Privacy Notice

Purpose and Scope of this Privacy Notice

  • The purpose of this Privacy Notice (hereafter referred to as “Notice”) is to specify the rules governing the use of records and/or databases kept by Fehér Dental Team Kft. (hereinafter referred to as “Controller”) and to ensure enforcement of the constitutional principles of data protection, the right to informational self-determination and data security requirements as well as to guarantee that, within the limits of the statutory framework, everybody should be able to exercise control over his or her personal data, familiarise themselves with the conditions of the processing of such data and to prevent unauthorised access to or unauthorised modification or disclosure of the personal data concerning him or her. In addition, this Notice provides information to data subjects with regard to the data processing practices of the Controller.
  • The scope of this Notice covers the processing of personal data and sensitive data carried out at all organisational units of the Controller.
  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”);
  • Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as “Informational Self-Determination Act”);
  • Act V of 2013 on the Civil Code (hereinafter referred to as “Civil Code”);
  • Act CXXX of 2016 on the Code of Civil Procedure (hereinafter referred to as “Code of Civil Procedure”);
  • Act XLVII of 1997 on the Processing and Protection of Medical Data and Related Personal Data (hereinafter referred to as “Medical Data Processing Act”);
  • Decree No. 62/1997. (XII. 21.) of the Minister of Welfare on Certain Aspects of the Processing and Protection of Medical Data and Related Personal Data (hereinafter referred to as “Medical Data Processing Decree”);
  • Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter referred to as “Advertising Act”);
  • Act I of 2012 on the Labour Code (hereinafter referred to as “Labour Code”).
  • Name: FEHÉR DENTAL TEAM Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
  • Registered office: H-9400 Sopron, Várkerület 59. 1. em. 2.
  • Company registration number: 08-09-010446
  • VAT number: 12853788-1-08
  • Commercial Court keeping the relevant records in the Register of Companies: Commercial Court of the Metropolitan Court of Győr (Győri Törvényszék Cégbírósága)
  • Telephone number: +36 99 339-349
  • Email: fdt@fdt.hu
  • Name of the data protection officer (DPO): dr. Péter Pozsgay
  • Email address of the DPO: office@drpozsgaypeter.hu
  • Telephone number of the DPO: +36 20 55-74-860
  • The Controller carries out its data processing activities based on the data subjects’ voluntary consent or a statutory authorisation. In the case of voluntary consent, the data subject may at any time request information about the scope and uses of their data being processed, and the data subject may withdraw his or her consent, except in specific cases where the processing continues due to a statutory obligation (in such cases, the Controller shall provide information on such further processing to the data subject).
  • People providing data shall provide all data to the best of their knowledge and accurately.
  • If a person providing data does not provide his or her own personal data, the person providing data shall obtain the consent of the data subject.
  • If the Controller transfers data to processors or other third parties, the Controller shall keep records of such transfers of data. These records on the transfers of data shall include the recipient, the means and the date of the transfers of data, as well as the scope of the data transferred.
  • Data processing relating to individual activities of the Controller:
  • Personal data of patients
  • Documentation of dental implants
  • Contact via the Controller’s website
  • Invoicing
  • Newsletter
  • Security cameras
  • Use of cookies on the Controller’s website
  • Data subjects may at any time request information from the Controller in writing about the means by which their personal data are processed, communicate their request for erasure or rectification of the data, or withdraw their previously granted consent via the contact details specified in Section 3 herein.
  • Data subjects may not exercise their right to erasure in cases where the data processing is required by law.
  • Summary of the right to information: At the request of the data subject, the Controller shall provide the data subject with the information listed in Articles 13-14, 15-22 and 34 of the GDPR concerning the processing of personal data in a concise and comprehensible form.
  • Summary of the right of access by the data subject: At the request of the data subject, the Controller shall provide information on whether any personal data concerning the data subject is being processed by the Controller. If the Controller is processing any personal data concerning the data subject, the data subject shall have the right to access as regards the following:
  • the personal data concerning him or her;
  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed;
  • the envisaged period for which the personal data will be stored;
  • the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data;
  • the right to lodge a complaint with a court or supervisory authority;
  • source of the personal data undergoing processing;
  • details of the use of automated decision-making, including profiling, and the envisaged consequences of such automated decision-making for the data subject;
  • where appropriate, information that personal data are transferred to a third country or to an international organisation.
  • In the case of a request for data as described above, the Controller shall provide the data subject with a copy of the corresponding data that it processes. Subject to a separate request, it is possible to ask the Controller to provide this copy by electronic means.
  • The Controller charges an administration fee of HUF 500 per page for each additional copy.
  • The deadline for providing the requested data is 30 days from receipt of the relevant request.
  • Right to rectification: The data subject may request the rectification of inaccurate personal data concerning him or her processed by the Controller.
  • Right to erasure: At the request of the data subject, the Controller shall, as soon as possible but no later than within 5 working days, erase all personal data concerning the data subject, if any of the following applies:
  • the personal data have been unlawfully processed (without a statutory authorisation or the data subject’s consent);
  • the personal data are no longer necessary in relation to the purposes for which they were collected;
  • the data subject withdraws consent on which the processing is based, and where the Controller has no other legal ground for the processing;
  • the personal data have been collected in relation to the offer of information society services;
  • the personal data have to be erased for compliance with a legal obligation imposed by law to which the controller is subject;
  • The Controller will be unable to erase the data where the further processing is required for any of the following:
  • Further processing is required to comply with legal requirements to which the Controller is subject; or
  • it is required for the exercise of the right to freedom of expression or right to information;
  • it is required to achieve a public interest;
  • it is required for archival, scientific, research or statistical purposes;
  • it is required for the establishment, exercise or defence of legal claims.
  • Right to restriction of processing: Where any of the following grounds exist, the Controller shall restrict processing at the request of the data subject:
  • the accuracy of the personal data is contested by the data subject; in this case, the restriction shall remain in force for a period enabling the controller to credibly verify the accuracy and correctness of the personal data;
  • the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their processing instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
  • Where processing has been restricted by the Controller, such personal data shall only be processed if and in so far as
  • the data subject consents to it;
  • it is required for the establishment, exercise or defence of legal claims;
  • it is required for the enforcement or defence of other persons’ rights;
  • it is required to achieve a public interest.
  • Right to withdraw consent: The data subject shall have the right to withdraw his or her consent at any time in writing. Upon such request, the Controller shall immediately and permanently erase any data that are being processed concerning the data subject and the further storage of which is not required by law or for the enforcement or protection of rights related to legitimate interests. The lawfulness of data processing carried out before the withdrawal of the consent shall not be affected by such withdrawal.
  • Right to data portability: The data subject shall have the right to receive the personal data concerning him or her in a commonly used and machine-readable format and have the right to transmit those data to another controller. Such requests shall be fulfilled by the Controller within the shortest possible time, but no later than within 30 days.
  • Automated decision-making and profiling: The data subject shall have the right not to be subject to a decision based solely on automated processing (e.g. profiling), which produces legal effects concerning him or her or similarly significantly affects him or her. This right shall not apply if the decision:
  • is necessary for entering into, or performance of, a contract between the data subject and the Controller;
  • is based on the data subject's explicit consent;
  • is authorised by law;
  • is necessary for the establishment, exercise or defence of legal claims.
  • Controller stores the data processed by it, both in paper and electronic form, in its registered office. Controller processes electronic data using a piece of software called DentAdmin3, the provider of which is Medadmin Kft. (company registration number: 06-09-009409; VAT number: 13336695-2-06; registered office: H-6721 Szeged, Juhász Gyula utca 36. 1. em. 1.).
  • Controller’s website (http://www.feherdentalteam.com) is hosted by a web hosting provider. The web hosting provider is Binvision Kft. (registered office: H-9400 Sopron, Mikoviny utca 26.; telephone: +36 20 983 94 88; email: info@binvision.hu).
  • The exceptions to paragraph (1) are the data stored by the Controller’s processors, the place of storage of which is the registered office of the data processor concerned.
  • Controller uses an IT system capable of ensuring the following:
  • the absence of a change in the data can be verified (data integrity);
  • the authenticity of the data is ensured (authenticity of the processing);
  • data are only accessible to the authorised people (availability);
  • and data are protected against unauthorised access (confidentiality of data).
  • The protection of data shall cover in particular:
  • unauthorised access;
  • modification;
  • transfer;
  • erasure;
  • disclosure;
  • accidental corruption;
  • accidental destruction;
  • unavailability due to a change in the technology used.
  • In order to protect the data processed electronically, the Controller uses a solution ensuring an appropriate level of security taking into account the state of the art. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by the processing performed by the Controller. IT protection shall ensure that the data stored may not be directly attributed or linked to a data subject (unless permitted by law).
  • When processing personal data, the Controller shall ensure that:
  • authorised people can access the data whenever they need them;
  • only authorised people can access the data;
  • the accuracy and completeness of the information and of the means of processing are safeguarded.
  • The Controller and its processors, if any, shall at all times ensure the protection of their IT systems against fraud, espionage, viruses, burglary, vandalism and natural disasters. The Controller (or its processor) shall use server-level and application-level security measures.
  • Messages transmitted to the Controller via the Internet, in any form, are at high risk for network threats that may result in the unauthorised modification of or unauthorised access to information or other illegal activity. Controller shall use its best endeavours to do all that can be reasonably done and expected from it, taking into account the state of the art, to eliminate such threats. To this end, the systems used are being monitored in order to register any security derogations, to obtain evidence of security incidents or to investigate the effectiveness of precautionary measures.
  • If the Controller receives a request in accordance with Articles 15-22 of the GDPR, the Controller shall inform the data subject, within the shortest possible time but no later than within 30 days, in writing, about the measures taken based on his or her request.
  • Where this is justified taking into account the complexity of the request or other objective circumstances, this deadline may be extended once by a maximum of 60 days. The Controller shall notify the data subject in writing of the extension of the deadline, providing appropriate reasons for the extension.
  • The Controller shall provide information free of charge, except if:
  • the data subject requests information/measures repeatedly with substantially unchanged content;
  • the request is clearly unfounded;
  • the request is excessive.
  • In the cases referred to in paragraph (3), the Controller shall be entitled to:
  • refuse the request;
  • make the fulfilment of the request subject to the payment of a reasonable fee.
  • If the applicant requests the transfer of data on paper or electronic media (CD or DVD), the Controller shall provide a copy of the data concerned free of charge in the requested form (unless the media chosen would present disproportionate technical difficulties). Any additional copy requested shall be provided for an administration fee of HUF 500 per page or CD/DVD.
  • The Controller shall notify any person to whom the data has been previously communicated about the completed rectification, erasure or restriction of processing, unless the provision of information is impossible or requires disproportionate efforts.
  • Where the data subject so requests, the Controller shall inform him or her about the persons to whom his or her data have been transferred.
  • The Controller shall respond to requests in an electronic format, unless:
  • the respondent expressly requests the response in another format and the Controller does not incur unreasonably high extra costs if it complies with the request;
  • the Controller does not know the data subject’s electronic contact details.
  • In the event that any data subject has suffered material or special damages as a result of an infringement of the data protection legislation, he or she shall be entitled to claim damages from the Controller and/or the processor. Where the Controller and the processor(s) are also involved in this infringement, they shall be held liable for the damage sustained jointly and severally.
  • The processor shall only be liable for any damages sustained if it has violated the relevant provisions of the data protection legislation specifically applicable to processors or if the damage occurred due to a failure of the processor to observe the instructions of the Controller.
  • The Controller and any processor shall only be held liable if they cannot prove that they are not liable for the incident or circumstance giving rise to the damage.
  • Should you have any objections to or concerns about the processing of your personal data by the Controller, please contact the Data Protection Officer of the Controller, dr. Péter Pozsgay (contact details: office@drpozsgaypeter.hu; +36 20 557 4860).
  • Where, in your opinion, your rights have been infringed by the Controller and/or its processors, you have the right to bring an action before the court of competent jurisdiction under the Code of Civil Procedure. The court shall deal with such requests as a matter of urgency.
  • Where you, as the data subject, wish to lodge a complaint concerning the processing of your personal data, you may contact the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) via the following contact details: registered office: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C; postal address: H-1530 Budapest, Pf.: 5. Telephone: +36 1 391-1400; Fax: +36-1 391-1410; Email: ugyfelszolgalat@naih.hu; Web: www.naih.hu.
  • Where it receives a formal request from a competent authority, the Controller is obliged to transfer specific personal data.
  • In the cases referred to in paragraph (1), the Controller shall only transfer the data that are strictly necessary to achieve the purpose indicated by the requesting authority.

Applicable Legislation

Details of the Controller

The Controller’s current details are as follows:

Scope of the Personal Data Processed; Purposes, Duration and Legal Basis of the Processing

Legal basis of data processing: the data subjects’ consent or a statutory obligation

Scope of the personal data processed: name, date of birth, occupation, health insurance fund, home address (country, city/town/village, postal code, street name, house number), telephone number, email address, source from which they learned about the Controller’s services; questions about the general health status and previous interventions; data concerning dental/medical history, smoking and oral care habits; photos of the oral cavity taken before, during and/or after a treatment; x-rays of a part or the whole of the oral cavity, where necessary;

Purpose of data processing: promotion of health preservation, improvement or maintenance; facilitation of efficient medical treatments, including specialist supervision activities; monitoring of the data subject’s health status; enforcement of patients’ rights

Deadline for erasure of the data: Under Section 30(1) of the Hungarian Health Care Act, 30 years from the date of recording of the data, or 50 years for discharge summaries, or 10 years for diagnostic images, with the exception of invoicing data that will be erased after 6 years, email addresses and telephone numbers that will be erased by the Controller after 5 years as well as data on the source where data subjects learned about the Controller’s services which will be erased after 30 days.

Possible consequences of failure to provide the required data: where medical or basic invoicing and identification data are not provided, the inability to provide health care services; medical data cannot be erased after a service has been provided due to the provider’s statutory obligations; where the email address or the telephone number is not provided, this may make it more difficult to contact the data subject; where the data subject fails to provide information on the source from which they learned about the Controller’s services, this makes the Controller’s advertising activities less effective

Controller shall treat confidentially any medical secret obtained by it.

Legal basis of data processing: statutory obligation (Section 22/B. of the Medical Data Processing Act)

Scope of the data processed: out of the personal identity data specified in the Act on the Processing and Protection of Medical Data and Related Personal Data, first and last name, birth name, date of birth, mother's birth name, home address or place of residence and other contact details of the person undergoing an intervention, the date of implantation/removal/replacement, the reasons for implantation/removal/replacement; as regards the implant, the name, type, production batch number (if available) and serial number of the implant, the manufacturer’s and distributor’s name and address from which the healthcare provider purchased the implant; name and medical stamp number of the dentist who performed the implantation; name and operating licence number of the healthcare provider where the intervention was performed

Purpose of data processing: central registration of implants

Deadline for erasure of the data: 50 years from recording in the Central Register of Implants

Possible consequences of failure to provide the required data: it is a statutory obligation and therefore it is not possible to refuse to provide information

Legal basis of data processing: the data subjects’ consent by implication

Scope of the personal data processed: name; email address; telephone number; home address; message text

Purpose of data processing: First contact with the Controller

Deadline for erasure of the data: at the Controller’s absolute discretion, where the message contains any information that may result in a legal obligation for the Controller or where the Controller considers that such information may be necessary to enforce or defend the rights of the Controller or of a third party in the future then the Controller will erase the data after 5 years, otherwise within 30 days after the receipt of the message

Possible consequences of failure to provide the required data: where incomplete data are provided, failure or difficulty to contact the data subject

Legal basis of data processing: fulfilment of legal obligation

Scope of the personal data processed: name; home address

Purpose of data processing: fulfilment of legal obligation

Processor: All invoices issued are processed and stored by Orbán & Partners Audit Kft. accounting firm for 1.5 years and then are stored by the Controller at its registered office located at H-9400 Sopron, Várkerület 59.

Legal grounds for the transfers of data: fulfilment of legal obligation

Deadline for erasure of the data: 9 years after the invoice date

Possible consequences of failure to provide the required data: it is not possible to refuse to provide information due to a statutory obligation

Legal basis of data processing: data subjects’ consent

Scope of the personal data processed: name; email address

Purpose of data processing: the purpose of data processing is to inform subscribers about the activities and promotions of the Controller

Deadline for erasure of the data: withdrawal of the consent

Possible consequences of failure to provide the required data: inability to receive newsletters and therefore to receive information about the latest news and promotions of the Controller

A video surveillance and recording (CCTV) system is operated at the Controller’s office building. Security cameras monitor hallways and rooms accessible to customers, with the exception of toilets and designated smoking areas.

Legal basis of data processing: the data subjects’ consent by implication – entry into the Controller’s building implies their consent; for employees, Section 11 of the Labour Code

Scope of the personal data processed: name; email address; telephone number; home address; message text

Purpose of data processing: operation of a video surveillance and recording system to protect the legitimate interests of the Controller and of its visitors

Deadline for erasure of the data: where the recordings are not used, within 60 days of recording

Data storage location: on a server located at the Controller’s registered office

Possible consequences of failure to provide the required data: inability to use the services provided by the Controller

Enforcement of the rights of the data subject: the data subject whose right or legitimate interest is affected by the recorded images, by simultaneously presenting proof of his or her right or interest, may request the Controller not to erase the recordings until a request by the competent authority or court, but for no later than 30 days. A person captured on the recordings may request written information from the Controller about the conduct displayed by him or her in the recordings. The data subject may request a copy of the recordings, provided that no other person can be seen or is recognisable on such recordings. Where this is not the case and therefore the request cannot be fulfilled, the Controller shall allow the data subject to view the recordings concerning him or her. The data subject may request erasure of the recordings made concerning him or her, oppose the data processing or request rectification of the data. Such request will be fulfilled by the Controller, provided that the recordings concerned are not required for the protection or enforcement of the right or legitimate interest of another party.

Legal basis of data processing: data subjects’ consent

Types of cookies used: PHP Session cookies – they do not expire and are only responsible for enabling the functioning of the website. No personal data is saved into such cookies by the system. Google Analytics cookies – they send data to Google Inc. using anonymised IP addresses, which only contain the visitors’ tracker IDs.

Scope of personal data processed: PHP Session cookies: –; Google Analytics cookies: IP addresses for improvement of the functioning of the Controller’s website.

Purpose of data processing: PHP Session cookies: Basic functioning of the Controller’s website; Google Analytics cookies: Improvement of the functioning of the Controller’s website.

Data transfers: Google Inc.

Legal basis of the transfers of data: the data subjects’ consent

Data processors: Google Inc. (Mountain View, California, United States of America)

Deadline for erasure of the data and additional detailed information: See: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Possible consequences of failure to provide the required data: jeopardisation of the proper functioning of the Controller’s website

Electronic data of the Controller

Rights of Data Subjects and Available Remedies

Means of Storage and Protection of Personal Data

Procedural Rules

Compensation for Damages

Legal Remedies

Cooperation with Authorities

Place and date: Sopron, 24 May 2018