Privacy notice for the client

The protection of your personal data is of the utmost importance to us, and this Privacy Notice explains what personal data we process about you, for what purposes and on what legal basis. The Privacy Notice also sets out your rights.

1.) Data of the Data Controller

Data Controller: “Geronto-MED 2005” Non-Profit Ltd (hereinafter referred to as “Data Controller”)

Registered office: 8623 Balatonföldvár, Kemping utca 3/A.

Locations

8623 Balatonföldvár, Széchenyi utca 2.

8623 Balatonföldvár, Kemping utca 3.

Company registration number: 14-09-309359

Tax number: 22210991-2-14

Website: https://irisintezet.hu/ 

Contact details of the Data Protection Officer: info@irisintezet.hu 

2. General legislation on which the processing is based

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (Infotv.)
    • Act V of 2013 on the Civil Code (Civil Code)
  • Act CXXVII of 2007 on Value Added Tax (VAT Act)
  • Act C of 2000 on Accounting (Accounting Act)
  • Act CLV of 1997 on Consumer Protection (Fgy.tv.)
  • Act CLIV of 1997 on Health Care (Health Care Act) 
  • Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data (Eüaktv.) 
  • Act LXXXIII of 1997 on Compulsory Health Insurance Benefits (Ebtv.)
  • 217/1997 (XII. 1.) Government Decree on the implementation of Act LXXXIII of 1997 on the implementation of the Act on Compulsory Health Insurance Benefits (Ebtv. vhr.)
  • Government Decree 134/1999 (VIII. 31.) on the accounting and payment of subsidies for the cost of medicines, medical aids and spa treatments ordered in the framework of outpatient care
  • 7/2004 (XI. 23.) EüM Decree on the professional requirements for the distribution, repair and rental of medical devices
  • 14/2007 (III. 14.) EüM Decree on the inclusion of medical aids in social insurance support, ordering, distribution, repair and loan of medical aids with support 
  • Decree No 53/2007 (XII. 7.) of the Ministry of Health on the rules of qualification of the computer program to be used for prescribing medicines
  • 4/2009 (III. 17.) EüM Decree on medical devices
  • 39/2016.(XII. 21.) EMMI Decree on the detailed rules related to the Electronic Health Service Space 
  • 489/2013 (XII. 18.) Government Decree on state support for church and non-state social, child welfare and child protection service providers, institutions and networks
  • 9/1999 (XI. 24.) SzCsM Decree on the receipt of social benefits providing personal care
  • 1/2000 (I. 7.) SzCsM Decree on the professional tasks of social institutions providing personal care and the conditions of their operation
  • Act III of 1993 on Social Administration and Social Benefits (Act on Social Administration and Social Benefits)
  • 36/2007 (XII. 22.) SZMM Decree on the detailed rules for the assessment and verification of social need based on health status and care needs

3. Concepts

Personal data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Such typical personal data include in particular: name, address, place and date of birth, mother’s name.

Data processing: any operation or set of operations which is performed upon personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of the processing are determined by Union or Member State law, the Controller or the specific criteria for the designation of the Controller may also be determined by Union or Member State law.

Data Processor: a natural or legal person, public authority, agency or any other body that processes personal data on behalf of the Controller.

Recipient: the natural or legal person, public authority, agency or any other body, whether or not a third party, with whom or to which the personal data are disclosed.

4. Principles

The Data Controller shall take into account the following principles in the processing of personal data, including:

  • be carried out lawfully and fairly and in a transparent manner for the Data Subject (lawfulness, fairness and transparency)
  • collected only for specified, explicit and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes is not considered incompatible with the original purpose in accordance with Article 89(1) of the GDPR (purpose limitation)
  • be adequate, relevant and limited to what is necessary for the purposes for which the data are processed (data minimisation)
  • be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data which are inaccurate for the purposes for which they are processed are erased or rectified without delay (accuracy)
  • be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be kept for longer periods only if the personal data will be processed for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of Data Subjects as provided for in this Regulation (limited storage)
  • be processed in such a way as to ensure adequate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage (integrity and confidentiality), by using appropriate technical or organisational measures
  • The Data Controller is responsible for compliance with the above and must be able to demonstrate such compliance (accountability)

5. Data management activities

I. Data processing activities in the capacity of data controller

a) contact us (website)

Purpose of data processing How to contact us
Legal basis for data processing Article 6(1)(b) GDPR: necessary for the performance of the contract or for taking steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Affected Persons Interested
Scope of personal data Name, phone number, email address
Data retention time Until the end of the 1st year after contact
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • hosting provider: Websupport Hungary Ltd. (registered office: 1119 Budapest, Fehérvári út 97-99., company registration number: 01-09-381419)
  • mail system provider: Google Ireland Ltd. (based in Google Building Gordon House, Barrow St, Dublin 4, Ireland)
Source of data The source of the personal data is the interested party
How to provide data, consequences The data must be provided. If you do not provide the personal data, the Data Controller will not be able to contact you.

b) contact by email 

Purpose of data processing Making contact, maintaining contact
Legal basis for processing Article 6(1)(b) GDPR: necessary for the performance of the contract or for taking steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Affected Persons Interested
Scope of personal data Name, phone number, email address
Data retention time Until the end of the 1st year after contact
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s): 

  • mail system provider: Google Ireland Ltd. (based in Google Building Gordon House, Barrow St, Dublin 4, Ireland)
Source of data The source of the personal data is the interested party
How to provide data, consequences The data must be provided. If you do not provide the personal data, the Data Controller will not be able to contact you by email.

c) health certificate

Purpose of data processing Completing a health certificate for placement in a social institution
Legal basis for data processing Article 6 (1) (c) GDPR: fulfilment of a legal obligation: pursuant to Annex 1 of the Social Security Ministerial Decree No. 9/1999 (XI. 24.) on the receipt of social benefits providing personal care 
Categories of Affected Persons Person in need of social care
Scope of personal data Personal identification data (name, name at birth, place and date of birth, place of residence, social security number), health data
Data retention time Pursuant to Art. 30 (1) Paragraph (1) of the Eüaktv.: final report 50 years, all other documents 30 years, diagnostic imaging 10 years
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • the Data Controller uses only patient registration software (Netdoktor) issued by the National Health Insurance Fund Management (NEAK) and certified by DeriCom Kft. (headquarters: 1095 Budapest, Ipar u. 2/b 2. floor. door 13, company registration number: 01-09-687394)

The Data Controller is legally obliged to transfer data to the National Health Insurance Fund Manager (NEAK)

Source of data The source of the personal data is the person requesting social assistance
How to provide data, consequences Providing the data is mandatory. If you do not provide the personal data, the Data Controller will not be able to comply with its legal obligations.

d) pre-conditioning data sheet

Purpose of data processing Completing a pre-care form for placement in a social institution
Legal basis for data processing Article 6 (1) (c) GDPR: fulfilment of a legal obligation: pursuant to Annex 2 of the Social Security Ministerial Decree No. 9/1999 (XI. 24.) on the receipt of social benefits providing personal care
Categories of Affected Persons Person in need of social care, person receiving pre-care
Scope of personal data In the case of a person claiming social assistance: personal identification data, data on housing conditions, data on family circumstances, data on social situation, data on health, state of incapacity, data on placement, summary opinion, other 

In the case of the person who carried out the screening: name, signature

Data retention time Pursuant to Art. 30 (1) Paragraph (1) of the Eüaktv.: final report 50 years, all other documents 30 years, diagnostic imaging 10 years
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • the Data Controller uses only patient registration software (Netdoktor) with a certificate of conformity issued by NEAK: DeriCom Kft. (headquarters: 1095 Budapest, Ipar u. 2/b 2. floor. door 13, company registration number: 01-09-687394)

The Data Controller is legally obliged to transfer data to the National Health Insurance Fund Manager (NEAK)

Source of data The source of personal data is the person requesting social care, the person providing pre-care
How to provide data, consequences Providing the data is mandatory. If you do not provide the personal data, the Data Controller will not be able to comply with its legal obligations.

e) conclusion of a supply agreement

Purpose of data processing Conclusion of a supply agreement
Legal basis for data processing Article 6(1)(b) GDPR: necessary for the performance of the contract or for taking steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Affected Persons Person receiving social care, person obliged (or undertaking) to pay maintenance, relative, person liable to pay maintenance, witness 
Scope of personal data In the case of a person receiving care, a person liable for maintenance (or committing to maintenance) and a relative: name, name at birth, mother’s name, place of birth, contact details (telephone number, email address), address, signature

In the case of a fee-payer: signature

In case of witness: name, address, signature

Data retention time Until the end of the 5th year after the contract is performed or terminated
Data transmission Transfers are made in accordance with Articles 44-49 of the GDPR
Addressees The Data Controller does not use Data Processor(s)
Source of data The source of personal data is the social care recipient, person obliged (or undertaking) to pay maintenance, relative, person liable to pay maintenance, witness
How to provide data, consequences The data must be provided. If you do not provide the personal data, the Data Controller cannot conclude a contract with you.

f) declaration of burial

Purpose of data processing Declaration on burial
Legal basis for processing Article 6(1)(b) GDPR: necessary for the performance of the contract or for taking steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Affected Persons Person receiving social assistance, person subject to (or undertaking to provide) maintenance
Scope of personal data In the case of a person receiving care: name

In the case of a person obliged (or undertaking) to maintain: name, signature

Data retention time Until the end of the 5th year after the contract is performed or terminated
Data transmission Transfers are made in accordance with Articles 44-49 of the GDPR
Addressees The Data Controller does not use Data Processor(s)
Source of data The source of personal data is the social care recipient, the person obliged (or undertaking) to pay maintenance
How to provide data, consequences The data must be provided. If you do not provide the personal data, the Data Controller will not be able to store the burial declaration

g) contact

Purpose of data processing Contact 
Legal basis for processing Article 6(1)(a) GDPR: consent

Article 9(h) GDPR: processing for health and occupational health purposes

Categories of Affected Persons  Person receiving social care and/or their legal representative/dependant
Scope of personal data Name, phone number, email address
Duration of data processing Until withdrawal of consent
Data transmission Transfers are made in accordance with Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • hosting provider: Websupport Hungary Ltd. (registered office: 1119 Budapest, Fehérvári út 97-99., company registration number: 01-09-381419)
  • mail system provider: Google Ireland Ltd. (based in Google Building Gordon House, Barrow St, Dublin 4, Ireland)
  • patient registration software (Netdoktor): DeriCom Kft. (head office: 1095 Budapest, Ipar u. 2/b 2. floor. door 13, company registration number: 01-09-687394)
Source of data Source of personal data is the social care recipient and/or his/her legal representative/relative
How to provide data, consequences The provision of data is voluntary. If you do not provide the personal data, the Data Controller will not be able to contact you.

h) filling in the evaluation form

Purpose of data processing Completing the assessment form (health check) 
Legal basis for processing Article 6 (1) (c) GDPR: Decree No. 36/2007 (XII. 22.) of the Ministry of Social Affairs and Health on the detailed rules for the assessment and verification of social needs based on health status
Categories of Affected Persons Person receiving social care, legal representative, treating doctor completing the form
Scope of personal data In the case of a person claiming social security benefits: personal identification data, address,

In case of legal representative: name and contact details

For treating doctor completing the form: signature

Data retention time According to § 30 (1) of the Eüaktv.: final report 50 years, all other documents 30 years, diagnostic imaging 10 years
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller does not use Data Processor(s)
Source of data The source of the personal data is the social care recipient, the legal representative, the treating doctor who fills in the form
How to provide data, consequences Providing the data is mandatory. If you do not provide the personal data, the Data Controller will not be able to comply with its legal obligations.

i) patient care

Purpose of data processing Pursuant to Section 4 (1) of the Eüaktv: 

a) promoting the preservation, improvement and maintenance of health

(b) to facilitate the effective treatment of patients by the carer, including supervision

c) monitoring the health of the person concerned

Legal basis for processing Article 6(1)(c) GDPR: fulfilment of a legal obligation: § 136(1) of the GDPR 

Article 9(h) GDPR: processing for health and occupational health purposes

Categories of Affected Persons Person receiving social care
Scope of personal data Pursuant to § 136 (1) and (2) of the Health Care Ordinance, the relevant parts of the medical records are 

Eüaktv. § 3 e), § 3/B, § 28

Data retention time According to § 30 (1) of the Eüaktv.: final report 50 years, all other documents 30 years, diagnostic imaging 10 years
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • patient registration software (Netdoktor): DeriCom Kft. (head office: 1095 Budapest, Ipar u. 2/b 2. floor. door 13, company registration number: 01-09-687394)

Data transfer(s) under legal obligation:

  • Electronic Health Service Space (EESZT) data communication
Source of data The source of personal data is the social care recipient
How to provide data, consequences The data must be provided. If you do not provide the data, the Data Controller will not be able to provide healthcare. 

j) Recording in the EESZT system

Purpose of data processing Recording in the Electronic Health Service Space (EESZT) system for the purposes specified in Section 4 (1) of the Eüaktv.
Legal basis for processing GDPR Article 6 (1) (c): legal obligation: 39/2016 (XII. 21.) EMMI Decree on the Detailed Rules of the Electronic Health Service Space 
Categories of Affected Persons Social care recipient
Scope of personal data Health and personal identification data
Data retention time According to § 30 (1) of the Eüaktv.: final report 50 years, all other documents 30 years, diagnostic imaging 10 years
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • the Data Controller uses only patient registration software with a certificate of conformity issued by NEAK: DeriCom Kft. (headquarters: 1095 Budapest, Ipar u. 2/b 2. floor. door 13, company registration number: 01-09-687394)

The Data Controller is legally obliged to transfer data to the National Health Insurance Fund Manager (NEAK).

Source of data The source of personal data is the social care recipient
How to provide data, consequences Providing the data is mandatory. If you do not provide the personal data, the Data Controller will not be able to comply with its legal obligations.

k) settlement on the basis of a legally issued medical prescription

Purpose of data processing Meeting the statutory obligation to settle accounts with the National Health Insurance Fund Management (NEAK)
Legal basis for data processing GDPR Article 6 (1) (c): fulfilment of a legal obligation: Government Decree 134/1999 (VIII. 31.) on the accounting and payment of subsidies for the cost of medicines, medical aids and spa treatments ordered in the framework of outpatient care
Categories of Affected Persons Prescription holder
Scope of personal data Information on the prescription, such as: name, address, date of birth, social security number, BNO code of the disease, number and validity of the public health insurance card, name and quantity of the product
Data retention time Pursuant to Section 30 (7) of the Health Care Act: in the case of medical devices delivered in a specialised medical device shop, if the expiry date of the medical device is longer than 5 years, the retention period of the paper prescription and the issue certificate is the same as the expiry date. After the mandatory retention period, paper prescriptions and dispensing certificates shall be destroyed.
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • the Data Controller uses only patient registration software with a certificate of conformity issued by NEAK: DeriCom Kft. (headquarters: 1095 Budapest, Ipar u. 2/b 2. floor. door 13, company registration number: 01-09-687394)

The Data Controller is legally obliged to transfer data to the National Health Insurance Fund Manager (NEAK)

The Data Controller forwards the prescriptions to the pharmacy in order to replace the beneficiary of social benefits with the medicines necessary for the benefits.

Source of data Source of personal data is the holder of the prescription
How to provide data, consequences Providing the data is mandatory. If you do not provide the personal data, the Data Controller cannot provide medication.

l) keeping care records

Purpose of data processing Keeping care records
Legal basis for data processing GDPR Article 6 (1) (c): fulfilment of a legal obligation: Eüaktv. 
Categories of Affected Persons Social care recipient, occupational health physician
Scope of personal data Identity and health information in care documents
Data retention time According to § 30 (1) of the Eüaktv.: final report 50 years, all other documents 30 years, diagnostic imaging 10 years
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • patient registration software (Netdoktor): DeriCom Kft. (head office: 1095 Budapest, Ipar u. 2/b 2. floor. door 13, company registration number: 01-09-687394)

Data transfer(s) under legal obligation:

  • EESZT data communication
Source of data Source of personal data Social care recipient and/or occupational health practitioner
How to provide data, consequences Providing the data is mandatory. If you do not provide the personal data, the Data Controller will not be able to comply with its legal obligations.

m) billing

Purpose of data processing Issuing an invoice
Legal basis for data processing Article 6(1)(c) GDPR: fulfilment of a legal obligation: section 159(1) of the VAT Act
Categories of Affected Persons Person receiving social care and/or their relative 
Scope of personal data Name, address, tax number (for business customers), email address
Data retention time Pursuant to paragraphs (1) and (2) of § 169 of the Accounting Act 8 years
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processors: 

  • billing software: Baloghy Szoftver Kft. (head office: 1237 Budapest, Hrivnák Pál utca 165. Fsz. door 3, company registration number: 01-09-908052)
  • accounting: Sió Taxatíve Kft. (head office: 8600 Siófok, Fő utca 174-176. I. floor. 32. door, company registration number: 14-09-318529)

The Data Controller shall provide data to the National Tax and Customs Administration (NAV) in accordance with point 1 of Annex 10 of Act CXXVII of 2007 on Value Added Tax (VAT Act).

Source of data Source of personal data is the social care recipient and/or his/her relative
How to provide data, consequences Providing the data is mandatory. If you do not provide the personal data, the Data Controller will not be able to fulfil its legal obligation to invoice.

n) payment for the service

Purpose of data processing Payment for the service can be made in the following ways:

  • cash
  • credit card purchases
  • bank transfer
Legal basis for data processing Article 6(1)(b) GDPR: necessary for the performance of the contract or for taking steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Affected Persons Person receiving social care and/or their relative
Scope of personal data Name, product or service identifier, bank account number, transfer amount, transfer time 
Data retention time Pursuant to paragraphs (1) and (2) of § 169 of the Accounting Act 8 years
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller does not use Data Processor(s)

In the case of bank transfers, personal data are accessed by the banks providing and managing the credit card payment as independent Data Controllers:

  • Oberbank AG Hungary Branch (head office: 1062 Budapest, Váci út 1-3., company registration number: 01-17-000456), the Bank’s Privacy Policy is available here: 

https://www.oberbank.hu/documents/416244/3006264/hu_datenschutz_052018.pdf/08920060-7acc-42aa-b984-d1c56e771617 

Source of data Source of personal data is the social care recipient and/or his/her relative
How to provide data, consequences The data must be provided. If you do not provide personal data, you will not be able to pay for the service

o) feedback on services

Purpose of data processing Feedback on services
Legal basis for data processing Article 6(1)(a) GDPR: consent
Categories of Affected Persons Person receiving social care and/or their relative
Scope of personal data Name, content of opinion
Data retention time Until the withdrawal of consent or for 30 days after the withdrawal of consent
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller does not use Data Processor(s)
Source of data Source of personal data is the social care recipient and/or his/her relative
How to provide data, consequences The provision of data is voluntary. If you do not provide personal data, the Data Controller will not be able to display your opinion.

p) contractual relations

In the case of its contracted partners (suppliers), the Data Controller communicates and maintains business relations through its contact person as set out in the contract. 

Purpose of data processing Maintaining communication and cooperation in order to fulfil the purpose of the contract between the Data Controller and the Partner
Legal basis for processing Article 6(1)(f) GDPR: legitimate interest
Categories of Affected Persons Employee of the partner (sole proprietor, LLC, Bt., Zrt.) as the designated contact person
Scope of personal data Name, position, phone number, email address
Data retention time Until the end of the 5th year after the contract is performed or terminated
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller does not use Data Processor(s)
Source of data Source of personal data is the Partner’s contact person
How to provide data, consequences Providing the data is mandatory. If you do not provide the personal data, the Data Controller will not be able to reconcile with the Partner

II Data processing activities in the capacity of a data processor

q) booking

Purpose of data processing Making an appointment for a patient coming for a health service
Legal basis for processing Article 6(1)(b) GDPR: necessary for the performance of the contract or for taking steps at the request of the Data Subject prior to the conclusion of the contract
Categories of Affected Persons Patient
Scope of personal data Name, date of birth, telephone number, email address 
Data retention time By the end of the 1st year after the date of reservation
Data transmission No transfer of data pursuant to Articles 44-49 of the GDPR
Addressees The Data Controller uses Data Processor(s):

  • patient registration software: DeriCom Kft. (headquarters: 1095 Budapest, Ipar u. 2/b 2. floor. door 13, company registration number: 01-09-687394)

Doctors who provide patient care services carry out their data management activity(ies) as independent Data Controllers on the basis of their own Data Management Notice. 

The Iris Institute performs administrative tasks for the booking of appointments.  

Source of data The source of personal data is the patient
How to provide data, consequences The data must be provided. If you do not provide the personal data, the Data Controller will not be able to schedule an appointment for the health service.

6.) Website data management

The Website uses cookies.

A cookie is a file that is placed on your computer when you visit a website. A cookie is a packet of information that the server sends to the browser, and then each time you request a cookie, the browser sends it back to the server with the data content specified by the server. The purpose of this is to save the web settings of the website you are visiting, so that when you visit the same website again from the same device, the site will remember the parameters you have set.

The cookie has countless functions. Cookies are most often used to personalise ads, services and analyse website traffic. 

Under current legislation, cookies can only be stored on your device if they are absolutely necessary, i.e. they are essential for the website to function, and are called “necessary cookies”. For all other types of cookies, your consent is required. You can view and set the cookies currently used on the website in a pop-up window when you access the website.  

Modern browsers allow you to change cookie settings. Some browsers automatically accept cookies by default, but you can change this setting to prevent automatic acceptance in the future. If you change this setting, the browser will offer you the option to set cookies each time you change it.

Given that the cookies are intended to support and facilitate the usability and processes of the website, it cannot be guaranteed that you will be able to use all the features of the website to their full extent if you disable cookies. The website may then function differently than intended in the browser. For more detailed information on cookie settings for the browsers below:

7.) Social media

The Data Controller is not available on social networking sites. 

8.) Access to data

The personal data may be accessed by the competent staff and doctors of the Data Controller to the extent necessary for the performance of their tasks.

9.) Data security measures

The Data Controller shall take appropriate IT, technical and personnel measures to protect the personal data it processes against, inter alia, unauthorised access or unauthorised alteration.

10.) Data Subjects’ rights in relation to data processing and their content

About data management

Right of access

Content of the Data Subject’s right in relation to data processing
Right to information

/Articles 13-14 of the GDPR/

You have the right to be informed of the fact and purposes of the processing at the time of obtaining your personal data. The Controller will also provide you with such additional information as is necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. You shall also be informed of the fact of profiling and its consequences.
Right of access

/Article 15 of the GDPR/

You have the right to request information from as to whether your personal data is being processed and, if such processing is taking place, you have the right to be informed that the Data Controller:

  • what personal data
  • on what legal basis
  • for what purpose
  • how long it treats 
  • to whom, when, under which law, to which personal data, to whom you have given access or to whom you have transferred your personal data
  • the source of your personal data (if not provided by you to the Data Controller)
  • whether it uses automated decision-making and its logic, including profiling.
Right to rectification

/Article 16 of the GDPR/

You have the right to have inaccurate personal data concerning you corrected or incomplete personal data completed by the Data Controller at your request. You may therefore request that the Controller amend any of your personal data (for example, you may change your e-mail address or other contact details at any time).
Right to erasure (“right to be forgotten”)

/Article 17 of the GDPR/

You have the right to have your personal data deleted by the Data Controller at your request if one of the following grounds applies: 

  • your personal data are no longer necessary for the purposes for which they were collected or otherwise processed 
  • you withdraw your consent on the basis of which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing
  • you object to processing on the basis of Article 21(1) and there are no overriding legitimate grounds for processing, or you object to processing on the basis of Article 21(2)
  • your personal data have been unlawfully processed
  • your personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the Data Controller is subject
  • your personal data have been collected in connection with the provision of information society services referred to in Article 8(1).
Right to restriction

/Article 18 of the GDPR/

You have the right to have the Controller restrict the processing of your personal data at your request if one of the following grounds applies: 

  • You contest the accuracy of your personal data (in which case the limitation applies for the period of time that allows the Controller to verify the accuracy of the personal data)
  • the processing is unlawful and you oppose the erasure of the data and instead request the restriction of their use
  • the Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of a legal claim

You have objected to the processing pursuant to Article 21(1) (in which case the restriction applies for the period until it is established whether the legitimate grounds of the Controller prevail over your legitimate grounds).

Right to data portability

/Article 20 of the GDPR/

You have the right to receive personal data concerning you which you have provided to a Data Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another Data Controller without hindrance from the Data Controller to which you have provided the personal data, if:

  • the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a), or on a contract within the meaning of Article 6(1)(b), and 
  • the processing is carried out by automated means.

You have the right to request, where technically feasible, the direct transfer of your personal data between Data Controllers.

Right to object

/Article 21 of the GDPR/

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data based on Article 6(1)(e) or (f), including profiling based on those provisions. In such a case, the Controller may no longer process your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such purposes, including profiling, where it is related to direct marketing.

Right to withdraw consent

/Article 7(3) GDPR/

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal. You must be informed of this before consent is given. The withdrawal of consent shall be made possible in the same simple manner as the granting of consent.

11.) Data subject’s rights of redress in relation to data processing and their content

Legal remedies Content of the remedy
Right to complain to the Supervisory Authority

/Article 77 of the GDPR/

If your right to the protection of your personal data is infringed, you may lodge a complaint with the following Authority:

National Authority for Data Protection and Freedom of Information 

head office: 1055 Budapest, Falk Miksa utca 9-11.

mailing address: 1363 Budapest, Pf. 9.

phone: +36 (1) 391-1400

email: ugyfelszolgalat@naih.hu   

Website: www.naih.hu 

The right to an effective judicial remedy against the Controller or the Processor (initiation of legal proceedings)

/Article 79 of the GDPR/

You have the right to take legal action against the Controller or Processor if you consider that the processing of your personal data is unlawful. The court will decide the case out of turn. In such a case, you are free to decide whether to bring your action before the competent court in your place of residence or domicile. The courts can be contacted at: www.birosag.hu/torvenyszekek

12.) Update of the Privacy Notice

The Data Controller reserves the right to unilaterally amend this Privacy Notice. In particular, this Privacy Notice may be amended if necessary due to changes in legislation, data protection authority practices, business needs or other circumstances. At the Data Subject’s request, the Controller shall send him a copy of the current version of the Privacy Notice in the form agreed with him.

Balatonföldvár, 12 February 2024.