Privacy Notice
Purpose and Scope of this Privacy Notice
The purpose of this Privacy Notice (hereafter referred to as “Notice”) is to specify the rules governing the use of records and/or databases kept by Fehér Dental Team Kft. (hereinafter referred to as “Controller”) and to ensure enforcement of the constitutional principles of data protection, the right of information self-determination and data security requirements as well as to guarantee that, within the limits of the statutory framework, everybody should be able to dispose over his or her personal data, familiarise themselves with the conditions of the processing of such data and to prevent unauthorised access to or unauthorised modification or disclosure of the personal data concerning him or her. In addition, this Notice provides information to data subjects with regard to the data processing practices of the Controller.
The scope of this Notice covers the processing of personal data and sensitive data carried out at all organisational units of the Controller.
· Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR”);
· Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as “Informational Self-Determination Act”;
· Act V of 2013 on the Civil Code (hereinafter referred to as “Civil Code”);
· Act CXXX of 2016 on the Code of Civil Procedure (hereinafter referred to as “Code of Civil Procedure”);
Act XLVII of 1997 on the Processing and Protection of Medical Data and Related Personal Data (hereinafter referred to as “Medical Data Processing Act”);
Decree No. 62/1997. (XII. 21.) of the Minister of Welfare on Certain Aspects of the Processing and Protection of Medical Data and Related Personal Data (hereinafter referred to as “Medical Data Processing Decree”);
Act XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities (hereinafter referred to as “Advertising Act”);
Act I of 2012 on the Labour Code (hereinafter referred to as “Labour Code”).
· Name: FEHÉR DENTAL TEAM Kereskedelmi és Szolgáltató Korlátolt Felelősségű Társaság
Registered office: H-9400 Sopron, Várkerület 59. 1. em. 2.
Company registration number: 08-09-010446
VAT number: 12853788-1-08
Commercial Court keeping the relevant records in the Register of Companies: Commercial Court of the Metropolitan Court of Győr (Győri Törvényszék Cégbírósága)
Telephone number: +36 99 339-349
Email: fdt@fdt.hu
· Name of the data protection officer (DPO): dr. Péter Pozsgay
· Email address of the DPO: office@drpozsgaypeter.hu
· Telephone number of the DPO: +36 20 55-74-860
The Controller carries out its data processing activities based on the data subjects’ voluntary consent or a statutory authorisation. In the case of voluntary consent, the data subject may at any time request information about the scope and uses of their data being processed, and the data subject may withdraw his or her consent, except in specific cases where the processing continues due to a statutory obligation (in such cases, the Controller shall provide information on such further processing to the data subject).
People providing data shall provide all data to the best of their knowledge and accurately.
If a person providing data does not provide his or her own personal data, the person providing data shall obtain the consent of the data subject.
If the Controller transfers data to processors or other third parties, the Controller shall keep records of such transfers of data. These records on the transfers of data shall include the recipient, the means and the date of the transfers of data, as well as the scope of the data transferred.
Data processing relating to individual activities of the Controller:
Personal data of patients
Documentation of dental implants
Contact via the Controller’s website
Invoicing
Newsletter
Security cameras
Use of cookies on the Controller’s website
Data subjects may at any time request information from the Controller in writing about the means by which their personal data are processed, communicate their request for erasure or rectification of the data, or withdraw their previously granted consent via the contact details specified in Section 3 herein.
Data subjects may not exercise their right to erasure in cases where the data processing is required by law.
Summary of the right to information: At the request of the data subject, the Controller shall provide the data subject with the information listed in Articles 13-14, 15-22 and 34 of the GDPR concerning the processing of personal data in a concise and comprehensible form.
Summary of the right of access by the data subject: At the request of the data subject, the Controller shall provide information on whether any personal data concerning the data subject in being processed by the Controller. If the Controller is processing any personal data concerning the data subject, the data subject shall have the right to access as regards the following:
the personal data concerning him or her;
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed;
the envisaged period for which the personal data will be stored;
the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data;
the right to lodge a complaint with a court or supervisory authority;
source of the personal data undergoing processing;
details of the use of automated decision-making, including profiling, and the envisaged consequences of such automated decision-making for the data subject;
where appropriate, information that personal data are transferred to a third country or to an international organisation.
In the case of a request for data as described above, the Controller shall provide the data subject with a copy of the corresponding data that it processes. Subject to a separate request, it is possible to ask the Controller to provide this copy by electronic means.
The Controller charges an administration fee of HUF 500 per page for each additional copy.
The deadline for providing the requested data is 30 days from receipt of the relevant request.
Right to rectification: The data subject may request the rectification of inaccurate personal data concerning him or her processed by the Controller.
Right to erasure: At the request of the data subject, the Controller shall, as soon as possible but no later than within 5 working days, erase all personal data concerning the data subject, if any of the following applies:
the personal data have been unlawfully processed (without a statutory authorisation or the data subject’s consent);
the personal data are no longer necessary in relation to the purposes for which they were collected;
the data subject withdraws consent on which the processing is based, and where the Controller has no other legal ground for the processing;
the personal data have been collected in relation to the offer of information society services;
the personal data have to be erased for compliance with a legal obligation imposed by law to which the controller is subject;
The Controller will be unable to erase the data where the further processing is required for any of the following:
Further processing is required to comply with legal requirements to which the Controller is subject; or
it is required for the exercise of the right to freedom of expression or right to information;
it is required to achieve a public interest;
it is required for archival, scientific, research or statistical purposes;
it is required for the establishment, exercise or defence of legal claims.
Right to restriction of processing: Where any of the following grounds exist, the Controller shall restrict processing at the request of the data subject:
the accuracy of the personal data is contested by the data subject; in this case, the restriction shall remain in force for a period enabling the controller to credibly verify the accuracy and correctness of the personal data;
the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their processing instead;
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
Where processing has been restricted by the Controller, such personal data shall only be processed if and in so far as
the data subject consents to it;
it is required for the establishment, exercise or defence of legal claims;
it is required for the enforcement or defence of other persons’ rights;
it is required to achieve a public interest.
Right to withdraw consent: The data subject shall have the right to withdraw his or her consent at any time in writing. Upon such request, the Controller shall immediately and permanently erase any data that are being processed concerning the data subject and the further storage of which is not required by law or for the enforcement or protection of rights related to legitimate interests. The lawfulness of data processing carried out before the withdrawal of the consent shall not be affected by such withdrawal.
Right to data portability: The data subject shall have the right to receive the personal data concerning him or her in a commonly used and machine-readable format and have the right to transmit those data to another controller. Such requests shall be fulfilled by the Controller within the shortest possible time, but no later than within 30 days.
Automated decision-making and profiling: The data subject shall have the right not to be subject to a decision based solely on automated processing (e.g. profiling), which produces legal effects concerning him or her or similarly significantly affects him or her. This right shall not apply if the decision:
is necessary for entering into, or performance of, a contract between the data subject and the Controller;
is based on the data subject’s explicit consent;
is authorised by law;
is necessary for the establishment, exercise or defence of legal claims.
Controller stores the data processed by it, both in paper and electronic form, in its registered office. Controller processes electronic data using a piece of software called DentAdmin3, the provider of which is Medadmin Kft. (company registration number: 06-09-009409; VAT number: 13336695-2-06; registered office: H-6721 Szeged, Juhász Gyula utca 36. 1. em. 1.).
Controller’s website (http://www.feherdentalteam.com) is hosted by a web hosting provider. The web hosting provider is Binvision Kft. (registered office: H-9400 Sopron, Mikoviny utca 26.; telephone: +36 20 983 94 88; email: info@binvision.hu).
The exceptions to paragraph (1) are the data stored by the Controller’s processors, the place of storage of which is the registered office of the data processor concerned.
Controller uses an IT system capable of ensuring the following:
the absence of a change in the data can be verified (data integrity);
the authenticity of the data is ensured (authenticity of the processing);
data are only accessible to the authorised people (availability);
and data are protected against unauthorised access (confidentiality of data).
The protection of data shall cover in particular:
unauthorised access;
modification;
transfer;
erasure;
disclosure;
accidental corruption;
accidental destruction;
unavailability due to a change in the technology used.
In order to protect the data processed electronically, the Controller uses a solution ensuring an appropriate level of security taking into account the state of the art. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by the processing performed by the Controller. IT protection shall ensure that the data stored may not be directly attributed or linked to a data subject (unless permitted by law).
When processing personal data, the Controller shall ensure that:
authorised people can access the data whenever they need them;
only authorised people can access the data;
the accuracy and completeness of the information and of the means of processing are safeguarded.
The Controller and its processors, if any, shall at all times ensure the protection of their IT systems against fraud, espionage, viruses, burglary, vandalism and natural disasters. The Controller (or its processor) shall use server-level and application-level security measures.
Messages transmitted to the Controller via the Internet, in any form, are at high risk for network threats that may result in the unauthorised modification of or unauthorised access to information or other illegal activity. Controller shall use its best endeavours to do all that can be reasonably done and expected from it, taking into account the state of the art, to eliminate such threats. To this end, the systems used are being monitored in order to register any security derogations, to obtain evidence of security incidents or to investigate the effectiveness of precautionary measures.
If the Controller receives a request in accordance with Articles 15-22 of the GDPR, the Controller shall inform the data subject, within the shortest possible time but no later than within 30 days, in writing, about the measures taken based on his or her request.
Where this is justified taking into account the complexity of the request or other objective circumstances, this deadline may be extended once by a maximum of 60 days. The Controller shall notify the data subject in writing of the extension of the deadline, providing appropriate reasons for the extension.
The Controller shall provide information free of charge, except if:
the data subject requests information/measures repeatedly with substantially unchanged content;
the request is clearly unfounded;
the request is excessive.
In the cases referred to in paragraph (3), the Controller shall be entitled to:
refuse the request;
make the fulfilment of the request subject to the payment of a reasonable fee.
If the applicant requests the transfer of data on paper or electronic media (CD or DVD), the Controller shall provide a copy of the data concerned free of charge in the requested form (unless the media chosen would present disproportionate technical difficulties). Any additional copy requested shall be provided for an administration fee of HUF 500 per page or CD/DVD.
The Controller shall notify any person to whom the data has been previously communicated about the completed rectification, erasure or restriction of processing, unless the provision of information is impossible or requires disproportionate efforts.
Where the data subject so requests, the Controller shall inform him or her about the persons to whom his or her data have been transferred.
The Controller shall respond to requests in an electronic format, unless:
the respondent expressly requests the response in another format and the Controller does not incur unreasonably high extra costs if it complies with the request;
the Controller does not know the data subject’s electronic contact details.
In the event that any data subject has suffered material or special damages as a result of an infringement of the data protection legislation, he or she shall be entitled to claim damages from the Controller and/or the processor. Where the Controller and the processor(s) are also involved in this infringement, they shall be held liable for the damage sustained jointly and severally.
The processor shall only be liable for any damages sustained if it has violated the relevant provisions of the data protection legislation specifically applicable to processors or if the damage occurred due to a failure of the processor to observe the instructions of the Controller.
The Controller and any processor shall only be held liable if they cannot prove that they are not liable for the incident or circumstance giving rise to the damage.
Should you have any objections to or concerns about the processing of your personal data by the Controller, please contact the Data Protection Officer of the Controller, dr. Péter Pozsgay (contact details: office@drpozsgaypeter.hu; +36 20 557 4860).
Where, in your opinion, your rights have been infringed by the Controller and/or its processors, you have the right to bring an action before the court of competent jurisdiction under the Code of Civil Procedure. The court shall deal with such requests as a matter of urgency.
Where you, as the data subject, wish to lodge a complaint concerning the processing of your personal data, you may contact the Hungarian National Authority for Data Protection and Freedom of Information (NAIH) via the following contact details: registered office: H-1125 Budapest, Szilágyi Erzsébet fasor 22/C; postal address: H-1530 Budapest, Pf.: 5. Telephone: +36 1 391-1400; Fax: +36-1 391-1410; Email: ugyfelszolgalat@naih.hu; Web: www.naih.hu.
Where it receives a formal request from a competent authority, the Controller is obliged to transfer specific personal data.
In the cases referred to in paragraph (1), the Controller shall only transfer the data that are strictly necessary to achieve the purpose indicated by the requesting authority.
Applicable Legislation
Details of the Controller
Electronic data of the Controller
Rights of Data Subjects and Available Remedies
Means of Storage and Protection of Personal Data
Procedural Rules
Compensation for Damages
Legal Remedies
Cooperation with Authorities
Place and date: Sopron, 24 May 2018
