
Privacy Policy

The protection of personal data is extremely important to us. Therefore, in this Privacy Policy, we outline what personal data we process about you, for what purposes, and on what legal basis. The Privacy Policy also includes your rights regarding data processing.

 

  1. Data Controller Information

Data Controller: MATERNITY Magánklinika Kft. (hereinafter: Data Controller)

Registered seat and mailing address: 1126 Budapest, Királyhágó tér 8-9.

Company Registration Number: 01-09-918867

Taxpayer Identification Number: 14766624-2-43

Website address: www.maternity.hu

Email address: adatvedelem@maternity.hu

 

  1. General Legal Framework for data protection

 

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR)
  • Act CXII of 2011 on informational self-determination and freedom of information (Infotv.)
  • Act V of 2013 on the Civil Code (Ptk.)
  • Act CXXVII of 2007 on value added tax (Áfatörvény)
  • Act C of 2000 on accounting (Számviteli tv.)
  • Act CLIV of 1997 on healthcare (Eütv.)
  • Act XLVII of 1997 on the processing and protection of healthcare-related personal data (Eüaktv.)

 

  1. Definitions

 

Personal data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Typical examples of personal data include name, address, place and date of birth, and mother’s name.

Processing: any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Controller: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Recipient: a natural or legal person, public authority, agency or other body to whom or which the personal data are disclosed, whether a third party or not.

 

  1. Principles

 

The Data Controller adheres to the following principles when processing personal data.

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency)
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (purpose limitation)
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy)
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (storage limitation)
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality)
  7. The controller is responsible for, and must be able to demonstrate, compliance with all of the above-named Principles of Data Protection (accountability).

 

  1. Data Processing Activities

 

  1. Contact (website)

 

Purpose of data processing Contact, communication
Lawful basis for processing Art. 6 GDPR point (b) of the first paragraph: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Categories of Data Subjects Inquirers
Scope of personal data Name, email address, message content
Data retention period Until the end of the first year following the contact.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       hosting service provider: ININET Kft. (registered office: 1063 Budapest, Szinyei Merse utca 10., company registration number: 01-09-970252)

·       email system provider and system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

Source of data The source of personal data is the inquirer.

 

Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to contact you.
Automated individual decision-making, including profiling It does not occur.

 

 

  1. Contact via email

 

Purpose of data processing Contact via email
Lawful basis for processing Art. 6 GDPR point (b) of the first paragraph: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Categories of Data Subjects Inquirers
Scope of personal data Name, email address, message content
Data retention period Until the end of the first year following the contact.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       email system provider and system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

Source of data The source of personal data is the inquirer.

 

Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to contact you.
Automated individual decision-making, including profiling It does not occur.

 

  1. Patient feedback

 

Purpose of data processing Displaying patient feedback directly on the website
Lawful basis for processing Art. 6 GDPR point (a) of the first paragraph: consent
Categories of Data Subjects Patient
Scope of personal data Name, feedback content
Data retention period Until withdrawal of consent or for 30 days after withdrawal of consent
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       hosting service provider: ININET Kft. (registered office: 1063 Budapest, Szinyei Merse utca 10., company registration number: 01-09-970252)

·       email system provider and system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József street 1., company registration number: 13-09-133795)

Source of data The source of personal data is the patient.

 

Data Provisioning and its consequences Providing the data is voluntary. If you do not provide your personal data, the Controller will not be able to display your opinion or feedback.
Automated individual decision-making, including profiling It does not occur.

 

  1. Filling out a satisfaction survey

 

Purpose of data processing Filling out a satisfaction survey regarding the outpatient clinic and the hospital
Lawful basis for processing Art. 6 GDPR point (a) of the first paragraph: consent
Categories of Data Subjects Person filling out the satisfaction survey
Scope of personal data Name, email address, data provided in the survey
Data retention period Until withdrawal of consent, but no later than the end of the first month following the evaluation of the survey.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       hosting service provider: ININET Kft. (registered office: 1063 Budapest, Szinyei Merse street 10., company registration number: 01-09-970252)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       form filling software provider: Google Ireland Kft. (registered office: Gordon House, Barrow Utca, Dublin 4, Ireland)

Source of data The source of personal data is the person filling out the survey.
Data Provisioning and its consequences Providing the data is voluntary. If you do not provide your personal data, the Controller will not be able to display your opinion or feedback.
Automated individual decision-making, including profiling It does not occur.

 

  1. Appointment booking (phone, online customer service)

 

Purpose of data processing Providing appointments for patients seeking healthcare services.
Lawful basis for processing Art. 6 GDPR point (b) of the first paragraph: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Categories of Data Subjects Patient
Scope of personal data Based on Eütv. 136 § (1) and (2) relevant parts of healthcare documentation, such as name and contact information (phone number, email address) are included.  Eüaktv. 3. § e) point, 3/B. §, 28. §
Data retention period Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       hosting service provider: ININET Kft. (registered office: 1063 Budapest, Szinyei Merse utca 10., company registration number: 01-09-970252)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

Source of data The source of personal data is the patient.
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to schedule an appointment for healthcare services.
Automated individual decision-making, including profiling It does not occur.

 

  1. Registration for online customer service

 

Purpose of data processing With the registration, the patient can manage their affairs online, such as accessing test results and booking appointments. The Controller will send an activation email, and by clicking on it, you can activate your personal account. The registration is successful only in this case; if confirmation is not received, your registration data will be deleted after 24 hours.
Lawful basis for processing Art. 6 GDPR point (a) of the first paragraph: consent

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Registered person, minor, authorized representative
Scope of personal data Name, maiden name, mother’s name, social security number (TAJ in Hungarian), place of residence, place and date of birth, phone number, email address, minor’s name, minor’s social security number (TAJ in Hungarian), authorized representative’s name
Data retention period With the deletion of the registration, the personal account will be deleted. However, the Controller is still obligated to continue processing the healthcare data based on Eüaktv. 30 § (1) the processing and protection of healthcare-related personal data.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       hosting service provider: ININET Kft. (registered office: 1063 Budapest, Szinyei Merse utca 10., company registration number: 01-09-970252)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

Source of data The source of personal data is the registered person, minor, authorized representative
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to create a personal account and thus you will not be able to manage your affairs online.
Automated individual decision-making, including profiling It does not occur.

 

  1. Online customer service (issuance of test results)

 

Purpose of data processing Issuance of test result online in personal account. If you register on our website and give your consent (tick the box), we will also upload your test results to your password-protected account. You can view your test results either in person or through the EESZT (eHealth system of Hungary).
Lawful basis for processing Art. 6 GDPR point (a) of the first paragraph: consent

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Patient registered for online customer service
Scope of personal data Name, social security number (TAJ in Hungarian), test results, medical history
Data retention period With the deletion of the registration, the personal account will be deleted. However, the Controller is still obligated to continue processing the healthcare data based on Eüaktv. 30 § (1) the processing and protection of healthcare-related personal data.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       hosting service provider: ININET Kft. (registered office: 1063 Budapest, Szinyei Merse utca 10., company registration number: 01-09-970252)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

Source of data The source of personal data is the patient
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, you will not be able to access your test result online.
Automated individual decision-making, including profiling It does not occur.

 

 

  1. Communications

 

Purpose of data processing Communications
Lawful basis for processing Art. 6 GDPR point (a) of the first paragraph: consent

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Patient, legal representative of the patient
Scope of personal data Name, phone number, email address
Data retention period Until withdrawal of consent
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       email system provider and system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

Source of data The source of personal data is the patient and the legal representative of the patient
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to contact you if necessary.
Automated individual decision-making, including profiling It does not occur.

 

 

  1. Patient admission

 

Purpose of data processing Based on 4 § (1) of Eüaktv.:

a)       promoting the preservation, improvement and maintenance of health

b)       facilitating effective medical treatment by healthcare providers including specialist supervision

c)       monitoring the health status of the patient

Lawful basis for processing Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation: Eütv. 136. § (1)

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Patient
Scope of personal data Based on Eütv. 136. § (1) and (2) the relevant parts of healthcare documentation Eüaktv. 3. § e) point, 3/B. §, 28. §
Data retention period Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

·       hospital information software: SummaHosp Kft. (registered office: 1122 Budapest, Maros utca 40. 4. floor 19. door, company registration number: 01-09-345094)

·       operating room scheduling software: (MediTime) NexGenics Kft. (registered office: 8518 Kemenesszentpéter, Jókai utca 32., company registration number: 19-09-521782)

 

Data transmission(s) based on legal obligation:

·       EESZT (eHealth system of Hungary) data communication

Source of data The source of personal data is the patient.
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to provide healthcare service.
Automated individual decision-making, including profiling It does not occur.

 

 

  1. Patient care

 

Purpose of data processing Based on 4 § (1) of Eüaktv.:

a)       promoting the preservation, improvement and maintenance of health

b)       facilitating effective medical treatment by healthcare providers including specialist supervision

c)       monitoring the health status of the patient

Lawful basis for processing Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation: Eütv. 136. § (1)

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Patient
Scope of personal data Based on Eütv. 136. § (1) and (2) the relevant parts of healthcare documentation Eüaktv. 3. § e) point, 3/B. §, 28. §
Data retention period Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

·       operating room scheduling software: (MediTime) NexGenics Kft. (registered office: 8518 Kemenesszentpéter, Jókai utca 32., company registration number: 19-09-521782)

 

Data transmission(s) based on legal obligation:

·       EESZT (eHealth system of Hungary) data communication

·       police notification

·       patient transport: OMSZ and the Peter Cerny Alapítvány a Beteg Koraszülöttek Gyógyításáért

 

 

For contract performance, data transfer(s):

·       operator of e-Medsol hospital information system: Semmelweis University, Directorate-General for Informatics

Source of data The source of personal data is the patient.
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to provide healthcare service.
Automated individual decision-making, including profiling It does not occur.

 

  1. Diagnostic activities (medical imaging, laboratory tests, histology, screening)

 

Purpose of data processing Based on 4 § (1) of Eüaktv.:

a)       promoting the preservation, improvement and maintenance of health

b)       facilitating effective medical treatment by healthcare providers including specialist supervision

c)       monitoring the health status of the patient

Lawful basis for processing Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation: Eütv. 136. § (1)

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Patient
Scope of personal data Based on Eütv. 136. § (1) and (2) the relevant parts of healthcare documentation Eüaktv. 3. § e) point, 3/B. §, 28. §
Data retention period Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

·       hospital information software: SummaHosp Kft. (registered office: 1122 Budapest, Maros utca 40. 4. floor 19. door, company registration number: 01-09-345094)

 

Data transmission(s) based on legal obligation:

·       EESZT (eHealth system of Hungary) data communication

 

For contract performance, data transfer(s):

·       SYNLAB Hungary Kft. (registered office: 1211 Budapest, Weiss Manfréd út 5-7., company registration number: 01-09-923956)

·       Országos Vérellátó Szolgálat Központ (1113 Budapest, Karolina út 19-21.)

·       PentaCore Lab Egészségügyi Szolgáltató Kft. (registered office: 1134 Budapest, Lehel utca 11., company registration number: 01-09-907101)

·       New Era Genetics Kft. (registered office: 1016 Budapest, Bérc utca 23., company registration number: 01-09-987812)

·       Czeizel Intézet (registered office: 1016 Budapest, Bérc utca 23.)

·       Pest Megyei Flór Ferenc Kórház (registered office: 2143 Kistarcsa, Semmelweis tér 1.)

·       Semmelweis Egyetem I. Sz. Patológiai és Kísérleti Rákkutató Intézet (registered office: 1085 Budapest, Üllői út 26.)

·       Istenhegyi Géndiagnosztika Labor Kft. (registered office: 1125 Budapest, Zalatnai utca 2., company registration number: 01-09-283801)

·       Istenhegyi Géndiagnosztika Kft. (registered office: 1125 Budapest, Zalatnai utca 2., company registration number: 01-09-701520)

 

Source of data The source of personal data is the patient.
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to provide healthcare service.
Automated individual decision-making, including profiling It does not occur.

 

  1. Registration of infectious patients

 

Purpose of data processing Fulfillment of reporting and documentation obligations as stipulated by law
Lawful basis for processing Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation:

Eütv. 136. § (1)

Decree 18/1998. (VI. 3.) NM on epidemic measures necessary for the prevention of infectious diseases and epidemics

Decree 1/2014. (I. 16.) EMMI on the reporting of infectious diseases

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Patient
Scope of personal data Attachment No. 1. of 1/2014. (I. 16.) EMMI decree
Data retention period 50 years
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

 

Data transmission(s) based on legal obligation:

·       EESZT (eHealth system of Hungary) data communication

·       Reporting of healthcare-associated infections

·       Reporting to the Nemzeti Nosocomialis Surveillance Rendszer

Source of data The source of personal data is the patient.
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to fulfil its legal obligation.
Automated individual decision-making, including profiling It does not occur.

 

  1. Discharge

 

Purpose of data processing Closure of patient treatment-related registration and other administration
Lawful basis for processing Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation: Eütv. 136. § (1)

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Patient
Scope of personal data Based on Eütv. 136. § (1) and (2) the relevant parts of healthcare documentation Eüaktv. 3. § e) point, 3/B. §, 28. §
Data retention period Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

 

Data transmission(s) based on legal obligation:

·       EESZT (eHealth system of Hungary) data communication

·       patient transport: Országos Mentőszolgálat (OMSZ) and the Peter Cerny Alapítvány a Beteg Koraszülöttek Gyógyításáért

·       data provision to Országos Szociális Információs Rendszer (OSZIR)

Source of data The source of personal data is the patient.
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to fulfil its legal obligation.
Automated individual decision-making, including profiling It does not occur.

 

  1. Healthcare service contract (prenatal care, delivery, gynecological surgery)

 

Purpose of data processing Fulfillment of obligations arising from healthcare service contracts
Lawful basis for processing Art. 6 GDPR point (b) of the first paragraph: performance of a contract

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Service recipient
Scope of personal data Based on Eütv. 136. § (1) and (2) the relevant parts of healthcare documentation Eüaktv. 3. § e) point, 3/B. §, 28. §
Data retention period Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

·       operating room scheduling software: (MediTime) NexGenics Kft. (registered office: 8518 Kemenesszentpéter, Jókai utca 32., company registration number: 19-09-521782)

Source of data The source of personal data is the service patient.
Data Provisioning and its consequences Providing the data is required. If you do not provide your personal data, the Controller will not be able to provide healthcare service.
Automated individual decision-making, including profiling It does not occur.

 

  1. Data processing related to obstetric care

 

Purpose of data processing Registration and other administrative procedures related to obstetric care
Lawful basis for processing Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation: Eütv. 136. § (1)

 

Eütv. 136. § (1) and (2):

Government Decree 429/2017. (XII. 20.) on the detailed rules of handling birth certificate registry tasks

Government Decree 184/2017. (VII. 5.) on the implementation of Act CLV of 2016 on official statistics

EMMI Decree 21/2014. (III. 20.) on the reporting and registration procedure of congenital abnormalities

Eüaktv. 20. § (3):

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects Patient, parent
Scope of personal data 429/2017. (XII. 20.) government decree 10. § (1)
Data retention period Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer According to Art. 44-49. GDPR transfer of personal data does not take place.
Recipients The Data Controller uses Data Processor(s)

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

·       operating room scheduling software: (MediTime) NexGenics Kft. (registered office: 8518 Kemenesszentpéter, Jókai utca 32., company registration number: 19-09-521782)

 

Data transmission(s) based on legal obligation:

·       EESZT (eHealth system of Hungary) data communication

·       Statistical reporting related to fetal mortality

·       data provision to Országos Szülészeti és Perinatális Regiszter (OSZIR)

·       data provision of deliveries

·       health visitor reports

·       data provision related to pregnancy termination

 

Source of data: The source of personal data is the patient.
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to fulfil its legal obligation.
Automated individual decision-making, including profiling: It does not occur.

 

  1. Operation of the social indicator system

 

Purpose of data processing: Assistance for endangered patients based on legal regulations
Lawful basis for processing: Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation:

Act XXXI of 1997 on the protection of children and guardianship administration

Categories of Data Subjects: Patient, parent
Scope of personal data: 429/2017. (XII. 20.) government decree 10. § (1)
Data retention period: Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller uses Data Processor(s):

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

·       operating room scheduling software: (MediTime) NexGenics Kft. (registered office: 8518 Kemenesszentpéter, Jókai utca 32., company registration number: 19-09-521782)

 

Data transmission(s) based on legal obligation:

·       EESZT (eHealth system of Hungary) data communication

·       Statistical reporting related to fetal mortality

·       data provision to Országos Szülészeti és Perinatális Regiszter (OSZIR)

·       data provision of deliveries

·       health visitor reports

·       data provision related to pregnancy termination

 

Source of data: The source of personal data is the patient.
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to fulfil its legal obligation.
Automated individual decision-making, including profiling: It does not occur.

 

  1. Vaccine administration

 

Purpose of data processing: Vaccine administration
Lawful basis for processing: Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation: Eütv. 136. § (1) and (2)

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects: A person receiving a vaccination
Scope of personal data: Based on Eütv. 136. § (1) and (2), the relevant parts of healthcare documentation; Eüaktv. 3. § e) point, 3/B. §, 28. §
Data retention period: Based on Eüaktv. 30. § (1): final medical report for 50 years, all other documents for 30 years, and diagnostic imaging reports for 10 years.
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller uses Data Processor(s):

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

 

Data transmission(s) based on legal obligation:

·       EESZT (eHealth system of Hungary) data communication

·       data provision related to vaccination

 

Source of data: The source of personal data is the person receiving the vaccination.
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to provide vaccination.
Automated individual decision-making, including profiling: It does not occur.

 

  1. Camera surveillance data management

 

Purpose of data processing: Protecting and safeguarding the lives, physical integrity, and personal freedom of individuals entering and staying in the area, as well as the property of the Data Controller.
Lawful basis for processing: Art. 6 GDPR point (f) of the first paragraph: legitimate interest
Categories of Data Subjects: Guest, client, patient
Scope of personal data: Likeness
Data retention period: 30 days from the date of recording
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller does not use Data Processor(s)
Source of data: The source of personal data is the guest, the client and the patient
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to give you permission to enter.

A visible and easily readable warning sign (pictogram) has been placed to indicate the use of the electronic surveillance system.

Automated individual decision-making, including profiling: It does not occur.

 

  1. Data processing related to relatives or another notified person

 

Purpose of data processing: Exercise of patient rights
Lawful basis for processing: Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation: Eütv. 16. §
Categories of Data Subjects: Patient, person designated by the patient
Scope of personal data: Name, contact information
Data retention period: 30 years
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller uses Data Processor(s):

·       system administrator: ItSmart Kft. (registered office: 2131 Göd, Katona József utca 1., company registration number: 13-09-133795)

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

Source of data: The source of personal data is the patient
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to fulfil its legal obligation.
Automated individual decision-making, including profiling: It does not occur.

 

  1. Billing

 

Purpose of data processing: Exercise of patient rights
Lawful basis for processing: Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation:

Act CXXVII of 2007 on value added tax, 159. § (1)

Categories of Data Subjects: The person receiving the service
Scope of personal data: Name, address, tax number (in case of corporate clients), email address.

Health savings account member and membership ID.

Authorization code, or insured person’s name and insurance ID.

Data retention period: Based on 169. § (1) and (2) of the Accounting Act, 8 years
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller uses Data Processor(s):

 

·       Accounting:

-  PALOTA AUDIT Kft. (registered office: 1151 Budapest, Veresegyházi utca 76., company registration number: 01-09-969186)

-  FairConto Audit Kft. (registered office: 1097 Budapest, Könyves Kálmán körút 12-14., company registration number: 01-09-924528)

-  BÉRMENTOR Kft. (registered office: 1042 Budapest, Árpád út 119. 9. em. 29. ajtó, company registration number: 01-09-394743)

 

·       patient record software: HOSPITALY Kft. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-09-690165)

·       invoicing software: infoMátrix Zrt. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-10-048064)

 

The Data Controller provides information to Nemzeti Adó- és Vámhivatal (National Tax and Customs Administration – NAV) in accordance with point 1 of annex 10 to Act CXXVII of 2007 on value added tax.

Source of data: The source of personal data is the person receiving the service.
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to fulfil its invoicing obligation required by law.
Automated individual decision-making, including profiling: It does not occur.

 

  1. Payment of the consideration for the service

 

Purpose of data processing: Payment of the consideration for the service, which can be paid by:

·       credit/debit card

·       bank transfer

·       health savings card

·       insurance company

Lawful basis for processing: Art. 6 GDPR point (b) of the first paragraph: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Categories of Data Subjects: The person receiving the service
Scope of personal data: Name, bank account number, authorization code, date of performance, email address, health savings account and ID, insurance ID
Data retention period: Based on 169. § (1) and (2) of the Accounting Act, 8 years
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller uses Data Processor(s):

·       provider of credit/debit card payments: NOVOPAYMENT Kft. (registered office: 1034 Budapest, Tímár utca 20. IV. em., company registration number: 01-09-302898)

 

In case of bank transfer, the Data Controller’s bank, as a separate data controller, has access to personal data:

·       Raiffeisen Bank Zrt. (registered office: 1133 Budapest, Váci út 116-118., company registration number: 01-10-041042). The bank’s Privacy Policy is available here:

https://www.raiffeisen.hu/web/english/raiffeisen-group/raiffeisen-bank-in-hungary/legal-declaration/data-protection

 

In case of health savings card payment or through an insurance company, the respective providers have access to personal data as independent data controllers.

 

Source of data: The source of personal data is the person receiving the service.
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, you will not be able to pay for the service.
Automated individual decision-making, including profiling: It does not occur.

 

  1. Contractual communication

 

The Data Controller communicates and maintains business relations with their contracted Partners (supplier, client) through the designated contact person specified in the contract.

 

Purpose of data processing: Maintaining communication and ensuring cooperation in order to implement the contract between the Data Controller and the Partner as intended.
Lawful basis for processing: Art. 6 GDPR point (f) of the first paragraph: legitimate interest
Categories of Data Subjects: Employee of the Partner (sole proprietorship, Ltd., Partnership, Inc.) designated as the contact person
Scope of personal data: Name, position, phone number, email address
Data retention period: Until the end of the 5th year following the completion or termination of the contract
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller uses Data Processor(s):

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

·       operator of digitalization software: infoMátrix Zrt. (registered office: 1143 Budapest, Szobránc utca 29., company registration number: 01-10-048064)

Source of data: The source of personal data is the contact person of the Partner.
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to coordinate with the Partner.
Automated individual decision-making, including profiling: It does not occur.

 

  1. Investigation of complaints related to healthcare services of a patient

 

Purpose of data processing: Investigation of patient’s complaints
Lawful basis for processing: Art. 6 GDPR point (c) of the first paragraph: fulfilment of legal obligation: Eütv. 29. §

Art. 9 GDPR point (h): data processing for healthcare and occupational health purposes

Categories of Data Subjects: Complaining patient
Scope of personal data: Personal identification information, email address, mailing address
Data retention period: Based on Eütv. 29. § (4): 5 years
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller uses Data Processor(s):

·       record office: Rhenus Office Systems Hungary Kft. (registered office: 2310 Szigetszentmiklós, Leshegy utca 30., company registration number: 13-09-112000)

Source of data: The source of personal data is the complaining patient
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to investigate the complaint.
Automated individual decision-making, including profiling: It does not occur.

 

  1. Communication on social media platforms

 

Purpose of data processing: Communication on social media platforms
Lawful basis for processing: Art. 6 GDPR point (a) of the first paragraph: consent
Categories of Data Subjects: A person registered on a social media platform
Scope of personal data: Name, public profile data
Data retention period: Data processing occurs on social media platforms, therefore the privacy policy of the specific social media platform applies.
Data transfer: Transfer of personal data according to Art. 44-49 GDPR does not take place.
Recipients: The Data Controller does not use Data Processor(s)
Source of data: The source of personal data is a person registered on a social media platform
Data Provisioning and its consequences: Providing the data is required. If you do not provide your personal data, the Controller will not be able to inform you about its current activities or services on social media platforms.
Automated individual decision-making, including profiling: It does not occur.

 

 

  1. Website data processing

 

The website uses cookies.

 

A cookie is a file that is placed on your computer when you visit a website. It is an information package that the server sends to the browser, and then the browser sends it back to the server with specific data content defined by the server with each request. The purpose of this is to save the internet settings of the website you visit, so if you revisit the same website from the same device, the page will remember the set parameters.

 

Cookies have numerous functions. They are most commonly used for advertising, personalizing services, and analysing website traffic.

According to current laws and regulations, cookies can only be stored on your device if they are strictly necessary for the functioning of the website, known as “essential cookies”. For all other types of cookies, your consent is required. You can view and manage the cookies currently used on the website through a pop-up window that appears when you enter the website.

 

Modern browsers allow you to modify cookie settings. Some browsers accept cookies automatically by default, but this setting can be changed to prevent automatic acceptance in the future. If you adjust this setting, your browser will prompt you to choose your cookie preferences each time thereafter.

 

Considering that cookies are intended to support and facilitate the usability and processes of the website, disabling cookies may prevent you from fully utilizing all functions of the website. The website may operate differently than intended in your browser. For more detailed information about cookie settings in the following browsers:

 

  1. Social media

 

The Data Controller is available on the following social media platform(s):

Social media platform | Data Controller’s name | Privacy Policy
Facebook | Meta Platforms Ireland Ltd. (registered office: Merrion Road, Dublin 4 D04 X2K5, Ireland) | https://www.facebook.com/privacy/explanation
Instagram | Meta Platforms Ireland Ltd. (registered office: Merrion Road, Dublin 4 D04 X2K5, Ireland) | https://www.facebook.com/help/instagram/155833707900388/
X | Twitter International Unlimited Company (registered office: One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland) | https://x.com/en/privacy
LinkedIn | LinkedIn Ireland Unlimited Company (registered office: Wilton Plaza Wilton Place, Dublin 2 Ireland) | https://www.linkedin.com/legal/privacy-policy
Pinterest | Pinterest Europe Ltd. (registered office: Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland) | https://policy.pinterest.com/en-gb/privacy-policy-2018
YouTube | Google Ireland Ltd. (registered office: Gordon House, Barrow Street, Dublin 4, Ireland) | https://policies.google.com/technologies/product-privacy?hl=en-GB
Reddit | Reddit Netherlands B.V. (registered office: Euro Business Center, Keizersgracht 62, 1015CS Amsterdam, Netherlands) | https://www.reddit.com/policies/privacy-policy
Tumblr | Aut O’Mattic A8C Ireland Ltd. (registered office: Business Centre, No.1, Lower Mayor Street, International Financial Services Centre, Dublin 1, Ireland) | https://www.tumblr.com/privacy/en

 

 

 

The Data Controller does not record or manage personal data of the user of the specific social media platform in its internal database and system.

 

 

  1. Access to data

 

The authorized employees of the Data Controller may access personal data to the extent necessary for performing their duties.

 

  1. Data security measures

 

The Data Controller ensures the protection of the personal data it processes through appropriate IT, technical, and organizational measures, including safeguards against unauthorized access or alteration.

 

  1. Rights of data management related to data processing and their contents

 

 

Rights of data management related to data processing

 

The contents of rights of data management related to data processing
Right to be informed

/Article 13 and 14 GDPR /

You are entitled to be informed about the fact and purposes of data processing at the time your personal data is obtained. The Data Controller will also provide you with additional information necessary to ensure fair and transparent data processing, considering the specific circumstances and context of personal data processing. You must also be informed about the fact of profiling and its consequences.
Right of access

/Article 15 GDPR/

You have the right to request information on whether your personal data is being processed and, if so, you are entitled to know:

·       Which of your personal data the Data Controller processes

·       On what legal basis

·       For what purpose

·       For how long

·       To whom, when, and on what legal basis access was granted, to which of your personal data, or to whom your personal data has been transferred

·       The source of your personal data (if you did not provide it to the Data Controller)

·       Whether automated decision-making is applied, including profiling, and the logic involved.

Right to rectification

/Article 16 GDPR/

You have the right to request that the Data Controller correct any inaccurate personal data about you or complete any incomplete personal data. Therefore, you can ask the Data Controller to modify any of your personal data (for example, you can change your email address or other contact information at any time).
Right to erasure (‘right to be forgotten’)

/Article 17 GDPR/

You have the right to request the Data Controller to erase your personal data if one of the following reasons applies:

 

·       Your personal data is no longer needed for the purposes for which it was collected or otherwise processed

·       You withdraw your consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a), and there is no other legal ground for the processing

·       You object to the processing pursuant to Article 21(1), and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2)

·       Your personal data has been unlawfully processed

·       Your personal data must be erased to comply with a legal obligation under Union or Member State law to which the Data Controller is subject

·       Your personal data has been collected in relation to the offer of information society services referred to in Article 8(1).

Right to restriction of processing

/Article 18 GDPR/

You have the right to request the Data Controller to restrict processing if one of the following reasons applies:

·       You contest the accuracy of your personal data (in this case, the restriction applies for a period that allows the Data Controller to verify the accuracy of the personal data)

·       The processing is unlawful, and you oppose the erasure of the data and request the restriction of its use instead

·       The Data Controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims

·       You have objected to processing pursuant to Article 21(1) (in this case, the restriction applies for a period until it is determined whether the Data Controller’s legitimate grounds override yours).

Right to data portability

/Article 20 GDPR/

You have the right to receive your personal data that you provided to a Data Controller in a structured, commonly used, and machine-readable format, and you have the right to transmit those data to another Data Controller without hindrance from the Data Controller to whom the personal data were provided, where:

·       the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b), and

·       the processing is carried out by automated means.

You have the right to request, where technically feasible, the direct transmission of your personal data between Data Controllers.

Right to object

/Article 21 GDPR/

You have the right to object at any time, for reasons related to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f), including profiling based on those provisions. In such cases, the Controller shall no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or which relate to the establishment, exercise, or defense of legal claims.

 

If your personal data is processed for direct marketing purposes, including profiling related to such direct marketing, you have the right to object at any time to the processing of your personal data for these purposes.

Right to withdraw consent

/Article 7 (3) GDPR/

You have the right to withdraw your consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. You must be informed of this before giving your consent. Withdrawal of consent should be as easy as giving it.

 

  1. Remedies and contents related to data subjects’ rights in data processing
Remedies Content of remedy
The right to lodge a complaint with the supervisory authority

/Article 77 GDPR/

If your right to the protection of personal data has been violated, you can file a complaint with the following Authority:

Nemzeti Adatvédelmi és Információszabadság Hatóság

registered office: 1055 Budapest, Falk Miksa utca 9-11.

mailing address: 1363 Budapest, Pf. 9.

phone number: +36 (1) 391-1400

email address: ugyfelszolgalat@naih.hu

website: https://www.naih.hu/about-the-authority

 

The right to effective judicial remedy against the Data Controller or Processor (initiating judicial proceedings).

/Article 79 GDPR/

You have the right to turn to a court if you observe illegality in the processing of your personal data by the Data Controller or Processor. The court shall handle the case expeditiously. In this case, you are free to decide whether to file your lawsuit at the court competent according to your domicile or place of residence. Contact details of the courts:

https://birosag.hu/ugyfeleknek/birosagok/torvenyszekek

 

  1. Updating the Privacy Policy

 

The Data Controller reserves the right to unilaterally modify this Privacy Policy. Modifications to this policy may occur, particularly in the event of changes in legislation, practices of data protection authorities, business needs, or other circumstances. Upon request by the Data Subject, the Data Controller will provide them with a copy of the current Privacy Policy in the agreed format.

 

Budapest, June 27, 2024.