1. General provisions
1.1. Purpose and scope of the Policy
The purpose of these Rules is to ensure that the processing of personal data by Dental For You Dental Centre Limited Liability Company (registered office: 1053 Budapest, Kecskeméti utca 1, 1st floor 2, company registration number: Cg. 01-09-193901, tax number: 25000076-1-41, represented by Dr. Steinhof Péter Márton, Managing Director), as a healthcare service provider (hereinafter referred to as the “Data Controller”), complies with the legal and professional requirements for the processing of health data and with the other legal provisions on data processing, and that the data of natural persons are protected. Accordingly, the purpose of this Policy is to ensure that the activities of the Data Controller, as a company processing health data, comply with the provisions of Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as “the Infotv.”), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as “the GDPR Regulation”), Act CLIV of 1997 on Health Care (hereinafter referred to as “the Eü tv.”), Act XLVII of 1997 on the Processing and Protection of Health Data and Related Personal Data (hereinafter referred to as “the Eüak tv.”) and Act CXXXIII of 2005 on the Rules of Protection of Persons and Property and on Private Investigation.
The scope of this Policy covers:
- the organisation providing health services (the Data Controller), all its employees, and the organisations and natural persons carrying out professional supervision and control,
- the natural person who has been or comes into contact with the Data Controller or who uses its services (hereinafter referred to as the patient or the data subject),
- any external service provider that processes or comes into contact with personal data within the scope of the dental care activities of the Data Controller,
- health and personal data relating to the data subject that are processed in accordance with the provisions of the Eüak tv.
This Policy does not cover the processing of data relating to employment relationships with the Data Controller.
1.2. Purpose of the processing of health data:
Purpose of processing health and personal data (§ 4 (1) of the Eüak tv.):
- to promote the preservation, improvement and maintenance of health,
- to facilitate the effective medical treatment of patients by the health care provider, including specialist supervision,
- monitoring the health status of the person concerned,
- taking the measures necessary in the interests of public health and epidemiology,
- asserting patients’ rights,
- transmission of data to the social security system in the case of services financed by the OEP (National Health Insurance Fund).
In addition to the above, health and personal data may be processed pursuant to Section 4 (2) of the Eüak tv. in the following cases, in accordance with the law:
- training of health professionals,
- medical and epidemiological investigation, analysis, planning and organisation of health care, cost planning,
- statistical analysis,
- anonymisation for impact assessment, scientific research,
- facilitation of the work of bodies carrying out official or regulatory controls or professional or regulatory supervision of bodies or persons handling health data, where the purpose of the control cannot be achieved by other means, and of bodies financing health care,
- the determination of social security or social benefits, where this is based on health status,
- examination of the ordering and provision of services to persons entitled to health care benefits under compulsory health insurance and of compliance with the rules on the ordering of medicines, medical aids and medical treatment in an economical manner,
- the provision of benefits to beneficiaries under a contract governed by special legislation,
- financing and accounting for the reimbursement of prices,
- law enforcement and crime prevention, and the performance of the tasks specified in Act XXXIV of 1994 on the Police, within the scope of the authorisation granted therein,
- performing the tasks specified in Act CXXV of 1995 on the National Security Services, within the scope of the authorisation granted therein,
- administrative procedure,
- proceedings for infringement of the rules,
- proceedings before the public prosecutor,
- judicial proceedings,
- placement or care of the person concerned in a non-medical institution,
- assessment of fitness for work, irrespective of whether the work is performed under an employment, civil servant, public service, professional service or other legal relationship,
- for the purposes of public education, higher education and vocational education and training,
- to determine fitness for military service or for personal defence,
- unemployment benefits, promotion of employment and related checks.
Health and personal identification data may be processed for purposes other than those set out above only with the written informed consent of the data subject or of his/her legal or authorised representative (hereinafter together referred to as the “legal representative”). For the purposes set out above, only the amount and type of health and personal data strictly necessary for the purpose of the processing may be processed.
1.3. Principles, legal basis and general conditions for processing:
The legal basis for the processing is the fulfilment of a legal obligation pursuant to Article 6(1)(c) of the GDPR Regulation in the case of the mandatory transfers of data to the competent authorities provided for by the Eüak tv. and the Eü tv. In other cases, the legal basis is the performance of the contract concluded with the Data Controller as a healthcare service provider pursuant to Article 6(1)(b) of the GDPR Regulation. The processing of e-mail addresses for the purpose of newsletter subscription is based on the data subject’s consent, while the operation of the cameras installed in the premises of the Data Controller’s clinic is based on the legitimate interest of the Data Controller in the protection of property pursuant to Article 6(1)(f) of the GDPR Regulation. Cameras are installed in the treatment rooms (surgeries) and in the waiting room; their exact location and the field of view of the recordings are set out in the Camera Policy of the Data Controller, which is available for inspection at the reception.
Personal data may only be processed for clearly defined, legitimate purposes, for the exercise of rights and the performance of obligations. The purpose of the processing must be satisfied at every stage of the processing, and the collection and processing of data must be fair and lawful. Only personal data that are necessary and adequate for the purpose of the processing may be processed, and only to the extent and for the duration necessary to achieve that purpose. Data retain their character as personal data for as long as their link with the data subject can be re-established; the link can be re-established if the controller has the technical means necessary to do so. The processing must ensure that the data are accurate, complete and, where necessary for the purposes for which they are processed, kept up to date, and that the data subject can be identified only for as long as is necessary for the purposes of the processing.
The adequate security of personal data must be ensured by the application of appropriate technical or organisational measures, in particular measures to protect against unauthorised or unlawful processing, accidental loss, destruction or damage.
Personal data may be processed if:
- it is ordered by law or, on the basis of a statutory authorisation and within the scope specified therein, by a decree of a local authority for a purpose in the public interest (in the case of data other than special data or personal data relating to criminal matters),
- failing this, it is absolutely necessary for the performance of the tasks of the controller as defined by law and the data subject has given his or her explicit consent to the processing of the personal data,
- it is necessary and proportionate for the protection of the vital interests of the data subject or of another person, or for the prevention or elimination of an imminent threat to the life, physical integrity or property of a person, or
- the personal data have been explicitly disclosed by the data subject and the processing is necessary and proportionate for the purpose of the processing.
If the duration of the mandatory processing or the periodic review of its necessity is not specified by law, local government regulation or a legally binding act of the European Union, the controller shall review, at least every three years from the start of the processing, whether the processing of personal data processed by the controller or by a processor acting on its behalf or under its instructions is necessary for the purposes of the processing. The data controller shall document the circumstances and the results of this review, keep this documentation for ten years after the review and make it available to the National Authority for Data Protection and Freedom of Information (hereinafter referred to as “the Authority”) upon request.
In the case of processing of sensitive data, the controller or the processor acting on its behalf or under its instructions shall ensure by appropriate technical and organisational measures that, when carrying out the processing operations, only those persons who are strictly necessary for the performance of their tasks in relation to the processing operation have access to the sensitive data.
- data subject: a natural person identified or identifiable on the basis of any information;
- identifiable natural person:a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;
- personal data: any information relating to the data subject;
- special categories of data: any data falling within special categories of personal data, namely personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data revealing the identity of natural persons, health data and personal data concerning the sex life or sexual orientation of natural persons,
- health data: personal data concerning the physical or mental health of a natural person, including data relating to the provision of health services to a natural person which carries information about the health of the natural person;
- data of public interest: information or knowledge in any form or by any means which is held by a body or person exercising a State or local government function or other public function as defined by law and which relates to its activities or arises in the course of the exercise of its public function, but which is not covered by the concept of personal data, irrespective of the way in which it is handled, whether or not it is of a specific or collective nature, in particular data concerning the powers, competences, organisation, structure, professional activities, including an assessment of their effectiveness, the types of data held and the legislation governing their operation, as well as data concerning management and contracts concluded;
- data public on grounds of public interest: any data not falling within the concept of data of public interest, the disclosure, publication or availability of which is required by law in the public interest;
- consent: an unequivocal, freely given and informed indication of the data subject’s wishes by which he or she signifies, by a statement or by other conduct unambiguously expressing his or her wishes, his or her agreement to the processing of personal data relating to him or her;
- controller: a natural or legal person or unincorporated body which, alone or jointly with others, determines the purposes for which the data are to be processed, alone or jointly with others, and within the limits set by law or by a legally binding act of the European Union, makes and executes decisions regarding the processing (including the means used) or has a processor do the processing;
- joint controller: a controller who, within the limits set by law or by a legally binding act of the European Union, determines the purposes and means of the processing jointly with one or more other controllers, takes and implements decisions with regard to the processing (including the means used) jointly with one or more other controllers or implements them with the processor;
- processing: any operation or set of operations which is performed on the data, regardless of the procedure used, in particular collection, recording, organisation, storage, alteration, use, retrieval, disclosure, transmission, alignment or combination, blocking, erasure or destruction, prevention of further use, the taking of photographs or audio or video recordings, and the recording of physical characteristics which can be used to identify the person (e.g. fingerprints or palm prints);
- transmission of data:making data available to a specified third party;
- indirect transfer: the transfer of personal data to a controller or processor in another third country or international organisation by way of a transfer to a controller or processor in a third country or international organisation;
- disclosure: making the data available to any person;
- deletion: making the data unrecognisable in such a way that it is no longer possible to retrieve it;
- restriction of processing: blocking of stored data by marking it for the purpose of restricting its further processing;
- data destruction: the complete physical destruction of the storage medium containing the data;
- processing by a processor: the set of processing operations carried out by a processor acting on behalf of or under the authority of the controller;
- processor: a natural or legal person or unincorporated body which processes personal data on behalf of or under the authority of the controller, within the limits and under the conditions laid down by law or by a legally binding act of the European Union;
- data file: the set of data processed in a register;
- third party: a natural or legal person or unincorporated body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, carry out operations processing personal data;
- personal data breach: a breach of data security that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or transmission of, or access to, personal data transmitted, stored or otherwise processed;
- profiling: any processing of personal data by automated means intended to evaluate, analyse or predict personal aspects relating to the data subject, in particular his or her performance at work, economic situation, state of health, personal preferences or interests, reliability, behaviour, location or movements;
- addressee: the natural or legal person or unincorporated body to whom or to which personal data are made available by the controller or processor;
- pseudonymisation: the processing of personal data in such a way that, without the use of additional information, it is no longer possible to determine to which data subject the personal data relate, provided that such additional information is stored separately from the personal data and that technical and organisational measures are taken to ensure that the personal data cannot be linked to an identified or identifiable natural person;
- treatment: any activity aimed at preserving health and at the direct examination, treatment, care, medical rehabilitation or processing of the data subject’s test material for the purpose of the prevention, early diagnosis, diagnosis, treatment, maintenance or correction of a disease or deterioration in the state of health resulting from a disease, including the provision of medicines, medical aids, spa services, rescue and ambulance services and obstetric care.
- medical confidentiality: health and personal identifying information that has come to the attention of the controller in the course of medical treatment, and other information relating to necessary or ongoing or completed medical treatment and information obtained in connection with medical treatment.
- health records: records, registers or any other form of information, irrespective of medium or form, containing health and personal data which have come to the attention of the carer in the course of treatment.
- patient care provider: a medical practitioner, health care professional, other person involved in the treatment of the person concerned.
- close relative: spouse, relative in the direct line, adopted, step and foster child, adoptive, step and foster parent, brother, sister and life partner.
- third party: a natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor or the persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- emergency: a sudden change in health status which, in the absence of immediate medical attention, places the data subject at imminent risk of death.
2. Rights of data subjects and their enforcement
2.1 Rights of the data subject:
The data subject may:
- request information about the processing of their personal data,
- request rectification or, except for mandatory processing required by law, erasure of his/her data,
- object to the processing of his/her personal data,
- take legal action in the event of a breach of his/her rights.
2.2 Right to information:
At the request of the data subject, the Data Controller shall provide information on the data subject’s data processed by the Data Controller or by a processor appointed by it or acting on its behalf, on the source of the data, on the purposes, legal basis and duration of the processing, on whether the processing is ongoing, on the name, address and activities of the processor in relation to the processing, on the circumstances and effects of any personal data breach and the measures taken to remedy it, and, in the case of a transfer of the data subject’s personal data, on the legal basis and the recipient of the transfer. The Data Controller shall provide the information in writing, in an intelligible form, within the shortest possible time from the date of the request, but no later than 25 days. The information shall be provided free of charge if the person requesting it has not yet submitted a request for information to the Data Controller for the same set of data in the current year; in other cases, a fee may be charged. The Data Controller may refuse to provide information only on the grounds set out in the data protection legislation in force at the time.
2.3. Correction and deletion of data:
The data subject shall have the right to obtain, at his or her request and without undue delay, the rectification by the controller of inaccurate personal data relating to him or her. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration.
Personal data shall be deleted if
- the processing is unlawful,
- the data subject requests deletion or withdraws his or her consent to the processing, unless the processing is required by law,
- the data are incomplete or incorrect and this situation cannot be lawfully remedied, provided that deletion is not precluded by law,
- the purpose of the processing has ceased or the statutory time limit for storing the data has expired,
- the personal data have been unlawfully processed,
- deletion has been ordered by a court or by the Authority.
The rectification or erasure must be notified to the data subject or to those to whom the data were previously disclosed, unless this would be against the legitimate interests of the data subject.
2.4 Right to object:
The data subject may object to the processing of his/her personal data if
- the processing or transfer of the personal data is necessary solely for the exercise of a right or legitimate interest pursued by the controller or by the recipient of the data, except where the processing is required by law,
- the personal data are used or transmitted for direct marketing, public opinion polling or scientific research purposes,
- the exercise of the right to object is otherwise permitted by law.
The Controller may only continue to process the data subject’s data, despite the data subject’s objection, if it is required to do so by law.
2.5 Right to restriction of processing:
The data subject shall have the right to obtain, at his or her request, the restriction of processing by the controller where one of the following conditions is met:
- the data subject contests the accuracy of the personal data, in which case the restriction shall apply for a period of time which allows the controller to verify the accuracy of the personal data,
- the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use,
- the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims,
- the data subject has objected to the processing; in this case, the restriction shall apply for a period of time until it is established whether the legitimate grounds of the controller override those of the data subject.
If processing is subject to restriction, such personal data, except for storage, may be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for important public interests of the Union or of a Member State.
The controller shall inform the data subject at whose request the processing has been restricted in advance of the lifting of the restriction.
2.6 Right to data portability:
The data subject shall have the right to receive personal data concerning him or her which he or she has provided to the controller in a structured, commonly used, machine-readable format and the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided.
2.7 Right to judicial remedy:
In the event of a breach of his/her rights, the data subject may take legal action against the Data Controller. The court shall decide the case as a matter of priority. The Data Controller bears the burden of proving that the processing is lawful.
2.8 Compensation, damages:
If the Data Controller causes damage to another person by unlawfully processing the data subject’s data or by breaching the requirements of data security, it shall compensate that damage. If the Data Controller infringes the data subject’s right to privacy by unlawfully processing his or her data or by breaching data security requirements, the data subject may claim damages from it. The Data Controller is liable to the data subject for damage caused by its processor and shall also pay the data subject any damages due in respect of a personal data breach caused by the processor. The Data Controller is exempt from liability for the damage caused and from the obligation to pay damages if it proves that the damage or the infringement of the data subject’s personality rights was caused by an unavoidable cause outside the scope of the processing. No compensation or damages are payable where the damage or the injury to the personality rights of the injured party was caused by the intentional or grossly negligent conduct of the data subject.
3. Processing of health and personal identification data
3.1 Persons entitled to process data:
The following persons are entitled to process health and personal data within the healthcare network:
- the treating physician,
- the assistant and the clinical hygienist,
- the managers of the Controller, or
- the persons delegated by the managers of the Controller.
3.2 Data security and recording of data:
When processing health and personal data, the security of the data against accidental or intentional destruction, accidental loss, alteration, damage, disclosure and access by unauthorised persons shall be ensured.
When data are recorded, the date of the recording and the identity of the person recording the data must be entered in the medical records. All records and entries in the patient’s record shall be authenticated by signature or initials and, where necessary, by date; in the case of electronic data management, the unambiguous identification of the person making the entry shall be ensured. The Data Controller shall record and store the personal data provided by the data subject (name, date and place of birth, mother’s name, address) and the health data recorded before or during the treatment in an electronic database. The processing of personal data in relation to information society services offered directly to children is lawful once the child has reached the age of 16. In the case of children under the age of 16, the processing of the child’s personal data is lawful only if and to the extent that consent has been given or authorised by the person having parental authority over the child (legal representative).
3.3 Deletion of data:
Data may only be deleted on the basis of this Policy. Deletion must comply with the data protection rules, in particular with regard to the prevention of unauthorised access. During deletion, manually processed data must be physically destroyed and electronically stored data must be irreversibly altered. Data may be deleted only with the authorisation of the Data Controller’s manager. Data on prescriptions may not be deleted for 5 years, images for 10 years, findings for 30 years and final reports for 50 years.
3.4 Processing for the purpose of dental care:
During dental treatment, the Data Controller records the personal data of the person receiving the treatment (the data subject) and the health data necessary for the proper conduct of the treatment. The data subject or his or her legal representative provides the health and personal identification data to the Data Controller for the purpose of performing the contract concluded with the Data Controller as a healthcare provider.
The data subject (or his/her legal representative) is obliged to provide his/her health and personal identification data at the request of the healthcare provider
- if it is probable or confirmed that he/she is infected by a disease agent, is suffering from poisoning, or has an infectious disease,
- if it is necessary to carry out screening and aptitude tests,
- in case of acute poisoning,
- if the person concerned is likely to have an occupational disease,
- if the provision of the data is necessary for the treatment, preservation or protection of the health of a minor child,
- if the competent authority has ordered the examination for the purposes of law enforcement, crime prevention, prosecution, judicial proceedings or administrative proceedings, or in the course of administrative or criminal proceedings,
- if the data must be provided for the purpose of an inspection under the Act on National Security Services.
During medical treatment, the data required by the professional rules must be recorded in the medical records. The dentist providing the treatment decides which health data, in addition to the data that must be recorded by law, are to be recorded in accordance with the professional rules. Data that are not directly related to the treatment of the patient should not be recorded. The management of medical records during treatment shall be organised in such a way that the records and the patient’s personal data are accessible to the persons responsible for the treatment of the person receiving it. A dental technician under contract with the Data Controller, and his/her employees acting in that capacity, may access patient data only to the extent necessary for the dental technical work. In all other respects, the processing of data by dental technicians is governed by this Policy.
3.5 Protection of medical confidentiality:
The Data Controller, as well as other persons in a legal relationship with the Data Controller, is bound by an obligation of confidentiality, without time limitation, with regard to data relating to the health status of a patient and any other data that has come to its knowledge in connection with the performance of its work. The obligation of confidentiality is independent of the manner in which the data came to its knowledge. The duty of confidentiality also applies to a carer who has not taken part in the treatment of the patient, unless the data are necessary for the further treatment of the person treated. The obligation of confidentiality may be waived by the patient in writing or by a statutory obligation to provide information. In order to protect medical confidentiality, all employees of the provider must undertake to maintain medical confidentiality; the undertaking must be included in or attached to the employee’s job description. The data subject (patient) has the right to declare to whom information about his/her illness and its likely outcome may be disclosed and to whom partial or total access to his/her medical data is excluded. The health data of the patient shall be disclosed even in the absence of the patient’s consent where this
- is required by law,
- necessary to protect the life, limb or health of others.
3.6 Persons present during medical treatment:
The patient has the right to have present during his/her examination and treatment only those persons whose participation is necessary for the treatment or to whose presence the patient has consented, unless otherwise provided by law. Without the consent of the patient, and with respect for his/her human rights and dignity, the following may be present:
- another person if the treatment regime requires the simultaneous care of several patients,
- a professional member of the police force, if the treatment is administered to a person in custody,
- a member of the prison service, if the treatment is administered to a person serving a custodial sentence in a prison and is necessary for the safety of the treating carer or to prevent escape,
- any other person whose presence is required in the interest of law enforcement or of the patient’s personal safety, where the patient is incapable of making a statement.
In addition to the above, the following may be present:
- anyone who has already treated the patient for the disease in question,
- anyone authorised by the head of the healthcare provider for a professional reason; in this case, the express objection of the person receiving the treatment must be respected.
For the purpose of training health professionals, a doctor, medical student, health professional, or student of a health college, health professional school or health vocational school may be present during the treatment with the consent of the patient (or his/her legal representative). The consent may also be given orally to the dentist providing the treatment.
3.7 Right and obligation to information, patient’s right to information:
The treating dentist shall inform the data subject directly of the medical data concerning the data subject which he/she has established. In the case of a psychiatric patient, the patient’s right of access to the medical records may exceptionally be restricted if there are reasonable grounds to believe that disclosure of the records would seriously compromise the patient’s recovery or violate the privacy of another person. Only the treating dentist is entitled to order such a restriction. The patients’ rights representative and the patient’s legal or authorised representative must be informed of the restriction without delay.
3.8 Information to relatives and other persons:
The patient may, at the time of registration with the provider or at a later date, decide to whom partial or full information about his/her illness, its expected outcome, changes in his/her state of health may be disclosed and who may be excluded. The patient must be informed of this possibility.
3.9 Right of access to medical records:
The patient (or his/her legal representative) has the right to be informed of his/her personal identity and health data and has the right to consult the medical records. The health record is held by the health care provider and the patient has the right to access the information contained therein.
The patient has the right
- to be informed about the processing of his/her data relating to his/her medical treatment,
- to have access to his/her health data,
- to have access to medical records and to obtain extracts or copies thereof or to have copies made at his/her own expense.
The health care provider shall immediately transmit health and personal identification data to the public health administration if a communicable disease is detected or suspected. The municipal institute of the National Sanitary and Epidemiological Service may request the personal identification data of the person concerned on the grounds of public health or epidemiological public interest.
5. Registration of health and personal identification data
5.1. Obligation to register:
The health and personal identification data recorded on the data subject for the purposes of treatment, and any transmission of them, must be recorded. The record of a transfer must include the recipient, the method and date of the transfer and the scope of the data transferred. The means of recording may be any data storage device which ensures that the data are protected against intentional destruction, alteration, damage, disclosure and unauthorised access. The health care provider’s own records shall form part of the register.
5.2 Procedure for storage and archiving of medical records:
Records relating to the examination and treatment of the patient are contained in the medical record. Health records shall be maintained in a manner that accurately reflects the process of care.
The medical records must indicate
- identifying information of the patient,
- the name, address and contact details of the person to be notified in the case of an incapacitated patient, and the name, address and contact details of the legal representative in the case of a minor or a patient under guardianship,
- history, medical history,
- results of the first examination,
- the results of the tests and the date on which the tests were carried out to establish the diagnosis and the plan of care,
- the name of the disease justifying the treatment, the underlying disease, concomitant diseases and complications,
- any other disease not directly justifying the treatment and the risk factors,
- time of the interventions performed and their outcome,
- information on the patient’s hypersensitivity to medication,
- name of the health professional making the entry and date of entry,
- recording the content of the information provided to the patient or other person entitled to receive the information,
- the fact of consent or refusal and the date of such consent or refusal,
- any other data and facts which may have an influence on the patient’s recovery.
as well as all other information and facts, including but not limited to:
- the findings of each examination,
- documents generated during treatment and consultation,
- records of diagnostic imaging procedures.
Special care should be taken to ensure that medical records are detailed, professional, legible and retrievable. Pursuant to Section 30(1) of the Health Care Act, the retention period for medical records is at least 30 years from the date of recording (50 years for final reports and 10 years for diagnostic imaging records). The Data Controller shall establish its own rules for the storage of medical records. During storage, the Data Controller shall ensure that the documentation is protected against unauthorised access, theft, falsification and physical destruction.
6. Implant register
6.1 Information on the legal obligations relating to the implant register
If an implant is inserted, removed or replaced in connection with the treatment of the patient concerned, the Data Controller is obliged, pursuant to Section 101/C(1) of Act CLIV on Health Care (the Health Care Act), to transfer the data of its implant register to the central implant register for the purpose of the further treatment of the person undergoing the insertion, removal or replacement of an implant, the monitoring of his/her health, rapid response to an unexpected event and checking the conformity of implantable medical devices. The health insurance body operating the central implant register shall establish a contact code for the personal identification data. The health insurance body shall generate the contact code for all personal data using the same coding method, in such a way that the personal data cannot be reconstructed from the code and that all transmissions of data concerning the same patient, irrespective of the healthcare provider performing the intervention, are linked to the same contact code. The contact code shall be sent by the health insurance body to the healthcare provider keeping the register via the IT application it operates. The contact code shall be indicated in the medical documentation, including in the final report given to the patient. The body designated to carry out official tasks in relation to medical devices may, for the purpose of carrying out those tasks, obtain access to non-personally identifiable data in the central implant register together with the contact code.
The health insurance body shall provide the public health administration body and the body responsible for professional quality assessment with information by electronic means on request within 8 days, or without delay if necessary to protect the health of the persons wearing the implants, on the non-personally identifiable data stored in the central implant register, with a contact code.
On request of the health care provider, including the contact code indicated in the patient documentation, the health care authority shall immediately provide information by electronic means, with a contact code, on the data stored in the central implant register, in relation to a previous implant procedure performed on a person treated by the health care provider. If it is necessary for the prevention or remedying of an urgent need or a dangerous condition with regard to the person wearing the implant and the last health care provider providing implant-related care has ceased to exist without legal succession or the medical records cannot be obtained or can be obtained with significant delay, the body designated to perform official tasks in relation to medical devices may obtain the data pursuant to Section 101/C (1) a) of the Medical Devices Act in order to contact the person concerned and inform him/her of the actions necessary to protect his/her health.
The data stored in the central implant register must be deleted 50 years after the last transmission of data concerning the data subject.
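The three properties the policy requires of the contact code (one coding method for every record, no way to recover the personal data from the code, and the same code for the same patient whichever provider submits) are what a keyed, deterministic pseudonymisation gives. The following is an added illustration, not the health insurance body's actual coding method (which the page does not describe); the key, field names and sample submissions are constructed for the example.

```python
import hashlib
import hmac
import unicodedata

# Secret key held only by the body operating the central register
# (constructed placeholder value for this example, not a real key).
REGISTER_KEY = b"constructed-example-key-not-for-real-use"

# Fields that identify the person; they are replaced by the contact code
# before a record is stored in the central register (assumed field names).
IDENTITY_FIELDS = ("taj", "name", "birth_date")


def normalise(value: str) -> str:
    """Canonicalise one identity field so that differences in case, accents
    or spacing between providers do not yield different codes for one patient."""
    decomposed = unicodedata.normalize("NFKD", value)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(stripped.casefold().split())   # drop all whitespace


def contact_code(identity: dict, key: bytes = REGISTER_KEY) -> str:
    """Derive the contact code as HMAC-SHA256 over the canonicalised identity.

    The secret key is what makes the code one-way in practice: without it the
    code can neither be inverted nor tested against a guessed identity. Each
    field is length-prefixed so distinct field combinations cannot collide."""
    message = b""
    for field in IDENTITY_FIELDS:
        data = normalise(identity[field]).encode("utf-8")
        message += len(data).to_bytes(2, "big") + data
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def to_register_entry(submission: dict, key: bytes = REGISTER_KEY) -> dict:
    """Build the record kept in the central register: implant and provider
    data plus the contact code, with the identity fields removed."""
    entry = {k: v for k, v in submission.items() if k not in IDENTITY_FIELDS}
    entry["contact_code"] = contact_code(submission, key)
    return entry


def previous_procedures(register: list, code: str) -> list:
    """Look up earlier implant events for a patient by contact code alone."""
    return [e for e in register if e["contact_code"] == code]


# Constructed sample submissions: two providers report the same patient with
# different formatting of the identity fields; a third record is another patient.
SUBMISSIONS = [
    {"taj": "123 456 789", "name": "Kovács Éva", "birth_date": "1980-05-01",
     "provider": "PROVIDER-A", "event": "insert", "implant": "IMPL-A1"},
    {"taj": "123456789", "name": "KOVACS EVA ", "birth_date": "1980-05-01",
     "provider": "PROVIDER-B", "event": "replace", "implant": "IMPL-B7"},
    {"taj": "987 654 321", "name": "Szabó Gábor", "birth_date": "1975-11-23",
     "provider": "PROVIDER-A", "event": "insert", "implant": "IMPL-A2"},
]


def build_register(submissions=SUBMISSIONS, key: bytes = REGISTER_KEY) -> list:
    """Depersonalise every submission into a central-register entry."""
    return [to_register_entry(s, key) for s in submissions]
```

Running `build_register()` yields three entries carrying no name, TAJ or birth date; the first two share one contact code, so `previous_procedures` finds both events for that patient, while a different key would produce entirely different codes.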
7. Electronic health services space (EESZT)
The uploading of data to EESZT starts from the patient’s admission. Data generated in the course of healthcare are recorded in EESZT in the following cases and in the following ways:
Catalogue of events
The central event catalogue contains up-to-date information about your healthcare. The following details are required for the central event catalogue: the event details, the date of the event, the date of recording in the health facility’s system and the ID of the person responsible for recording the event. Data retention period: 5 years after your death. The data can be accessed by:
- Court, Authorities (acting in their capacity)
- a general practitioner, family doctor in connection with your healthcare, in accordance with your digital self-care settings
Recording of health documents
The purpose of the register is to allow treating physicians to access their patients’ health documents; the register contains these documents (e.g. outpatient chart, findings, final report, etc.). The documents contained here are kept according to the rules and for the time period applicable to health records. Retention period: 5 years after your death. The data can be accessed by:
- the healthcare institution
The health profile record contains information describing your general health status (current illnesses, general health information). The purpose of the record is to provide the treating physician with up-to-date and comprehensive health information for your care. Retention period: 5 years after your death. The data can be accessed by:
- your treating doctor or general practitioner
7.2 Where can you access the data on your healthcare that has been entered into EESZT?
The EESZT Resident Portal can be found on the https://www.eeszt.gov.hu website. You can access your own personalised EESZT user account by clicking on the Login button and entering your client identification and social security number. This will allow you to easily access and retrieve all the health documents and data related to you that will be included in the EESZT at any time.
If you do not have an account, you can create one in the following ways:
1. In person at any document office, government office, tax authority customer service or diplomatic mission
2. Electronically if you have a valid identity card issued after 1 January 2016.
You can also use several EESZT services offered by the digital facilities on the Citizen Portal. Some of these are:
Under the CONVENTIONS tab, you can track your care events in the Event Catalogue and find your patient documents generated during your care and uploaded to EESZT in your e-History.
Under the REFERRALS tab, you can retrieve your own electronic referrals filtered by a specific period, view their data content and print them.
Under the PRESCRIPTIONS heading, you can retrieve your electronic prescriptions, including a list of prescriptions you have already filled, going back to a specific period. All prescription information is also available to you, but this is not a substitute for a prescription certificate, which can be used by others to fill your prescription, so you cannot fill a prescription printed from here. Your traditional paper prescriptions will only appear among your dispensed prescriptions because they are entered into the system by the pharmacy when the prescription is dispensed.
Under the Notify box, you can request to be notified when data or documents related to you are added to the system. You can track who has requested to view what data or document in the system, and when. You will also be able to control the availability of your data and documents that will be included in EESZT.
8. Data protection
8.1 Data protection training policy:
It is the responsibility of the Manager to ensure that the Data Controller’s employees receive annual training on data management and data protection. The training shall be documented. The training of new employees on data protection shall be carried out by the manager and documented.
The Data Protection Officer will be Dr. Róbert Nagy
The Data Protection Officer can be contacted at [email protected]
8.2 Data security, data protection:
The Data Controller and the data processor shall ensure the security of the data and shall take the technical and organisational measures and establish the procedural rules necessary to enforce the Data Protection Act and other data protection and confidentiality rules. In particular, the data must be protected against unauthorised access, alteration, transmission, disclosure, deletion or destruction and against accidental destruction or damage. In order to ensure the technical protection of personal data, the controller, the processor or the operator of the communication or information technology equipment shall take specific protection measures where personal data are transmitted by means of a network or other information technology equipment. All persons involved in the processing of personal data must exercise the utmost care in their work to ensure the authenticity and integrity of the data and to prevent unauthorised access. When storing and transmitting data, general accident and fire safety regulations must be observed. Within the healthcare provider, the head of the institution handling the data is responsible for the protection of health and personal data and the preservation of records.
In the course of the Data Controller’s activities, the following tasks must be carried out:
- ensure compliance with data protection rules,
- control the activities of controllers and processors in relation to the processing of data,
- initiate the use of new technologies and tools in the field of data protection and data security,
- ensure the training of persons involved in data management and processing,
- allow access to medical records in the case of scientific research,
- designate the person(s) responsible for data protection,
- control the activities of the data protection officer(s),
- decide on the further storage or destruction of the recorded data after the mandatory record-keeping period.
8.3. Data recorded on paper or stored electronically:
Data shall be recorded in a paper document by the Data Controller at the time of recording. The person who records the data is responsible for the legibility of the data. The data recorded shall subsequently be recorded by the Data Controller in the electronic database. In the case of electronically stored data, data may only be processed by the registered controller on the access list. The controller must log in to the system with an individual, secret password. Once the processing is completed, the user must log out of the system. The controller is responsible for password-protected processing in the system. In order to avoid possible misuse, the data controller is obliged to ensure and maintain the confidentiality of his/her individual password.
8.4 Procedure in the event of data corruption:
In the event of damage or destruction of health and personal data, an attempt should be made to replace the damaged data as far as possible from other available data sources. The dental care provider shall perform automatic backups of the computer system at specified intervals to ensure continuity of data backup. Data breaches must be reported to the NAIH.
9. Contact details of the data controller
- Health Service Provider: Dental For You Dental Centre Limited Liability Company
- Location: 1053 Budapest, Kecskeméti utca 1, 1st floor 2
- Tax number: 25000076-1-41
- Tel.: (+36) 1 790 3282
- Email: [email protected]
10. Data Processor
The Data Controller uses a data processor to process the data. The Processor shall provide the Controller with the software used to record patient records in an electronic database. The processor and any person having access to the personal data, acting under the control of the controller or the processor, shall process those data only in accordance with the controller’s instructions, unless the controller is required by law to derogate from them. In addition to the above, the Data Controller shall employ an additional data processor for the processing of the data for the sole purpose of fulfilling the tax obligations arising from the invoicing of the fee for the health care service, for the performance of accounting tasks. The data processor will only know the personal data of the patients which are indicated on the invoice issued for the service fee (name, address). The legal basis for the processing of the data is the fulfilment of a legal obligation pursuant to Article 6(1)(c) of the GDPR Regulation. The data storage period for accounting documents is 5, 8 or 10 years as laid down by law. If, in the course of the treatment, the patient decides to require sedation (anaesthesia) for a procedure, the Data Controller shall provide this service by using an external service provider, during which a separate medical record and a consent form shall be signed by the patient with the doctor providing the anaesthesia care. The sole purpose of this data collection is to obtain information and medical data that may have an impact on the work of the anaesthesiologist. The anaesthesiologist acts as a data processor for the purposes of data processing, the legal basis for which is the performance of a contract with the Data Controller as a healthcare provider, pursuant to Article 6(1)(b) of the GDPR Regulation. 
The data processor may not take any substantive decisions regarding the processing, may process personal data that come to its knowledge only in accordance with the provisions of the controller, may not process personal data for its own purposes, and shall store and retain personal data in accordance with the provisions of the controller.
The data subject may initiate an investigation with the National Authority for Data Protection and Freedom of Information against the Data Controller if he/she has suffered harm in relation to the processing of his/her data. Contact details of the Authority:
- Name: National Authority for Data Protection and Freedom of Information
- Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/c
- Phone: +36 (1) 391-1400
- Fax: +36 (1) 391-1410
- www: http://www.naih.hu
- e-mail: [email protected]
12. Entry into force, other provisions
12.1. This Policy enters into force on 10 October 2018.
12.2. The Data Controller shall make this Policy available to patients on its website in electronic form, if necessary, and on paper at its surgery at all times.
12.3. With regard to the provisions on data protection not specified in these Regulations, the legislation referred to in point 1.1 and any applicable and relevant legislation replacing such legislation shall apply.
Budapest, 10 October 2018
Dr. Péter Márton Steinhof
- Consent for data processing
- Camera policy
- Asset inventory
- Risk analysis for data management
- Management impact assessment
- Information technology policy
- Security policy
- Protocol for the review of data management
- Code of Conduct of the Data Controller
- Privacy Incident Reporting Form
- Risk Assessment Test Sheet
- Protocol on data protection education