Privacy policy and data protection for treatment in the clinic

Dentalklinik Dr. Tóka

Lackner K. u. 62/B
Sopron, Hungary


M-T: 08:30 – 16:30
F: 08:30 – 15:00

PRIVACY POLICY AND DATA PROTECTION  

  1. Legislation that shall form a basis for this information, as well as data processing and health care services

Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter:  „GDPR“)  

Act CXII of 2011 on the right to self-determination as regards information and freedom of  information (hereinafter referred to as: “Info Act”),  

Act XLVII of 1997 on the processing and protection of health and related personal data  (hereinafter referred to as: “Privacy Act”),  

Act CLIV of 1997 on Health Care (hereinafter referred to as: “Health law”),

Government Regulation No 96/2003 (VII.15.) on the general conditions for the practice of the health care services and the operating authorization procedure,

Act LXXXIII of 1997 on the provision of compulsory sickness insurance (hereinafter  referred to as: “Law on sickness insurance”)  

Act No XLVIII of 2008 on the basic requirements and certain restrictions of commercial  advertising activities.  

  2. Data controller and activities they carry out

Company 1 /data controller 1  

The data controller is DENTALKLINIK DR. TÓKA Egészségügyi Korlátolt Felelősségű Társaság (HU-9400 Sopron, Lackner Kristóf utca 62/B., Registry Court of Győr company registration number: 08-09-011297, tax number: 13059365-2-08, statistical code: 13059365-8623-113-08, hereinafter referred to as: “Company 1 / data controller 1”).

Company 2 /data controller 2  

The data controller is IMPLANTKLINIK DR. TÓKA Egészségügyi Korlátolt Felelősségű Társaság (HU-9400 Sopron, Lackner Kristóf utca 62/B., Registry Court of Győr company registration number: 08-09-035690, tax number: 32246445-1-08, statistical code: 32246445-8623-113-08, hereinafter referred to as: “Company 2 / data controller 2”).

“Company 1 / data controller 1” and “Company 2 / data controller 2” hereinafter collectively  referred to as “Company / data controller”  

The e-mail address of the data controller to be contacted:  

DENTALKLINIK DR. TÓKA Egészségügyi Korlátolt Felelősségű Társaság office@drtoka.com 

Name and contact details of the data protection officer and the data management administrator  appointed by the data controller:  

Name: Dr. Stephan Tóka,  

email address: office@drtoka.com 

and 

IMPLANTKLINIK DR. TÓKA Egészségügyi Korlátolt Felelősségű Társaság office@implantklinik.hu 

Name and contact details of the data protection officer and the data management administrator  appointed by the data controller:  

Name: Dr. Stephan Tóka,  

email address: office@implantklinik.hu 

The websites drtoka.com and implantklinik.hu and all rights related to their operation belong to the Company. Please note that the details available on the Company’s websites at drtoka.com and implantklinik.hu (hereinafter collectively referred to as: “Website”) are for information only. In order to use the services provided by the Company, certain personal data must be provided, processed and possibly transferred to third parties, for which the consent of the Data Subjects and the legislative provisions are mandatory in all cases.

The Company provides health care services (dental practice activities) in accordance with Article 3 e) of Health law. According to the law, health care services are all health activities that can be carried out – in cases specified by law – in possession of an operating license issued by the state health administration and are aimed at the examination and treatment, care, nursing and medical rehabilitation of the patient, the reduction of pain and suffering, and, for those purposes, the processing of the patient’s test materials, including the activity in accordance with the special legislation related to medicines, medical aids and medical care, as well as rescue and ambulance transport, obstetrical services, special procedures for human reproduction, surgical sterilization, medical research conducted on humans, as well as medical procedures related to autopsy and death-related medical procedures, including the activities related to the transfer of inert human bodies according to the special legislation, in order to ensure the maintenance of human health and the prevention, early detection, diagnosis and treatment of diseases, the averting of a life-threatening situation and the improvement of the condition caused by illness.

On the basis of this Data Processing Policy, the Data Subject is a person who uses the health care  services provided by the Company or is interested in the services provided by the Company (patient, client), persons staying temporarily or for a longer period in the territory of the Company’s  institution (especially with regard to the use of photographs and audio and video recordings in the  territory of the Company’s institution).  

  3. Legal basis for data processing

During the application of this information, data processing according to Article 3 (10) of the Info  Act: shall mean any operation or set of operations that is performed upon data, whether or not by  automatic means, such as in particular collection, recording, organisation, storage, adaptation or  alteration, use, retrieval, transmission, dissemination or otherwise making available, alignment or  combination, blocking, erasure or destruction, and blocking them from further use, photographing,  sound and video recording, and the recording of physical attributes for identification purposes (such  as fingerprints and palm prints, DNA samples and retinal images);  

Legal basis for the Company’s data processing:  

 relating to the health care service activity specified in point 2 of these regulations, the  fulfilment of the mandatory data processing, data retention and data transmission  obligations based on the legislation applicable to this activity, as well as the Data Subject’s  consent, 

in respect of the profiling activity generated by the use of the website or any marketing services  available through it, and based on the data stored by the so-called cookies, the data processing takes  place on the basis of the consent of the user of the service or the user of the website.  

Photographs and audio and video recordings are made on the Company’s territory on the basis of  the consent of the Data Subjects.  

In all of the cases listed above, the legal basis for data processing is also the legitimate interest of  the Company, furthermore, it may be based on a legitimate interest to conclude the existing debt,  outstanding claims or legal disputes, to fulfil legal, tax, audit and accounting obligations, to prevent  fraud, and to maintain the data security of users, clients and patients, in addition, the monitoring of  dental treatments, interventions (surgeries, anaesthetics, etc.) and possible complications arising in  connection with these, in order to clarify details.  

  4. Scope of processed data

The Data Subjects are responsible for the correctness and completeness of the data they  provide, including that any service involving data processing is used by the Data Subjects in their  own name and, in the case of a private person, the Data Subject is over 18 or s/he has the consent  of a legal representative.  

The data processed by the Company in connection with the activities defined in point 2 and  the legal bases defined in point 3 may be: 

natural person identification data  

address  

place and date of birth  

contact details (email address, phone number, mailing address)  

tax code  

social security number  

health data  

photographs and audio and video recordings  

The website may also collect non-personal statistical data incapable of identification by so-called  cookies for marketing purposes and for the website development.  

  5. Duration of data processing

Except in cases of mandatory data processing, the duration of data processing lasts until the  withdrawal of the consent of the Data Subject.  

Photographs, audio and video recordings made on the Company’s territory are kept for a period of 2 weeks after the recording was made; after the expiry of this period, the recordings will be automatically deleted.

The Company stores the data generated during the performance of the health care service contained  in point 2 of this information according to Article 30 of Privacy Act as follows:  

 Health records – with the exception of recordings made with medical imaging services, medical reports made from them, as well as printed and electronic prescriptions – must be kept for at least 30 years from the date of data collection, and the final report for at least 50 years. After the mandatory registration period, the data can still be registered for medical treatment or scientific research – where relevant. If the additional register is not justified, the register shall be destroyed.

 Recordings made with medical imaging services must be kept for 10 years from the date of the recording, and the medical reports made from the recording must be kept for 30 years from the date of the recording.

 If the health records have scientific importance, they must be handed over to the competent  archive after the mandatory registration period.  

Based on the relevant legislation, the Data Controller and all of its employees are obliged to keep  the medical confidentiality without any time limit. Related to the data processing, the rules on  medical confidentiality should also apply to the person who contacts the Company for the purpose  of using a health care service, but does not use this service.  

  6. Purpose of data processing

The purpose of processing medical and identification data:  

 promoting the preservation, improvement and maintenance of health,  

 facilitating the effective medical-care activity of hospitals, including technical supervision,

 monitoring the health of the person concerned,

 taking the necessary measures in the interest of public health and epidemiology,

 enforcement of patient rights,

 following the individual patient pathway.  

The Company is entitled to handle medical and identification data in addition to those specified above – in the cases specified by law – for the following purposes:

 training of health care professionals,

 medical-professional and epidemiological studies, analysis, planning and organization of  health care, drawing up the budget,  

 statistical investigations,  

 anonymization for impact assessment purposes and scientific research,

 facilitating the work of organizations exercising professional supervision or legal review, professional or legality supervision of the body or person managing health data, if the purpose of the control cannot be achieved in any other way, as well as performing the tasks of organizations that finance healthcare services,

 determination of social security and social benefits, if it is based on the state of health, as well as determination of law enforcement health care in accordance with the law on the service status of professional members of law enforcement agencies, as well as determination of health impairment benefits in accordance with the law on the legal status of the personnel of Nemzeti Adó- és Vámhivatal (National Tax and Customs Office),

 examination of the ordering and provision of services available to persons entitled to health  care at the expense of compulsory health insurance, as well as compliance with the rules on  the ordering of economical medicines, medical devices and medical care, financing of the  benefits provided to the beneficiaries based on the contract according to the separate  legislation, and accounting for price support, and for the establishment, payment of social  security benefits and repayment and reimbursement of benefits paid,  

 for the continuous and safe supply and provision of prescribed medical devices, medical  aids and medical care to persons entitled to health care,  

 investigation and registration of work accidents and occupational diseases – including cases  of increased exposure – and the implementation of the necessary occupational safety  measures,  

 ethical approach against healthcare workers; 

 establishing the effectiveness and support of medicines, medical devices and medical aids  receiving effectiveness–based support and establishing the financing procedures for  medical treatment of these medical products,  

 organization of patient pathway,  

 evaluation and development of the quality of health care services, regular review and  development of the evaluation aspects of health care services,  

 monitoring, measuring and evaluating the performance of the health care system,

 promoting effective and safe medication for those entitled to health benefits and developing cost-effective drug therapy;

 enforcement of rights related to cross-border health care within the European Union.  

With the – voluntary – consent of the Data Subject or his legal or authorized representative – based on adequate information, containing a clearly expressed will, and given in a way that credibly proves the making of the legal declaration – the Company is also entitled to manage health data for purposes other than those specified above, either in full or in the scope of certain data processing activities.

For purposes based not on a consent, the Company shall only process such medical and  identification data that are necessary for the purpose of data processing.  

In addition to the above, the Company processes data for the following purposes:

direct contact with the client via phone and email;

performance of the contract for the service provided by the Company;

direct marketing (information activities and ancillary services carried out by the method of direct contact, intended to transmit to the client advertising or direct mail related to the sale or provision of products or services);

sending other advertising material, electronic advertisements or other addressed content to  the client by email;  

sending newsletters and offers to the client  

development of the website;  

promoting the professional and personal development of employees of the Company;

for quality assurance purposes.

The Company has carried out an impact assessment in accordance with Article 35 of GDPR related  to the individual data processing operations it carries out, and reviews it annually or in the event of  a circumstance that has a significant impact on the risks. As a result of the investigation, it has been  established that data processing is carried out on the basis of the requests of the Data Subjects, in  the interest of the patients and on the basis of their consent, the purpose of which is to provide the  patients with a full dental service, to determine the underlying procedures, and the data used are  always determined in relation to the necessary and specific medical intervention.  

  7. Data transfer

The Company does not transfer data to contractual partners in the context of its health care service  activities in a way that can be used to determine the identity of the Data Subject. The Data Subject’s  data may be transferred to third parties in the form of aggregated data that cannot be linked to a  person.  

For the purposes of Article 4 (1)-(3) of Privacy Act, the Company is entitled to transfer and link medical and identification data within the health care network. In order to fulfil the task of the health insurance body defined in Article 81 of the Law on sickness insurance, health data and social security numbers (hereinafter the Hungarian acronym: TAJ number) can be transmitted and connected between the health care network and the health insurance body, to the extent necessary for the performance of the task. Medical and identification data from different sources can only be connected until the time and to the extent that it is absolutely necessary for prevention, medical treatment, public health and epidemiological measures.

In the case of any mandatory transfer of data required by the health legislation applicable to the  Company, the recipient of the data is the organization specified in the relevant health legislation  (e. g. Országos Egészségbiztosítási Pénztár – National Health Insurance Fund), which acts as an  independent data controller, the data transfer is required by law, therefore the consent of the Data  Subjects is not required.  

In the course of data processing, any health data related to the illness of the Data Subject may be  transmitted which is important for the purpose of the treatment according to the decision of the  attending physician, unless the Data Subject prohibits this in writing or in a self–determination  registered statement. In spite of the Data Subject’s prohibition, medical and, if required by law,  identification data must be forwarded in the cases provided for in Article 13 of Privacy Act, or for  public health, epidemiological or occupational health purposes in accordance with the provisions  of Article 15 of Privacy Act.  

Even in the case of data transfer according to the above, the Company – with the exception specified in the law – does not transfer health data related to previous illness unrelated to the illness at the time of transfer without the consent of the Data Subject.

The Company (employees of the Company) and any data processors entrusted by the Company  with the collection, management and performance of quality assurance tasks may see the client’s  personal data provided orally, in writing or electronically in connection with the interest in the  health care service. If the Company uses a data processor during a given procedure, the Company  will inform the Data Subjects.  

In addition to the third parties named or referred to in this Policy, the personal data of the Data  Subject will not be transferred to third parties, except for mandatory data transfer based on law, in  particular, but not exclusively, including judicial or administrative requests based on law.  

  8. Data processors

The Company also acts as a data processor in connection with all data processing.

  9. Newsletter registration

The client may withdraw his/her consent to the processing and transfer of his/her personal data at  any time, without limitation or justification, in writing at any of the following contact details:  

FOR DENTALKLINIK DR. TÓKA KFT.  

Email: office@drtoka.com 

Postal address: DENTALKLINIK DR. TÓKA Egészségügyi Korlátolt Felelősségű Társaság – HU-9400 Sopron, Lackner Kristóf utca 62/B

FOR IMPLANTKLINIK DR. TÓKA KFT.  

Email: office@implantklinik.com 

Postal address: IMPLANTKLINIK DR. TÓKA Egészségügyi Korlátolt Felelősségű Társaság –  HU-9400 Sopron, Lackner Kristóf utca 62/B  

  10. Rights of Data Subjects

If not limited by applicable law, the following rights are granted to individuals based on GDPR:  

Right of access – to receive information about the personal data processed and access to  such data;  

Right to rectification – to request the modification or the updating of personal data if the  data are inaccurate or incomplete;  

Right to erasure – to request the deletion of the personal data, if it is not medical secret and  the data processing is not based on a legal obligation;  

Right to restriction – to request that the processing of personal data is suspended temporarily  or permanently related to all or part of the personal data, if it is not medical secret and the  data processing is not based on a legal obligation;  

Right to object – an objection can be raised at any time against the processing of personal data or processing for direct sales purposes, unless it is a medical secret or a legal obligation;

The right to data portability – an electronic copy of personal data and the transfer of personal data to third parties may be requested;

Right to exemption from automated decisions – upon request, the Data Subject is exempted  from a decision made solely on the basis of automated decision, including profiling during  which the decision made would have a legal effect on the Data Subject or have a significant  impact.  

The Data Controller examines the Data Subject’s request for the exercise of the above rights as  soon as possible, but no later than 15 days after the submission of the request, makes a decision on  the validity of the request, or gives an answer, and informs him/her of his decision or answers in  writing. In case of deletion, restriction or objection, if the Data Controller determines that the  request is justified, the data processing – including further data collection and data transfer – will  be terminated and the data will be blocked. The Data Controller shall inform all those to whom  the personal data concerned has been previously transferred and who are obliged to take action to  enforce the right contained in the request. If the Data Subject does not agree with the decision of  the Data Controller, or if the Data Controller fails to meet the above deadline, s/he may lodge a  complaint or go to court within 30 days of the notification of the decision or the last day of the  deadline.  

Rights and obligations related to data processing and data protection, and information on how to  exercise them can be requested in a request sent to the email address of the Data Controller to be  contacted.  

The Data Controller does not transfer personal data outside the territory of the European Union.  The Data Controller may transfer data that cannot be linked to a person outside the territory of the  EU to a country or to a service provider that meets the requirements of GDPR. In the agreements  concluded with its contracted partners, as well as their agents, collaborators and employees, the  Data Controller ensures compliance with the requirements contained in these regulations and  related internal regulations. 

The Data Controller takes appropriate technical and organizational measures to protect personal data; however, no IT system can provide full protection. In the event of an unlawful attack on the IT system used by the Company, the Company cannot assume responsibility for the protection of personal data.

The authority which is authorized to monitor the Data Controller’s activities related to data  processing:  

Nemzeti Adatvédelmi és Információszabadság Hatóság (the national authority for data protection and freedom of information; “the Hungarian data protection authority”)

Address: HU-1055 Budapest, Falk Miksa utca 9-11.

Postal address: HU-1374 Budapest, POB: 603.  

Phone numbers:  

+36 (30) 683-5969  

+36 (30) 549-6838  

+36 (1) 391-1400  

Email address: ugyfelszolgalat@naih.hu  

This Privacy Policy can be unilaterally amended by the Data Controller at any time.

This Data Processing Policy enters into effect on 1 April 2023.

DENTALKLINIK DR. TÓKA Kft.  

represented by Dr. Stephan Tóka, managing director  

and  

IMPLANTKLINIK DR. TÓKA Kft.  

represented by Dr. Stephan Tóka, managing director 
