CONTACT DETAILS OF THE DATA CONTROLLER:
Healthcare provider: Déli Dental Kft.
Company registration number: Cg.: 01-09-953567
Address: 1123 Budapest, Kék Golyó utca 6
Tax registration number: 23112748-1-43
Phone: +36 20 486 7959
1.1 The Purpose and Scope of the Regulation
The purpose of these Regulations is to ensure that the data management of the Déli Dental dental clinic (healthcare provider: Déli Dental Kft., Data Controller) complies with the legal and professional regulations concerning the processing of health data, and is in line with other legal provisions related to data management. Accordingly, the purpose of these Regulations is to comply with Article CXII. (Infotv.) and the GDPR policy of 25 May 2018 (regulation 2016/679 of the European Parliament and of the Council), as well as Act XLVII of 1997 on the processing and protection of health and related personal data (Eüak.).
The personal and material scope of the Regulations covers:
the organization providing health care services (Data Controller), all its employees, as well as the organization performing professional supervision and control and a natural person,
a natural person who has come into contact with or comes into contact with the Data Controller or uses its services (patient or parties otherwise concerned),
to an external service provider that handles or comes into contact with personal data belonging to the scope of activities of the Data Controller providing dental care,
health and personal data relating to the data subject processed in accordance with Eüak tv.
The scope of these Regulations does not cover data management related to an employment relationship with the Data Controller.
1.2. The Purpose of the Management of Health Data
The purpose of processing health and personal data (Eüak tv. 4. § paragraph (1)):
promoting the preservation, improvement and maintenance of health,
promoting the effective treatment of the patient by the healthcare provider, including specialist supervision,
monitoring the health status of the patient,
taking the measures necessary in the interests of public health and epidemiology,
enforcement of patients' rights,
data transmission to social security in the case of an OEP-funded service.
In addition to the above, in accordance with Eüak tv. 4. § paragraph (2), health and personal data may be managed - in the cases specified by the law - for the following purposes:
the training of healthcare professionals,
health professional and epidemiological examination, analysis, health care planning, organization, cost planning,
anonymisation for impact assessment, scientific research,
to facilitate the work of organizations performing official or legality control, professional or legality supervision of the body or person handling health data, if the purpose of the control cannot be achieved in any other way, and to perform the tasks of organizations financing health care services,
determination of social security or social benefits, if it is based on health status,
examining the ordering and provision of services available to those entitled to health care at the expense of compulsory health insurance and monitoring compliance with the rules for ordering economical medical aids and medical care,
and the provision of benefits provided to beneficiaries under a contract under a separate legal act, as well as the settlement of price support,
law enforcement, as well as crime prevention in accordance with the actions determined by act XXXVI. of 1994 considering police action,
the facilitation of tasks determined by act CXXV. of 1995 considering national security services, within the scope received therein,
placement and care of the patient in a non-health care institution,
determination of fitness for work regardless of whether this activity is in the framework of an employment relationship, a civil servant and a civil service relationship, a professional employment relationship or another legal relationship,
determination of suitability for education and training for the purposes of public education, higher education and vocational training,
determination of suitability for military service or fulfillment of military obligations,
unemployment benefits, aiding employment and related controls.
For purposes other than those set out above, health and personal data may be managed with the written consent of the data subject or their legal or authorized representative (hereinafter: the legal representative), based on appropriate information. For the purposes of data processing as defined above, only as much and such health and personal data as are strictly necessary for the fulfillment of the purpose of data processing may be managed.
1.3. Legal Basis for Data Management
The legal basis for data management is determined by Eüak tv. and Eü tv. Data transmission to relevant authorities (including mandatory data transmission to OEP in case the patient receives healthcare at the expense of social security) is determined by GDPR Article 6, paragraph 1, point c: compliance with mandatory legal obligations. In all other cases, the defining clause is Article 6, paragraph 1, point b, determining the obligation to comply with the contract between the parties. The basis of managing data acquired for the purpose of subscription to newsletters is the mutual consent of both parties, while the basis for managing data related to cameras placed in the Data Controller’s office is the Data Controller’s right of property security determined by GDPR Article 6, paragraph 1, point f.
Data Subject: natural person that came into contact with the Data Controller (or using its services), regardless of any illness (or lack of).
Health data: information on the physical and mental condition and any harmful habits of the Data Subject, his or her pathological condition and the circumstances of illness or death, the cause of death, communicated by them or by another person, or detected, examined, imaged or derived data; and any data (e.g. behavior, environment, occupation) that may be related to the above and affect them.
Personal identification data: surname and first name, maiden name, sex, place and time of birth, mother's maiden name and forename, place of residence, social security identification number (TAJ number); all or any of the above, if it is or may be suitable for the identification of the Data Subject.
Therapeutic treatment: any activity done for the purpose of maintaining health, as well as prevention, early recognition and diagnosis, healing of conditions; or the maintaining or improving of conditions acquired because of other conditions of the Data Subject, such as examination, treatment, care, medical rehabilitation or, in order to achieve the above, the management of the Data Subject’s examination data, including the provision of medicine, medical tools, and medical bath services, ambulance and patient transportation services, and obstetrical services.
Medical secret: health and personal identification data that has been brought to the knowledge of the Data Controller during treatment, as well as other information about required or ongoing or completed treatment, as well as other information about the treatment.
Medical records: notes, records or any other recorded information, regardless of its medium or form, containing medical and personally identifiable data that has been brought to the knowledge of the carer during treatment.
Carer: the medical practitioner or healthcare professional performing the treatment, or any other person performing activities related to the medical treatment of the Data Subject.
Healthcare provider network: an organization or natural person providing healthcare services or professional supervision or oversight.
Next-of-kin: spouse, relative of the ascendant line, adopted and stepchildren, adopter, stepparents, sibling or domestic partner.
Third party: a natural or legal person, public authority, agency or any other body other than the Data Subject, the Data Controller, the data processor or persons who have been authorized to process personal data under the direct control of the Controller or processor.
Urgent need: a sudden change in the state of health which, in the absence of immediate medical care, would put the Data Subject in immediate danger of life or cause them to suffer serious or permanent damage to their health.
Data Management: Any operation or set of operations performed on personal data or data files in an automated or non-automated manner, such as collecting, recording, organizing, segmenting, storing, transforming or altering, retrieving, viewing, using, communicating, transferring, distributing or otherwise making available, harmonization or interconnection, restriction, deletion or destruction.
Data processing: the application of technical operations related to data management operations, regardless of the method and means used to perform the operations and the place of application.
Data transfer: when the data is made available to a specific third party.
Medium: any material or device capable of recording, storing and retrieving data
Data controller: The healthcare provider, its manager, the staff employed by the service provider who, alone or together with others, are authorized to process health and related personal or personal identification data for data management purposes, and who or what determines the purpose of data processing, and makes and executes the decisions involving data management (including the device used), or delegates tasks to the data processor.
Data processor: natural or legal person, or organisation without legal personality, who or what is authorised by the Data Controller - including authorisation based on legal regulations - to process personal data.
1.5 Managed data sets
Making appointments, keeping contact and providing information:
Making appointments for dental treatment, information prior to the treatment via e-mail or phone, SMS notification
Legal basis for data management: consent of the Data Subject
Permanent residence address
Year of birth
Dental services for the benefit of natural persons:
Identification of the person, distinction from other customers, users and potential customers
Making and storing of patient diary, findings of prior symptoms
Legal basis for data management: legal
Permanent residence address
Year of birth
Billing of dental service
Basis of data management: legal
Social security account invoice
Social security card number, the name and address of the provider.
Basis of data management: legitimate interest and settlement with the social security provider
Card holder name
EP card number
Advertising service(s), providing information for registered users about new or renewed services, direct business acquisition or marketing inquiries with advertising content, customer satisfaction survey
Basis for data management: consent of the Data Subject
The Data Subject gives consent to the management of their personal data in writing or by using the checkbox on the Data Controller’s website.
Supplementary information given by the user
Operating electronic surveillance system in order to guard:
The safety of the Data Controller’s offices
The property of the Data Controller
The physical safety and property of the Data Controller’s employees and visitors
To investigate the circumstances of potential accidents and crimes
Basis for data management: consent of the Data Subject, which is given by entering the Data Controller’s premises, which are signposted as being under camera surveillance.
The activity of the Data Controller is in accordance with Act CXXXIII of 2005 on the Protection of Persons and Property and the Rules of Private Investigative Activity (Szvtv.).
Images, both motion picture and sound recording (together: recordings) of natural persons.
II. THE RIGHTS OF THE DATA SUBJECTS AND THEIR ENFORCEMENT
2.1. Rights of the Data Subject against the Data Controller:
to request information about the management of their personal data,
to request the correction, or - except for legally mandatory data management- deletion of their data,
to protest about the management of their personal data,
to turn to a court in case of any violation of their rights.
2.2 Right to receive information:
At the request of the Data Subject, the Data Controller shall provide information on the data managed by the Data Controller or by a third party commissioned by the Data Controller, their source, the purpose of the data management, the legal basis, timeframe, data management being in process, the name, address and relevant activity of the data manager, the circumstances of the data protection incident, its effects and the measures taken to obviate, as well as - in case of transmitting the personal data of the Data Subject - the legal basis of the transmission and its recipient. The Data Controller is obliged to provide the information in writing in a comprehensible form as soon as possible after the submission of the request, but no later than within 25 days. The information is free of charge if the person requesting the information has not yet submitted a request for information to the Data Controller for the same data set in the current year. In other cases, a fee may be determined. The Data Controller may only refuse the information in accordance with the provisions of the legislation in force at any time related to data protection.
2.3 The correction and deletion of data:
The Data Subject shall have the right, at their request, to have inaccurate personal data concerning them corrected without undue delay. Taking into account the purpose of the data processing, the Data Subject has the right to request that the incomplete personal data be supplemented, inter alia, by means of a supplementary declaration.
Personal data is required to be deleted