Privacy Notice

PRIVACY NOTICE

on data processing by MKIFK Magyar Közlönykiadó és Igazságügyi Fordítóközpont Zrt., as the Controller of data

concerning the National Legislation Database (hereinafter “NJT”) and the artificial intelligence-supported search tool (hereinafter: “AI Search Tool”)

 

1. Purpose of the Privacy Notice

The purpose of this Privacy Notice is to lay down the data protection and processing principles applied by the Controller concerning the National Legislation Database and the AI Search Tool.

2. The Controller's Details, Contact Information

Name: MKIFK Magyar Közlönykiadó és Igazságügyi Fordítóközpont Zrt.

Registered office: 1085 Budapest, Somogyi Béla utca 6.

Company registration number: 01-10-042469

Tax number: 10941908-2-42

Name of the court registering the company: Budapest-Capital Regional Court acting as Company Registration Court

Telephone: +36 (1) 235-4514 or +36 (1) 235-4550

Website: https://mkifk.hu

E-mail: ugyfelszolgalat@mkifk.hu; dpo@mkifk.hu

Name of the Controller's representative: Balázs Sándor Németh, CEO

The data protection officer's name: dr. Leila Melinda Hezam

3. Data Processing Activities

3.1. Description of the Data Processing Activities

MKIFK Zrt. operates, as a digital public service, the National Legislation Database, as well as a legal information search tool supported by artificial intelligence and based on the content of that Database, European Union legal acts, and in-depth analysis of court decisions (hereinafter “AI Search Tool”), in order to ensure broad accessibility to and comprehension of legislation, and to support access to justice. The National Legislation Database as a digital public service is an electronic collection of legislation containing consolidated texts of laws.

The National Legislation Database and the AI Search Tool are provided by MKIFK Zrt. to the public free of charge, online. Their content provider and operator is the Controller.

The operation of the National Legislation Database is governed by Section 29(1) of Act CXXX of 2010 on law-making1 and by Government Decree 338/2011 (29 December) on the National Legislation Database (hereinafter: “Decree”).

The rules governing the operation of the AI Search Tool are set out in Government Decree 338/2011 (29 December) on the National Legislation Database.

The Controller ensures access through a website or a mobile application, which include the NJT and the AI Search Tool. The Controller's mobile application is “Jogszabálytár” (Legislation Database), which can be downloaded and installed on compatible devices from Google Play Store and the Apple App Store.

The NJT is available to both unidentified and identified users. The use of the NJT does not differ depending on whether the user accesses it through the website or the mobile application.

3.1.1. Use of the NJT and the AI Search Tool without Identification

When the NJT and the AI Search Tool are used without identification, the Controller does not attempt to identify the user.

3.1.2. Use of the NJT and the AI Search Tool with Identification

An identified user may use the NJT and the AI Search Tool

  • following authentication via the Client Gate or the Central Identification Agent,
  • by registering through the NJT, or
  • by logging in via the Integrated Legislation System (hereinafter “IJR”)

Identified users may access the legislation database service developed for them at various service levels, as well as the related content and query service, along with other convenience features.

User identification is carried out

  • with the user's email address or other unique identifier returned by the Client Gate or Central Identification Agent, in case one of these systems are used for identification,
  • on the basis of personal data provided during registration,
  • or, in case of identification through the IJR, with the token assigned by the IJR authentication module. In this process, the identification data are stored on the database site. Identification is mandatory to meet data security requirements.
3.1.3. Other Processing Activities

During the user's activities, data incoming based on communication standards [such as the internet (IP) address of the user's computer] are logged by the Controller's system at all service levels, in a way that is not linked to the user's identity. The data are used for statistical data collection and analysis aimed at understanding how often the services of the NJT and the MI Search Tool are used, and how much time is spent there on each occasion. Internet addresses are used solely for statistical purposes, and the Controller does not associate them with any data, including personal data, so they do not result in identification.

3.2. Purpose of Processing

For an identified user, the processed data are necessary for user identification, and to ensure the provision of additional services available within the NJT and the AI Search Tool.

The Controller processes the user's data for specific purposes. The Controller does not and may not use the user's data for purposes other than those specified in this section.

The Controller does not verify the data. The person providing the data is solely responsible for the authenticity thereof. The Controller disclaims all liability regarding the authenticity of the data.

3.3. Legal Basis for Data Processing

The legal basis for data processing is

  • the user's consent pursuant to Article 6(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter: “GDPR”)2 in case of logging in after registration or through the Client Gate,
  • the performance of a contract pursuant to Article 6(1)(b) of the GDPR3 in case of logging in through the IJR.

In case of consent-based data processing, the user may withdraw their consent at any time by sending a letter to the specified email address, in which case the Controller will delete the user's data. The Controller shall delete personal data concerning the data subject without undue delay if there is no other legal ground for the processing.

3.4. Scope of the Data Processed

In relation to the use of the NJT and the MI Search Tool, the Controller processes the following data:

  • within the framework of a service open to anyone, upon logging in following identification
    • in case of identification through the Client Gate or the Central Identification Agent, the user's family name, given name, and Client Gate identification number,
    • when registering through the NJT, the user's family and given name, email address, username, and password,
  • in case of usage through the IJR: the user's family and given name, username, email address, organisation, and the activation code required for logging into the NJT.

In the above cases, the Controller records the user's search history, as well as the list of favourite documents and topics. The data saved in this way are intended solely to simplify usage for convenience purposes, and are not used by the Controller for automated decision-making or profiling. In the event of changes to laws and related documents pertaining to favourite documents and topics, the Controller will provide information in accordance with the method previously set by the user, either by email, push notification in the case of a mobile application, or solely on the NJT platform.

Data automatically recorded during the use of the NJT and the AI Search Tool: the data of the user's login computer that are generated during service usage, which are recorded by the Controller's system as an automatic result of technical processes. The automatically recorded data are logged automatically by the Controller upon logging in and out, without any separate statement or action by the user. These data may not be combined with other personal data of the user, except in cases mandated by law. Only the Controller has access to the data. The purpose of the automatically recorded data is the preparation of statistics, technical development of the IT system, and the protection of users' rights.

The Controller may collect data about the user's activity, which cannot be combined with other data provided by the user during registration, nor with data generated upon using other websites or services. Whenever the Controller intends to use the data collected in this manner for a purpose other than the original data collection purpose, the user shall be informed and their prior explicit consent shall be obtained, or they shall be given the opportunity to prohibit data usage.

In order to enhance user experience and better serve user needs, the Controller may place cookies on the user’s device suitable for accessing and using the NJT. The user can delete the cookies from their device and set their browser to disable the use of cookies.

The Controller does not collect any data over and above that, or any data not provided by the user, or data pertaining to the user from third parties.

3.5. Period of Data Processing

The Controller processes the data from their entry into the database until the termination of the user identifier. The Controller shall promptly delete the user's data from the database following the termination of the user identifier.

The logged data are stored by the Controller for six months from the time of logging, except for the date of last use, which is automatically overwritten.

3.6. Access to Data, Data Transmission, Data Processing

The data may be accessed by the Controller’s employees.

For the operation of the NJT, the Controller uses a data processor. Data processor's information:

Name: NISZ Nemzeti Infokommunikációs Szolgáltató Zrt.

Registered office: 1081 Budapest, Csokonai utca 3

Telephone: +36 (1) 459-4200

Website: https://www.nisz.hu

Email: info@nisz.hu

The Controller shall not be responsible for the data processing practices of the data processor. The Controller shall forward to the data processor all data processed about the user. Purpose of data transmission: operation of the NJT.

Beyond this, the Controller shall transfer the user's data to a third party or to a court or authority solely on the basis of authorisation by law, or with the user's prior and explicit consent.

3.7. General Description of Technical and Organisational Measures

The Controller undertakes to ensure the security of the data and to take the technical measures necessary so that the collected, stored, and processed data are protected, and does everything possible to prevent their destruction, unauthorised use, and unauthorised alteration. The Controller also undertakes to ensure that any third parties to whom it may transfer or transmit the data are likewise obliged to fulfil these obligations.

4. User Rights and Available Remedies

4.1. Right of Access

The user is entitled to request information from the Controller on whether the processing of their personal data is in progress. If so, the user is entitled to know

  • what personal data the Controller processes, on what legal ground, for what data processing purpose, and for how long,
  • to whom, when, and based on which law the Controller provided access to their personal data, to whom their personal data were transferred, and from which source their personal data originate,
  • whether the Controller uses automated decision-making, as well as its logic, including profiling.

The Controller shall provide a copy of the processed personal data to the user free of charge, upon the first request to this effect. Subsequently, a reasonable fee based on administrative costs may be charged. In order to comply with data security requirements and protect user rights, the Controller is obliged to verify the identity match between the user and the person wishing to exercise access rights. Accordingly, the provision of information, access to data, and issuance of copies are also subject to user identification.

4.2. Right to Rectification

The user may, through the contact channels provided by the Controller, request that the Controller should amend certain personal data of theirs. If the user can credibly demonstrate the accuracy of the corrected data, the Controller will fulfil the request within one month, and will notify the user via the contact channels provided.

4.3 Right to Restriction of Processing (Right to Restrict Data Processing)

The User may, through the contact channels provided by the Controller, request that the Controller should restrict the processing of their personal data to the storage of such data if

  • the user disputes the accuracy of their personal data (in this case the Controller restricts the processing for the period during which it verifies the accuracy of the personal data),
  • the data processing is unlawful, and the user requests the restriction of processing instead of their erasure
  • the Controller no longer needs the personal data for the purpose of processing, but the user explicitly requests their retention for the purpose of lodging, enforcing or defending a legal claim, or
  • the user objects to the data processing. (In this case, the restriction applies for the period of determining whether the Controller's legitimate reasons take precedence over the user's legitimate reasons.)

If the Controller restricts the processing of personal data at the user's request, the Controller shall inform the user in advance about the lifting of the restriction. During the period of restriction, the Controller shall not process the user's personal data in any way other than storage, except for one of the following cases:

  • the user has consented to the processing of personal data,
  • the processing of personal data is necessary for lodging, enforcing or defending a legal claim,
  • the processing of personal data is necessary for an important public interest.

4.4 Right to Protest

Concerning processing for the purpose specified in Section 3, considering the legal basis thereof, the user does not have the right to object.

4.5 Right to Erasure

The user may request the Controller to erase their personal data without undue delay if

  • the personal data are no longer necessary for achieving the purposes of processing,
  • the processing was based on the user's consent, and the user withdraws such consent, provided that there is no other legal basis for the processing of personal data,
  • the user objects to the processing of their personal data,
  • the Controller does not process the user's personal data lawfully,
  • the Controller is required by law to delete the user's personal data,
  • the Controller had collected the user's personal data in connection with an information society service, before the user reached the age of majority.

The Controller shall not comply with the user's request for the erasure of personal data in the following cases:

  • the processing of personal data is necessary for other persons to exercise their right to freedom of expression and information,
  • the Controller is obliged by law to process personal data,
  • the processing of personal data is necessary for public health purposes,
  • the processing of personal data is necessary for archival, scientific, historical research or statistical purposes,
  • the processing of personal data is necessary for lodging, enforcing or defending a legal claim.

4.6 Right to Data Portability

Regarding the processing, the user is entitled to receive their personal data which they have provided to the Controller, through the contact channels provided by the Controller, in a structured, commonly used and machine-readable format, and, if the relevant technical conditions are met, to have the data transferred by the Controller directly to another controller designated by the user.

The Controller shall not comply with the user's request if any of the following circumstances apply:

  • the processing of personal data is necessary for an important reason of public interest,
  • the fulfilment of the request would adversely affect the rights of others.

4.7 Right to Withdraw Consent

If the Controller processes the user's personal data based on the user's consent, the user is entitled to withdraw such consent at any time. In the event of withdrawal of consent, the Controller terminates the processing and erases the user's personal data, provided that there is no other legal basis for the processing of personal data.

Withdrawing consent will not have any consequences for the user. However, the withdrawal of consent shall not affect the lawfulness of data processing conducted based on the user's consent prior to its withdrawal.

4.8 Right to Remedy

If the user considers that the Controller has violated the applicable data protection provisions during the processing of their personal data, they are entitled to lodge a complaint with the data protection supervisory authority of any member state of the European Union. In Hungary, the data protection supervisory authority is the National Authority for Data Protection and Freedom of Information, with the following contact details:

Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/c.

Mailing address: 1530 Budapest, Pf.: 5.

Telephone: +36 (1) 391-1400

Website: https://naih.hu/

E-mail: ugyfelszolgalat@naih.hu

The user may enforce their rights by judicial means, where the court shall proceed with urgency in the matter. In this case, the user is free to decide whether to file their claim with the competent regional court of your permanent address, temporary residence, or the registered office of the Controller. See the website for the regional court that has jurisdiction at your permanent address or temporary residence.

4.9 Time Limit

The Controller shall fulfil the data subject's request to exercise their rights within one month from its receipt. The day of receiving the request is not included in the time limit.

The Controller may extend this time limit by two months if necessary, taking into account the complexity of the request and the number of requests. The Controller shall inform the data subject of any such extension, and the reasons for the delay, within one month from receiving the request.

5. Miscellaneous Provisions

The Controller reserves the right to unilaterally modify this Privacy Notice without prior notice to the user. Once the modification has taken effect, the user accepts the provisions of the modified Privacy Notice by way of implied conduct, by using the service.

 

Budapest, 9 March 2026

 

1 Section 29(1) of Act CXXX of 2010: The National Legislation Database is an electronic collection of legislation containing consolidated texts of laws, with the content and on the website specified in a Government Decree, operated as a digital public service accessible free of charge to anyone.

2 GDPR Article 6(1): Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

3 GDPR Article 6(1): Processing shall be lawful only if and to the extent that at least one of the following applies:

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

Szechenyi Terv Plus Logo