Privacy Policy
INTRODUCTION
dr. Beatrix Bóné, Attorney-at-Law (hereinafter: the Data Controller or the Attorney) necessarily processes personal data in the course of her professional activities; however, she pays particular attention to the protection of personal data, compliance with mandatory legal provisions, and the secure and fair processing of such data.
The purpose of this Privacy Notice is to provide Data Subjects with all essential information and explanations in a concise, transparent, intelligible and easily accessible form, expressed clearly and in plain language, and to assist Data Subjects in exercising their rights.
The Data Controller processes the personal data of natural persons in connection with the conclusion and performance of attorney–client engagement agreements and other contracts concluded by her, as well as of persons who come into contact with her for other purposes, in accordance with:
the General Data Protection Regulation — Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: GDPR),
Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Infotv.),
Act LXXVIII of 2017 on Attorneys (Ügyvédi tv. / Act on Attorneys),
Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (Pmt.).
All processing activities are carried out in full compliance with these laws.
THE DATA CONTROLLER AND CONTACT DETAILS:
Name: Dr. Beatrix Bóné
Seat: 1039 Budapest, Temesvári u. 32.
E-mail: iroda@bonebeatrix.hu
Phone: +36 30 343 6182
I. DEFINITIONS
personal data: any information relating to the data subject which can be associated with the Data Subject or makes the Data Subject identifiable (e.g., name, phone number, online identifier, location data, facial image, voice, etc.) [Regulation Art. 4(1)]. Personal data retains this quality during processing as long as its connection with the Data Subject can be restored using the information and technical conditions held by the Data Controller;
processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
data controller: the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data;
consent of the data subject: any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
data transfer: making the data accessible to a specific third party;
data erasure: making the data unrecognizable in such a way that its restoration is no longer possible;
data marking: supplying the data with an identifying mark for the purpose of differentiation;
restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future;
data destruction: the complete physical destruction of the medium containing the data;
data processor: a legal person which processes personal data on behalf of the data controller;
recipient: a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, whether a third party or not;
cookie: a small data packet (text file) sent by the web server and placed on the user's computer for a specified period, which, depending on its nature, the server may supplement upon subsequent visits—i.e., if the browser sends back a previously saved cookie, the provider managing the cookie has the opportunity to link the user's current visit with previous ones, but exclusively regarding its own content;
client: a natural or legal person who has concluded an engagement contract with the Attorney or a natural or legal person who uses the Attorney's services without concluding an engagement contract;
data subject: an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
third party: a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
IP address: in all networks where communication follows the TCP/IP protocol, server machines have an IP address, i.e., an identification number, which allows the identification of the given machines through the network;
objection: a statement by the data subject objecting to the processing of their personal data and requesting the termination of processing or the erasure of the processed data.
II. PRINCIPLES RELATING TO THE PROCESSING OF PERSONAL DATA
Personal data shall be:
a) processed lawfully, fairly, and in a transparent manner ("lawfulness, fairness, and transparency");
b) collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes ("purpose limitation");
c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay ("accuracy");
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ("storage limitation");
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures ("integrity and confidentiality").
The data controller shall be responsible for, and be able to demonstrate compliance with, the above ("accountability").
III. LEGISLATION
The Data Controller processes all personal data handled by her in all cases in compliance with the current Hungarian and European legislation and data processing principles, ensuring the guarantee conditions necessary for secure data processing. Data processing procedures were developed based on, in particular, but not limited to:
Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
The Fundamental Law of Hungary
Act V of 2013 on the Civil Code (Ptk)
Act LXXVIII of 2017 on the Activities of Lawyers (Act on Attorneys )
Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Privacy Act)
Act C of 2000 on Accounting (Accounting Act)
Act LIII of 2017 on the Prevention and Combating of Money Laundering and Terrorist Financing (AML Act)
IV. RIGHTS OF THE DATA SUBJECT
Right of access: The Data Subject may receive feedback on the processing of their data, access the details of processing, and receive a copy of the data.
Right to rectification: The Data Controller shall rectify inaccurate data without undue delay upon request.
Right to erasure: The Data Subject may request erasure if the data is no longer necessary, consent is withdrawn, or processing is unlawful.
Right to be forgotten: The Data Controller shall strive to notify other controllers of the erasure request regarding data made public.
Right to restriction of processing: Processing may be restricted if accuracy is contested, processing is unlawful, or the data is needed for legal claims.
Right to data portability: The Data Subject may receive their data in a structured, machine-readable format.
Right to object: The Data Subject may object at any time to processing based on legitimate interest.
Responding to requests: Requests are examined within 30 days (15 days for objections).
Initiation of rights: via post (1039 Budapest, Temesvári u. 32) or e-mail (iroda@bonebeatrix.hu).
Right to lodge a complaint: Primarily to the Attorney, secondarily to the National Authority for Data Protection and Freedom of Information (NAIH).
Right to a judicial remedy: Data Subjects may turn to the competent court against binding decisions of the supervisory authority or in case of unlawful processing.
V. DATA SECURITY
The Data Controller minimizes processing to reduce risks and ensures transparency to detect incidents. Security measures include:
Password protection for electronic storage.
Physical protection (locks, alarms) for paper-based data and hardware.
Access restricted to authorized persons only.
Regular backups and antivirus software.
Compliance with attorney-client privilege regulations.
VI. PERSONAL DATA BREACH
A breach is a security violation leading to the destruction, loss, or unauthorized access of data. If detected, please notify the Attorney immediately. Breaches are reported to the authority within 72 hours unless they pose no risk. If high risk, Data Subjects are notified without delay.
VII. DATA PROCESSING ACTIVITIES
1. Data Processing Performed in the Course of Attorney Engagement and Client Identification
The Attorney processes personal data in the course of legal services pursuant to Section 27 of Act LXXVIII of 2017 on Attorneys. The scope of processed data may be determined by law (e.g., mandatory elements of a contract) or by the requirements of authorities or courts in specific proceedings.
Section 32 of the Act on Attorneys provides:
Section 32 (1) Except for engagements for legal advice, prior to concluding an engagement agreement, and prior to countersigning a contract between the client and the employer or a third party, the attorney (including in‑house counsel for the purposes of this section) shall identify the client, the contracting party of the employer, and any person acting on their behalf.
Section 32 (2) If the attorney does not know the natural person or has doubts regarding their identity, the attorney shall identify the person by inspecting an official identification document.
The attorney may request data from the personal identification and address register, the driving licence register, and the passport register to verify the accuracy and validity of the data and documents presented. Such data requests are carried out if doubts arise regarding the authenticity or validity of the documents or data.
Retention period: 8 years from termination of the engagement; in case of legal disputes, 5 years from the final conclusion of the dispute, if later.
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Client’s name, address | Conclusion of the engagement agreement | GDPR Article 6(1)(b) – performance of the attorney–client contract |
| Client’s name, address | Invoicing | GDPR Article 6(1)(c) – legal obligation of the Data Controller; VAT Act Section 169; Accounting Act Sections 167 and 169 |
| Client’s telephone number, name | Communication and contact | GDPR Article 6(1)(b) – performance of the attorney–client contract |
| Data listed in Section 32(3) of the Act on Attorneys (in case of doubt) | Verification of identity data obtained during client identification | GDPR Article 6(1)(c) – legal obligation; Act on Attorneys Section 32(2)-(3) |
| Additional data necessary for the engagement, relating to the client | Representation of the client’s interests; performance of legal services | GDPR Article 6(1)(b) – performance of the attorney–client contract; cooperation obligation arising from the contract |
2. Case Register
The Attorney maintains a case register pursuant to Section 53 of the Act on Attorneys to ensure compliance with professional rules and to protect clients' rights if the attorney's authorisation ceases.
Retention period:
5 years after termination of the engagement
10 years after countersigning a document
10 years after registration of a right in the land register
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Data listed in Section 53(2) of the Act on Attorneys | Compliance with statutory obligation to maintain a case register | GDPR Article 6(1)(c); Act on Attorneys Section 53(1)-(2) |
3. Register of Cases Requiring Mandatory Legal Representation
The Attorney maintains a register of cases where legal representation is mandatory under Section 33 of the Act on Attorneys.
Retention period: 8 years from termination of the engagement.
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Data listed in Section 33(2) of the Act on Attorneys | Compliance with statutory obligation to maintain the register | GDPR Article 6(1)(c); Act on Attorneys Section 33(1)-(2) |
4. Processing of Contact Persons' Data (Clients and Contracting Partners)
The Attorney processes the personal data of contact persons and representatives of her contractual partners and clients in the course of maintaining business relationships. Due to the nature of these data, it may be necessary to process personal data such as name, email address, and telephone number.
The Data Controller draws the attention of the contracting partner and the client to the obligation to inform the designated contact person or representative about the fact of the data processing.
Retention period: In the case of a contractual relationship or ongoing cooperation, processing continues until 30 June of the calendar year following the end of the cooperation (document destruction date). If the data appear in an engagement agreement, the data are stored for 8 years from the termination of the engagement, in accordance with the rules applicable to engagement agreements.
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Name, contact details (telephone number, email address), and position of the contact person or representative | Ensuring effective cooperation with contractual partners and clients; maintaining data necessary for business communication | GDPR Article 6(1)(f) – the legitimate interest of the Data Controller to ensure the continuity and smooth operation of business relationships |
5. Data Processing Related to Countersigning Documents for Registration in Public Registers
The Attorney is required to identify clients when countersigning documents that serve as the basis for registration in a public register. The method of identification and the scope of processed data are defined in Section 32 of the Act on Attorneys.
Section 32 (7) of the Act on Attorneys: Before countersigning a document serving as the basis for registration in a public register, the Attorney shall — for the purpose of verifying identity and the validity of the presented document — identify the persons making the legal declaration, the organisations, and the persons acting on their behalf, in accordance with paragraphs (2)–(4) and (6).
Section 32 (2): If the Attorney does not know the natural person or has doubts regarding their identity, the Attorney shall identify the person by inspecting an official identification document.
Section 32 (3): For the purpose of verifying the accuracy of the natural person's data and the validity of the presented documents, the Attorney may electronically request data from the personal identification and address register, the driving licence register, the passport register, and the central immigration register, including:
a) natural personal identification data, b) citizenship, statelessness, refugee, immigrant, settled or EEA national status, c) address, d) facial image, e) signature, f) facts under Section 18(5) of Act LXVI of 1992 on the Register of Personal Data and Addresses, g) data under Section 24(1)(f) of Act XII of 1998 on Travel Abroad and the validity period of the document, h) data under Section 8(1)(b) ba)–bb) of Act LXXXIV of 1999 on Road Traffic Registers, i) data under Sections 76(d), 80(1)(b)–(c) of Act I of 2007 on the Entry and Residence of Persons with the Right of Free Movement and Residence, and Sections 95(1)(g), 96(1)(g), 100(1)(b)–(c) of Act II of 2007 on the Entry and Residence of Third‑Country Nationals.
Section 32 (6): If a representative acts on behalf of the client, separate identification of the client may be omitted if the power of attorney containing the client's personal identification data was countersigned by a Attorney, prepared by a notary, the signature was notarised, or the document was authenticated by a Hungarian consular officer or provided with an Apostille.
Retention period: If the Attorney countersigns a document, the Attorney shall retain the countersigned document and all related documents for 10 years from the date of countersigning, unless a longer retention period is prescribed by law or agreed by the parties.
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Data listed in Section 32(3) of the Act on Attorneys | Carrying out client identification | GDPR Article 6(1)(c) – legal obligation of the Data Controller; Act on Attorneys Section 32(7); Section 53(5) |
6. Client Due Diligence under the AML Act (Pmt.)
The Attorney is required to carry out client due diligence under Section 6(1) of the AML Act in the following cases:
a) when establishing a business relationship; b) when performing a transaction reaching or exceeding HUF 4,500,000; c) for traders, when performing a cash transaction reaching or exceeding HUF 3,000,000; d) when performing a transaction qualifying as a funds transfer exceeding HUF 300,000; e) for organisers of non‑remote gambling, when paying out winnings of at least HUF 600,000; f) when any data, fact or circumstance indicating money laundering or terrorist financing arises; g) when doubts arise regarding the authenticity or adequacy of previously recorded client identification data; h) when changes in client identification data must be recorded and risk‑sensitive assessment requires repeated due diligence; i) when performing currency exchange transactions reaching or exceeding HUF 300,000.
Section 7(1): The service provider must identify the client, authorised representative, and any person acting on behalf of the client.
Section 7(2): The service provider must record the following data:
Natural persons:
full name,
birth name,
citizenship,
place and date of birth,
mother's birth name,
address or place of residence,
type and number of identification document.
Legal persons / organisations:
name and short name,
registered seat (or Hungarian branch office),
principal activity,
names and positions of authorised representatives,
data of delivery agent (if applicable),
company registration number or other registration number,
tax number.
Section 7(3): The service provider must verify the validity of the identification document and the authenticity of the document.
Retention period: 8 years from termination of the business relationship or completion of the transaction.
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Data listed in Section 7(2) of the AML Act | Carrying out client due diligence and compliance with statutory obligations | GDPR Article 6(1)(c) – legal obligation of the Data Controller; AML Act Sections 6(1), 7(1)-(2) |
7. Data of Other Data Subjects
The data subjects of this processing activity include: participants in the proceedings, opposing parties, legal representatives of opposing parties, and third persons not participating in the proceedings (e.g., family members of the client).
If the personal data originate from the client, the client is required to declare that they are entitled to process and transfer the data to the Attorney and that they have a proper legal basis for such transfer and have fulfilled their information obligations.
Pursuant to Article 14(5)(a) GDPR — considering the information obligation fulfilled by the client — the Attorney is not required to provide separate information to the data subject.
The Attorney is not required to provide information where the processed personal data are covered by attorney‑client privilege (GDPR Article 14(5)).
Retention period: The retention period is determined by statutory obligations applicable to the Attorney for each type of case. The Attorney stores data strictly for the period prescribed by law.
Examples:
Act on Attorneys Section 46(5): electronic documents must be retained for 10 years.
Section 46(6): electronic copies of paper documents must be retained for 5 years.
Section 53(5): countersigned documents must be retained for 10 years.
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Additional data necessary for the engagement relating to external persons | Representation of the client’s interests; performance of legal services | GDPR Article 6(1)(f) – legitimate interest of the Data Controller and the client in successful cooperation and effective legal representation |
8. Data Transfers to Cooperating Law Firms, Mandated Attorneys, Substitutes
The Attorney and the client (including cases where the client is not the data subject — particularly legal persons, organisations, or third‑party data subjects) have a legitimate interest in involving additional law firms, individual attorneys, European Community Attorneys, or other advisors specialising in the relevant field.
Clients are informed about the identity and, where necessary, the qualifications of the cooperating attorneys or advisors. The Attorney takes client preferences into account to the extent possible.
The scope of transferred data depends on the nature of the specific engagement.
Legal basis:
GDPR Article 6(1)(f) — legitimate interest of the Data Controller and the client in the successful performance of the engagement and the involvement of necessary experts.
9. Processing Related to Data Subject Requests
The Attorney is required to maintain a register of data protection requests and the data processed in connection with the exercise of data subject rights.
Retention period: 5 years from the request, considering the general limitation period for civil claims (Civil Code Section 6:22).
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Personal data relating to data protection requests: name, address, email address of natural persons / contact persons of legal entities, content of the request, steps taken in connection with the request, documents created in relation to the request | Compliance with statutory obligation to maintain a register of requests; ensuring accountability; enabling the exercise of rights under GDPR Articles 15–22 | GDPR Article 6(1)(c) – legal obligation of the Data Controller |
10. Processing Related to Personal Data Breaches
The Attorney must maintain a register of personal data breaches. This register enables the supervisory authority to verify compliance with the GDPR.
Retention period: 5 years from becoming aware of the breach.
| Scope of Processed Data | Purpose of Processing | Legal Basis |
|---|---|---|
| Facts relating to the personal data breach, its effects, and the remedial measures taken | Compliance with statutory obligation to maintain a breach register; ensuring accountability | GDPR Article 6(1)(c); GDPR Article 33(5) |
11. Data Processing Related to Website Operation
Legal basis: Contact initiated through the website. If the contact relates to legal advice, the personal data provided (name, email address, telephone number) are transferred to the Attorney with the data subject's consent.
The Attorney processes these data based on the legitimate interest of both parties (GDPR Article 6(1)(f)) to ensure effective communication and accurate data transfer.
Method of processing: Electronically, in the email system used by the Attorney.
Data processor: Webnode Kft., 1132 Budapest, Victor Hugo utca 18–22. Service: hosting Website: https://webnode.hu
Scope of processed data:
All personal data provided by the data subject.
Purpose:
Ensuring availability and proper operation of the website.
Retention period:
Until termination of the hosting agreement or deletion request submitted to the hosting provider.
Legal basis:
GDPR Article 6(1)(c) and (f); Section 13/A(3) of Act CVIII of 2001 on electronic commerce.
12. Client Communications and Other Processing Activities
If questions or issues arise during the use of the Attorney's services, the data subject may contact the Attorney via the methods provided on the website (telephone, email, social media, etc.).
The Attorney deletes emails, messages, and other communications — including the personal data provided therein — within 2 years from receipt.
For processing activities not listed in this Privacy Notice, information is provided at the time of data collection.
In exceptional cases, the Attorney is required to provide information, disclose or transfer data, or make documents available to authorities or other bodies authorised by law.
In such cases, the Attorney provides only the minimum amount of personal data necessary to fulfil the request.
VIII. COOKIE MANAGEMENT
For the proper functioning of our Website, in certain cases we place small data files (cookies) on the User's device, similar to most modern websites.
1. What is a cookie?
A cookie is a small text file that the Website places on the User's device (including mobile phones). This enables the Website to "remember" the User's settings (e.g., chosen language, font size, display preferences), so the User does not need to reconfigure them each time they visit.
2. Cookies used on the Website
| Cookie Source | Function | Expiration |
|---|---|---|
| Google Analytics (_ga; _gid; _gat_gtag_UA_215623440_) | Measuring website traffic | _ga – 2 years; _gid – 1 day; _gat_gtag_UA_215623440_ – 1 minute |
| Webnode | Ensuring website functionality | Continuous |
| GDPR Cookie Compliance (moove_gdpr_popup) | Storing cookie‑consent settings | Continuous |
These cookies may be deleted or blocked; however, in such cases the Website may not function properly. Cookies are not used to personally identify Users. They serve only the purposes described above.
3. No personal data processing
The Data Controller does not process personal data through the use of cookies.
4. Rights of the Data Subjects
Users may delete cookies in their browser settings, typically under the Privacy menu.
5. Legal basis for processing
No consent is required from the User where the sole purpose of using cookies is:
the transmission of communication over an electronic communications network, or
providing a service explicitly requested by the User, where the cookie is strictly necessary.
6. How to delete cookies
Users may delete cookies in their browser settings. Below are the official help pages (HTML‑safe list):
- Firefox: https://support.mozilla.org/hu/kb/weboldalak-altal-elhelyezett-sutik-torlese-szamito
- Google Chrome: https://support.google.com/chrome/answer/95647
- Internet Explorer: https://support.microsoft.com/help/278835
- Microsoft Edge: https://support.microsoft.com/help/4027947
- Opera: https://help.opera.com/Windows/10.20/hu/cookies.html
- Safari (iOS): https://support.apple.com/HT201265
Additional cookie policies:
- Google: https://policies.google.com/technologies/cookies
- Facebook: https://www.facebook.com/policies/cookies
IX. USE OF GOOGLE ADWORDS CONVERSION TRACKING
The Data Controller uses the online advertising program "Google AdWords" and, within its framework, the Google conversion tracking service. Conversion tracking is an analytics service of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
When a User reaches the Website via a Google advertisement, a cookie necessary for conversion tracking is placed on their device. These cookies are limited in validity and do not contain personal data.
If the User visits certain pages before the cookie expires, Google and the Data Controller can see that the User clicked on the advertisement.
Each Google AdWords client receives a different cookie; cookies cannot be tracked across AdWords clients' websites.
Information collected through conversion cookies is used to generate conversion statistics for AdWords clients. Clients learn how many Users clicked on their ads and were redirected to pages tagged with conversion tracking. No information is provided that would identify Users personally.
Users may opt out of conversion tracking by disabling cookie installation in their browser.
Further information and Google's privacy policy: www.google.de/policies/privacy/
X. SOCIAL MEDIA PAGES
The Website has a Facebook interface; therefore, if the User "likes" the page, the Data Controller may see all personal data that are publicly available on the User's profile. Data processing on these platforms is governed by the respective provider's privacy policy.
Joint controllership with Meta Platforms Ireland Ltd. Meta Platforms Ireland Ltd. (4 Grand Canal Square, Dublin 2, Ireland) provides Facebook services. The Meta terms and privacy policies apply to data processing on Facebook.
The Data Controller and Meta Platforms Ireland Ltd. are joint controllers for certain processing activities (e.g., audience creation, message delivery, content personalisation, product development, security).
GDPR compliance documents:
https://www.facebook.com/legal/Workplace_GDPR_Addendum
https://www.workplace.com/legal/WorkplaceEuropeanDataTransferAddendum
4.Meta is primarily responsible for informing Users and enabling the exercise of GDPR rights. Further information: https://www.facebook.com/about/privacy
5. For other processing activities, the parties act as independent controllers. Processing by the Data Controller is based on the User's consent (GDPR Article 6(1)(a)). Consent may be withdrawn at any time.
6. Purpose of processing: Sharing, liking, promoting content, products, promotions, or the Website on social media.
7. Duration, deletion, rights:
Data processing takes place on the social media platform; therefore, the platform's rules apply.
8. Legal basis:
User's voluntary consent to the processing of personal data on social media.
XI. CLIENT COMMUNICATIONS AND OTHER PROCESSING ACTIVITIES
Users may contact the Data Controller via the Website (telephone, email, social media, etc.).
Emails, messages, and other communications — including personal data — are deleted within 2 years from receipt.
For processing activities not listed in this Notice, information is provided at the time of data collection.
In exceptional cases, the Data Controller must provide information or transfer data to authorities or other bodies authorised by law.
Only the minimum amount of personal data necessary to fulfil the request is provided.