Privacy Notice

TABLE OF CONTENTS

1. Purpose of the Privacy Notice, general purpose of processing, legal basis, processing policy, definitions
 
2. Data Controller’s data
2.1. Data Protection Officer
 
3. Method of data processing
3.1. Authorised data controllers
3.2. Data recording 
3.3. Data deletion 
3.4. Processing for the purpose of dental care 
3.5. Protection of medical confidentiality 
3.6. Persons present during treatment 
3.7. Right and obligation to information, patient’s right to be informed 
3.8. Informing relatives and other persons
3.9. Right of access to medical documentation

4. Central implant register 
4.1. Information on the legal obligations related to the implant register
 
5. Processing for public health and epidemiological purposes 
 
6. Registration of health and personal identification data 
6.1. Record keeping obligation
6.2. Arrangements for the storage and archiving of medical documentation
6.3. Data security

7. Scope of personal data processed 
7.1. Data provided during e-mail and telephone communication, subscription 
7.2. Processing for the purposes of medical treatment 
7.3. Issue of the invoice 
7.4. Handling complaints 
7.5. Website traffic data (cookies, analytics, remarketing) 
 
8. Transmission, processing, access to data 
8.1. Data processing in relation to accounting 
8.2. Data processing activities related to the sending of newsletters 
8.3. Data processing activities for dental technician 
8.4. Data processing, data transfer based on legal obligations 
8.5. Data processing activities for microscopic examination 
8.6. Data processing in relation to the FLEXI-DENT Dental and Dental Patient Registration System 
 
9. Data subject’s rights and means of redress 
9.1. Right to information 
9.2. Right of access of the data subject 
9.3. Right of rectification 
9.4. Right to erasure 
9.5. Right to restriction of processing 
9.6. Right to data retention 
9.7. Right to object 
9.8. Automated decision-making in individual cases, including profiling 
9.9. Right of withdrawal 
9.10. Right to apply to the courts 
9.11. Data protection authority procedure 

10. Amendments to the Privacy Notice 
 
11. Other provisions 
 

1. Purpose of the Privacy Notice, general purpose of processing, legal basis, processing policy, definitions

Patient data is processed by DENTHA Bt. (hereinafter referred to as the Data Controller, the Company) in accordance with the provisions of this Privacy Notice. The provision of the data is voluntary or based on a legal authorisation. In the case of processing based on voluntary consent, the data subjects may withdraw their consent at any stage of the processing.

In certain cases, the processing, storage and transmission of some of the data provided may be required by law and we will inform our customers separately. We draw the attention of those who provide data to DENTHA Bt. that if they do not provide their own personal data, the data provider is obliged to obtain the consent of the data subject.

Purpose of the processing of health and personal data (Article 4(1) of the Health Data Act):

  • To promote the preservation, improvement and maintenance of health,

  • to promote the effective medical treatment of patients by the health care provider, including specialist supervision,

  • monitoring the health status of the person concerned,

  • taking measures necessary in the interests of public health and epidemiology,

  • enforcing patients’ rights

  • transmission of data to the social security system in the case of services financed by the OEP.

Pursuant to Article 4(2) of the Health Data Act, health and personal data may be processed for the following purposes in addition to those specified above, in cases specified by law:

  • training of health professionals,

  • medical-scientific and epidemiological examination, analysis, planning and organisation of health care, cost planning,

  • statistical analysis,

  • anonymisation for impact assessment purposes, scientific research,

  • to facilitate the work of bodies carrying out official or regulatory controls, professional or regulatory supervision of bodies or persons handling health data, where the purpose of the control cannot be achieved by other means, and to carry out the tasks of bodies financing health care,

  • the award of social security or social benefits, where this is based on health status,

  • to check the prescription and provision of services to persons entitled to health care under the compulsory health insurance scheme and compliance with the rules on the prescription of medicines, medical appliances and medical treatment,

  • and the financing of the benefits provided to beneficiaries under a contract governed by special legislation and the settlement of the premium,

  • law enforcement and crime prevention under the powers conferred on it by Act XXXIV of 1994 on the Police,

  • the performance of the tasks provided for in Act CXXV of 1995 on the National Security Services, within the scope of the authorisation granted therein,

  • administrative procedure,

  • misdemeanour proceedings,

  • prosecution proceedings,

  • judicial proceedings,

  • accommodation and care of the person concerned in a non-medical institution,

  • the assessment of suitability for employment, whether in the context of an employment relationship, a civil servant, a civil service relationship, a professional service relationship or any other legal relationship,

  • the assessment of suitability for the purposes of public education, higher education and vocational training,

  • the assessment of suitability for military service or for personal defence duties,

  • unemployment benefits, employment promotion and related checks.

  • to check the ordering and provision of services to persons entitled to health care benefits under compulsory health insurance, to check compliance with the rules on the ordering of medicines, medical aids and medical treatment in an economical manner, to check the financing of benefits provided to beneficiaries under contracts governed by special legislation, to check the settlement of reimbursement of prices, to check the assessment and payment of social security benefits and to check the repayment and reimbursement of benefits paid,

  • investigating and recording occupational accidents and illnesses, including cases of increased exposure, and taking the necessary occupational safety and health measures,

  • the ethics procedure for health workers,

  • establishing the effectiveness of medicines and medical devices receiving performance-based funding, the funding of such medicines and the procedures for financing the treatment of such diseases,

  • organisation of patient journeys,

  • evaluation and improvement of the quality of health services, regular review and improvement of the evaluation criteria for health services,

  • monitoring, measuring and evaluating the performance of the health system,

  • to promote effective and safe medication and cost-effective drug therapy for health care beneficiaries,

  • enforcing rights to cross-border healthcare within the European Union.

Health and personal data may also be processed for purposes other than those set out above with the written informed consent of the data subject or his or her legal representative or authorised representative (hereinafter together referred to as “legal representative”). For the purposes of the processing as set out above, only the amount and type of health and personal data strictly necessary for the purposes of the processing may be processed.

General legal basis of the data processing:

The legal basis for the processing is the Health Data Act and, in the case of mandatory data transmission to the competent authority as required by the Healthcare Act (including mandatory data transmission to the OEP if the patient uses the health care service at the expense of social security), the fulfilment of a legal obligation pursuant to Article 6(1)(c) of the GDPR. In other cases, the legal basis for data processing is the performance of a contract with the Data Controller as a health care provider, pursuant to Article 6(1)(b) of the GDPR. The processing of e-mail addresses for the purpose of subscribing to the newsletter is based on the consent of the data subject, while the use of cameras installed in the premises of the Controller’s clinic is based on the legitimate interest of the Controller in the security of property pursuant to Article 6(1)(f) of the GDPR.

The Data Controller’s data management principles are in accordance with the applicable data protection legislation, in particular the following:

  • Act CXII of 2011 – on the Right to Informational Self-Determination and Freedom of Information (Info Act);

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Regulation (EC) No 95/46/EC (General Data Protection Regulation, GDPR);

  • Act V of 2013 – on the Civil Code (Civil Code);

  • Act C of 2000 – on Accounting (Accounting Act);

  • Act LIII of 2017 – on the Prevention and Combating of Money Laundering and Terrorist Financing (PMT Act);

  • Act CLIV of 1997 – on Health Care (Healthcare Act)

  • Act XLVII of 1997 – on the processing and protection of health and related personal data (Health Data Act)

  • Decree No 62/1997 (XII. 21.) of the Ministry of Welfare on certain aspects of the processing of health and related personal data.

DENTHA Bt., as data controller, is responsible for compliance with the following:

  • process personal data lawfully and fairly and in a transparent manner for the data subject (“lawfulness, fairness and transparency”);

  • process personal data for specified, explicit and legitimate purposes only and not in a way incompatible with those purposes (“purpose limitation”);

  • ensure that the personal data processed are adequate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”);

  • ensure that the personal data are accurate and, where necessary, kept up to date and take all reasonable steps to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without undue delay (“accuracy”);

  • store the personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“limited storage”);

  • process personal data in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (“integrity and confidentiality”), by implementing appropriate technical or organisational measures.

Definitions

Data Subject: any specified natural person who is identified or identifiable, directly or indirectly, on the basis of personal data;

Personal data: data that can be associated with the data subject, in particular the name, the identification mark and one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of the data subject, and the conclusion that can be drawn from the data concerning the data subject;

Special categories of data: personal data revealing racial or ethnic origin, political opinions or affiliations, religious or philosophical beliefs, membership of an interest group, sex life, and personal data concerning health, disease or criminal offences;

Health data: any data relating to the physical, mental or psychological state of the data subject, his or her pathological condition, pathological addiction, the circumstances of the illness or death, the cause of death, communicated by him or her or by another person, or detected, examined, measured, mapped or derived by the healthcare network; and any data relating to or affecting any of the foregoing (e.g. behaviour, environment, occupation);

Health care: any activity aimed at the preservation of health and the direct examination, treatment, care, medical rehabilitation or processing of the examination material of the person concerned for the purpose of the prevention, early detection, diagnosis, cure, maintenance or improvement of the state of deterioration of health resulting from the disease, including the provision of medical care, rescue and ambulance services, and obstetric care;

Urgent need: a sudden change in a person’s state of health which, in the absence of immediate medical care, would place that person in imminent danger of death or serious or permanent impairment of health;

Patient carer: a medical specialist, a healthcare professional or any other person involved in the treatment of the person concerned;

Medical confidentiality: medical and personal data which have come to the knowledge of the data controller in the course of treatment, as well as other data relating to necessary or ongoing treatment or treatment which has been completed, and other data obtained in connection with the treatment;

Medical documentation: any record, register or any other form of information, irrespective of its medium or form, containing medical and personal data which has come to the attention of the healthcare provider in the course of treatment;

Consent: a voluntary and explicit indication of the data subject’s wishes, based on appropriate information, by which he or she gives his or her unambiguous agreement to the processing of personal data concerning him or her, whether in full or in part, and whether or not the processing is based on specific operations;

Close relative: spouse, relative in the direct line, adopted, step and foster child, adoptive, step and foster parent, as well as brother or sister and life partner.

Objection: a statement by the data subject objecting to the processing of his or her personal data and requesting the cessation of the processing or the erasure of the processed data;

Controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are processed, takes and executes decisions regarding the processing (including the means used) or has them executed by a processor on its behalf;

Data processing: any operation or set of operations which is performed upon data, whatever the means used, in particular any collection, filming, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data or any prevention of their further use, taking of photographs, sound recordings or images, or any other physical means of identification of a person (e.g. fingerprints, palm prints, DNA samples, iris scans);

Transmission: making data available to a specified third party;

Disclosure: making the data available to anyone;

Erasure: rendering data unrecognisable in such a way that it is no longer possible to recover it;

Data marking: the marking of data with an identification mark to distinguish it;

Data blocking: the marking of data with an identifier in order to limit their further processing permanently or for a limited period of time;

Data processing: the performance of technical tasks related to data processing operations, irrespective of the method and means used to perform the operations and the place of application, provided that the technical task is performed on the data;

Data processor: a natural or legal person or unincorporated body which processes data on the basis of a contract with the controller, including a contract concluded pursuant to a legal provision;

Third party: a natural or legal person or unincorporated body other than the data subject, the controller or the processor;

Data Breach: unlawful processing or handling of personal data, in particular unauthorised access, alteration, transmission, disclosure, erasure or destruction, accidental destruction or accidental damage.
 

2. Data Controller’s data

  • DENTHA Dental Betéti Társaság

  • Registered office.

  • Tax number: 21751567-1-06

  • Company registration number: 06-09-008375

  • Issuing court: Szeged Court of Registration

  • Electronic mail address: info@dentha.hu

  • Telephone contact: +36 30 206 9532

2.1. Data Protection Officer

Name: Szilvia Tóth

Address: 6721 Szeged, Osztrovszky u. 12.

E-mail: tothszilvia@dentha.hu
 

3. Method of data processing

3.1. Authorised data controllers:

Within the health care network, unless otherwise provided by law, the following are entitled to process health and personal data:

    • the patient care provider,

    • the head of the provider, or

    • a person authorised by the head of the provider.

In the processing of health and personal identifying data, the security of the data against accidental or intentional destruction or accidental loss, destruction, alteration, damage, disclosure and access by unauthorised persons must be ensured.

3.2. Data recording:

The date of the data recording and the identity of the data recorder must be recorded in the medical documentation. All records and entries in the patient’s documentation must be authenticated by signature or handwriting and, if necessary, by date, and in the case of electronic data processing, the clear identification of the person making the entry must be ensured. The Data Controller shall record and store the personal data provided by the data subject (name, date and place of birth, mother’s name, address) and the health data recorded before or during the treatment in an electronic database.

The processing of personal data in relation to information society services offered directly to children is lawful once the child has reached the age of 16. In the case of children under the age of 16, the processing of personal data of children is lawful only if and to the extent that consent has been given or authorised by the person having parental authority over the child (legal representative).

Where the data subject voluntarily consents to the healthcare network, his/her consent to the processing of his/her medical and personal data relating to the treatment shall be deemed to have been given, unless he/she has stated otherwise, and the data subject (legal representative) shall be informed thereof.

In cases of urgency and lack of capacity of the person concerned, there should be a presumption of voluntariness.

3.3. Data deletion:

Data can only be deleted on the basis of this Notice. Data deletion must comply with data protection regulations, in particular with regard to unauthorised access. In case of deletion, manually processed data must be physically destroyed and, in case of electronically stored data, irreversibly altered. The deletion of data may be carried out with the authorisation of the Data Controller’s manager. The images and sounds recorded during the camera recordings shall be automatically deleted after a maximum of 30 days, unless they are used as evidence in an offence or criminal prosecution, in which case the Controller may only forward the images and sounds to the investigating authority.

3.4. Processing for the purpose of dental care:

In the course of dental and oral surgery treatment, the Data Controller records personal data of the person (data subject) who has undergone the treatment and the health data necessary for the proper performance of the treatment. The data subject or his/her legal representative shall provide the health and personal identification data to the Data Controller in order to fulfil the contract with the Data Controller as a health care provider.

The data subject (legal representative) shall provide health and personal identification data at the request of the healthcare provider,

    • if it is probable or established that he or she is infected by a disease agent or suffers from poisoning or infectious diseases of infectious origin,

    • where it is necessary for the purposes of screening and aptitude tests,

    • in the case of acute poisoning,

    • where it is likely that the person concerned is suffering from an occupational disease,

    • where the provision of the data is necessary for the treatment, health care or protection of a minor child,

    • where the competent authority has ordered the investigation for the purposes of law enforcement, crime prevention, prosecution, judicial proceedings or proceedings by the administrative authorities or in the course of administrative proceedings,

    • if the provision of the data is necessary for the purpose of verification under the Act on National Security Services.

During medical treatment, data in accordance with professional rules must be recorded in the medical documentation. It is up to the dentist providing the treatment to decide which health data, in addition to the compulsory data, should be recorded in accordance with the professional rules. The recording of data should avoid recording data that are not directly related to the treatment of the patient. The management of medical documentation during treatment should be organised in such a way that the records and the patient’s personal data can be accessed by the persons who are responsible for the treatment of the person receiving the treatment. Dental technicians employed by the Data Controller shall have the right to access patient data to the extent necessary for the preparation of the dental prosthesis, and dental technicians shall be subject to the provisions of this Notice.

3.5. Protection of medical confidentiality:

The patient care provider and other persons employed by the provider (Data Controller) are bound by a duty of confidentiality, without time limitation, with regard to data relating to the patient’s medical condition and other data that they have obtained in connection with their work. The duty of confidentiality applies irrespective of the manner in which the data were obtained. The duty of confidentiality shall also apply to a carer who has not cooperated in the treatment of the patient, unless the data are necessary for the further treatment of the person treated.

The obligation of confidentiality may be waived in writing by the patient or by a statutory obligation to provide information. In order to protect medical confidentiality, it is necessary that all employees of the provider undertake to maintain medical confidentiality. The undertaking must be included in or attached to the employee’s job description. The data subject (patient) has the right to declare to whom information about his/her illness, its likely outcome, may be disclosed and to whom partial or total access to his/her medical data is excluded. The health data of the patient concerned shall be disclosed even in the absence of the patient’s consent, where it is

    • required by law,

    • necessary to protect the life, physical integrity or health of others.

3.6. Persons present during treatment:

The patient has the right to have present during his examination and treatment only those persons whose participation in the treatment is necessary or those to whose presence the patient has consented, unless otherwise provided by law.

The following may be present without the consent of the person concerned, with respect for his/her human rights and dignity:

    • another person, if the treatment regime requires the simultaneous care of several patients,

    • a professional member of the police, if the treatment is administered to a person in custody,

    • a serving member of the prison service, if the treatment is given to a person serving a custodial sentence in a prison and is necessary for the safety of the treating carer or to prevent escape,

    • if, in the interests of law enforcement, the personal safety of the patient so requires and the patient is incapable of making a statement.

In addition to the above, the following may be present:

    • a person who has already treated the patient for the disease in question,

    • a person who has been authorised by the head of the healthcare provider for professional reasons. In this case, the express objection of the person receiving treatment must be accepted.

For the purposes of training of health professionals, a doctor, medical student, health professional, student or pupil of a health college, health professional school or health vocational school may be present during the treatment with the consent of the person concerned (his/her legal representative).

Consent may also be given orally by the person receiving treatment to the dentist providing the treatment. The human rights and dignity of the patient must be respected.

3.7. Right and obligation to information, patient’s right to be informed:

The patient must be informed of the provider’s data protection order before the start of patient care. The patient is informed about data protection when he/she attends in person at the reception. The patient confirms that he/she has been informed by signing the data protection consent form. The patient’s documentation shall be accompanied by any restrictive declaration by the patient. The information on the treatment of the patient shall be provided by the dentist treating the patient. Information on the nursing aspects of the patient’s treatment may also be provided by the healthcare professional attending to the patient. Information on the patient’s treatment shall not be provided by a dental nurse or other staff member unless authorised by the dentist treating the patient. The information shall be provided in person.

The treating dentist shall inform the person concerned directly of any medical data concerning him/her which he/she has ascertained. In the case of a psychiatric patient, the patient’s right of access to the medical documentation may exceptionally be restricted if there are reasonable grounds to believe that the patient’s recovery would be seriously compromised or the privacy of another person would be violated if the medical documentation were disclosed. Only the dentist is entitled to order the restriction. The patient’s legal representative and the patient’s legal or authorised representative must be informed of the restriction without delay.

3.8. Informing relatives and other persons:

When registering with the provider or at a later date, the patient may decide to whom partial or full information about his/her illness, its probable outcome, changes in his/her state of health may be disclosed and who may be excluded. The patient shall be informed of the possibility of making such provision.

3.9. Right of access to medical documentation:

The patient (or his/her legal representative) has the right to be informed of his/her personal identity and medical data and the right to consult the medical documentation. The medical documentation is held by the health care provider and the patient has the right to access the medical documentation.

The patient has the right to

    • be informed of the treatment of his/her data in the context of medical treatment;

    • access the medical data concerning him/her;

    • have access to the medical documentation and to obtain extracts or copies thereof or to have copies made at his/her own expense;

    • obtain, at his/her own expense, a written summary or abstract of his/her health data for justified purposes;

    • receive a final report in cases provided for by law.

During the period of treatment, the person authorised in writing by the patient or, after the end of treatment, the person authorised by the patient in a private document with full probative value, is entitled to request or receive a copy.

In the event of the death of the person concerned, his or her legal representative, close relatives and heirs have the right to obtain access to, and copies of, medical documentation relating to the cause of death or which may be related to the cause of death and to his or her medical treatment prior to the death, unless otherwise previously provided. The applicant shall provide documentary evidence of such entitlement. The copy or copies may be issued only on the basis of an application in the form of an original private document with full probative value. The original of the request must be kept with the file (medical documentation).

When medical documentation is released, the requested documents shall be released as recorded in the system. The Data Protection Officer is responsible for the release of the documents. The fact of release shall be recorded in the documentation and in separate records. The identity or authorisation of the recipient must be verified prior to release. The fact of such verification shall be recorded, together with the identity and identity card number of the recipient. If the documentation is requested by another authorised person, the authorisation document must also be attached to the patient documentation.

Medical documentation may be released only with the authorisation of the administrator in the following cases:

a) only when a request is received from the police or other public authority;

b) request from an attorney-at-law;

c) a request relating to a claim for compensation in connection with health care.

If the medical documentation of a patient also contains information concerning another person’s right to privacy, the right of access or the right to obtain a copy may be exercised only in respect of the part of the medical documentation relating to the patient.

The patient who is able to act may, by a declaration in a public document, a private document having full probative value or, if he is legally incompetent, in the presence of two witnesses:

a) name the person who has the capacity to give consent or to refuse to give consent on his behalf or who must be informed;

b) with or without the person specified in point a), exclude any of the persons named above from exercising the right to give consent or to refuse consent or from being informed.

Where the patient is incapacitated and there is no person entitled to make the declaration referred to above, the persons entitled to exercise the right of consent and refusal within the limits set out in the preceding paragraph shall be, in the order indicated, the following:

a) the patient’s legal representative;

b) in the absence of such a person, the following competent person living in the same household as the patient:

  1. his/her spouse or partner;

  2. in the absence of such a person, his/her child;

  3. in the absence of such a person, his/her parent;

  4. in the absence of such a person, his/her brother or sister,

  5. in the absence of such a person, his/her grandparent,

  6. in the absence of such a person, his/her grandchild;

c) in the absence of a relative as referred to in b), the following person who is not living in the same household as the patient and who has the capacity to act:

  1. his/her child;

  2. in the absence of such a person, his/her parent;

  3. in the absence of such a person, his/her brother or sister;

  4. in the absence of such a person, his/her grandparent,

  5. in the absence of such a person, his/her grandchild.

The right of access to the records of persons pursuant to Article 16 (1) and (2) of the Health Care Act, minors with limited capacity to act and persons with partially limited capacity to act in exercising rights related to health care shall be granted to the patient, the person named in the power of attorney, or in the absence of such a person, the legal representative.

In case of urgent need, any medical and personal data known to the treating physician which may be relevant to the treatment may be transmitted without the consent of the person concerned.
 

4. Central Implant Register

4.1. Information on the legal obligations related to the implant register:

If an implant is implanted, removed or replaced in connection with the treatment of the patient concerned, the Data Controller is obliged to transfer the data of the register containing the data pursuant to Article 101/C (1) of Act CLIV of 1997 on Health Care to the central implant register for the purpose of further treatment of the person undergoing the implantation, removal and replacement of the implant, monitoring of his/her health, rapid response to unexpected events and checking the conformity of implantable medical devices. The health insurance body operating the central register of implants shall establish a contact code for the personal identification data. The health insurance body shall generate the link code for all personal data on the basis of the same coding method, in such a way that it does not allow any reverse engineering of personal data and that all transmissions of data for the same patient, irrespective of the healthcare provider performing the intervention, are linked to the same link code.

The contact code as referred to above shall be sent by the health insurance authority to the healthcare provider keeping the register via the IT application it operates. The contact code shall be indicated in the medical documentation, including in the final report given to the patient. The body designated to carry out official tasks in relation to medical devices may, for the purpose of carrying out official tasks in relation to medical devices, obtain access to non-personally identifiable data in the central implant register with a contact code.

The health insurance body shall provide the public health administration body and the body responsible for professional quality assessment with information by electronic means on request within 8 days, or without delay if necessary to protect the health of the persons wearing the implants, with information on the non-personally identifiable data stored in the central implant register, with a contact code.

Upon request of the health care provider, including the contact code indicated in the patient documentation, the health care authority shall immediately provide information by electronic means, including the contact code, on the data stored in the central implant register, in relation to the previous implant procedure performed on the person treated by the health care provider.

If it is necessary for the prevention or remedying of an urgent need or a dangerous condition with regard to the person wearing the implant and the last health care provider providing implant-related care has ceased to exist without legal succession or the medical documentation cannot be obtained or can be obtained with significant delay, the body designated to perform official tasks in relation to medical devices may obtain the data pursuant to Article 101/C (1) a) of the Health Care Act in order to contact the person concerned and inform him/her of the actions necessary to protect his/her health.

Data stored in the central implant register shall be deleted 50 years after the last transmission of data relating to the data subject.
 

5. Data processing for public health and epidemiological purposes

The health care provider shall immediately transmit the health and personal identification data to the public health administration if a communicable disease is detected or suspected. The municipal institute of the National Public Health Centre may request the personal identification data of the person concerned on the grounds of public health or epidemiological public interest.
 

6. Registration of health and personal identification data

6.1. Record keeping obligation:

The health and personal identification data recorded on the data subject and necessary for the purposes of medical treatment, as well as their transmission, must be recorded. The record of the transfer must include the recipient of the transfer, the method and date of the transfer and the scope of the data transferred. The means of recording may be any data storage device which ensures that the data are protected against intentional destruction, erasure, alteration, damage, disclosure and unauthorised access. The patient provider’s own records shall form part of the register.

6.2. Arrangements for the storage and archiving of medical documentation:

Records relating to the examination and treatment of the patient are contained in the medical documentation. The medical documentation shall be kept in such a way as to reflect the process of care in a true and fair manner.

The medical documentation shall indicate

    • the identity of the patient,

    • the name, address and contact details of the person to be notified in the case of a patient with capacity, and the name, address and contact details of the legal representative in the case of a minor or a person under guardianship,

    • medical history,

    • the results of the first examination,

    • the results of the tests on which the diagnosis and the plan of care are based, and the date on which the tests were carried out,

    • the name of the disease justifying the treatment, the underlying disease, concomitant diseases and complications,

    • any other disease not directly justifying the treatment and the risk factors,

    • the duration and outcome of the interventions carried out,

    • data on the patient’s hypersensitivity to medication,

    • the name of the health professional making the entry and the date of entry,

    • the content of the information provided to the patient or other person entitled to receive the information,

    • the fact of consent or refusal and the date thereof,

    • any other data and facts which may influence the patient’s recovery.

The following must be kept as part of the medical documentation:

    • the findings of each examination,

    • documents generated during treatment and consultation,

    • records of diagnostic imaging procedures.

In the case of medical documentation, particular attention should be paid to ensuring that it is detailed, professional, legible and retrievable. Pursuant to Article 30(1) of the Health Data Act, the retention period of medical documentation is at least 30 years from the date of recording (50 years for final reports and 10 years for diagnostic imaging records). The Data Controller shall establish its own rules for the storage of medical documentation. During storage, the Data Controller shall ensure that the documentation is protected against unauthorised access, theft, falsification and physical destruction.

6.3. Data security

The Data Controller and the processors undertake to ensure the security of the data. Taking into account the state of the art and the cost of implementation, the nature, scope, context and purposes of the processing, the rights and freedoms of natural persons and the likelihood and severity of the risk, they shall also take the technical and organisational measures and establish the rules of procedure needed to ensure that the data recorded, stored or processed are protected and to prevent their destruction, unauthorised use or alteration. They also undertake to require all third parties to whom data is transferred or disclosed on the basis of the Users’ consent to comply with the requirement of data security.

The Data Controller shall use its best endeavours to ensure that the processed data cannot be accessed, disclosed, transmitted, modified or deleted by unauthorised persons. The processed data may only be accessed by the Data Controller and its Employees and their data processor(s) and shall not be disclosed by the Data Controller to any third party not entitled to access the data.

The Data Controller shall use its best efforts to ensure that the data are not accidentally damaged or destroyed. The Data Controller shall impose the above commitment on its Employees involved in the processing activity.

The Controller and processors shall ensure a level of data security appropriate to the level of risk, including, where applicable:

  • pseudonymisation and encryption of personal data,
  • the continued confidentiality, integrity, availability and resilience of the systems and services used to process personal data,
  • the ability to restore access to and availability of personal data in the event of a physical or technical incident in a timely manner,
  • a procedure for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures taken to ensure the security of data processing.

In determining the appropriate level of security, explicit account shall be taken of the risks arising from the processing, in particular from accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed.
 

7. Scope of personal data processed

7.1. Data provided during e-mail and telephone communication, subscription

On our website, patients have the possibility to request communication and consultation by telephone or e-mail. In order to be able to fulfil this request, the following data must be provided:

Purpose of data processing: telephone, e-mail enquiries

Scope of data processed:

  • name
  • e-mail address
  • telephone number
  • X-ray (possible content)

Legal basis of data processing: voluntary consent [Processing under Article 6(1)(a) of the Regulation]

Data storage location: electronically

Data retention: The Company will only process personal data collected for the purposes of this e-content for as long as the information requires. After that, the data will be deleted.

Data recipient: -

Purpose of data processing: data management related to booking an appointment

Scope of data processed:

  • name
  • telephone number
  • e-mail address
  • date of treatment

Legal basis of data processing: necessary for medical treatment and legally required

Data storage location: electronically, paper-based

Data retention: by the booked appointment

Data recipient: -

7.2. Processing for the purposes of medical treatment

For the purposes of treatment, it is essential that we obtain personal and medical data from the data subject to the extent specified by the treating physician. The collection of health data is part of the medical treatment. The treating doctor decides which health data, in addition to the mandatory data, are necessary for the success of the treatment in accordance with the professional rules.

Purpose of data processing: specialised outpatient care (medical treatment)

Scope of data processed:

  • name
  • place and date of birth
  • social security number
  • mother’s name
  • address
  • telephone number
  • date of treatment
  • mandatory information to be included in the medical records (6.2)
  • documents generated during the medical records

Legal basis of data processing: necessary for medical treatment and legally required [Processing under Article 6(1)(b) and (c) of the Regulation]

Data storage location: electronically and paper-based

Data retention: Pursuant to Article 30(1) of the Health Data Act, the retention period of medical records is at least 30 years from the date of data recording (50 years for final reports and 10 years for diagnostic imaging records). For data stored in the EESZT, 5 years from the death of the person concerned (Article 35/F (3) of the Health Data Act).

Data recipient: In the course of data processing activities, the data may be transferred to the OEP, the EESZT, the Implant Registry and Betodent Kft. (6721 Szeged, Osztrovszky u. 12.).

7.3. Issue of the invoice

Data processing is carried out in order to issue invoices in accordance with the law and to comply with the obligation to keep the accounting document. Pursuant to Article 169 (1) to (2) of the Tax Act, companies must keep accounting documents that directly and indirectly support the accounting.

Purpose of data processing: creating invoices

Scope of data processed:

  • name
  • address
  • invoice data

Legal basis of data processing: legally required [Processing under Article 6(1)(c) of the Regulation]

Data storage location: electronically and paper-based

Data retention: Pursuant to Section 159 (1) of Act CXXVII of 2007 on Value Added Tax, the issue of an invoice is mandatory and must be kept for 8 years pursuant to Section 169 (2) of Act C of 2000 on Accounting.

Data recipient:

  • Health Insurance Funds (if applicable)
  • Accountant: Book-L 2000 Bt. (address: 6772 Deszk, Petőfi u. 25.)

7.4. Handling complaints

The data management process is used to handle complaints about the service.

Purpose of data processing: handling complaints

Scope of data processed:

  • name
  • e-mail address
  • telephone number
  • address (if any)
  • health care documentation

Legal basis of data processing: legal obligation on the controller [Processing under Article 6(1)(c) of the Regulation]

Data storage location: electronically

Data retention: Under Article 17/A (7) of Act CLV of 1997 on Consumer Protection, we are obliged to keep the complaint for 5 years. [Processing under Article 6(1)(c) of the Regulation]

Data recipient: The court or consumer protection organisation handling the case.

7.5. Data processing related to the sending of the newsletter

The purpose of the processing of data related to the sending of newsletters is to provide patients with comprehensive general or personalised information.

The personal data provided will be stored by the Company on a separate list, which will be kept separately from the data provided to the Company for other purposes and will be accessible only to the Company’s authorised employees and data processors. The list or the data will not be disclosed to any unauthorised third party and all security measures will be taken to ensure that they cannot be disclosed to unauthorised persons.

Purpose of data processing: marketing

Scope of data processed:

  • name
  • e-mail address
  • address

Legal basis of data processing: voluntary consent [Processing under Article 6(1)(a) of the Regulation]

Data storage location: electronically

Data retention: 5 years

Data recipient: Dentha Bt.

The Company will process the personal data collected for this purpose only for as long as it intends to inform the data subject by means of the newsletter or until the data subject unsubscribes from the newsletter list.

You may unsubscribe from the newsletter at any time by unsubscribing at the bottom of the e-mails and by sending an unsubscribe request to the e-mail address info@dentha.com. You can unsubscribe by post to DENTHA Bt. (6721 Szeged, Osztrovszky u. 12.).

The Company will review the newsletter list every five years and will ask for confirmation consent to send the newsletter after five years. The data of the data subject who does not give his/her confirmation consent to the sending of the newsletter will be deleted by the Company within 30 (thirty) days after the delivery of such e-mail.

7.6. Website traffic data (cookies, analytics, remarketing)

What is a cookie?

The Data Controller uses so-called cookies when you visit the website. A cookie is a set of information consisting of letters and numbers that our website sends to your browser in order to save certain settings, facilitate the use of our website and help us to collect some relevant statistical information about our visitors. Cookies do not contain any personal information and are not used to identify an individual user. Cookies often contain a unique identifier – a secret, randomly generated sequence of numbers – that is stored on your device. On the website, we use remarketing codes to track visits to specific pages so that we can subsequently provide targeted marketing messages to visitors to those pages.

Visitors to this website can disable the cookies that provide remarketing codes by selecting the appropriate browser settings.

Legal basis for data processing

Your voluntary consent.

The background for data processing is provided by Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (Info Act) and Act CVIII of 2001 on certain aspects of electronic commerce services and information society services.

Duration of data processing

Some cookies are deleted after the website is closed and some are stored on your computer for a longer period.

If you do not accept the use of cookies, certain features will not be available to you. For more information on how to delete cookies, please click on the links below:

Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/deletemanagecookies#ie=ie-11

Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-yourcomputer

Chrome: https://support.google.com/chrome/answer/95647?hl=en

Safari: https://support.apple.com/kb/ph21411?locale=en_US

Google Analytics

Our website uses Google Analytics, which uses internal cookies to compile a report for our customers on the habits of website users.

Google uses this information on behalf of the website operator to evaluate how users use the website. As an additional service, Google will compile reports on website activity for the website operator so that it can provide additional services.

The data is stored by Google’s servers in encrypted form to make misuse more difficult and to prevent it.

You can disable Google Analytics by following these steps. Quote from the page:

Site users who do not want Google Analytics to generate JavaScript reports about their data can install the Google Analytics opt-out browser extension. The extension will prevent Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sending information to Google Analytics. The browser extension can be used in most recent browsers. The Google Analytics browser add-on does not prevent data from being sent to the website itself and other web analytics services.

https://support.google.com/analytics/answer/6004245?hl=hu

Google Privacy Policy: https://policies.google.com/privacy?hl=hu

More detailed information on the use and protection of data can be found at the links above.

Data protection in detail:

https://static.googleusercontent.com/media/www.google.com/en//intl/hu/policies/privacy/google_privacy_policy_hu.pdf

Other Google services

The Website uses codes of the following services that place cookies on the visitor’s device:

Google Adwords Conversion Tracking: Google recognises when a user clicks on an ad and is redirected to a specific page. Google uses this conversion information to generate conversion statistics for AdWords customers. AdWords clients will also receive the total number of users who clicked on their ad and the number of users who were redirected to a Conversion-Tracking-Tag page. However, they do not receive any personal information about the users. These cookies can be turned off by disabling the browser cookies from the “www.googleadservices.com” domain.

Google Tag Manager: It replaces the tags that it uses to collect data on its own behalf. Google Tag Manager does not have access to this data.

For more information about Google’s privacy policy, please visit: https://policies.google.com/privacy?hl=hu

You can disable the cookies used by Google at www.google.com/privacy/ads. However, if you disable cookies, you may not be able to use all the functions of this website.

 

8. Transmission, processing, persons who have access to data

The controller, with the exception of the following paragraph, and the processor shall be bound by the obligation of medical confidentiality. This shall also apply to persons employed by or otherwise engaged in an employment relationship with the controller. Other persons carrying out activities related to the treatment of a patient may collect and process health data in accordance with the instructions of the treating physician and to the extent necessary for the performance of their tasks.

The controller is exempted from the obligation of confidentiality if

a) the transfer of the health and personal data has been agreed in writing by the data subject or his or her legal representative, within the limits set out in the consent; and

b) the transfer of the health and identity data is required by law.

The data subject shall have the right to be informed of the processing of data in the context of medical treatment, to obtain access to his or her health and personal data, to consult and obtain copies of medical documentation at his or her own expense.

8.1. Data processing in relation to accounting

Name of the data processor: Könyv-L Bt.

Registered seat of the data processor: 6772 Deszk, Petőfi u. 25.

Phone number of the data processor: 06 20 461 8813

E-mail address of the data processor: konyvl2000@gmail.com

The Data Processor contributes to the accounting records on the basis of a written contract with the Data Controller. In doing so, the Data Processor shall process the name and address of the data subject to the extent necessary for the accounting records, for the period of time pursuant to Article 169 (2) of the Accounting Act, after which it shall delete them without delay.

8.2. Data processing activities related to the sending of newsletters

Name of the data processor: Dentha Bt.

Registered seat of the data processor: 6721 Szeged, Osztrovszky u. 12.

Phone number of the data processor: 06 30 206 9532

E-mail address of the data processor: info@dentha.hu

The Data Processor contributes to the sending of newsletters on the basis of a contract with the Data Controller. In doing so, the Data Processor shall process the name and e-mail address of the data subject to the extent necessary for sending the newsletter and shall delete it without delay at the request of the data subject.

8.3. Data processing activities for dental technician

Name of the data processor: Alfa-Omega Dent Kft.

Registered seat of the data processor: 6721 Szeged, Pusztaszeri u. 26.

Phone number of the data processor: 06 20 927 2591

E-mail address of the data processor: alfaomegadent@gmail.com

Name of the data processor: H-Team Kft

Registered seat of the data processor: 6723 Szeged, Hóbiárt Basa u. 6. II/6

Phone number of the data processor: 06 30 831 1478

E-mail address of the data processor: labor.dsl@hotmail.com

Name of the data processor: Kapás Dentart Kft

Registered seat of the data processor: 6725 Szeged, Hattyas u. 12/d.

Phone number of the data processor: 06 62 484 997

E-mail address of the data processor: labor@kapasdentart.hu

Name of the data processor: Vörös Labor Kft

Registered seat of the data processor: 6721 Szeged, Bárka u. 1.

Phone number of the data processor: 06 62 426 284

E-mail address of the data processor: voroslabor.szeged@gmail.com

The Data Processor contributes to the performance of dental work on the basis of a contract with the Data Controller. In doing so, the Processor processes the personal and medical data of the data subject to the extent necessary for the dental work.

8.4. Data processing, data transfer based on legal obligations

In the case of data processing and data handling, health and personal identification data may be transmitted and linked within the health care network. Health data and social security numbers may also be transmitted and linked between the health care network and the health insurance body in order to perform the task of the health insurance body as defined in Article 81 of Act LXXXIII of 1997 on Compulsory Health Insurance Benefits (hereinafter: Health Insurance Act) to the extent necessary for the performance of the task. Health and personal identification data from different sources may be linked only to the extent and at the time strictly necessary for the purposes of prevention, treatment, public health, public health and epidemiological measures.

8.5. Data processing activities for microscopic examination

Name of the data processor: Beto-Dent Kft.

Registered seat of the data processor: 6721 Szeged, Osztrovszky u. 12.

E-mail address of the data processor: betodent@invitel.hu

The Data Processor contributes to microscopic analyses on the basis of a contract with the Data Controller. In doing so, the Data Processor processes personal and health data of the data subject to the extent necessary for the performance of the microscopic work.

8.6. Data processing in relation to the FLEXI-DENT Dental and Dental Patient Registration System

Name of the data processor: Flexi Medical Hungary Zrt.

Registered seat of the data processor: 1027 Budapest, Tölgyfa u. 28.

Phone number of the data processor: 06 1 792 1234

E-mail address of the data processor: support@flexi-dent.hu
 

9. Data subject’s rights and means of redress

9.1. Right to information

DENTHA Bt. shall take appropriate measures to provide data subjects with all the information referred to in Articles 13 and 14 of the GDPR and all the information referred to in Articles 15 to 22 and 34 of the GDPR concerning the processing of personal data in a concise, transparent, intelligible and easily accessible form, in clear and plain language. At the request of the data subject, the

9.2. Right of access of the data subject

At the request of the data subject, sent to the email address indicated in each section or to the name and address of the Company, the Company shall, within a maximum of 25 (twenty-five) days from the date of the request, provide information on the data of the data subject processed by the Company or by a processor on its behalf, free of charge once a year for the same data and for a fee in addition to the above, the source of the data, the purpose, legal basis and duration of the processing, the name and address of the data processor and its activities in relation to the processing, the circumstances of the personal data breach, its effects and the measures taken to remedy it, and, in the event of the transfer of the data subject’s personal data, the legal basis and the recipient of the transfer.

The Company shall keep a register for the purpose of monitoring the measures taken in relation to the personal data breach and informing the data subject, which shall include the scope of the personal data concerned, the number and type of data subjects affected by the personal data breach, the date, circumstances and effects of the personal data breach and the measures taken to remedy it, as well as other data specified in the legislation requiring data processing.

In the event of a refusal to provide the information, the Company shall inform the data subject in writing of the provision of the law on the basis of which the refusal was made and inform the data subject of the legal remedies available to him or her.

9.3. Right of rectification

If the personal data is not accurate and the accurate personal data is available to the Company, the Company will correct the personal data.

The Company shall notify the data subject of the rectification, as well as any other person to whom the data may have been previously disclosed for processing purposes. The notification may be omitted if this does not harm the legitimate interests of the data subject in relation to the purposes of the processing.

The rectification upon request, the time limit for its execution and the possibility of legal remedy shall be governed by point 5.2.

9.4. Right to erasure

The data subject shall have the right to have personal data relating to him or her erased by the company without undue delay at his or her request if one of the following grounds applies:

    • the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

    • the data subject withdraws the consent on the basis of which the processing was carried out and there is no other legal basis for the processing;

    • the data subject objects to the processing and there is no overriding legitimate ground for the processing;

    • the personal data have been unlawfully processed;

    • the personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the controller is subject;

    • the personal data have been collected in connection with the provision of information society services.

The erasure of the data cannot be initiated if the processing is necessary:

    • for the exercise of the right to freedom of expression and information;

    • to comply with an obligation under Union or Member State law to which the controller is subject and which requires the processing of personal data; or

    • in the public interest or in the exercise of official authority vested in the controller;

    • for archiving, scientific or historical research purposes, or for statistical purposes in the public interest; or for the establishment, exercise or defence of legal claims.

9.5. Right to restriction of processing

At the request of the data subject, the company will restrict processing if one of the following conditions is met:

    • the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the accuracy of the personal data to be verified;

    • the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use;

    • the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims; or

    • the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.

Where processing is subject to restriction, personal data, other than storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.

9.6. Right to data retention

The data subject has the right to obtain the personal data concerning him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and to transmit these data to another controller.

9.7. Right to object

The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of his or her personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling based on those provisions. In the event of an objection, the controller may no longer process the personal data, unless there are compelling legitimate grounds for doing so which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

9.8. Automated decision-making in individual cases, including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

9.9. Right of withdrawal

The data subject has the right to withdraw his or her consent at any time.

9.10. Right to apply to the courts

The data subject may take legal action against the controller in the event of a breach of his or her rights.

9.11. Data protection authority procedure

Complaints may be lodged with the National Authority for Data Protection and Freedom of Information:

Name: National Authority for Data Protection and Freedom of Information

Registered office: 1125 Budapest, Szilágyi Erzsébet fasor 22/C.

Postal address: 1530 Budapest, PO Box 5.

Phone: 0613911400

Fax: 0613911410

E-mail: ugyfelszolgalat@naih.hu

Website: http://www.naih.hu
 

10. Amendments to the Privacy Notice

The Data Controller reserves the right to amend this Privacy Notice in a way that does not affect the purpose and legal basis of the processing.

If the Controller intends to carry out further processing of the data collected for purposes other than those for which they were collected, it will inform you of the purposes of the processing and the information below before carrying out the further processing:

  • the duration of the storage of the personal data or, if this is not possible, the criteria for determining the duration;

  • your right to request the controller to access, rectify, erase or restrict the processing of personal data concerning you and, in the case of processing based on legitimate interest, to object to the processing of personal data and, in the case of processing based on consent or a contractual relationship, to request the right to data portability;

  • in the case of processing based on consent, that you may withdraw your consent at any time;

  • the right to lodge a complaint with a supervisory authority;

  • whether the provision of the personal data is based on a legal or contractual obligation or is a precondition for the conclusion of a contract, whether you are under an obligation to provide the personal data and the possible consequences of not providing the data;

  • the fact of automated decision-making (if such a process is used), including profiling, and, at least in these cases, clear information about the logic used and the significance of such processing and its likely consequences for you.

The processing may only start after this; if the legal basis for the processing is consent, you must also give your consent in addition to receiving the information.
 

11. Other provisions

Information on processing not listed in this Notice will be provided at the time the data is collected. We inform our customers that the court, the prosecutor, the investigating authority, the law enforcement authority, the administrative authority, the National Authority for Data Protection and Freedom of Information, the Hungarian National Bank, OEP, or other bodies authorised by law may contact the data controller to provide information, to disclose or transfer data, or to provide documents. DENTHA Bt. shall only disclose personal data to the authorities to the extent that is indispensable for the purpose of the request, provided that the authorities have indicated the exact purpose and scope of the data.

The text and parts of the text of this Privacy Notice are protected by copyright and any unauthorised copying or use of the text or parts of the text is contrary to copyright and other laws!
