Privacy Policy

1. Joint Controllers and Contact Details

This privacy notice applies to the processing of personal data in connection with subscribing to the newsletter available on the NBLEGAL.HU website and contacting us via the website. In the course of this processing, the following law firm and attorney act as joint controllers within the meaning of Article 26 of the GDPR (hereinafter together: the "Joint Controllers"):

1.1. First Joint Controller

Name: Nagy-Baranyi Law Firm
Registered office: H-1027 Budapest, Bem József utca 1/B. 3rd floor
Bar registration number: 4402

1.2. Second Joint Controller

Name: Dr. Boglárka Borbély, sole practitioner attorney
Address: H-1221 Budapest, Kálváriahegy utca 6.
Bar registration number: 36057899

The Joint Controllers' joint contact address for data protection related enquiries: office@nblegal.hu

The Joint Controllers have concluded a joint controllership agreement pursuant to Article 26 of the GDPR. The essence of that agreement is set out in this notice.

2. Nature of Joint Controllership, Allocation of Responsibilities Between the Joint Controllers

2.1. Information and Transparency (Articles 13–14 GDPR)

Nagy-Baranyi Law Firm has primary responsibility for preparing this privacy notice and publishing it on the website.
The other Joint Controller must ensure that all processing operations carried out by it are in line with this notice, and will assist in updating the information where necessary.

2.2. Operation of the Newsletter System and Technical Data Processing

Nagy-Baranyi Law Firm has primary responsibility for the technical collection of newsletter subscriptions and for the operation of the newsletter sending system (software administration, settings, operation, IT security measures).

2.3. Content and Sending of Newsletters

The content of the newsletters is determined jointly by the Joint Controllers.
Nagy-Baranyi Law Firm has primary responsibility for scheduling and actually sending the newsletters, subject to the approval of the other Joint Controller.

2.4. Handling of Contact Requests Submitted via the Website

Nagy-Baranyi Law Firm has primary responsibility for operating the contact form available on the website and for the technical receipt and storage of the data provided there.
Responsibility for responding substantively to incoming queries lies with both Joint Controllers, depending on the subject of the query; the Joint Controller receiving the query may involve the other Joint Controller if the query relates to the latter's field of activity.

2.5. Exercise of Data Subject Rights and Handling of Requests

Nagy-Baranyi Law Firm has primary responsibility for receiving and responding to your requests relating to your data protection rights (access, erasure, objection, withdrawal of consent, etc.).
However, you may exercise your rights with either Joint Controller; the Joint Controller receiving your enquiry must involve the other Joint Controller and provide a coordinated response.

2.6. Data Security and Incident Management

Nagy-Baranyi Law Firm has primary responsibility for the technical and organisational data security measures in connection with the operation of the newsletter system.
Each Joint Controller is responsible for the data security measures applied within its own IT system and organisation, as well as for jointly investigating and reporting any personal data breaches that may occur.

3. Categories of Personal Data Processed

3.1. Personal Data Processed When Subscribing to the Newsletter

Name – provision of your name is not mandatory; you may subscribe without providing it
E-mail address (mandatory for the delivery of the newsletter)
Date and time of subscription and of giving consent
IP address and technical metadata of the subscription (for system security and logging purposes)
Date and method of unsubscribing

3.2. Personal Data Processed When Contacting Us via the Website

E-mail address (mandatory for replying to you)
Name (not mandatory)
Subject and text of your message (which may contain personal data to the extent you decide to include them, including personal data of third parties)
Date and time of contacting us
IP address and other technical log data (for system security and logging purposes)

4. Purpose and Legal Basis of the Processing

4.1. Purpose and Legal Basis of Newsletter Data Processing

Sending you newsletters, professional updates, legal articles, publications, event invitations, and information relating to legal services provided by the Joint Controllers by electronic means.
The legal basis of the processing is your prior, freely given, specific and informed consent, pursuant to Article 6(1)(a) of the GDPR.
The sending of newsletters also qualifies as direct marketing; therefore, the relevant provisions of Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities under Hungarian law apply.
Provision of your personal data is voluntary; however, without providing your e-mail address, we will not be able to provide you with the newsletter service.

4.2. Website Contact – Purpose and Legal Basis

Receiving and responding to queries submitted via the contact form available on the website (or via the e-mail address provided on the website), maintaining contact with you and – where your query is aimed at this – preparing and arranging our legal services.
Where your query is aimed at the use of legal services or is directly related thereto (e.g. request for a fee quote, arranging a consultation), the legal basis of the processing is Article 6(1)(b) of the GDPR: taking steps at your request prior to entering into a contract.
Where your query is of a general nature (e.g. does not lead to the conclusion of an engagement letter), the legal basis of the processing is our legitimate interest in accordance with Article 6(1)(f) of the GDPR: receiving, responding to and maintaining professional communication with enquiries and clients.
On the basis of our legitimate interest and a balancing of your rights and freedoms, we consider that this type of processing is in line with your reasonable expectations, the scope of the data and the retention period are limited, and the processing does not constitute a disproportionate interference with your privacy.
Where your query results in the conclusion of an engagement letter, the primary legal bases of the subsequent processing are the performance of the contract (Article 6(1)(b) GDPR) and compliance with the legal obligations applicable to attorneys (Article 6(1)(c) GDPR); the details of this are set out in a separate privacy notice for attorney activities.

5. Source of the Data

You provide the data directly by filling in the newsletter subscription form, or through another electronic channel expressly provided by the Joint Controllers for this purpose.

The subject and text of the message you provide on the contact form may, at your discretion, contain further personal data (including data of third parties); the provisions of Section 4.2 of this notice apply to the processing of such data.

6. Processors and Data Transfers

To carry out the newsletter sending, the Joint Controllers may use one or more processors, in particular:

E-mail service provider: Google Ireland Limited

The processors process personal data solely on the basis of the instructions of the Joint Controllers and within the framework of a data processing agreement concluded with them.

Data transfers to third countries (outside the EU/EEA):

Where the newsletter service provider or another IT service provider is located in a third country (outside the EU/EEA), data transfers are carried out only subject to appropriate safeguards in compliance with the GDPR (such as the European Commission's standard contractual clauses).
Upon your request, we will provide detailed information on current data transfers and the safeguards applied.

7. Duration of Processing

We will process your personal data for as long as your newsletter subscription remains valid, i.e. until you withdraw your consent (unsubscribe), or until we discontinue the newsletter service.
Following the withdrawal of your consent, we will delete your personal data, except for those log data (e.g. date and time of giving and withdrawing consent) that we retain for the limitation period of civil claims (generally 5 years) for the purpose of evidencing a potential dispute and complying with our legal obligations.
Personal data provided in the course of contacting us via the website – where the query does not lead to an engagement letter – will be retained for a maximum of 6 months, after which they will be deleted, unless it is necessary to process them for a longer period for the establishment, exercise or defence of legal claims.
If, on the basis of your contact, we conclude an engagement letter with you, the data contained in your enquiry will form part of the case file relating to the attorney's engagement and will be retained in accordance with the retention periods laid down in the legislation applicable to attorney activities (in particular the Act on Attorneys and the bar association rules), which are typically longer. Detailed information on this is provided in a separate privacy notice.

8. Data Security

The Joint Controllers apply appropriate technical and organisational measures to ensure the security of personal data, in particular:

access control and restriction of access rights
logging and system monitoring
regular data backups
encrypted data transmission (e.g. HTTPS)
antivirus protection, firewalls, updates

Responsibility for the specific implementation of data security measures lies with the Joint Controller responsible for operating the newsletter system and the IT infrastructure, as well as with both Joint Controllers in respect of their own systems.

9. Your Rights and How to Exercise Them

Under the applicable data protection legislation, in particular the GDPR, you have the following rights:

Right of access: you may request information on whether we process your personal data, and if so, you may request access to those data and to information relating to the processing.
Right to rectification: you may request the rectification of inaccurate data and the completion of incomplete data.
Right to erasure ("right to be forgotten"): in certain cases you may request the erasure of your personal data, in particular if you withdraw your consent to the sending of newsletters.
Right to restriction of processing: in specific cases you may request the restriction of processing (e.g. in the event of a dispute).
Right to data portability: you may request to receive the personal data you have provided to us, which we process on the basis of consent, in a structured, commonly used and machine-readable format, and you may request that those data be transmitted to another controller.
Right to withdraw consent: you have the right to withdraw your consent at any time, without giving any reason. This does not affect the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint: you may lodge a complaint with the supervisory authority (see Section 10).

The sending of newsletters does not involve automated decision-making, including profiling.

10. Remedies

If you consider that the processing of your personal data infringes the applicable data protection legislation, in particular the provisions of the GDPR, you have the following remedies:

10.1. Complaint to the Supervisory Authority

Hungarian National Authority for Data Protection and Freedom of Information (NAIH)

Address: H-1055 Budapest, Falk Miksa utca 9–11.
Postal address: H-1363 Budapest, Pf. 9.
Telephone: +36 (1) 391-1400
E-mail: ugyfelszolgalat@naih.hu
Website: https://www.naih.hu

10.2. Judicial Remedy

In the event of a violation of your rights relating to data processing, you have the right to bring an action before a court. The action may – at your choice – be brought before the regional court having jurisdiction over your place of residence or stay.

11. How to Exercise Your Rights, Contact

11.1. Means of Contact

To exercise your rights, you may contact us using the following details:

Joint data protection contact e-mail: office@nblegal.hu
By post (to the address of either Joint Controller)

We may, where justified, request that you appropriately verify your identity in connection with your request (e.g. by replying from the e-mail address you have previously used).

11.2. Time Limits

The Joint Controllers will respond to your request without undue delay and at the latest within 1 month. In justified cases, this period may be extended by a further 2 months; in such a case, we will inform you of the reasons for the delay within the original 1-month period.

11.3. Unsubscribing from the Newsletter

You may unsubscribe from the newsletters at any time and free of charge:

by clicking on the "Unsubscribe" link at the bottom of the newsletters, or
by sending an e-mail to office@nblegal.hu.

Unsubscribing will terminate the sending of newsletters for the future; we will process the unsubscription as soon as possible, but no later than within 24–72 hours.

12. Amendments to this Privacy Notice

The Joint Controllers reserve the right to amend this privacy notice in the event of changes in the legal environment or in the circumstances of the processing. The amended notice will be published on the website, and where the amendments are significant, data subjects who have previously subscribed to the newsletter will also be informed separately by e-mail.

13. Website Usage Statistics

Our website collects anonymous usage statistics (e.g. number of page views, button clicks) for the sole purpose of improving the user experience.

We do not process any personal data when collecting statistics: we do not use cookies, we do not record your IP address, browser identifier or other personally identifiable information. The data is stored only in aggregated, anonymised form and is not suitable for individual identification.

Since the collected data is not considered personal data, it is not subject to the GDPR, so consent is not required.

Date of the current version of this notice: 5 December 2025.