1. Principal information

1.1. The purpose of this document is to set forth the data processing and data protection principles of Emese Janosi Mozes (Address: Álvarez Quintero, 11. Zip: 41710 City: Utrera (Sevilla), Spain) (hereinafier: “Data controller'”) related to the legal practice involving personal data processing defined in this Policy that the Data controller commits to be bound by.

1.2. During the creation of the provisions of the Data Processing Policy (hereinafier: “Policy”) the Data controller paid special attention to the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”), Act CXII of 2011 on the Right of infonnational Self-Determination and on Freedom of information (“Privacy Act”), Act LIII of 2017 on the Prevention of and combating against Money Laundering and Terrorism Financing (“Pmt.”) Act LXXYIII of 2017 on Legal Practice (“Attorney Act”).

1.3. Data controller states that during its Iegal practice it will comply with and will have, in the scope under its control, others comply with the mandatory provisions of the applicable data protection law. ln this context the Data controller will process the personal data of the Data Subjects confidentially and will ensure their protection, moreover, it states to take the required technical and organisational measures and establish the procedural rules required to inlplement the GDPR and other confidentiality legislation.

1.4. The scope of personal data concerned by the data processing described in this Policy may vary according t.o the assignment, however, such data are primarily the personal data provided by the principal to the Data controller in the Assignment, and all other data provided to and/or became known by the Data controller in the course of the performance; such data may also include the sensitive data of the principal or other person, within the frameworks of law.

2. Purpose and Principles of the data processing

2.1. The main purpose of the processing of the personal data of the client and of third persons is the performance of the legal service based on the assignment and of the instructions of the principal, as well as the performance of every other operation in direct relation thereto and serving the principal’s interests, and the compliance with the pertinent provisions of law including the implementation of the persons entitled to issue administrative, judicial and other mandatory normative acts.

2.2. The Data controller processes the personal data of the natural persons representing the legal person as contracting party, including the data provided in the course of the performance of the contract, and of the natural person as contracting party, including his/her address, email address and phone number for the purpose of communication and or the performance of obligations arising from contract. ln case any changes occur regarding such data, the principal shall notify the Data controller without delay.

2.3. The Data controller processes the name, address, email address of the natural person (non-signatory) indicated as contact person in the contract concluded with the Data controller, for the purpose of contacting, and exercising rights and fulfilling obligations arising from a contract with regards to that the contact person is in employment relationship with the contracting party, thus, the said data processing is not detrimental to the rights of the dara subject. The Principal shall inform the contact person as data subject of the data processing in such regard. ln case any changes occur in the said data, the Principal shall notify the Data Controller properly and without delay.

2.4. The Data controller processes the Personal data in line with the principles of good faith, fairness and transparency in accordance with provisions of the relevant laws and this Policy.

2.5. The Dara controller processes indispensable personal data in order to achieve the aforementioned purposes strictly limited to tbe purposes described in this Policy.

2.6. The Data controller processes personal data solely for the purposes set forth by this Policy and law. The scope of the personal data processed is proportionate to the purpose of the data processing and cannot be exceeded.

2.7. The Data controller does not transfer the personal data to any third parties other than the Data processors set forth in this Policy, except in the event of a compulsory data provision. The Data Controller shall not transfer the data of the Data Subjects to third countries (non-EU, non-EEC countries), unless if the Data Subject expressly consents thereto and under the conditions determined in the written statement of the parties, along with ensuring the safeguards prescribed in GDPR.

3. The legal basis for processing, source of data

3.1. During the perfomance of the personal data processing for the purpose described in Point 2.1. above, the legal basis for the data processing arc the following Points of Article 6 (1) of GDPR: given consent (Point a)); the necessity of the data processing in order to perform a contract (Point b)). During the legal services the processing of personal data of the Client or third persons might be necessary for both complying with legal obligations (in these cases the processing is based on Point c)) and for protection of vital interests of the data subjects (Point d)). ln case of the processing of the sensitive data, legal basis described in Points a); f) and g) of Article 9 (2) of GDPR might be applicable as well.

3.2. In the case of the data processing purposes set forth in Points 2.2. and 2.3. above, the legal basis of the processing of the contact persona) dala is either the performance of the right and obligations arising from the contract (based on Point b) of Article 6 (1) of GDPR) or after the termination of the contract the legitimate interest of the Data Controller as set forth in Point 1) of Article 6 (1) of GDPR.

3.3. ln addition to these statutory bases of processing the Data controller processes the personal data in line with the provisions of the Privacy Act.

3.4. The Data controller primarily obtains any personal data concerning the principal from the principal voluntarily or from third persons authorised for the data provision. ln all other cases the source of the data in particular but without limitation is a public registry, court, authority or other data subject.

4. Duration of the data processing

4.1. In the case of the personal data processing described in Point 2.1. above, the period of data processing is the duration of the contract (the assignment), thereafter, based on Subsection (3) of Article 53 § of the Attorney Act the Data controller shall be obliged to keep the data that are processed in com1ection with the contract for five (5) in case of electronic deeds, for ten {10) years of the terrnu1ation of the assignment, and shall keep the documents concerning the countersigning of deeds for ten (10) years.

4.2. In the case of the personal data processing described in Points 2.2 and 2.3 above, the duration of the personal data processing is connected to the fulfilment of tbe purpose, but it can be no longer than 8 years aft er the termination of the contract.

5. Recipients of the data, Data Processors

5.1. Regarding all data subjects, the recipients of the personal data shall be the Data Controller’s attorney or attorneys, employees, contact persons, and its data processors performing duties regarding accounting and taxes.

5.2. The Data Controller, if necessary, shall transfer the persona( data to the accounting firm assigned by the company for purposes regarding taxes and accounting, to the Correos (Spanish national postai service provider) for posting and transfer purposes, or to the legal representative of the Data controller.

5.3. The data processor does not make independent decisions, it may only proceed in accordance with the provisions of the contract concluded with the Data controller and the instructions thereof.

6. Data protection measures

6.1. The Data controller processes data primarily in paper form, secondarily by automatic processing, the physical location of which is, in each case, the registered seat of the Data controller.

6.2. The Data controller ensures the safety of the processed data and makes all the technical and operational measures necessary for the adaptation of the data and secret protection regulations, in particular the Data controller protects them against unauthorized access, alteration, transfer, disclosure, deletion or erasure, involuntary destruction and damages as well as against unavailability due to the modification of the technology used. The Data controller stores the personal data at locations protected by permanent security measures, in a locked room with enhanced data security measures by the Data controller on the computers at the seat of the Data controller, thus it is ensured that unauthorized persons do not have access to the data or make copies of them.

6.3. The Data controller keeps the footages in line with the applicable 1aw ensuring that only those employees, other persons acting on behalf of the Data controller (Data processors) have access to the footages who need the access in order to perform their job or tasks.

7. Data subject rights and enforcement

7.1. The principal or any further data subject shall be entitled to exercise their following Data Subject rights stemming from data protection laws:

  • Right to information and access to personal data (GDPR A1ticles 13-15): the controller shall provide the data subject with the information described in GDPR, and the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.
  • Right to rectification and right to erasure (“Right to be forgotten”) (GDPR Articles I 6-17): The data subject shall have the right to obtain from the controller without undue delay the rectification or ersaure of personal data concerning him or her.
  • Right to restriction of processing (GDPR Article 18): The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
    (a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    (b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of tbeir use instead;
    (c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
    (d) the dala subject has objected to processing pursuant to Article 21 (1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
  • Right to data portability (GDPR Article 20): The data subject shall have the right to receive the personal data conceming him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
  • Right to object (GDPR Article 21 ): The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning hím or her.

The Data Controller shall examine the objection in the shortest possible time, but no later than within fifteen (30) days of the submission thereof, it decides on the grounds of the objection and informs the applicant of such decision.

If the data subject disagrees with the Data Controller’s decision, or if the Data Controller fails to meet the aforementioned deadline, the data subject shall be entitled to seek remedy in court within thirty (30) days of the communication of the decis ion or of the last day of the deadline.

7.2. In case the rights of the Data Subject are violated in relation to the processing of their personal data, the enforcement of such rights can be exercised before the district court of competence based on the data subject’s place of residence, and may tum to the Agency of Data Protection, Spain (Agencia Española de Protección de Datos (“AEPD”) – Address: C/Jorge Juan, 6, 28001 Madrid, Spain; Telephone: +34 901 100 099 / +34 91 266 35 17;  Website: www.aepd.es). The court hears such cases in priority proceedings.

16. june, 2022