PRIVACY AND SECURITY POLICY

INTRODUCTION

Dental Angels Kft. (hereinafter referred to as: Data Controller), the operator of Dental Angels Budapest Dental Center, as a patient care provider, hereby informs its clients and visitors to its website and social media pages (hereinafter collectively referred to as: data subject(s) or user(s)) that it respects the personal rights of data subjects and therefore acts in accordance with the following data processing regulations (hereinafter referred to as: Regulations) when processing data. The Data Controller reserves the right to change the Regulations to keep them aligned with the legal background and with other internal regulations that may be amended in the meantime. The version of the Regulations in force at any given time is available electronically on the website at http://dentalangels.hu/ and in paper form at the reception of the Clinic. Based on the above, the Data Controller considers the provisions of the Regulations to be binding on itself and acts in accordance with them during its operations.

1. DEFINITION

1. The Data Controller uses the following terms in this Policy and its annexes, therefore it recommends a detailed overview of the terms.

– Data Subject or User: any specific natural person identified or identifiable – directly or indirectly – on the basis of personal data, including, but not limited to, a natural person using the services of the Data Controller, etc.;

– The concept of personal data following the application of the GDPR: any information relating to an identified or identifiable natural person (i.e. the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

– Clinic: Dental Angels Budapest Dental Center, physically located at 1015 Budapest, Hattyú utca 16. 1/7., operated by the Data Controller;

– Consent: a voluntary and definite expression of the data subject's will, based on adequate information, by which he or she gives his or her unambiguous consent to the processing of personal data concerning him or her, whether in full or in relation to certain operations. Thus, consent has 3 basic elements: voluntariness, definiteness, and adequate information;

– Data controller or service provider or patient care provider: the natural or legal person or organization without legal personality who, or which, independently or together with others, determines the purpose of data processing, makes and implements decisions regarding data processing (including the means used), or has them implemented by a data processor commissioned by it, thus, for the purposes of this Policy, the Data Controller is the person defined in Chapter 2;

– Data processing: any operation or set of operations performed on data, regardless of the procedure used, including in particular collection, recording, organization, storage, alteration, use, retrieval, transmission, disclosure, alignment or combination, blocking, erasure and destruction, as well as preventing further use of data, taking photographs, audio or video recordings, and recording physical characteristics suitable for identifying a person, including, but not limited to: declaration of consent, processing of health data, etc.;

– Restriction of data processing: marking of stored personal data with the aim of restricting their future processing;

– Profiling: any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

– Pseudonymisation: the processing of personal data in such a way that, without the use of additional information, it can no longer be determined which specific natural person the personal data relates to, provided that such additional information is stored separately and technical and organisational measures are taken to ensure that the personal data cannot be linked to an identified or identifiable natural person;

– Data transfer: making data available to a specific third party;

– Data processing: the performance of technical tasks related to data management operations, regardless of the method and means used to perform the operations and the place of application, provided that the technical task is performed on data; by way of illustration, the performance of accounting tasks is data processing;

– Data erasure: making data unrecognizable in such a way that their recovery is no longer possible;

– Data blocking: marking the data with an identification mark in order to limit its further processing permanently or for a specific period of time;

– Data destruction: complete physical destruction of the data medium containing the data, such as shredding the document containing the data;

– Data set: the set of data managed in a register;

– Filing system: a file of personal data structured in any way – centralized, decentralized or according to functional or geographical aspects – which is accessible based on specific criteria;

– Third party: a natural or legal person or an organization without legal personality who is not the same as the data subject, the data controller or the data processor, or the persons who have been authorized to process personal data under the direct control of the data controller or data processor;

– Data protection incident: unlawful handling or processing of personal data, in particular unauthorized access, alteration, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage;

– The concept of a data breach following the application of the GDPR: a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored, or otherwise processed;

– Health data: pursuant to Section 3(a) of Act XLVII of 1997 (Health Care), data relating to the physical, mental and spiritual condition of the data subject, his/her pathological condition, the circumstances of the illness or death, the cause of death, communicated by him/her or another person, or detected, examined, measured, mapped or derived by the healthcare network; furthermore, any data that can be linked to the above and influences them (e.g. behaviour, environment, occupation);

– Health data after the application of the GDPR: personal data relating to the physical or mental health of a natural person, including data relating to healthcare services provided to the natural person which contain information about the health status of the natural person;

– Partner: legal entities using the Data Controller's services on the basis of a contract and/or facilitating the performance of the Data Controller's services (performance assistant), business entities without legal personality, to which the Data Controller - after the consent of the data subject - transfers or may transfer personal data, or which perform or may perform data storage, processing, related IT and other activities facilitating secure data management for the Data Controller;

– Employee: a natural person in a contractual, employment or other legal relationship with the Data Controller, who is entrusted with the task of providing and fulfilling the Data Controller's services and who comes into contact or may come into contact with personal data during his/her data management or data processing tasks and for whose activities the Data Controller assumes full responsibility towards the personal circle of the data subjects and third parties;

– Data Controller: the Employee who created the data and/or who has access to the data and/or to whom the data was transmitted by another data controller or third party and/or to whom the data came into possession in any other way;

– Website: the http://dentalangels.hu/, http://dentalangels.eu portals and all their subpages operated by the Data Controller;

– Community page: by way of example, the page accessible at https://www.facebook.com/dentalangelsfogaszat, maintained by the Data Controller;

– Healthcare network: an organization and natural person providing healthcare and carrying out its professional supervision and control;

– Medical treatment: any activity aimed at the direct examination, treatment, care, medical rehabilitation of the person concerned for the purpose of preserving health, preventing, early detecting, diagnosing and curing diseases, maintaining or improving the deterioration of the condition resulting from the disease, and processing the test materials of the person concerned for the purpose of all these, including the provision of medicines, medical aids, spa services, rescue and patient transport, and obstetric care;

– Medical secret: health and personal identification data that the data controller has come to know during medical treatment, as well as other data related to the necessary or ongoing or completed medical treatment, as well as other data learned in connection with the medical treatment;

– Close relative: spouse, direct relative, adopted, step and foster child, adoptive parent, step and foster parent, sibling and life partner;

– Urgent need: a sudden change in health status as a result of which, in the absence of immediate medical care, the person concerned would be in immediate danger of death or would suffer serious or permanent health damage;

– Healthcare worker: a dentist, a person with other higher healthcare qualifications, a person with a healthcare qualification, and a person without a healthcare qualification who participates in healthcare activities;

– Provider: the treating physician, the healthcare professional, any other person performing activities related to the medical treatment of the data subject, the pharmacist; for the purposes of this Policy, the Data Controller is the treating physician;

– Dentist: for the purposes of this Policy, a natural person in a contractual, employment or other legal relationship with the Data Controller, or a natural person acting on behalf of such a non-natural person, who performs dental or other medical tasks for the Data Controller.

2. THE PERSON OF THE DATA CONTROLLER

1. For the purposes of this Privacy and Data Security Policy, Data Controller:

a) the operator of the Dental Angels Budapest Dental Center, Dental Angels Kft.

a. registered office: 1015 Budapest, Hattyú Street 16. 1/7.

b. actual data management address: 1015 Budapest, Hattyú utca 16. 1/7.

c. company registration number: 01-09-320109

d. tax number: 26249913-2-41

e. Internet access: http://dentalangels.hu/ and http://dentalangels.eu

f. phone number: 0630-291-7500

g. email: info@dentalangels.hu

h. independently represented by: Dr. Tamás Egerszegi, managing director

b) the Employee, for whose activities Dental Angels Ltd. assumes full responsibility towards the personal group of those affected and third parties.

2. With reference to subparagraphs a) and b), the term Data Controller shall also include the Employee, unless otherwise specified in the text of the Regulations.

2.1 The Data Controller's data protection organization

1. The Data Controller is committed to data protection, therefore it continuously modifies this Policy and the entire data protection regulation in general, in accordance with legal and operational changes.

2. Under the GDPR, if the Data Controller processes special categories of personal data (health data), it is required to appoint a data protection officer.

Name of Data Protection Officer:

Dr. Tamás Egerszegi

Data Protection Officer contact information:

tamas@egerszegi.com

3. The Data Controller's management of data protection, data management, data security and information security is carried out independently by the representative of the Data Controller's organizational management, taking into account the proposals of the data protection officer. (The representative of the Data Controller's organizational management is hereinafter referred to as: Data Controller's management).

4. Management of the Data Controller

a) performs the task specified in point 2.1.1;

b) decides on the identity of Partners other than the Data Controller and the content of the relevant contract, including data processing;

c) determines the date of data processing tasks to be carried out by a person or body outside the organisation;

d) regularly checks records related to data management and data protection, as well as IT;

e) grants access rights to the IT applications necessary for the Employee to perform his/her job, if the Data Controller employs an Employee;

f) performs other tasks that are defined by an Information Security Regulation or procedure, other rule or law that is formally different from these Regulations.

5. The Data Protection Officer shall perform the tasks set out below:

a) participates in and provides assistance in making decisions related to data processing and in ensuring the rights of data subjects;

b) informs and provides professional advice to the Data Controller or the data processor, as well as to the Employees performing data processing, regarding their obligations;

c) monitors compliance with the provisions of Act CXII of 2011, the GDPR, other laws on data protection and data management, as well as internal data protection and data management regulations and data security requirements;

d) investigates the reports received and, if unauthorized data processing is detected, calls on the Data Controller or the data processor to terminate it;

e) prepares and continuously maintains the Regulations;

f) keeps internal data protection records;

g) ensures the provision of data protection training;

h) provides professional advice to Employees upon request;

i) advises on and monitors the performance of data protection impact assessments;

j) cooperates and maintains contact with the supervisory authority;

k) performs other tasks specified in his contract.

3. PURPOSE OF THE RULES

1. The primary purpose of this policy is to define and comply with the basic principles and provisions regarding the processing of data of natural persons who come into contact with the Data Controller in order to protect the privacy of natural persons in accordance with the relevant legal provisions and official resolutions.

2. With reference to the provisions of point 3.1, the purpose of this policy is to ensure that the Data Controller complies in all respects with the provisions of the applicable laws on data protection, in particular, but not exclusively,

- Act XLVII of 1997 on the processing and protection of health and related personal data (Eüat),

- Act CXII of 2011 on the right to informational self-determination and freedom of information,

- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR),

- Act CXXXIII of 2005 on the rules of personal and property protection and private detective activities,

- the provisions of Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activities.

3. The Data Controller considers it of utmost importance and is committed to protecting the data provided by the data subject via the website or other forum or in any other way, as defined in Act CXII of 2011 on the right to informational self-determination and freedom of information, and to respecting the data subjects' right to informational self-determination. In this context, it contributes to creating safe internet access opportunities for the data subjects by fully complying with the relevant applicable laws.

4. SCOPE OF THE RULES

1. Effective Date: These Regulations are effective from October 1, 2018 until further notice or revocation.

2. Personal scope extends

i. to the Data Controller, and

ii. to persons whose data are included in data processing operations covered by this Policy, and

iii. to persons whose rights or legitimate interests are affected by the processing of data.

3. With reference to the provisions of point 2. ii. and iii., the scope of data subjects is further defined below for explanatory clarification. The Data Controller therefore primarily processes the data of those natural persons who

i. through the means or methods available to them – for example, electronically, with their data sent to the email address info@dentalangels.hu, via a social media page, via a patient intermediary, by telephone, or in person –

1. applied to establish a customer relationship,

2. have used or requested the services of the Data Controller (e.g. patients); or

3. applied for a reason or purpose other than establishing a customer relationship;

ii. are the Data Controller's natural person Partners, or the representatives, contacts, or other employees of its non-natural person Partners;

iii. enter or remain in an area monitored by an electronic surveillance camera system operated by the Data Controller.

4. Scope: The scope of this Policy covers all data processing and data containing personal data carried out in all organizational units of the Data Controller, regardless of whether it is carried out electronically and/or on paper, and thus covers in particular all health and personal identification data concerning the data subject processed in accordance with the provisions of Act XLVII of 1997 on the processing and protection of health and related personal data.

5. LEGAL BASIS FOR DATA PROCESSING

1. The reason for processing the personal data of the data subject, that is, the legal basis, is to enable Dental Angels Kft. to provide the data subject with dental, oral surgery or plastic surgery treatment in accordance with the data subject's request. In this context, the Data Controller also processes the data subject's health data, which belong to the special categories of personal data, and to which the data subjects consent. The legal basis for data processing is that it is necessary for the performance of the contract between Dental Angels Kft. and its data subjects. The data subject enters into a contractual relationship with Dental Angels Kft.

2. On the other hand, in connection with the data processing carried out in this way, we may process the personal data of the data subject because their processing is necessary for the fulfillment of a legal obligation applicable to Dental Angels Kft. (for example: fulfillment of the statutory obligation to retain health data, based on Section 30 (1) of the Act on the Protection of Health Data, for at least 30 years).

3. In the public interest, data may continue to be recorded beyond the mandatory statutory registration period, e.g. for the purpose of (public health) scientific research [GDPR preamble (50), (52), (53), (54), (65), (159); Esztv. Section 30 (1) para.].

6. DURATION OF DATA PROCESSING

1. We will retain the personal data of the data subject that are part of the health documentation, in particular the findings for at least 30 years pursuant to Section 30 (1) of the Health Act, the final report for at least 50 years, images taken using an imaging diagnostic procedure (e.g. CT scan), for 10 years from the date of the image being taken pursuant to Section 30 (2) of the Health Act, and the findings from the image being taken for 30 years from the date of the image being taken.

2. In the public interest, data may continue to be recorded beyond the mandatory statutory registration period, e.g. for the purpose of (public health) scientific research [GDPR preamble (50), (52), (53), (54), (65), (159); Esztv. Section 30 (1) para.].

3. Both Dental Angels Ltd. and its dentists may process your personal data necessary for the exercise of their legitimate interests. Accordingly, your personal data may be processed for the general 5-year limitation period for the purpose of exercising their legitimate interests in connection with your requests for dental treatment provided by the service provider or its dentists.

7. CERTAIN ACTIVITIES AFFECTED BY DATA PROCESSING AND SCOPE OF DATA PROCESSED

7.1. Data processing by the bodies of the healthcare network

1. The following are authorized to process health and personal identification data within the healthcare network, unless otherwise provided by law:

a. the patient care provider,

b. service provider manager, or

c. a person appointed by the head of the service provider.

2. When handling health and personal identification data, the security of the data must be ensured against accidental or intentional destruction, alteration, damage, disclosure, and unauthorized access.

7.1.1. Data collection

1. During data collection, the date of data collection must be recorded in the medical documentation.

2. All notes and entries in the patient's documentation must be authenticated with a signature or handprint, and if necessary, with a date. In the case of electronic data management, the clear identification of the person making the entry must also be ensured.

7.1.2. Data modification

1. If the entered data needs to be modified due to a mistake or other reason, this can only be done in a way that allows the original data to be identified. Even in the case of a modification, the modification must be signed by hand, and in the case of electronic data management, the system must ensure clear identification of the person making the entry and logging of the entry.

7.1.3. Data deletion

1. Data may only be deleted in accordance with this Policy. Data protection regulations must be observed during deletion, with particular regard to unauthorized access. During deletion, manually processed data must be physically destroyed, and electronically stored data must be irretrievably changed.

7.2. Data processing for the purpose of dental and plastic surgery care

2. The legal basis for data processing is therefore that it is necessary for the performance of the contract between Dental Angels Kft. and its data subjects. The data subject enters into a contractual relationship with Dental Angels Kft.

3. The data subject (their legal representative) is obliged to provide their health and personal identification data upon the request of the healthcare provider,

a. if it is probable or confirmed that he/she is infected with a disease agent or suffers from infectious poisoning or an infectious disease,

b. if necessary for conducting screening and suitability tests,

c. in case of acute poisoning,

d. if it is likely that the person concerned suffers from an occupational disease,

e. if the provision of data is necessary for the medical treatment, preservation or protection of the minor child's health,

f. if the competent body has ordered the investigation for the purposes of law enforcement, crime prevention, or during prosecution, court proceedings, or administrative or misdemeanor proceedings,

g. if the provision of data is necessary for the purpose of control pursuant to the Act on National Security Services.

4. In cases of urgent need and the lack of capacity of the person receiving medical treatment, voluntariness shall be presumed.

5. During treatment, data in accordance with professional rules must be recorded in the medical documentation. The dentist performing the treatment decides which medical data must be recorded in accordance with professional rules – in addition to the mandatory data. Recording medical data and documentation is part of the provision of the service (treatment).

6. The Data Subject may disclose his/her previous and current health data and health documentation to the Data Controller for the purpose of informing the Data Controller and clarifying the subsequent service (intervention), and the Data Controller collects, stores, records and processes health data and health documentation during the examination of the Data Subjects.

7. The data subject voluntarily provides their health data and documentation, and the data subject voluntarily consents to the examinations.

8. Scope of data subjects: Every natural person who provides the Data Controller with their health data or documentation or gives prior consent to an examination, the result of which is the processing of health data or documentation.

9. Scope and purpose of the data subject to data processing:

- name, birth name*: identification

- address, place of residence*: identification/contact

- mother's name: identification

- place and date of birth*: identification

- phone number*: keeping in touch

- e-mail address, mailing address: keeping in touch

- sex: identification

- language used: keeping in touch

- Social Security number: identification

- billing address: invoicing

- health fund and insurance data: necessary for the provision of services and administration

- health data, documentation*: necessary for the provision of services

Providing the data marked with * is a condition for using the service.

10. The direct purpose of data processing is to confirm which service of the Data Controller is suitable for the data subject and under what conditions.

11. The health data necessary for the service may be processed by the dentist and other persons performing activities related to the treatment of the data subject, such as the assistant, receptionist, patient coordinator, in accordance with the instructions of the treating physician and to the extent necessary for the performance of their duties.

12. Other guarantee rules related to health data and documentation, which the Data Controller strictly adheres to:

- If the Data Controller becomes aware of health data based on the voluntary consent of the data subject, the Data Controller will process them in accordance with the provisions of Act CXII of 2011 and Act XLVII of 1997 on the processing and protection of health and related personal data, as follows:

i. Health documentation and health data shall be kept for at least 30 years pursuant to Section 30, Paragraph 1, of Act XLVII of 1997,

ii. the final report for at least 50 years,

iii. the image taken using an imaging diagnostic procedure for 10 years from the date of its creation,

iv. the Data Controller must retain the report prepared from the recording for 30 years from the date of recording.

- The data controller only records the most necessary health data, but the data subject may of course disclose more detailed data to him, which he is also obliged to keep.

- The Data Controller and the Employee acting on its behalf are obliged to keep the medical secrets that come to their knowledge.

- Health data and documentation are transmitted only in the following cases:

a. if the data subject has expressly, voluntarily and in writing consented to the transfer with the knowledge of the recipient of the transfer; or

b. in case of danger to life, or

c. if the transmission of health and personal identification data is a legal obligation.

- The data subject has the right to receive information about the data processing in connection with the treatment, to learn about the health and personal identification data relating to him/her, to view the health documentation and to receive a copy of it.

- The right to the above-mentioned information is also granted to the person authorized by the data subject in writing during the period of the data subject's care, and to the person authorized by the data subject in a private document with full probative force after the end of the data subject's care.

13. The Data Controller and the Employee are exempt from the obligation of confidentiality if

a. the data subject or their legal representative has given their written consent to the transmission of health and personal identification data, within the limitations set out therein, and

b. the transmission of health and personal identification data is a legal obligation (e.g. public health interest).

14. Activity and process involved in data processing:

- The Data Controller creates the opportunity for the data subject to share health data and health documentation with the Data Controller (e.g. by filling out a questionnaire), and examines the data subject based on the data subject's prior and voluntary consent, as a result of which the health data and documentation are created.

- The Data Controller stores health data and documentation in an electronic registration system used specifically for this purpose and/or on paper.

- The Data Controller maintains the health documentation in such a way that it accurately reflects the care process.

- The data controller indicates in the medical documentation:

i. the patient's personal identification data,

ii. in the case of a competent patient, the name, address and contact details of the person to be notified, or in the case of a minor or a patient under guardianship, the name, address and contact details of the legal representative,

iii. medical history,

iv. the result of the first examination,

v. the test results that form the basis for the diagnosis and treatment plan, the date of the tests,

vi. the name of the disease justifying the treatment, the underlying disease, concomitant diseases and complications,

vii. other diseases that do not directly justify the treatment, or the name of the risk factors,

viii. the time of the interventions performed and their results,

ix. data on the patient's drug hypersensitivity,

x. the name of the healthcare worker who made the entry and the date of entry,

xi. recording the content of the information provided to the patient or other person entitled to information,

xii. the fact of consent or refusal, and the date thereof,

xiii. any other data and facts that may have an impact on the patient's recovery.

- The data controller retains, as part of the health documentation:

i. the findings of individual examinations, the documents generated during medical treatment and consultation,

ii. images of diagnostic imaging procedures.

- In the case of health documentation, special attention must be paid to ensuring that it is detailed, professional, readable and retrievable.

- The data controller pays special attention to meeting data security requirements with regard to health data.

15. Duration of data management: Pursuant to Section 30, Paragraph 1 of Act XLVII of 1997, the Data Controller must retain the health documentation and health data for at least 30 years, the final report for at least 50 years, the image taken using an imaging diagnostic procedure for 10 years from the date of its creation, and the report prepared from the image for 30 years from the date of the creation of the image.

7.3. Request for information

1. The Data Controller enables data subjects to request information from the Data Controller by providing their data detailed below.

2. Data processing is lawful if it is necessary to take steps at the request of the data subject prior to entering into a contract.

3. Scope of data subjects: Every natural person who contacts the Data Controller and requests information from the Data Controller in addition to providing their personal data.

4. Scope and purpose of processed data:

- name*: identification

- phone number: keeping in touch

- email address*: keeping in touch

- message*: response

Providing the data marked with * is a condition for using the service.

5. The purpose of data processing is to provide appropriate information to the data subject and to maintain contact.

6. The activities and processes involved in data processing are as follows:

a. The data subject may consult with the Data Controller about the Data Controller's services and/or other related issues through the means provided by the Data Controller and accessible to him/her.

b. The data provided to the Data Controller via the website is sent by e-mail or other electronic means.

c. The Data Controller will answer the data subject's question and forward it to them - in the same way as the information request was received, unless the data subject has otherwise provided.

d. The data subject, in accordance with the purpose of data processing, voluntarily agrees that if he/she provided his/her contact information during the request for information, the Data Controller may contact him/her through that contact information in order to clarify the question or answer it for him/her.

7. Duration of data processing: until the purpose is achieved. Both Dental Angels Kft. and its dentists and colleagues may process your personal data necessary for the enforcement of their legitimate interests. Based on this, your personal data may be processed for the general 5-year limitation period for the purpose of enforcing their legitimate interests in connection with the demands of the service provider or dentists regarding the dental treatment provided.

7.4. Appointment booking

1. The Data Controller enables data subjects to request an appointment from the Data Controller to use the Data Controller's services by providing their details as detailed below.

2. Data processing is lawful if it is necessary to take steps at the request of the data subject prior to entering into a contract.

3. Scope of data subjects: Every natural person who wishes to use the Data Controller's services at a specific time, therefore booking an appointment by providing their data.

4. Scope of processed data:

– name*: identification

– phone number*: keeping in touch

– email address: keeping in touch

– service details: necessary to provide the service

– time*: necessary to provide the service

Providing the data marked with * is a condition for using the service.

5. The purpose of data management is to provide the data subject with an appointment to use the service and to maintain contact.

6. The activities and processes involved in data processing are as follows:

a. The data subject may consult with the Data Controller about the time(s) of using the service(s) provided by the Data Controller, through the means available to him/her, or in a manner provided by the Data Controller.

b. The Data Controller records the data disclosed to the Data Controller during the appointment booking in an electronic registration system and/or on paper and confirms the booked appointment to the data subject verbally and/or in writing.

c. The data subject, in accordance with the purpose of data processing, voluntarily agrees that if he/she provides his/her contact information, the Data Controller will contact him/her through this contact information to inform him/her of any cancellation of the appointment, or to respond to any complaint of the data subject, or to take other steps related to his/her complaint.

7. Duration of data processing: until the purpose is achieved. Both Dental Angels Kft. and its dentists and colleagues may process your personal data necessary for the enforcement of their legitimate interests. Based on this, your personal data may be processed for the general 5-year limitation period for the purpose of enforcing their legitimate interests in connection with the demands of the service provider or dentists regarding the dental treatment provided.

7.5. Data processing related to the conclusion of a declaration of consent/agreement (service contract)

1. The Data Controller may make the provision of certain services subject to the prior conclusion of a declaration of consent and/or agreement (service contract), which the Data Subject shall be informed of.

2. The conclusion of the consent statement and/or agreement (service contract) is based on voluntary consent.

3. Scope of data subjects: Every natural person who, in addition to providing their personal data, gives a declaration of consent and/or concludes an agreement (service contract) with the Data Controller regarding the use of a given service.

4. Scope and purpose of the data subject to data processing:

– name: identification

– address*: identification/contact

– place of birth, time*: identification

– mother's name: identification

– Social Security number: identification, required for health fund support

– phone number*: keeping in touch

– email address: keeping in touch

– health data, documentation*: necessary for the provision of services

– subject, content of the service: necessary for information and service provision

– remuneration: content element of the agreement

– rights and obligations: content element of the agreement

Providing the data marked with * is a condition for using the service.

5. The purpose of data processing is to identify the data subject, to provide the data subject with appropriate services in accordance with the provisions of the consent declaration and/or the agreement (service contract), and to maintain contact.

6. The activities and processes involved in data processing are as follows:

a. The data controller informs the data subject about the service, such as dental intervention, its risks, etc., in accordance with the law.

b. The data subject decides, at his own discretion, independently and voluntarily, to use the Data Controller's service(s). If he wishes to use it/them, he/she gives a consent statement by providing the above data and/or enters into an agreement with the Data Controller.

c. The data subject acknowledges that the data and information provided on the general medical history form signed by him/her regarding his/her health condition are necessary for the selection of the content of the services and medical treatments, and declares that the data provided is complete and that he/she is obliged to inform the Data Controller in writing about any changes that occur during the treatment period.

d. The Data Controller shall store the consent statement and/or agreement (service contract), together with the related health data and documentation absolutely necessary for the provision of the service, in an electronic registration system used specifically for this purpose and/or on paper.

e. The Data Controller pays special attention to meeting the requirements of data security with regard to health data.

f. The data subject, in accordance with the purpose of data processing, voluntarily consents to the Data Controller contacting him/her via his/her provided contact information regarding issues related to the service to be provided or provided.

g. In the agreement, the data subject and the Data Controller may agree that the image or image and audio material created during the service, from which the data subject can be recognized, will be used on the Data Controller's social media page, website or other platform for its own advertising or marketing purposes. In this case, the data subject may withdraw his/her consent, and the Data Controller must delete the data based on the withdrawal, but other, possibly restrictive, provisions of the relevant agreement must also be observed.

h. The provisions of the current GTC shall apply to all other matters.

7. If the data subject discloses to the Data Controller a fact that influences or excludes the provision of the service, or the Data Controller clearly and provably finds such a fact in relation to the data subject, the Data Controller will refuse to provide the given service(s).

8. Duration of data management: The Data Controller must retain the health documentation and health data for at least 30 years, the final report for at least 50 years, the imaging diagnostic procedure for 10 years from the date of its creation, and the report prepared from the imaging procedure for 30 years from the date of the creation of the imaging procedure, pursuant to Section 30, Paragraph 1 of Act XLVII of 1997.

9. Both Dental Angels Ltd. and its collaborating dentist(s) may process your personal data necessary for the exercise of their legitimate interests. Accordingly, your personal data may be processed for the general 5-year limitation period for the purpose of exercising their legitimate interests in connection with your claims related to the dental treatment provided by the service provider or your dentist.

7.6. Dental Angels Ltd.'s data processing related to invoicing and accounting

1. Dental Angels Kft. is obliged to issue an invoice for the consideration of the services to its service users in accordance with the applicable laws. In connection with the issuance of the invoice, Dental Angels Kft. processes the billing data of the data subjects. The purpose of this data management is for Dental Angels Kft. to comply with its legal obligation to issue accounting documents for economic events.

2. Dental Angels Kft. processes the following personal data of the data subjects for the purpose of invoicing and accounting:

Personal identification data: name, postal address, tax identification number of the data subject. Data required for contact: telephone number, e-mail address.

3. Legal basis for data processing: Data processing is necessary to fulfill a legal obligation applicable to the data controller.

4. In addition to the data controller, the data processor performing the accounting specified in Annex 1 may also have access to the data of the data subject specified above.

5. Data storage period: Based on Section 169 (1) – (2) of Act C of 2000 on Accounting, the retention period of the invoice and the data necessary for its issuance is 8 years.

7.7. Pictures and video recordings taken of the data subject with their consent – during the use of the service

1. In full compliance with the provisions of Section 2:48. (1) of the Civil Code in force, the Data Controller shall create audio, image and video recordings of and/or with the data subject only with the prior consent of the data subject and publish them on its website and/or the Data Controller's social media page, in compliance with the provisions of the data subject's consent.

2. The aforementioned data processing may only be carried out with the voluntary, definite consent of the data subject.

3. Scope of data subjects: All natural persons who consent in advance to having their images and videos taken while using the service.

4. Scope and purpose of the processed data:

– affected person's image: identification, marketing

– other image recording of the data subject, including video recording, from which the data subject can be identified: identification, marketing

5. The purpose of data processing is to publish images and videos of the data subject, taken with the express, voluntary and written consent of the data subject, on the Data Controller's website or social media page following the data subject's consent, and thus the data controller's marketing.

6. The Data Controller declares that the data subject acknowledges that if the data subject can be recognized from the image and video recording made, the data is considered personal data and its processing is governed by the following rules:

a. If the data subject can be identified from the data, he/she may withdraw his/her prior consent at any time (either before uploading to the website or social media site, or after uploading - request for deletion).

b. Upon withdrawal of consent or receipt of a request for erasure, the Data Controller shall immediately take steps to remove the data and all other reasonable steps to ensure that the data is no longer available on the world wide web.

7. Regarding the processing of data concerning data subjects, the Data Controller will provide further information upon request sent to the e-mail address info@dentalangels.hu. Deletion or blocking from the website and/or social media page and/or data file can also be requested here.

8. Duration of data management: until deletion at the request of the data subject.

7.8. Applying for a job

1. The Data Controller enables data subjects to apply in general or for advertised job vacancies.

2. Application for the job is based on voluntary consent.

3. Scope of data subjects: All natural persons who apply for a job with the Data Controller.

4. Scope and purpose of the processed data:

– name: identification

– email address: keeping in touch

– phone number: keeping in touch

– title: keeping in touch

– place of birth, time: identification

– name of the position applied for, if any: required for application identification

– experiences – name of previous workplace and time spent there: required for assessing the position

– work experience experiences – position description: required for assessing the position

– work experience: required for assessing the position

– educational qualifications, knowledge of a foreign language, level of knowledge of a foreign language: required for assessing the position

– foreign language knowledge, work experience, other details in the attached CV: required for assessing the position

– other details of the CV, attached motivation letter: required for assessing the position

– the motivation letter: required for assessing the position

5. The purpose of data processing is to apply for a job and to maintain contact.

6. Activity and process involved in data processing:

a. The data subject may provide the above-specified data to the Data Controller via the Data Controller's contact details.

b. During the selection process, the data controller compares the applications with the requirements of the position to be filled, the conditions for establishing the employment relationship, if a job application has been published at all, and based on the comparison, invites the most suitable persons for a personal interview.

c. The selection process continues with a personal interview.

d. The selection ends with the conclusion of a contract with the most suitable data subject, with the note that the data of the data subjects not selected will only be further processed by the Data Controller if the data subjects have specifically consented to this.

e. The Data Controller shall notify the applicants of the selection results. Following the selection, the Data Controller shall process the data of the data subjects indicated above for 2 years based on its legitimate interest. The Data Controller shall prove its legitimate interest with a balancing of interests test.

f. If the data subject requests the deletion of their data, the Data Controller will delete or destroy the data.

7. Duration of data management: until the purpose is achieved, or based on legitimate interest, for 2 years after the application has been assessed.

7.9. Complaints handling

1. The Data Controller ensures that the data subject can communicate his/her complaint regarding the ordered service (and/or product) and/or the Data Controller's conduct, activity or omission orally (in person, by telephone) or in writing (in person or by document delivered by another person, by post, by electronic mail).

2. Filing a complaint is based on voluntary consent, but in the event of a complaint, the processing of the data is mandatory for the Data Controller pursuant to Act CLV of 1997.

3. Scope of data subjects: Any natural person who wishes to submit a complaint orally or in writing regarding an ordered service (product) and/or the conduct, activity or omission of the Data Controller.

4. Scope and purpose of the processed data:

– complaint ID*: identification

– name*: identification

– date of receipt of complaint: identification

– phone number: keeping in touch

– time of call: identification

– personal data provided during the conversation: identification

– billing/mailing address: keeping in touch

– complained about service (product): complaint investigation

– attached documents: complaint investigation

– reason for complaint*: complaint investigation

– the complaint itself*: complaint investigation

Data marked with * is mandatory.

5. The purpose of data management is to enable the communication of the complaint, to identify the data subject and the complaint, to record data required by law, to fulfill legal obligations, and to maintain contact.

6. The activities and processes involved in data processing are as follows:

a. The data subject shall communicate his/her complaint to the Data Controller orally (in person, by telephone) or in writing (in person or by document delivered by another person, by post, by electronic mail).

b. If the data subject makes a complaint orally, the Data Controller will record it.

c. If the data subject wishes to make his/her complaint in writing, he/she has the option to do so.

d. The Data Controller will process the complaint and respond as soon as possible.

e. The Data Controller strives to resolve any complaints that may arise as soon as possible, in accordance with common interests.

7. Duration of data management: The data controller shall manage the minutes of the complaint and the copy of the response for 5 years from the date of their recording, pursuant to Section 17/A, Paragraph 7, of the relevant and effective Act CLV of 1997, on a mandatory basis.

7.10. Sending a newsletter

1. The data subject may subscribe to the newsletter with the data specified below before or during the use of the services, or in any other way.

2. Subscribing to the newsletter is based on voluntary consent.

3. Scope of data subjects: All natural persons who wish to be regularly informed about the Data Controller's news, promotions and discounts, therefore subscribe to the newsletter service by providing their personal data.

4. Scope and purpose of the processed data:

– name: identification (mandatory data according to law)

– email address: sending a newsletter (mandatory data according to law)

5. The purpose of data processing related to sending newsletters is to provide the recipient with comprehensive general or personalized information about the Data Controller's latest promotions, events, news, and changes or cancellations of notification services.

6. Newsletters are sent only with the prior consent of the data subject.

7. The Data Controller will only process the personal data collected for this purpose until the data subject unsubscribes from the newsletter list or, in the case referred to in point 10, provides confirmation.

8. The data subject may unsubscribe from the newsletter at any time, at the bottom of the emails and by sending a cancellation request to the email address info@dentalangels.hu.

9. You can unsubscribe from the newsletter by post at the following address: Dental Angels Kft., 1015 Budapest, Hattyú utca 16. 1/7.

10. The Data Controller reviews the newsletter list every three years and requests confirmation of consent to send the newsletter after three years. The Data Controller deletes the data of the data subject who does not provide confirmation of consent from the data file.

11. Duration of data management: until deletion at the request of the data subject, or if the data subject does not provide further consent.

12. The Data Controller keeps statistics on the reading of the newsletters sent out, using clicks on the links in the newsletters.

13. The data subject can subscribe to the news feed published on the message board of social networking sites, especially Facebook, by clicking on the “like” link on the page, and can unsubscribe by clicking on the “dislike” link on the same page, or delete unwanted news feeds appearing on the message board using the message board settings. You can find information about the news feeds, unsubscriptions and subscriptions of social networking sites, and the data management of the given social networking site on the social networking site.

7.11. Camera system

Cameras are installed in the area of Dental Angels Dentistry operated by the Data Controller for the personal and property safety of the data subjects and for other purposes. You can find the data management information on this in a separate document in the area of Dental Angels Dentistry.

7.12. Website visit data

I. References and links

1. The Data Controller's website may also contain links that point to pages that are not operated by the Data Controller, but are only intended to inform visitors. The Data Controller has no influence on the content and security of websites operated by partner companies, and is therefore not responsible for them.

2. Please review the Privacy Policy and Privacy Statement of the websites you visit before providing any of your information on that website.

II. Profiling

1. Profiling is carried out through the Data Controller's website. Our company does not carry out profiling.

2. "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal characteristics relating to a natural person, in particular to analyse or predict characteristics relating to his or her performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

3. The purpose of profiling is to offer you more interesting and important products and to provide you with products that are more tailored to your shopping habits. Profiling only covers your shopping habits and preferences. Profiling does not have any adverse consequences or restrictions for you.

4. Google: Dental Angels Kft. uses the Google Analytics, Google DoubleClick and YouTube services of Google LLC on its website. These services use cookies to help analyze the use of the website. The primary purpose of this is to provide you with offers that are more relevant to your interests. This requires that we be able to analyze your activity on our website with the help of Google.

5. The information stored by the cookie (including the user's IP address) is stored on Google LLC servers in the United States. Google LLC may transfer the collected information to third parties if required to do so by law or if such third parties process the information on behalf of Google LLC. Google LLC's privacy policy is available at http://www.google.hu/intl/hu/policies/privacy/.

6. Additional useful information about Google LLC's data-related activities, disabling cookies, and personalizing ads can be found on the Google LLC website: http://www.google.com/intl/hu/policies/privacy/ads/.

7. You can change your Google data management settings here: https://privacy.google.com.

8. Facebook: Dental Angels Kft. uses the Facebook Inc. service on its website. Facebook uses cookies to help analyze the use of the website. The primary purpose of this is to provide you with offers that are more relevant to your interests. This requires that we analyze your activity on our website using Facebook.

9. The information stored by the cookie (including the user's IP address) is stored on Facebook Inc. servers in the United States. Facebook Inc. may transfer the collected information to third parties if required to do so by law or if such third parties process the information on behalf of Facebook Inc. The Facebook Inc. Privacy Policy is available at https://www.facebook.com/privacy/explanation.

10. The Facebook Inc. website provides additional useful information about Facebook Inc.'s data-related activities, disabling cookies, and personalizing ads: https://www.facebook.com/policies/cookies/.

8. DATA PROCESSING, DATA TRANSFER AND TRANSMISSION

1. As a general rule, the Data Controller does not use an external data processor and processes the data it manages itself.

2. In the event that the Data Controller entrusts a third party with accounting, payroll tasks, and/or delivery, package delivery, hosting/server service, system administration or other tasks that qualify as data processing tasks, the data of this partner as a data processor are specified in Annex I to the Regulations.

Data transfer within the Data Controller's organization

3. Data may only be transferred within the Data Controller if the recipient data controller also has access rights to the data(s) to be transferred. The data controller is obliged to obtain information about the recipient data controller's access rights prior to transfer.

4. The data can be accessed by the Data Controller's data controllers available at the following link: https://dentalangels.hu/hu/csapat

Data transfer to a third party other than the Data Controller

5. In order to provide you with high-quality treatment, the Data Controller transfers your data to data processors. The data processors are defined in Annex I.

6. The data controller also transfers your data to various dental technicians in order to ensure that you receive the most appropriate treatment. If you have any questions regarding the data processing dental technicians, we will provide information at the following contact details.

phone number: 0630-291-7500

e-mail: info@dentalangels.hu

7. The Data Controller will do everything expected of it in order to enforce the principles of data protection and to transmit data that is appropriate for the purpose, but as little as possible, to the data processors.

8. In addition to data transfers based on legal authorization, the data controller may transfer data based on and within the scope of the authorization of the data subject, therefore the transfer of data to others or other data outside the authorization is prohibited.

9. Based on legal requirements, we may forward your personal data to the public health department of the competent government office, the competent archive or the body designated by the Government.

10. Electronic Health Service Area (EHS): Dental Angels Kft. is obliged to forward the data of the data subjects using its healthcare services to the Electronic Health Service Area (EHS). The purpose of this data processing is for Dental Angels Kft. to comply with its data provision obligation to the EHS. In the data processing carried out in connection with the EHS, the data controller is the State Health Care Center (Address: 1125 Budapest, Diós árok 3., Telephone number: +36 1 356 1522) and the data processor is Dental Angels Kft.

11. You can find information about data processing in connection with the EESZT on the following page: https://e-egeszsegugy.gov.hu/web/eeszt-informacios-portal/adatvedelem

12. If you wish to exercise your rights regarding the processing of your personal data, please contact the data controller, i.e. the State Health Care Center.

13. If you have any questions regarding data processing carried out by a data processor, or if you wish to exercise your rights, please contact Dental Angels Kft. in the first instance.

9. Rights of data subjects during data processing

As a data subject whose personal data is being processed, you have the following rights in relation to data processing. We inform you that you can exercise your rights below primarily against the data controller. In this data processing, Dental Angels Kft. is the data controller.

1. Your rights as a data subject in relation to data processing

– right to information,

– right of access,

– right to rectification,

– right to erasure, “the right to be forgotten”,

– right to restriction,

– right to object,

– the right to data portability,

– the right to withdraw consent,

– right to complain,

– right to judicial remedy.

2. Right to information

General rules for informing the data subject and the right to information

Before starting data processing, at the latest upon obtaining the data subject's personal data, the data controller must inform the data subject in detail about the information contained in this data processing notice regarding data processing.

The controller is responsible for providing prior information. In addition to the prior information above, you may request information from the controller at any stage of data processing as follows. In this case, the controller must provide the information immediately, but no later than 25 days. The 25-day deadline may only be extended by a maximum of 2 months in justified cases.

The data controller may only refuse to provide information if it proves that the data subject cannot be identified.

If the data controller does not take action, i.e. does not comply with its obligation to provide information, it must inform the data subject within 25 days of the failure to take action, the reason for this, and the data subject's right to lodge a complaint or to go to court in connection with the data processing. This information contains detailed information on the details of the complaint or court remedy below.

The data controller may charge a reasonable fee or refuse to provide information and take action if the data subject's request is clearly unfounded, repetitive or excessive.

3. Right of access of the data subject

The data subject has the right to receive feedback from the data controller as to whether his or her personal data is being processed and, if such processing is taking place, he or she has the right to access the personal data and the following information:

Under the right of access, the data subject must be informed of the following information upon request: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom or to which the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations; d) where applicable, the planned period for which the personal data will be stored; e) the right of the data subject to request from the controller rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data; f) the right to lodge a complaint with the supervisory authority (NAIH); g) if the data were not collected from the data subject, all available information on their source; h) the fact of automated decision-making, including profiling, or the absence thereof, and at least in such cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

The data controller shall provide the data subject with a copy of the personal data subject to processing. For any additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs.

4. Right to rectification

The data subject shall have the right to obtain from the controller, at his or her request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.

5. Right to erasure, “the right to be forgotten”

As a data subject, you have the right to request that the data controller erase personal data concerning you without undue delay, and the data controller is obliged to erase personal data concerning you without undue delay if one of the following reasons applies:

a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

b) if the data processing is based on the data subject's consent (e.g. sending a newsletter), and the data subject withdraws his or her consent to the data processing, and there is no other legal basis for the data processing;

c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing;

d) the personal data have been processed unlawfully;

e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;

f) the personal data were collected in connection with the provision of information society services.

Where the controller has made the personal data public and is obliged to erase them pursuant to paragraph 1, the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the data that the data subject has requested the erasure of links to, or copies or replications of, the personal data concerned.

The controller is not obliged to comply with the request for erasure specified in the above cases if the processing is necessary: a) for the exercise of the right to freedom of expression and information; b) for compliance with an obligation to which the controller is subject under Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; c) for reasons of public interest in the field of public health; d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, and the right to erasure would likely render impossible or seriously jeopardise such processing; or e) for the establishment, exercise or defence of legal claims.

6. Right to restriction of data processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: a) the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period enabling the controller to verify the accuracy of the personal data; b) the processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead; c) the data controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or d) the data subject has objected to the processing; in which case the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the data controller override those of the data subject.

If processing is subject to restrictions as set out above, such personal data may only be processed, with the exception of storage, with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important public interests of the Union or a Member State.

The data controller shall inform the data subject, at whose request data processing has been restricted based on the above, in advance of the lifting of the restriction on data processing.

7. Notification obligation related to the correction or deletion of personal data or the restriction of data processing

The data controller is obliged to inform all recipients to whom the personal data have been disclosed of the rectification, erasure or restriction of processing, unless this proves impossible or involves a disproportionate effort.

8. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where: a) the processing is based on the consent of the data subject (e.g. sending a newsletter) or for the performance of a contractual obligation between the parties; and b) the processing is carried out by automated means.

When exercising the right to data portability as described above, the data subject has the right to request the direct transmission of personal data between data controllers, if technically feasible.

The exercise of the right to data portability shall not prejudice the right to erasure. The right to data portability shall not adversely affect the rights and freedoms of others.

9. Right to object

You, as the data subject, have the right to object at any time to the processing of your personal data on grounds relating to your particular situation. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If personal data are processed for direct marketing purposes (e.g. sending marketing emails to customers), the data subject has the right to object at any time to the processing of personal data concerning him or her for such purposes, including profiling, where it is related to direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, the personal data will no longer be processed for such purposes.

10. Right to withdraw consent

The data subject has the right to withdraw his/her consent to data processing at any time, provided that the legal basis for data processing is the data subject's consent (e.g. sending a marketing newsletter). However, withdrawal of consent does not render data processing prior to withdrawal unlawful.

10. Data security

1. Storage of personal data and security of data processing

Dental Angels Ltd.'s IT infrastructure, storage and other data storage locations are located at its headquarters and sites.

We select and use the IT tools and solutions used for data management, especially security systems, in such a way that the personal data processed is accessible to authorized persons, its authenticity and authentication are ensured, its immutability can be verified, and it is protected against unauthorized access.

We protect your personal data with appropriate measures, in particular against unauthorized access, alteration, data breach, data theft, data leakage, transmission, disclosure, deletion or destruction, as well as accidental destruction and damage, as well as inaccessibility resulting from changes in the technology used.

In order to protect the data files managed in its records, Dental Angels Ltd. uses appropriate technical solutions to ensure that the stored data - except in the case of legal authorization - cannot be directly linked or assigned to the data subject.

Given the current level of technical development, we ensure the security and protection of our data processing with technical and organizational measures that ensure an adequate level of protection for your personal data.

The IT system and network of Dental Angels Ltd. and its partners are protected against computer-assisted harmful human activity (e.g. fraud, espionage, sabotage, vandalism, computer viruses, computer intrusions, etc.), natural hazards (e.g. fire and flood) and other harmful influences (e.g. service outage, etc.). Dental Angels Ltd. ensures the security of its data with server and software-level protection procedures and services.

Dental Angels Kft. protects your personal data during data processing so that only those who are authorized to do so can access it (confidentiality), so that the accuracy and completeness of your personal data and of the processing method are preserved (integrity), and so that authorized users can actually access the personal data when they need it (availability).

We inform the data subjects that personal data is partly transmitted to Dental Angels Kft. via the Internet. Data and electronic messages transmitted over the Internet, regardless of the protocol used (e-mail, web, ftp, etc.), are vulnerable to network threats aimed at unfair activity, contract disputes, or the disclosure or modification of information. In order to eliminate such threats, Dental Angels Kft. takes all security measures that can be expected of it.

2. The data protection incident and its management

According to the European Data Protection Regulation (GDPR), a data breach is a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A data breach is any event or situation in which your personal data may fall into unauthorized hands. We will notify the relevant supervisory authority within 72 hours of becoming aware of the data breach and will also inform you, as the data subject, if the data breach is likely to result in a risk to your rights and freedoms.

11. Legal remedies, right to complain, judicial remedies

1. Right to complain

As a data subject, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you is unlawful. In Hungary, the competent supervisory authority is the National Authority for Data Protection and Freedom of Information (NAIH).

Exercising your right to complain does not exclude the possibility that you, as the data subject, may resort to other administrative or judicial remedies if you consider that the processing of your personal data is being carried out in a manner that violates the law. Therefore, even if you exercise your right to complain, you may also initiate administrative or judicial remedies at the same time.

Complaints can be filed with the National Data Protection and Freedom of Information Authority, whose contact details are as follows:

Name: National Data Protection and Freedom of Information Authority

Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Mailing address: 1530 Budapest, P.O. Box: 5.

Phone: 06 1 391 1400

Fax: 06 1 391 1410

Website: http://www.naih.hu

E-mail: ugyfelszolgalat@naih.hu

2. Right to judicial remedy against the decision of the NAIH or another supervisory authority

If you have contacted the supervisory authority (NAIH) regarding the processing of your data and the authority has made a decision in your case, you, as the data subject of the processing, have the right to initiate a judicial remedy against this decision, i.e. to challenge the decision in court. You have the right to the aforementioned judicial remedy even if the competent supervisory authority (NAIH) does not deal with the complaint or does not inform the data subject within three months about the procedural developments related to the complaint or its outcome.

Proceedings against the supervisory authority (NAIH) must be brought before the courts of the Member State in which the supervisory authority is established.

3. Right to a judicial remedy against the controller or processor

As a data subject, you have the right to seek judicial redress if you consider that your rights in relation to data processing have been violated as a result of the unlawful processing of your personal data. The exercise of the right to judicial redress does not exclude the possibility that you, as a data subject, may resort to other administrative or judicial remedies or exercise your right to lodge a complaint if you consider that the processing of your personal data is unlawful.

Proceedings against the controller or processor shall be brought before the court of the Member State in which the controller or processor is established. In the case of Dental Angels Kft., the courts of its place of business are the Hungarian courts; the court with jurisdiction over the registered office of Dental Angels Kft. is the Pest Central District Court or, in the case of special jurisdiction, the Budapest Metropolitan Court.

4. Liability for damages and compensation for injuries

If the improper data processing has caused damage to you as the data subject, the data controller is liable for compensation for the damage. Damage can be considered if the data processing was unlawful or in breach of contract, and the data subject suffered financial loss as a result. In the event of unlawful data processing, the data subject may also claim damages.

You can primarily assert your claim for compensation or damages against the data controller. The data processor is only liable for compensation if it has violated the rules applicable to it or has not followed the lawful instructions of the data controller. In other words, the data processor is not liable for errors made by the data controller.

Date: October 1, 2018

Dental Angels Ltd.

Dr. Tamás Egerszegi, Managing Director

Dental Angels Budapest Dental Center
Privacy and Data Security Policy
Annex I

With reference to the provisions of the Data Protection and Data Security Policy, the Data Controller hereby notifies and informs the data subjects that the Data Controller

A. Data processor entrusted with the performance of outsourced accounting and payroll tasks:

Name: E&G Economic Consulting Bt.

Headquarters: 2142 Nagytarcsa, Jókai Street 15.

Tax number: 25036419-1-13

Company registration number: 13-06-068324

Represented by: Erzsébet Hegedűs

B. Data processor entrusted with the task of hosting services:

Name: Samuel FB Morse Ltd.

Headquarters: 1029, Budapest, Bocskai Street 2.

Tax number: 12830732-2-41

Company registration number: 01-09-705526

Represented by: István Fekete Jr.

C. IT system maintenance technician:

Company name: First-Aid Ltd.

Registered office: 2049 Diósd, Gerle Street 6.

Company registration number: 13-09-176693

Tax number: 12983414-2-13

Representative: Csaba Papp

D. Enterprise management system operator

Company name: Medadmin Ltd.

Registered office: 6721 Szeged, Juhász Gyula Street 36.

Company registration number: 06-09-009409

Tax number: 13336695-2-06

Representative: György Csík

Email address: support@medadmin.hu

Website: https://www.medadmin.hu

Referring to the provisions of the Data Protection and Data Security Policy, the Data Controller hereby notifies and informs the data subjects that the Data Controller transfers data to the following organizations:

Dental technician Partner(s) in a contractual relationship with the Data Controller

Scope of transmitted data:

name

age

sex

dental status

Expected data processing period: 10 years

Patient Referral Partner(s) in a contractual relationship with the Data Controller

Scope of transmitted data:

name

age

sex

dental status

billing information

Expected data processing period: 10 years

Central Implant Registry

Scope of transmitted data:

name,

place of birth, time of residence,

mother's name,

sex,

implant manufacturer, serial number

Legal basis: Act XLVII of 1997, § 22/B

Expected duration of data processing: 50 years

Electronic Health Service Space

Please refer to the following page for information about the data transmitted:

https://e-egeszsegugy.gov.hu/web/eeszt-informacios-portal/adatvedelem

Legal basis: EMMI Decree 39/2016. (XII. 21.) on detailed rules related to the Electronic Health Service Space.

Date: October 1, 2018

Dental Angels Ltd.

Dr. Tamás Egerszegi

executive
