Privacy policy

Please read this document carefully as by registering and/or using this website you agree to the terms of use and privacy policy set out herein.

1. General provisions

​1.1. Purpose and scope of the Rules

The purpose of these Rules is to ensure that Dental For You Dental Centre Limited Liability Company (registered office: 1053 Budapest, Kecskeméti utca 1, 1st floor 2, company registration number: Cg. 01-09-193901, tax number: 25000076-1-41, represented by Dr. Péter Márton Steinhof, Managing Director) as a healthcare service provider (hereinafter referred to as the "Data Controller"), to comply with the legal and professional requirements for the processing of health data, to be in compliance with other legal provisions on data processing, and to protect the data of individuals. Accordingly, the purpose of this Policy is to ensure that the activities of the Data Controller, as a company processing health data, comply with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as "the Infotv.") and the GDPR Regulation (Regulation (EU) No 2016/679 of the European Parliament and of the Council of 25 May 2018 on the protection of personal data and on the protection of individuals with regard to the processing of personal data) applicable from 25 May 2018. Regulation (EC) No 2017/19/EC of the European Parliament and of the Council of 25 May 2017 on the protection of personal data (hereinafter referred to as "GDPR"), Act XLVII of 1997 on the processing and protection of personal data concerning health and related personal data (hereinafter referred to as "Eüak."), and Act CXXXIII of 2005 on the rules of personal and property protection and private investigation.

The scope of the Rules covers:

• the organisation providing health care services (the Data Controller), all its employees, as well as the organisation and natural persons carrying out professional supervision and control,
• any natural person who has been or comes into contact with the Data Controller or who uses its services (hereinafter referred to as "patient or data subject"),
• any external service provider which processes or comes into contact with personal data within the scope of the activities of the Controller providing dental care,
• health data and personal data concerning the data subject processed in accordance with the provisions of the Eüak tv.
  This Policy does not cover the processing of data relating to the employment relationship with the Data Controller.

1.2. The purpose of health data processing:

Purpose of processing health and personal data (Section 4 (1) of the Health and Social Welfare Act):

• to promote the preservation, improvement and maintenance of health,
• Preservation, maintenance, preservation and improvement of health, health care, health promotion, health maintenance, health protection and health promotion,
• monitoring the health status of the person concerned,
• taking measures necessary in the interests of public health, public health and epidemiology,
• enforcing patients' rights
• transmission of data to the social security system in the case of services financed by the OEP.

Pursuant to Paragraph (2) of Article 4 of the Health and Personal Data Protection Act, in addition to the above-mentioned, health and personal data may be processed - in cases specified by law - for the following purposes:

• health professional training,
• medical-scientific and epidemiological investigation, analysis, planning and organisation of health care, cost planning,
• statistical analysis,
• anonymisation for impact assessment, scientific research,
• facilitating the work of bodies carrying out official or regulatory controls, professional or regulatory supervision of bodies or persons handling health data, where the purpose of such controls cannot be achieved by other means, and the tasks of bodies financing health care,
• the award of social security or social benefits, where this is based on health status,
• to check the prescription and provision of services to persons entitled to health care under the compulsory health insurance scheme and compliance with the rules on the prescription of medicines, medical appliances and medical treatment,
• and the provision of benefits to beneficiaries under a contract governed by special legislation the financing and accounting for the reimbursement of the costs incurred,
• law enforcement and crime prevention under the powers conferred on it by Act XXXIV of 1994 on the Police,
• the performance of the tasks provided for in Act CXXV of 1995 on the National Security Services, within the scope of the authorisation granted therein,
• administrative procedure,
• misdemeanour proceedings,
• prosecution proceedings,
• judicial proceedings,
• accommodation and care of the person concerned in a non-medical institution,
• assessment of fitness for work, whether or not such activity employment, civil service, public service, professional service or other legal relationship,
• for the purposes of public education, higher education and vocational education and training,
• for military service or for personal defence duties,
• unemployment benefits, employment promotion and related checks.

Health and personal data may also be processed for purposes other than those set out above with the written informed consent of the data subject or his or her legal or authorised representative (hereinafter together referred to as "legal representative"). For the purposes of the processing as set out above, only the amount and type of health and personal data strictly necessary for the purposes of the processing may be processed.

1.3. Principles, legal basis and general conditions for data processing:

The legal basis for the processing is the fulfilment of a legal obligation pursuant to Article 6 (1) (c) of the GDPR Regulation in the case of mandatory data transfers to the competent authority (including mandatory transfers to the ECESTA) as required by the Eüak tv. and the Eü tv. In other cases, the performance of a contract with the Data Controller as a healthcare service provider pursuant to Article 6(1)(b) of the GDPR Regulation. The processing of e-mail addresses processed for the purpose of subscribing to the newsletter is based on the data subject's consent, while the use of cameras installed in the premises of the Controller's clinic as processing is based on the legitimate interest of the Controller in the security of property pursuant to Article 6(1)(f) of the GDPR Regulation. Cameras are installed in the treatment rooms (surgeries) and in the waiting room, the exact location of which and the angle of view of the recording are set out in the Camera Policy of the Data Controller, which is available for inspection at the reception.

Personal data may only be processed for clearly specified, legitimate purposes, for the exercise of rights and the performance of obligations. At all stages of the processing, the purpose of the processing must be fulfilled and the collection and processing of the data must be fair and lawful. Only personal data which is necessary for the purpose of the processing and adequate for the purpose shall be processed. Personal data may only be processed to the extent and for the duration necessary to achieve the purpose. The personal data shall retain this quality during the processing for as long as its relationship with the data subject can be re-established. The link with the data subject may be re-established if the controller has the technical conditions necessary for the re-establishment of the link. The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for the time necessary for the purposes for which they are processed.

Adequate security of personal data must be ensured by the application of appropriate technical or organisational measures during processing, in particular measures to protect against unauthorised or unlawful processing, accidental loss, destruction or damage. The processing of personal data shall be regarded as fair and lawful if, in order to ensure the freedom of expression of the data subject, the person who wishes to know the opinion of the data subject visits him or her at the place of residence or stay, provided that the personal data of the data subject are processed in accordance with the provisions of this Act and the personal inquiry is not for commercial purposes. The personal inquiry shall not take place on a public holiday within the meaning of the Labour Code.

Personal data may only be processed if it is required by law or - on the basis of a statutory authorisation, within the scope specified therein, in the case of data that does not constitute special data or personal data for criminal purposes - by a local government decree for a purpose in the public interest, or, failing this, if it is absolutely necessary for the performance of the tasks of the controller as defined by law and the data subject has given his or her explicit consent to the processing of the personal data, or where it is necessary and proportionate for the protection of the vital interests of the data subject or of another person, or for the prevention or elimination of an imminent threat to life, limb or property of a person, or where the personal data have been explicitly disclosed by the data subject and where it is necessary and proportionate for the purpose of the processing.

Unless the duration of the mandatory processing or the periodic review of its necessity is determined by law, local government regulation or a binding legal act of the European Union, the controller shall review, at least every three years from the start of processing, whether the processing of personal data processed by the controller or by a processor acting on its behalf or under its instructions is necessary for the purposes of the processing. The controller shall document the circumstances and the results of that review, keep that documentation for ten years after the review and make it available to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as the Authority) upon request.

Where special categories of data are processed, the controller or the processor, acting on his behalf or at his instructions, shall take appropriate technical and organisational measures to ensure that, when carrying out the processing operations, access to the special categories of data is restricted to those who have an absolute need to know in order to fulfil their task in relation to the processing operation.

1.4. Definitions:

• data subject: a natural person identified or identifiable on the basis of any information;
• 'identifiable natural person' means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
• personal data: any information relating to the data subject;
• special categories of personal data: any data which fall within special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the individual's identity, health data and personal data concerning the sexual life or sexual orientation of natural persons,
• health data: personal data relating to the physical or mental health of a natural person, including data relating to the provision of health services to a natural person which contain information about the health of that natural person;
• data of public interest: information or knowledge, in whatever form or by whatever means, which is held by a body or person exercising a State or local authority function or other public function as defined by law and which relates to its activities or arises in the course of the exercise of its public function, but which is not covered by the concept of personal data, irrespective of the way in which it is handled, whether or not it is of a specific or collective nature, in particular data concerning the powers, competences, organisation, structure, professional activities, including an assessment of their effectiveness, the types of data held and the legislation governing their operation, as well as data concerning management and contracts concluded;
• 'public interest data' means any data not covered by the concept of public interest data, the disclosure, availability or disclosure of which is required by law to be in the public interest;
• consent: a freely given, explicit and properly informed indication of the data subject's wishes by which he or she signifies, by a statement or by other conduct unambiguously expressing his or her wishes, his or her agreement to the processing of personal data relating to him or her;
• controller: the natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, takes and executes decisions regarding the processing (including the means used) or has the data processed by a processor, within the limits set by law or by a legally binding act of the European Union;
• joint controller: a controller who, within the limits set by law or by a legally binding act of the European Union, determines the purposes and means of the processing jointly with one or more other controllers, takes and implements decisions concerning the processing (including the means used) jointly with one or more other controllers or implements them with the processor;
• 'processing' means any operation or set of operations which is performed upon the data, whatever the procedure used, in particular any collection, recording, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction of data, prevention of their further use, taking of photographs, sound recordings or images and the recording of physical characteristics which can be used to identify a person (e.g. fingerprints, palm prints, etc.)
• transfer: making data available to a specified third party;
• indirect transfer: the transfer of personal data to a controller or processor in a third country or to a controller or processor in another third country or to a processor in an international organisation by transmitting the personal data to the controller or processor in a third country or to a processor in an international organisation;
• disclosure: making the data available to any person;
• erasure: rendering the data unrecognisable in such a way that it is no longer possible to retrieve them;
• restriction of processing: the blocking of stored data by marking them for the purpose of restricting their further processing;
• data destruction: the total physical destruction of the data medium containing the data;
• processing: the totality of processing operations carried out by a processor acting on behalf of or under the authority of the controller;
• 'processor' means a natural or legal person or an unincorporated body which processes personal data on behalf of or under the authority of the controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union;
• data file: the set of data processed in a register;
• third party: a natural or legal person or an unincorporated body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or the processor, carry out operations relating to the processing of personal data;
• data breach: a breach of data security resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data transmitted, stored or otherwise processed;
• profiling: any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his or her performance at work, economic situation, state of health, personal preferences or interests, reliability, behaviour, location or movements;
• recipient: the natural or legal person or unincorporated body to whom or to which personal data are made available by the controller or processor;
• 'pseudonymisation' means the processing of personal data in a way which makes it impossible to determine, without further information, to which data subject the personal data relate and which ensures, by technical and organisational measures, that the personal data cannot be linked to an identified or identifiable natural person;
• 'medical treatment' means any activity aimed at preserving health and at the direct examination, treatment, care, medical rehabilitation or processing of the data subject's test material for the purpose of the prevention, early diagnosis, diagnosis, cure, maintenance or correction of a disease or deterioration in the state of health resulting from a disease, including the provision of medicinal products, medical aids, spa services, rescue and ambulance services and obstetric care.
• medical confidentiality: health and personal identification data which have come to the knowledge of the controller in the course of medical treatment and other data relating to necessary or ongoing or completed medical treatment and other data obtained in connection with medical treatment.
• 'medical record' means any record, register or any other form of information, irrespective of its medium or form, containing medical and personal data which has come to the attention of the healthcare provider in the course of treatment.
• 'patient carer' means a medical practitioner, a healthcare professional or any other person involved in the treatment of the person concerned.
• close relative: spouse, relative in the direct line, adopted, step and foster child, adoptive, step- and foster parent, brother, sister and life partner.
• third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
• Urgent need: a sudden change in a person's state of health which, in the absence of immediate medical attention, places that person's life in imminent danger

2. Rights of data subjects and their validity

2.1. Rights of the data subject against the Data Controller:

• request information about the processing of your personal data,
• request the rectification or - with the exception of mandatory processing required by law - the erasure of your data,
• object to the processing of his/her personal data,
• in the event of a breach of his/her rights, take legal action.

2.2. Right to information:

At the request of the data subject, the Data Controller shall provide information on the data processed by the Data Controller or by a data processor appointed by the Data Controller or under its instructions, on the source of the data, the purpose, legal basis and duration of the processing, and whether the processing is ongoing, the name, address and activities of the data processor in relation to the processing, the circumstances of the personal data breach, its effects and the measures taken to remedy it and, in the case of a transfer of personal data of the data subject, the legal basis and the recipient of the transfer. The controller shall provide the information in writing in an intelligible form within the shortest possible time from the date of the request, but no later than 25 days. The information shall be provided free of charge if the person requesting the information has not yet submitted a request for information to the controller in the current year for the same set of data. In other cases, a fee may be charged. The Data Controller may refuse to provide information only on the basis of the provisions of the legislation on data protection in force at the time.

2.3. Correction and deletion of data:

The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification of inaccurate personal data relating to him or her. Having regard to the purposes of the processing, the data subject shall have the right to obtain the rectification of incomplete personal data, including by means of a supplementary declaration.

The personal data shall be deleted if

• a its processing is unlawful,
• the data subject requests or withdraws his or her consent to the processing, unless the processing is required by law,
• it is incomplete or inaccurate - and this situation cannot be lawfully corrected, provided that the deletion

is not precluded by law,

• the purpose of the processing has ceased or the time limit for storing the data has expired,
• the personal data have been unlawfully processed,
• ordered by a court or the Data Protection Commissioner.

Rectification or erasure must be notified to the data subject or to those to whom the data were previously disclosed, unless it is contrary to the legitimate interests of the data subject.

2.4. Right to object:

The data subject may object to the processing of his or her personal data if

• the processing or transfer of the personal data is necessary solely for the purposes of the exercise of a right or legitimate interest pursued by the controller or recipient, unless the processing is required by law,
• if the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes
  the exercise of the right to object is otherwise permitted by law.

The Controller may only continue to process the data

subject's data, despite the data subject's objection, if it is required to do so by law.

2.5. Right to restriction of processing:

The data subject shall have the right to obtain, at his or her request, the restriction of processing by the Controller if one of the following conditions is met:

• he data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the controller to verify the accuracy of the personal data,
• the processing is unlawful and the data subject opposes the erasure of the data and requests instead the restriction of their use,
• the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims,
• the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override the legitimate grounds of the data subject.

If the processing is restricted, such personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or of an important public interest of the Union or of a Member State.

The controller shall inform the data subject at whose request the processing has been restricted in advance of the lifting of the restriction.

2.6. Right to data portability:

The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to the Controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to which he or she has provided the personal data.

2.7. Judicial enforcement:

In the event of a breach of the data subject's rights, the controller may take legal action against the data subject. The court will decide the case out of turn. The controller must prove that the processing is in compliance with the law.

2.8. Compensation, damages:

If the data controller causes damage to another person by unlawful processing of the data subject's data or by breaching the requirements of data security, the data controller must compensate the damage. If the controller infringes the data subject's right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from the controller. The controller is liable to the data subject for the damage caused by the processor and the controller is also liable to pay the data subject the damages for the personal data breach caused by the processor. The controller shall be exempted from liability for the damage caused and from the obligation to pay the damage fee if it proves that the damage or the infringement of the data subject's personality rights was caused by an unforeseeable cause outside the scope of the processing. No compensation shall be due and no damages shall be payable where the damage or injury to the personality rights of the data subject was caused by the intentional or grossly negligent conduct of the data subject.

3. Method of data processing

3.1. Data controllers are entitled to:

Within the health care network, data controllers are entitled to process health and personal data:

• the treating physician,
• the assistant, the clinical hygienist
• the Data Controller's managers, or
• persons delegated by the managers of the Data Controller.

The processing of health and personal data shall be secure against accidental or intentional destruction or accidental loss, destruction, alteration, damage, disclosure and unauthorised access by unauthorised persons.

3.2. Data recording:

The date of the data recording and the identity of the person recording the data must be recorded in the medical record. All records and entries in the patient's records must be authenticated by signature or handwriting and, if necessary, by date, and in the case of electronic data processing, the clear identification of the person making the entry must be ensured. The Data Controller shall record and store the personal data provided by the data subject (name, date and place of birth, mother's name, address) and the health data recorded before or during the treatment in an electronic database. The processing of personal data in relation to information society services offered directly to children is lawful once the child has reached the age of 16. In the case of children under the age of 16, the processing of personal data of children is lawful only if and to the extent that consent has been given or authorised by the person having parental authority over the child (legal representative).

3.3. Deletion of data:

Data may only be deleted on the basis of this Policy. Deletion must comply with data protection rules, in particular with regard to unauthorised access. In case of deletion, manually processed data must be physically destroyed and, in case of electronically stored data, irreversibly altered. The deletion of data may be carried out with the authorisation of the Data Controller's manager. Data on prescriptions may not be deleted for 5 years, images for 10 years, findings for 30 years and final reports for 50 years.

3.4. Processing for the purpose of dental care:

n the course of dental treatment, the Data Controller records personal data of the person (data subject) who has undergone the treatment and the health data necessary for the professional conduct of the treatment. The data subject or his/her legal representative shall provide the health and personal identification data to the Data Controller for the purposes of the performance of a contract with the Data Controller as a healthcare provider.

The data subject (legal representative) shall provide health and personal identification data at the request of the healthcare provider,

• if it is probable or established that he or she is infected by a disease agent or suffers from poisoning or infectious diseases of infectious origin,
• where it is necessary for the purposes of screening and aptitude tests,
• in the case of acute poisoning,
• where it is likely that the person concerned is suffering from an occupational disease,
• where the provision of the data is necessary for the treatment, health care or protection of a minor child,
• where the competent authority has ordered the investigation for the purposes of law enforcement, crime prevention, prosecution, judicial proceedings or proceedings by the administrative authorities or in the course of administrative proceedings,
• if the provision of the data is necessary for the purpose of verification under the Act on National Security Services.

During medical treatment, data in accordance with professional rules must be recorded in the medical records. It is up to the dentist providing the treatment to decide which health data, in addition to the compulsory data, should be recorded in accordance with the professional rules. The recording of data should avoid recording data that are not directly related to the treatment of the patient. The management of medical records during treatment should be organised in such a way that the records and the patient's personal data are accessible to the persons who are responsible for the treatment of the person receiving the treatment. A subcontractor of a dental technician under contract with the controller and his/her employees in such a capacity should have the right to access patient data to the extent necessary for the dental work. The processing of data by dental technicians is otherwise governed by this Policy.

3.5. Protection of medical confidentiality:

The Data Controller, as well as other persons in a legal relationship with the Data Controller, is bound by an obligation of confidentiality without time limitation with regard to data relating to the patient's medical condition and other data that has come to its knowledge in connection with the work. The obligation of confidentiality is independent of the manner in which the data has been disclosed. The duty of confidentiality shall also apply to a carer who has not collaborated in the treatment of the patient, unless the data are necessary for the further treatment of the person treated. The obligation of confidentiality may be waived in writing by the patient or by a statutory obligation to provide information. In order to protect medical confidentiality, it is necessary that all employees of the provider undertake to maintain medical confidentiality. The undertaking must be included in or attached to the employee's job description. The data subject (patient) has the right to declare to whom information about his/her illness, its likely outcome, may be disclosed and to whom partial or total access to his/her medical data is excluded. The health data of the patient concerned shall be disclosed even in the absence of the patient's consent, where

• is required by law,
• is necessary to protect the life, limb or health of others.

3.6. Persons present during treatment:

The patient has the right to have present during his examination and treatment only those persons whose participation in the treatment is necessary or those to whose presence the patient has consented, unless otherwise provided by law. The person concerned may be present without his/her consent, with respect for his/her human rights and dignity:

• another person, if the treatment regime requires the simultaneous care of several patients,
• a professional member of the police, if the treatment is administered to a person in custody,
• a member of the prison service, if the treatment is given to a person serving a custodial sentence in a prison and is necessary for the safety of the carer or to prevent escape,
• if, in the interests of law enforcement, the personal safety of the patient so requires and the patient is incapable of making a statement.

In addition to the above, the following may be present,

• who has already treated the patient for the disease in question,
• who has been authorised by the head of the healthcare provider for professional reasons. In this case, the express objection of the person receiving treatment must be accepted.

For the purposes of training of health professionals, a doctor, medical student, health professional, student or pupil of a health college, health professional school or health vocational school may be present during the treatment with the consent of the person concerned (legal representative). Consent may also be given orally by the person receiving treatment to the dentist providing the treatment.

3.7. Right and obligation to information, patient's right to be informed:

The patient shall be informed of the provider's privacy policy before the patient's care is provided. The patient must be informed of the privacy policy before the start of treatment. The patient shall provide proof of this information by signing the service contract. The patient's documentation must be accompanied by any restrictive declaration by the patient. Information on the treatment of the patient shall be provided by the dentist treating the patient. Information on the nursing aspects of the patient's treatment may also be provided by the health care professional attending to the patient. Information on the patient's treatment shall not be provided by a dental nurse or other staff member unless authorised by the dentist treating the patient. The information shall be provided in person.

The treating dentist shall inform the person concerned directly of the medical data concerning him which he has ascertained. In the case of a psychiatric patient, the patient's right of access to the medical records may exceptionally be restricted if there are reasonable grounds to believe that the patient's recovery would be seriously compromised or the privacy of another person would be violated if the medical records were disclosed. Only the dentist is entitled to order the restriction. The patient's legal representative and the patient's legal or authorised representative must be informed of the restriction without delay.

3.8. Informing relatives and other persons:

When registering with the provider or at a later date, the patient may decide to whom partial or full information about his/her illness, its probable outcome, changes in his/her state of health may be disclosed and who may be excluded. The patient shall be informed of the possibility of making such provision.

3.9. Right of access to medical records:

The patient (or his/her legal representative) has the right to be informed of the personal and medical data concerning him/her and has the right to consult the medical records. The health record is held by the health care provider and the patient has the right to access the health record.

The patient has the right to

• be informed of the treatment of his/her data in connection with his/her medical treatment,
• access to the medical data concerning him/her,
• to have access to the medical records and to obtain extracts or copies thereof or to have copies made at his own expense.

4. Processing for public health and epidemiological purposes

The healthcare provider shall immediately transmit the health and personal identification data to the public health administration if a communicable disease is detected or suspected. The municipal institute of the National Sanitary and epidemiological Service may request the personal identification data of the person concerned on the grounds of public health or epidemiological public interest.

​5. Records of health and identity data

5.1. Obligation to register:

Records must be kept of the health and personal data recorded on the data subject which are necessary for the purposes of treatment and of their transmission. The record of the transfer must include the recipient of the transfer, the method and date of the transfer and the scope of the data transferred. The means of recording may be any data storage device that ensures that the data are protected against intentional destruction, destruction, alteration, damage, disclosure and unauthorised access. The patient provider's own records shall form part of the register.

5.2. Arrangements for the storage and archiving of medical records:

Records relating to the examination and treatment of the patient are contained in the medical records. The medical records shall be kept in such a way that they accurately reflect the process of care.

The medical records shall indicate

• the identity of the patient,

• the name, address and contact details of the person to be notified in the case of a patient with capacity, and the name, address and contact details of the legal representative in the case of a minor or a person under guardianship,

• medical history, medical history,

• the results of the first examination,

• the results of the tests on which the diagnosis and the plan of care are based, and the date on which the tests were carried out,

• the name of the disease justifying the treatment, the underlying disease, concomitant diseases and complications,

• any other disease not directly justifying the treatment and the risk factors,

• the duration and outcome of the interventions carried out,

• data on the patient's hypersensitivity to medication,

• the name of the health professional making the entry and the date of entry,

• the content of the information provided to the patient or other person entitled to receive the information,

• the fact of consent or refusal and the date thereof,

• any other data and facts which may influence the patient's recovery.

It must be kept as part of the medical record:

• the findings of each examination,

• documents generated during treatment and consultation,
  records of diagnostic imaging procedures.

In the case of medical records, particular attention should be paid to ensuring that they are detailed, professional, legible and retrievable. Pursuant to Section 30(1) of the Health Care Act, the retention period of medical records is at least 30 years from the date of recording (50 years for final reports and 10 years for diagnostic imaging records). The Data Controller shall establish its own rules for the storage of medical records. During storage, the Data Controller shall ensure that the documentation is protected against unauthorised access, theft, falsification and physical destruction.

​6. Implant register

6.1. Information on the legal obligations related to the implant register

If an implant is implanted, removed or replaced in connection with the treatment of the patient concerned, the Data Controller is obliged to comply with the provisions of Act CLIV of 1997 on Health Care No. The Data Controller shall be obliged to transmit the data of the register containing the data pursuant to § 101(1) of the CLIVC Act of 21.12.2003 to the central implant register for the purposes of further treatment of the person undergoing the implantation, removal or replacement of an implant, monitoring of his/her state of health, rapid response to an unexpected event and checking the conformity of implantable medical devices. The health insurance body operating the central register of implants shall establish a contact code for the personal identification data. The health insurance body shall create the link code for all personal data on the basis of the same coding method, in such a way that it does not allow for any reverse engineering of personal data and that all transmissions of data for the same patient, irrespective of the healthcare provider performing the intervention, are linked to the same link code. The contact code as referred to above shall be sent by the health insurance authority to the healthcare provider keeping the register via the IT application it operates. The contact code shall be indicated in the medical documentation, including in the final report given to the patient. The body designated to carry out official tasks in relation to medical devices may, for the purpose of carrying out official tasks in relation to medical devices, obtain access to non-personally identifiable data in the central implant register with a contact code. The health insurance body shall provide the public health administration body and the body responsible for professional quality assessment with information by electronic means on request within 8 days, or without delay if necessary to protect the health of the persons wearing the implants, with information on the non-personally identifiable data stored in the central implant register, with a contact code.

Upon request of the health care provider, including the contact code indicated in the patient documentation, the health care authority shall immediately provide information by electronic means, with a contact code, on the data stored in the central implant register concerning the previous implant procedure performed on the person treated by the health care provider. If it is necessary for the prevention or remedying of an urgent need or a dangerous condition with regard to the person wearing the implant and the last health care provider providing implant-related care has ceased to exist without legal succession or the medical records cannot be obtained or can be obtained with significant delay, the body designated to perform official tasks in relation to medical devices may obtain the data pursuant to Section 101/C (1) a) of the Health Insurance Act in order to contact the person concerned and inform him/her of the actions necessary to protect his/her health.

Data stored in the central implant register shall be deleted 50 years after the last transmission of data relating to the data subject.

​7. Electronic health services space (EESZT)

AThe aim of the Hungarian e-health system is to provide the population with faster, more efficient and more service-oriented care. The key to this lies in the continuous connection between care providers, treating physicians and pharmacies, so that information is consistent and accessible. At the same time, the system's services will simplify the administrative and reporting processes in the healthcare sector, speeding up patient care. EESZT is essentially an information flow facilitation system that makes it easier and quicker for data sent to the Space to reach the right person. This data includes personal data and health data, as it is healthcare data. The data is fully secured by a system with the highest level of protection, level 5. The data is handled by the State Health Care Supply Centre (SHSC), which operates the EESZT. Since the introduction of the EESZT, the way in which patients are treated has not changed fundamentally; you have nothing to do other than go to your doctor if you are sick or need a routine check-up, just as you have always done. The purpose of this information note is to familiarise you with the scope of the data that will be entered into the EESZT system by the healthcare institution during the course of your treatment. If you want to take advantage of the opportunities offered by the digital world, this leaflet will also give you the opportunity to find out how to use the latest e-health services. If you would like more information on the operation of the EESZT and the processing of your data than this notice, please visit the information portal https://e-egeszsegugy.gov.hu, where you can read the EESZT Privacy Notice by clicking on the Privacy section and browse the site for more useful information on the operation of the EESZT.

7.1. Scope of personal data processed by the EESZT in the course of healthcare

Data uploading to the EESZT starts from patient admission. Data generated in the course of healthcare are recorded in the EHRC in the following cases and in the following ways:

Event catalogue

The central event catalogue contains up-to-date information about your healthcare. For the central event catalogue, the following event details, the date of the event, the date of recording in the healthcare facility's system and the identifier of the person responsible for recording the event are required. Data retention period: 5 years after your death. You can access the data:

• courts, public authorities (acting in the exercise of their functions)
• You
• treating doctor, general practitioner in connection with your healthcare, in accordance with your digital health settings

Register of medical documents

The purpose of the registry is to allow treating physicians to access their patients' medical documents, the registry contains these documents (e.g. outpatient chart, findings, final report, etc.). The documents contained here will be kept in accordance with the rules and for the period of time applicable to medical records. Retention period: 5 years after your death. You can access the data:

• the healthcare institution
• You

eProfil

The health profile record contains information describing your general health (current illnesses, general health data). The purpose of the record is to provide the treating physician with up-to-date and comprehensive health information for your care. Retention period: 5 years after your death. You can access the data:

• your treating doctor or general practitioner

7.2. Where can you view the data about your healthcare that has been entered into EESZT?

AYou can find the EESZT Population Portal at https://www.eeszt.gov.hu. You can access your own personalised EESZT account by clicking on the Login button and entering your client identification and social security number. This will allow you to easily access and download the medical documents and data related to you that will be included in the EESZT at any time.

If you do not have an account, you can create one in the following ways:

1. in person at any document office, government office, tax office or diplomatic mission

2. electronically, if you have a valid identity card issued after 1 January 2016.

You can also use several EESZT services offered by the digital facilities on the Citizen Portal. Some of these are:

ou can keep track of your care events in the Event Catalogue under the ACTIONS tab and find your patient documents generated during your care and uploaded to EESZT in your e-History.

Under the REFERRALS tab, you can retrieve your own electronic referrals filtered by period, view their data content and print them.

Under the RECIPTES tab, you can retrieve your electronic prescriptions, including a list of your prescriptions already filled, going back to a specific period. All prescription information is also available to you, but this does not replace the prescription certificate which can be used by others to fill your prescriptions, so you cannot fill a prescription printed from here. Your traditional paper prescriptions will only appear in your dispensed prescriptions because they are entered into the system by the pharmacy when the prescription is dispensed.

You can request a notification when data or documents relating to you are added to the system under the SUBMIT tab. You can keep track of who has requested to view what data or document in the system, and when. You will also be able to control the availability of your data and documents that will be included in EESZT.

​8. Data protection

8.1. Regulation of data protection training:

It is the responsibility of the manager to provide annual training on data management and data protection for the employees of the Data Controller. The training must be documented and provided on a regular basis. Data protection training for new employees shall be provided by the manager and shall be documented. The Data Protection Officer shall be employed by the Data Controller.

Name of the Data Protection Officer: Dr. Róbert Nagy

Contact details of the DPO: dentalforyoufogaszaticentrum@gmail.com

8.2. Data security, data protection:

The Data Controller and the Data Processor shall ensure the security of the data and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the Data Protection Act and other data protection and confidentiality rules. In particular, the data must be protected against unauthorised access, alteration, disclosure, disclosure, deletion or destruction and against accidental destruction or damage. In order to ensure the technical protection of personal data, the controller, the processor or the operator of the communication or information technology equipment should take specific protection measures where personal data are transmitted by network or other information technology equipment. All persons involved in the processing of personal data must exercise the utmost care in their work to ensure the authenticity and integrity of the data and to prevent unauthorised access. When storing and transmitting data, general accident and fire safety regulations must be observed. Within the healthcare provider, the head of the institution handling the data is responsible for the protection of health and personal data and the preservation of records.

In the course of the activities of the Data Controller

• ensure compliance with data protection rules,
• monitor the activities of controllers and processors in relation to the processing of data,
• initiating the use of new technologies and tools in the field of data protection and data security,
• ensure the training of data controllers and processors in data management,
• allow access to medical records in the case of scientific research,
• designate the data protection officer(s),
• monitor the activities of the data protection officer(s),
• ensure that the institution's data protection policy is drawn up,
• decides on the further storage or destruction of the recorded data after the mandatory retention period.

8.3. Data recorded on paper or stored electronically:

Data are recorded in a paper document by the Data Controller at the time of recording. The person who records the data is responsible for the legibility of the data. The data recorded shall be recorded by the Data Controller in the electronic database. In the case of electronically stored data, only the registered controller on the access list may process the data. The controller must log in to the system with an individual, secret password. Once the processing is completed, the user must log out of the system. The controller is responsible for password-protected processing in the system. In order to avoid possible misuse, the data controller is obliged to ensure and keep the confidentiality of his/her individual password.

8.4. Procedure in case of data corruption:

In the event of damage or destruction of health and personal data, an attempt shall be made to replace the damaged data as far as possible from other available data sources. The dental care provider shall perform automatic backups of the computer system at specified intervals to ensure continuity of data backup. Data security incidents must be reported to the NAIH.

​9. Contact details of the data controller

• Health Service Provider: Dental For You Dental Centre Limited Liability Company
• Registered office, H-1053 Budapest, Kecskeméti utca 1. 1. em. 2., Hungary
• Tax number: 25000076-1-41 (EU VAT: HU25000076)
• Tel.: (+36) 1 790 3282
• Email: info@lukacsspadental.hu

​10. Data processor

10.1. Use of a data processor:

The Data Controller uses a data processor for the processing of data. The Processor shall provide the Controller with the software used for recording patient records in an electronic database. The processor and any person having access to personal data, acting under the control of the controller or the processor, shall process such data only in accordance with the controller's instructions, unless the controller is required by law to derogate from them. In addition to the above, the Data Controller shall employ an additional data processor for the processing of the data for the sole purpose of fulfilling the tax obligations arising from the invoicing of the fee for the health care service, for the performance of accounting tasks. The data processor will only know the personal data of the patients which are indicated on the invoice for the service fee (name, address). The legal basis for the processing of the data in this case is the fulfilment of a legal obligation pursuant to Article 6(1)(c) of the GDPR Regulation. The data storage period for accounting documents is 5, 8 or 10 years as laid down by law. If, in the course of the treatment, the patient decides to require sedation (anaesthesia) for a procedure, the Data Controller will provide this service by using an external service provider, during which a separate medical record and a consent form will be signed by the patient with the doctor providing the anaesthesia care. The sole purpose of this data collection is to obtain information and medical data that may have an impact on the work of the anaesthesiologist. The anaesthesiologist acts as a data processor for the purposes of data processing, the legal basis for which is the performance of a contract with the Data Controller as a healthcare service provider, pursuant to Article 6(1)(b) of the GDPR Regulation. The data processor may not take any substantive decision regarding the processing, may process the personal data coming to its knowledge only in accordance with the provisions of the controller, may not process the data for its own purposes, and shall store and retain the personal data in accordance with the provisions of the controller.

11. Complaints, remedies

The data subject may initiate an investigation against the Data Controller at the National Authority for Data Protection and Freedom of Information in case of a violation of his/her data processing. Contact details of the Authority:

• Name: National Authority for Data Protection and Freedom of Information
• Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
• Phone: +36 (1) 391-1400
• Fax: +36 (1) 391-1410
• www: http://www.naih.hu
• e-mail: ugyfelszolgalat@naih.hu

12. Entry into force, other provisions

12.1. This Privacy Policy shall enter into force on 10 October 2018.

12.2. The Data Controller shall make this Policy available to patients on its website, in electronic form if necessary, and on paper in its surgery at all times.

12.3. With regard to the provisions on data protection not specified in this Policy, the legislation referred to in point 1.1 and any applicable and relevant legal provisions in force and replacing such legislation shall apply.

Budapest, 10 October 2018.

………………………………….

Dr. Péter Márton Steinhof

Managing Director

Annexes:

• Consent to data processing
• Camera policy
• Data Asset Inventory
• Data management risk analysis
• Data Management Impact Assessment
• IT Policy
• Data Security Policy
• Protocol on review of data management
• Code of Conduct of the Data Controller
• Data breach notification form
• Interest screening test form
• Protocol on data protection education
  

  ---

  Original source. This document translated by Deepl.com.