Hrtús Hrtúsová advokáti
Privacy Policy
The law firm Hrtús Hrtúsová advokáti, which is an association within the framework of which legal services are provided by Mgr. Pavel Hrtús, Attorney, and Mgr. Kateřina Hrtúsová, Attorney, uses this Policy to provide information about the processing of personal data of natural persons in connection with the provision of legal services, the operation of the office, communication with prospective clients, clients, and other persons, the sending of commercial communications, and the operation of the website.
This Policy applies in particular to clients, persons interested in legal services, persons acting on behalf of clients or other legal entities, opposing parties and other third parties affected by the provision of legal services, suppliers and their contact persons, job applicants, employees, trainee attorneys, interns, visitors to the office, and users of the controllers’ website. The Policy does not apply to data relating to legal entities as such – for example, their business name, company registration number, or registered office – but it does apply to the personal data of natural persons acting on behalf of or in relation to legal entities.
I. Data Controllers
Mgr. Pavel Hrtús, Attorney
Registered office: Klimentská 1652/36, 110 00 Prague 1
Company registration number: 714 63 429
Registered in the list of attorneys of the Czech Bar Association, reg. no.: 11416
Email: pavel.hrtus@hrtusadvokati.cz
Phone: +420 777 836 718
Mgr. Kateřina Hrtúsová, Attorney
Registered office: Klimentská 1652/36, 110 00 Prague 1
Company registration number: 05175569
Registered in the list of attorneys of the Czech Bar Association, reg. no.: 17058
Email: katerina.hrtusova@hrtusadvokati.cz
Phone: +420 777 070 821
In any specific client matter, the data controller is generally the attorney providing legal services in that matter. In activities related to the joint operation of the office, the website, IT systems, administration, marketing communications, and related support functions, the attorneys may act as joint controllers where they jointly determine the purposes and means of processing. In such cases, they allocate between themselves their respective shares of responsibility for fulfilling obligations under the GDPR, in particular with respect to the provision of information and the exercise of data subject rights.
The controllers have not appointed a Data Protection Officer. Any queries, requests, or exercise of data subject rights may be addressed to either controller using the contact details set out above; in the case of joint activities, the contact email provided in this Policy may also be used.
II. When We Process Personal Data
Personal data is processed in particular in the following activities:
- provision of legal services to clients, management of client files, legal analysis, representation, and related communications;
- processing of data of third parties affected by the provision of legal services, in particular opposing parties, participants in proceedings, witnesses, representatives, contact persons of clients’ contractual partners, and other persons referred to in the documents underlying the legal services;
- communication with persons interested in legal services by email, telephone, contact form, or other means of communication;
- management of accounting, tax, invoicing, and contractual records;
- fulfilment of obligations under legislation governing the legal profession, accounting, taxation, anti-money laundering, and other legal obligations, where applicable to the specific case;
- cooperation with suppliers, specialist consultants, cooperating attorneys, expert witnesses, interpreters, accountants, and tax advisers;
- human resources and recruitment activities;
- sending of commercial communications and legal updates, where the conditions for doing so are met;
- operation of the website, including the use of necessary cookies and any additional cookies or similar technologies in accordance with separate cookie policies.
III. Categories of Personal Data We Process
We process the categories of personal data listed below, always limited to the extent necessary having regard to the specific purpose of processing and the nature of the relationship with the data subject:
Identification and contact data: name, surname, academic title, date of birth, national identification number, permanent address, correspondence address, email address, telephone number, data mailbox ID, company registration number, VAT number, and similar data.
Extended personal data: identity document number, gender, nationality, marital status, place of birth, photograph, and other data required for the specific legal matter.
Payment and invoicing data: bank account number, payment information, invoicing data, and other data required for processing payments and maintaining accounting or tax records.
Financial and asset-related data: information about financial circumstances, payment behaviour, creditworthiness, and other facts relevant to the legal services provided.
Data concerning rights, legal claims, and proceedings: information about ongoing, concluded, or threatened judicial, administrative, enforcement, insolvency, or other proceedings and related legal relationships.
Special categories of personal data under Article 9 GDPR: in particular health data and, where applicable, other data within the scope of Article 9 GDPR, where necessary for the provision of legal services, the establishment, exercise, or defence of legal claims, the fulfilment of legal obligations, or another purpose permissible under the GDPR.
Data relating to criminal convictions, criminal offences, or related security measures: processed only where necessary for the provision of legal services or the fulfilment of legal obligations, and where such processing is permissible under Article 10 GDPR and applicable legislation.
Technical data related to website use: in particular IP address, device and browser type, date and time of visit, information on website usage, and data obtained through cookies or similar technologies as described in the cookie policy.
IV. Legal Basis and Purpose of Processing Personal Data
1. Client Matters
We process clients’ personal data primarily for the purpose of providing legal services, managing client files, communicating with the client, representing the client, conducting legal analysis, invoicing, and protecting the rights and legitimate interests of the client and the controllers.
The legal bases for processing include in particular:
- performance of the contract for the provision of legal services or the taking of steps prior to its conclusion pursuant to Article 6(1)(b) GDPR;
- compliance with legal obligations to which the controllers are subject pursuant to Article 6(1)(c) GDPR;
- legitimate interests of the controller or a third party pursuant to Article 6(1)(f) GDPR, in particular the protection of legal claims, debt recovery, prevention of damage, and the protection of the rights and legitimate interests of the controllers and clients;
- in the case of special categories of personal data, in particular the necessity for the establishment, exercise, or defence of legal claims pursuant to Article 9(2)(f) GDPR, or another applicable ground under Article 9(2) GDPR;
- in the case of data within the scope of Article 10 GDPR, only to the extent permissible under the GDPR and applicable legislation.
2. Third Parties
We process personal data of third parties affected by the provision of legal services — in particular opposing parties, participants in proceedings, representatives, witnesses, contact persons, and persons referred to in contracts, files, or other documents — to the extent necessary for the provision of legal services, the protection and enforcement of clients’ rights and legal claims, the fulfilment of legal obligations, and the protection of the rights and legitimate interests of the controllers.
The legal basis is primarily the legitimate interest pursuant to Article 6(1)(f) GDPR, consisting in the provision of legal services and the protection of the rights and legal claims of clients and controllers, or alternatively the fulfilment of a legal obligation pursuant to Article 6(1)(c) GDPR. Personal data of third parties is obtained in particular from clients, from documents and materials provided by clients, from public registers and records, from public authorities, from opposing parties, and from procedural or other legal documents.
In processing personal data of third parties and in responding to their requests, we take into account the statutory duty of professional secrecy.
3. Contact Form and Email Communications
Where you contact us by email, telephone, contact form, or other means, we process the personal data you provide for the purpose of handling your enquiry, communicating with you, and, where applicable, taking steps prior to the conclusion of a contract for the provision of legal services.
The legal basis is primarily the legitimate interest pursuant to Article 6(1)(f) GDPR, consisting in the ability to respond to incoming enquiries and communications, or alternatively the taking of pre-contractual steps pursuant to Article 6(1)(b) GDPR where the communication is directed towards the conclusion of a contract for the provision of legal services.
4. Sending Commercial Communications
Commercial communications and legal updates are sent by electronic means only under the conditions prescribed by applicable law. To persons who are not our clients, they are sent as a rule on the basis of their consent pursuant to Article 6(1)(a) GDPR.
To existing clients, we may also send commercial communications concerning our own similar services under the conditions set out in Section 7(3) of Act No. 480/2004 Coll., provided we obtained their electronic contact details in connection with the provision of services and the client has had and continues to have a clear, simple, and free option to opt out of such communications – both at the time of collection and in each individual message.
Every commercial communication will be clearly identified and will include a valid address or another simple means by which further sending can be refused.
5. Human Resources and Recruitment
We process personal data of job applicants, employees, trainee attorneys, and interns primarily for the purposes of conducting selection procedures, concluding and performing employment or similar contracts, complying with legal obligations, and protecting legal claims.
6. Cookies
We use cookies and similar technologies in the operation of our website. Technically necessary cookies are used without consent where they are required for the functioning of the website or for the provision of a service expressly requested by the user. Other cookies – in particular analytical or marketing cookies – are used only on the basis of prior freely given consent of the user.
Further details regarding the cookies used, their purposes, storage periods, providers, and the possibility of changing or withdrawing consent are set out in the separate cookie policy.
7. Provision of Personal Data
The provision of certain personal data may be a contractual requirement or a requirement necessary for the conclusion or performance of a contract for the provision of legal services. Certain data may also be required in order to fulfil the controllers’ legal obligations. If you do not provide the necessary data, we may be unable to provide the legal service, conclude or perform the contract, comply with legal obligations, or properly protect the rights and legal claims of the client or the controllers. Where processing is based on consent, the provision of data is voluntary and consent may be withdrawn at any time.
V. Retention Periods
Personal data is retained only for the period necessary to fulfil the purpose for which it was collected and for such period as its retention is required by law or is necessary for the protection of the rights and legal claims of the controllers, clients, or third parties.
Retention periods differ according to the specific activity, in particular as follows:
- data in client matters and client files is retained for the duration of the provision of legal services and thereafter for the period prescribed by applicable legislation and Bar regulations, or for the period necessary for the protection of rights and legal claims;
- accounting and tax documents are retained for the period prescribed by applicable accounting and tax legislation;
- data processed in order to fulfil AML obligations is retained for the period prescribed by those regulations, where applicable to the specific case;
- data of job applicants is retained for the duration of the selection procedure and subsequently only for the period necessary for the protection of legal claims or on the basis of the applicant’s consent;
- data from routine communications is retained for the period required to handle the enquiry or for the duration of the subsequent contractual or legal relationship;
- data processed for the purpose of sending commercial communications is retained until consent is withdrawn or further sending is refused, or for the duration of the relevant client relationship where sending is based on the statutory regime for existing clients.
Upon expiry of the applicable retention period, personal data will be deleted or anonymised, unless a legal obligation or the need to protect legal claims prevents this.
VI. Recipients of Personal Data
Personal data is disclosed only to the extent necessary and only where required for the purposes set out in this Policy, for the provision of legal services, the fulfilment of legal obligations, or the protection of rights and legal claims. Recipients of personal data may include in particular:
Courts, administrative bodies, and other public authorities — to the extent necessary for the conduct of proceedings and the fulfilment of legal obligations;
Cooperating attorneys, expert witnesses, interpreters, and specialist consultants — to the extent necessary for the provision of legal services;
Accountants, tax advisers, and auditors — to the extent necessary for the fulfilment of tax and accounting obligations;
IT service providers, hosting, software, and information systems management providers — to the extent necessary for the operation of the office and its systems;
Opposing parties and their representatives — to the extent necessary for the conduct of a dispute, negotiation, or the provision of legal services;
Postal and courier service providers — in connection with the delivery of correspondence.
Some recipients act as independent data controllers — in particular public authorities, courts, administrative bodies, opposing parties, or their legal representatives. Others may act as data processors — in particular IT, hosting, software, accounting, or administrative service providers. We enter into appropriate contractual arrangements with processors and bind them to protect personal data and maintain confidentiality.
When disclosing data to persons involved in the provision of legal services, the statutory duty of professional secrecy is always taken into account.
As a rule, personal data is not transferred to third countries outside the European Economic Area or to international organisations, unless this is necessary for the provision of legal services, the fulfilment of a legal obligation, the protection of legal claims, or the use of a specific service where such transfer is carried out in compliance with the GDPR. In the event that personal data is to be transferred to a third country, we will ensure that such transfer is based on an appropriate legal mechanism under the GDPR, in particular an adequacy decision, standard contractual clauses, or another permissible safeguard.
VII. Rights of Data Subjects
Data subjects have, in particular, the following rights vis-à-vis the controllers:
Right of access to personal data (Article 15 GDPR): the data subject has the right to obtain confirmation as to whether personal data concerning them is being processed and, if so, to receive a copy of that data together with information about the processing.
Right to rectification (Article 16 GDPR): the data subject has the right to have inaccurate personal data corrected and incomplete data completed.
Right to erasure (Article 17 GDPR): the data subject has the right to have their personal data erased where the conditions set out in the GDPR are met. This right does not apply in particular where processing is necessary for the performance of a legal obligation or for the establishment, exercise, or defence of legal claims.
Right to restriction of processing (Article 18 GDPR): the data subject has the right to require restriction of the processing of their personal data under the conditions set out in the GDPR.
Right to data portability (Article 20 GDPR): the data subject has the right to receive the personal data they have provided to the controllers on the basis of consent or contract in a structured, commonly used, and machine-readable format.
Right to object (Article 21 GDPR): the data subject has the right to object at any time to the processing of their personal data carried out on the basis of legitimate interests, including processing for direct marketing purposes.
Right to withdraw consent: where consent to the processing of personal data has been given, it may be withdrawn at any time without affecting the lawfulness of processing carried out prior to such withdrawal.
Right to lodge a complaint with the supervisory authority: the data subject has the right to lodge a complaint with the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz, where they consider that the processing of their personal data is in breach of the GDPR.
Each request from a data subject is assessed on an individual basis. The exercise of data subject rights may, in a specific case, be limited by the controllers’ legal obligations, the protection of rights and legal claims, the rights of third parties, and the statutory duty of professional secrecy.
The rights set out above may be exercised in writing at the registered offices of the controllers or by email to info@hrtusadvokati.cz. We respond to data subject requests without undue delay and at the latest within one month of receipt. Where necessary, having regard to the complexity or number of requests, this period may be extended by a further two months; the data subject will be notified of any extension and the reasons therefor.
In processing personal data, we do not carry out automated individual decision-making within the meaning of Article 22 GDPR, nor profiling that would have legal effects on the data subject or similarly significantly affect them.
VIII. Security of Personal Data
We have implemented technical and organisational measures to protect personal data against unauthorised access, loss, destruction, alteration, unauthorised disclosure, or other unlawful processing. These measures include in particular: management of access rights, security of devices and information systems, data backup, use of appropriate contractual obligations with suppliers, restriction of access to personal data to persons who require it for the performance of their duties, and a duty of confidentiality for persons involved in the provision of legal services.
Having regard to the nature of legal practice, personal data is also protected by the statutory duty of professional secrecy under Section 21 of the Act on the Legal Profession. This duty applies not only to attorneys but, to the extent prescribed by law, also to employees and other persons involved in the provision of legal services, and continues after the provision of legal services has ended.
IX. Changes to the Privacy Policy
The controllers reserve the right to update this Policy at any time, in particular in the event of a change in the applicable legislation or a change in the scope or method of processing personal data. The current version of the Policy is always available on the controllers’ website.
This Policy is effective as of 1 May 2026.
Hrtús Hrtúsová advokáti
Office address
Klimentská 36, 110 00 Praha 1