Privacy Policy
The DR. LOSONCZY PRIVATE CLINIC LTD. AND DA VINCI LTD. JOINT DATA MANAGEMENT INFORMATION RELATING TO THE ACTIVITIES OF HEALTH SERVICE PROVIDERS
I. Who handles your data?
Dr. Losonczy Private Clinic Limited Liability Company and da Vinci Limited Liability Company will handle your information in accordance with the provisions of this leaflet.
We hereby inform you that Dr. Losonczy Private Clinic Limited Liability Company and da Vinci Limited Liability Company are considered joint data controllers in accordance with the regulations in force (hereinafter: Joint Data Controllers or Data Controllers).
You may contact the Data Controllers regarding the processing of your personal data at the following contact details:
The registered office and postal address of the Data Controllers: 1124 Budapest, Gébics utca 15. fszt. 1.
The contact number for Data Controllers is : +36203373959
Contact Information for Data Controllers E- mail : info @ davincident.hu
The position of Data Protection Officer at Data Controllers has not been established. In matters of data protection, the Data Protection Officer acts as the Data Controller.
The head of data protection for both data controllers Dr. Losonczy Levente.
II. What is this Prospectus about?
- In this information, we use the following privacy terms with the following meanings:
Personal data: Any data or information that identifies a natural person (“Data Subject”), directly or indirectly.
Data subject: Any natural person identified or identifiable, either directly or indirectly, on the basis of specific personal data. During the provision of our services, the Relatives of the Patient and in some cases the Patient are affected.
Data subject’s consent: A specific (unambiguous and unambiguous) act of the data subject’s will, based on voluntary and specific information, in which he or she consents to the processing of personal data concerning him or her.
Data management: Any operation or set of operations on personal data, regardless of the procedure used, in particular the collection, recording, systematisation, segmentation, storage, transformation, alteration, use, querying, viewing, use, communication, dissemination or otherwise making available, disclosing, reconciling or linking, restricting, deleting and destroying.
Data Controller: Who defines the purposes and means of data management. In this case, these are defined jointly by the Data Controllers.
Data Processor: The service provider who handles personal data on behalf of the data controller.
Data processing: The data processors do not make an independent decision, they are only contracted by the data controllers and are entitled to act in accordance with the instructions received. After 25 May 2018, the Data Processors will record, process and process the Personal Data transmitted to us and processed or processed by us in accordance with the provisions of the “GDPR”. processed and a statement is made to the Data Controllers. Data Controllers control the work of Data Processors.
Recipient: The natural or legal person to whom personal data are communicated.
Privacy Incident: A security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal information that is transmitted, stored, or otherwise handled.
- The processing of personal data of patients and other data subjects is necessary for the provision of healthcare services by Data Controllers.
In the course of the healthcare services they provide, the Data Controllers process (record, process and transmit) the personal data of the patients in accordance with the applicable European and Hungarian data protection legislation.
- Data Controllers set out in this Prospectus the principles of their personal data protection practices.
As part of this, they provide information on the purposes and use of personal data and how they are protected and protected. In addition, all information required by current European and Hungarian data protection legislation will be made available to data subjects.
At the request of the data subject, the Data Controllers shall provide further detailed information regarding the personal data processed, the purpose, legal basis, duration of the data processing and the entire activity related to the data processing.
- The Data Controllers may unilaterally change this Prospectus at any time, which shall be notified to the data subjects in due time.
III. What data do Data Controllers handle and for what purpose?
- In the course of our activities, we basically process the data of Patients and other Stakeholders.
- We process personal data only for a pre-determined purpose, based on the exercise of a right and / or fulfillment of an obligation. We act fairly and lawfully in the collection and processing of your data. Only such and as much personal data will be processed that is essential for the fulfillment of our contractual and legal obligations in connection with our activity, for the fulfillment of the provisions thereof, and that is suitable for the purpose. We only process personal data to the extent and for the time necessary.
- In all cases, the data management is related to the services of the Data Controllers, which are used by the Patient or which are contacted by the Data Controllers for the purpose of using them.
The scope of the Personal Data processed is proportionate to the purpose of data processing and does not extend beyond it.
We will not use the personal information you provide for purposes other than those described in this Prospectus.
In all cases where we wish to use personal data for a purpose other than the purpose for which the original data was collected, we will inform you and obtain our prior and express consent or provide an opportunity for our Patients to prohibit their use.
As Data Controllers, we do not control the personal data you provide. The person who provided it is solely responsible for the accuracy of the personal data provided, so you are responsible.
The personal data of a person under the age of 16 may be processed only with the consent of an adult exercising parental supervision over him or her. As Data Controllers, we are not in a position to verify the consent of the consenting person or the content of the statement, so the Patient or the person exercising parental supervision over him or her warrants that the consent complies with the law.
The personal data we process will not be passed on to third parties other than the Data Processors specified in this Prospectus and certain Recipients referred to in this Prospectus.
The transfer of data to the Data Processors specified in this Prospectus may be performed without the separate consent of the Patient. The disclosure of personal data to third parties or authorities is only possible, unless otherwise provided by law, on the basis of an official decision or with the prior express consent of the Patient concerned.
We will notify the affected Patient of the correction, restriction or deletion of the personal data processed by us, as well as all those to whom the personal data has previously been transferred for the purpose of data processing. The notification shall be withheld only if it does not harm the legitimate interests of the data subject with regard to the purpose of the processing.
- Our websites are available at http://davincident.hu/ And You can reach https://dr-losonczy.hu/ . When visiting websites, our server does not log the activities of visitors, we do not use cookies (so-called cookies).
IV. Data processing related to health services provided by Data Controllers
Data Controllers perform data processing operations with personal data for the following purposes and in the following circumstances:
1. Conclusion of a contract for the provision of health services
When you visit one of the Data Controllers to receive the healthcare provided here, a contract for the provision of the healthcare will be concluded between one of the Data Controllers and you.
Name of the data management: obtaining the data required for a supply contract concluded in connection with the use of the services of one of the Data Controllers from the patient or the legal representative of a child with limited capacity to perform the data processing necessary for the fulfillment of contractual obligations.
Purpose of data management: concluding and fulfilling contracts for healthcare services offered by Data Controllers.
basis for data processing: Article 6 (1) (b) GDPR, ie data processing is necessary for the performance of a contract in which one of the parties is required or to take steps at the request of the data subject prior to the conclusion of the contract
Stakeholder categories :
Patients receiving care and, where applicable, their legal representatives.
Scope of data managed :
- Patient’s identification data (surname and first name, birth surname and first name, citizenship, place of birth, time, mother’s birth name, address, if not, place of residence, type and number of identification document)
- Address,
- phone number,
- His e-mail address,
- mailing address,
- Details of the service used:
Source of data processed:
Provision of data by the Patient or his / her legal representative.
Recipient of personal data :
National Health Insurance Fund Manager (NEAK)
Processors of personal data :
- ARPADENT customer service software operator,
- Plus Kft An organization providing accounting services
Duration of data management:
The data processing lasts as long as the claim can be enforced in connection with the established contractual relationship, ie for 8 years from the termination of the contractual relationship, except in the case of termination of the limitation period.
The legislation prescribing the duration of data processing is the Accounting Act, which stipulates an 8-year retention obligation for the preservation of the accounting document and the related records.
If the Accounting Act does not govern the duration of data management, the Civil Code shall apply. 6:58. § applies, according to which the contract creates an obligation to perform the service and the right to demand the service. In this case, the data processing lasts for 5 years from the termination of the contractual relationship, except in the case of termination of the limitation period.
2. Data management related to healthcare
When you visit one of the Data Controllers and use the health care provided here, we will record your personal identification and health data in the documentation certifying and describing the care, which we may pass on to the Data Controllers and other authorities or recipients due to our legal obligations.
Name of data management:
Identifying our patients, documenting their medical condition and care, including obtaining data, recording measured or recorded data, and occasionally transmitting them to intermediary healthcare providers or authorities.
The purpose of data management:
To promote the preservation, improvement and maintenance of the patient’s health, to promote effective medical treatment, to monitor the patient’s state of health and to ensure the enforcement of patients’ rights.
Legal basis for data management:
Article 6 (1) (c) of the GDPR, ie compliance with a legal obligation: CLIV Act 1997 on health care. Act XLVII of 1997 on the processing and protection of health and related personal data. Act No. 62/1997 Coll., on certain aspects of the processing of health and related personal data. (XII. 21.) NM decree
Stakeholder categories :
Patients in need of care.
Scope of personal data processed :
- Data required for Patient Identification and Care:
- Name,
- Birth name,
- Social security number,
- address,
- place and date of birth,
- Data related to health status and care
Source of data processed:
Voluntary data provision of the Patient, results of the performed examinations.
recipient of personal data :
National Health Insurance Fund Manager (NEAK)
Processors of personal data :
- ARPADENT customer service software operator,
- FedEx Courier Service for Sample Delivery
Duration of data management:
1997 XLVII. Act LXXXIII of 1997 on the handling and protection of health and related personal data. Act on the Regulation on Compulsory Health Insurance Benefits and Act No. 62/1997 Coll. (XII. 21.) NM decree on certain issues of the processing of health and related personal data (according to Section 30 (1) of the Eütv. 30 years from the data collection, 50 years in the case of final reports, 10 years in the case of imaging diagnostic recordings
We would like to inform you that if a specialist treating you at one of the Data Controllers deems it necessary to involve another specialist in order to increase your convenience and the quality of the service, you may only have access to your care data in order to ensure the security and speed of care.
We would like to inform our patients that you will be called by name in the waiting room. If your Patient or legal representative does not wish to consent, please indicate this at check-in.
3. Account – related data management
We process this information when we issue an invoice to pay for our service .
Name of data management:
Issuance of a valid document accompanying the service
Purpose of data management:
Providing financial settlement and order
Legal basis for data management:
Article 6 (1) (c) of the GDPR, fulfillment of a legal obligation based on Act C of 2000 on Accounting and Act CXXVII of 2007 on Value Added Tax. law
Stakeholder categories :
Persons in whose name an invoice is issued.
Scope of data managed:
Mandatory account information.
Source of data processed:
The affected.
Recipient of personal data:
National Tax and Customs
Data processor:
ARPADENT patient management software,
Organization providing accounting services:
Planned duration of data management:
Act C of 2000 on Accounting ; Act CXXVII of 2007 on Value Added Tax 8 years from the date of issue in accordance with the provisions of the Act
If you display the details of a relative or other person (as a third party), you must ensure that you have the consent of the third party!
4. Preparation and use of photographic documentation for scientific purposes in connection with health care
With the help of this photo documentation, we would like to follow and document the treatment process, which gives us the opportunity to present the results of the treatment compared to the pre-treatment condition and use the documentation to present special cases of the profession for scientific purposes.
The purpose of the planned processing of personal data is:
Documentation of health care
Legal basis for data management:
Article 6 (1) (a) of the GDPR, express written consent of the Patient
Stakeholder categories:
Patients in need of care
Personal data processed:
Patient name, photos of care processes
Data processor:
In this case, we do not use.
Planned duration of data management:
Until the consent of the Patient concerned is withdrawn
5. Preparation and use of photographic documentation for marketing purposes in connection with health care
With the help of this photo documentation, we want to follow and document the process of the treatment, which gives us the opportunity to present the results of the treatment compared to the condition before the treatment and to use the documentation prepared for marketing purposes.
The purpose of the planned processing of personal data is:
Documentation of health care
Legal basis for data management:
Article 6 (1) (a) of the GDPR, express written consent of the Patient
Stakeholder categories:
Patients taking advantage of ell
Personal data processed:
Patient’s name, photos of care processes
Data processor:
In this case, we do not use.
Planned duration of data management:
Until the consent of the Patient concerned is withdrawn
V. To whom do we or can we pass on the data of Patients and other Stakeholders?
- The Data Controllers shall are entitled to transfer your personal data to the following processors as set out in
- Business system operator and general IT service provider :
- ARPASOLUTION
- contact person: Zsolt Bálint
- head office: 9025 Győr, Töltszer u. 3.
- e – mail address: info (at) arpadent (dot) hu
- telephone number: (30) 988 2674
- Organization providing accounting services:
- PLUS Kereskedelmi és zszolgáltató Kft
- contact person: Jakab Eszter
- head office: 1145 Budapest Tellér u 5
- email address: info@pluskft.hu
- phone number: + 36-1-399-08-41
- Organization transporting samples:
- Fedex
- Attn: Legal Department
Taurusavenue 1112132 LS HoofddorpThe NetherlandsE: euprivacy@fedex.com - FedEx Corporation
Attn: Legal Department – Compliance1000 Ridgeway Loop Road, Ste 600Memphis, TN 38120United States of AmericaE: dataprivacy@fedex.com
- Other recipients to whom the Data Controllers provide your personal data in accordance with Annex IV. may be transmitted in accordance with
- National Health Insurance Fund Manager (NEAK)
- NAV
VI. Other facts related to data management
1. Data security
Organizations of Data Controllers take all security, technical and organizational measures that guarantee the security of the data. The employees of the Data Controllers and the data processors of the Data Controllers are only entitled to access the data to the extent necessary for the performance of the tasks belonging to their duties.
The devices used to store the data are password protected and access levels are strictly regulated. For documents stored on paper, we use closed storage that prevents unauthorized access.
2. Organizational measures
During the implementation of their IT developments, the Data Controllers take into account the enforcement of IT security and data protection aspects already at the planning stage.
All IT systems of the Data Controllers are classified as high security. These security requirements must be met by both developers and operators when designing and operating the system.
All users may use the IT systems and services of the Data Controllers only to the extent necessary for the performance of their job duties, with the appropriate rights and for the required period of time.
Data Controllers also organize their operations through internal regulations.
All employees of the Data Controllers undertake to comply with strict confidentiality rules in a written statement when establishing their employment, and are obliged to act in accordance with these confidentiality rules in the course of their work.
All employees of Data Controllers receive data protection and data security training.
3. Technical measures
Data Controllers would do their utmost to ensure that their IT tools and software comply with the technology solutions generally accepted in the market.
Data Controllers protect the buildings they operate or use, their premises and thus the data handled, processed and stored there with various protection systems . (eg alarms, cameras, grilles, access control systems, fire protection systems, etc.).
Data Controllers have developed IT systems in which logging can be used to control and monitor the operations performed, and to detect incidents, such as unauthorized access.
The Data Controllers also protect and destroy the data processed on paper in accordance with the prescribed data protection requirements upon expiry of the retention period.
VII. Rights of the data subject, possibilities of legal remedy
You have the following rights regarding the processing of your data:
1. Right of access to data:
You have the right at any time to obtain adequate information from the Data Controllers as to whether your personal data is being processed, and if so, you have the right to access and request a copy of, or request information about, the personal data we hold about you. how we handle your personal information.
2. Right to information:
You have the right to be fully informed about the processing of your personal data. Upon request, we will provide information on:
- what is the purpose and legal basis of the data processing,
- what source our data is available to us,
- what personal data we handle,
- whether we transfer personal data and, if so, to whom,
- how long we store the data.
You can contact us in writing at any time regarding the processing of your personal data. You can request information by registered mail or registered letter with acknowledgment of receipt sent to our contact postal address specified in point I or by e-mail to the e-mail address indicated here. A request for information sent by post is considered authentic if the Patient can be clearly identified on the basis of the request sent. A request for information sent by e-mail will only be considered authentic if it is sent from the patient’s e-mail address registered with us. However, this does not preclude us from identifying the Patient in another way before providing the information.
3. Right to rectification:
At your request, we will correct and correct inaccurate data or add incomplete data without undue delay.
4. Right of cancellation:
At your request, we will delete your personal information without undue delay if
- we no longer need that data;
- You object to the processing of personal data and there is no purpose or legal basis for the processing of the data.
If you withdraw your consent to the processing of certain data; documents created on the basis of data processed before revocation can still be processed for us, but we will no longer initiate a new data processing operation on your data.
5. Right to restrict data processing:
If we have any questions about the accuracy, justification or lawfulness of our processing of your personal data, you may request that certain of our data processing activities be restricted. You may request a restriction even if we no longer need your information, but you need it to file, enforce or defend any of your legal claims. No data management operations can be performed during the restriction period, only data can be stored. We will notify you when the restriction is lifted.
6. Right to lodge a complaint with a supervisory authority , judicial enforcement
If you believe that your right to your personal data has been violated in any way by our data processing, you may lodge a complaint with the National Data Protection and Freedom of Information Authority.
Details of the supervisory authority:
National Authority for Data Protection and Freedom of Information, Headquarters: 1125 Budapest, Szilágyi Erzsébet fasor 22 / C, Mailing address: 1530 Budapest, Pf. 5., Phone: + 36-1-391-1400, Fax: + 36-1-391-1410 , E-mail: ugyfelszolgalat@naih.hu, Website: http://www.naih.hu
Judicial enforcement
You can also go directly to court if your right to personal information is violated.
The details of the competent court are as follows:
or the Metropolitan Court of the registered office of the Data Controllers, 1055 Budapest, Markó u. 27.,
or the court of your place of residence, more information is available at https://birosag.hu/birosag-kereso .
7. Privacy Incident
We pay special attention to data security. Pursuant to Article 32 of the GDPR, we will make every effort to raise awareness of data protection and data security. If you notice a breach of security that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise handled, please notify infoavincident.hu immediately .
If a data protection incident occurs, without undue delay, but no later than 72 hours after the incident became known, it shall be reported to the competent Supervisory Authority, unless the data protection incident is not likely to endanger the rights and freedoms of natural persons.
If the data protection incident is likely to pose a high risk to the rights and freedoms of the natural person, we will inform you – or the Data Subject – of the data protection incident without undue delay and take the action specified in the internal regulations.