Budapest, Hungary, Városmajor utca 33.

PRIVACY POLICY

Clinique-Elysium Korlátolt Felelősségű Társaság and Dental Group Korlátolt Felelősségű Társaság

PRIVACY NOTICE

Clinique-Elysium Korlátolt Felelősségű Társaság [Limited Liability Company] and Dental Group Korlátolt Felelősségű Társaság [Limited Liability Company], as Data Controllers and Service Providers (“Data Controllers”), shall process personal data of natural persons (“Data Subjects”) using their services (“Services”), and provide the Data Subjects with the following information on the processing of such data.

This Privacy Notice (the “Notice”) ensures that the Data Controllers comply with the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (“GDPR”) and the right to information of Data subjects as set out in Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (“the Information Act”).

PREAMBLE

This Notice describes in detail the data protection principles followed by the Data Controllers, the specific processing operations, including the legal basis, the purposes of processing, the expected duration of processing, the rights of the Data subjects and the means of enforcing those rights.

The company indicated on the contract/data request form acts as Data Controller for each processing operation.

The primary objective of Data Controllers is to comply with applicable legislation in their activities, and therefore amendments to this Notice may be necessary or required in the event of changes in legislation, specific data processing or data protection practices. Therefore, the Data Controller reserves the right to modify the Notice by providing the amended Notice to the Data subjects in the same way as the original Notice.

The subject matter of this Notice covers all processes involving the processing of personal data carried out by all organisational units of the Data Controllers. The Notice is effective until it is withdrawn. The Data Controllers reserve the right to unilaterally amend this Notice, with the amended Notice taking effect upon publication on the … website.

I. DATA CONTROLLERS/SERVICE PROVIDERS

I. A) Clinique-Elysium Korlátolt Felelősségű Társaság

Registered seat: 1023 Budapest, Frankel Leó út 21-23. B: semi-detached building 5th fl. 39

Company registration number: 01-09-425764,

Tax number: 32469172-2-41,

Telephone number: +36

Email: …

Service: aesthetic interventions

I. B) Dental Group Korlátolt Felelősségű Társaság

Registered seat: 1023 Budapest, Frankel Leó út 21-23. B: semi-detached building 5th fl. 39

Company registration number: 01-09-426802,

Tax number: 32487989-2-43,

Telephone number: +36

Email: …

Service: dental services

Website: www………hu (“Website”)

II. DATA PROTECTION OFFICER

Name: Dr. Vivien Kiss

Address: … 

Telephone number: … 

Email: …

III. GENERAL DEFINITIONS

  1. data subject (patient): a natural person identified or identifiable on the basis of any information (a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person);
  2. personal data: any information relating to an identified or identifiable natural person (the Data subject) (such data that can be associated with the Data subject include, in particular, the name, the identification mark and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the Data subject, and the inferences that can be drawn from the data concerning the Data subject);
  3. special categories: any data in special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons;
  4. health data: personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person which contain information about the health of the natural person;
  5. health record: a record, register or any other form of record of health and personal data, irrespective of its medium or form, which comes to the attention of the healthcare provider during treatment;
  6. data controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and implements the decisions concerning the processing (including the means used) or implements them with the processor, within the framework provided by law or by a legally binding act of the European Union;
  7. data processing: any operation or set of operations which is performed upon data, regardless of the procedure used, in particular any collection, recording, organisation, storage, alteration, use, consultation, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, audio or video recordings, and recording of physical characteristics which can be used to identify a person (fingerprints, palm prints, DNA samples, iris scans);
  8. data processor: a natural or legal person or an unincorporated body which processes personal data on behalf of or under the instructions of the controller, within the framework and under the conditions laid down by law or by a legally binding act of the European Union;
  9. data breach: a breach of data security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data transmitted, stored or otherwise processed;
  10. medical confidentiality: health and personal identification data that have come to the knowledge of the Data Controllers during the treatment, as well as other data relating to necessary or ongoing treatment or treatment that has been completed, and other data obtained in connection with the treatment.

Further legislation cited:

  • Health Service Act [Eszt.]: Act XLVII of 1997 on the processing and protection of health and related personal data,
  • Accounting Act [Szvt.]: Act C of 2000 on Accounting.

III. DATA PROCESSING

3.1. Visiting the website

Information on the home page can be viewed without having to enter personal data. Data controllers use Google Analytics cookies to analyse visitors’ preferences to ensure the user-friendliness of the website. For example, cookies are used to record the following information: the number of visitors to the website and its subpages, the duration of the visit, the order in which pages are viewed, the search terms used to access the website, the type of browser used to access the website, the geographical location of the computer used to access the website. The Data Controllers do not collect personal data about visitors to the website. The cookies used on the website only record the anonymous IP address of the visitor’s computer and do not collect any personal data or information that would allow a real person to be identified. In connection with this activity, Data Controllers do not process any personal data other than the visitor’s anonymous IP address.

3.2. Data processing of Data subjects (patients)

Data processing is carried out for aesthetic and health services provided by the Data Controllers as service providers.

This requires the following information about the Data subjects: 

  1. name (name at birth),
  2. mother’s name,
  3. place and date of birth,
  4. permanent address (address for service),
  5. email address.

A telephone number is also required for appointment notifications.

Data controllers only process personal data that is necessary for the provision of the Services they provide or that is adequate to achieve the purpose. Data controllers process personal data to the extent and for the duration necessary to achieve the purposes for which they are collected. The Data Controllers shall process the personal data provided by the Data subject until the Services are provided or become unavailable, or, except in the case of mandatory processing, until the date of deletion initiated by the Data subject. Data controllers shall ensure that only the patient care doctor, the institutional manager and the data protection officer are authorised to process health and personal data. 

Purpose of data processing: The purpose of processing of health and personal data is to promote the preservation, improvement and maintenance of health, to facilitate the effective medical treatment activities of the Data Controllers, including the professional supervision activities, and to monitor the health of the Data subject [Article 4(1)(a)-(c)].

Legal basis for data processing: The legal basis for data processing is the consent of the Data subject [Article 6(1)(a) and 9(1) and 9(2)(a) GDPR].

Duration of data processing: The period of data processing is 8 (eight) years after the performance of the contract with respect to the invoice issued to the Data subject, in accordance with the legal provisions on the retention of supporting documents under the Szvt., at least 30 (thirty) years from the date of data collection with respect to medical records, and at least 50 (fifty) years with respect to the final report, after which the Data Controllers shall destroy them. The Data Controllers shall keep the diagnostic imaging for 10 (ten) years from the date of its recording, and the diagnostic imaging report for 30 (thirty) years from the date of its recording.

3.3. Data processing of business and cooperation partners

Data Controllers are entitled to process the personal data of their suppliers, business and cooperation partners which are related to the offer and contract between the partner and the Data Controllers, including its establishment, registration and performance.

The data processed: the data provided in the request for quotation, order, contract, contact information and the data necessary for the issue of supporting documents.

Purpose of data processing: The purpose of data processing is exclusively related to the performance, conclusion, modification or termination of the contract. 

Legal basis for data processing: The legal basis for data processing is the consent of the Data subject [Article 6(1)(a) GDPR] and the conclusion of a contract between the partner and the Data Controllers [Article (1)(b) GDPR].

Duration of data processing: The period of data processing is 8 (eight) years after the performance of the contract, in accordance with the legal provisions on the retention of supporting documents under the Accounting Act.

3.4. Processing the data of job applicants

Data controllers process personal data contained in “incoming” and targeted CVs and other attached documents received directly or through a recruitment agency.

Scope of the data processed: personal data provided by the Data subject in CVs and other attached documents.

Purpose of data processing: The purpose of data processing is to inform the Data subject about job vacancies that best match his/her qualifications and interests, to arrange an appointment with the Data subject and to carry out the selection procedure.

Legal basis for data processing: The legal basis for data processing is the voluntary consent of the Data subject [Article 6(1)(a) GDPR], which is provided by the Data subject through the submission of his or her CV and related documents.

Duration of data processing: In case of a successful application, the duration of the data processing is the duration of the employment relationship; in case of an unsuccessful application, the application file of the unsuccessful applicant will be deleted after the selection.

IV. RIGHTS OF DATA SUBJECTS (PATIENTS)

4.1. Medical confidentiality

The Data Controllers, the employees of the Data Controllers and any other person having an employment or other legal relationship with the Data Controller shall be bound by the obligation of confidentiality with regard to all data and other facts relating to the health status of the Data subject and which come to their knowledge in the course of the provision of health care services, whether they have been obtained directly from the patient, during the examination or treatment of the patient, indirectly from medical records or by any other means, without time limitation.

The Data Controllers and the data processors of the Data Controllers are obliged to maintain medical confidentiality.

Data controllers are exempted from the obligation of confidentiality if

  1. the patient or the patient’s legal representative has given his or her written consent to the transfer of the health and personal data, within the limits set out in the consent; and
  2. the transfer of health and identity data is required by law.

Data controllers are also bound by the obligation of confidentiality towards other patient providers who have not been involved in the medical examination, diagnosis, treatment or surgery. This obligation does not apply where the communication of the data is necessary for diagnosing the pathology or for providing further medical treatment to the Data subject, such as transferring samples taken from the patient for laboratory testing.

4.2. Rights of Data subject (patient)

The Data subject has the right to be informed about data processing in the context of medical treatment, to obtain access to health and personal data, to consult and obtain (at his or her own expense) copies of health records. These rights are conferred on the person authorised in writing by the person concerned during the period of care and on the person authorised by a private document providing full evidence after the end of care. During the lifetime or after the death of the Data subject, the spouse, relative, sibling or life partner of the Data subject (upon written request) is entitled to exercise the above rights even if the health data is required for the purpose of discovering a reason affecting the life or health of the spouse, relative, sibling or life partner and their descendants or for the purpose of providing healthcare to those persons and it is not possible to obtain or infer the health data in any other way. The recording of health data is part of the treatment. It is up to the doctor providing the treatment to decide which health data (in addition to the mandatory data) should be recorded, in accordance with the professional rules. Other persons carrying out activities related to the treatment of the Data subject (patient) may collect health data in accordance with the instructions of the doctor providing the treatment and to the extent necessary for the performance of his or her tasks. The doctor providing the treatment will directly inform the Data subject about the health data relating to the Data subject that he or she has established and (unless the Data subject has explicitly refused) will transfer the data to the Data subject’s chosen general practitioner. The general practitioner will inform the person concerned (if requested) of the available health data. 

The doctor who provides the treatment to the Data subject (unless the Data subject has objected in writing) shall obtain access to the data concerning the health care provided to the Data subject under the compulsory health insurance scheme by means of an electronic consultation of the data held by the health insurance body. The doctor providing the treatment will inform the Data subject in writing or orally about the right to object.

4.3. Obligation to provide information

The doctor providing treatment informs the Data subject of his/her state of health on a regular basis, as appropriate to the condition of the Data subject, to the best of his/her knowledge and to the best of his/her ability (if the patient is an incapacitated minor, a minor with limited capacity or a minor with partial capacity to exercise rights related to healthcare, the doctor also informs the legal representatives). 

4.4. Records of health and identity data

The health and identity data collected from the Data subject and their transfer are recorded by the Data Controllers. 

The record of the transfer shall include the recipient of the transfer, the method and time of the transfer and the scope of the data transferred. The doctor providing the treatment shall keep a record of the health data recorded by him or her or by the other health care provider and of his or her own activities and actions in relation to them. The record forms part of the register. The health records must indicate:

  1. the patient’s personal identification data as defined in the Act on the Processing and Protection of Health and Related Personal Data,
  2. in the case of a patient with capacity, the name, address and contact details of the person to be notified and (if the patient so requests) the name, address and contact details of the sponsor under the Act on assisted decision making, and in the case of a minor or a patient under partial or full guardianship, the name, address and contact details of the legal representative,
  3. medical history (if any),
  4. the result of the first examination,
  5. the results of the examinations used as a basis for the diagnosis and treatment plan, and the date when the examinations were carried out,
  6. the name of the condition justifying the treatment, the underlying condition, any concomitant conditions and complications,
  7. other medical conditions not directly justifying treatment, or a description of the risk factors,
  8. the time and results of the interventions carried out,
  9. medication and other therapies and their results,
  10. data on the patient’s sensitivity to the medication,
  11. the name of the health professional making the entry and the date of the entry,
  12. the content of the information provided to the patient or other person entitled to receive the information,
  13. the consent or refusal and the date of consent or refusal,
  14. any other data and facts that may influence the patient’s recovery.

The following should be kept as part of the health record:

  1. the findings from each examination,
  2. documents generated during treatment and consultation,
  3. the care documentation,
  4. records of diagnostic imaging procedures, and
  5. tissue samples taken from the patient’s body.

V. PERSONS ENTITLED TO ACCESS THE DATA

The personal data may be accessed by employees of the Data Controllers who have access rights related to the purpose of the processing, or by persons or organisations carrying out processing or outsourcing activities for the Data Controllers on the basis of service contracts, to the extent necessary for the performance of their activities, as determined by the Data Controllers. Persons involved in the provision of Services by Data controllers carry out their activities under the following legal relationships:

  • employment relationship;
  • a subcontracting relationship (agency relationship);
  • a cooperative relationship between the leasing contractor and the Data Controllers on the basis of a lease for a specific area of the Data Controllers.

Data controllers use the Services of the following data processors in the course of data processing under service contracts.

(Registered seat) ….; tax number: …)

The above contractor provides accounting and payroll services for the Data Controllers, and thus performs data processing activities in relation to the data processed in connection with the documents issued by the Data Controllers (and the personal data processed on these documents) and payroll.

(Registered seat) ….; tax number: …)

The above company is engaged in electronic data processing activities for the development and operation of the website.

VI. SECURITY OF DATA PROCESSING

In accordance with the data security requirements of the GDPR, Data Controllers shall implement appropriate technical and organisational measures to ensure a level of data security appropriate to the level of risk. When processing and handling health and personal data, the Data Controller shall ensure the security of the data against accidental or intentional destruction, loss, alteration, damage, disclosure and unauthorised access.

Accordingly, Data Controllers shall operate information technology systems that ensure that the data processed are protected against unauthorised access, are accessible only to those authorised to access them, and prevent their unauthorised alteration, destruction, accidental loss, damage or inaccessibility. Data controllers shall also require their processors and employees to comply with the above obligations.

The IT systems used by Data Controllers and their data processors provide a high level of protection against computer viruses, computer hacking and unauthorised information gathering. When transferring information, the Data Controllers shall endeavour to transfer the data in pseudonymised form and shall take other protective measures against unauthorised disclosure.

VII. MANAGEMENT OF DATA PROTECTION INCIDENTS

Data controllers shall notify a personal data breach to the National Authority for Data Protection and Freedom of Information without undue delay and, where possible, no later than 72 hours after becoming aware of the personal data breach, unless the personal data breach is unlikely to pose a risk to the rights and freedoms of natural persons.

VIII. THE RIGHTS OF THE DATA SUBJECT IN RELATION TO DATA PROCESSING

The rights listed in this point may be exercised by the Data subject through the contact details set out in point I. The information is provided by the Data controller after verifying the identity of the Data subject. The Data controller shall, without undue delay, and in any event within one month of receipt of the request, inform the Data subject of the action taken in response to the Data subject’s request concerning the rights set out in this point. If necessary, taking into account the complexity of the application and the number of requests, this deadline may be extended by a further two months.

Data subject’s right of access (Article 15 GDPR)

The Data subject shall have the right to obtain from the Data controller feedback as to whether or not personal data concerning him or her are being processed and, if such processing is being carried out, the right to access the personal data and the following information:

(i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom or which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations, and the appropriate safeguards for the transfer; (iv) the envisaged duration of the storage of the personal data; (v) the right to rectification, erasure, restriction of processing; (vi) the right to object and to lodge a complaint with a supervisory authority; (vii) if not collected from the Data subject, any information on the source of the data; (viii) the fact of automated decision-making; (ix) the fact of profiling, including the logic used and clear information on the significance of such processing and the likely consequences for the Data subject.

The Data Controllers (in case of joint processing, any of the designated Data Controllers) shall provide the Data subject with a copy of the personal data processed. The Data controller may charge a reasonable fee based on administrative costs for additional copies requested by the Data subject.

Right to rectification (Article 16 GDPR)

The Data subject shall have the right to obtain, at his or her request and without undue delay, the rectification by the Data controller of inaccurate personal data relating to him or her. Taking into account the purpose of data processing, the Data subject has the right to request the completion of incomplete personal data, including by means of a supplementary declaration.

Right to deletion (Article 17 GDPR)

The Data subject has the right to request the deletion of his or her personal data (subject to certain conditions) or, if the personal data have been disclosed, the right to have the Data controller notify other Data controllers processing the personal data of the request for deletion.

Right to restriction of data processing (Article 18 GDPR)

The Data subject has the right to request the restriction of his or her personal data (subject to certain conditions). If data processing is restricted, such personal data, except for storage, may be processed only with the consent of the Data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

Right to data portability (Article 20 GDPR)

The Data subject has the right to receive personal data concerning him or her in a structured, commonly used, machine-readable format and (subject to certain conditions) to request the transfer of such data to another Data controller.

Right to object (Article 21 GDPR)

The Data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data controller, or necessary for the purposes of the legitimate interests pursued by the Data controller or by a third party, including profiling based on those provisions.

In the event of an objection, the Data controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the Data subject or for the establishment, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes, the Data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. In the event of an objection to the processing of personal data for direct marketing purposes, the data will not be processed by the Data Controllers for this purpose.

Right to withdraw consent (Article 7 GDPR)

The Data subject has the right to withdraw his or her consent at any time if processing is based on consent. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to its withdrawal.

Right to lodge a complaint (Article 77 GDPR)

The Data subject has the right to lodge a complaint with the supervisory authority if he or she considers that data processing infringes the provisions of the GDPR or the Act on Informational Self-Determination and the Freedom of Information.

Judicial remedies

The Data subject may take the Data controller to court if his or her rights are infringed. The courts have jurisdiction to hear the case (see point 4 for a list of competent courts). The person concerned may also choose to bring the action before the court of the place of residence or domicile of the person concerned. The court hears the case as a matter of priority.

Right to compensation

Any person who has suffered material or non-material damage as a result of a breach of this Regulation shall be entitled to receive compensation from the Data controller or processor for the damage suffered.

Each controller involved in the processing shall be liable for any damage caused by processing in breach of this Regulation. If the processing infringes the personal rights of the Data subject, the data subject may claim damages from the Data controller.

The Data controller or the Data processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage or that it is not liable for the damage caused by the intentional or grossly negligent conduct of the data subject.

IX. DETAILS OF THE SUPERVISORY AUTHORITY

A Data subject may lodge a complaint about the processing of personal data with the following authority using the contact details provided below:

National Authority for Data Protection and Freedom of Information

Postal address: 1530 Budapest, Pf.: 5

Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c

Telephone: +36 (1) 391-1400

Fax: +36 (1) 391-1410

Email: ugyfelszolgalat@naih.hu

URL: http://naih.hu

In addition to the above, you may also have recourse to the courts to enforce your rights and claims relating to data processing. Proceedings can also be brought before the court of the place where you live or stay.

 

Városmajor u. 33, 1122 Budapest, Hungary | Phone: +36 70 701 01 37 | Email: info@soulutionsmedical.com
