PRIVACY NOTICE
OF MANÓ DENTAL LIMITED LIABILITY COMPANY

Manó Dental Limited Liability Company, as data controller, respects the privacy of all individuals who provide it with personal data and is committed to protecting such data. Pursuant to Article 13 of the General Data Protection Regulation of the European Union (Regulation (EU) 2016/679, hereinafter referred to as the “GDPR”), it provides the following information:

Manó Dental Limited Liability Company processes the personal data recorded by it confidentially, in accordance with applicable data protection legislation and international recommendations, and in compliance with this Privacy Notice (hereinafter referred to as the “Notice”). The Company implements all necessary security, technical, and organizational measures to ensure the protection of personal data. This Notice sets out the principles governing the processing of personal data provided by Users/Data Subjects.

The purpose of this Notice is to provide detailed information to individuals who enter into a client relationship with the Data Controller (hereinafter referred to as the “Company” or “Data Controller”) in connection with the provision of dental healthcare services (hereinafter referred to as the “Services”), as well as to other contracting or cooperating partners; clients (patients) who book appointments for dental healthcare services; their legal or authorized representatives; their relatives; other persons involved in the provision of healthcare services; and persons entering the Company’s registered office (hereinafter collectively referred to as “Clients”), as well as visitors to the website operated by the Company at https://manodental.hu/ (hereinafter referred to as the “Website”) (hereinafter collectively referred to as “Data Subjects”). This Notice provides detailed information regarding all relevant facts related to the processing of their personal data, in particular the purpose and legal basis of the processing, the persons entitled to carry out data processing and data processing operations, the duration of the data processing, and who may have access to the data, in accordance with the provisions of the GDPR.

With regard to other types of personal data processing, the Company provides information to the Data Subject in separate notices, policies, or at the time of data collection. The current version of this Notice is continuously available on the Company’s website and at the reception desk of the Company’s registered office.

Company Name:
Manó Dental Kft.

Registered Office:
1138 Budapest, Viza Street 9, Building A, Ground Floor 2, Hungary

Company Registration Number:
01-09-406801

Website:
https://manodental.hu/

Representative:
Edina Petrus, Managing Director

Telephone:
+36 30 395 5090

Email:
info@manodental.hu

Contact Details of the Data Protection Officer:
petrus.panni@manodental.hu

1. Scope of Data Subjects and Scope of the Notice

The scope of this Notice extends to all individuals whose personal data is processed by the Company for business purposes, as well as to those who provide their personal data to the Company, and to individuals who use the Company’s healthcare services.

The personal scope of this Notice covers the Company as Data Controller, as well as all individuals whose data is subject to processing under this Notice, and all individuals whose rights or legitimate interests are affected by such data processing.

The Company also processes the personal data of natural persons who, for example, contact the Company electronically (including via email sent to the Data Controller’s email address), through social media platforms, by telephone, or in person for the purpose of establishing a client relationship, requesting a quotation, using or requesting the Company’s Services, or contacting the Company for any other reason unrelated to establishing a client relationship, as well as individuals who enter the Company’s registered office or premises. The Company further processes the data of its natural person Clients, as well as the representatives and contact persons of non-natural person Clients, and any other data provided by Clients.

In cases where the Data Subject and the person providing the personal data relating to the Data Subject are not the same, the person supplying the data is responsible for ensuring that they have the appropriate authorization from the Data Subject to provide such data and is obliged to inform the Data Subject of the provisions contained in this Notice.

This Notice applies to all personal data processing activities carried out by the Company in electronic and/or paper-based form.

This Notice shall remain in effect until further notice or withdrawal. The Company reserves the right to unilaterally amend this Notice.

2. Definitions

For the purposes of interpreting this Notice, the following terms shall have the meanings set out below:

“Personal Data”: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing”: any operation or set of operations which is performed on personal data or on data sets, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Controller”: the Company, as well as any natural or legal person, or any other body, which alone or jointly with others determines the purposes and means of the processing of personal data.

“Processor”: a natural or legal person, public authority, agency, or any other body which processes personal data on behalf of the Controller.

“Recipient”: a natural or legal person, public authority, agency, or any other body to which personal data is disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.

“Third Party”: a natural or legal person, public authority, agency, or any other body other than the Data Subject, the Controller, the Processor, or persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.

“Consent of the Data Subject”: any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

“Special Categories of Personal Data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation.

“Data Concerning Health”: personal data related to the physical or mental health condition of a natural person, including data relating to healthcare services provided to that person, which reveal information about his or her health status.

“Data Transfer”: making personal data accessible to a specified recipient.

“Personal Data Breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Other definitions set out by the GDPR are contained in Article 4 thereof.

Additional Applicable Legislation:

Eütv.: Act CLIV of 1997 on Healthcare
Eüak.: Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data

3. Purposes and Legal Bases of Data Processing, Legal Safeguards Applied, and Storage of Personal Data

3.1. General Purposes of Data Processing Carried Out by the Company

a) In connection with the Company’s activities and the Services it provides, processing the personal data of Service users, and in the case of legal entity Clients, the personal data of their employees or other natural persons provided by the Clients, for the purposes of preparing, concluding, and performing contracts, fulfilling legal obligations, and maintaining client relationships;

b) Processing the Data Subject’s data in relation to ensuring rights and fulfilling obligations arising from contractual relationships (including the use of Services, fulfillment of orders, and processing the contact details of Clients’ representatives);

c) Conducting marketing activities for potential Clients based on their consent;

d) Processing the personal data of potential Clients for direct business acquisition purposes based on the Company’s legitimate interest;

e) Fulfilling the legal obligations of the Data Subject and the Company and enforcing their legitimate interests;

f) Transferring the Data Subject’s data to business partners where unavoidable, provided that it facilitates the provision of the Service to the Data Subject and the Data Subject has given prior consent;

g) After the termination of a contract concluded with the Company, exercising rights and fulfilling obligations arising from the contract or from the provision of the Service, in particular the enforcement of claims based on the contract or resulting from the provision of the Service;

h) Improving the quality of the Services, including conducting market research and assessing usage habits for this purpose.

3.2. Legal Bases for Data Processing

a) The legal basis for data processing may be the Data Subject’s prior, voluntary consent provided on the basis of prior information given by the Controller. The general purpose of such processing is to ensure the provision of the Services and to maintain contact. In addition, the Company processes personal data for the performance of the Services, for the fulfillment of its legal obligations, and for the enforcement of the legal interests of the parties.

b) In the case of voluntary provision of data by the Data Subject, the Company processes the personal data with the Data Subject’s consent. Voluntary consent shall also include conduct whereby the Data Subject, by using the Website, accepts that all regulations related to the use of the Website — including this Notice — shall automatically apply to him or her.

c) The Data Subject has the right to withdraw his or her consent at any time. However, pursuant to the GDPR, if the personal data was collected on the basis of the Data Subject’s consent, the Company may, in the absence of a legal provision to the contrary, continue to process the collected data without further consent after the withdrawal of consent for the purpose of fulfilling its legal obligations, or for the enforcement of its own or a third party’s legitimate interests, provided that such enforcement is proportionate to the restriction of the right to the protection of personal data. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. In cases prescribed by law, data processing is mandatory.

d) In cases where the Data Subject and the person providing the personal data relating to the Data Subject are not the same, the person supplying the data is responsible for ensuring that he or she has the appropriate authorization from the Data Subject to provide such data and is obliged to inform the Data Subject of the provisions contained in this Notice.

e) In the case of Services provided electronically by the Company to persons not physically present, where the recipient of the Service as Data Subject accesses the Service individually, the Company processes the data of the Data Subject (as the recipient of the Service) for the purposes of concluding the contract for the provision of the Service, proving the establishment of the contract, invoicing fees arising from the Service, and enforcing any related claims.

g) The Company further draws attention to the fact that, in certain cases, failure to provide data may result in increased difficulties in maintaining business contact during the term of the Service or in the provision of the Service itself, and that the provision of certain data by the Data Subject during specific data processing activities may constitute a condition for the use of the Services provided by the Company.

3.3. Scope, Limitations, and Fundamental Principles of Data Processing

The Company processes the personal data of Data Subjects only to the extent and for the duration necessary to achieve the purposes defined above. Only personal data that is essential for achieving the purpose of the processing and suitable for attaining that purpose may be processed.

In the course of processing personal data, the Controller observes the following principles. Accordingly, personal data must be:

a) processed lawfully, fairly, and in a transparent manner in relation to the Data Subject (lawfulness, fairness, and transparency);

b) collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes (purpose limitation);

c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization);

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy);

e) kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (integrity and confidentiality);

g) the Controller shall be responsible for, and be able to demonstrate compliance with, the above principles (accountability).

The Company takes all necessary measures to ensure the accuracy, completeness, and up-to-date status of personal data. However, as Data Subjects are responsible for the accuracy of the data they provide, they are obliged to notify the Company of any changes to their data as soon as possible after such change, but no later than within 3 working days, using the contact details specified in this Notice.

The Company does not carry out automated decision-making or profiling.


3.4. Source of Data

The Company obtains personal data either directly from the Data Subjects or from its Clients, who provide the personal data of their contributors, employees, or business partners as Data Subjects, as well as from the legal representatives of its Clients, who provide the personal data of the Clients they represent.


3.5. Duration of Data Processing

The duration of data processing is as set out below, with the proviso that specific data processing purposes may determine a different retention period; therefore, the retention periods specified under each individual data processing purpose shall primarily apply.

As a general rule, the duration of data processing shall last:

(i) until the purpose of the given data processing is achieved and the personal data are deleted;
(ii) until the withdrawal of the Data Subject’s consent to the processing of his or her data and the consequent deletion of such personal data;
(iii) until the execution of a deletion decision issued by a competent court or authority;
(iv) in the absence of a different statutory provision, until the expiry of the limitation period for enforcing rights and obligations arising from the legal relationship forming the basis of the Company’s data processing, which, pursuant to Act V of 2013 on the Civil Code, is 5 years.

In the case of mandatory data processing based on legal obligations, the applicable legislation determines the retention period. With regard to issued invoices, pursuant to Act CL of 2017 on the Rules of Taxation and Act C of 2000 on Accounting, invoices must be retained for 8 years from the date of issuance.

Except as otherwise specified under the individual data processing purposes set out in this Notice, the Company retains personal data for the general retention period defined herein and subsequently deletes them, or deletes them upon the request of the Data Subject or upon withdrawal of the Data Subject’s consent to the processing of his or her data.

4. Description of Specific Data Processing Activities

4.1. Processing of Website Visitors’ Data

When accessing the Website, certain data generated during the visit may be automatically recorded on the server hosting the Website for technical reasons. The data recorded automatically are logged by the system upon entry to and exit from the Website without any separate statement or action by the visitor to the Website (hereinafter referred to as the “User”).

The system processes such data only for the shortest period necessary for the provision of the Service and to ensure operational security — typically for less than 1 day — after which the data are overwritten, i.e., deleted.

Such data may include, for example: IP address, browser data, and visit parameters.

Categories of Data Subjects:
Individuals visiting the Controller’s Website

Purpose of Data Processing:
During visits to the Website, the hosting service provider records visitor data for the purpose of monitoring the proper functioning of the Service and preventing misuse.
Identification of the Data Subject.

Legal Basis for Data Processing:
The Data Subject’s voluntary consent [Article 6(1)(a) GDPR].

Scope of Processed Data and Purpose of Processing:

Scope of Processed Data | Purpose of Processing
Session identifier | Identification of the Data Subject

Retention Period of Personal Data:
90 days from the date of visiting the Website.

Consequences of Failure to Provide Data:
The Website will not be accessible and its basic functions will not operate properly.

How the Controller Becomes Aware of the Data:
The data are generated by the Data Subject through the provision of his or her data.

4.2. Cookies and Their Management

The Website and its external partners use cookies and similar technologies when registered or non-registered Users access the Website via computer, tablet, or mobile phone. The primary purpose of using cookies is to ensure certain essential functions of the Website, enhance and personalize the user experience, display appropriate and tailored advertisements and offers, and collect statistical data to support further development of the Services.

A cookie is a package of information, typically a small text file containing a unique identifier, which is stored on the user’s computer or mobile device. The visited Website places the cookie on the User’s device for identification purposes, enabling the device to be recognized when visiting a specific website. Cookies collect information about visitors and their devices; they remember visitors’ individual settings, which may be used, for example, during online transactions so that these settings do not need to be re-entered; they facilitate easier website use and provide a high-quality user experience.

If the browser sends back a previously saved cookie, the cookie service provider has the opportunity to link the User’s current visit with previous ones, but exclusively with respect to its own content.

Some cookies that are not strictly necessary for functionality are based on the User’s consent (Article 6(1)(a) GDPR), while others (which are indispensable for providing the service) are based on the Controller’s legitimate interest (Article 6(1)(f) GDPR).

The Website uses the following types of cookies when Users open and browse the Website:


Strictly Necessary Session Cookies

These cookies are essential for the proper functioning of the Website. Without accepting these cookies, the Company cannot guarantee that the Website will function as expected or that the User will have access to all requested information. These cookies do not collect personal data for marketing, analytics, or other purposes; they are solely necessary for the Website’s core functionality. Their purpose is to enable visitors to browse the Website smoothly and fully use its functions and available services.

Legal basis:
The Controller’s legitimate interest. User consent is not required if the sole purpose of using the cookies is to transmit communications over an electronic communications network or where they are strictly necessary for providing an information society service explicitly requested by the subscriber or user.

Categories of data processed:
Unique identifier, dates, timestamps

Purpose of processing:
User identification and tracking of visitors

Categories of Data Subjects:
Website visitors

Retention period:
For cookies, the retention period is 1 month. If the Data Subject rejects the cookies, the retention period is 1 day. Data Subjects may delete cookies via the Tools/Settings menu of their browser, usually under the Privacy settings.


Statistical Cookies

Purpose of processing:
Statistical cookies collect information about how users use the Website. They support website analysis and further development (e.g., Google Analytics).

Legal basis:
User consent.


Marketing Cookies

Marketing cookies track users across websites, for example to display advertisements, in order to present relevant content to them.

Legal basis:
User consent.


Managing Cookie Settings in Browsers

The Controller informs Users that some internet browsers automatically accept cookies. However, Users can configure or modify their browser settings to enable, delete, or automatically reject cookies. If consent to the use of cookies is not provided, certain functions of the Website may not operate fully. Information and assistance regarding cookie management are available in the “Help” section of browsers.


Managing Cookie Settings on the Website

After accessing the Website, the Controller provides information in a pop-up window regarding the details of cookie management, where the User must provide consent to the Website’s cookie practices. When giving consent, the User may freely decide whether to consent or not.


Links to External Websites

The Website may contain links to external websites not operated by the Controller, provided solely for Users’ information (“cross-linking”). The Controller has no influence over the content or security of these external websites and therefore assumes no responsibility for them. The Company requests that Users review the privacy notices and data protection statements of such websites before providing any personal data on them.

4.3. Contact, Requests for Information, Communication

Data Subjects may contact the Company via the contact form available on the Website or by sending emails to the designated email address (under the “Contact” menu). By providing certain personal data, they may request information from the Company. Prospective Clients may also directly contact the Company’s designated employees responsible for communication.

Categories of Data Subjects:
Natural persons who contact the Company and request information by providing their personal data.

Categories of Data Subjects:
Persons contacting the Controller.

Purpose of Data Processing:
Processing the personal data of persons contacting the Controller via the contact form on the Website or by other means;
Identification of the natural person sending the message.

Legal Basis:
The Data Subject’s voluntary consent [Article 6(1)(a) GDPR].

Scope of Processed Data and Purpose of Processing:

Scope of Processed Data | Purpose of Processing
Name | Identification
Telephone number | Contact
Email address | Contact
Date of message | Identification
Subject and content of the message | Providing response and information
Other personal data provided by the Data Subject | As necessary for responding

Retention Period:
For the period necessary to achieve the purpose of processing, which may be up to 5 years from the date of data provision and/or the applicable limitation period for potential claims, but no later than the withdrawal of consent.
If no contract or agreement is concluded following pre-contractual data processing, the Controller deletes the message(s) after the communication is closed, provided no other lawful purpose for data processing applies.

Consequences of Failure to Provide Data:
The response may be incomplete or impossible.

Source of Data:
Provided directly by the Data Subject.


4.4. Data Processing Related to the Services Provided by the Company and Client Relationships

4.4.1. Data Processing Related to Appointment Booking

Description of Activity:
Appointments may be booked in person, by telephone, or via the contact form available on the Controller’s Website. During booking, the Data Subject (Client) provides certain contact details and other information necessary for booking (e.g., description of health complaints, type of requested Service). The Controller maintains the appointment schedule electronically and records the personal data necessary for booking.

Categories of Data Subjects:
Persons wishing to use the Controller’s healthcare services (Clients).

Purpose of Data Processing:
Scheduling appointments for Clients seeking healthcare services;
Organizing the provision of services;
Contacting Clients (in the case of telephone number);
Identification of the Client.

Legal Basis:
Processing is necessary in order to take steps at the request of the Data Subject prior to entering into a contract [Article 6(1)(b) GDPR, second clause].

Scope of Processed Data and Purpose of Processing:

Scope of Processed Data | Purpose of Processing
Client’s name | Identification
Client’s address | Contact
Client’s telephone number | Contact, sending appointment reminder SMS
Type of requested service | Preparation of examination, referral to appropriately qualified specialist

Retention Period:
5 years from the date of data collection.

Consequences of Failure to Provide Data:
No appointment can be scheduled and healthcare services cannot be provided.

Source of Data:
Provided by the person booking the appointment, who may be the Client or another person acting on the Client’s behalf (e.g., relative, legal representative).

Special Category of Data:
Data concerning health.

Additional Condition for Processing Special Category Data:
Provision of healthcare or treatment [Article 9(2)(h) GDPR].

4.4.2. Patient Registration I: Recording the Client’s Personal Data

Description of Activity:
Check-in and identification of the Client are carried out in accordance with the Controller’s internal procedures. The Client is required to verify his or her identity with an official identification document and present his or her social security card (TAJ card) and address card.

During patient registration, the personal data necessary for providing care are recorded in the Controller’s electronic information system. The Client provides his or her personal data in writing on a form supplied by the Controller (Medical History Form / Anamnesis Form). In certain cases, the Client also provides additional written consent for examinations or medical interventions.

The Controller electronically stores the healthcare documentation generated during the provision of its services.

Categories of Data Subjects:
Individuals receiving healthcare services (Clients).

Purpose of Data Processing:

  • Promoting the preservation, improvement, and maintenance of health;
  • Facilitating the Controller’s effective provision of healthcare/treatment services;
  • Fulfilling healthcare documentation obligations;
  • Monitoring the Data Subject’s health status.

Legal Basis:
Fulfillment of the Controller’s legal obligation [Article 6(1)(c) GDPR; Sections 136 and 3(p), and Section 15(2)-(5) of Act CLIV of 1997 on Healthcare (Eütv.)].
Processing is mandatory and independent of the Data Subject’s will.

Scope of Processed Data and Purpose:

Scope of Processed Data | Purpose of Processing
Client’s name, birth name, mother’s birth name, place and date of birth, address, residence, passport number (for foreign nationals), name of legal representative | Identification of the Client and legal representative; recording in healthcare documentation
Client’s social security number (TAJ number) | Identification within the healthcare system; fulfillment of data transfer obligations to the Electronic Health Service Space (EESZT)
Health data provided in the consent form for examination/intervention | Reducing risks of examination or intervention; professional medical assessment of feasibility; performing examination/intervention
Identification and health data recorded in healthcare documentation | Compliance with healthcare documentation obligations

Retention Period:
30 years from data collection (50 years for discharge summaries; 10 years for diagnostic imaging records) pursuant to Section 30 of Act XLVII of 1997 (Eüak.).

Consequences of Failure to Provide Data:
Healthcare services cannot be provided to the Client.

Source of Data:
Provided by the Client or his/her representative.

Special Category of Data:
Data concerning health.

Additional Condition for Processing Special Category Data:
Medical diagnosis, provision of healthcare or treatment [Article 9(2)(h) GDPR].


4.4.3. Patient Registration II: Processing the Personal Data of the Client’s Legal Representative

Description of Activity:
In certain cases, the Client’s legal representative is entitled to provide consent for an examination or intervention on behalf of the Client. The legal representative must credibly verify his or her identity and representative capacity. The Controller retains the original copy of the authorization document. The legal representative’s identification data are recorded in the Client’s healthcare documentation.

Categories of Data Subjects:
The Client’s legal representative.

Purpose of Data Processing:

  • Verification and documentation of the legal representative’s identity and legal basis of representation, and ensuring subsequent proof thereof;
  • Providing consent for examination or intervention on behalf of the Client.

Legal Basis:
Fulfillment of the Controller’s legal obligation [Article 6(1)(c) GDPR and Sections 136 and 3(p) of Act CLIV of 1997 on Healthcare (Eütv.)].
Processing is mandatory and independent of the Data Subject’s will in the case of children under 16 years of age.

Scope of Processed Data:

  • Identification data of the legal representative;
  • Legal basis of representation and other personal data contained in the document evidencing such representation.

Retention Period:
30 years from data collection (50 years for discharge summaries; 10 years for diagnostic imaging records) pursuant to Section 30 of Act XLVII of 1997 (Eüak.).

Consequences of Failure to Provide Data:
The examination or intervention cannot be performed.

Source of Data:
Provided by the Client’s legal representative.

4.4.4. Patient Registration III: Processing Contact Details of the Client and the Client’s Legal Representative

Description of Activity:
The Client’s and/or the Client’s legal representative’s telephone number, email address, and residential address are recorded in the Client’s healthcare documentation at the time of registration. The purpose of this is to ensure that the Client can be contacted in the event of any subsequent occurrence affecting the examination, treatment, or the Client’s health condition.

Additionally, the Controller sends appointment reminder notifications related to the Client’s treatment via email or SMS to the Client or the legal representative.

Categories of Data Subjects:

  • The Client
  • The Client’s legal representative

Purpose of Data Processing:

  • Maintaining contact with the Client and the legal representative;
  • Sending appointment reminder messages.

Legal Basis:
Processing is necessary for the performance of a contract to which the Data Subject is a party [Article 6(1)(b) GDPR].

Scope of Processed Data:

  • Telephone number, email address, and residential address of the Client and/or the Client’s legal representative.

Retention Period:
30 years from the date of data collection.

Consequences of Failure to Provide Data:
It will not be possible to maintain contact with the Client and/or legal representative, which may result in the failure of communication and service provision.

Source of Data:
Provided by the Client or the legal representative.


4.4.5. Conclusion of an Individual Service Agreement

Description of Activity:
The Controller concludes individual service agreements with Clients for the provision of healthcare services. For this purpose, Clients provide certain personal data necessary for entering into the contract.

Categories of Data Subjects:

  • The patient
  • The legal representative

Purpose of Data Processing:
Conclusion of an individual service agreement for the provision of healthcare services.

Legal Basis:
Processing is necessary for the performance of a contract to which the Data Subject is a party [Article 6(1)(b) GDPR].

Scope of Processed Data and Purpose:

Scope of Processed Data | Purpose of Processing
Patient’s name, place and date of birth, mother’s birth name, residential address, bank account number | Identification of the patient; conclusion of the contract
Patient’s email address, telephone number | Ensuring contact
Legal representative’s name, place and date of birth, mother’s name, legal basis of representation | Identification of the legal representative; verification of legal basis of representation; conclusion of the contract
Name of healthcare service, service fee, other fees and costs, payment deadline | Conclusion and performance of the contract

Retention Period:
1 year following the expiry of the 5-year limitation period calculated from the performance of the contract.

Source of Personal Data:
Provided by the patient or the legal representative.

Consequences of Failure to Provide Data:
The examination or intervention cannot be performed.

Is Data Provision Mandatory?
Yes.

Special Category of Data:
Data concerning health.

Additional Condition for Processing Special Category Data:
Medical diagnosis, provision of healthcare or treatment [Article 9(2)(h) GDPR].

4.4.6. Data Processing Related to the Provision of Healthcare Services

Description of Activity:
The Controller stores, both electronically and in paper form, the personal data and healthcare documentation generated during the provision of its services.

Categories of Data Subjects:

  • Individuals receiving healthcare services
  • Their legal representatives

Purpose of Data Processing:
Fulfillment of healthcare documentation obligations.

Legal Basis:
Fulfillment of the Controller’s legal obligation [Article 6(1)(c) GDPR; Section 136 of Act CLIV of 1997 on Healthcare (Eütv.)].
Processing is mandatory and independent of the Data Subject’s will.

Scope of Processed Data:
Identification and health data recorded in the healthcare documentation.

Retention Period:
Healthcare documentation must be retained for 30 years from the date of data collection; diagnostic imaging recordings must be retained for 10 years from the date of creation; reports prepared on the basis of such recordings must be retained for 30 years from the date of creation (Section 30(1)-(2) of Act XLVII of 1997 (Eüak.)).

Consequences of Failure to Provide Data:
Not applicable, as the data are generated by the Controller and retained until the expiry of the statutory retention period.

Is Data Provision Mandatory?
The data do not originate from the Data Subject; there is no separate data provision.

Source of Personal Data:
Generated by the Controller during the provision of healthcare services.

Special Category of Data:
Data concerning health.

Additional Condition for Processing Special Category Data:
Medical diagnosis, provision of healthcare or treatment [Article 9(2)(h) GDPR].

Processors:
(As applicable.)


4.4.7. Register Relating to Data Protection Requests / Exercise of Data Subject Rights

Description of Activity:
Under the GDPR, Data Subjects are entitled to certain rights in relation to the processing of their personal data. A detailed description of these rights is provided in Section 10 of this Notice. The Controller maintains a register of the exercise of these rights and the measures taken in response, and retains documents generated in connection with such requests.

Categories of Data Subjects:

  • The Client
  • The Client’s legal or authorized representative

Purpose of Data Processing:

  • Maintaining records of the exercise of Data Subject rights;
  • Recording how many times the Data Subject has exercised his or her rights;
  • Ensuring compliance with the GDPR accountability principle.

Legal Basis:
The Controller’s legitimate interest [Article 6(1)(f) GDPR].
The Controller has a legitimate interest in demonstrating when and what measures were taken in response to Data Subject requests and in proving compliance with GDPR requirements. Maintaining a separate register ensures demonstrable compliance, particularly in the case of a potentially large number of requests.

Scope of Processed Data:

  • Content of the Data Subject’s request;
  • Content of the register relating to the exercise of rights (name of the person exercising the right, name of the Data Subject, method and date of receipt of the request, subject of the request, date and method of any measure restricting or refusing the request and its legal and factual grounds, confirmation of ensuring the Data Subject’s rights, date of fulfillment of the request);
  • Copies of documents verifying the requester’s right to exercise the right;
  • Identification data of the requester.

Retention Period:
Until the expiry of the retention period applicable to the personal data concerned by the exercise of rights.

Consequences of Failure to Provide Data:
The Data Subject’s request cannot be fulfilled.

Source of Data:
Provided by the requester.


4.4.8. Register of Access to Healthcare Documentation, Requests, and Copy Requests

Description of Activity:
The Client, and in certain cases other persons authorized by law, are entitled to access healthcare data, inspect healthcare documentation, and request copies thereof. The Controller maintains a register of such requests and the measures taken in response, and retains copies of documents substantiating the lawfulness of the exercise of rights.

The Controller verifies the requester’s right to obtain copies and his or her identity, and requests documents prescribed by law to justify the right to request copies. If the Client exercises such rights, this is recorded in the register relating to data protection requests (Section 4.4.7).

Categories of Data Subjects:

  • The Client
  • The Client’s legal or authorized representative
  • Other persons authorized by law to access, inspect, or request copies.

Purpose of Data Processing:

  • Verification and subsequent proof of the lawfulness of the exercise of rights;
  • Ensuring compliance with the GDPR accountability principle.

Legal Basis:
The Controller’s legitimate interest [Article 6(1)(f) GDPR].
The Controller has a legitimate interest in demonstrating to whom, when, and on what legal basis access to the Client’s personal data and healthcare documentation was granted, and that such measures were lawful.

Scope of Processed Data:

  • Copies of documents verifying the requester’s right of access;
  • Content of the request;
  • Identification data of the requester;
  • Personal data contained in the Client’s healthcare documentation;
  • Content of the register relating to the exercise of rights (name of the person exercising the right, name of the Client, method and date of receipt of the request, subject of the request, date and method of any measure restricting or refusing the request and its legal and factual grounds, confirmation of ensuring the requester’s rights, date of fulfillment of the request).

Retention Period:
5 years from the fulfillment or refusal of the request (limitation period).

Consequences of Failure to Provide Data:
Not applicable, as the data are generated by the Controller.

4.4.9. Data Processing Related to the Issuance of Invoices

Description of Activity:
The Controller issues an invoice to the Client or another person. The invoice contains the personal data of the Client or other person and details of the services provided.

Categories of Data Subjects:
The person in whose name the invoice is issued.

Purpose of Data Processing:
Fulfillment of invoicing and statutory record-keeping obligations.

Legal Basis:
Fulfillment of the Controller’s legal obligation [Article 6(1)(c) GDPR; Section 159(1) and Section 169(e)-(f) of Act CXXVII of 2007 on Value Added Tax; Sections 166(1)-(3), 167, and 169(2) of Act C of 2000 on Accounting].
Processing is mandatory and independent of the Data Subject’s will.

Scope of Processed Data:
Invoice data content, including:

  • Name of the service recipient;
  • Health fund data (if applicable);
  • Membership identification number;
  • Residential address;
  • Name of the healthcare service provided;
  • Date of issuance.

Retention Period:
8 years from the date of issuance of the invoice (Section 169(2) of the Accounting Act).

Consequences of Failure to Provide Data:
An invoice cannot be issued and the service cannot be performed.

Source of Data:
Provided by the service recipient.

Special Category of Data:
Data concerning health.

Additional Condition for Processing Special Category Data:
Provision of healthcare or treatment [Article 9(2)(h) GDPR].


4.4.10. Data Processing and Register Related to Complaints

Description of Activity:
The Client is entitled to submit a complaint to the Controller regarding healthcare services. The Controller is obliged to investigate the complaint and inform the Client in writing of the outcome as soon as possible, but no later than within 30 working days (Section 29(2) of Act CLIV of 1997 on Healthcare). Complaints must be recorded, and documents related to the complaint and its investigation must be retained for 5 years. The Client may act through a patient rights representative or another authorized representative.

Categories of Data Subjects:

  • The complainant;
  • The Client;
  • The complainant’s or Client’s representative;
  • Patient rights representative.

Purpose of Data Processing:
Fulfillment of statutory obligations relating to the investigation, recording, and retention of complaints and related documentation.

Legal Basis:
Fulfillment of the Controller’s legal obligation [Article 6(1)(c) GDPR; Section 29(4) of Act CLIV of 1997 on Healthcare].

Scope of Processed Data:

  • Personal data contained in the complaint and the response;
  • Data generated during the investigation of the complaint;
  • Data recorded in the complaint register (name of complainant, date of complaint, method of submission, date of receipt, summary of complaint, date and summary of response, method of response, name of the healthcare center concerned).

Retention Period:
5 years from the date of responding to the complaint (Section 29(4) Eütv.).

Consequences of Failure to Provide Data:
The complaint cannot be investigated.

Source of Data:
Provided by the complainant.

Special Category of Data:
Data concerning health.

Additional Condition for Processing Special Category Data:
Provision of healthcare or treatment [Article 9(2)(h) GDPR].


4.4.11. Register of Data Transfers

Description of Activity:
In cases prescribed by law, the Controller is required to transfer healthcare and identification data of the Client necessary for medical treatment to third parties. The Controller examines the lawfulness of such requests in accordance with its internal data protection policy and, if compliant with legal requirements, fulfills the request. The Controller maintains a register of such requests and the measures taken in response.

Categories of Data Subjects:
Individuals receiving healthcare services.

Purpose of Data Processing:
Fulfillment of statutory data transfer record-keeping obligations.

Legal Basis:
Fulfillment of the Controller’s legal obligation [Article 6(1)(c) GDPR; Section 28(1) of Act XLVII of 1997 (Eüak.)].
Processing is mandatory and independent of the Data Subject’s will.

Scope of Processed Data:
Transferred healthcare and identification data of the Client.

Retention Period:
5 years from the date of data transfer (limitation period).

Consequences of Failure to Provide Data:
Not applicable, as the data are already available to the Controller.

Source of Data:
Data already available to the Controller.

4.4.12. Reporting Adverse Reactions to the Pharmaceutical State Administrative Authority

Description of Activity:
The Controller is required to immediately investigate any suspected adverse reaction detected by or brought to its attention and report it to the pharmaceutical state administrative authority. The report must be submitted using the official form prescribed by the pharmaceutical authority.

Categories of Data Subjects:
The Client.

Purpose of Data Processing:
Fulfillment of the statutory obligation to report adverse reactions.

Legal Basis:
Fulfillment of the Controller’s legal obligation [Article 6(1)(c) GDPR; Section 18(2) of the Act on Medicinal Products (Gyógyszertv.); Section 6(2) of the Pharmacovigilance Regulation].
Processing is mandatory and independent of the Data Subject’s will.

Scope of Processed Data:
Data contained in the adverse reaction reporting form prescribed by the pharmaceutical authority.

Retention Period:
5 years from the date of reporting the adverse reaction (limitation period).

Consequences of Failure to Provide Data:
The investigation of the adverse reaction may become impossible.

Source of Data:
Provided by the Client and/or derived from data available to the Controller.

Recipient:
The pharmaceutical state administrative authority, which at the time of entry into force of this Notice is the Országos Gyógyszerészeti és Élelmezés-egészségügyi Intézet
(1051 Budapest, Zrínyi Street 3., Tel.: +36 1 886 9300).

Frequency of Data Transfer:
Occasional (case-by-case).


4.4.13. Data Provision to the Electronic Health Service Space (EESZT)

Description of Activity:
The Controller complies with its statutory obligation to transfer data to the Electronic Health Service Space (EESZT). Within this framework, the Controller transfers personal data of Clients (patients) as defined by law to the EESZT. The data controller of the EESZT system is the state body operating the system.

Categories of Data Subjects:
Individuals (Clients) to whom the Controller provides healthcare services.

Purpose of Data Processing:
Fulfillment of mandatory data provision necessary for the operation of the EESZT system.

Legal Basis:
Fulfillment of the Controller’s legal obligation [Article 6(1)(c) GDPR; Sections 35/F and 35/K of Act XLVII of 1997 (Eüak.); Sections 6, 12, 19, and 20/A of Decree 39/2016 (XII.21.) of the Ministry of Human Capacities (EMMI)].
Processing is mandatory and independent of the Data Subject’s will.

Scope of Processed Data:

  • The Data Subject’s social security number (TAJ), date of birth, gender, nationality;
  • In the case of prescriptions and referrals transmitted via EESZT, additional identification data contained therein;
  • The Data Subject’s EESZT-generated identifier;
  • Identification, type, date, and duration of the healthcare event, and other data and documents specified by ministerial decree;
  • Identification of the healthcare provider delivering the service, its EESZT identifier, and the EESZT identifier of the person providing or participating in the care;
  • Personal data contained in medical reports;
  • Data to be provided to the EESZT central event catalogue as specified in Annex 1 of Decree 39/2016 (XII.21.) EMMI.

Consequences of Failure to Provide Data:
Not applicable, as the data are generated by the Controller during examination and treatment.

Source of Data:
Provided by the Client or his/her representative and/or generated by the Controller during the provision of healthcare services.

Recipient:
The Országos Kórházi Főigazgatóság
(1125 Budapest, Diós árok 3., Tel.: +36 1 356 1522,
https://okfo.gov.hu/, helpdesk.eeszt@okfo.gov.hu)

Frequency of Data Transfer:
Continuous.

4.5. Processing of Contractual Contact Details

In the course of its business activities, the Company may process personal data if such data are provided either directly by the Data Subject or by the other contracting party (legal entity). The Company assumes that its Clients and business partners have obtained the necessary authorization or consent from the natural persons whose data they provide.

Categories of Data Subjects:
Natural persons establishing a business relationship; legal entities providing personal data; and natural persons acting on behalf of such legal entities.

Purpose of Data Processing:
To enable the Controller to contact and maintain contact with the Client and the Client’s employee or contact person (the Data Subject) in matters concerning the Controller and the Client.

Legal Basis:
The Controller’s legitimate interest (Article 6(1)(f) GDPR) in maintaining business contact with the Client.

Scope of Processed Data and Purpose:

Scope of Processed Data | Purpose
Name | Identification
Email address | Contact
Telephone number | Contact

Retention Period:
For the period necessary to achieve the purpose of processing, typically corresponding to the duration of the contractual relationship, but no longer than until withdrawal of consent (where applicable) and/or the applicable limitation period (5 years from contract performance), and in accordance with accounting legislation (8 years from preparation of the relevant annual financial statement).

Consequences of Failure to Provide Data:
Contact cannot be maintained.

Source of Data:
Provided by the Data Subject or by the Company’s business partner/contracting party.


4.6. Marketing-Related Data Processing

a) Data Processing Related to Newsletter Distribution

Description of Activity:
The Data Subject may subscribe to the newsletter before or during the use of the Services, or by other means, by providing the data specified below. The Controller sends newsletters via telephone and/or email and/or post to inform subscribers about its services, promotions, offers, and discounts.

After subscription, the Data Subject receives an email confirming the subscription, which must be confirmed (double opt-in). The subscription becomes effective after confirmation.

Categories of Data Subjects:
All natural persons, including those acting on behalf of legal entities, who subscribe to the newsletter to receive regular updates.

Purpose of Data Processing:
Providing general or personalized information about the Company’s latest services, news, promotions, offers, and discounts.

Legal Basis:
The Data Subject’s consent [Article 6(1)(a) GDPR].
In the case of unsolicited marketing communications, processing for direct marketing purposes may be based on the Company’s legitimate interest.

Scope of Processed Data:
Email address and/or telephone number; date of subscription.

Retention Period:
Until deletion upon the Data Subject’s request, i.e., until withdrawal of consent.

Consequences of Failure to Provide Data:
No newsletter can be sent; the Data Subject will not receive commercial or informational communications.

Source of Data:
The Company uses the MailerLite automated newsletter distribution platform to send newsletters. In this capacity, MailerLite (registered office: 88 Harcourt Street, Dublin 2, D02 DK18, Ireland) qualifies as a data processor, and its processing activity consists of providing the technical background service. MailerLite’s Privacy Policy is available at https://www.mailerlite.com/legal/privacy-policy, and its Terms of Service are available at https://www.mailerlite.com/legal/terms-of-service


b) Data Processing Related to Social Media Platforms

Description of Activity:
The Controller maintains a presence on social media platforms such as Facebook, Instagram, and LinkedIn. The primary purpose of content published on these platforms is to present the Services, share Website content, and conduct marketing activities.

Through social media platforms, Data Subjects may receive information about new services, promotions, and news. The Company may process the names and publicly available data of individuals registered on these platforms who “like,” follow, share, or comment on the Company’s content.

The Company communicates with Data Subjects via social media only if the Data Subject initiates contact through that platform.

Categories of Data Subjects:
Natural persons who follow, share, like, or comment on the Company’s social media pages or content.

Purpose of Data Processing:
Establishing and maintaining contact with the Data Subject via social media and performing operations permitted by the platform.

Legal Basis:
The Data Subject’s consent [Article 6(1)(a) GDPR], provided under the terms of the respective social media platform.

Scope of Processed Data:
Name, email address, publicly available data, messages, date of comments.

Retention Period:
Until deletion upon the Data Subject’s request or withdrawal of consent.

Consequences of Failure to Provide Data:
No communication via the given platform.

Source of Data:
Provided by the Data Subject.

Data processing takes place on the respective social media platforms; therefore, the duration, method of processing, and deletion/modification options are governed by the rules of the respective platform.


4.7. Debt Collection

Description of Activity:
Debt collection includes all measures taken by the Controller to recover its legitimate outstanding claims.

Processing Activities Include:

  • Contacting the representative of the Client with outstanding debt by phone and/or in writing to request payment;
  • Providing claims and related personal data to an external debt collection company;
  • Transferring necessary data to competent authorities or courts in administrative, non-contentious, or litigation proceedings.

Categories of Data Subjects:
Persons against whom the Controller has an overdue claim and persons designated as contact persons by debtor companies.

Purpose of Data Processing:
Identification of Clients, maintaining contact, and taking measures to recover claims.

Legal Basis:
The Controller’s legitimate interest [Article 6(1)(f) GDPR] in enforcing its lawful claims.

4.8. Use of an Electronic Surveillance System (CCTV)

Description of Activity:
The Company operates a camera surveillance system at its registered office (clinic) in order to ensure property protection and accident prevention. The cameras record images only.

Categories of Data Subjects:
Persons entering the premises of the clinic operated by the Controller.

Purpose of Data Processing:
Property protection, protection of medical confidentiality, and accident prevention in the context of personal safety.

Legal Basis:
The Controller’s legitimate interest [Article 6(1)(f) GDPR].
The Controller has a legitimate interest in ensuring the protection of its own property and the personal belongings and valuables left by Clients in the waiting area, as well as in preventing accidents.

Scope of Processed Data:
The image of the Data Subject and conclusions that may be drawn from his or her movements.

Retention Period:
72 hours from the time of recording (except in the X-ray room, where no recording takes place, only live monitoring).

Source of Data:
Recorded through the conduct of the Data Subject.

The rules governing the operation of the camera system are set out in a separate notice and camera policy, which are available at the healthcare center located at the Company’s registered office.


4.9. Processing of Personal Data of Job Applicants

With regard to job applications submitted to the Company, the Company provides information about such data processing in its separate Privacy Notice relating to Job Applications. For contact purposes, review and acceptance of that notice are required.

5. Persons Authorized to Access Data

Only those employees and other collaborators of the Company whose duties require such access are authorized to access the data.

Persons at the Company who have access to personal data are bound by confidentiality obligations with regard to the personal data of Data Subjects. Accordingly, they are required to treat as confidential all personal data and other information that come to their knowledge in the course of performing their job duties or otherwise, and must not make such data accessible to third parties.


6. Data Security

The Company applies the principle of “privacy by design,” meaning that it takes data security requirements into account when designing its entire data protection process. The Company aims to minimize the processing of personal data in order to reduce data processing risks.

The Company ensures compliance with the data security requirements set out in applicable legislation. When determining and applying measures serving data security, the Company takes into account the current state of technology and, from among several possible data processing solutions, chooses the one that provides a higher level of protection of personal data, unless doing so would involve disproportionate difficulty.

The Company implements the technical and organizational measures and establishes the procedural rules necessary to enforce applicable legal, data protection, and confidentiality requirements.

The Company protects data with appropriate measures against unauthorized access, alteration, transmission, disclosure, deletion, or destruction, as well as against accidental destruction or damage and inaccessibility resulting from changes in applied technology.

Within its data security responsibilities, the Controller:

  • implements technical and organizational measures to ensure the security of electronically stored data;
  • ensures compliance with statutory data security requirements;
  • ensures compliance with data protection and confidentiality rules;
  • prevents unauthorized access to data;
  • takes necessary measures to prevent data damage;
  • promotes data protection awareness among its employees to ensure data security;
  • ensures the physical protection of paper-based records;
  • ensures the physical protection of devices used to store electronic data;
  • ensures password protection of electronically stored data;
  • provides for regular backups of data;
  • ensures that access to data is granted exclusively to authorized persons.

The Company ensures the security of data processing by implementing technical, organizational, and structural measures that provide a level of protection appropriate to the risks associated with data processing. The IT tools used are selected and operated in such a way that the processed data:

a) are accessible to authorized persons (availability);
b) have their authenticity and authentication ensured (authenticity of processing);
c) have integrity that can be verified (data integrity);
d) are accessible only to authorized persons and protected against unauthorized access (confidentiality).

7. To ensure compliance with data security requirements, the Company provides appropriate training to the employees concerned. During data processing — particularly storage, rectification, deletion, and handling of requests for information or objections by Data Subjects — the Company provides the required level of protection.


Backup

The Company performs daily backups of electronically stored data. Backups are stored on the Controller’s own server.

Legal basis for data processing related to backups:
The Company’s legitimate interest (Article 6(1)(f) GDPR) in complying with GDPR requirements and ensuring the continuous and uninterrupted availability of data generated during its activities. The Company processes a significant volume of data, and there is a substantial public interest in ensuring their secure preservation and restoration in the event of damage.

Purpose of processing:
Enhancing data security, preserving documents related to the Controller’s operations, restoring data in the event of a data security incident, and ensuring continuity of work processes.

Retention period for backups:
Up to 5 years.


Document Destruction

The Controller carries out document destruction every 5 years, taking into account the large volume of client records and the complexity of the destruction process.

The legal basis for this processing is the Controller’s legitimate interest (Article 6(1)(f) GDPR). The Controller has conducted a balancing test in relation to this process.

Storage of Personal Data and General Information on Data Processing

Personal data are stored at the Company’s registered office in paper form and electronically on the Company’s servers.

General information regarding processing based on the Controller’s legitimate interest:
In connection with data processing based on legitimate interest, the Controller has carried out a balancing test. On the basis of legitimate interest, the Controller does not process personal data that would be incompatible with the purposes of the contract between the Controller and the Client.


8. Data Processing and Data Transfers

Recipients of Personal Data:

a) Employees and collaborators of the Controller responsible for financial, taxation, invoicing, controlling, and auditing tasks; the Managing Director of the Controller; administrative staff; and the Controller’s data processors;

b) Courts, police, and other public authorities exercising official powers may request the transfer of personal data within the framework of their official proceedings based on statutory authorization;

c) The Nemzeti Adó- és Vámhivatal (http://nav.gov.hu/);

d) Legal counsel providing legal representation;

e) The Electronic Health Service Space (EESZT) operated by the Állami Egészségügyi Ellátó Központ;

f) The Controller’s (personal) collaborators, including dental technicians.


Data Processors Engaged by the Controller

In order to achieve the data processing purposes specified in this Notice, fulfill legal obligations, and carry out its tasks, the Company uses the services of third parties, which may involve the processing of personal data of Data Subjects.

Such third parties (hereinafter: “Data Processors”) carry out processing in accordance with the Company’s instructions and in compliance with applicable legal requirements.

Only personal data necessary for the achievement of the specific purpose are transferred to each Data Processor for processing.

Annex 1 to this Notice contains the list of Data Processors engaged by the Controller.


9. Management of Personal Data Breaches

The Company takes all reasonable measures to prevent personal data breaches. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

The Controller shall notify the Hungarian National Authority for Data Protection and Freedom of Information without undue delay of any personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of Data Subjects.

The Controller keeps a record of personal data breaches, including the measures taken in connection with each incident.

If the breach is severe (i.e., likely to result in a high risk to the rights and freedoms of the Data Subject), the Controller shall inform the Data Subject of the personal data breach without undue delay.

10. Rights of the Data Subject in Relation to Data Processing

The Company draws the attention of Data Subjects to the fact that, in the event of a complaint or remark, it is advisable to first contact the Company as Controller using one of the contact details provided in this Notice.

Rights of the Data Subject:

a) Right to Information / Right of Access

The Data Subject has the right to receive confirmation from the Company as to whether or not personal data concerning him or her are being processed, and, where that is the case, has the right to receive information about the processed personal data, the purpose of processing, the categories of data, the recipients, the retention period, his or her rights, and the source of the data.

The Company shall provide a copy of the personal data undergoing processing to the Data Subject. The information shall be provided free of charge if the requesting person has not submitted a request for information regarding the same data set in the current year. In other cases — particularly if the request is excessive or unfounded — a reasonable fee based on administrative costs may be charged. The Company may charge a reasonable fee based on administrative costs for additional copies requested by the Data Subject.


b) Rectification and Completion

The Data Subject has the right to obtain from the Company, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of processing, the Data Subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.


c) Erasure / Right to be Forgotten

The Data Subject has the right to obtain from the Company the erasure of personal data concerning him or her without undue delay if the purpose of processing has ceased, the Data Subject has withdrawn consent and there is no other legal basis for processing, or if the personal data have been processed unlawfully.


d) Restriction of Processing

The Data Subject has the right to obtain restriction of processing where one of the following applies:

  • the Data Subject contests the accuracy of the personal data, for a period enabling the Controller to verify the accuracy of the personal data;
  • the processing is unlawful and the Data Subject opposes the erasure of the data and requests the restriction of their use instead;
  • the Company no longer needs the personal data for the purposes of processing, but they are required by the Data Subject for the establishment, exercise, or defense of legal claims;
  • the Data Subject has objected to processing; in this case, restriction applies for the period pending verification of whether the legitimate grounds of the Company override those of the Data Subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for important public interest reasons of the Union or a Member State.

The Company shall inform all recipients to whom the personal data have been disclosed of any rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort.


e) Right to Data Portability

The Data Subject has the right to receive the personal data concerning him or her, which he or she has provided to the Company, in a structured, commonly used, machine-readable format and has the right to transmit those data to another controller without hindrance from the Company, where processing is based on consent and carried out by automated means.

Where technically feasible, the Data Subject has the right to request direct transmission of personal data between controllers. This right shall not adversely affect the right to erasure. The right does not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. It shall not adversely affect the rights and freedoms of others.


f) Right to Object

The Data Subject has the right to object, on grounds relating to his or her particular situation, at any time to processing based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. In such cases, the Company shall no longer process the personal data unless it demonstrates compelling legitimate grounds that override the interests, rights, and freedoms of the Data Subject or that relate to the establishment, exercise, or defense of legal claims.

The Data Subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Exceptions apply where the decision:

  • is necessary for entering into or performing a contract between the Data Subject and the Company;
  • is authorized by Union or Member State law applicable to the Company and includes appropriate safeguards; or
  • is based on the Data Subject’s explicit consent.

g) Right to Withdraw Consent

Where processing is based on the Data Subject’s consent, he or she has the right to withdraw consent at any time. Upon withdrawal, processing shall cease and personal data shall be erased, provided there is no other legal basis for processing. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.


Exercise of Rights by Legal Basis:

Consent | Contract | Legal Obligation | Legitimate Interest
Information
Rectification
Restriction
Erasure
Objection
Data Portability
Withdrawal of Consent
Complaint
Legal Remedy

11. Procedure in Case of a Request by the Data Subject

The Data Subject may contact the Company’s representative regarding the above rights or any other question or request concerning personal data using any of the contact details provided in this Notice. If possible, please contact us electronically. The Controller will respond to data protection requests electronically where possible, unless the Data Subject explicitly requests another method of communication or the Controller does not have the Data Subject’s electronic contact details.

The Company shall assess the request within 30 days of receipt. Where necessary, taking into account the complexity and number of requests, the deadline may be extended by two months. The Data Subject shall be informed in advance of the extension and its reasons.

If the request is well-founded, the Company shall take the requested measures within the procedural deadline and provide written confirmation of the action taken. If the Company rejects the request, it shall issue a written decision, including the factual background, legal reasoning with reference to relevant legislation or case law, and information about available legal remedies.

If the Data Subject disagrees with the Company’s decision or if the Company fails to meet the deadline, the Data Subject may turn to the supervisory authority or to a court.

Please note that for persons under 18 years of age, their legal representative is entitled to act on their behalf.

12. Supervisory Authority

If the Data Subject considers that the processing of his or her personal data by the Company infringes the applicable data protection legislation, in particular the provisions of the GDPR, he or she has the right to lodge a complaint with the Hungarian National Authority for Data Protection and Freedom of Information.

Contact details of the Hungarian National Authority for Data Protection and Freedom of Information:

Name: Nemzeti Adatvédelmi és Információszabadság Hatóság
Website: http://naih.hu/
Address: 1055 Budapest, Falk Miksa utca 9-11.
Postal address: 1363 Budapest, P.O. Box 9.
Telephone: +36-1-391-1400
Fax: +36-1-391-1410
E-mail: ugyfelszolgalat@naih.hu

The Data Subject also has the right to lodge a complaint with another supervisory authority established in a Member State of the European Union, in particular in the Member State of his or her habitual residence, place of work, or the place of the alleged infringement.


13. Right to Bring an Action (Right to Seek Judicial Remedy)

Without prejudice to the right to lodge a complaint, the Data Subject has the right to bring a claim before a court if his or her rights under the GDPR have been infringed as a result of the processing of personal data.

Legal proceedings against the Company, as a Hungarian Controller, may be initiated before Hungarian courts.

If the Data Subject wishes to initiate proceedings against a Data Processor, such proceedings must be brought before the court of the Member State where the Data Processor is established.

The Data Subject may bring the action before the competent regional court (court of general jurisdiction) of his or her place of residence or habitual residence.
In Hungary, the contact details of regional courts are available at:
http://birosag.hu/torvenyszekek

If the Data Subject’s habitual residence is in another Member State of the European Union, proceedings may also be initiated before the competent court of that Member State.


14. Miscellaneous Provisions

The Company reserves the right to unilaterally amend this Notice at any time.

This Notice shall remain in effect until further notice or until withdrawn.


Annexes:

  • Annex 1 – List of Data Processors and Data Transfers

1 January 2025
Manó Dental Ltd. / Controller


ANNEX 1

LIST OF DATA PROCESSORS AND DATA TRANSFERS

Activity Performed | Data Processors and Data Transfers | Contact Details of Data Processor
IT system operation | Zsolt Korpás | +36-20-935-3524
Hosting service | |
Marketing services | Alexandra Zelki-Horkay | +36-30-395-5090
Data entry, Invoicing services | Flexi-Dent | 1027 Budapest, Tölgyfa u. 28, support@flexi-dent.hu
Accounting services | Balance Ltd. | +36-70-596-4948

Data Transfers:

Activity | Recipient | Contact Details
Dental technicians | Margit-dent Ltd. | +36-30-520-2203