International transfer of personal data to a third country

Customers’ personal data may also be transferred to controllers and processors in countries outside the European Economic Area and within the European Union if this is necessary to fulfill an order or with the customer’s express consent based on information previously provided to him (Article 49 GDPR).

Before concluding the contract, the Consultant informs the client that data transferred outside the European Union is adequately protected in relation to the recipient outside the European Union:

(a) through the general data protection provisions adopted by the Commission in accordance with the verification procedure referred to in paragraph (2) of Article 93 of the GDPR;

(b) through the general data protection provisions adopted by the supervisory authority and approved by the Commission in accordance with the verification procedure referred to in paragraph (2) of Article 93 of the GDPR;

(c) through an approved code of conduct in accordance with Article 40 of the GDPR and a legally binding and enforceable obligation on the controller or processor in the third country to apply appropriate security measures, including in relation to the rights of data subjects;

(d) through an approved certification mechanism in accordance with Article 42 of the GDPR, together with a binding and enforceable undertaking by the third country controller or processor to apply appropriate security measures, including with regard to the rights of data subjects. In this context, the Consultant will endeavor to adopt the model contractual data protection clauses approved by the European Commission/NAIH with its third country partners.

9. Client rights

9.1 Customer access rights (Article 15 GDPR)

The client has access to his personal data. If the client requests that the Consultant provide feedback on whether it is processing his personal data, the Consultant is obliged to provide information within the framework established by law.

In some cases, the Consultant does not receive personal information from the data subject. In such cases, the Consultant assumes that the person from whom he received the data had the right to transfer it to the Consultant. If the Consultant does not receive data from the data subject, his or her obligation to inform the data subject is limited.

However, the Consultant is always at the disposal of the data subject in the event of a request from the data subject and provides the requested information within the limits of the law.

The client’s right to receive feedback on whether the Consultant processes his personal data applies to personal data relating to him but does not apply to personal data not related to him.

The Consultant will provide access and a copy of personal information to the requesting client upon request. If the client requests an additional/repeated copy of his/her personal data, the Consultant may charge a reasonable fee to cover the administrative costs incurred in connection with the request and borne by the client.

9.2 Customer’s right to rectification (Article 16 GDPR)

The client has the right to correct his personal data. This right applies to personal data concerning him and does not apply to personal data that does not concern him.

At the request of the client, the Consultant undertakes, within the framework of the law, to appropriately correct or supplement his personal data, as well as to inform the recipients of such personal data (if any) about the correction of personal data, except in cases where informing the recipients is impossible or would require disproportionate effort.

9.3 Customer’s right to cancel (Article 17 GDPR)

Under certain conditions, the client has the right to delete his personal data.

The Consultant is obliged to delete the personal data if the Consultant processes this personal data and the client requests the deletion of his personal data, and the personal data is not necessary for the purposes for which the Consultant processes the personal data.

The Consultant is obliged to delete the client’s personal data without undue delay if the Consultant processes the client’s personal data and the client requests the deletion of his personal data, and the client withdraws his consent on which the processing of his data is based, and there are no other legal grounds for the client’s data to be processed further.

The Consultant is obliged to delete the client’s personal data if the processing is necessary to protect the legitimate interests of the Consultant or a third party, and the client objects to the Consultant’s processing of his personal data, and the legitimate reason for the processing of such personal data does not take precedence over the customer’s protest.

The Consultant is obliged to delete the client’s personal data if the client requests the deletion of his personal data and the processing of such data by the Consultant is not illegal or the deletion is mandatory in accordance with applicable law, or the client’s data was collected in relation to information society services.

The Consultant informs the recipients of such personal data (if any) about the deletion of the client’s personal data, except in cases where informing the recipients is impossible or disproportionate.

9.4 Client’s right to restriction of data processing (Article 18 GDPR)

The client may, within the framework of the law, request restriction of the processing of his personal data.

The client’s right to request restriction of the processing of his personal data applies to personal data relating to him and does not apply to personal data that does not concern him.

The Consultant restricts the processing of the client’s personal data for a period during which he or she verifies the accuracy of such data if the client requests restriction of the processing of his or her personal data and the client disputes the accuracy of such data.

The Consultant limits the processing of the client’s personal data if the client requests to limit the processing of data, the processing of which is illegal, and the client objects to the deletion of such data.

The Consultant restricts the processing of the client’s personal data if the client requests to limit the processing of his personal data and this data is no longer needed by the Consultant for the purposes of data processing and the client requests that his data be stored in order to enforce or defend a legal claim.

The Consultant limits the processing of the client’s personal data if the client objects to the processing of personal data, which, however, is necessary for the legitimate interests of the Consultant, and the client expects confirmation of a legitimate reason for the Consultant to process the client’s personal data, which reason shall prevail over the client’s protest.

The Consultant informs the recipients of such personal data (if any) about any restrictions on the processing of the client’s personal data, except in cases where informing the recipients is impossible or disproportionate.

If the Consultant limits the processing of the client’s personal data, then he:

— may store such personal data,

— may process such personal data with the client’s consent,

— may process personal data for the establishment, assertion or defense of legal claims or for the protection of human rights.

9.5 Customer right to data portability (Article 12 GDPR)

The Client has the right to receive personal data about himself provided to the data controller in a structured, commonly used machine-readable format and to transfer this data to another data controller without hindrance (if technically possible) to whom the personal data was provided, if the processing is based on consent or is necessary for the performance of a contract and the processing is carried out in an automated way.

The client’s right to data portability applies to personal data concerning him and does not apply to personal data that does not concern him.

9.6 Right to protest

The data subject has the right to object to processing at any time on grounds relating to his or her situation, if this is necessary for the performance of a task in the public interest or within the framework of a public authority entrusted to the Data Controller, or if the Data Controller or a third party has a legitimate interest.

The Consultant is obliged to provide the requested information in writing as soon as possible (without undue delay) from the date of submission of the application, but no later than within 30 days, or to delete the data in case of withdrawal of consent. In case of correction or deletion, the Consultant informs all recipients to whom the data was transferred.

If the Consultant is unable to comply with the data subject’s request, it must inform the data subject within 30 days.

The Consultant informs data subjects that withdrawal of consent to data processing does not affect the lawfulness of data processing carried out on the basis of consent prior to withdrawal.

10. Unauthorized access to personal data

If unauthorized access to personal data in the Consultant’s system may pose a high risk to the rights and freedoms of individuals, the Consultant will inform the data subject of the data security incident without undue delay.

Unauthorized access to personal data is any event related to the unlawful handling or processing of personal data in connection with personal data processed, transmitted, stored or processed by the Data Controller, in particular unauthorized or accidental access, modification, transfer, deletion, loss or destruction, or accidental destruction resulting in injury.

The Controller shall, without undue delay and no later than 72 hours after becoming aware of unauthorized access to personal data, notify NAIH of the incident unless the Controller can demonstrate that the unauthorized access to personal data is unlikely to jeopardize individual rights and freedoms. If notice cannot be given within 72 hours, the reason for the delay must be stated and the required information can be provided in detail without further undue delay. The NAIH notice must contain at least the following information:

• the nature of unauthorized access to personal data, the number and category of data subjects and personal data;

• name and contact details of the data controller;

• probable consequences of unauthorized access to personal data;

• measures taken or planned to eliminate or prevent unauthorized access to personal data.

Where unauthorized access to personal data may pose a high risk, the Controller must notify data subjects of the data security incident via the Data Controller’s website within 72 hours of discovery of the data security incident. The information must contain at least the information specified in this paragraph.

The data controller maintains a record of incidents of unauthorized access to personal data in order to monitor measures related to the data security incident and inform data subjects. The register must contain the following information:

• the scope of the relevant personal data;

• circle and number of interested parties;

• date of the incident related to unauthorized access to personal data;

• circumstances and consequences of an incident with unauthorized access to personal data;

• measures taken to resolve an incident with unauthorized access to personal data.

The data contained in the register must be retained by the Data Controller for a period of 5 years from the date of detection of unauthorized access to personal data.

11. Relationships with clients

If the client has any comments, questions or problems with the management of the Consultant’s data or when using his services, he can contact the Consultant using the contact details on the Website.

12. Links to other websites

This site contains links to other providers that are not covered by this privacy statement. When a client leaves the Consultant’s website, it is recommended that he carefully review the privacy policies of all relevant websites that collect personal information.

13. Other

The Consultant reserves the right to unilaterally amend this Privacy Information with notice to interested parties.

The Consultant informs its clients that they may contact the Consultant to provide information, disclose data, or provide documents to an investigative body, the National Data Protection and Freedom of Information Authority, or other bodies authorized by law.

14. Rules of procedure

The Controller must provide information on, delete, and correct personal data within 30 days. If the Controller does not comply with such a request from the data subject, it must notify the data subject of the reasons for the refusal in writing within 30 days.